Pci transaction ordering verification using trace inclusion refinement
This presentation is the property of its rightful owner.
Sponsored Links
1 / 50

PCI transaction ordering verification using trace inclusion refinement PowerPoint PPT Presentation


  • 55 Views
  • Uploaded on
  • Presentation posted in: General

PCI transaction ordering verification using trace inclusion refinement. Mike Jones UV Meeting October 4, 1999. Outline. How PCI works What we are trying to verify Why the verification is so hard How we did the verification Discussion. How PCI works. Bus. Posted. d. p. c. Delayed.

Download Presentation

PCI transaction ordering verification using trace inclusion refinement

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


PCI transaction ordering verification using trace inclusion refinement

Mike Jones

UV Meeting

October 4, 1999


Outline

  • How PCI works

  • What we are trying to verify

  • Why the verification is so hard

  • How we did the verification

  • Discussion


How PCI works

Bus

Posted

d

p

c

Delayed

completion

d

Agent

Bridge


p

Posted transactions

  • Posted transaction, P, from A to B.

  • A puts p on “the rest of the network” and forgets about it.

  • B receives P and that’s it.

The Rest of

the network

B

A


p

Posted transactions

  • Pretend there are 2 bridges between A and B

  • With the other transaction shown.

  • Here’s how P gets from A to B...

d

c

p’

B

A


p

Posted transactions

  • P goes to bridge 1.

  • P is now complete at A.

  • P can pass delayed transaction d

d

c

p’

B

A


p

Posted transactions

  • Next, P completes to bridge 2.

d

c

p’

B

A


p

Posted transactions

  • P is now complete at bridge 1.

  • P can pass the completion trans. C.

  • P can not pass the other posted trans.

d

c

p’

B

A


p

Posted transactions

  • P waits until P’ completes on bridge 2

d

c

p’

B

A


p

Posted transactions

  • Pretend that P’ went to another bridge (not shown).

  • P can now complete to destination B.

d

c

B

A


p

Posted transactions

  • No acknowledgement is sent to A.

  • P is now complete at B.

d

c

B

A


d

Delayed transactions

  • Delayed trans., d, from A to B.

  • A puts d on “the rest of the network” and waits for a completion.

  • B receives d and sends a completion,c.

The Rest of

the network

B

A


d’

Delayed transactions

  • 2 bridges between A and B

  • Other transactions as shown.

  • d tries to latch to bridge 1.

  • d is now committed (called d’).

d

c

p’

B

A


d’

d

Delayed transactions

  • Eventually, d’ latches to bridge 1.

  • bridge 1 has an uncommitted copy of d

  • d can pass the other d entry already in bridge 1.

d

c

p’

B

A


d’

d

Delayed transactions

  • d can attempt to latch to bridge 2.

  • d will then be committed at bridge 1.

d

c

p’

B

A


d’

d’

Delayed transactions

  • Eventually, d’ latches to bridge 2.

d

c

p’

B

A


d’

d’

d

Delayed transactions

  • d can pass completion entry c.

d

c

p’

B

A


d’

d’

d

Delayed transactions

  • But, uncommitted d entries can be dropped at any time...

d

c

p’

B

A


d’

d’

Delayed transactions

  • bridge 1 has to resend d’ to bridge 2

  • d’ can not be deleted

d

c

p’

B

A


d’

d’

d

Delayed transactions

  • d can be dropped again...

  • pretend it passes C again.

  • d can not pass posted transactions.

  • d waits till p’ completes.

d

c

p’

B

A


d’

d’

d

Delayed transactions

  • d commits then latches to agent B.

  • B creates a completion entry C.

d

c

B

A


d’

d’

d’

d’

c

Delayed transactions

  • d’ in bridge 2 can complete with the completion in B.

  • d’ will be deleted from bridge 2.

  • c will move into into bridge 2.

d

c

B

A


d’

d’

d’

c

Delayed transactions

  • d is now complete at bridge 2.

  • d’ in bridge 1 can complete with c in bridge 2.

  • c can be deleted too...

d

c

B

A


d’

d’

c

Delayed transactions

  • d is now complete at bridge 1.

  • finally, d’ in agent A completes with c in bridge 1.

d

c

B

A


d’

c

Delayed transactions

  • d is now complete at A.

  • no more actions!

d

c

B

A


Reordering and deletion

  • P can pass anything except P.

  • D and C can pass either D or C.

  • uncommitted D can be dropped.

  • oldest C in a queue can be dropped.

  • P and committed D never dropped.


Producer/Consumer property

  • if a producer agent writes a data item

  • and the producer sets a flag

  • and if the consumer reads the flag

  • then the consumer will read the new data item.


Producer/Consumer property

  • More formally...

 p,c: agent master, d,f: agent target

dw,fw: write trans,

dr,fr: delayed read trans.

{(p issues dw before fw) 

(c issues fr before dr) 

(dw completes at p before fw) 

(fr completes at c before dr) 

(fw completes at f before fr)} 

dw completes at d before dr


Verifying P/C

  • Theorem proving effort

    • PVS theory of PCI using NASA library

    • several person months of effort

    • too hard.

  • Model checking effort

    • long-ish Promela model

    • does not generalize to arbitrary cases

    • does finish though


Theorem proving difficulties

  • unconstrained environment

  • big induction principle

  • several months of effort

  • ... some properties were proven


TP contribution

  • any configuration of p,c,d,f is in one of the following infinite classes:

p

d

p

d

p

c

f

f

f

c

c

d


Model checking difficulties

  • check sample networks from each class.

  • included only P/C transactions

  • model checker works in finite domain

  • couldn’t convincingly generalize the results.


Missing generalizations

  • arbitrary unrelated agents, paths and transactions

  • arbitrary path lengths

p

d

...

p

d

...

???

c

f

c

f


Verification solution

  • Use some TP properties to create an abstract model of PCI called PCIA

  • abstract away:

    • arbitrary unrelated agents, paths

    • arbitrary unrelated transactions

    • arbitrarily long paths


Verification solution

  • show that PCI  PCIA

 s:PCI execution trace.

{(s = [(i1,e1),(i2,e2),...) =>

 s’:abstract PCI execution trace.

(s’ = [e1,e2,...])}

where

e1 = abstraction of i1


Verification solution

  • show that all executions of PCIA satisfy P/C

  • Therefore, no executions of PCI violate P/C

  • pencil & paper refinement proof

  • model checked P/C in PCIA


Unrelated paths and agents

...

p

d

...

c

f

p

d

f

c


Unrelated Transactions

dwc

p

c

dwc

d

dw

d’

d

p

fw

...

d

p

p

p

c

cdw

dwc dw fw

p

cdw


Unbounded Path Lengths

  • Ignore bridge boundaries

  • But stacks of committed delayed transactions represent the path length.

dwc

p

c

dwc

d

dw

d’

d

p

fw

...

d

p

p

p

c

cdw

dwc ...dwc dw fw

p

cdw


Unbounded path lengths

  • Theorem from TP model:

    • behind any committed D transaction, there is a continuous stack of D transactions back to the issuing master agent.


Unbounded Path Lengths

  • Keep only the newest committed entry!

  • How to do completions?

    • where is the new newest entry after a completion?

dwc

p

c

dwc

d

dw

d’

d

p

fw

...

d

p

p

p

c

cdw

???


frc fr dwc fw

frc dwc fr fw

cdw

cdw

Unbounded path lengths

  • Which transactions behind dwc were in the same queue as dwc?

  • New newest dwc appears behind them.

dwc

frc

p

fr

dwc

dwc

frc

p

fr

p

p

cdw


frc fr fw

frc dwc fr fw

frc fr dwc fw

dwc frc fr fw

frc fr dwc fw

cdw

cdw

cdw

cdw

cdw

Unbounded path lengths

  • lost queue boundaries, so don’t know

  • consider all interleavings

  • going to visit all states anyway...


Refinement Proof

next

internal

state

PCI transition

next

internal

state

internal

state

next

internal

state

next

abstract

state

abstract

state

next

abstract

state

PCIA transition


P/C in PCIA

  • SML model of PCIA

  • SML explicit state model checker

  • state P/C as a safety property

  • check all 3 path configurations in 30 sec.

  • less than 2000 states


Discussion

  • combination of TP and MC

  • Novel abstraction

    • unbounded branching paths

    • unbounded transactions

  • Small and finite abstract model

    • can even be checked in a toy model checker


Abstract model


Abstract model

  • keep only significant transactions

    • all forms of dw,dr,fw,fr

    • only the newest committed entry

  • keep only significant agents

    • p,c,d,f agents

  • keep only significant paths

    • paths connecting p,c,d,f

  • ignore bridge and queue boundaries


Transition abstraction

  • There is an abstract transition for each concrete transition that changes the external state.

  • a set of 10 transition rules.

  • see the paper for details.


Delayed transactions

  • most difficult case


  • Login