A Survey ofRely-Guarantee Approaches in

Compositional Verification

Murat Demirbas

OSU

Typical verification methods:

• Deduction:– Temporal and Modal Logic, Emerson 90– TLA, Lamport 94– UNITY Logic, Chandy & Misra 88

• Model Checking

Typical verification methods:

• non compositional

• require a global examination of the entire system

• effective on small examples, however, fail to scale up for large-scale systems

A plea for Compositional Verification

≜ any automaton with 10 states• A ≜ parallel composition of 80 of such ’s• A has 1080 states

– Greater than the # of electrons in the universe

• Now, consider the Internet …• The verification method should scale

linearly rather than exponentially in the number of components

Compositional Verification Methods:

• shift the burden of verification from the global level to the component (local) level

• so that global properties are established by composing independently verified component properties.

Compositional Verification Methods: (cont.)

• Enables us to verify whether a program meets its spec on the basis of the specs of its components (without assuming any knowledge of the interiors of those components).

Rely-Guarantee Approach

• The best studied approach to compositional verification

• A rely-guarantee spec for M is (R, G)– R: the conditions that M relies on its

environment to provide– G: the conditions that M guarantees in return

Rely-Guarantee Approach (cont.)

• The intuition for using R-G specs for M– M needs to behave correctly only when its

environment does

• M (R,G) :⊨ the environment of M violates R before M fails to satisfy G

Composition Principle

Let M be the composition of Mi s.t. iI. Ifj:: R /\ Gi Rj

i:: Mi (R⊨ i, Gi)

• /\ Gi G

ThenM (R,G)⊨

Cyclic Dependencies

output var c initially 0;input var d;loop

<c:=d>endloop

output var d initially 0;input var c;

loop<d:=c>

endloop

c

d

M1 M2

Safety properties in Rely

• M1

– R1: always d=0

– G1: always c=0

• M2

– R2: always c=0

– G2: always d=0

• M ≜ M1 || M2

• R: true

• G: always c=0 d=0

Liveness properties in Rely

• M1

– R1: eventually d=1

– G1: eventually c=1

• M2

– R2: eventually c=1

– G2: eventually d=1

• M ≜ M1 || M2

• R: true

• G: ???

Outline

1. History of compositional verification

2. Stark’s work

3. Abadi & Lamport’s work

4. Lazy composition

5. Modified Rely-Guarantee rules

6. Other work

7. Rely-Guarantee wrappers for f-t

8. Conclusion

1. History of Compositional Verification

• Compositionality in predicate logic, Frege 1923

• Sequential program verification– Inductive assertion method (non

compositional), Floyd 67– axiomatic compositional proof style, Hoare 69

History of Compositional Verification (cont.)

• Concurrent & distributed systems– Proof system for shared variable concurrency:

interference freedom test (non compositional), Owicky & Gries 76

– Temporal logic (non compositional), Pnueli 77– Rely-guarantee formalism (compositional),

Misra & Chandy 81– Rely-guarantee formalism for safety properties

in shared-memory, Jones 81, 83

Misra & Chandy: Proofs of Network of Processes

• Spec for a process Mi is “Ri | Mi | Gi”– Gi holds for empty trace– for all traces t of Mi, if Ri holds for all proper prefixes

of t, then Gi holds for all prefixes (proper & improper) of t

• R | M | G holds if – R /\ Gi /\ Rj

i:: Ri | Mi | Gi

– /\ Gi G

Hoare’s proof rule is an instance of composition principle

• Precondition: the rely of the program on the program state when the control reaches that point

• Postcondition: what the program guarantees in return if and when the control leaves that point

• Limited to the verification of safety properties only

M = M1;M2

• If – RR1, {R1}M1{G1},

– G1R2, {R2}M2{G2}, G2G

• Then {R}M{G}– R G1 G2 R1 , R G1 G2 R2

– M1 (R⊨ 1, G1), Mi (R⊨ i, Gi)

– G1 G2 G

2. Stark’s Proof Technique for Rely-Guarantee Properties

• Stark’s proof technique rules out circular dependencies in liveness conditions; one can derive global liveness properties of a system from its components’ liveness properties.

Stark’s work

• Intuition: Find a set of specs that “cuts” the dependence between a component Mi and its environment. Analogy: loop invariant

• RGi,j = what Mi guarantees to Mj = what Mj relies on Mi to provide

{RGi,j: i,jI{ext}} is a cut set:

• R /\jI RGext,j

• /\iI RGi,ext G

• (j:: /\iI{ext} RGi,j Rj )

• (i:: Gi /\jI{ext} RGi,j )

Acyclic cut sets

• If no Ri holds, then no Gi holds, hence G does not hold

m:: \/k{0...m-1} RGik, ik+1

• Finding a cut set is analogous to finding a loop invariant, no algorithm exists

Rely-Guarantee Proof Rule

• M is a program, RG is an acyclic cut set for M, R, G, and {Ri, Gi: iI}

• If (i: iI : M (⊨ Ri, Gi) )

• Then M (⊨ R, G)

Examples

• Verification of a mutual exclusion algorithm (token ring ME)

• Verification of a distributed resource allocation algorithm

• The proof technique is compared against other liveness proof techniques such as Proof Lattice Method (Lamport & Owicky), and Variant Function Method (Floyd)

3. Abadi & Lamport’s work

• Composing Specifications, 92

• Conjoining Specifications, 93

• Main thm: If all the “rely” specifications (R, i:: Ri) are safety properties, then circularity in “Composition Principle” is safe (i.e., does not lead to circular reasoning).

Stuttering Equivalence

• Specifications should allow “stuttering” steps that leave the state unchanged.

• Consider F, G. A behavior of their composition is obtained by interleaving actions from the two components.

• However, this interleaved behavior does not satisfy F, since it contains steps that do not belong to actions of F, nor does it satisfy G.

Conjoining Specs

• Parallel composition is conjunction.

• Temporal Logic of Actions

• Composition thm

• Decomposition thm

(R,G) R→≜ + G (R secures G)

• R →+ G {σ≜ RG | i: σ[i] S(R) σ[i+1] S(G) }

• S(R) :the strongest safety property containing R (i.e., safety closure of R)

• R →+ G rules out unrealizable implementations of RG where S(G) fails before the failure of S(R) can be detected by the component.

• RG R →+ G for machine realizable specs. They allow the same implementations.

Safety properties in rely specs

• R →+ G (R≜ G) (S(R) →+ S(G))

• R →+ G = S(R) →+ (S(G) (R G))

• Thus, any rely/guarantee spec can be converted to one whose rely is a pure safety property.

Composition Thm

Let M be the composition of Mi s.t. iI. Ifj:: S(R) /\ S(Gi) Rj

i:: Mi (R⊨ i, Gi) (i.e., i:: Ri →+ Gi )

• R →+ (/\ Gi G)

Then

M (R,G) ⊨ (i.e., R →+ G )

Decomposition Problem

• Let M M≜ 1 || …|| Mn, Ml M≜ l1 || …|| Ml

n.

• Prove that Ml implements M by proving

((E, /\iI Mli ) (E, /\iI Mi))

• Trivially true if (i: iI : MliMi)

• However, MliMi is not necessarily the case

in top down refinements of a system.

Decomposition

• We can relax MliMi and still reason about

one component at a time: – (i: iI: Ei Ml

iMi )

• However, the composition principle requires proving (i: iI: (/\kI Ml

k Ei)• Instead, we can avoid reasoning about the

entire low level system: – (i: iI: (/\kI Mk Ei))

Decomposition Thm

Ifj:: S(E) /\ S(Mi) Ej

• Ei →+ (Mli Mi)

Then

E →+ (/\iI Mli /\iI Mi)

Queue example

• Q1, Q2: queues of length N.• Q of length 2N+1 can be obtained by

composing Q1 and Q2.• The example is wrong

– Q1 and Q2 refer to N– Q1 and Q2 are not aware of each other

• Shankar 97 presents a buffer example very similar to the queue example

4. Lazy Composition, Shankar 97

• Difficult to apply R-G specs to composition– Gi should be strong enough to imply any potential

constraint Rj.– It is not easy to anticipate all the potential

constraints that might be placed on Mi.

• In lazy composition Gi of Mi is proved of the system Mi|| Ei where Ei captures the expected behavior of the abstract environment for Mi.

Lazy Composition (cont.)

• Gi might not hold for Mi|| Mj , however it holds for Mi|| (Mj Ei).

– Thus, the proof obligation that Mj satisfies Ei can be delayed till later.

• Lazy composition: cited as the main contribution of the paper– Same delay of proof is also possible for the

regular R-G specs.

Composition

• Let Me1= M1|| E1

• Closed co-imposition– Me

1 Me2 ≜ (M1 E2) || (M2 E1)

• Open co-imposition– Me

1 Me2 ≜ Me

1 Me2 || (E1 E2)

• Thm: [Me1Me

2] [Me1]

[Me1 Me

2] [Me1]

Elimination of Ei’s by using Refinement Proofs

• One can show that (M1 E2) || (M2 E1) || (E1 E2) is refined by

M1|| (M2 E1) || (E1 E2) to eliminate E2

• This is the main advantage of this approach– we do not have to prove G1 →+ R2

– instead we can employ a refinement proof to eliminate E2 (i.e. to satisfy R2)

5. Modified Rely-Guarantee rules, Manohar, Sivilotti 96

• M (R,G) (⊨ ≜ E:: (E||M R)⊨ (E||M ⊨G))– Thus, one has to consider all E to prove above.

• Modified Rely-Guarantee: R and G can refer only the local variables in M.

• M (R⌦ G) ⌦ (⊨ ≜ M R) ⊨ (M G) . ⊨

Modified Rely-Guarantee rules (cont.)

• Compositionality:– Let M (R G) ⊨ ⌦– Then (N:: M||N (R G) )⊨ ⌦

• Handles the verification of liveness properties easily.

Composition Thm

Let M be the composition of Mi s.t. iI. Ifj:: R ( /\i<j Ri Gi ) Rj

i:: Mi (R⊨ i G⌦ i)Then

M (R (⊨ ⌦i:: Ri Gi) )

Composition Thm: (safety props)

Let M be the composition of Mi s.t. iI. Ifi:: Ri ,Gi are safety properties j:: R /\Gi Rj

i:: Mi (R⊨ i G⌦ i)Then

M (R (⊨ ⌦i:: Ri Gi) )

Examples

• K mutual exclusion in a ring (works very good)

• Synchronization with Gossip

6. Other work

• The need for compositional proof systems, deRoever 97– Decomposition thm Dijkstra’s verify while develop

approach

• Systematic composition of distributed objects: Processes & Sessions, Chandy & Rifkin 97– Considers Internet (anarchic system) as an application

of bottom up design using composition

Other work (cont.)

• Composition: A way to make proofs harder, Lamport 97– Decomposition thm is popular only because it

can be expressed in terms of PPL favored by CS people

– Decomposition thm is not necessary; when a system is specified using mathematics, decomposition trivially follows from math.

Other work (cont.)

• Towards a compositional approach to the design & verification of distributed systems, Charpentier&Chandy– UNITY framework– Resource allocator example

• Both top-down and bottom-up approaches used

– A component should publish its provided spec as well as different weaker specs to simplify reuse in different applications.

7. Rely-Guarantee wrappers for fault-tolerance

• Let M be the composition of Mi s.t. iI.

• Compositionality principle holds– (i:: Mi (R⊨ i, Gi)) M (R,G)⊨

– I.e., (i:: Si ) S

Rely-Guarantee wrappers (cont.)

• S’i (Fspan(R≜ i ) , Gi)

:masking F-tolerant version of Mi = M’i

• S’’i (Fspan(R≜ i ) , (Si unless Ri)S(Gi)) (Fspan(Ri ) , SiS(Gi)) :fail-safe F-tolerant version of Mi = M’’i

• S’’’i (Fspan(R≜ i ) , Si(True ↦Ri)) :nonmasking F-tolerant Mi = M’’’i

Rely-Guarantee wrappers (cont.)

• Let w’i be the wrapper to be added to Mi to get M’i (i.e., M’i ≜ w’i || Mi )

• R1: Calculate R-G specs for w’i , w’’i , w’’’i

• Si w’i = S’i then w’i ≜ Si S’i

• w’’i ≜ (Si , S’’i ) (Si , (FSpan (Ri ) S(Gi))

• w’’’i ≜ (Si , S’’i )

(Si , (FSpan (Ri ) ↦ Ri))

Proposal:

• Problem: How to calculate FSpan(Ri)?

• Using modified R-G would help – local reasoning while calculating FSpan(Ri)

– In general, we might not avoid global reasoning

• Use abstract faulty environment EFi

– Lazy composition for refinement proofs

• If F is a transient fault: FSpan(Ri) =True

Rely-Guarantee wrappers (cont.)

• R2: Prove that – (i:: S’i ) S’

– (i:: S’’i ) S’’

– (i:: S’’’i ) S’’’

• Can M be made F-tolerant by composing each Mi with wi ?

R2Need to show

j:: Rx /\ Gxi Rx

j

– Rx /\ Gxi Gx

To deduce (i:: RxiGx

i ) (Rx Gx )

• Easy for closed systems (R=True); – reuse criterion Gx

i Gj

– Ri Fspan(Rj )– Interference freedom rule might be needed for

nonmasking f-t

8. Conclusion

• (R,G) specs provide a natural (and also graybox) way to specify components

• Composition (via conjunction) provides a simple but powerful model for reasoning about large-scale distributed programs

• It is a good model to study graybox dependability wrappers