
PCI transaction ordering verification using trace inclusion refinement

Mike Jones

UV Meeting

October 4, 1999

- How PCI works
- What we are trying to verify
- Why the verification is so hard
- How we did the verification
- Discussion

[Figure legend: Bus, Agent, Bridge; transaction entry types Posted (p), Delayed (d), Delayed completion (c).]

- Posted transaction, P, from A to B.
- A puts P on "the rest of the network" and forgets about it.
- B receives P and that's it.

[Figure: agents A and B joined by "the rest of the network"; posted transaction p in flight.]

- Pretend there are 2 bridges between A and B
- With the other transaction shown.
- Here’s how P gets from A to B...

[Figure: A, bridge 1, bridge 2, B; the bridges already hold a delayed transaction d, a completion c and another posted transaction p'. The frames that follow step p from A to B through these queues.]

- P goes to bridge 1.
- P is now complete at A.
- P can pass delayed transaction d.


- Next, P completes to bridge 2.


- P is now complete at bridge 1.
- P can pass the completion transaction c.
- P cannot pass the other posted transaction p'.


- P waits until P' completes on bridge 2.


- Pretend that P’ went to another bridge (not shown).
- P can now complete to destination B.


- No acknowledgement is sent to A.
- P is now complete at B.


- Delayed transaction, d, from A to B.
- A puts d on "the rest of the network" and waits for a completion.
- B receives d and sends a completion, c.

[Figure: agents A and B joined by "the rest of the network"; delayed transaction d in flight, with its committed entry d' held at A.]

- 2 bridges between A and B
- Other transactions as shown.
- d tries to latch to bridge 1.
- d is now committed (called d’).

[Figure: A, bridge 1, bridge 2, B with d, c and p' queued in the bridges; d' marks the committed copy of d and d the uncommitted copy. The frames that follow step d from A to B and its completion c back to A.]

d

- Eventually, d' latches to bridge 1.
- Bridge 1 now has an uncommitted copy of d.
- d can pass the other d entry already in bridge 1.


- d can attempt to latch to bridge 2.
- d will then be committed at bridge 1.


- Eventually, d’ latches to bridge 2.


- d can pass completion entry c.


- But, uncommitted d entries can be dropped at any time...


- Bridge 1 has to resend d' to bridge 2.
- d' cannot be deleted.


- d can be dropped again...
- Pretend it passes c again.
- d cannot pass posted transactions.
- d waits until p' completes.


- d commits then latches to agent B.
- B creates a completion entry C.


- d' in bridge 2 can complete with the completion in B.
- d' will be deleted from bridge 2.
- c will move into bridge 2.


- d is now complete at bridge 2.
- d’ in bridge 1 can complete with c in bridge 2.
- c can be deleted too...


- d is now complete at bridge 1.
- finally, d’ in agent A completes with c in bridge 1.


- d is now complete at A.
- no more actions!


- P can pass anything except P.
- D and C can pass either D or C (neither can pass P).
- An uncommitted D can be dropped.
- The oldest C in a queue can be dropped.
- P and committed D are never dropped.

- If a producer agent writes a data item,
- and the producer then sets a flag,
- and the consumer reads the flag (and sees it set),
- then the consumer will read the new data item.

- More formally...

p, c: agent masters (producer, consumer); d, f: agent targets (holding the data item and the flag)

dw, fw: write transactions; dr, fr: delayed read transactions

{ (p issues dw before fw)
∧ (c issues fr before dr)
∧ (dw completes at p before fw)
∧ (fr completes at c before dr)
∧ (fw completes at f before fr) }

⇒ dw completes at d before dr
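The property above as an added Python check over one execution trace (not the talk's PVS or SML formulation). Events are constructed (action, agent, transaction) triples using the slide's names p, c, d, f and dw, fw, dr, fr; the three traces are made up here to show a satisfying run, a stale read that violates the property, and a run where the antecedent fails so the property holds vacuously.

```python
# Event = (action, agent, transaction). "complete" at an agent means the
# transaction completed at that agent; "issue" means the master issued it.


def position(trace, event):
    """Index of the first occurrence of `event` in `trace`, or None."""
    for i, ev in enumerate(trace):
        if ev == event:
            return i
    return None


def before(trace, first, second):
    """True iff both events occur in `trace` and `first` precedes `second`."""
    i, j = position(trace, first), position(trace, second)
    return i is not None and j is not None and i < j


def pc_hypotheses(trace):
    """The five antecedents of the producer/consumer property."""
    return (before(trace, ("issue", "p", "dw"), ("issue", "p", "fw"))
            and before(trace, ("issue", "c", "fr"), ("issue", "c", "dr"))
            and before(trace, ("complete", "p", "dw"), ("complete", "p", "fw"))
            and before(trace, ("complete", "c", "fr"), ("complete", "c", "dr"))
            and before(trace, ("complete", "f", "fw"), ("complete", "f", "fr")))


def pc_conclusion(trace):
    """dw completes at d before dr does."""
    return before(trace, ("complete", "d", "dw"), ("complete", "d", "dr"))


def pc_holds(trace):
    """Producer/consumer property as an implication over the whole trace."""
    return (not pc_hypotheses(trace)) or pc_conclusion(trace)


# Constructed trace: data write lands at d before the consumer's data read.
GOOD_TRACE = [
    ("issue", "p", "dw"), ("complete", "p", "dw"),
    ("issue", "p", "fw"), ("complete", "p", "fw"),
    ("complete", "d", "dw"), ("complete", "f", "fw"),
    ("issue", "c", "fr"), ("complete", "f", "fr"), ("complete", "c", "fr"),
    ("issue", "c", "dr"), ("complete", "d", "dr"), ("complete", "c", "dr"),
]

# Constructed trace: same events, but the data write reaches d only after
# the consumer's read has completed there. The consumer saw the new flag
# and stale data, which is exactly what the property forbids.
STALE_READ_TRACE = [
    ("issue", "p", "dw"), ("complete", "p", "dw"),
    ("issue", "p", "fw"), ("complete", "p", "fw"),
    ("complete", "f", "fw"),
    ("issue", "c", "fr"), ("complete", "f", "fr"), ("complete", "c", "fr"),
    ("issue", "c", "dr"), ("complete", "d", "dr"), ("complete", "c", "dr"),
    ("complete", "d", "dw"),
]

# Constructed trace: the consumer reads the data before the flag, so the
# antecedent fails and the property says nothing about the stale read.
VACUOUS_TRACE = [
    ("issue", "p", "dw"), ("complete", "p", "dw"),
    ("issue", "p", "fw"), ("complete", "p", "fw"),
    ("complete", "f", "fw"),
    ("issue", "c", "dr"), ("complete", "d", "dr"), ("complete", "c", "dr"),
    ("issue", "c", "fr"), ("complete", "f", "fr"), ("complete", "c", "fr"),
    ("complete", "d", "dw"),
]


def check_all():
    """Property verdict for each constructed trace."""
    return {
        "good": pc_holds(GOOD_TRACE),
        "stale_read": pc_holds(STALE_READ_TRACE),
        "vacuous": pc_holds(VACUOUS_TRACE),
    }


if __name__ == "__main__":
    print(check_all())
```

The vacuous case is worth keeping in mind when the property is later stated as a safety check: a consumer that reads data before polling the flag gets no guarantee from P/C at all, so a violation can only be blamed on the network once all five antecedents are in place.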

- Theorem proving effort
- PVS theory of PCI using NASA library
- several person months of effort
- too hard.

- Model checking effort
- long-ish Promela model
- does not generalize to arbitrary cases
- does finish though

- unconstrained environment
- big induction principle
- several months of effort
- ... some properties were proven

- any configuration of p,c,d,f is in one of the following infinite classes:

[Figure: the three configuration classes, drawn as networks over the agents p, c, d and f (diagram residue; the drawings show how the paths from p and c to d and f can be arranged).]

- check sample networks from each class.
- included only P/C transactions
- model checker works in finite domain
- couldn’t convincingly generalize the results.

- arbitrary unrelated agents, paths and transactions
- arbitrary path lengths

[Figure: the p, c, d, f agents connected through arbitrary, unrelated paths of arbitrary length, marked "..." and "???" on the slide.]

- Use some TP properties to create an abstract model of PCI called PCIA
- abstract away:
- arbitrary unrelated agents, paths
- arbitrary unrelated transactions
- arbitrarily long paths

- show that PCI refines PCIA (trace inclusion: every PCI execution trace abstracts to a PCIA execution trace)

For all s, a PCI execution trace:

{ (s = [(i1,e1),(i2,e2),...]) ⇒ there exists s', an abstract PCI execution trace, with (s' = [e1,e2,...]) }

where e1 = abstraction of i1 (and likewise each e_k is the abstraction of i_k)

- show that all executions of PCIA satisfy P/C
- Therefore, no executions of PCI violate P/C
- pencil & paper refinement proof
- model checked P/C in PCIA

[Figure: a concrete PCI configuration with bridge queues on the paths from p and c to d and f, holding entries labelled dw, fw, dwc, cdw, d' and unrelated p, c, d entries (diagram residue).]

- Ignore bridge boundaries
- But stacks of committed delayed transactions represent the path length.

[Figure: the same configuration with bridge boundaries removed; a run of entries "dwc ... dwc dw fw" on the p to d path stands in for the path length.]

- Theorem from TP model:
- behind any committed D transaction, there is a continuous stack of D transactions back to the issuing master agent.

- Keep only the newest committed entry!
- How to do completions?
- where is the new newest entry after a completion?

[Figure: after a completion removes the newest committed entry, the slide marks "???" where the next newest dwc should appear, between queue contents such as "frc fr dwc fw" and "frc dwc fr fw".]

- Which transactions behind dwc were in the same queue as dwc?
- New newest dwc appears behind them.

[Figure: the candidate queue orders considered after the completion: "frc fr fw", "frc dwc fr fw", "frc fr dwc fw", "dwc frc fr fw", "frc fr dwc fw".]

- lost queue boundaries, so don’t know
- consider all interleavings
- going to visit all states anyway...

[Figure: commuting diagram. Top row: internal state, PCI transition, next internal state (repeated). Bottom row: abstract state, PCIA transition, next abstract state. Each internal state maps down to the abstract state beneath it.]

- SML model of PCIA
- SML explicit state model checker
- state P/C as a safety property
- check all 3 path configurations in 30 sec.
- less than 2000 states
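The two proof obligations above, the refinement check from the commuting diagram (each concrete transition either leaves the abstract state unchanged or matches an abstract transition) and the explicit-state safety check over the abstract model, as an added Python example. The models are a deliberately tiny construction of my own: they are not the talk's PCI model, its PCIA with ten transition rules, or its SML checker. The concrete model tracks only the posted transaction p from the earlier slides as it moves A, bridge 1, bridge 2, B, and the posted p' queued ahead of it in bridge 2; the abstract model forgets the bridge boundaries, as PCIA does.

```python
from collections import deque

# Constructed concrete model: p travels A -> b1 -> b2 -> B. p' sits ahead of
# p in bridge 2 until it completes. A posted transaction may not pass a
# posted transaction, so p can only leave bridge 2 once p' has left.


def concrete_init():
    return ("A", True)          # (where p is, whether p' is still ahead of p)


def concrete_next(state):
    pos, p_prime_ahead = state
    succ = set()
    if p_prime_ahead:
        succ.add((pos, False))                 # p' completes out of bridge 2
    if pos == "A":
        succ.add(("b1", p_prime_ahead))        # p latches into bridge 1
    elif pos == "b1":
        succ.add(("b2", p_prime_ahead))        # p latches into bridge 2, behind p'
    elif pos == "b2" and not p_prime_ahead:
        succ.add(("B", False))                 # p completes to B
    return succ


def concrete_next_buggy(state):
    """Same model with the ordering rule dropped: p may overtake p'."""
    pos, p_prime_ahead = state
    succ = set(concrete_next(state))
    if pos == "b2":
        succ.add(("B", p_prime_ahead))
    return succ


def abstraction(state):
    """External state: forget bridge boundaries; keep only whether p has
    been delivered and whether p' is still ahead of it."""
    pos, p_prime_ahead = state
    return (pos == "B", p_prime_ahead)


def abstract_next(astate):
    """Constructed abstract model playing the role of PCIA."""
    delivered, p_prime_ahead = astate
    succ = set()
    if p_prime_ahead:
        succ.add((delivered, False))           # p' completes
    if not delivered and not p_prime_ahead:
        succ.add((True, False))                # p is delivered once p' is gone
    return succ


def reachable(init, next_fn):
    """Explicit-state breadth-first exploration."""
    seen, work = {init}, deque([init])
    while work:
        s = work.popleft()
        for t in next_fn(s):
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen


def refinement_counterexamples(next_fn):
    """Commuting-diagram check: every concrete step must either stutter
    (same abstract state) or match an abstract transition."""
    bad = []
    for s in sorted(reachable(concrete_init(), next_fn)):
        for t in sorted(next_fn(s)):
            a, b = abstraction(s), abstraction(t)
            if a != b and b not in abstract_next(a):
                bad.append((s, t))
    return bad


def pc_safe(astate):
    """p must never be delivered while p' is still ahead of it."""
    delivered, p_prime_ahead = astate
    return not (delivered and p_prime_ahead)


def abstract_safety_violations():
    """Model-check the safety property over the abstract state space."""
    init = abstraction(concrete_init())
    return sorted(a for a in reachable(init, abstract_next) if not pc_safe(a))


if __name__ == "__main__":
    print("refinement holds:", refinement_counterexamples(concrete_next) == [])
    print("buggy model counterexamples:", refinement_counterexamples(concrete_next_buggy))
    print("abstract safety violations:", abstract_safety_violations())
```

The division of labour mirrors the slides: the refinement check is the part that would be done by hand (here it is exhaustive only because the concrete model is finite), and the safety check runs on the small abstract model. Dropping the ordering rule in `concrete_next_buggy` produces the step from ("b2", True) to ("B", True), which the abstract model has no transition for, so the refinement check fails before any property is even examined.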

- combination of TP and MC
- Novel abstraction
- unbounded branching paths
- unbounded transactions

- Small and finite abstract model
- can even be checked in a toy model checker

- keep only significant transactions
- all forms of dw,dr,fw,fr
- only the newest committed entry

- keep only significant agents
- p,c,d,f agents

- keep only significant paths
- paths connecting p,c,d,f

- ignore bridge and queue boundaries

- There is an abstract transition for each concrete transition that changes the external state.
- a set of 10 transition rules.
- see the paper for details.

- most difficult case