1 / 54

Transaction Ordering Verification using Trace Inclusion Refinement

Investigating formal methods for large protocols over unbounded networks and applying them to design the PCI 2.1 protocol, focusing on checking the producer/consumer property. Learn about theorem proving, model checking, and hybrid techniques for protocol design.

Download Presentation

Transaction Ordering Verification using Trace Inclusion Refinement

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Transaction Ordering Verification using Trace Inclusion Refinement Mike Jones 11 January 2000

  2. Case Study • Check the producer consumer property for PCI 2.1 protocol. • Which formal methods are best suited for reasoning about large protocols over unbounded branching networks? • Resulting tools apply to designing, not implementing, a protocol over unbounded branching networks.

  3. Formal methods (in 1 slide) • Formal = truth is based on form, not meaning. • Syntax, not semantics, matters. • Theorem proving • expressive, interactive, machine-checked • Model checking • unexpressive, automatic, complexity • Hybrid techniques • Intel, HP, Compaq, Microsoft, AMD, SRI, Lucent, VSIA ...

  4. Why PCI? • It works. Why verify it? • Published standard violated prod/cons. • Stationary target. • Beyond current formal techniques.

  5. How PCI works Bus Posted d p c Delayed completion d Agent Bridge

  6. p Posted transactions • Posted transaction, P, from A to B. • A puts p on “the rest of the network” and forgets about it. • B receives P and that’s it. The Rest of the network B A

  7. p Posted transactions • Pretend there are 2 bridges between A and B • With the other transaction shown. • Here’s how P gets from A to B... d c p’ B A

  8. p Posted transactions • P goes to bridge 1. • P is now complete at A. • P can pass delayed transaction d d c p’ B A

  9. p Posted transactions • Next, P completes to bridge 2. d c p’ B A

  10. p Posted transactions • P is now complete at bridge 1. • P can pass the completion trans. C. • P can not pass the other posted trans. d c p’ B A

  11. p Posted transactions • P waits until P’ completes on bridge 2 d c p’ B A

  12. p Posted transactions • Pretend that P’ went to another bridge (not shown). • P can now complete to destination B. d c B A

  13. p Posted transactions • No acknowledgement is sent to A. • P is now complete at B. d c B A

  14. d Delayed transactions • Delayed trans., d, from A to B. • A puts d on “the rest of the network” and waits for a completion. • B receives d and sends a completion,c. The Rest of the network B A

  15. d’ Delayed transactions • 2 bridges between A and B • Other transactions as shown. • d tries to latch to bridge 1. • d is now committed (called d’). d c p’ B A

  16. d’ d Delayed transactions • Eventually, d’ latches to bridge 1. • bridge 1 has an uncommitted copy of d • d can pass the other d entry already in bridge 1. d c p’ B A

  17. d’ d Delayed transactions • d can attempt to latch to bridge 2. • d will then be committed at bridge 1. d c p’ B A

  18. d’ d’ Delayed transactions • Eventually, d’ latches to bridge 2. d c p’ B A

  19. d’ d’ d Delayed transactions • d can pass completion entry c. d c p’ B A

  20. d’ d’ d Delayed transactions • But, uncommitted d entries can be dropped at any time... d c p’ B A

  21. d’ d’ Delayed transactions • bridge 1 has to resend d’ to bridge 2 • d’ can not be deleted d c p’ B A

  22. d’ d’ d Delayed transactions • d can be dropped again... • pretend it passes C again. • d can not pass posted transactions. • d waits till p’ completes. d c p’ B A

  23. d’ d’ d Delayed transactions • d commits then latches to agent B. • B creates a completion entry C. d c B A

  24. d’ d’ d’ d’ c Delayed transactions • d’ in bridge 2 can complete with the completion in B. • d’ will be deleted from bridge 2. • c will move into into bridge 2. d c B A

  25. d’ d’ d’ c Delayed transactions • d is now complete at bridge 2. • d’ in bridge 1 can complete with c in bridge 2. • c can be deleted too... d c B A

  26. d’ d’ c Delayed transactions • d is now complete at bridge 1. • finally, d’ in agent A completes with c in bridge 1. d c B A

  27. d’ c Delayed transactions • d is now complete at A. • no more actions! d c B A

  28. Reordering and deletion • P can pass anything except P. • D and C can pass either D or C. • uncommitted D can be dropped. • oldest C in a queue can be dropped. • P and committed D never dropped.

  29. Producer/Consumer property • if a producer agent writes a data item • and the producer sets a flag • and if the consumer reads the flag • then the consumer will read the new data item.

  30. ... p d ... c f Producer/Consumer for PCI ...for all networks and all executions.

  31. Solution • Carefully reduce the problem • Check the reduced problem • Generalize results

  32. Related work • Other PCI work. • liveness [Corella,97] • state machine specifications [Clarke,99] • U of Utah [Mokkedem et al,00] • Unbounded branching networks. • predicate transformers[Kesten,97] • predicate abstraction[Das,99] • Combined method [Abdulla,99]

  33. Careful reduction • Reduce arbitrary PCI networks to N networks. • Reduce infinite state to finite states. • Show that PCI is a trace inclusion refinement of the reduced protocol.

  34. Structural Reduction

  35. Structural Reduction

  36. Structural Reduction p d p d p c f f f c c d

  37. Unrelated paths and agents ... p d ... c f  p d f c

  38. State reduction • PCI networks have an infinite # of states. • Ignore certain transactions while preserving the PC property.

  39. Unrelated Transactions dwc p c dwc d dw d’ d p fw ... p d p p p c cdw  dwc dw fw p cdw

  40. Trace Inclusion Refinement For every trace in the concrete protocol.

  41. Trace Inclusion Refinement For every trace in the concrete protocol. There exists a trace in the reduced protocol...

  42. Trace Inclusion Refinement For every trace in the concrete protocol. There exists a trace in the reduced protocol... Such that the reduction of each concrete state is equal to the corresponding abstract state.

  43. ...Applied to PCI • Write a set of rules inductively defining the reachable states in PCI and reduced model.

  44. Check reduced model • Used SML and murphi model checker. • Rules based input languages • 3,176 states checked in 67 seconds. • Property was satisfied.

  45. Changing the model • A different protocol • PCI without local master IDs • About 1/2 a day of effort • Plausible violation found in under 10 minutes • A different property • When are two transactions received in order? • Useful for an on-chip bus being considered for SOC • 1/2 an hour additional effort

  46. Conclusions • A combination of rule-based notation, theorem proving and model checking works. • Easy to modify both the protocol and the property being checked.

  47. Future work • Automate the refinement proof. • Tools for deriving reduced protocols for mutations of protocols. • Anyone have a protocol over an unbounded network they need studied?

  48. Outline • Lay the groundwork • Overview PCI and the property • Our solution • What makes our solution so good • Discussion and conclusions

  49. Why Formal Methods? • simulation impossible: infinite states. • Does not guaruntee correctness. • Forced to identify assumptions. • Capitol critical applications.

More Related