Protocol Verification in Nuprl*

Amy P. Felty (1), Douglas J. Howe (1), and Frank A. Stomp (2)

(1) Bell Labs, Murray Hill, NJ 07974, USA. {felty,howe}@bell-labs.com
(2) Dept. of Comp. Sci., UC Davis, Davis, CA 95616, USA. stomp@cs.ucdavis.edu

* In Proceedings of the Tenth International Conference on Computer-Aided Verification, June 1998.

Abstract. This paper presents work directed toward making the Nuprl interactive theorem prover a more effective tool for protocol verification while retaining existing advantages of the system, and describes application of the prover to verifying the SCI cache coherence protocol. The verification is based, in part, on formal mathematics imported from another theorem-proving system, exploiting a connection we implemented between Nuprl and HOL. We have designed and implemented a type annotation scheme for Nuprl's logic that allows type information to be effectively applied by the system's automated reasoning facilities. This is significant because Nuprl's powerful constructive type theory buys much of its expressive power and flexibility at the cost of giving up the more manageable kinds of type systems found in other logics.

1 Introduction

Nuprl [2] is an interactive theorem-proving system in the lineage of LCF. One of its main distinguishing characteristics is its highly expressive formal logic, a constructive type theory whose classical variant has expressive power equivalent to conventional set theory (ZFC) [12, 6].

Nuprl has been extensively applied, and its expressive power has been shown to be a substantial advantage in a variety of domains, but little work has been specifically directed toward effectiveness for the kind of large-scale practical applications where the bulk of the formal mathematics is highly complicated, but shallow and representationally simple.

This paper describes our work in this direction, and features an application of Nuprl to prove safety properties of the SCI cache coherence protocol [8]. We chose SCI as an example partly because its complexity is representative of the scale of algorithms which can be currently handled by mechanized tools. Model checking systems that have been applied to the protocol suffer from state explosion at a small number of processors, though even so some bugs have been found [11]. A second reason for choosing it is that a proof method and supported invariants have already been worked out [3].

Our work has been to improve Nuprl for these kinds of applications without compromising existing advantages of the system by, e.g., adding restrictions to the logic. There are three parts to this work.

Imported mathematics. Verification using an interactive theorem-prover requires a great deal of basic formal mathematics about elementary data structures and models. Building it is time-consuming, and is largely duplication of effort since these basic facts tend to be similar across systems. To avoid doing this ourselves, we import some basic mathematics from HOL [5], a system that has, over the years, accumulated a large corpus of mathematics of the kind useful for software/hardware verification. The paper [7] gives the basic design of the connection between HOL and Nuprl, and [4] gives an extension to it and an application to a moderately difficult problem in metamathematics. Our work, though just a first step, establishes that sharing mathematics can be useful in software/hardware verification.

Type annotation. Nuprl buys its expressive power at the cost of some traditional aspects of type systems. In particular, the type theory's flexibility is in large part due to the fact that terms are untyped in the sense that one cannot determine from the syntax of an expression what, if any, type it is a member of. In this way, Nuprl is similar to set theory, with types being analogous to sets. This is a problem for automation for two reasons. First, it is often important for terms to come with their types; for example, in term rewriting, type information can enable a useful form of conditional rewriting. Second, typing properties require proof, so, for example, every time a lemma is instantiated, the instantiating objects must be proved to have the right types. We have designed and implemented an annotation scheme where terms are decorated with types in such a way that types can (almost always) be efficiently maintained during inference, but no new syntactic restrictions are placed on the logic. We have obtained roughly a factor of 10 speedup in term rewriting (the main workhorse in Nuprl proofs). Unfortunately, the implementation wasn't completed until part-way through the SCI effort, so a good deal of work was done without its benefit.

Tactic support. We represent the protocol and its specification using a familiar kind of embedding of a UNITY-like language. We used Nuprl's tactic mechanism to implement a suite of automated reasoners specialized to this model.

One might ask why not just use HOL (for example)? The answer is that we are aiming to make Nuprl an effective tool for a wide range of formal problems related to protocol verification. For example, we want to be able to reason about abstraction and refinement methods (see [1] for an example), an area where expressive power can be a great advantage. Of course, there are verification tasks, such as checking that the atomic state transitions of a system preserve a property, where expressive power may be less important and where the speed and effectiveness of basic inference mechanisms, such as term rewriting, is crucial. One goal of our work is to enhance the second kind of reasoning without imposing restrictions that affect the first kind.

Our proof is completely constructive (by choice). While we don't see much application for this fact in this particular case, it is noteworthy that constructivity has not gotten in the way. It may be possible to engineer constructive proofs of protocols from which one can synthesize, for example, programs that track simulations of the protocol and produce interesting data about the current state.

In the rest of the paper we describe the SCI correctness proof and the improvements we made to Nuprl. The proof is not yet finished, though it is nearing completion. A description of what remains to be done is included later in the paper. Details of the completed formalization will be available on the web at www.cs.bell-labs.com/~felty/sci/.

2 SCI Cache Coherence and its Formalization in Nuprl

This section gives an overview of the SCI cache coherence protocol and its formalization in Nuprl. Before proceeding to the overview, we give a brief description of Nuprl. Formal mathematics in Nuprl is organized in a single library, which is broken into files simulating a theory structure. Library objects can be definitions, display forms, theorems, comments or objects containing ML code. Definitions define new operators, possibly with binding structure, in terms of existing Nuprl terms and previously defined operators. Display forms provide notations for defined and primitive operators. These notations need not be parsable since Nuprl uses structure editors. Theorems have tree structured proofs, possibly incomplete. Each node has a sequent, and represents an inference step. The step is justified either by a primitive rule, or by a tactic. Nuprl's notion of tactic is derived from that of LCF, as is HOL's.

Nuprl's type theory has a rich set of type constructors. The following are some example types:

  n:N → Bⁿ → Bⁿ,   {x∈N List | x ≠ nil},   n:N × Bⁿ,   (x,y):Z×N⁺ // (x₁y₂ = y₁x₂).

The first of these can be thought of as the type of functions mapping an n and an n-ary bit-vector to an n-ary bit-vector. The second is the type of nonempty lists of natural numbers, the third is the collection of pairs (n, b) such that b is an n-ary bit-vector, and the last is a quotient type representing the rational numbers represented as pairs of integers with the usual equivalence relation.

2.1 SCI Cache Coherence

The SCI protocol is an IEEE standard for specifying communication between multiprocessors in a shared memory model [8]. Due to the space limitations we present a very high-level description of our model of the cache coherence part of that protocol. A detailed description of our model can be found in [3].

Processors which try to access the store form a doubly linked list. This list can be thought of as prioritizing processors so that read and write conflicts do not arise. The protocol is distributed; there is no global cache or global data structure for the linked list. Instead each processor p has a set of local variables which keeps track of, for instance, its view of the cache (cv_p), knowledge of whether or not its view is valid (cs_p), and its current successor (succ_p) and predecessor (pred_p) on the linked list, if any. All communication is via point-to-point message passing. Since a very large number of processors could be on the network, a huge amount of concurrency is present, complicating the understanding of the protocol. (The IEEE standard specifies an upper bound of 64,000 processors. The proof we are formalizing proves the correctness for an arbitrary finite number of processors.)

The protocol is specified as a set of guarded actions. For example, the following is an action executed by the memory controller m.

  buf[m]?readcachefreshQ(p) →
    if status_m = gone then buf[p]!readcachefreshR(m, head_m, cv_m, gone)
    else buf[p]!readcachefreshR(m, head_m, cv_m, ok);
    head_m := p; if status_m = home then status_m := fresh

Here, the guard indicates that this action can be executed if the first message in buf[m] (m's message buffer) has type readcachefreshQ which indicates that processor p wants to read. The message is removed from the queue (received) and the body is executed. A message readcachefreshR(m, head_m, cv_m, gone) is sent to processor p, if some processor on the list had issued a write query (indicated by the argument gone). Otherwise, response readcachefreshR(m, head_m, cv_m, ok) is sent to p. (Argument ok indicates that no processors are on the list which have requested to modify the store.) Local variable status_m is used by m to record whether some processor is on the list which has issued a write query (its value is then gone); or whether processors on the list have issued read queries only (its value is then fresh); or if no such queries have been issued and hence the list is empty (its value is then home). Finally, local variable head_m is maintained by m to record the head of the list. As shown by this example, bodies can contain assignments, conditionals, and sends. In addition to receives, guards can be boolean conditions.

The protocol is represented as 21 actions: 4 for memory including the one above and 17 for each processor. Communication is via 14 types of messages, made up of 7 pairs of query (Q) and response (R) messages. In addition to the above action, memory has two actions responding to write requests, one from a processor that is already on the doubly linked list because it is reading, and one from a processor that is not yet on the list. It also has an action responding to a processor that wants to go off the list. The 17 actions for each processor include one read request, two write requests, actions for requesting to go on the list or to go off the list (for example, after it has "accessed" the store), an action for purging others off the list when it has been given permission to write the store and decided that it is indeed going to do so, actions for modifying the cache, as well as actions that respond to each kind of request from another processor. This high degree of communication is a main complicating factor in the protocol. Several rounds of messages must be exchanged before a processor is on the list with succ_p and pred_p properly set. Thus, the doubly linked list is constantly modified and constitutes an abstraction of the structure which arises during an actual computation. A variable status_p keeps track of a processor p's state with respect to the list and can take on one of 8 possible values.

2.2 Formalization in Nuprl

Our formalization of correctness follows closely the proof in [3]. Our embedding of the semantics of state transition systems in Nuprl is fairly straightforward. We define a state as a pair where the first component is the usual mapping from identifiers to values. The second component is a history variable that records the sequence of messages that have been sent and received during the entire execution. This history variable is important for reasoning about the program's communication behavior. The Nuprl definitions of the components of state are given below. Booleans (B), atoms, integers (Z), and lists are defined in the standard Nuprl libraries.

  PId     == {k:Z | k ≥ 0}
  id      == Atom × PId
  mesg    == Z × Z List
  hist_el == B × PId × Z × mesg
  hist    == hist_el List
  state   == (id → Z) × hist

For simplicity, the values of all identifiers (id) are assumed to be integers. The first component of an identifier is its name (type Atom) and the second is the process identifier (type PId) to which the variable belongs. The first component of a history element (hist_el) is a boolean value indicating whether the message is a send (tt) or a receive (ff). The remaining components are the sender, receiver, and message (type mesg). Message types such as readcachefreshQ are encoded as integers as the first component of a message. The second component encodes the arguments.

Expressions and commands are defined as functions on state. As an example, we give the definition of the assignment command.

  com    == state → state
  x := e == λs. <λy. if (x = y) then (e·s) else (y·s), s.h>

Nuprl's display forms are used to define := and · as infix operators. The dot is used for evaluation in a state and is overloaded. Here e·s is expression evaluation defined as (e s), and y·s maps identifiers to values and is defined as (s.1 y) (where .1 denotes the projection of the first element of a pair). Other commands are defined similarly. Note that the assignment statement updates the first component of the state. The send command updates the second component by simply adding a history element to the front of the history with tt as its first component and the new message as its last component. (Histories and buffers are represented in reverse order.) The receive command also adds a history element to the front of the history, but is more complicated because it computes this element from the contents of the current history h. It uses an operation queue(p, h) which filters out those history elements that contain messages that have been sent and not yet received by process p. It then chooses the last (oldest) element and creates a new copy whose first component is ff. The message buffer of a process p in state s, denoted (buf[p])s, is also computed using queue. In this case, the message components of the elements of list queue(p, s.2) are projected out.

A program is defined as a pair containing a list of commands and an initial condition which is a predicate on state (of type state → P1 where P1 is the type of Nuprl propositions). In our model, a command is enabled if it changes the state when applied. Thus commands whose guards are true but do not change the state are considered disabled. A trace is defined in the usual way as a function from natural numbers to states such that for any n, there is an action (enabled or not) such that when applied to state n results in state n+1.

The correctness of the SCI cache coherence protocol is stated as five linear temporal logic formulas. The first, for example, expresses that there is always a unique cache owner. The notion of cache owner is fairly complex because of the distributed nature of the protocol. If no processor has requested to write to the cache, then memory is the owner. Otherwise, the owner roughly corresponds to the processor p whose variable cs_p has value dirty. However, there are various cases where 0 or more than 1 processor has this value. In such cases there is always a message in some processor's buffer that will cause it to set its value of cs_p to dirty or to something else making it or some other processor the unique owner. In order to show that this uniqueness property and the other four properties hold, we prove a series of complex invariants from which these properties follow. These invariants are expressed as 14 lemmas (spanning several pages in [3]), each with several interdependent clauses. There are also many auxiliary concepts that appear in the invariants. For example, there are 6 predicates on processors indicating their degree of progress in getting on or off the doubly linked list. The most complex concept is a function called rank whose value reflects how close a process is to getting permission to write.

In related work, Stern and Dill [11] use Murφ, a verification system that employs explicit state enumeration, to analyze SCI cache coherence. Their largest example included three processors with one cache line each, one memory with one address and two data values, and they reported finding several errors using a smaller example. The model they used was extracted from the C code describing the protocol in [8], whereas our model has been constructed from the informal English explanation. By abstracting at this level, inconsistencies in the lower level description were removed. Our model also differs from theirs (and from the SCI protocol standard) in that we have assumed that messages sent from one processor to another processor are always received in the order sent. Stern and Dill check for certain safety properties, two of which are formulated as invariants. One of their invariants corresponds to one of our five correctness properties stating that processors in a certain state have a consistent view of the cache. The other is essentially the same as an invariant in one of our supporting lemmas stating at what point a processor is at the head of the linked list.

In [10], Park and Dill use PVS to verify the FLASH cache coherence protocol. Because the protocol uses directories instead of the distributed list of SCI, it seems simpler, and also it seems that the abstraction method they employ may not be applicable to SCI.

3 Imported Mathematics

In this section we describe the connection between HOL and Nuprl, and summarize how it was used in our proof.

3.1 The Importation Mechanism

We believe that much of the mathematics used in practical verification is highly sharable, including theories of basic data types, and also a good deal of the mathematics related to software modeling and semantic connections to external tools. We have taken a first step toward this kind of sharing by borrowing some of the mathematics we needed for our verification from HOL.

Importation of mathematics from HOL into Nuprl is done at the theory level. An HOL theory consists of some type and individual constants, some axioms (usually definitional) constraining the constants, and a set of theorems following from the axioms (and the axioms of ancestor theories). To import a theory, one interprets the type constants with Nuprl types and the term constants with members of the appropriate types, and then proves the axioms. When this is done, the theorems can then all be accepted immediately as Nuprl theorems. Typechecking is undecidable in Nuprl, so the well-typedness of interpreting terms must be proven explicitly.

Theorems directly imported from HOL are usually of a form that makes them useless for direct application in Nuprl proofs. It turns out that massaging the theorems into the desired form is possible, and is largely automatable.

To illustrate what kind of transformations are needed on directly imported mathematics, consider an example from list theory. The following is a raw import of a HOL theorem stating that a non-empty list is a cons. Because Nuprl currently has a single flat namespace, the names of all imported constants have an "h" prepended to avoid conflicts with Nuprl objects. The outermost quantifier quantifies over the types of all (small) non-empty types (this quantifier is implicit in HOL).

  ∀'a:S. ↑(hall (λl:hlist('a). himplies (hnot (hnull l)) (hequal (hcons (hhd l) (htl l)) l)))

Apart from the outermost quantifier, the logical connectives themselves are imported constants. The transformed, "Nuprl-friendly" theorem generated from the above is

  ∀'a:S. ∀l:'a List. ¬mt(l) ⇒ hd(l)::tl(l) = l.

The logical connectives in HOL are all boolean-valued functions, possibly taking functional arguments, as in the case of the quantifiers. The interpretations of these connectives use boolean logic defined within Nuprl. The boolean connectives are rewritten in the second theorem to Nuprl's normal logical connectives, which are defined using a propositions-as-types correspondence. The operator ↑ in the imported theorem coerces a boolean into a Nuprl proposition. The imported list type is interpreted as Nuprl's list type, and the imported tail function is interpreted as Nuprl's tail function. Note however that htl is applied, as a function, to its argument, while the Nuprl tl is a defined operator with a single operand (Nuprl also has an operator for function application, of course). We have used a notational device to suppress type arguments in the (pre-rewrite) imported theorem. Each of the imported constants in the theorem actually has at least one type argument. In the rewritten theorem, there are no hidden type arguments (the Nuprl operations are "implicitly polymorphic").

The most interesting point in this translation is the function for head of a list. In HOL, this is a total function on lists. When we import it into Nuprl, we must prove that the interpretation returns a value on every list, empty or not. Since hhd is polymorphic, given an arbitrary type and the empty list as an argument, it must choose some arbitrary member of the type as output. Thus we must give hhd a noncomputable definition in Nuprl. However, we can prove that this function is the same as Nuprl's hd when the list is non-empty. This gives us a conditional rewrite which goes through for this example theorem.

3.2 HOL Math Used in the SCI Verification

The main source of HOL theorems used in the SCI verification is a large body of theorems about lists. Lists are important in two central areas of the proof. First, the definition and proof of properties about the contents of buffers require sophisticated list manipulation since, as mentioned, they are computed from the history component of a state. For example, from the definition of buffer, it is fairly straightforward to prove that when a message m is sent to process p in state s, its buffer becomes m::((buf[p])s) where :: is the cons operator. The proof that but_last_el((buf[p])s) is the contents of p's buffer after p receives a message is significantly more complex. The operator but_last_el is defined in an HOL library in terms of the lastn operator (the operation which extracts the last n elements of a list) which is also defined in HOL. The snoc operator, which is the opposite of cons (in particular, the property snoc(x, l) = l @ (x::[]) holds, where @ is the append operator), is also defined in HOL and is useful for reasoning about these operators. The existing HOL theorems about these and a variety of other operators were directly usable in this and other proofs.

The above two theorems are examples of lemmas used as rewrite rules. Nuprl provides powerful automation for the application of rewrite lemmas and good use of this machinery is essential for a large proof such as the SCI verification. We proved and make extensive use of numerous other rewrite lemmas involving histories and buffers. A variety of other theorems about histories and buffers have also been proved and used as support for other kinds of rewrite lemmas. One invariant (part of Lemma 9 [3]) states that any processor has at most one outstanding message. In particular, for any Q/R pair, there is at most one Q message for which a processor is waiting for the corresponding R message. This means that there is either 0 or 1 Q messages from a processor p in some q's buffer, or there is 0 or 1 R messages in p's buffer, but not both. Our rewrite lemmas along with various other list operators and properties from HOL play a central role in proving this fact.

The second area of the proof in which lists are important is in defining the notion of rank. Rank roughly corresponds to the order in which processors have requested to read or write to the cache. It is only defined for active processors, a property of processors that are on or "mostly on" the doubly linked list. An important property is the fact that for any processor, its rank does not increase. This property insures that the list does not contain circularities. As long as a process stays active (and a few other properties hold) its rank will decrease until it becomes 0 at which point it is allowed to write if it has requested to do so. Rank is defined by filtering from the history all read and write requests that memory has received, projecting out the sender, and keeping only the first occurrence of each active processor in the resulting list. The first occurrence corresponds to a processor's most recent request. We prove a variety of lemmas describing how a processor's rank changes with changes in the state. These lemmas are also used as rewrite rules in proving invariants.

4 A Type Annotation Scheme for Nuprl

Our type annotation scheme is a way of attaching type expressions, which we call annotations, to all (or only some) of the subterms of a term. Our scheme meets the following goals.

1. Annotations are optional. Terms that do not have annotations attached to them are treated as before by Nuprl's tactics.
2. If a term t is introduced into a proof as a member of a type T, and t occurs somewhere in the current goal with a compatible annotation, then the requirement to prove t ∈ T is eliminated.
3. Annotations justify rewriting, so that a subterm with an annotation A can be replaced by an equal term (qua member of A) without further justification.
4. There are no heuristics in the scheme per se. Although type inference and checking are highly heuristic in Nuprl, this is independent of the annotation scheme. Annotations for terms are generated by examining the results of applying Nuprl's existing machinery.
5. Annotations can be effectively maintained. In principle, it is possible for annotations to be lost during inference. For example, the generalized term in the induction rule needs to be reannotated (or left without annotations). However, such inference steps form a tiny fraction in practice. For example, annotations are almost never lost during equational rewriting.
6. There are no global tables. We retain the tree-structuring of proofs, with independence of proof branches, that allows us, among other things, to do dependency-directed backtracking, and selective replay of subproofs.
7. Soundness depends only on a fixed set of primitive inference rules that all proofs must reduce to.
8. The scheme is almost entirely invisible to users.

The type theory of the PVS system [9] has some similarities to Nuprl, such as subtypes, (a limited form of) dependent types, and undecidable typechecking. PVS uses a typing discipline that achieves most of the goals above, but it would only be applicable to an insufficiently small subtheory of Nuprl. Some complicating aspects of Nuprl, which aren't present in PVS, are: universe polymorphism; type-indexed equality, so that two terms may both be in two types, but be equal in one type and not in the other; contravariant subtyping, where a function type is enlarged when its domain is shrunk; and general dependent types. In addition, the PVS scheme does not address 7 above.

Nuprl terms have the form θ(x₁:e₁; …; xₙ:eₙ) where θ is an operator and in each operand xᵢ:eᵢ, each of the variables in the sequence xᵢ binds in eᵢ. Note that no types are associated with the variables in this syntax. An annotated term has the form

  θ(…; xᵢ:eᵢ:[φᵢ]Aᵢ; …):B

where the eᵢ are also annotated terms. The expressions [φᵢ]Aᵢ are the subannotations of the term, and can be thought of as the expected types for the operands, and B is the annotation type of the term. Informally, eᵢ:[φᵢ]Aᵢ can be thought of as meaning that under assumption φᵢ, eᵢ has type Aᵢ. The φᵢ can refer to the variables in xᵢ, and can contain, for example, assertions of the form x ∈ T. Examples of annotated terms are fact((3:Z):[true]N):N, where fact, N and Z are factorial, the natural numbers and the integers respectively, and if(b:B; e₁:[b]A; e₂:[¬b]A):A.

One of the key points is how the annotation type of a term relates to its subannotations and to the subannotations of an immediately surrounding term. We chose the minimal requirement that supports rewriting as described above, and so we require only respect for equality. For example, in θ((e:A):[φ]A′):B, where the operand e:A is itself an annotated term, we require, first, that for all x ∈ A′, if x = e ∈ A′ then θ(x) = θ(e) ∈ B, and, second, that for all x ∈ A, if x = e ∈ A then x = e ∈ A′. The generalization of this requirement to the presence of binding variables is straightforward.

As with ordinary typing in Nuprl, the validity of an annotation of a term is undecidable, and must be proven. One possibility would be to generate "type checking conditions" as PVS does, which are side conditions generated whenever a new term is introduced. This is not workable for Nuprl because tactics work by putting together appropriate primitive inference rules, and need an opportunity to assemble proofs of annotation validity at the same time as the proofs justifying the main inference. Rewriting works, for example, by taking a term and producing a rewritten term along with a proof of equality. For annotated terms, it is natural to modify rewriting to take an annotated term, and produce a new term, an equality proof, and also a proof that the new term's annotations are correct. We therefore have two kinds of annotations: one kind we can assume are valid during the course of a proof, and the other must be proved to be valid. The annotation scheme is justified semantically, and requires a re-interpretation of the semantics of sequents. A full report is in preparation.

5 The Correctness Proof in Nuprl

The definition below encodes the formula □P from linear temporal logic and is central in proving invariants. A state s is in an execution of program prg, denoted in_exec(s, prg), if s occurs in some trace of prg.

  inv(prg; λs.I[s]) == ∀s:state. in_exec(prg; s) ⇒ I[s]

In a proof of this magnitude, it was essential to provide a high degree of automation. Our automation falls roughly into two categories: tactics that decompose reasoning modularly, and properties expressing equality and equivalence that can be used by Nuprl's rewriting machinery such as those mentioned in Sect. 3.2. Both the decomposition properties and rewrite theorems include general theorems and theorems specific to SCI. The rewrites for message buffers discussed in Sect. 3.2, for example, are not specific to SCI, while the notion of rank is. The decomposition tactics rely on lemmas that we have proven, such as one stating that to show that inv(prg; λs.I[s]) holds, it suffices to consider one case for each action of the program and to show that the initial condition holds in the initial state. From this general lemma, we proved decomposition lemmas for SCI which decompose reasoning into 21 cases, one for each memory action and one for each processor action for some arbitrary processor p. We chose to further decompose conditional statements into cases so that each case contains only send, receive, and assignment statements. Rewriting operates on these simplified cases. Although these decomposition properties are specific to SCI, we automated the generation of their statements (as well as a variety of other properties specific to SCI) from the definitions of the actions. Their proofs were often largely automatic also. We also automated the application of many of these lemmas by writing tactics which apply them and solve various subgoals automatically.

Of the 14 lemmas expressing invariants, the first 8 (roughly 2.5 pages in [3]) are fairly simple and express properties about the values that various variables can take on during execution. For example, we prove:

  readcachefreshR(p, r, cv, arg) ∈ buf[p] ⇒ [p = m ∧ q ∈ P(n) ∧ (r = nil ∨ r ∈ P(n)) ∧ (arg = ok ∨ arg = gone)].

Here P(n) denotes the set of processors involved in the protocol, with process identifiers 1, …, n.

The 9th lemma contains five statements which together express the property of outstanding messages described in Sect. 3.2 as well as eight statements expressing which kind of outstanding message a processor p has depending on the value of status_p. Lemmas 10 and 11 express a variety of properties of the form □(P W Q) (where W is the weak until operator). We proved a general decomposition theorem for formulas of this form which makes the structure of these proofs similar to those for the other invariants. Lemma 12 expresses some basic properties about rank including two which follow directly from the definition (which is slightly different but equivalent to the one given in [3]) and two which must be proven as invariants. While the invariants up to this point are large and detailed, they are fairly straightforward to prove. The main difficulty in the proof is found in the 13th and 14th lemmas. Lemma 13 has 17 clauses and one assumption which later gets discharged and Lemma 14 has 7 clauses. They state the complex invariants about rank that are required to prove correctness of the protocol.

The proofs up through and including Lemma 11 are completed, as well as the two properties of Lemma 12 that follow from the definition of rank. We have also proven 5 and nearly completed 2 more of the 17 clauses of Lemma 13. For example, we have proven the invariant:

  purgeQ(q) ∈ buf[p] ⇒ (visiting(p) ∧ rank(q) = rank(p) + 1)

where visiting processors are a subset of the active ones. In doing so, we have developed all of the rewrite lemmas about the rank function and all other auxiliary predicates that we need to complete the remainder of Lemmas 12, 13, and 14. The reasoning needed to complete the proof by showing that the desired safety properties follow from these invariants will be detailed but straightforward.

Because we started from a proof of correctness [3], we did not expect to find errors in the protocol. However, we have found two errors in the proof. Two of the conjuncts of the first clause of Lemma 13 could not be proved using the assertions we had formulated, although they are true. To prove these conjuncts, we had to add and prove some additional clauses. One is an invariant explicitly stating that two particular messages sent from one processor to another are received in the order sent.

References

1. C.-T. Chou and D. Peled. Verifying a model-checking algorithm. In Tools and Algorithms for the Construction and Analysis of Systems, volume 1055 of Lecture Notes in Computer Science, pages 241–257. Springer-Verlag, 1996.
2. R. L. Constable, et al. Implementing Mathematics with the Nuprl Proof Development System. Prentice-Hall, Englewood Cliffs, New Jersey, 1986.
3. A. Felty and F. Stomp. A correctness proof of a cache coherence protocol. 1997. Available at www.cs.bell-labs.com/felty/sci/. An earlier version appears in Proceedings of the 11th Annual Conference on Computer Assurance, 1996.
4. A. P. Felty and D. J. Howe. Hybrid interactive theorem proving using Nuprl and HOL. In Fourteenth International Conference on Automated Deduction, volume 1249 of Lecture Notes in Computer Science, pages 351–365. Springer-Verlag, 1997.
5. M. J. C. Gordon and T. F. Melham. Introduction to HOL: A Theorem Proving Environment for Higher Order Logic. Cambridge University Press, 1993.
6. D. J. Howe. On computational open-endedness in Martin-Löf's type theory. In Proceedings of the Sixth Annual Symposium on Logic in Computer Science, pages 162–172. IEEE Computer Society, 1991.
7. D. J. Howe. Importing mathematics from HOL into Nuprl. In Theorem Proving in Higher Order Logics, volume 1125 of Lecture Notes in Computer Science, pages 267–281. Springer-Verlag, 1996.
8. IEEE-P1596-05Nov90-doc197-iii. Part IIIA: SCI Coherence Overview, 1990. Unapproved Draft. Approved standard is described in IEEE Std. 1596-1992 "The Scalable Coherent Interface".
9. S. Owre and N. Shankar. The formal semantics of PVS. Technical report, SRI, August 1997.
10. S. Park and D. L. Dill. Verification of FLASH cache coherence protocol by aggregation of distributed transactions. In 8th ACM Symposium on Parallel Algorithms and Architectures, 1996.
11. U. Stern and D. L. Dill. Automatic verification of the SCI cache coherence protocol. In Correct Hardware Design and Verification Methods, 1995.
12. B. Werner. Sets in types, types in sets. In International Symposium on Theoretical Aspects of Computer Software, volume 1281 of Lecture Notes in Computer Science. Springer-Verlag, 1997.