Verifying Transaction Ordering Properties in Unbounded Multi-Bus Networks



  1. Verifying Transaction Ordering Properties in Unbounded Multi-Bus Networks Michael D. Jones, Ganesh Gopalakrishnan University of Utah, School of Computing FMCAD’00 Austin, Texas

  2. Single-Bus (diagram of a single bus with a chain of agents)

  3. Multi-bus (diagram of several buses joined by bridges)

  4. Case Study • Abstraction, theorem proving and model checking applied to reasoning about multi-bus PCI. • HOL theorem proving too hard (for us...) • Finite state model checking impossible

  5. Motivation • Difficult, interesting problem, but few published solutions • Application to shared memory systems, multi-bus IO

  6. Related Work • PCI Verification: Shimizu FMCAD’00, Clarke CHARME’99, Corella CHDL’97 • Parameterized Branching Networks: Bhargavan TPHOLs’00, Kesten CAV’97

  7. How PCI works (in our model) (diagram: agents and bridges on a bus exchanging posted (p), delayed (d) and delayed-completion (c) entries)

  8. Posted transactions • Posted transaction, P, from A to B. • A puts p on “the rest of the network” and forgets about it. • B receives P and that’s it.

  9. Delayed transactions • Delayed transaction, d, from A to B. • A puts d on “the rest of the network” and waits for a completion. • B receives d and sends a completion, c.

  10. Delayed transactions • 2 bridges between A and B. • Other transactions (d, c, p’) as shown in the diagram. • d tries to latch to bridge 1. • d is now committed (called d’).

  11. Delayed transactions • Eventually, d’ latches to bridge 1. • Bridge 1 has an uncommitted copy of d. • d can pass the other d entry already in bridge 1.

  12. Delayed transactions • d can attempt to latch to bridge 2. • d will then be committed at bridge 1.

  13. Delayed transactions • Eventually, d’ latches to bridge 2.

  14. Delayed transactions • d can pass completion entry c.

  15. Delayed transactions • But, uncommitted d entries can be dropped at any time...

  16. Delayed transactions • Bridge 1 has to resend d’ to bridge 2. • d’ can not be deleted.

  17. Delayed transactions • d can be dropped again... • Pretend it passes c again. • d can not pass posted transactions. • d waits till p’ completes.

  18. Delayed transactions • d commits, then latches to agent B. • B creates a completion entry c.

  19. Delayed transactions • d’ in bridge 2 can complete with the completion in B. • d’ will be deleted from bridge 2. • c will move into bridge 2.

  20. Delayed transactions • d is now complete at bridge 2. • d’ in bridge 1 can complete with c in bridge 2. • c can be deleted too...

  21. Delayed transactions • d is now complete at bridge 1. • Finally, d’ in agent A completes with c in bridge 1.

  22. Delayed transactions • d is now complete at A.

  23. Reordering and deletion • P can pass anything except P. • D and C can pass either D or C. • uncommitted D can be dropped. • oldest C in a queue can be dropped. • P and committed D never dropped.

  24. Producer/Consumer property • if a producer agent writes a data item • and the producer sets a flag • and if the consumer reads the flag • then the consumer will read the new data item. (In any PCI network, during any execution.)
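As an added example (not code from the slides or from the authors' PVS/Murphi models), the queue rules of slide 23 written out as a small Python model: it exhaustively explores every ordering a single bridge queue can reach by passing and dropping, then checks the ordering the Producer/Consumer property of slide 24 relies on, namely that the producer's posted data write stays ahead of its posted flag write. The queue contents are constructed, and "oldest C" is read as the completion nearest the head of the queue, which the slide does not define.

```python
from collections import namedtuple
# Entry kinds: 'P' posted, 'D' delayed request, 'C' completion; `committed` is the
# slides' d' versus d and only matters for D.  Queue head (next to leave) is index 0.
Entry = namedtuple("Entry", "name kind committed")
def can_pass(mover, other):
    """Slide 23: P can pass anything except P; D and C can pass only D or C."""
    return other.kind != "P" if mover.kind == "P" else other.kind in ("D", "C")
def can_drop(entry, queue):
    """Slide 23: uncommitted D may be dropped; only the oldest C may be dropped
    (assumed here to be the C nearest the head); P and committed D never."""
    if entry.kind == "D":
        return not entry.committed
    return entry.kind == "C" and entry == next(e for e in queue if e.kind == "C")
def reachable(queue):
    """All queue states reachable by single passes and drops (finite, so DFS ends)."""
    start = tuple(queue)
    seen, todo = {start}, [start]
    while todo:
        q = todo.pop()
        succs = []
        for i in range(1, len(q)):            # entry i passes the entry ahead of it
            if can_pass(q[i], q[i - 1]):
                succs.append(q[:i - 1] + (q[i], q[i - 1]) + q[i + 1:])
        for i, e in enumerate(q):              # entry i is dropped
            if can_drop(e, q):
                succs.append(q[:i] + q[i + 1:])
        new = set(succs) - seen
        seen |= new
        todo.extend(new)
    return seen
def order_preserved(states, first, second):
    """True if `first` is ahead of `second` in every state that still holds both."""
    for q in states:
        names = [e.name for e in q]
        if first in names and second in names and names.index(first) > names.index(second):
            return False
    return True
def always_kept(states, name):
    return all(any(e.name == name for e in q) for q in states)

# Constructed bridge queue, head first: the producer's posted data write, a committed
# delayed read, a completion, the producer's posted flag write, an uncommitted read.
QUEUE = (Entry("p_data", "P", False), Entry("d1", "D", True), Entry("c1", "C", False),
         Entry("p_flag", "P", False), Entry("d2", "D", False))
def check(queue=QUEUE):
    s = reachable(queue)
    return {"data_before_flag": order_preserved(s, "p_data", "p_flag"),
            "d1_before_c1": order_preserved(s, "d1", "c1"),
            "p_data_kept": always_kept(s, "p_data"), "d2_kept": always_kept(s, "d2")}
```

The search shows the two posted writes never swap and are never dropped, while the delayed request d1 and completion c1 do reorder and the uncommitted d2 can disappear, matching the slides' walkthrough.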

  25. Solution • C = acyclic multi-bus PCI networks • = Producer/Consumer property L = Labelings assigned by Producer/Consumer

  26. Solution • C = acyclic multi-bus PCI networks • = Producer/Consumer property L = Labelings assigned by Producer/Consumer • = Project a finite state model out of n v = Add non-determinism to PCI on n

  27. State Projection (diagram)

  28. State Transitions (diagram)

  29. Unreachable states (diagram)

  30. Adding Non-determinism (diagram)

  31. What is actually modeled (diagram)

  32. Despite the spurious behaviors in PCI’, PCI’ can still be used to prove useful properties of PCI. (diagram)

  33. Refinement Proof (commuting diagram: concrete state s and transition t against the abstracted state and abstract transition t’, with post(t, s) corresponding to post(t’, abstracted s))

  34. Proof Metrics • ~1,500 lines to model transitions and abstraction • ~1,000 proof commands in final proof • ~1 month of effort to build models and do the proof.

  35. Checking the Reduced Model (on the slide each row is labelled by a diagram of one of the four network topologies)

      Topology      States   CPU time (sec)
      Topology 1     2,690        51.20
      Topology 2     1,614        35.35
      Topology 3       914        18.68
      Topology 4       648        12.56
      Total          5,866       117.79

  36. Solution Summary • PVS proof: PCI is a refinement of PCI’. • Murphi model check: four network topologies in n; all traces of PCI’ on all topologies satisfy PC. • Together: all traces of PCI on all configs satisfy PC.

  37. Hierarchical caching networks (model checker diagram: processors P and Q and nodes M, M0, M1, M2 and E exchanging rd(A,-), rd(A,0), rd(A,1), wr(A,0), wr(A,1) and wr(A,2) messages)

  38. Model Checking Results

      Configuration   States    CPU time (sec)
      P P Q           110,995      87.57
      P Q P           151,598      65.51
      P P Q *         618,874     282.40
      Total           881,467     435.48

  39. Discussion and Future Work • Abstraction technique that yields a finite state model which preserves enough information to reason about useful properties in networks where the behavior and arrangement of the intermediate nodes matters. • General refinement proof and tool. • www.cs.utah.edu/formal_verification

  40. State Transitions (diagram)

  41. State Transitions (diagram)

  42. Producer/Consumer for PCI ...for all networks and all executions. (diagram: p, d, c and f messages in a bus chain)

  43. Abstracting PCI Networks (diagram: queue entries labelled F, P, D, C)

  44. Abstracting PCI Networks (diagram: queue entries labelled F, P, D, C)

  45. Abstracting PCI Networks (diagram: queue entries labelled F, P, D, C)

  46. Abstracting PCI Messages (diagram: message labels p, d, c, dw, dc, dwc, fw, cdw, P)

  47. Abstracting PCI Messages (diagram: message labels p, d, c, dw, dc, dwc, fw, cdw, P)

  48. Abstracting PCI Messages (diagram: message labels p, d, c, dw, dc, dwc, fw, cdw, P)

  49. Solution #1 • PVS proof over the PCI model: all traces, all configs. satisfy P/C. • Proofs of obvious lemmas hard: “if a message is present in a queue, then it was created previously”.
