Verifying Transaction Ordering Properties in Unbounded Multi-Bus Networks
Michael D. Jones, Ganesh Gopalakrishnan, University of Utah, School of Computing
FMCAD’00, Austin, Texas
Single-Bus (diagram)
Multi-bus (diagram)
Case Study
• Abstraction, theorem proving and model checking applied to reasoning about multi-bus PCI.
• HOL theorem proving too hard (for us...)
• Finite state model checking impossible

Motivation
• Difficult, interesting problem, but few published solutions
• Application to shared memory systems, multi-bus IO

Related Work
• PCI Verification: Shimizu:FMCAD’00, Clarke:Charme’99, Corella:CHDL’97
• Parameterized Branching Networks: Bhargavan:TPHOLs’00, Kesten:CAV’97
How PCI works (in our model) (diagram: agents and bridges on a bus; posted transaction p, delayed transaction d, delayed completion c)
Posted transactions
• Posted transaction, P, from A to B.
• A puts P on “the rest of the network” and forgets about it.
• B receives P and that’s it.

Delayed transactions
• Delayed trans., d, from A to B.
• A puts d on “the rest of the network” and waits for a completion.
• B receives d and sends a completion, c.

Delayed transactions (walkthrough: 2 bridges between A and B, other transactions d, c, p’ in the bridge queues as shown in the diagrams)
• d tries to latch to bridge 1.
• d is now committed (called d’).
• Eventually, d’ latches to bridge 1.
• Bridge 1 has an uncommitted copy of d.
• d can pass the other d entry already in bridge 1.
• d can attempt to latch to bridge 2.
• d will then be committed at bridge 1.
• Eventually, d’ latches to bridge 2.
• d can pass completion entry c.
• But uncommitted d entries can be dropped at any time...
• Bridge 1 has to resend d’ to bridge 2; d’ cannot be deleted.
• d can be dropped again... pretend it passes c again.
• d cannot pass posted transactions: d waits until p’ completes.
• d commits, then latches to agent B.
• B creates a completion entry c.
• d’ in bridge 2 can complete with the completion in B.
• d’ will be deleted from bridge 2; c will move into bridge 2.
• d is now complete at bridge 2.
• d’ in bridge 1 can complete with c in bridge 2; c can be deleted too...
• d is now complete at bridge 1.
• Finally, d’ in agent A completes with c in bridge 1.
• d is now complete at A.
Reordering and deletion
• P can pass anything except P.
• D and C can pass either D or C.
• Uncommitted D can be dropped.
• Oldest C in a queue can be dropped.
• P and committed D never dropped.

Producer/Consumer property (in any PCI network, during any execution)
• if a producer agent writes a data item
• and the producer sets a flag
• and if the consumer reads the flag
• then the consumer will read the new data item.
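As an added illustration (not from the talk or its PVS/Murphi models), the script below encodes the reordering and deletion rules for a single bridge queue, enumerates every queue state they allow, and checks that the producer's posted data write can never end up behind its posted flag write; the queue contents and names are constructed.

```python
# Added example, not from the talk or its PVS/Murphi models. One bridge queue:
# index 0 is the head (oldest entry). Entry = (kind, name, committed) with kind
# 'P' posted, 'D' delayed request, 'C' completion. Names are constructed.

def can_pass(mover, ahead):
    """May `mover` (behind) move in front of `ahead`? Rules from the slide."""
    if mover[0] == 'P':
        return ahead[0] != 'P'           # P passes anything except P
    return ahead[0] in ('D', 'C')        # D and C pass D or C, never P

def successors(queue):
    """Queue states reachable in one reorder step or one drop step."""
    out, q = set(), list(queue)
    for i in range(1, len(q)):
        if can_pass(q[i], q[i - 1]):
            r = q[:]
            r[i - 1], r[i] = r[i], r[i - 1]
            out.add(tuple(r))
    for i, e in enumerate(q):
        if e[0] == 'D' and not e[2]:     # uncommitted D may be dropped
            out.add(tuple(q[:i] + q[i + 1:]))
    for i, e in enumerate(q):            # only the oldest C may be dropped
        if e[0] == 'C':
            out.add(tuple(q[:i] + q[i + 1:]))
            break
    return out                           # P and committed D are never dropped

def reachable(queue):
    """Exhaustive search over every queue state the rules allow."""
    start = tuple(queue)
    seen, todo = {start}, [start]
    while todo:
        for n in successors(todo.pop()):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen

def stays_ahead(queue, first, second):
    """True iff `first` precedes `second` in every reachable state holding both."""
    for s in reachable(queue):
        names = [e[1] for e in s]
        if first in names and second in names:
            if names.index(first) > names.index(second):
                return False
    return True

# Constructed sample: posted data write, then posted flag write, with a D and a C between.
PRODUCER_QUEUE = [('P', 'data', False), ('D', 'rd', False),
                  ('C', 'cpl', False), ('P', 'flag', False)]
```

Because the rules never let anything pass a posted entry and never drop one, `stays_ahead(PRODUCER_QUEUE, 'data', 'flag')` holds, whereas a completion can be passed by a delayed request, so `stays_ahead` fails for a C followed by a D.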
Solution
• C = acyclic multi-bus PCI networks
• = Producer/Consumer property
L = Labelings assigned by Producer/Consumer
• = Project a finite state model out of n
v = Add non-determinism to PCI on n
State Projection
State Transitions
Unreachable states
Adding Non-determinism
What is actually modeled
Despite the spurious behaviors in PCI’, PCI’ can still be used to prove useful properties of PCI.
Refinement Proof post(t,s) s t t’ (s) post(t’, (s))
Proof Metrics
• ~1,500 lines to model transitions and abstraction
• ~1,000 proof commands in final proof
• ~1 month of effort to build models and do the proof.

Checking the Reduced Model (four network topologies; the row labels are topology diagrams built from P, F, C and D nodes in the original)
Topology    States   CPU time (sec)
1            2,690    51.20
2            1,614    35.35
3              914    18.68
4              648    12.56
Total        5,866   117.79
Solution Summary (diagram)
PCI is a refinement of PCI’ (PVS proof)
All traces of PCI on all configs satisfy PC.
Four network topologies in n
All traces of PCI’ on all topologies satisfy PC. (Murphi model check)

Hierarchical caching networks (model checker diagram: nodes P, Q, M0, M1, M2 with rd(A,v)/wr(A,v) operations)

Model Checking Results
Configuration   States    CPU time (sec)
P P Q          110,995     87.57
P Q P          151,598     65.51
P P Q *        618,874    282.40
Total          881,467    435.48
Discussion and Future Work
• Abstraction technique that yields a finite state model which preserves enough information to reason about useful properties in networks where the behavior and arrangement of the intermediate nodes matters.
• General refinement proof and tool.
• www.cs.utah.edu/formal_verification

Producer/Consumer for PCI (diagram: messages p, d, c, f) ...for all networks and all executions.
Abstracting PCI Networks (diagram: network nodes labelled F, P, D, C)
Abstracting PCI Messages (diagram: concrete message sequences abstracted to p, d, c, P)

Solution #1
All traces, all configs. satisfy P/C (PCI model, PVS proof)
Proofs of obvious lemmas hard: “if a message is present in a queue, then it was created previously”