The supercompiler SCP4 verification.
Alexei P. Lisitsa, The University of Liverpool.
Andrei P. Nemytykh, Program System Institute, Russian Academy of Sciences.
Verification of parameterized systems by the supercompiler SCP4. ( http://www.csc.liv.ac.uk/~alexei/VeriSuper/ )
• Successful experiments on verification of global cache coherence protocols:
  IEEE Futurebus+, MOESI, MESI, MSI, “The University of Illinois”, DEC Firefly, “Berkeley”, Xerox PARC Dragon.
• More global parameterized protocols:
  Java Meta-Locking Algorithm, Reader-Writer protocol.
A class of parameterized cache coherence protocols.
Cache coherence protocols are used to maintain data consistency in multiprocessor systems equipped with local fast caches (elements of memory). A class of such protocols can be described as the following games. Let n baskets be given; the i-th basket contains x_i stones. A step of the game is a transfer of y_ik stones from the i-th basket to the k-th basket (for all 0 < i,k < n+1), provided the y_ik satisfy some conditions. If two or more steps can be done at the same time, one of them is chosen at random. Given a start configuration of such a game, the data consistency problem is the problem of non-reachability of certain configurations in the game.
Testing.
• Given a total recursive function f: D → M, let Im(f) be a subset of the truth set of a total recursive predicate (the post-condition).
• Let P be a program implementing this predicate, and let Pf be a program such that for every d0 in D the call Pf(d0) terminates. Let Pf be assumed to implement f.
• Testing of Pf with respect to the post-condition is a program T: D → {True, False} implementing the composition P∘Pf.
• For every d0 in D, the result T(d0) = True confirms correctness of Pf on d0, while T(d0) = False gives a test d0 on which Pf is invalid.
Verification.
• Running over the whole D with a valid result of the testing verifies Pf with respect to the post-condition.
• Let an optimizer be given such that the result of optimizing P∘Pf with respect to the parameter d is a program with a simple syntactical property guaranteeing that its image is {True}.
• Let the result of optimization, by definition of the optimizer, implement an extension of the partial function implemented by the program to be transformed (in our case P∘Pf).
• In such a case we have verification of Pf with respect to the post-condition.
Encoding of a class of cache coherence protocols.
• Evolution of the set of states of a multiprocessor system is a non-deterministic dynamic system with discrete time.
• Let Int(time, InitConfig) be an interpreter of the system, such that, given a start configuration InitConfig of the system, Int returns the configuration Config the system reaches in time.
• To simulate the non-deterministic choice we mark the time's tacts with the random actions taking place in the system.
• The correctness of the protocols is expressed by unreachability of a special kind of configurations, and it is tested by a predicate-program applied to Config.
• The task for a supercompiler is to specialize the composition of this predicate-program with Int(time, InitConfig0).
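The basket-game encoding and the interpreter Int(time, InitConfig) from the slides above, as an added example that is not part of the original deck or the authors' Refal programs. The rule set is a constructed MSI-style protocol of my own (invalid, shared, modified baskets), not the authors' MOESI encoding; the function names Int, coherent and run_testing are assumptions. It performs only the testing step of the slides, exhaustively over finite inputs d0 = (n, time); the whole-D verification is what supercompilation does symbolically.

```python
from itertools import product

# Constructed MSI-style rule set in the "basket game" form of the slides:
# a configuration is a tuple of stone counts (invalid, shared, modified),
# and a step is guarded and moves stones between baskets. These rules are
# an illustration, not the MOESI encoding used by the authors.
ACTIONS = ("rm", "wh", "wm")

def step(config, action):
    """Apply one random action; return None when its guard fails."""
    inv, sh, mod = config
    if action == "rm" and inv >= 1:      # read miss: writer downgrades, reader joins shared
        return (inv - 1, sh + mod + 1, 0)
    if action == "wh" and sh >= 1:       # write hit in shared: other sharers invalidated
        return (inv + sh - 1, 0, mod + 1)
    if action == "wm" and inv >= 1:      # write miss: every other copy invalidated
        return (inv + sh + mod - 1, 0, 1)
    return None

def Int(time, init_config):
    """Interpreter of the slides: `time` is a sequence of tacts, each marked
    with the random action chosen at that tact. A tact whose guard fails is
    skipped, so Int is total for every input, like Pf in the slides."""
    config = init_config
    for action in time:
        nxt = step(config, action)
        if nxt is not None:
            config = nxt
    return config

def coherent(config):
    """The post-condition: never two writers, never a writer beside a reader."""
    inv, sh, mod = config
    return mod <= 1 and not (mod >= 1 and sh >= 1)

def run_testing(n_procs, max_time):
    """Testing, not verification: evaluate T(d0) = coherent(Int(time, init))
    for one n and every action word up to max_time tacts. Returns the first
    failing d0 = (init, time), or None when all tested inputs confirm Pf."""
    init = (n_procs, 0, 0)
    for t in range(max_time + 1):
        for time in product(ACTIONS, repeat=t):
            if not coherent(Int(time, init)):
                return (init, time)
    return None

if __name__ == "__main__":
    print(run_testing(4, 6))   # None: no counterexample within 6 tacts for 4 processors
```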
The MOESI protocol. (The proof by SCP4: induction on time.)
[Proof-tree diagram: nodes Theorem 1, Theorem 2 and Lemma, with branches ending in True.]
Verification of the Xerox PARC Dragon cache coherence protocol.
• An error in a description of the protocol has been found as a result of analyzing the residual program (the description is from G. Delzanno, Automatic Verification of Parameterized Cache Coherence Protocols), and a test indicating the error was constructed.
• Successful verification of a corrected version of the description of the protocol was done: http://www.disi.unige.it/person/DelzannoG/protocol.html
Language's dependence. (The MOESI protocol)
Without Append (the configuration is built by concatenating the variables directly):

    RandomAction { …
      … = (invalid e.x1) (modified ) (shared I e.x3 e.x4) (exclusive ) (owned e.x2 e.x5);
    … }

With an explicit Append function:

    Append { () (e.y) = e.y;
             (s.z e.x) (e.y) = s.z <Append (e.x) (e.y)>; }

    RandomAction { …
      … = (invalid e.x1) (modified ) (shared I <Append (e.x3) (e.x4)>) (exclusive ) (owned <Append (e.x2) (e.x5)>);
    … }