Verification of cache-coherence protocols with TLA+ (Compaq Computer Corporation, September 1999)
Slide 1 of 16: Verification of cache-coherence protocols with TLA+
Homayoon Akhiani, Damien Doligez, Paul Harter, Leslie Lamport, Joshua Scheid, Mark Tuttle, Yuan Yu
Compaq Computer Corporation, September 1999

Slide 2 of 16: TLA+
• A formal specification language based on set theory, first-order logic, temporal logic
• Hierarchical style clarifies written
  – specifications
  – proofs
  (figure: a specification and a proof each shown before and after being rewritten in hierarchical style; the structured proof carries the step labels CASE 2., CASE 3., QED)
• Engineers find reading easy, writing not too hard

Slide 3 of 16: Used TLA+ to demonstrate formal methods to engineering
• Analyzed cache-coherence protocols for
  – EV6: Alpha processor
  – EV7: Alpha processor
• Built TLC, a model-checker for TLA+
• Analyzed proposals for industry standards
  – PCI-X, …

Slide 4 of 16: Cache coherence protocols
• Goal: prove the cache coherence protocol is correct.
• Alpha memory model defines ordering of reads and writes to x.
• Cache coherence protocol enforces the Alpha memory model.
(figure: processors with their caches attached to a shared memory; the caches and memory hold copies of x, labelled x=2, x=2 and x=1)

Slide 5 of 16: EV6 cache coherence in “three easy steps” + “two man-years”
• Model Alpha memory model. (200 lines)
• Model abstract protocol. (500 lines)
  – Prove implementation (550 lines, 2 months, informal)
• Model complete protocol. (2000 lines, 3 months)
  – Prove implementation (5500 lines, 4+ months, incomplete)

Slide 6 of 16: Step 1: Alpha memory model
• We specified the Alpha memory model:
  – The official specification is an informal description of the allowed sequences of reads and writes.
  – We needed a precise, state-based specification.
  – We specified a slightly simplified memory model.
• Compare the specifications:
  – Official, English specification: 12 pages
  – Logical, precise specification: 200 lines

Slide 7 of 16: Step 2: Model abstract protocol
• protocol = abstract protocol + implementation junk
• Surprisingly,
  – abstract protocol’s correctness was far from obvious
  – we discovered a bug… in the memory model
• Proved hardest part of correctness:
  – 35-line invariant based on 300 lines of definitions
  – 550-line proof, cases nested 10 levels deep

Slide 8 of 16: Step 3: Model complete protocol
• Obstacle 1: find a single, complete description
  – English documents: 20 documents, 4-inch stack
  – Lisp simulator: crucial to understanding some details
• Obstacle 2: algorithm complexity
  – 60 different kinds of messages
  – 15 “quarks” could combine to model all 60 messages
• Protocol: 9 man-months, 1900 lines of TLA+
• Partial proof: 7 man-months, 1000-line invariant

Slide 9 of 16: Results: one bug
• Quite unexpected to find only one bug!
• Heavy simulation had found the easy bugs
• Demonstrating our bug requires
  – four processors
  – two memory locations
  – fifteen messages
• Hand proof appears essential to finding this bug:
  – extensive simulation did not find it
  – state space too large for exhaustive model checking

Slide 10 of 16: Lessons learned
• The designers had no trouble reading our spec.
• The level of rigorous analysis resulting even from a partial proof delighted the designers
• The demonstration convinced engineers to consider doing the same thing on their own...
• The basic methodology worked as expected
• Tools, even simple tools, are essential…

Slide 11 of 16: TLC model checker
• Inputs:
  – State machine in a rich subset of TLA+ (Initial, NextState)
  – Configuration file making the state machine finite
  – Invariant
• Output: minimal state trace from an initial state to a bad state
• Checks for:
  – Invariant false
  – Deadlock

Slide 12 of 16: TLC implementation
• Require no changes to TLA+ specifications
  – use the richness of TLA+, no primitive language
  – use configuration files instead
• Interpret specifications, don’t compile them
  – better user interaction possible
• Use explicit state representation, not BDDs
  – BDD encoding of TLA+ formulas difficult
  – use canonical state representation + fingerprinting
  – use efficient disk-based state set and queue implementations
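As an added illustration (not code from the Compaq presentation or from TLC itself), the following Python script is a miniature explicit-state checker built the way slides 11 and 12 describe it: a state machine given as initial states plus a next-state relation, a configuration that makes the state space finite, an invariant, breadth-first search over fingerprinted states so that the first violation reported is a shortest trace, and a deadlock check. The model it checks is a constructed toy, not the Alpha protocol: two processors, each with one cache line for a single location x, in a correct variant that invalidates the other caches on a write and a buggy variant that forgets to. The optional symmetry switch canonicalises states under processor permutation, the kind of reduction slide 14 mentions. Every name here, and the choice of a truncated SHA-256 digest as a 64-bit fingerprint, is this example's own.

```python
"""Miniature explicit-state model checker in the style of TLC (constructed example).

The checked model is a toy write-through cache for one location x with two
variants: one that invalidates other caches on a write and one that does not.
BFS over fingerprinted states means the first violation found is a shortest trace.
"""
import hashlib
from collections import deque

# --- Configuration: the choices that make the state space finite ---------------
PROCS = (0, 1)          # two processors, each with one cache line for x
VALUES = (0, 1)         # values x may hold
EMPTY = None            # an invalid (empty) cache line

# A state is (value of x in memory, tuple of per-processor cache line contents).
def initial_states():
    return [(0, tuple(EMPTY for _ in PROCS))]

def next_states(state, invalidate):
    """All successors of `state`; `invalidate=False` is the buggy variant."""
    mem, caches = state
    succ = []
    for p in PROCS:
        # Read: a processor with an empty line fills it from memory.
        if caches[p] is EMPTY:
            c = list(caches)
            c[p] = mem
            succ.append((mem, tuple(c)))
        # Write: update own line and memory; the correct variant also invalidates
        # every other processor's line, the buggy one leaves them as they are.
        for v in VALUES:
            c = [EMPTY if (invalidate and q != p) else caches[q] for q in PROCS]
            c[p] = v
            succ.append((v, tuple(c)))
    return succ

def coherent(state):
    """Invariant: every valid cache line agrees with memory."""
    mem, caches = state
    return all(line is EMPTY or line == mem for line in caches)

def canonical(state, symmetry):
    """Symmetry reduction: processors are interchangeable, so sort the lines."""
    mem, caches = state
    return (mem, tuple(sorted(caches, key=repr))) if symmetry else state

def fingerprint(state):
    """64-bit fingerprint of the canonical state (TLC stores fingerprints, not
    full states; a truncated digest can collide, which is the accepted trade-off)."""
    return int.from_bytes(hashlib.sha256(repr(state).encode()).digest()[:8], "big")

def check(invalidate=True, symmetry=False):
    """Breadth-first search of the state graph.  Returns the verdict, the reason
    ("invariant" or "deadlock"), a minimal counterexample trace as a list of
    states, and the number of distinct (canonical) states visited."""
    seen = {}     # fingerprint -> parent fingerprint (None for an initial state)
    states = {}   # fingerprint -> first concrete state seen with that fingerprint
    queue = deque()

    def visit(s, parent):
        fp = fingerprint(canonical(s, symmetry))
        if fp not in seen:
            seen[fp] = parent
            states[fp] = s
            queue.append(fp)

    def trace(fp):
        # Walk parent pointers back to an initial state; representatives are
        # real states and successors were computed from them, so this is a
        # genuine execution even with symmetry merging on.
        path = []
        while fp is not None:
            path.append(states[fp])
            fp = seen[fp]
        return path[::-1]

    for s in initial_states():
        visit(s, None)
    while queue:
        fp = queue.popleft()
        s = states[fp]
        if not coherent(s):
            return {"ok": False, "reason": "invariant", "trace": trace(fp), "states": len(seen)}
        succ = next_states(s, invalidate)
        if not succ:
            return {"ok": False, "reason": "deadlock", "trace": trace(fp), "states": len(seen)}
        for t in succ:
            visit(t, fp)
    return {"ok": True, "reason": None, "trace": [], "states": len(seen)}

if __name__ == "__main__":
    for inv in (True, False):
        print("invalidate" if inv else "no invalidate", check(invalidate=inv))
    print("with symmetry", check(invalidate=True, symmetry=True))
```

Run as a script, the buggy variant reports a three-state trace: the initial state, processor 0 reading x=0 into its line, then processor 1 writing x=1 while processor 0's line still says 0. The correct variant explores 7 states, and 5 with symmetry reduction switched on. The toy model never deadlocks because a write is always enabled, so the deadlock branch is exercised only by a model whose next-state relation can run dry.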

Slide 13 of 16: TLC status
• 20,000 lines of Java
• Compaq internal distribution available now
• Performance is good, sometimes slow: threaded and distributed implementations now exist.
• Liveness checking/livelock detection coming
• Coverage analysis is desired: what does lack of an error mean, a correct spec or a buggy spec?

Slide 14 of 16: EV7 cache coherence
• First intense application of TLC model checker
• First TLA+ specification written by engineers
• Specification is 1800 lines
• Specification accepted by TLC w/o modification
• State space reduced 50% by adding 15 lines to remove a lot of symmetry in state space

Slide 15 of 16: Results
• 73 bugs found (90% found by TLC):
  – 37 minor: typos, type errors, etc.
  – 12 bugs: wrong message/wrong state
  – 14 missing cases
  – 7 spurious cases (dead code)
  – 3 miscellaneous (1 TLA+, 1 MC, 1 spec design)
• War story: find bug B by hand; find bug B’ like B by simulation; find bug B’’ in bug-fix for B; find “???” written in original documentation!

Slide 16 of 16: Lessons learned
• Learning TLA+ is not a major task, but writing good specifications still requires experience
• EV6 verification was
  – humbling: only one error actually found
  – encouraging: the basic method works as expected
• EV7 verification was very satisfying:
  – TLA+ specifications can be written by engineers
  – TLC can handle industrial-sized specifications
• Formal specification belongs in design process…