Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Survey of Rely-Guarantee Approaches in Compositional Verification Murat Demirbas OSU.

Published byMaximilian Davis Modified over 9 years ago

Similar presentations

Presentation on theme: "A Survey of Rely-Guarantee Approaches in Compositional Verification Murat Demirbas OSU."— Presentation transcript:

1 A Survey of Rely-Guarantee Approaches in Compositional Verification Murat Demirbas OSU

2 Typical verification methods: Deduction: –Temporal and Modal Logic, Emerson 90 –TLA, Lamport 94 –UNITY Logic, Chandy & Misra 88 Model Checking

3 Typical verification methods: non compositional require a global examination of the entire system effective on small examples, however, fail to scale up for large-scale systems

4 A plea for Compositional Verification  ≜ any automaton with 10 states A ≜ parallel composition of 80 of such  ’s A has 10 80 states –Greater than the # of electrons in the universe Now, consider the Internet … The verification method should scale linearly rather than exponentially in the number of components

5 Compositional Verification Methods: shift the burden of verification from the global level to the component (local) level so that global properties are established by composing independently verified component properties.

6 Compositional Verification Methods: (cont.) Enables us to verify whether a program meets its spec on the basis of the specs of its components (without assuming any knowledge of the interiors of those components).

7 Rely-Guarantee Approach The best studied approach to compositional verification A rely-guarantee spec for M is (R, G) –R: the conditions that M relies on its environment to provide –G: the conditions that M guarantees in return

8 Rely-Guarantee Approach (cont.) The intuition for using R-G specs for M –M needs to behave correctly only when its environment does M ⊨ (R,G) : the environment of M violates R before M fails to satisfy G

9 Composition Principle Let M be the composition of M i s.t. i  I. If  j:: R  /\ G i  R j  i:: M i ⊨ (R i, G i ) /\ G i  G Then M ⊨ (R,G)

10 Cyclic Dependencies output var c initially 0; input var d; loop endloop output var d initially 0; input var c; loop endloop c d M1M1 M2M2

11 Safety properties in Rely M 1 –R 1 : always d=0 –G 1 : always c=0 M 2 –R 2 : always c=0 –G 2 : always d=0 M ≜ M 1 || M 2 R: true G: always c=0  d=0

12 Liveness properties in Rely M 1 –R 1 : eventually d=1 –G 1 : eventually c=1 M 2 –R 2 : eventually c=1 –G 2 : eventually d=1 M ≜ M 1 || M 2 R: true G: ???

13 Outline 1.History of compositional verification 2.Stark’s work 3.Abadi & Lamport’s work 4.Lazy composition 5.Modified Rely-Guarantee rules 6.Other work 7.Rely-Guarantee wrappers for f-t 8.Conclusion

14 1. History of Compositional Verification Compositionality in predicate logic, Frege 1923 Sequential program verification –Inductive assertion method (non compositional), Floyd 67 – axiomatic compositional proof style, Hoare 69

15 History of Compositional Verification (cont.) Concurrent & distributed systems –Proof system for shared variable concurrency: interference freedom test (non compositional), Owicky & Gries 76 –Temporal logic (non compositional), Pnueli 77 –Rely-guarantee formalism (compositional), Misra & Chandy 81 –Rely-guarantee formalism for safety properties in shared-memory, Jones 81, 83

16 Misra & Chandy: Proofs of Network of Processes Spec for a process M i is “R i | M i | G i ” –G i holds for empty trace –for all traces t of M i, if R i holds for all proper prefixes of t, then G i holds for all prefixes (proper & improper) of t R | M | G holds if –R  /\ G i  /\ R j –  i:: R i | M i | G i –/\ G i  G

17 Hoare’s proof rule is an instance of composition principle Precondition: the rely of the program on the program state when the control reaches that point Postcondition: what the program guarantees in return if and when the control leaves that point Limited to the verification of safety properties only

18 M = M 1 ;M 2 If –R  R 1, {R 1 }M 1 {G 1 }, –G 1  R 2, {R 2 }M 2 {G 2 }, G 2  G Then{R}M{G} –R  G 1  G 2  R 1, R  G 1  G 2  R 2 –M 1 ⊨ (R 1, G 1 ), M i ⊨ (R i, G i ) –G 1  G 2  G

19 2. Stark’s Proof Technique for Rely-Guarantee Properties Stark’s proof technique rules out circular dependencies in liveness conditions; one can derive global liveness properties of a system from its components’ liveness properties.

20 Stark’s work Intuition: Find a set of specs that “cuts” the dependence between a component M i and its environment. Analogy: loop invariant RG i,j = what M i guarantees to M j = what M j relies on M i to provide

21 {RG i,j : i,j  I  {ext}} is a cut set: R  /\ j  I RG ext,j /\ i  I RG i,ext  G (  j:: /\ i  I  {ext} RG i,j  R j ) (  i:: G i  /\ j  I  {ext} RG i,j )

22 Acyclic cut sets If no R i holds, then no G i holds, hence G does not hold  m:: \/ k  {0...m-1} RG i k, i k+1 Finding a cut set is analogous to finding a loop invariant, no algorithm exists

23 Rely-Guarantee Proof Rule M is a program, RG is an acyclic cut set for M, R, G, and {R i, G i : i  I} If (  i: i  I : M ⊨ (R i, G i ) ) Then M ⊨ (R, G)

24 Examples Verification of a mutual exclusion algorithm (token ring ME) Verification of a distributed resource allocation algorithm The proof technique is compared against other liveness proof techniques such as Proof Lattice Method (Lamport & Owicky), and Variant Function Method (Floyd)

25 3. Abadi & Lamport’s work Composing Specifications, 92 Conjoining Specifications, 93 Main thm: If all the “rely” specifications (R,  i:: R i ) are safety properties, then circularity in “Composition Principle” is safe (i.e., does not lead to circular reasoning).

26 Stuttering Equivalence Specifications should allow “stuttering” steps that leave the state unchanged. Consider F, G. A behavior of their composition is obtained by interleaving actions from the two components. However, this interleaved behavior does not satisfy F, since it contains steps that do not belong to actions of F, nor does it satisfy G.

27 Conjoining Specs Parallel composition is conjunction. Temporal Logic of Actions Composition thm Decomposition thm

28 (R,G) ≜ R→ + G (R secures G) R → + G ≜ {σ  R  G |  i: σ[i]  S(R)  σ[i+1]  S(G) } S(R) :the strongest safety property containing R (i.e., safety closure of R) R → + G rules out unrealizable implementations of R  G where S(G) fails before the failure of S(R) can be detected by the component. R  G  R → + G for machine realizable specs. They allow the same implementations.

29 Safety properties in rely specs R → + G ≜ (R  G)  (S(R) → + S(G)) R → + G = S(R) → + (S(G)  (R  G)) Thus, any rely/guarantee spec can be converted to one whose rely is a pure safety property.

30 Composition Thm Let M be the composition of M i s.t. i  I. If  j:: S(R)  /\ S(G i )  R j  i:: M i ⊨ (R i, G i ) (i.e.,  i:: R i → + G i ) R → + ( /\ G i  G) Then M ⊨ (R,G) (i.e., R → + G )

31 Decomposition Problem Let M ≜ M 1 || …|| M n, M l ≜ M l 1 || …|| M l n. Prove that M l implements M by proving ((E, /\ i  I M l i )  (E, /\ i  I M i )) Trivially true if (  i: i  I : M l i  M i ) However, M l i  M i is not necessarily the case in top down refinements of a system.

32 Decomposition We can relax M l i  M i and still reason about one component at a time: –(  i: i  I: E i  M l i  M i ) However, the composition principle requires proving (  i: i  I: ( /\ k  I M l k  E i ) Instead, we can avoid reasoning about the entire low level system: –(  i: i  I: ( /\ k  I M k  E i ))

33 Decomposition Thm If  j:: S(E)  /\ S(M i )  E j E i → + (M l i  M i ) Then E → + ( /\ i  I M l i  /\ i  I M i )

34 Queue example Q1, Q2: queues of length N. Q of length 2N+1 can be obtained by composing Q1 and Q2. The example is wrong –Q1 and Q2 refer to N –Q1 and Q2 are not aware of each other Shankar 97 presents a buffer example very similar to the queue example

35 4. Lazy Composition, Shankar 97 Difficult to apply R-G specs to composition –G i should be strong enough to imply any potential constraint R j. –It is not easy to anticipate all the potential constraints that might be placed on M i. In lazy composition G i of M i is proved of the system M i || E i where E i captures the expected behavior of the abstract environment for M i.

36 Lazy Composition (cont.) G i might not hold for M i || M j, however it holds for M i || (M j  E i ). –Thus, the proof obligation that M j satisfies E i can be delayed till later. Lazy composition: cited as the main contribution of the paper –Same delay of proof is also possible for the regular R-G specs.

37 Composition Let M e 1 = M 1 || E 1 Closed co-imposition –M e 1  M e 2 ≜ (M 1  E 2 ) || (M 2  E 1 ) Open co-imposition –M e 1  M e 2 ≜ M e 1  M e 2 || (E 1  E 2 ) Thm: [M e 1  M e 2 ]  [M e 1 ] [M e 1  M e 2 ]  [M e 1 ]

38 Elimination of E i ’s by using Refinement Proofs One can show that (M 1  E 2 ) || (M 2  E 1 ) || (E 1  E 2 ) is refined by M 1 || (M 2  E 1 ) || (E 1  E 2 ) to eliminate E 2 This is the main advantage of this approach –we do not have to prove G 1 → + R 2 –instead we can employ a refinement proof to eliminate E 2 (i.e. to satisfy R 2 )

39 5. Modified Rely-Guarantee rules, Manohar, Sivilotti 96 M ⊨ (R,G) ≜ (  E:: (E||M ⊨ R)  (E||M ⊨ G)) –Thus, one has to consider all E to prove above. Modified Rely-Guarantee: R and G can refer only the local variables in M. M ⊨ (R ⌦ G) ≜ (M ⊨ R)  (M ⊨ G).

40 Modified Rely-Guarantee rules (cont.) Compositionality: –Let M ⊨ (R ⌦ G) –Then (  N:: M||N ⊨ (R ⌦ G) ) Handles the verification of liveness properties easily.

41 Composition Thm Let M be the composition of M i s.t. i  I. If  j:: R  ( /\ i<j R i  G i )  R j  i:: M i ⊨ (R i ⌦ G i ) Then M ⊨ (R ⌦ (  i:: R i  G i ) )

42 Composition Thm: (safety props) Let M be the composition of M i s.t. i  I. If  i:: R i,G i are safety properties  j:: R  /\ G i  R j  i:: M i ⊨ (R i ⌦ G i ) Then M ⊨ (R ⌦ (  i:: R i  G i ) )

43 Examples K mutual exclusion in a ring (works very good) Synchronization with Gossip

44 6. Other work The need for compositional proof systems, deRoever 97 –Decomposition thm  Dijkstra’s verify while develop approach Systematic composition of distributed objects: Processes & Sessions, Chandy & Rifkin 97 –Considers Internet (anarchic system) as an application of bottom up design using composition

45 Other work (cont.) Composition: A way to make proofs harder, Lamport 97 –Decomposition thm is popular only because it can be expressed in terms of PPL favored by CS people –Decomposition thm is not necessary; when a system is specified using mathematics, decomposition trivially follows from math.

46 Other work (cont.) Towards a compositional approach to the design & verification of distributed systems, Charpentier&Chandy –UNITY framework –Resource allocator example Both top-down and bottom-up approaches used –A component should publish its provided spec as well as different weaker specs to simplify reuse in different applications.

47 7. Rely-Guarantee wrappers for fault-tolerance Let M be the composition of M i s.t. i  I. Compositionality principle holds –(  i:: M i ⊨ (R i, G i ))  M ⊨ (R,G) –I.e., (  i:: S i )  S

48 Rely-Guarantee wrappers (cont.) S’ i ≜ (Fspan(R i ), G i ) :masking F-tolerant version of M i = M’ i S’’ i ≜ (Fspan(R i ), (S i unless  R i )  S(G i ))  (Fspan(R i ), S i  S(G i )) :fail-safe F-tolerant version of M i = M’’ i S’’’ i ≜ (Fspan(R i ), S i  (True ↦ R i )) :nonmasking F-tolerant M i = M’’’ i

49 Rely-Guarantee wrappers (cont.) Let w’ i be the wrapper to be added to M i to get M’ i (i.e., M’ i ≜ w’ i || M i ) R1: Calculate R-G specs for w’ i, w’’ i, w’’’ i S i  w’ i = S’ i then w’ i ≜ S i  S’ i w’’ i ≜ (S i, S’’ i )  (S i, (FSpan (R i )  S(G i )) w’’’ i ≜ (S i, S’’ i )  (S i, (FSpan (R i ) ↦ R i ))

50 Proposal: Problem: How to calculate FSpan(R i )? Using modified R-G would help –local reasoning while calculating FSpan(R i ) –In general, we might not avoid global reasoning Use abstract faulty environment E F i –Lazy composition for refinement proofs If F is a transient fault: FSpan(R i ) =True

51 Rely-Guarantee wrappers (cont.) R2: Prove that –(  i:: S’ i )  S’ –(  i:: S’’ i )  S’’ –(  i:: S’’’ i )  S’’’ Can M be made F-tolerant by composing each M i with w i ?

52 R2 Need to show –  j:: R x  /\ G x i  R x j –R x  /\ G x i  G x To deduce (  i:: R x i  G x i )  (R x  G x ) Easy for closed systems (R=True); –reuse criterion G x i  G j –R i  Fspan(R j ) –Interference freedom rule might be needed for nonmasking f-t

53 8. Conclusion (R,G) specs provide a natural (and also graybox) way to specify components Composition (via conjunction) provides a simple but powerful model for reasoning about large-scale distributed programs It is a good model to study graybox dependability wrappers

Download ppt "A Survey of Rely-Guarantee Approaches in Compositional Verification Murat Demirbas OSU."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.

50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.
Giving a formal meaning to “Specialization” In these note we try to give a formal meaning to specifications, implementations, their comparisons. We define.

Giving a formal meaning to “Specialization” In these note we try to give a formal meaning to specifications, implementations, their comparisons. We define.
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Program Analysis and Verification 0368-4479

Program Analysis and Verification
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.

Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.
(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 1 Symbolic Execution and Proof of Properties.

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 1 Symbolic Execution and Proof of Properties.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
© Katz, 2007CS236368 Formal SpecificationsLecture - Temporal logic 1 Temporal Logic Formal Specifications CS236368 Shmuel Katz The Technion.

© Katz, 2007CS Formal SpecificationsLecture - Temporal logic 1 Temporal Logic Formal Specifications CS Shmuel Katz The Technion.
© Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 1 Lamport ’s State Machines Formal Specifications of Complex Systems CS236368 Spring.

© Katz, Spring 2004 CS Formal SpecificationsLecture-- Lamport 1 Lamport ’s State Machines Formal Specifications of Complex Systems CS Spring.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Graybox Stabilization Anish Arora Murat Demirbas Sandeep Kulkarni The Ohio State University/ Michigan State University July 2001.

Graybox Stabilization Anish Arora Murat Demirbas Sandeep Kulkarni The Ohio State University/ Michigan State University July 2001.
CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.
CS294, YelickSelf Stabilizing, p1 CS 294-8 Self-Stabilizing Systems

CS294, YelickSelf Stabilizing, p1 CS Self-Stabilizing Systems
1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.

1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.

Similar presentations

Ads by Google