Presentation is loading. Please wait.

Presentation is loading. Please wait.

Michael D. Jones, Ganesh Gopalakrishnan

Published byAmberly Marsh Modified over 6 years ago

Similar presentations

Presentation on theme: "Michael D. Jones, Ganesh Gopalakrishnan"— Presentation transcript:

1 Verifying Transaction Ordering Properties in Unbounded Multi-Bus Networks
Michael D. Jones, Ganesh Gopalakrishnan University of Utah, School of Computing FMCAD’00 Austin, Texas

2 Single-Bus ...

3 Multi-bus ... ... ... ... ... ... Verifying safety properties of networks when the network topology matters. Reorderings, deletions happen in internal nodes. ... ...

4 Case Study Abstraction, theorem proving and model checking applied to reasoning about multi-bus PCI. HOL theorem proving too hard (for us...) Finite state model checking impossible

5 Motivation Difficult, interesting problem, but few published solutions
Application to shared memory systems, multi-bus IO

6 Related Work PCI Verification Parameterized Branching Networks
Shimizu:FMCAD’00,Clarke:Charme’99, Corella:CHDL’97 Parameterized Branching Networks Bhargavan:TPHOLs’00, Kesten:CAV’97

7 How PCI works (in our model)
Bus Posted d p c Delayed completion this is a definitional slide. What is an agent, a bridge, how do you hook them up? an agent is at the end of a network of busses. Every agent can talk to every other agent. No cycles. What kinds of transactions are there? Posted and delayed. d Agent Bridge

8 Posted transactions Posted transaction, P, from A to B.
A puts p on “the rest of the network” and forgets about it. B receives P and that’s it. big animation of a posted transaction. Highlighting that a P trans is complete at the master when it leaves. The Rest of the network p B A

9 Delayed transactions Delayed trans., d, from A to B.
A puts d on “the rest of the network” and waits for a completion. B receives d and sends a completion,c. even bigger annimation showing a delayed transaction building its path of committed entries, an uncommitted transaction getting deleted. Then show a completion getting issued. Show the completion coming back through and deleting the stack of committed entries. Show a commit getting dropped. The Rest of the network d B A

10 Delayed transactions 2 bridges between A and B
Other transactions as shown. d tries to latch to bridge 1. d is now committed (called d’). even bigger annimation showing a delayed transaction building its path of committed entries, an uncommitted transaction getting deleted. Then show a completion getting issued. Show the completion coming back through and deleting the stack of committed entries. Show a commit getting dropped. d’ d c p’ B A

11 Delayed transactions Eventually, d’ latches to bridge 1.
bridge 1 has an uncommitted copy of d d can pass the other d entry already in bridge 1. even bigger annimation showing a delayed transaction building its path of committed entries, an uncommitted transaction getting deleted. Then show a completion getting issued. Show the completion coming back through and deleting the stack of committed entries. Show a commit getting dropped. d’ d d c p’ B A

12 Delayed transactions d can attempt to latch to bridge 2.
d will then be committed at bridge 1. even bigger annimation showing a delayed transaction building its path of committed entries, an uncommitted transaction getting deleted. Then show a completion getting issued. Show the completion coming back through and deleting the stack of committed entries. Show a commit getting dropped. d’ d d c p’ B A

13 Delayed transactions Eventually, d’ latches to bridge 2. d’ d’ d c p’
even bigger annimation showing a delayed transaction building its path of committed entries, an uncommitted transaction getting deleted. Then show a completion getting issued. Show the completion coming back through and deleting the stack of committed entries. Show a commit getting dropped. d’ d’ d c p’ B A

14 Delayed transactions d can pass completion entry c. d’ d’ d d c p’ B A
even bigger annimation showing a delayed transaction building its path of committed entries, an uncommitted transaction getting deleted. Then show a completion getting issued. Show the completion coming back through and deleting the stack of committed entries. Show a commit getting dropped. d’ d’ d d c p’ B A

15 Delayed transactions But, uncommitted d entries can be dropped at any time... even bigger annimation showing a delayed transaction building its path of committed entries, an uncommitted transaction getting deleted. Then show a completion getting issued. Show the completion coming back through and deleting the stack of committed entries. Show a commit getting dropped. d’ d’ d d c p’ B A

16 Delayed transactions bridge 1 has to resend d’ to bridge 2
d’ can not be deleted even bigger annimation showing a delayed transaction building its path of committed entries, an uncommitted transaction getting deleted. Then show a completion getting issued. Show the completion coming back through and deleting the stack of committed entries. Show a commit getting dropped. d’ d’ d c p’ B A

17 Delayed transactions d can be dropped again...
pretend it passes C again. d can not pass posted transactions. d waits till p’ completes. even bigger annimation showing a delayed transaction building its path of committed entries, an uncommitted transaction getting deleted. Then show a completion getting issued. Show the completion coming back through and deleting the stack of committed entries. Show a commit getting dropped. d’ d’ d d c p’ B A

18 Delayed transactions d commits then latches to agent B.
B creates a completion entry C. even bigger annimation showing a delayed transaction building its path of committed entries, an uncommitted transaction getting deleted. Then show a completion getting issued. Show the completion coming back through and deleting the stack of committed entries. Show a commit getting dropped. d’ d’ d d c B A

19 Delayed transactions d’ in bridge 2 can complete with the completion in B. d’ will be deleted from bridge 2. c will move into into bridge 2. even bigger annimation showing a delayed transaction building its path of committed entries, an uncommitted transaction getting deleted. Then show a completion getting issued. Show the completion coming back through and deleting the stack of committed entries. Show a commit getting dropped. d’ d’ d’ d’ d c c B A

20 Delayed transactions d is now complete at bridge 2.
d’ in bridge 1 can complete with c in bridge 2. c can be deleted too... even bigger annimation showing a delayed transaction building its path of committed entries, an uncommitted transaction getting deleted. Then show a completion getting issued. Show the completion coming back through and deleting the stack of committed entries. Show a commit getting dropped. d’ d’ d’ d c c B A

21 Delayed transactions d is now complete at bridge 1.
finally, d’ in agent A completes with c in bridge 1. even bigger annimation showing a delayed transaction building its path of committed entries, an uncommitted transaction getting deleted. Then show a completion getting issued. Show the completion coming back through and deleting the stack of committed entries. Show a commit getting dropped. d’ d’ d c c B A

22 Delayed transactions d is now complete at A. c d’ d c B A
even bigger annimation showing a delayed transaction building its path of committed entries, an uncommitted transaction getting deleted. Then show a completion getting issued. Show the completion coming back through and deleting the stack of committed entries. Show a commit getting dropped. c d’ d c B A

23 Reordering and deletion
P can pass anything except P. D and C can pass either D or C. uncommitted D can be dropped. oldest C in a queue can be dropped. P and committed D never dropped. Have already shown some deletion rules. Maybe reproduce the passing table from the FMSD paper?

24 Producer/Consumer property
if a producer agent writes a data item and the producer sets a flag and if the consumer reads the flag then the consumer will read the new data item.  in any PCI network, during any execution sort of reproduce the definition from the paper. Do an example in the next slide. move the example to be a running example over several slides fake animated. maybe no running example? Pretty simple concept. then move the formal definition to the next slide.

25 Solution C = acyclic multi-bus PCI networks
= Producer/Consumer property L = Labelings assigned by Producer/Consumer

26 Solution C = acyclic multi-bus PCI networks
= Producer/Consumer property L = Labelings assigned by Producer/Consumer = Project a finite state model out of n v = Add non-determinism to PCI on n

27 State Projection

28 State Transitions

29 Unreachable states

30 Adding Non-determinism

31 What is actually modeled

32 Despite the spurious behaviors in PCI’, PCI’ can still be used to prove useful properties of PCI.

33 Refinement Proof s t post(t,s) (s) t’ post(t’, (s))

34 Proof Metrics ~1,500 lines to model transitions and abstraction
~1,000 proof commands in final proof ~1 month of effort to build models and do the proof.

35 Checking the Reduced Model
States CPU time (sec) P D C F 2, P C D F 1, P F D C P F D C Total ,

36 Solution Summary PCI is a refinement of PCI’ PVS proof
All traces of PCI on all configs satisfy PC. Four network topologies in n All traces of PCI’ on all topologies satisfy PC. Murphi model check

37 Hierarchical caching networks
wr(A,2) rd(A,-) rd(A,1) rd(A,0) E wr(A,0) wr(A,1) M M2 M0 M1 P Q Model Checker

38 Model Checking Results
States CPU time (sec) P P Q 110, P Q P 151, P P Q * 618, Total ,

39 Discussion and Future Work
Abstraction technique that yields a finite state model which preserves enough information to reason about useful properties in networks where the behavior and arrangement of the intermediate nodes matters. General refinement proof and tool.

40

41 State Transitions

42 State Transitions

43 Producer/Consumer for PCI
... p c d f ...for all networks and all executions.

44 Abstracting PCI Networks
D F

45 Abstracting PCI Networks
D F P C D F

46 Abstracting PCI Networks
D C F P C D F P C D F P F D C P F D C

47 Abstracting PCI Messages
dwc c p d dwc c dc d dwc d dw d d p fw P ... ... p p c cdw dwc p c dwc dc c ... dwc d dw d p fw P d d d c ... p p c cdw

48 Abstracting PCI Messages
dwc p c dwc dc c dwc d dw d d p fw P ... ... d d d c p p c cdw dwc dwc ... dwc dw fw P cdw

49 Abstracting PCI Messages
dwc p c dwc dc c dwc d dw d d p fw P ... ... d d d c p p c cdw dwc dw fw P cdw

50 Solution #1 Proofs of obvious lemmas hard:
All traces, all configs. satisfy P/C PVS proof PCI model Proofs of obvious lemmas hard: “if a message is present in a queue, then it was created previously”

51 Solution #2 1 SPIN some traces in these Model Check
configs. satisfy P/C. 2 3

52 Posted transactions Pretend there are 2 bridges between A and B
With the other transaction shown. Here’s how P gets from A to B... big animation of a posted transaction. Highlighting that a P trans is complete at the master when it leaves. p d c p’ B A

53 Posted transactions P goes to bridge 1. P is now complete at A.
P can pass delayed transaction d big animation of a posted transaction. Highlighting that a P trans is complete at the master when it leaves. p d c p’ B A

54 Posted transactions Next, P completes to bridge 2. p d c p’ B A
big animation of a posted transaction. Highlighting that a P trans is complete at the master when it leaves. p d c p’ B A

55 Posted transactions P is now complete at bridge 1.
P can pass the completion trans. C. P can not pass the other posted trans. big animation of a posted transaction. Highlighting that a P trans is complete at the master when it leaves. p d c p’ B A

56 Posted transactions P waits until P’ completes on bridge 2 p d c p’ B
big animation of a posted transaction. Highlighting that a P trans is complete at the master when it leaves. p d c p’ B A

57 Posted transactions Pretend that P’ went to another bridge (not shown). P can now complete to destination B. big animation of a posted transaction. Highlighting that a P trans is complete at the master when it leaves. p d c B A

58 Posted transactions No acknowledgement is sent to A.
P is now complete at B. big animation of a posted transaction. Highlighting that a P trans is complete at the master when it leaves. p d c B A

Download ppt "Michael D. Jones, Ganesh Gopalakrishnan"

Similar presentations

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.
1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.

1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.
AI Pathfinding Representing the Search Space

AI Pathfinding Representing the Search Space
Global States.

Global States.
A Survey of Runtime Verification Jonathan Amir 2004.

A Survey of Runtime Verification Jonathan Amir 2004.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Theory Of Automata By Dr. MM Alam

Theory Of Automata By Dr. MM Alam
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.

Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Introduction to Graphs

Introduction to Graphs
1 Transportation Model. 2 Basic Problem The basic idea in a transportation problem is that there are sites or sources of product that need to be shipped.

1 Transportation Model. 2 Basic Problem The basic idea in a transportation problem is that there are sites or sources of product that need to be shipped.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by SRC Contract.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by SRC Contract.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.
Distributed Algorithms – 2g1513 Lecture 10 – by Ali Ghodsi Fault-Tolerance in Asynchronous Networks.

Distributed Algorithms – 2g1513 Lecture 10 – by Ali Ghodsi Fault-Tolerance in Asynchronous Networks.
Section 7.4: Closures of Relations Let R be a relation on a set A. We have talked about 6 properties that a relation on a set may or may not possess: reflexive,

Section 7.4: Closures of Relations Let R be a relation on a set A. We have talked about 6 properties that a relation on a set may or may not possess: reflexive,
1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.

Similar presentations

Ads by Google