Better Verification Through Symmetry
Tintu David Joy

Agenda
• Motivation
• Better Verification Through Symmetry: basic idea
• Structural Symmetry and Multiprocessor Systems
• Murϕ verification system
• Scalarset
• Construction of Equivalent States
• Graph Automorphism
• Representative of the symmetry equivalence class
• Practical Results
• Conclusion

Motivation
• Network and communication protocols in hardware, protocols in large multiprocessors
• Protocols are becoming increasingly complex
• Proper verification is important
• Automatic verification of finite state concurrent systems
• State explosion problem
• Need a method to reduce the state space

Better Verification Through Symmetry
• Aim:
  – Exploit symmetries in the system, e.g. a mutual exclusion algorithm for 2 processes
• Method:
  – Extend the Murϕ verifier by adding the scalarset
  – Murϕ verifier: a verification system
  – Scalarset: a new data type to detect symmetries
  – Equivalence relation between the states
  – Select one state per equivalence class as representative
• Result:
  – Reduction of the state space
  – More efficient verification

Example: Multiprocessor Systems
• Data consistency of the local caches is important
• All processors access a shared global memory
• Directory based cache coherence protocol
  – Set of rules for coordinating processors, cache controllers and memory controllers
• Protocol verification needs to be done
  – Not on the original state space
  – Reduction of the state space is desirable

Structural Symmetry in Multiprocessor Systems

Structural Symmetry
• The directory tracks the processors
• Processors have distinct processor ids
• Properties of integers are irrelevant in the high-level protocol description
• Here: the ordering of processor ids is irrelevant for the correctness of the protocol

Structural Symmetry
• Standard verifiers will not detect the symmetries
  – Symmetrically equivalent states are inspected many times
• Other symmetries: addresses, data values, memory module ids, message ids
• Consider multiple kinds of symmetries
• Two problems:
  – Detecting structural symmetries
  – Detecting symmetrically equivalent states

Murϕ Verification System
• Formal verification system for finite state concurrent systems
• Mainly used in verifying multiprocessor systems and cryptographic protocols
• Parts of the Murϕ verification system
  – Description language: describes finite state asynchronous concurrent systems
  – Murϕ compiler: produces a C++ program that generates the reachable states and checks for execution of error statements, violation of invariants, and deadlocks

Murϕ Description Language
• Declarations (constant, type, variable, procedure)
• Definitions (transition rules)
  – Rules are guarded commands consisting of a condition and an action
  – Nondeterministic selection of rules
  – Atomic execution
• Descriptions (start state, invariant)

Example: (slide figure not reproduced in the transcript)

Scalarset
• New datatype in Murϕ
• Facilitates the detection of symmetries and the testing of equivalent states
• Features
  – Assignment, testing equality/inequality and array indexing are supported
  – No arithmetic and comparison operators (other than equality/inequality testing)
• Convert a subrange to a scalarset if the numerical value of the subrange is not important
• Enforces and documents the symmetries that result from permuting the members of the scalarset

Example: (slide figure not reproduced in the transcript)

Construction of Equivalent States
• Aim: obtain equivalent states by permuting the scalarset entries of the state
• Permutation process: when a permutation is applied to a scalarset
  – A value of the scalarset is modified to the corresponding permuted value
  – An array indexed by the scalarset is permuted: its elements are rearranged and the contents of the elements are permuted

Example:
• Equivalent states are the basis for generating a reduced state space

Graph Automorphism
• To specify symmetry formally we use the notions of state graphs and automorphisms
• Can be used to combine abstractly equivalent states
• Definition: a graph automorphism on a state graph A = (Q, S, Δ) is a one-to-one mapping h: A → A

Graph Automorphism
• The transition relation is preserved
• A set of graph automorphisms closed under functional composition induces an equivalence relation on states
• Theorem: the set of permutations π on the scalarset entries in the states forms a set of graph automorphisms over the state graph. The set is closed under functional composition and the corresponding equivalence relation is a bisimulation

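The two claims on this slide, spelled out (added here; the symbols Q and Δ are the slide's own, while $G$ for the set of automorphisms and $\sim$ for the induced relation are notation introduced for this note):

$$
(q, q') \in \Delta \iff (h(q), h(q')) \in \Delta \qquad \text{for all } q, q' \in Q
$$

$$
q \sim q' \iff \exists\, h \in G:\ h(q) = q'
$$

Since $G$ is a finite, non-empty set of bijections on $Q$ closed under composition, the powers $h, h^2, h^3, \dots$ of any $h \in G$ cannot all be distinct, so $h^k = \mathrm{id}$ for some $k \ge 1$ and $h^{-1} = h^{k-1} \in G$. Hence $\sim$ is reflexive ($\mathrm{id} \in G$), symmetric ($h^{-1} \in G$) and transitive ($h_2 \circ h_1 \in G$), i.e. an equivalence relation, and a state-space search may keep a single representative of each class.
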
Representative of the symmetry equivalence class
• Only change in the Murϕ verifier: a canonical function is added
• Canonical function: determines a unique state to represent the equivalence class
• But finding the canonical state is hard
  – The large reduction in state space compensates for the computational load of canonicalization
  – For complicated state structures the computational load of canonicalization is very high
• Observation: any subset of states in the equivalence class can be used to represent the class and still give a sound verification algorithm for safety properties

Normalization
• Canonicalization algorithm: all permutations are generated and the lexicographically smallest state is used as the canonical state
• So, normalization algorithm:
  – Separates the state into two parts
  – The part with the most significant bits is canonicalized, using a few permutations
  – The second part is normalized by one of the permutations used to canonicalize the first part
  – The result is a normalized state of small lexicographic value

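The permutation process from "Construction of Equivalent States", the canonical function and the cheaper normalization above can be seen together on a small model. The following Python example is added here and is not code from the talk or from the Murϕ system: the three-process lock protocol, its state encoding (a status array indexed by the scalarset plus an owner variable of scalarset type) and the names `apply_perm`, `canonicalize`, `normalize`, `rules` and `explore` are assumptions of this illustration. The rules are written as Murϕ-style guarded commands over the scalarset, and `explore` is an explicit-state search that replaces each generated state by its representative before the visited-set lookup.

```python
from itertools import permutations

# Constructed example: a 3-process lock protocol with Murphi-style guarded
# rules; N, the state layout and the rule names are assumptions of this demo.
N = 3                                  # size of the scalarset of process ids
IDLE, TRYING, CRITICAL = "idle", "trying", "critical"
NOBODY = -1                            # owner value meaning "no process holds the lock"

# A state is (status, owner): `status` is an array indexed by the scalarset,
# `owner` is a variable of scalarset type (or NOBODY).
START = ((IDLE,) * N, NOBODY)
ALL_PERMS = list(permutations(range(N)))


def apply_perm(state, pi):
    """Apply permutation pi of the scalarset to a state: a scalarset-valued
    variable is mapped to its permuted value, and an array indexed by the
    scalarset has its elements rearranged (element i moves to index pi[i])."""
    status, owner = state
    new_status = [None] * N
    for i in range(N):
        new_status[pi[i]] = status[i]
    new_owner = pi[owner] if owner != NOBODY else NOBODY
    return (tuple(new_status), new_owner)


def canonicalize(state):
    """Canonical function: the lexicographically smallest image of the state
    under all N! permutations, so every member of a class maps to one state."""
    return min(apply_perm(state, pi) for pi in ALL_PERMS)


def normalize(state):
    """Normalization: canonicalize only the most significant part (the status
    array, here simply by sorting it) and map the remaining part (owner) with
    the single permutation that the sort produced. Much cheaper than trying
    all N! permutations; in general it may keep more than one representative
    per class, which is still sound for safety properties."""
    status, owner = state
    order = sorted(range(N), key=lambda i: status[i])   # old indices in sorted status order
    pi = [0] * N
    for new_index, old_index in enumerate(order):
        pi[old_index] = new_index
    return apply_perm(state, pi)


def rules(state):
    """Ruleset over the scalarset: each rule is a guarded command
    (condition ==> action) executed atomically for one process p."""
    status, owner = state
    for p in range(N):
        s = list(status)
        if status[p] == IDLE:
            s[p] = TRYING
            yield ("request", p), (tuple(s), owner)
        elif status[p] == TRYING and owner == NOBODY:
            s[p] = CRITICAL
            yield ("enter", p), (tuple(s), p)
        elif status[p] == CRITICAL:
            s[p] = IDLE
            yield ("leave", p), (tuple(s), NOBODY)


def mutual_exclusion(state):
    """Invariant: at most one process is in its critical section."""
    return state[0].count(CRITICAL) <= 1


def explore(representative=lambda s: s, invariant=mutual_exclusion):
    """Explicit-state reachability, with every generated state replaced by
    representative(state) before the visited-set lookup.
    Returns (number of states stored, invariant held on all of them)."""
    start = representative(START)
    seen, work = {start}, [start]
    while work:
        s = work.pop()
        if not invariant(s):
            return len(seen), False
        for _rule, t in rules(s):
            r = representative(t)
            if r not in seen:
                seen.add(r)
                work.append(r)
    return len(seen), True


if __name__ == "__main__":
    for name, rep in [("no reduction", lambda s: s),
                      ("canonicalize", canonicalize),
                      ("normalize", normalize)]:
        stored, ok = explore(rep)
        print(f"{name:13s}: {stored:2d} states stored, invariant {'holds' if ok else 'VIOLATED'}")
```

For three processes the unreduced search stores 20 states, while both `canonicalize` and `normalize` store 7, one per symmetry class, and the mutual exclusion invariant holds in all three runs. Swapping the `representative` argument is the only change to the search loop, which mirrors the slide's point that adding the canonical function is the only change made to the Murϕ verifier.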
Practical Results
• Symmetry based algorithm in the Murϕ verification system
• Verified the cache coherence protocol of the DASH multiprocessor
  – Processing nodes communicating with memory modules
  – Each processing node has its own processors and caches

Result on the cache coherence protocol
• Processing nodes: 2, 3, 4
• Reduced the state space by 90%

Data Saturation
• Exploiting data independence
• Theorem: for any finite state system with M scalarsets that are not used as array indexes, there exist finite integers N1...NM such that the reduced state graph has the same size as the one obtained from the system with the scalarsets of sizes N1...NM or above, even if the sizes approach infinity
• Reduces the infinite state space to a finite one

Conclusion
• Symmetry can be exploited in the verification of concurrent systems
• Rotational symmetry can also be handled in the same way
• Can be applied to other high level languages, specifications and models
• In several cases more efficient verification due to the reduced state space

Thank you for your attention