Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Simple Method for Extracting Models from Protocol Code David Lie, Andy Chou, Dawson Engler and David Dill Computer Systems Laboratory Stanford University.

Published byKristin Rice Modified over 9 years ago

Similar presentations

Presentation on theme: "A Simple Method for Extracting Models from Protocol Code David Lie, Andy Chou, Dawson Engler and David Dill Computer Systems Laboratory Stanford University."— Presentation transcript:

1 A Simple Method for Extracting Models from Protocol Code David Lie, Andy Chou, Dawson Engler and David Dill Computer Systems Laboratory Stanford University

2 The Validation of Modern Systems Our ability to build complex systems has outstripped our ability to verify and validate them There are several reasons for this: –It is difficult to get good coverage of large systems –Traditional testing is tedious and very costly –Applying formal methods is hard Our goal: Create tools to facilitate the application of formal methods

3 Model Checking It is a formal method, but with more pragmatic goal of finding bugs rather than proving system correctness System is modeled as a state machine –States are explored –Correctness is checked at every state –If the state space is too big, an estimate on the number of missed states is performed –This places some bound on the possibility of missing a bug

4 Problems with Model Checking Traversing the state space requires a lot of memory to remember visited states Constructing the models is difficult and error-prone –Details should be abstracted –Model needs to be scaled down Manually constructing models causes: –Errors to be introduced by human modeling –Models to miss implementation changes (Drift)

5 Case Study: FLASH Distributed shared memory multiprocessor Cache-coherence protocol runs in node controller firmware Many race conditions and corner cases due to concurrency and distributed state CPU 0 NC 0 Mem 0 CPU 1 NC 1 Mem 1 CPU 2 NC 2 Mem 2 Interconnection Network

6 FLASH Architecture Node Controller R10K Processor I/O Subsystem Network Processor Interface (PI) Network Interface (NI) I/O Interface (IO) Protocol Code

7 Simplifying the Application of Model Checking Use compiler support to extract a model of the software implementation Protocol Code (Implementation) Model Checker State Variables Translation Patterns compiler Protocol Model Initial State Correctness Properties Hardware Model Error List

8 The Tools Leverage two existing tools: –xg++ extensible compiler –Mur  model checker State Variables Protocol Code (Implementation) Translation Patterns Mur  Protocol Model Correctness Properties Initial State Hardware Model xg++ compiler Error List

9 xg++ Compiler Modified g++ that allows users to add extensions that operate on the Abstract Syntax Tree (AST) –Analyze or modify AST –Several extensions can be run one after another as separate passes Users write extensions in a language called Metal –Pattern matching language –Arbitrary actions taken when patterns match

10 The Mur  Model Checker Models are described by a set of functions called “rules” –Preconditions –Assertions –Transitions Model checker –Starts in an initial state –Looks for rules with applicable preconditions –Checks that assertions are satisfied –Executes transitions to compute the next state

11 Example Mur  Code Rule "PI Local Get" Cache.State = Invalid & !Cache.Wait Begin Assert !DH.Local "PILocalGet:2" Assert DH.Head & !DH.List & DH.Real=0 "PILocalGet:1“ DH.Pending := true; Cache.Wait := true; Send_Request(Home, DH.HPtr, Get, Home, void); End; Rule has a precondition which indicates when it can be applied Assertions check for correctness Variable assignments compute new values State also includes network; this is also a state transition

12 The Extraction Process Two configuration components specified by user –State variables –Translation Patterns State Variables Protocol Code (Implementation) Translation Patterns Mur  Protocol Model Correctness Properties Initial State Hardware Model xg++ compiler Error List

13 A Key Observation: Handlers map to Rules A handler is FLASH is triggered by an event –A request from the processor –A request from the network Rules in Mur  execute when precondition is satisfied –Processor needs a piece of memory –A message arrives from another node controller A handler in FLASH is equivalent to a rule in Mur 

14 Specifying State Variables (Metal Slicer) This allows users to indicate the important state variables and functions to the compiler Compiler uses “Program Slicing” algorithm –Determines which statements should be extracted to create the Protocol Model Example, slice out the network header field: pat length = { packet.length }; pat sends = { NI_SEND(data) };

15 Specifying Translation Patterns (Metal Printer) The user tells the compiler about places where it can –Perform abstractions to reduce state space –Insert extra checks to tighten correctness properties Example, convert two different values into one: { len_cacheline } | { len_word } ==> { emit("len_data"); }

16 Other Metal Printer Examples Insert code to check network sends: { NI_SEND(argument); } ==> if ( is_constant(data) != 0) emit("assert(packet.length = len_data);"); else emit("assert(packet.length = len_nodata);"); emit("ni_send(%t);", argument); Abstract away bit operations: { packet ^= ( new_opcode ^ old_opcode ); } ==> { emit(“packet.opcode = Opcode_substitute(%t, %t, packet);\n", old_opcode, new_opcode); }

17 Protocol Code Extraction Example Rule "PI Local Get" Cache.State = Invalid & ! Cache.Wait ==> Begin packet.length := len_data; if (!directory.Pending) then if (!directory.Dirty) then assert(packet.length = len_data) ni_send (packet); directory.Pending := 1; else assert(!directory.List); void PILocalGet(void) { // Boiler Plate Setup Code Load_From_memory (&directory) // Debug code printf (“Entering PILocalGet\n”); packet.length = len_cacheline; if (!directory.Pending) { if (!directory.Dirty) { directory.IO = 1; NI_SEND(data); directory.Pending = 1; } else { ASSERT(!directory.List); Gather Statistics(); Protocol CodeProtocol Model

18 Combining the Other Components Extracted Protocol Model is combined with Correctness Properties, a Hardware Model and an Initial State State Variables (Metal Slicer) Protocol Code (Implementation) Translation Patterns (Metal Printer) Mur  Protocol Model Correctness Properties Initial State Hardware Model xg++ compiler Error List

19 Correctness Properties Correctness Properties are defined by –Assertions in the rules (extracted) –Global Invariants (manually added) Global Invariants: –They are checked at every state –Example: Don’t overflow network queues Don’t invalidate a processor who has data in the exclusive state

20 ??? The Hardware Model Mur  Model R10K Processor Model Processor Interface (PI) Network Interface (NI) I/O Interface (IO) Protocol Model I/O Subsystem Model Network Model

21 Verification Results Mur  outputs an error trace that aids in finding errors The automatic extraction reduces the manual effort as well as making the model more faithful to the implementation State Variables (Metal Slicer) Protocol Code (Implementation) Translation Patterns (Metal Printer) Mur  Protocol Model Correctness Properties Initial State Hardware Model xg++ compiler Error List

22 The Error List If a bug is found –The error is stated –A trace of all visited states and executed rules is given Whether a bug is found or not –Mur  gives number of states explored –For us, our largest models had about 6 million states

23 Example of Gory Bug Home Node 1Node 2 Request Has line exclusive Sharing Writeback Reply Data Has Line Shared Forward Pending Bit is Set Node 2 is on the sharing list even though it does not have the line Hint is Dropped Replacement Hint Does not have Line

24 Reduction in Manual Labor and Increase in Effectiveness ProtocolErrors Found Protocol Size (Lines) Extracted Model Size (Lines) Manual Component (Lines) Metal Size (Lines) Dynamic Pointer 612K1100100099 Bitvector28K7001000100 RAC010K15001200119 Coma015K28001400159

25 Conclusion A method to make the application of model checking easier and more effective was developed The extracted protocol model is both easier to produce and more faithful to the implementation Method relies on a user who understands the details of the system being modeled

Download ppt "A Simple Method for Extracting Models from Protocol Code David Lie, Andy Chou, Dawson Engler and David Dill Computer Systems Laboratory Stanford University."

Similar presentations

Implementation and Verification of a Cache Coherence protocol using Spin Steven Farago.

Implementation and Verification of a Cache Coherence protocol using Spin Steven Farago.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Software Analysis at Philips Healthcare MSc Project Matthijs Wessels 01/09/2009 – 01/05/2010.

Software Analysis at Philips Healthcare MSc Project Matthijs Wessels 01/09/2009 – 01/05/2010.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Using Formal Specifications to Monitor and Guide Simulation: Verifying the Cache Coherence Engine of the Alpha 21364 Microprocessor Serdar Tasiran Systems.

Using Formal Specifications to Monitor and Guide Simulation: Verifying the Cache Coherence Engine of the Alpha Microprocessor Serdar Tasiran Systems.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.
ESP: A Language for Programmable Devices Sanjeev Kumar, Yitzhak Mandelbaum, Xiang Yu, Kai Li Princeton University.

ESP: A Language for Programmable Devices Sanjeev Kumar, Yitzhak Mandelbaum, Xiang Yu, Kai Li Princeton University.
Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.

Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.
Programming Types of Testing.

Programming Types of Testing.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Cache Coherent Distributed Shared Memory. Motivations Small processor count –SMP machines –Single shared memory with multiple processors interconnected.

Cache Coherent Distributed Shared Memory. Motivations Small processor count –SMP machines –Single shared memory with multiple processors interconnected.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
CS 355 – Programming Languages

CS 355 – Programming Languages
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
Behavioral Design Outline –Design Specification –Behavioral Design –Behavioral Specification –Hardware Description Languages –Behavioral Simulation –Behavioral.

Behavioral Design Outline –Design Specification –Behavioral Design –Behavioral Specification –Hardware Description Languages –Behavioral Simulation –Behavioral.
Verification of Hierarchical Cache Coherence Protocols for Future Processors Student: Xiaofang Chen Advisor: Ganesh Gopalakrishnan.

Verification of Hierarchical Cache Coherence Protocols for Future Processors Student: Xiaofang Chen Advisor: Ganesh Gopalakrishnan.

Similar presentations

Ads by Google