Investigating formal methods for large protocols over unbounded networks and applying them to design the PCI 2.1 protocol, focusing on checking the producer/consumer property. Learn about theorem proving, model checking, and hybrid techniques for protocol design.
Transaction Ordering Verification using Trace Inclusion Refinement Mike Jones 11 January 2000
Case Study • Check the producer consumer property for PCI 2.1 protocol. • Which formal methods are best suited for reasoning about large protocols over unbounded branching networks? • Resulting tools apply to designing, not implementing, a protocol over unbounded branching networks.
Formal methods (in 1 slide) • Formal = truth is based on form, not meaning. • Syntax, not semantics, matters. • Theorem proving • expressive, interactive, machine-checked • Model checking • unexpressive, automatic, complexity • Hybrid techniques • Intel, HP, Compaq, Microsoft, AMD, SRI, Lucent, VSIA ...
Why PCI? • It works. Why verify it? • Published standard violated prod/cons. • Stationary target. • Beyond current formal techniques.
How PCI works [figure: agents and a bridge on a bus; posted (p), delayed (d) and delayed-completion (c) transactions]
Posted transactions • Posted transaction, P, from A to B. • A puts P on “the rest of the network” and forgets about it. • B receives P and that’s it. [figure: A, “the rest of the network”, B]
Posted transactions • Pretend there are 2 bridges between A and B, with the other transactions shown. • Here’s how P gets from A to B... [figure: A, bridge 1 and bridge 2 holding d, c and p’, B]
Posted transactions • P goes to bridge 1. • P is now complete at A. • P can pass delayed transaction d.
Posted transactions • Next, P completes to bridge 2.
Posted transactions • P is now complete at bridge 1. • P can pass the completion trans. C. • P can not pass the other posted trans. P’.
Posted transactions • P waits until P’ completes on bridge 2.
Posted transactions • Pretend that P’ went to another bridge (not shown). • P can now complete to destination B.
Posted transactions • No acknowledgement is sent to A. • P is now complete at B.
Delayed transactions • Delayed trans., d, from A to B. • A puts d on “the rest of the network” and waits for a completion. • B receives d and sends a completion, c. [figure: A, “the rest of the network”, B]
Delayed transactions • 2 bridges between A and B, other transactions as shown. • d tries to latch to bridge 1. • d is now committed (called d’). [figure: A, bridge 1 and bridge 2 holding d, c and p’, B]
Delayed transactions • Eventually, d’ latches to bridge 1. • Bridge 1 has an uncommitted copy of d. • d can pass the other d entry already in bridge 1.
Delayed transactions • d can attempt to latch to bridge 2. • d will then be committed at bridge 1.
Delayed transactions • Eventually, d’ latches to bridge 2.
Delayed transactions • d can pass completion entry c.
Delayed transactions • But, uncommitted d entries can be dropped at any time...
Delayed transactions • Bridge 1 has to resend d’ to bridge 2. • d’ can not be deleted.
Delayed transactions • d can be dropped again... • Pretend it passes c again. • d can not pass posted transactions. • d waits till p’ completes.
Delayed transactions • d commits then latches to agent B. • B creates a completion entry c.
Delayed transactions • d’ in bridge 2 can complete with the completion in B. • d’ will be deleted from bridge 2. • c will move into bridge 2.
Delayed transactions • d is now complete at bridge 2. • d’ in bridge 1 can complete with c in bridge 2. • c can be deleted too...
Delayed transactions • d is now complete at bridge 1. • Finally, d’ in agent A completes with c in bridge 1.
Delayed transactions • d is now complete at A. • No more actions!
Reordering and deletion • P can pass anything except P. • D and C can pass either D or C. • uncommitted D can be dropped. • oldest C in a queue can be dropped. • P and committed D never dropped.
Producer/Consumer property • if a producer agent writes a data item • and the producer sets a flag • and if the consumer reads the flag • then the consumer will read the new data item.
Producer/Consumer for PCI [figure: transactions p, d, c and f in flight across the network] ...for all networks and all executions.
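The reordering and deletion rules and the producer/consumer property above can be checked exhaustively on a tiny fixed network by explicit-state exploration. The Python script below is an added example, not the SML/murphi model from the talk. It assumes a constructed one-bridge topology (producer A and the flag on one segment, the data item and consumer B on the other), encodes the “Reordering and deletion” rules as a table, and explores every interleaving, including uncommitted-entry drops, completion drops and retries, to confirm that the consumer never reads a stale data item. For contrast it also runs a hypothetical weakened rule set (constructed, not from the PCI standard) in which a completion may pass a posted write queued ahead of it; that variant yields a violating trace.

```python
"""Explicit-state check of the PCI producer/consumer property on a one-bridge
network. Constructed illustration, not the deck's SML/murphi model."""
from collections import deque

# Reordering rules from the "Reordering and deletion" slide, as
# mover -> kinds of queue entry it may pass: P passes anything except P,
# D and C pass only D or C.
PCI_RULES = {'P': {'D', 'C'}, 'D': {'D', 'C'}, 'C': {'D', 'C'}}

# Hypothetical weakening used only for contrast: a completion may also
# pass a posted write queued ahead of it.
WEAK_RULES = {'P': {'D', 'C'}, 'D': {'D', 'C'}, 'C': {'D', 'C', 'P'}}

# Topology (constructed): producer A and the flag on segment 1, the data item
# and consumer B on segment 2, one bridge with queues fwd (1->2) and back (2->1).
# State: (data, flag, fwd, back, producer_pc, consumer_pc).
INITIAL = (0, 0, (), (), 0, 'idle')


def successors(state, rules):
    data, flag, fwd, back, prod, cons = state
    nxt = []
    if prod == 0:                        # A posts the data write into the bridge
        nxt.append((data, flag, fwd + (('P', 'data'),), back, 1, cons))
    elif prod == 1:                      # A then sets the flag on its own segment
        nxt.append((data, 1, fwd, back, 2, cons))
    # B issues the delayed flag read, or retries it after the bridge dropped it.
    in_flight = any(e[0] == 'D' for e in back) or any(e[0] == 'C' for e in fwd)
    if cons in ('idle', 'wait') and not in_flight:
        nxt.append((data, flag, fwd, back + (('D', 'flag'),), prod, 'wait'))
    if cons == 'flag_set':               # B saw the flag set: read the data item locally
        nxt.append((data, flag, fwd, back, prod, 'done' if data == 1 else 'violation'))
    if fwd:                              # bridge delivers the head of the 1->2 queue
        head, rest = fwd[0], fwd[1:]
        if head[0] == 'P':
            nxt.append((1, flag, rest, back, prod, cons))
        else:                            # completion meets B's committed read
            nxt.append((data, flag, rest, back, prod, 'flag_set' if head[2] else 'idle'))
            nxt.append((data, flag, rest, back, prod, cons))  # oldest completion dropped
    if back:                             # flag read reaches segment 1, completion created
        nxt.append((data, flag, fwd + (('C', 'flag', flag),), back[1:], prod, cons))
    for qi, q in ((2, fwd), (3, back)):  # swap adjacent entries when the rules allow it
        for i in range(len(q) - 1):
            if q[i][0] in rules[q[i + 1][0]]:
                s = list(state)
                s[qi] = q[:i] + (q[i + 1], q[i]) + q[i + 2:]
                nxt.append(tuple(s))
    for i, e in enumerate(back):         # uncommitted delayed copies may be dropped
        if e[0] == 'D':
            nxt.append((data, flag, fwd, back[:i] + back[i + 1:], prod, cons))
    return nxt


def check(rules):
    """BFS over reachable states; returns (state count, violating trace or None)."""
    parent = {INITIAL: None}
    todo = deque([INITIAL])
    while todo:
        s = todo.popleft()
        if s[5] == 'violation':
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return len(parent), trace[::-1]
        for t in successors(s, rules):
            if t not in parent:
                parent[t] = s
                todo.append(t)
    return len(parent), None


if __name__ == '__main__':
    for name, rules in (('PCI 2.1 rules', PCI_RULES), ('completion passes posted', WEAK_RULES)):
        n, trace = check(rules)
        print(f'{name}: {n} states, {"violation" if trace else "property holds"}')
        for st in trace or []:
            print('   ', st)
```

Under the PCI rules the completion carrying flag = 1 sits behind the posted data write in the bridge’s 1→2 queue and cannot pass it, so the data item is already written when the consumer learns the flag is set. The weakened table lets the completion overtake the write, and the printed trace shows the consumer reading flag = 1 and then data = 0. The model is one small network, not the unbounded family the talk reduces; that reduction is what the refinement argument on the later slides supplies.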
Solution • Carefully reduce the problem • Check the reduced problem • Generalize results
Related work • Other PCI work. • liveness [Corella,97] • state machine specifications [Clarke,99] • U of Utah [Mokkedem et al,00] • Unbounded branching networks. • predicate transformers[Kesten,97] • predicate abstraction[Das,99] • Combined method [Abdulla,99]
Careful reduction • Reduce arbitrary PCI networks to N networks. • Reduce infinite state to finite states. • Show that PCI is a trace inclusion refinement of the reduced protocol.
Structural Reduction [figure: network diagrams annotated with the p, d, c and f transactions]
Unrelated paths and agents [figure: network before and after removing the paths and agents not carrying p, d, c or f]
State reduction • PCI networks have an infinite # of states. • Ignore certain transactions while preserving the PC property.
Unrelated Transactions [figure: queue contents before and after ignoring unrelated transactions; labels p, d, d’, c, dw, dwc, cdw, fw]
Trace Inclusion Refinement • For every trace in the concrete protocol, there exists a trace in the reduced protocol such that the reduction of each concrete state is equal to the corresponding abstract state.
...Applied to PCI • Write a set of rules inductively defining the reachable states in PCI and reduced model.
Check reduced model • Used SML and the murphi model checker. • Rule-based input languages. • 3,176 states checked in 67 seconds. • Property was satisfied.
Changing the model • A different protocol • PCI without local master IDs • About 1/2 a day of effort • Plausible violation found in under 10 minutes • A different property • When are two transactions received in order? • Useful for an on-chip bus being considered for SOC • 1/2 an hour additional effort
Conclusions • A combination of rule-based notation, theorem proving and model checking works. • Easy to modify both the protocol and the property being checked.
Future work • Automate the refinement proof. • Tools for deriving reduced protocols for mutations of protocols. • Anyone have a protocol over an unbounded network they need studied?
Outline • Lay the groundwork • Overview PCI and the property • Our solution • What makes our solution so good • Discussion and conclusions
Why Formal Methods? • Simulation impossible: infinite states. • Does not guarantee correctness. • Forced to identify assumptions. • Capital-critical applications.