A Survey of Rely-Guarantee Approaches in Compositional Verification Murat Demirbas OSU

Typical verification methods: Deduction: –Temporal and Modal Logic, Emerson 90 –TLA, Lamport 94 –UNITY Logic, Chandy & Misra 88 Model Checking

Typical verification methods: non compositional require a global examination of the entire system effective on small examples, however, fail to scale up for large-scale systems

A plea for Compositional Verification  ≜ any automaton with 10 states A ≜ parallel composition of 80 of such  ’s A has states –Greater than the # of electrons in the universe Now, consider the Internet … The verification method should scale linearly rather than exponentially in the number of components

Compositional Verification Methods: shift the burden of verification from the global level to the component (local) level so that global properties are established by composing independently verified component properties.

Compositional Verification Methods: (cont.) Enables us to verify whether a program meets its spec on the basis of the specs of its components (without assuming any knowledge of the interiors of those components).

Rely-Guarantee Approach The best studied approach to compositional verification A rely-guarantee spec for M is (R, G) –R: the conditions that M relies on its environment to provide –G: the conditions that M guarantees in return

Rely-Guarantee Approach (cont.) The intuition for using R-G specs for M –M needs to behave correctly only when its environment does M ⊨ (R,G) : the environment of M violates R before M fails to satisfy G

Composition Principle Let M be the composition of M i s.t. i  I. If  j:: R  /\ G i  R j  i:: M i ⊨ (R i, G i ) /\ G i  G Then M ⊨ (R,G)

Cyclic Dependencies output var c initially 0; input var d; loop endloop output var d initially 0; input var c; loop endloop c d M1M1 M2M2

Safety properties in Rely M 1 –R 1 : always d=0 –G 1 : always c=0 M 2 –R 2 : always c=0 –G 2 : always d=0 M ≜ M 1 || M 2 R: true G: always c=0  d=0

Liveness properties in Rely M 1 –R 1 : eventually d=1 –G 1 : eventually c=1 M 2 –R 2 : eventually c=1 –G 2 : eventually d=1 M ≜ M 1 || M 2 R: true G: ???

Outline 1.History of compositional verification 2.Stark’s work 3.Abadi & Lamport’s work 4.Lazy composition 5.Modified Rely-Guarantee rules 6.Other work 7.Rely-Guarantee wrappers for f-t 8.Conclusion

1. History of Compositional Verification Compositionality in predicate logic, Frege 1923 Sequential program verification –Inductive assertion method (non compositional), Floyd 67 – axiomatic compositional proof style, Hoare 69

History of Compositional Verification (cont.) Concurrent & distributed systems –Proof system for shared variable concurrency: interference freedom test (non compositional), Owicky & Gries 76 –Temporal logic (non compositional), Pnueli 77 –Rely-guarantee formalism (compositional), Misra & Chandy 81 –Rely-guarantee formalism for safety properties in shared-memory, Jones 81, 83

Misra & Chandy: Proofs of Network of Processes Spec for a process M i is “R i | M i | G i ” –G i holds for empty trace –for all traces t of M i, if R i holds for all proper prefixes of t, then G i holds for all prefixes (proper & improper) of t R | M | G holds if –R  /\ G i  /\ R j –  i:: R i | M i | G i –/\ G i  G

Hoare’s proof rule is an instance of composition principle Precondition: the rely of the program on the program state when the control reaches that point Postcondition: what the program guarantees in return if and when the control leaves that point Limited to the verification of safety properties only

M = M 1 ;M 2 If –R  R 1, {R 1 }M 1 {G 1 }, –G 1  R 2, {R 2 }M 2 {G 2 }, G 2  G Then{R}M{G} –R  G 1  G 2  R 1, R  G 1  G 2  R 2 –M 1 ⊨ (R 1, G 1 ), M i ⊨ (R i, G i ) –G 1  G 2  G

2. Stark’s Proof Technique for Rely-Guarantee Properties Stark’s proof technique rules out circular dependencies in liveness conditions; one can derive global liveness properties of a system from its components’ liveness properties.

Stark’s work Intuition: Find a set of specs that “cuts” the dependence between a component M i and its environment. Analogy: loop invariant RG i,j = what M i guarantees to M j = what M j relies on M i to provide

{RG i,j : i,j  I  {ext}} is a cut set: R  /\ j  I RG ext,j /\ i  I RG i,ext  G (  j:: /\ i  I  {ext} RG i,j  R j ) (  i:: G i  /\ j  I  {ext} RG i,j )

Acyclic cut sets If no R i holds, then no G i holds, hence G does not hold  m:: \/ k  {0...m-1} RG i k, i k+1 Finding a cut set is analogous to finding a loop invariant, no algorithm exists

Rely-Guarantee Proof Rule M is a program, RG is an acyclic cut set for M, R, G, and {R i, G i : i  I} If (  i: i  I : M ⊨ (R i, G i ) ) Then M ⊨ (R, G)

Examples Verification of a mutual exclusion algorithm (token ring ME) Verification of a distributed resource allocation algorithm The proof technique is compared against other liveness proof techniques such as Proof Lattice Method (Lamport & Owicky), and Variant Function Method (Floyd)

3. Abadi & Lamport’s work Composing Specifications, 92 Conjoining Specifications, 93 Main thm: If all the “rely” specifications (R,  i:: R i ) are safety properties, then circularity in “Composition Principle” is safe (i.e., does not lead to circular reasoning).

Stuttering Equivalence Specifications should allow “stuttering” steps that leave the state unchanged. Consider F, G. A behavior of their composition is obtained by interleaving actions from the two components. However, this interleaved behavior does not satisfy F, since it contains steps that do not belong to actions of F, nor does it satisfy G.

Conjoining Specs Parallel composition is conjunction. Temporal Logic of Actions Composition thm Decomposition thm

(R,G) ≜ R→ + G (R secures G) R → + G ≜ {σ  R  G |  i: σ[i]  S(R)  σ[i+1]  S(G) } S(R) :the strongest safety property containing R (i.e., safety closure of R) R → + G rules out unrealizable implementations of R  G where S(G) fails before the failure of S(R) can be detected by the component. R  G  R → + G for machine realizable specs. They allow the same implementations.

Safety properties in rely specs R → + G ≜ (R  G)  (S(R) → + S(G)) R → + G = S(R) → + (S(G)  (R  G)) Thus, any rely/guarantee spec can be converted to one whose rely is a pure safety property.

Composition Thm Let M be the composition of M i s.t. i  I. If  j:: S(R)  /\ S(G i )  R j  i:: M i ⊨ (R i, G i ) (i.e.,  i:: R i → + G i ) R → + ( /\ G i  G) Then M ⊨ (R,G) (i.e., R → + G )

Decomposition Problem Let M ≜ M 1 || …|| M n, M l ≜ M l 1 || …|| M l n. Prove that M l implements M by proving ((E, /\ i  I M l i )  (E, /\ i  I M i )) Trivially true if (  i: i  I : M l i  M i ) However, M l i  M i is not necessarily the case in top down refinements of a system.

Decomposition We can relax M l i  M i and still reason about one component at a time: –(  i: i  I: E i  M l i  M i ) However, the composition principle requires proving (  i: i  I: ( /\ k  I M l k  E i ) Instead, we can avoid reasoning about the entire low level system: –(  i: i  I: ( /\ k  I M k  E i ))

Decomposition Thm If  j:: S(E)  /\ S(M i )  E j E i → + (M l i  M i ) Then E → + ( /\ i  I M l i  /\ i  I M i )

Queue example Q1, Q2: queues of length N. Q of length 2N+1 can be obtained by composing Q1 and Q2. The example is wrong –Q1 and Q2 refer to N –Q1 and Q2 are not aware of each other Shankar 97 presents a buffer example very similar to the queue example

4. Lazy Composition, Shankar 97 Difficult to apply R-G specs to composition –G i should be strong enough to imply any potential constraint R j. –It is not easy to anticipate all the potential constraints that might be placed on M i. In lazy composition G i of M i is proved of the system M i || E i where E i captures the expected behavior of the abstract environment for M i.

Lazy Composition (cont.) G i might not hold for M i || M j, however it holds for M i || (M j  E i ). –Thus, the proof obligation that M j satisfies E i can be delayed till later. Lazy composition: cited as the main contribution of the paper –Same delay of proof is also possible for the regular R-G specs.

Composition Let M e 1 = M 1 || E 1 Closed co-imposition –M e 1  M e 2 ≜ (M 1  E 2 ) || (M 2  E 1 ) Open co-imposition –M e 1  M e 2 ≜ M e 1  M e 2 || (E 1  E 2 ) Thm: [M e 1  M e 2 ]  [M e 1 ] [M e 1  M e 2 ]  [M e 1 ]

Elimination of E i ’s by using Refinement Proofs One can show that (M 1  E 2 ) || (M 2  E 1 ) || (E 1  E 2 ) is refined by M 1 || (M 2  E 1 ) || (E 1  E 2 ) to eliminate E 2 This is the main advantage of this approach –we do not have to prove G 1 → + R 2 –instead we can employ a refinement proof to eliminate E 2 (i.e. to satisfy R 2 )

5. Modified Rely-Guarantee rules, Manohar, Sivilotti 96 M ⊨ (R,G) ≜ (  E:: (E||M ⊨ R)  (E||M ⊨ G)) –Thus, one has to consider all E to prove above. Modified Rely-Guarantee: R and G can refer only the local variables in M. M ⊨ (R ⌦ G) ≜ (M ⊨ R)  (M ⊨ G).

Modified Rely-Guarantee rules (cont.) Compositionality: –Let M ⊨ (R ⌦ G) –Then (  N:: M||N ⊨ (R ⌦ G) ) Handles the verification of liveness properties easily.

Composition Thm Let M be the composition of M i s.t. i  I. If  j:: R  ( /\ i<j R i  G i )  R j  i:: M i ⊨ (R i ⌦ G i ) Then M ⊨ (R ⌦ (  i:: R i  G i ) )

Composition Thm: (safety props) Let M be the composition of M i s.t. i  I. If  i:: R i,G i are safety properties  j:: R  /\ G i  R j  i:: M i ⊨ (R i ⌦ G i ) Then M ⊨ (R ⌦ (  i:: R i  G i ) )

Examples K mutual exclusion in a ring (works very good) Synchronization with Gossip

6. Other work The need for compositional proof systems, deRoever 97 –Decomposition thm  Dijkstra’s verify while develop approach Systematic composition of distributed objects: Processes & Sessions, Chandy & Rifkin 97 –Considers Internet (anarchic system) as an application of bottom up design using composition

Other work (cont.) Composition: A way to make proofs harder, Lamport 97 –Decomposition thm is popular only because it can be expressed in terms of PPL favored by CS people –Decomposition thm is not necessary; when a system is specified using mathematics, decomposition trivially follows from math.

Other work (cont.) Towards a compositional approach to the design & verification of distributed systems, Charpentier&Chandy –UNITY framework –Resource allocator example Both top-down and bottom-up approaches used –A component should publish its provided spec as well as different weaker specs to simplify reuse in different applications.

7. Rely-Guarantee wrappers for fault-tolerance Let M be the composition of M i s.t. i  I. Compositionality principle holds –(  i:: M i ⊨ (R i, G i ))  M ⊨ (R,G) –I.e., (  i:: S i )  S

Rely-Guarantee wrappers (cont.) S’ i ≜ (Fspan(R i ), G i ) :masking F-tolerant version of M i = M’ i S’’ i ≜ (Fspan(R i ), (S i unless  R i )  S(G i ))  (Fspan(R i ), S i  S(G i )) :fail-safe F-tolerant version of M i = M’’ i S’’’ i ≜ (Fspan(R i ), S i  (True ↦ R i )) :nonmasking F-tolerant M i = M’’’ i

Rely-Guarantee wrappers (cont.) Let w’ i be the wrapper to be added to M i to get M’ i (i.e., M’ i ≜ w’ i || M i ) R1: Calculate R-G specs for w’ i, w’’ i, w’’’ i S i  w’ i = S’ i then w’ i ≜ S i  S’ i w’’ i ≜ (S i, S’’ i )  (S i, (FSpan (R i )  S(G i )) w’’’ i ≜ (S i, S’’ i )  (S i, (FSpan (R i ) ↦ R i ))

Proposal: Problem: How to calculate FSpan(R i )? Using modified R-G would help –local reasoning while calculating FSpan(R i ) –In general, we might not avoid global reasoning Use abstract faulty environment E F i –Lazy composition for refinement proofs If F is a transient fault: FSpan(R i ) =True

Rely-Guarantee wrappers (cont.) R2: Prove that –(  i:: S’ i )  S’ –(  i:: S’’ i )  S’’ –(  i:: S’’’ i )  S’’’ Can M be made F-tolerant by composing each M i with w i ?

R2 Need to show –  j:: R x  /\ G x i  R x j –R x  /\ G x i  G x To deduce (  i:: R x i  G x i )  (R x  G x ) Easy for closed systems (R=True); –reuse criterion G x i  G j –R i  Fspan(R j ) –Interference freedom rule might be needed for nonmasking f-t

8. Conclusion (R,G) specs provide a natural (and also graybox) way to specify components Composition (via conjunction) provides a simple but powerful model for reasoning about large-scale distributed programs It is a good model to study graybox dependability wrappers