1 PCI transaction ordering verification using trace inclusion refinement Mike Jones UV Meeting October 4, 1999

2 Outline
How PCI works
What we are trying to verify
Why the verification is so hard
How we did the verification
Discussion

3 How PCI works
[Figure: agents and bridges connected by buses; legend: p = posted, d = delayed, c = completion]

4 Posted transactions
Posted transaction, P, from A to B. A puts P on “the rest of the network” and forgets about it. B receives P and that’s it.
[Figure: A, “the rest of the network” carrying P, B]

5 Posted transactions
Pretend there are 2 bridges between A and B, with the other transactions shown. Here’s how P gets from A to B...
[Figure: A, two bridges, B; entries p, c, d, p’]

6 Posted transactions
P goes to bridge 1. P is now complete at A. P can pass delayed transaction d.
[Figure: A, two bridges, B; entries p, c, d, p’]

7 Posted transactions
Next, P completes to bridge 2.
[Figure: A, two bridges, B; entries p, c, d, p’]

8 Posted transactions
P is now complete at bridge 1. P can pass the completion trans. C. P can not pass the other posted trans.
[Figure: A, two bridges, B; entries p, c, d, p’]

9 Posted transactions
P waits until P’ completes on bridge 2.
[Figure: A, two bridges, B; entries p, c, d, p’]

10 Posted transactions
Pretend that P’ went to another bridge (not shown). P can now complete to destination B.
[Figure: A, two bridges, B; entries p, c, d]

11 Posted transactions
No acknowledgement is sent to A. P is now complete at B.
[Figure: A, two bridges, B; entries p, c, d]

12 Delayed transactions
Delayed trans., d, from A to B. A puts d on “the rest of the network” and waits for a completion. B receives d and sends a completion, c.
[Figure: A, “the rest of the network” carrying d, B]

13 Delayed transactions
2 bridges between A and B, other transactions as shown. d tries to latch to bridge 1. d is now committed (called d’).
[Figure: A, two bridges, B; entries d’, c, d, p’]

14 Delayed transactions
Eventually, d’ latches to bridge 1. Bridge 1 has an uncommitted copy of d. d can pass the other d entry already in bridge 1.
[Figure: A, two bridges, B; entries d’, c, d, p’, d]

15 Delayed transactions
d can attempt to latch to bridge 2. d will then be committed at bridge 1.
[Figure: A, two bridges, B; entries d’, c, d, p’, d]

16 Delayed transactions
Eventually, d’ latches to bridge 2.
[Figure: A, two bridges, B; entries d’, c, d, p’, d’]

17 Delayed transactions
d can pass completion entry c.
[Figure: A, two bridges, B; entries d’, c, d, p’, d’, d]

18 Delayed transactions
But, uncommitted d entries can be dropped at any time...
[Figure: A, two bridges, B; entries d’, c, d, p’, d’, d]

19 Delayed transactions
Bridge 1 has to resend d’ to bridge 2. d’ can not be deleted.
[Figure: A, two bridges, B; entries d’, c, d, p’, d’]

20 Delayed transactions
d can be dropped again... Pretend it passes C again. d can not pass posted transactions. d waits till p’ completes.
[Figure: A, two bridges, B; entries d’, c, d, p’, d’, d]

21 Delayed transactions
d commits, then latches to agent B. B creates a completion entry C.
[Figure: A, two bridges, B; entries d’, c, d, d]

22 Delayed transactions
d’ in bridge 2 can complete with the completion in B. d’ will be deleted from bridge 2. c will move into bridge 2.
[Figure: A, two bridges, B; entries d’, c, d, c]

23 Delayed transactions
d is now complete at bridge 2. d’ in bridge 1 can complete with c in bridge 2. c can be deleted too...
[Figure: A, two bridges, B; entries d’, c, d, c]

24 Delayed transactions
d is now complete at bridge 1. Finally, d’ in agent A completes with c in bridge 1.
[Figure: A, two bridges, B; entries d’, c, d, c]

25 Delayed transactions
d is now complete at A. No more actions!
[Figure: A, two bridges, B; entries c, d, d’, c]

26 Reordering and deletion
P can pass anything except P.
D and C can pass either D or C.
Uncommitted D can be dropped.
Oldest C in a queue can be dropped.
P and committed D are never dropped.
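
The five rules on this slide are a complete one-step successor relation for a single PCI queue, which makes them easy to execute. The following is an added example, not code from the talk or from the PVS/Promela/SML models it describes: the `Txn` record, the head-first tuple layout of a queue and the sample queue are constructed assumptions. It generates every legal reordering and deletion, explores the reachable queues explicitly, and checks one consequence of “P can pass anything except P”: two posted writes from the same queue never change relative order, which is the mechanism the producer/consumer property on slides 27 and 28 relies on.

```python
"""Toy model of the PCI queue ordering rules summarized on slide 26.

Added illustration, not the presentation's PVS/Promela/SML model. Queue
entries, tags and the head-first tuple layout are constructed assumptions.
"""
from collections import deque
from dataclasses import dataclass
from itertools import combinations
from typing import Iterator, Set, Tuple


@dataclass(frozen=True)
class Txn:
    kind: str                 # 'P' posted write, 'D' delayed request, 'C' completion
    tag: str                  # constructed label so equal kinds stay distinguishable
    committed: bool = False   # only meaningful for 'D'


Queue = Tuple[Txn, ...]       # index 0 is the oldest entry (the head of the queue)


def can_pass(mover: Txn, blocker: Txn) -> bool:
    """May `mover` (behind) move ahead of `blocker` (directly in front of it)?"""
    if mover.kind == 'P':
        return blocker.kind != 'P'          # P can pass anything except P
    return blocker.kind in ('D', 'C')       # D and C can pass D or C, never P


def can_drop(queue: Queue, index: int) -> bool:
    """May the entry at `index` be deleted from the queue?"""
    t = queue[index]
    if t.kind == 'D':
        return not t.committed              # uncommitted D can be dropped
    if t.kind == 'C':
        oldest_c = next(i for i, x in enumerate(queue) if x.kind == 'C')
        return index == oldest_c            # only the oldest C can be dropped
    return False                            # P is never dropped


def successors(queue: Queue) -> Iterator[Tuple[str, Queue]]:
    """One-step reorderings and deletions permitted by the rules."""
    for i in range(len(queue) - 1):
        if can_pass(queue[i + 1], queue[i]):
            q = list(queue)
            q[i], q[i + 1] = q[i + 1], q[i]
            yield f"{queue[i + 1].tag} passes {queue[i].tag}", tuple(q)
    for i in range(len(queue)):
        if can_drop(queue, i):
            yield f"drop {queue[i].tag}", queue[:i] + queue[i + 1:]


def reachable(start: Queue) -> Set[Queue]:
    """Explicit-state exploration of every queue the rules can produce."""
    seen, work = {start}, deque([start])
    while work:
        q = work.popleft()
        for _, nxt in successors(q):
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return seen


def posted_order_preserved(start: Queue) -> bool:
    """Safety check: two posted writes never change their relative order."""
    posted = [t for t in start if t.kind == 'P']
    for q in reachable(start):
        pos = {t.tag: i for i, t in enumerate(q)}
        for a, b in combinations(posted, 2):   # a was ahead of b in `start`
            if a.tag in pos and b.tag in pos and pos[a.tag] > pos[b.tag]:
                return False
    return True


# Constructed sample queue, head first: a posted write, a committed delayed
# request, a completion, and a second posted write from the same master.
SAMPLE: Queue = (Txn('P', 'p1'), Txn('D', 'd1', committed=True),
                 Txn('C', 'c1'), Txn('P', 'p2'))

if __name__ == "__main__":
    for label, q in successors(SAMPLE):
        print(label, "->", [t.tag for t in q])
    print("reachable queues:", len(reachable(SAMPLE)))
    print("posted order preserved:", posted_order_preserved(SAMPLE))
```

The state space of one queue is finite because deletions only shrink it and swaps only permute it, so `reachable` terminates; the same exhaustive style, applied to the abstract model, is what slide 45 reports at under 2000 states.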

27 Producer/Consumer property
If a producer agent writes a data item and the producer sets a flag, and if the consumer reads the flag, then the consumer will read the new data item.

28 Producer/Consumer property
More formally... ∀ p,c: agent master; d,f: agent target; dw,fw: write trans.; dr,fr: delayed read trans.
{(p issues dw before fw) ∧ (c issues fr before dr) ∧ (dw completes at p before fw) ∧ (fr completes at c before dr) ∧ (fw completes at f before fr)} ⇒ dw completes at d before dr
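
Stated this way, P/C is an ordering predicate over a finite execution trace, which is how slide 45 later treats it (“state P/C as a safety property”). The following added example (not the presentation's code) turns the implication into a checker over traces of constructed `(agent, action, transaction)` events, with one trace that satisfies the property, one that violates it because the stale data read reaches `d` before the data write, and one where the antecedent fails so the property holds vacuously. The event encoding and the role names passed as defaults are assumptions of this example.

```python
"""Executable form of the producer/consumer property on slide 28.

Added illustration, not the presentation's model. Traces are constructed;
each event is (agent, action, transaction) with action 'issue' or 'complete'.
"""
from typing import List, Optional, Tuple

Event = Tuple[str, str, str]
Trace = List[Event]


def before(trace: Trace, first: Event, second: Event) -> bool:
    """True when both events occur in `trace` and `first` precedes `second`."""
    if first not in trace or second not in trace:
        return False
    return trace.index(first) < trace.index(second)


def producer_consumer_holds(trace: Trace, p='p', c='c', d='d', f='f',
                            dw='dw', fw='fw', dr='dr', fr='fr') -> bool:
    """Check slide 28's implication on one trace.

    Antecedent: the five orderings inside the braces. Consequent: dw completes
    at the data target d before dr does. Returns True when the implication
    holds, including vacuously when the antecedent is false.
    """
    antecedent = (
        before(trace, (p, 'issue', dw), (p, 'issue', fw))            # p issues dw before fw
        and before(trace, (c, 'issue', fr), (c, 'issue', dr))        # c issues fr before dr
        and before(trace, (p, 'complete', dw), (p, 'complete', fw))  # dw completes at p before fw
        and before(trace, (c, 'complete', fr), (c, 'complete', dr))  # fr completes at c before dr
        and before(trace, (f, 'complete', fw), (f, 'complete', fr))  # fw completes at f before fr
    )
    consequent = before(trace, (d, 'complete', dw), (d, 'complete', dr))
    return (not antecedent) or consequent


def first_violation(traces: List[Trace]) -> Optional[int]:
    """Index of the first trace that violates the property, or None."""
    for i, t in enumerate(traces):
        if not producer_consumer_holds(t):
            return i
    return None


# Constructed trace: the data write reaches d before the consumer's data read.
GOOD: Trace = [
    ('p', 'issue', 'dw'), ('p', 'complete', 'dw'),
    ('p', 'issue', 'fw'), ('p', 'complete', 'fw'),
    ('d', 'complete', 'dw'), ('f', 'complete', 'fw'),
    ('c', 'issue', 'fr'), ('f', 'complete', 'fr'), ('c', 'complete', 'fr'),
    ('c', 'issue', 'dr'), ('d', 'complete', 'dr'), ('c', 'complete', 'dr'),
]

# Constructed trace with the same antecedent, but dr reaches d before dw.
BAD: Trace = [
    ('p', 'issue', 'dw'), ('p', 'complete', 'dw'),
    ('p', 'issue', 'fw'), ('p', 'complete', 'fw'),
    ('f', 'complete', 'fw'),
    ('c', 'issue', 'fr'), ('f', 'complete', 'fr'), ('c', 'complete', 'fr'),
    ('c', 'issue', 'dr'), ('d', 'complete', 'dr'), ('c', 'complete', 'dr'),
    ('d', 'complete', 'dw'),
]

# Constructed trace where the consumer reads data before the flag: the
# antecedent fails, so the property promises nothing.
VACUOUS: Trace = [
    ('p', 'issue', 'dw'), ('p', 'complete', 'dw'),
    ('p', 'issue', 'fw'), ('p', 'complete', 'fw'),
    ('c', 'issue', 'dr'), ('d', 'complete', 'dr'), ('c', 'complete', 'dr'),
    ('d', 'complete', 'dw'), ('f', 'complete', 'fw'),
    ('c', 'issue', 'fr'), ('f', 'complete', 'fr'), ('c', 'complete', 'fr'),
]

if __name__ == "__main__":
    for name, t in (("GOOD", GOOD), ("BAD", BAD), ("VACUOUS", VACUOUS)):
        print(name, producer_consumer_holds(t))
```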

29 Verifying P/C
Theorem proving effort
–PVS theory of PCI using NASA library
–several person months of effort
–too hard.
Model checking effort
–long-ish Promela model
–does not generalize to arbitrary cases
–does finish though

30 Theorem proving difficulties
Unconstrained environment.
Big induction principle.
Several months of effort... some properties were proven.

31 TP contribution
Any configuration of p,c,d,f is in one of the following infinite classes:
[Figure: three path configurations over the agents p, c, d, f]

32 Model checking difficulties
Check sample networks from each class.
Included only P/C transactions.
Model checker works in finite domain.
Couldn’t convincingly generalize the results.

33 Missing generalizations
Arbitrary unrelated agents, paths and transactions.
Arbitrary path lengths.
[Figure: configurations of p, c, d, f with elided intermediate agents (“...”) and unknown structure (“???”)]

34 Verification solution
Use some TP properties to create an abstract model of PCI called PCI A.
Abstract away:
–arbitrary unrelated agents, paths
–arbitrary unrelated transactions
–arbitrarily long paths

35 Verification solution
Show that PCI ⊑ PCI A (trace inclusion):
∀ s: PCI execution trace. {(s = [(i1,e1),(i2,e2),...]) ⇒ ∃ s’: abstract PCI execution trace. (s’ = [e1,e2,...])}
where e1 = abstraction of i1, and so on.

36 Verification solution
Show that all executions of PCI A satisfy P/C.
Therefore, no executions of PCI violate P/C.
Pencil & paper refinement proof.
Model checked P/C in PCI A.

37 Unrelated paths and agents...
[Figure: two configurations of the agents p, c, d, f]

38 Unrelated Transactions
[Figure: queues along the path from p holding fw, dw, dwc, cdw, d’, c, p and d entries]

39 Unbounded Path Lengths
Ignore bridge boundaries. But stacks of committed delayed transactions represent the path length.
[Figure: queues along the path holding fw, dw, dwc, cdw, d’, c, p and d entries; a stack of dwc entries (“dwc...dwc”) spans the bridges]

40 Unbounded path lengths
Theorem from TP model:
–behind any committed D transaction, there is a continuous stack of D transactions back to the issuing master agent.

41 Unbounded Path Lengths
Keep only the newest committed entry!
How to do completions?
–where is the new newest entry after a completion?
[Figure: queues holding fw, dw, dwc, cdw, d’, c, p and d entries; the position of the new newest entry after a completion is marked “???”]

42 Unbounded path lengths
Which transactions behind dwc were in the same queue as dwc? New newest dwc appears behind them.
[Figure: several arrangements of frc, fr, dwc, fw, cdw and p entries showing where the new newest dwc appears]

43 Unbounded path lengths
Lost queue boundaries, so we don’t know. Consider all interleavings; we are going to visit all states anyway...
[Figure: all interleavings of the frc, fr, dwc, fw and cdw entries]

44 Refinement Proof
[Figure: commuting diagram. One PCI A transition from an abstract state to the next abstract state sits above a run of PCI transitions from an internal state through intermediate internal states to the next internal state; the abstraction maps the internal states at both ends onto the abstract states.]
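
Slides 35, 36 and 44 together describe one argument: if every concrete transition either maps to an abstract transition or is internal and leaves the abstract state unchanged, then by induction the abstraction of every PCI trace is a PCI A trace, and a safety property checked on the finite abstract model carries over to the concrete one. The following added example (not the talk's proof or models) mechanizes that commuting-square check over the reachable transitions of a constructed toy: a posted write travelling A → bridge 1 → bridge 2 → B, abstracted to a model that ignores bridge boundaries as slide 39 does. The transition systems, the `hop` label treated as internal, and the `ABSTRACT_BROKEN` model that forgets a transition are all assumptions of this example.

```python
"""Trace-inclusion refinement check in the shape of slides 35, 36 and 44.

Added illustration; the transition systems here are constructed toys, not the
PCI or PCI A models of the talk. A concrete step whose label abstracts to
None is internal: it must leave the abstract state unchanged (a stutter).
"""
from collections import deque
from typing import Callable, Hashable, List, Optional, Set, Tuple

State = Hashable
Transition = Tuple[State, str, State]
StepFn = Callable[[State], List[Tuple[str, State]]]


def explore(init: State, step: StepFn) -> Tuple[Set[State], Set[Transition]]:
    """Explicit-state reachability: all states and transitions from `init`."""
    states, transitions = {init}, set()
    work = deque([init])
    while work:
        s = work.popleft()
        for label, t in step(s):
            transitions.add((s, label, t))
            if t not in states:
                states.add(t)
                work.append(t)
    return states, transitions


def refinement_counterexamples(concrete_init: State, concrete_step: StepFn,
                               abstract_transitions: Set[Transition],
                               abs_state: Callable[[State], State],
                               abs_label: Callable[[str], Optional[str]]) -> List[Transition]:
    """Slide 44's commuting square, checked for every reachable concrete step.

    Each concrete transition (s, i, s') must map to an abstract transition
    (abs(s), abs(i), abs(s')) or, when abs(i) is None, to a stutter with
    abs(s) == abs(s'). Induction over a trace then gives slide 35's inclusion.
    """
    _, transitions = explore(concrete_init, concrete_step)
    bad = []
    for s, i, t in transitions:
        e = abs_label(i)
        if e is None:
            if abs_state(s) != abs_state(t):
                bad.append((s, i, t))
        elif (abs_state(s), e, abs_state(t)) not in abstract_transitions:
            bad.append((s, i, t))
    return sorted(bad, key=repr)


def abstract_trace(trace: List[str], abs_label) -> List[str]:
    """Map concrete labels [i1, i2, ...] to [e1, e2, ...], dropping stutters."""
    return [e for e in (abs_label(i) for i in trace) if e is not None]


def abstract_safe(abstract_init: State, abstract_transitions: Set[Transition],
                  bad_state: Callable[[State], bool]) -> bool:
    """Model-check a safety predicate on the finite abstract model (slide 36).

    Together with an empty counterexample list, and a bad-state predicate that
    the abstraction preserves, this is what rules out concrete violations.
    """
    def step(s):
        return [(e, t) for (a, e, t) in abstract_transitions if a == s]
    states, _ = explore(abstract_init, step)
    return not any(bad_state(s) for s in states)


# Constructed concrete system: a posted write travels A -> bridge1 -> bridge2 -> B.
def concrete_step(loc):
    return {'A': [('issue', 'b1')], 'b1': [('hop', 'b2')],
            'b2': [('complete', 'B')], 'B': []}[loc]


# Constructed abstract system that ignores bridge boundaries (slide 39).
ABSTRACT = {('A', 'issue', 'net'), ('net', 'complete', 'B')}
ABSTRACT_BROKEN = {('A', 'issue', 'net')}        # forgot the completion transition


def abs_state(loc):
    return 'net' if loc in ('b1', 'b2') else loc   # both bridges collapse to 'net'


def abs_label(i):
    return None if i == 'hop' else i               # bridge-to-bridge hops are internal


if __name__ == "__main__":
    print("counterexamples:", refinement_counterexamples('A', concrete_step, ABSTRACT, abs_state, abs_label))
    print("broken model:", refinement_counterexamples('A', concrete_step, ABSTRACT_BROKEN, abs_state, abs_label))
    print("abstract trace:", abstract_trace(['issue', 'hop', 'complete'], abs_label))
```

The check is a simulation argument rather than a direct comparison of trace sets, which is why it scales to the pencil-and-paper proof of slide 36: the proof obligation is per transition, not per execution.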

45 P/C in PCI A
SML model of PCI A.
SML explicit state model checker.
State P/C as a safety property.
Check all 3 path configurations in 30 sec.
Less than 2000 states.

46 Discussion
Combination of TP and MC.
Novel abstraction
–unbounded branching paths
–unbounded transactions
Small and finite abstract model
–can even be checked in a toy model checker

47 Abstract model

48 Abstract model
Keep only significant transactions
–all forms of dw,dr,fw,fr
–only the newest committed entry
Keep only significant agents
–p,c,d,f agents
Keep only significant paths
–paths connecting p,c,d,f
Ignore bridge and queue boundaries
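
The state-abstraction half of this slide can be written down as a function from a concrete path to an abstract state, and slide 40's theorem is what makes the “newest committed entry” rule sound: if every committed copy has a continuous stack of copies behind it back to the master, the stack is determined by its front. The following added example (not the talk's PCI A model and not its 10 transition rules) does both for a constructed concrete path. Its representation is an assumption: a path is a list of queues from master to target, each head first; an entry is `(transaction, form)` with form `'p'`, `'d'` (uncommitted delayed), `"d'"` (committed delayed) or `'c'`; and the newest committed copy is taken to be the one nearest the target, since that copy latched most recently (slides 13 to 16).

```python
"""State abstraction in the spirit of slide 48, plus slide 40's theorem as a check.

Added illustration, not the talk's PCI A model or its transition rules.
Assumptions: a path is a list of queues from the master to the target, each
queue head first; an entry is (transaction, form) with form 'p' (posted),
'd' (uncommitted delayed request), "d'" (committed delayed request) or 'c'
(completion); the newest committed copy is the one nearest the target.
"""
from collections import namedtuple
from typing import List, Tuple

Entry = namedtuple('Entry', ['txn', 'form'])
Path = List[List[Entry]]

SIGNIFICANT = {'dw', 'dr', 'fw', 'fr'}     # the P/C transactions; all forms are kept


def continuous_stack(path: Path, txn: str) -> bool:
    """Slide 40's theorem as a predicate on a concrete path.

    If any queue holds a committed copy of `txn`, every queue between it and
    the issuing master (lower index) must hold a committed copy as well.
    """
    committed_at = [i for i, q in enumerate(path) if Entry(txn, "d'") in q]
    if not committed_at:
        return True
    return committed_at == list(range(max(committed_at) + 1))


def abstract_path(path: Path) -> Tuple[Entry, ...]:
    """Slide 48's state abstraction applied to one concrete path."""
    # Ignore bridge and queue boundaries: flatten in path order, master first.
    flat = [e for queue in path for e in queue]
    # Keep only significant transactions; unrelated p/d/c traffic disappears.
    flat = [e for e in flat if e.txn in SIGNIFICANT]
    # Keep only the newest committed entry of each delayed transaction
    # (assumed: the copy furthest along the path toward the target).
    newest = {}
    for idx, e in enumerate(flat):
        if e.form == "d'":
            newest[e.txn] = idx
    return tuple(e for idx, e in enumerate(flat)
                 if e.form != "d'" or newest[e.txn] == idx)


def committed_copies(state, txn: str) -> int:
    """Number of committed copies of `txn` in a flat (abstract) state."""
    return sum(1 for e in state if e == Entry(txn, "d'"))


# Constructed concrete path: consumer c, two bridges, data target d.
# dr is committed at c and at bridge 1 and is being latched into bridge 2;
# x9 is an unrelated posted write the abstraction must remove; fr's
# completion travels back toward c over a bridge the two paths share.
SAMPLE_PATH: Path = [
    [Entry('dr', "d'")],                        # consumer c
    [Entry('x9', 'p'), Entry('dr', "d'")],      # bridge 1
    [Entry('dr', 'd'), Entry('fr', 'c')],       # bridge 2
    [],                                         # data target d
]

# Constructed path violating slide 40: bridge 1 has a committed copy but the
# master does not, so the stack behind the newest copy is not continuous.
BROKEN_PATH: Path = [[], [Entry('dr', "d'")], [], []]

if __name__ == "__main__":
    print("stack continuous:", continuous_stack(SAMPLE_PATH, 'dr'))
    print("abstract state:", abstract_path(SAMPLE_PATH))
    print("broken path continuous:", continuous_stack(BROKEN_PATH, 'dr'))
```

Applying `abstract_path` to its own output changes nothing, which is the sanity check one wants of an abstraction before building transition rules on top of it.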

49 Transition abstraction
There is an abstract transition for each concrete transition that changes the external state.
A set of 10 transition rules.
See the paper for details.

50 Delayed transactions most difficult case