Pci transaction ordering verification using trace inclusion refinement
This presentation is the property of its rightful owner.
Sponsored Links
1 / 50

PCI transaction ordering verification using trace inclusion refinement PowerPoint PPT Presentation


  • 52 Views
  • Uploaded on
  • Presentation posted in: General

PCI transaction ordering verification using trace inclusion refinement. Mike Jones UV Meeting October 4, 1999. Outline. How PCI works What we are trying to verify Why the verification is so hard How we did the verification Discussion. How PCI works. Bus. Posted. d. p. c. Delayed.

Download Presentation

PCI transaction ordering verification using trace inclusion refinement

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Pci transaction ordering verification using trace inclusion refinement

PCI transaction ordering verification using trace inclusion refinement

Mike Jones

UV Meeting

October 4, 1999


Outline

Outline

  • How PCI works

  • What we are trying to verify

  • Why the verification is so hard

  • How we did the verification

  • Discussion


How pci works

How PCI works

Bus

Posted

d

p

c

Delayed

completion

d

Agent

Bridge


Posted transactions

p

Posted transactions

  • Posted transaction, P, from A to B.

  • A puts p on “the rest of the network” and forgets about it.

  • B receives P and that’s it.

The Rest of

the network

B

A


Posted transactions1

p

Posted transactions

  • Pretend there are 2 bridges between A and B

  • With the other transaction shown.

  • Here’s how P gets from A to B...

d

c

p’

B

A


Posted transactions2

p

Posted transactions

  • P goes to bridge 1.

  • P is now complete at A.

  • P can pass delayed transaction d

d

c

p’

B

A


Posted transactions3

p

Posted transactions

  • Next, P completes to bridge 2.

d

c

p’

B

A


Posted transactions4

p

Posted transactions

  • P is now complete at bridge 1.

  • P can pass the completion trans. C.

  • P can not pass the other posted trans.

d

c

p’

B

A


Posted transactions5

p

Posted transactions

  • P waits until P’ completes on bridge 2

d

c

p’

B

A


Posted transactions6

p

Posted transactions

  • Pretend that P’ went to another bridge (not shown).

  • P can now complete to destination B.

d

c

B

A


Posted transactions7

p

Posted transactions

  • No acknowledgement is sent to A.

  • P is now complete at B.

d

c

B

A


Delayed transactions

d

Delayed transactions

  • Delayed trans., d, from A to B.

  • A puts d on “the rest of the network” and waits for a completion.

  • B receives d and sends a completion,c.

The Rest of

the network

B

A


Delayed transactions1

d’

Delayed transactions

  • 2 bridges between A and B

  • Other transactions as shown.

  • d tries to latch to bridge 1.

  • d is now committed (called d’).

d

c

p’

B

A


Delayed transactions2

d’

d

Delayed transactions

  • Eventually, d’ latches to bridge 1.

  • bridge 1 has an uncommitted copy of d

  • d can pass the other d entry already in bridge 1.

d

c

p’

B

A


Delayed transactions3

d’

d

Delayed transactions

  • d can attempt to latch to bridge 2.

  • d will then be committed at bridge 1.

d

c

p’

B

A


Delayed transactions4

d’

d’

Delayed transactions

  • Eventually, d’ latches to bridge 2.

d

c

p’

B

A


Delayed transactions5

d’

d’

d

Delayed transactions

  • d can pass completion entry c.

d

c

p’

B

A


Delayed transactions6

d’

d’

d

Delayed transactions

  • But, uncommitted d entries can be dropped at any time...

d

c

p’

B

A


Delayed transactions7

d’

d’

Delayed transactions

  • bridge 1 has to resend d’ to bridge 2

  • d’ can not be deleted

d

c

p’

B

A


Delayed transactions8

d’

d’

d

Delayed transactions

  • d can be dropped again...

  • pretend it passes C again.

  • d can not pass posted transactions.

  • d waits till p’ completes.

d

c

p’

B

A


Delayed transactions9

d’

d’

d

Delayed transactions

  • d commits then latches to agent B.

  • B creates a completion entry C.

d

c

B

A


Delayed transactions10

d’

d’

d’

d’

c

Delayed transactions

  • d’ in bridge 2 can complete with the completion in B.

  • d’ will be deleted from bridge 2.

  • c will move into into bridge 2.

d

c

B

A


Delayed transactions11

d’

d’

d’

c

Delayed transactions

  • d is now complete at bridge 2.

  • d’ in bridge 1 can complete with c in bridge 2.

  • c can be deleted too...

d

c

B

A


Delayed transactions12

d’

d’

c

Delayed transactions

  • d is now complete at bridge 1.

  • finally, d’ in agent A completes with c in bridge 1.

d

c

B

A


Delayed transactions13

d’

c

Delayed transactions

  • d is now complete at A.

  • no more actions!

d

c

B

A


Reordering and deletion

Reordering and deletion

  • P can pass anything except P.

  • D and C can pass either D or C.

  • uncommitted D can be dropped.

  • oldest C in a queue can be dropped.

  • P and committed D never dropped.


Producer consumer property

Producer/Consumer property

  • if a producer agent writes a data item

  • and the producer sets a flag

  • and if the consumer reads the flag

  • then the consumer will read the new data item.


Producer consumer property1

Producer/Consumer property

  • More formally...

 p,c: agent master, d,f: agent target

dw,fw: write trans,

dr,fr: delayed read trans.

{(p issues dw before fw) 

(c issues fr before dr) 

(dw completes at p before fw) 

(fr completes at c before dr) 

(fw completes at f before fr)} 

dw completes at d before dr


Verifying p c

Verifying P/C

  • Theorem proving effort

    • PVS theory of PCI using NASA library

    • several person months of effort

    • too hard.

  • Model checking effort

    • long-ish Promela model

    • does not generalize to arbitrary cases

    • does finish though


Theorem proving difficulties

Theorem proving difficulties

  • unconstrained environment

  • big induction principle

  • several months of effort

  • ... some properties were proven


Tp contribution

TP contribution

  • any configuration of p,c,d,f is in one of the following infinite classes:

p

d

p

d

p

c

f

f

f

c

c

d


Model checking difficulties

Model checking difficulties

  • check sample networks from each class.

  • included only P/C transactions

  • model checker works in finite domain

  • couldn’t convincingly generalize the results.


Missing generalizations

Missing generalizations

  • arbitrary unrelated agents, paths and transactions

  • arbitrary path lengths

p

d

...

p

d

...

???

c

f

c

f


Verification solution

Verification solution

  • Use some TP properties to create an abstract model of PCI called PCIA

  • abstract away:

    • arbitrary unrelated agents, paths

    • arbitrary unrelated transactions

    • arbitrarily long paths


Verification solution1

Verification solution

  • show that PCI  PCIA

 s:PCI execution trace.

{(s = [(i1,e1),(i2,e2),...) =>

 s’:abstract PCI execution trace.

(s’ = [e1,e2,...])}

where

e1 = abstraction of i1


Verification solution2

Verification solution

  • show that all executions of PCIA satisfy P/C

  • Therefore, no executions of PCI violate P/C

  • pencil & paper refinement proof

  • model checked P/C in PCIA


Unrelated paths and agents

Unrelated paths and agents

...

p

d

...

c

f

p

d

f

c


Unrelated transactions

Unrelated Transactions

dwc

p

c

dwc

d

dw

d’

d

p

fw

...

d

p

p

p

c

cdw

dwc dw fw

p

cdw


Unbounded path lengths

Unbounded Path Lengths

  • Ignore bridge boundaries

  • But stacks of committed delayed transactions represent the path length.

dwc

p

c

dwc

d

dw

d’

d

p

fw

...

d

p

p

p

c

cdw

dwc ...dwc dw fw

p

cdw


Unbounded path lengths1

Unbounded path lengths

  • Theorem from TP model:

    • behind any committed D transaction, there is a continuous stack of D transactions back to the issuing master agent.


Unbounded path lengths2

Unbounded Path Lengths

  • Keep only the newest committed entry!

  • How to do completions?

    • where is the new newest entry after a completion?

dwc

p

c

dwc

d

dw

d’

d

p

fw

...

d

p

p

p

c

cdw

???


Unbounded path lengths3

frc fr dwc fw

frc dwc fr fw

cdw

cdw

Unbounded path lengths

  • Which transactions behind dwc were in the same queue as dwc?

  • New newest dwc appears behind them.

dwc

frc

p

fr

dwc

dwc

frc

p

fr

p

p

cdw


Unbounded path lengths4

frc fr fw

frc dwc fr fw

frc fr dwc fw

dwc frc fr fw

frc fr dwc fw

cdw

cdw

cdw

cdw

cdw

Unbounded path lengths

  • lost queue boundaries, so don’t know

  • consider all interleavings

  • going to visit all states anyway...


Refinement proof

Refinement Proof

next

internal

state

PCI transition

next

internal

state

internal

state

next

internal

state

next

abstract

state

abstract

state

next

abstract

state

PCIA transition


P c in pci a

P/C in PCIA

  • SML model of PCIA

  • SML explicit state model checker

  • state P/C as a safety property

  • check all 3 path configurations in 30 sec.

  • less than 2000 states


Discussion

Discussion

  • combination of TP and MC

  • Novel abstraction

    • unbounded branching paths

    • unbounded transactions

  • Small and finite abstract model

    • can even be checked in a toy model checker


Abstract model

Abstract model


Abstract model1

Abstract model

  • keep only significant transactions

    • all forms of dw,dr,fw,fr

    • only the newest committed entry

  • keep only significant agents

    • p,c,d,f agents

  • keep only significant paths

    • paths connecting p,c,d,f

  • ignore bridge and queue boundaries


Transition abstraction

Transition abstraction

  • There is an abstract transition for each concrete transition that changes the external state.

  • a set of 10 transition rules.

  • see the paper for details.


Delayed transactions14

Delayed transactions

  • most difficult case


  • Login