PCI transaction ordering verification using trace inclusion refinement
Mike Jones

UV Meeting

October 4, 1999


Outline

  • How PCI works

  • What we are trying to verify

  • Why the verification is so hard

  • How we did the verification

  • Discussion


How PCI works

[Figure: an agent and a bridge on the bus; the three transaction kinds are shown as posted (p), delayed (d) and delayed completion (c)]


Posted transactions

  • Posted transaction, P, from A to B.

  • A puts P on "the rest of the network" and forgets about it.

  • B receives P and that's it.

[Figure: agent A, "the rest of the network", agent B]


Posted transactions

  • Pretend there are 2 bridges between A and B

  • with the other transactions shown.

  • Here's how P gets from A to B...

[Figure: agent A, bridge 1, bridge 2 and agent B, with queue entries d, c and p']


Posted transactions

  • P goes to bridge 1.

  • P is now complete at A.

  • P can pass delayed transaction d.

[Figure: agent A, bridge 1, bridge 2 and agent B, with queue entries d, c and p']


Posted transactions

  • Next, P completes to bridge 2.

[Figure: agent A, bridge 1, bridge 2 and agent B, with queue entries d, c and p']


Posted transactions

  • P is now complete at bridge 1.

  • P can pass the completion transaction c.

  • P can not pass the other posted transaction.

[Figure: agent A, bridge 1, bridge 2 and agent B, with queue entries d, c and p']


Posted transactions

  • P waits until P' completes on bridge 2.

[Figure: agent A, bridge 1, bridge 2 and agent B, with queue entries d, c and p']


Posted transactions

  • Pretend that P' went to another bridge (not shown).

  • P can now complete to destination B.

[Figure: agent A, bridge 1, bridge 2 and agent B, with queue entries d and c]


Posted transactions

  • No acknowledgement is sent to A.

  • P is now complete at B.

[Figure: agent A, bridge 1, bridge 2 and agent B, with queue entries d and c]


Delayed transactions

  • Delayed transaction, d, from A to B.

  • A puts d on "the rest of the network" and waits for a completion.

  • B receives d and sends a completion, c.

[Figure: agent A, "the rest of the network", agent B]


Delayed transactions

  • 2 bridges between A and B.

  • Other transactions as shown.

  • d tries to latch to bridge 1.

  • d is now committed (called d').

[Figure: agent A, bridge 1, bridge 2 and agent B, with queue entries d, c and p']


Delayed transactions

  • Eventually, d' latches to bridge 1.

  • Bridge 1 has an uncommitted copy of d.

  • d can pass the other d entry already in bridge 1.

[Figure: agent A, bridge 1, bridge 2 and agent B, with queue entries d, d', c and p']


Delayed transactions

  • d can attempt to latch to bridge 2.

  • d will then be committed at bridge 1.

[Figure: agent A, bridge 1, bridge 2 and agent B, with queue entries d, d', c and p']


Delayed transactions

  • Eventually, d' latches to bridge 2.

[Figure: agent A, bridge 1, bridge 2 and agent B, with queue entries d, d', c and p']


Delayed transactions

  • d can pass completion entry c.

[Figure: agent A, bridge 1, bridge 2 and agent B, with queue entries d, d', c and p']


Delayed transactions

  • But, uncommitted d entries can be dropped at any time...

[Figure: agent A, bridge 1, bridge 2 and agent B, with queue entries d, d', c and p']


Delayed transactions

  • Bridge 1 has to resend d' to bridge 2.

  • d' can not be deleted.

[Figure: agent A, bridge 1, bridge 2 and agent B, with queue entries d', c and p']


Delayed transactions

  • d can be dropped again...

  • Pretend it passes c again.

  • d can not pass posted transactions.

  • d waits till p' completes.

[Figure: agent A, bridge 1, bridge 2 and agent B, with queue entries d, d', c and p']


Delayed transactions

  • d commits then latches to agent B.

  • B creates a completion entry c.

[Figure: agent A, bridge 1, bridge 2 and agent B, with queue entries d, d' and c]


Delayed transactions

  • d' in bridge 2 can complete with the completion in B.

  • d' will be deleted from bridge 2.

  • c will move into bridge 2.

[Figure: agent A, bridge 1, bridge 2 and agent B, with a d' entry in each of A, bridge 1 and bridge 2 and the completion c at B]


Delayed transactions

  • d is now complete at bridge 2.

  • d' in bridge 1 can complete with c in bridge 2.

  • c can be deleted too...

[Figure: agent A, bridge 1, bridge 2 and agent B, with d' entries in A and bridge 1 and the completion c in bridge 2]


Delayed transactions

  • d is now complete at bridge 1.

  • Finally, d' in agent A completes with c in bridge 1.

[Figure: agent A, bridge 1, bridge 2 and agent B, with the d' entry in A and the completion c in bridge 1]


Delayed transactions

  • d is now complete at A.

  • No more actions!

[Figure: agent A, bridge 1, bridge 2 and agent B, with the completion c consumed at A]


Reordering and deletion

  • P can pass anything except P.

  • D and C can pass either D or C.

  • uncommitted D can be dropped.

  • oldest C in a queue can be dropped.

  • P and committed D never dropped.
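The passing and dropping rules on this slide, as an added example that is not part of the talk, applied to one bridge queue (the `Entry` class and the entry names are my own encoding; the queue is ordered oldest first):

```python
# Added example (not from the presentation): the "Reordering and deletion"
# rules applied to a single bridge queue.  Entry and the names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    kind: str                 # "P" posted, "D" delayed, "C" completion
    name: str
    committed: bool = False   # only meaningful for kind == "D"


def can_pass(mover: Entry, ahead: Entry) -> bool:
    """May `mover` overtake the older entry `ahead` in the same queue?"""
    if mover.kind == "P":
        return ahead.kind != "P"          # P can pass anything except P
    return ahead.kind in ("D", "C")       # D and C can pass D or C, never P


def can_drop(queue: list[Entry], index: int) -> bool:
    """May the entry at `index` (0 = oldest) be dropped from `queue`?"""
    e = queue[index]
    if e.kind == "P":
        return False                      # P is never dropped
    if e.kind == "D":
        return not e.committed            # only uncommitted D may be dropped
    # a completion may be dropped only if it is the oldest C in the queue
    oldest_c = next(i for i, x in enumerate(queue) if x.kind == "C")
    return index == oldest_c


def successors(queue: list[Entry]) -> set[tuple[Entry, ...]]:
    """All queues reachable by one legal pass or one legal drop."""
    out: set[tuple[Entry, ...]] = set()
    for i in range(1, len(queue)):
        if can_pass(queue[i], queue[i - 1]):
            q = list(queue)
            q[i - 1], q[i] = q[i], q[i - 1]   # younger entry overtakes older
            out.add(tuple(q))
    for i in range(len(queue)):
        if can_drop(queue, i):
            out.add(tuple(queue[:i] + queue[i + 1:]))
    return out
```

`successors` is the per-queue transition relation a model checker would explore; a queue of posted entries only has no successors at all, since P can neither pass P nor be dropped.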


Producer/Consumer property

  • if a producer agent writes a data item

  • and the producer sets a flag

  • and if the consumer reads the flag

  • then the consumer will read the new data item.


Producer/Consumer property

  • More formally...

∀ p, c: agent master; d, f: agent target;
  dw, fw: write transactions; dr, fr: delayed read transactions.

{(p issues dw before fw) ∧
 (c issues fr before dr) ∧
 (dw completes at p before fw) ∧
 (fr completes at c before dr) ∧
 (fw completes at f before fr)}
 ⇒ dw completes at d before dr
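The property above evaluated over an event trace, as an added example that is not part of the talk. The event encoding is my own: `("issue", master, trans)` when a master issues a transaction and `("complete", agent, trans)` when it completes at that agent; both traces are constructed.

```python
# Added example (not from the presentation): the producer/consumer property
# checked over constructed event traces.  Event encoding is my own.
Event = tuple[str, str, str]


def before(trace: list[Event], a: Event, b: Event) -> bool:
    """True iff both events occur in the trace and a precedes b."""
    return a in trace and b in trace and trace.index(a) < trace.index(b)


def pc_premises(trace: list[Event]) -> bool:
    """The five antecedents of the property, in the order given on the slide."""
    return (before(trace, ("issue", "p", "dw"), ("issue", "p", "fw"))
            and before(trace, ("issue", "c", "fr"), ("issue", "c", "dr"))
            and before(trace, ("complete", "p", "dw"), ("complete", "p", "fw"))
            and before(trace, ("complete", "c", "fr"), ("complete", "c", "dr"))
            and before(trace, ("complete", "f", "fw"), ("complete", "f", "fr")))


def pc_conclusion(trace: list[Event]) -> bool:
    """The consequent: the data write dw completes at d before the read dr."""
    return before(trace, ("complete", "d", "dw"), ("complete", "d", "dr"))


def producer_consumer_holds(trace: list[Event]) -> bool:
    """Premises imply conclusion; a trace not meeting the premises passes vacuously."""
    return (not pc_premises(trace)) or pc_conclusion(trace)


# Constructed trace in which the data write reaches d before the consumer's read.
GOOD_TRACE: list[Event] = [
    ("issue", "p", "dw"), ("complete", "p", "dw"), ("complete", "d", "dw"),
    ("issue", "p", "fw"), ("complete", "p", "fw"), ("complete", "f", "fw"),
    ("issue", "c", "fr"), ("complete", "f", "fr"), ("complete", "c", "fr"),
    ("issue", "c", "dr"), ("complete", "d", "dr"), ("complete", "c", "dr"),
]
# Constructed stale-read trace: dw is "complete at p" as soon as it is posted,
# but it is still in flight when dr reaches d, although the flag was visible.
BAD_TRACE: list[Event] = [
    ("issue", "p", "dw"), ("complete", "p", "dw"),
    ("issue", "p", "fw"), ("complete", "p", "fw"), ("complete", "f", "fw"),
    ("issue", "c", "fr"), ("complete", "f", "fr"), ("complete", "c", "fr"),
    ("issue", "c", "dr"), ("complete", "d", "dr"), ("complete", "d", "dw"),
    ("complete", "c", "dr"),
]
```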


Verifying P/C

  • Theorem proving effort

    • PVS theory of PCI using NASA library

    • several person months of effort

    • too hard.

  • Model checking effort

    • long-ish Promela model

    • does not generalize to arbitrary cases

    • does finish though


Theorem proving difficulties

  • unconstrained environment

  • big induction principle

  • several months of effort

  • ... some properties were proven


TP contribution

  • any configuration of p,c,d,f is in one of the following infinite classes:

[Figure: the classes of path configurations connecting agents p, c, d and f]


Model checking difficulties

  • check sample networks from each class.

  • included only P/C transactions

  • model checker works in finite domain

  • couldn’t convincingly generalize the results.


Missing generalizations

  • arbitrary unrelated agents, paths and transactions

  • arbitrary path lengths

[Figure: agents p, d, c and f joined by paths of unknown length and structure (shown as "..." and "???")]


Verification solution

  • Use some TP properties to create an abstract model of PCI called PCIA

  • abstract away:

    • arbitrary unrelated agents, paths

    • arbitrary unrelated transactions

    • arbitrarily long paths


Verification solution

  • show that PCI refines PCIA (trace inclusion):

∀ s: PCI execution trace.
  {(s = [(i1,e1),(i2,e2),...]) ⇒
   ∃ s': abstract PCI execution trace. (s' = [e1,e2,...])}

where e1 = abstraction of i1


Verification solution

  • show that all executions of PCIA satisfy P/C

  • Therefore, no executions of PCI violate P/C

  • pencil & paper refinement proof

  • model checked P/C in PCIA


Unrelated paths and agents

[Figure: the paths joining p, d, c and f, with unrelated paths and agents (shown as "...") removed in the abstraction]


Unrelated Transactions

[Figure: queue contents along the path, e.g. "dwc dw fw" and "cdw", interleaved with unrelated p, d, c and d' entries that the abstraction removes]


Unbounded Path Lengths

  • Ignore bridge boundaries

  • But stacks of committed delayed transactions represent the path length.

[Figure: queue contents along a long path, e.g. "dwc ...dwc dw fw" and "cdw"; one committed copy per bridge crossed]


Unbounded path lengths

  • Theorem from TP model:

    • behind any committed D transaction, there is a continuous stack of D transactions back to the issuing master agent.


Unbounded Path Lengths

  • Keep only the newest committed entry!

  • How to do completions?

    • where is the new newest entry after a completion?

[Figure: queue contents "dwc dw fw" and "cdw" with the position of the next newest entry after a completion marked "???"]


Unbounded path lengths

  • Which transactions behind dwc were in the same queue as dwc?

  • New newest dwc appears behind them.

[Figure: queues "frc fr dwc fw" and "frc dwc fr fw" with completion "cdw"; the new newest dwc appears behind the entries that shared its queue]


Unbounded path lengths

  • lost queue boundaries, so don't know

  • consider all interleavings

  • going to visit all states anyway...

[Figure: the candidate interleavings "frc fr fw", "frc dwc fr fw", "frc fr dwc fw" and "dwc frc fr fw", each paired with completion "cdw"]


Refinement Proof

[Figure: commuting diagram; a PCI transition from an internal state to the next internal state is matched by a PCIA transition from the corresponding abstract state to the next abstract state]


P/C in PCIA

  • SML model of PCIA

  • SML explicit state model checker

  • state P/C as a safety property

  • check all 3 path configurations in 30 sec.

  • less than 2000 states


Discussion

  • combination of TP and MC

  • Novel abstraction

    • unbounded branching paths

    • unbounded transactions

  • Small and finite abstract model

    • can even be checked in a toy model checker


Abstract model

  • keep only significant transactions

    • all forms of dw,dr,fw,fr

    • only the newest committed entry

  • keep only significant agents

    • p,c,d,f agents

  • keep only significant paths

    • paths connecting p,c,d,f

  • ignore bridge and queue boundaries


Transition abstraction

  • There is an abstract transition for each concrete transition that changes the external state.

  • a set of 10 transition rules.

  • see the paper for details.


Delayed transactions

  • most difficult case

