Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 A Compositional Approach to Verifying Hierarchical Cache Coherence Protocols Xiaofang Chen 1 Yu Yang 1 Ganesh Gopalakrishnan 1 Ching-Tsun Chou 2 1 University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 A Compositional Approach to Verifying Hierarchical Cache Coherence Protocols Xiaofang Chen 1 Yu Yang 1 Ganesh Gopalakrishnan 1 Ching-Tsun Chou 2 1 University."— Presentation transcript:

1 1 A Compositional Approach to Verifying Hierarchical Cache Coherence Protocols Xiaofang Chen 1 Yu Yang 1 Ganesh Gopalakrishnan 1 Ching-Tsun Chou 2 1 University of Utah 2 Intel Corporation * Supported in part by Intel SRC Customization Award 2005-TJ-1318

2 FMCAD 2006 2 Hierarchical Cache Coherence Protocols Chip-level protocols Inter-cluster protocols Intra-cluster protocols dir mem dir mem …

3 FMCAD 2006 3 Verification Challenges  No public domain benchmarks  More complicated with more Corner cases State space

4 FMCAD 2006 4 Outline  Two hierarchical protocols Inclusive Non-inclusive  A compositional approach Abstraction Counter-example guided refinement Soundness

5 FMCAD 2006 5 A Multicore Coherence Protocol RAC L2 Cache+Local Dir L1 Cache L1 Cache Global Dir Main Memory Home ClusterRemote Cluster 1Remote Cluster 2 RAC L2 Cache+Local Dir L1 Cache L1 Cache RAC L2 Cache+Local Dir L1 Cache L1 Cache

6 FMCAD 2006 6 Protocol Features  Both levels use MESI protocols Level-1: FLASH Level-2: DASH  Silent drop on non-Modified cache lines  Network channels are non-FIFO

7 FMCAD 2006 7 Livelock Problem Dir Agent1Agent2 1. Req_E 2. Grant_E 4. Req_S 3. Silent-drop 5. Fwd_Req6. NACK Invld Excl

8 FMCAD 2006 8 Blocking WB + NACK_SD Dir A1A2 Req_E Gnt_E Req_S Modify WB Fwd_S WB_Ack NAck_SD NAck (I) (E) (M) (I)

9 FMCAD 2006 9 Complexity of the Protocol  Multiplicative effect of four protocols running concurrently  Model check failed after 161,876,000 of states

10 FMCAD 2006 10 Outline  Two hierarchical protocols Inclusive Non-inclusive  A compositional approach Abstraction Counter-example guided refinement Soundness

11 FMCAD 2006 11 A Compositional Approach Constraining Original protocol Abstraction … Abstracted protocol

12 FMCAD 2006 12 Non-Circular Assume/Guarantee  We can’t Verify: h ║ r1 ║ r2 ╞ Coh  Instead Check-1: h ║ R1 ║ R2 ╞ Coh1 Λ Constrains1 Check-2: H ║ r1 ║ R2 ╞ Coh2 Λ Constrains2

13 FMCAD 2006 13 Verification Methodology  Abstraction Two abstracted protocols  Fixing real bugs in M  Refinement

14 FMCAD 2006 14 Abstracted Protocol #1 RAC L2 Cache+Local Dir’ Global Dir Main Memory Home Cluster Remote Cluster 1Remote Cluster 2 RAC L2 Cache+Local Dir L1 Cache L1 Cache RAC L2 Cache+Local Dir’

15 FMCAD 2006 15 Abstracted Protocol #2 RAC L2 Cache+Local Dir’ Global Dir Main Memory Home Cluster Remote Cluster 1 Remote Cluster 2 RAC L2 Cache+Local Dir L1 Cache L1 Cache RAC L2 Cache+Local Dir’

16 FMCAD 2006 16 Abstraction  States Projection  Transitions Overapproximation

17 FMCAD 2006 17 Abstraction on States Intra-cluster details Inter-cluster details

18 FMCAD 2006 18 Abstracting Transitions  Rule-based system: guard  action; Relaxing guards Relaxing expr values Remove stmt Procs[p].WbMsg.Cmd = WB_Wb → Procs[p].L2.Data := Procs[p].WbMsg.Data; Procs[p].L2.HeadPtr := L2; … true → Procs[p].L2.Data := d; …

19 FMCAD 2006 19 Detecting Bugs in M  When a real error is found in M i Fix bug in M Regenerate M i ’s Iterate the process

20 FMCAD 2006 20 Refinement  When a bogus error found in M i Analyze and find out problematic rule g → a Locate original rule in M G → A Add a new lemma in one abstracted protocol G => P Strengthen rule into g Λ P → a

21 FMCAD 2006 21 1 M1M1 1. False alarm found Remote cluster-1 can modify its L2 line arbitrarily Details of Refinement (I) true → …

22 FMCAD 2006 22 2. Locate the original rule in M before abstraction Guard: when the local dir receives a WB from an L1 cache Details of Refinement (II) 1 M1M1 Procs[p].WbMsg.Cmd = WB → …

23 FMCAD 2006 23 3. Strengthen problematic rule in 1. Only when local dir is exclusive, could L2 modify its line Details of Refinement (III) 1 M1M1 3 true & Procs[p].L2.State = Excl → …

24 FMCAD 2006 24 4. Why strengthening is sound? Details of Refinement (IV) 1 M1M1 3

25 FMCAD 2006 25 4. We can add a new lemma in M 2 Details of Refinement (V) M1M1 1 3 M2M2 4 Procs[p].WbMsg.Cmd = WB => Procs[p].L2.State = Excl

26 FMCAD 2006 26 One Detail Excl: 1 Home Cluster Remote Cluster 1Remote Cluster 2 Excl Invld 1 23 45 1 Req_E2 Req_E3 Fwd_ReqE 4 Fwd_ReqE5 Gnt_E

27 FMCAD 2006 27 Original Transitions (I) GUniMsg[src].Cmd = RDX_RAC & GUniMsg[src].Cluster = r & Procs[r].L2.Gblock_WB = false & Procs[r].L2.State = Excl & Procs[r].L2.HeadPtr != L2  … undefine GUniMsg[src]; GUniMsg[src].Cmd := GUNI_None;

28 FMCAD 2006 28 Original Transitions (II) Procs[r].ShWbMsg.Cmd = SHWB_FAck & src_node = L2  … true & A BSProcs[r].L2.State = Excl & ABSProcs[r].RAC.State = Inval & ABSProcs[r].L2.Gblock_WB = false & GUniMsg[src].Cmd = RDX_RAC & GUniMsg[src].Cluster = p  …

29 FMCAD 2006 29 Adding A Variable Excl: 1 Home Cluster Remote Cluster 1Remote Cluster 2 Excl Invld 1 23 45 ifKeepMsg: boolean

30 FMCAD 2006 30 Soundness of the Approach  Goal If M 1 and M 2 can be model checked correct w.r.t. the coherence property Ф in M, M must also be correct w.r.t Ф

31 FMCAD 2006 31 Soundness Proof  Temporal Induction Initial states  Each var has the same value in M, M 1 and M 2  Each newly added lemma is checked in M 1 and M 2  Each property is checked Suppose soundness in state s

32 FMCAD 2006 32 Soundness Proof (II) h1, h2, r11, r12, r21, r22 h1, h2, r12, r22 h1, r11, r12, r22 h1’, h2’, r11’, r12’, r21’, r22’ g  a g 1 & p 1  a 1 h1’, h2’, r12’, r22’ g 2 & p 2  a 2 h2’, r11’, r12’, r22’ M M1M1 M2M2

33 FMCAD 2006 33 Experiment Results  A real bug found  10 iterations of refinements The size of each error trace is < 12 One person-day of work

34 FMCAD 2006 34 ProtocolNumber of states M> 161,876,000 M1M1 31,919,219 M2M2 78,689,678 Reduction  64-bit Murphi  IA-64 with 20GB of memory

35 FMCAD 2006 35 Outline  Two hierarchical protocols Inclusive Non-inclusive A compositional approach Abstraction Counter-example guided refinement Soundness

36 FMCAD 2006 36 Caching Hierarchy  Inclusive  Exclusive  Non-inclusive

37 FMCAD 2006 37 A Non-Inclusive Hierarchical Protocol RAC L2 Cache+Local Dir L1 Cache L1 Cache Global Dir Main Memory Home ClusterRemote Cluster 1Remote Cluster 2 RAC L2 Cache+Local Dir L1 Cache L1 Cache RAC L2 Cache+Local Dir L1 Cache L1 Cache

38 FMCAD 2006 38 Protocol Differences  Broadcasting channels RAC L2 Cache+Local Dir L1 Cache L1 Cache SnoopMsg[]

39 FMCAD 2006 39 Imprecise Local Directory LDir L1-1 GDir Req_S (S) S: L1-1 L1-2 (I) Swap Broadcast NAck Fwd_Req Gnt_S S: L1-2 Imprecision!

40 FMCAD 2006 40 Verification Difficulty  Coherence properties Can involve multiple L1 caches  Refinement Noninterference lemmas cannot infer L2 cache line states, from local behaviors

41 FMCAD 2006 41 An Example Excl Invld Excl Invld WB L2: (Excl, data1)  (Excl, data2) L2: (Invld, *)  (Excl, data2)

42 FMCAD 2006 42 Two Approaches of Refinement  Inferring “exclusive” from Outside the cluster Inside the cluster

43 FMCAD 2006 43 Infer exclusive From Outside Invld Excl Invld WB L2: (Invld, *)  (Excl, data2) IsExcl(p) Ξ Dir.State = Excl & GUniMsg[p].Cmd != (ACK || IACK || ImACK) & GUniMsg[h].Cmd != (ACK || IACK || ImACK) & GWbMsg.Cmd = GWB_None & ( (GShWbMsg.Cmd = GSHWB_None & Dir.Headptr = p) || (GShWbMsg.Cmd = DXFER & GShWbMsg.Cluster = p)) Cluster p

44 FMCAD 2006 44 Refinement Example Invld Excl Invld WB L2: (Invld, *)  (Excl, data2) Cluster p p.WbMsg.Cmd = WB => IsExcl(p) (Invld & IsExcl(p), *)  (Excl, data2)

45 FMCAD 2006 45 Infer exclusive From Inside M1M1 M2M2

46 FMCAD 2006 46 Definition of IE IE(p): exists i: L1_caches (p.L1(i).state = Excl or p.SnoopMsg(i).Cmd = (Put or PutX) or p.UniMsg(i).Cmd = PutX) or p.WbMsg.Cmd = WB or p.ShWbMsg.Cmd = ShWb or p.ShWbMsg.Cmd = FAck

47 FMCAD 2006 47 Refinement Invld Excl Invld WB L2: (Invld, *)  (Excl, data2) Cluster p Procs[p].WbMsg.Cmd = WB & Procs[p].L2.Stae = Invld => IE(p) (Invld & IE(p), *)  (Excl, data2)

48 FMCAD 2006 48 Soundness  Still holds by adding the extra bits “IE”

49 FMCAD 2006 49 Experiment Results  17 iterations of refinements  Size of each error trace is < 8 ProtocolNumber of states M> 1,521,900,000 M1M1 234,478,105 M2M2 283,124,383

50 FMCAD 2006 50 Outline Two hierarchical protocols Inclusive Non-inclusive A compositional approach Abstraction Counter-example guided refinement Soundness

51 FMCAD 2006 51 Conclusion  Developed 2-level hierarchical protocols  Proposed a compositional approach Abstraction Bug fixing Refinement  Proved the soundness

52 FMCAD 2006 52 Related Work  FMCAD’04 Chou et. al., A simple method for parameterized verification of cache coherence protocols  CHARME’99 McMillan, Verification of infinite state systems by compositional model checking

53 FMCAD 2006 53 For Details http://www.cs.utah.edu/formal_verification/

54 FMCAD 2006 54 A Multicore Coherence Protocol RAC L2 Cache+Local Dir L1 Cache L1 Cache Global Dir Main Memory Home ClusterRemote Cluster 1Remote Cluster 2 RAC L2 Cache+Local Dir L1 Cache L1 Cache RAC L2 Cache+Local Dir L1 Cache L1 Cache

55 FMCAD 2006 55 About the Bug IACK

56 FMCAD 2006 56 Another Decomposing Approach  Split protocols hierarchically Intra-cluster protocol Inter-cluster protocol

57 FMCAD 2006 57 Intra-cluster Protocol RAC L2 Cache+Local Dir L1 Cache L1 Cache Cluster Environment

58 FMCAD 2006 58 Inter-cluster Protocol RAC L2 Cache+Local Dir’ Global Dir Main Memory Home ClusterRemote Cluster 1Remote Cluster 2 RAC L2 Cache+Local Dir’ RAC L2 Cache+Local Dir’

59 FMCAD 2006 59 Verification Difficulty Environment RAC L2 Cache+Local Dir L1 Cache L1 Cache Global Dir Main Memory Home ClusterRemote Cluster 1Remote Cluster 2 RAC L2 Cache+Local Dir L1 Cache L1 Cache RAC L2 Cache+Local Dir L1 Cache L1 Cache

60 FMCAD 2006 60 An Example Scenario Excl: 1 Home Cluster Remote Cluster 1Remote Cluster 2 Excl Invld 1 23 6 4 5 7 NACK 1 Req_E2 Req_E3 Fwd_ReqE 4 Swap5 Req_E6 Fwd_ReqE 7

Download ppt "1 A Compositional Approach to Verifying Hierarchical Cache Coherence Protocols Xiaofang Chen 1 Yu Yang 1 Ganesh Gopalakrishnan 1 Ching-Tsun Chou 2 1 University."

Similar presentations

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Implementation and Verification of a Cache Coherence protocol using Spin Steven Farago.

Implementation and Verification of a Cache Coherence protocol using Spin Steven Farago.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
1 Lecture 6: Directory Protocols Topics: directory-based cache coherence implementations (wrap-up of SGI Origin and Sequent NUMA case study)

1 Lecture 6: Directory Protocols Topics: directory-based cache coherence implementations (wrap-up of SGI Origin and Sequent NUMA case study)
Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.

Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.
Department of Computer Sciences Revisiting the Complexity of Hardware Cache Coherence and Some Implications Rakesh Komuravelli Sarita Adve, Ching-Tsun.

Department of Computer Sciences Revisiting the Complexity of Hardware Cache Coherence and Some Implications Rakesh Komuravelli Sarita Adve, Ching-Tsun.
Model-based reasoning meets code verification Michael Butler 21 May 2014 WG 2.3 Meeting 55, Orlando.

Model-based reasoning meets code verification Michael Butler 21 May 2014 WG 2.3 Meeting 55, Orlando.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by SRC Contract.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by SRC Contract.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.
Compositional reasoning for Parameterized Verification Murali Talupur Joint work with Sava Krstic, John O’leary, Mark Tuttle.

Compositional reasoning for Parameterized Verification Murali Talupur Joint work with Sava Krstic, John O’leary, Mark Tuttle.
Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.

Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
The Stanford Directory Architecture for Shared Memory (DASH)* Presented by: Michael Bauer ECE 259/CPS 221 Spring Semester 2008 Dr. Lebeck * Based on “The.

The Stanford Directory Architecture for Shared Memory (DASH)* Presented by: Michael Bauer ECE 259/CPS 221 Spring Semester 2008 Dr. Lebeck * Based on “The.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
Slide 0 FMCAD 2004 How To Specify and Verify Cache Coherence Protocols: An Elementary Tutorial Ching-Tsun Chou Microprocessor Technology Lab Corporate.

Slide 0 FMCAD 2004 How To Specify and Verify Cache Coherence Protocols: An Elementary Tutorial Ching-Tsun Chou Microprocessor Technology Lab Corporate.
1 Scaling Formal Methods toward Hierarchical Protocols in Shared Memory Processors: Annual Review Presentation – April 2007 Presenters: Ganesh Gopalakrishnan.

1 Scaling Formal Methods toward Hierarchical Protocols in Shared Memory Processors: Annual Review Presentation – April 2007 Presenters: Ganesh Gopalakrishnan.

Similar presentations

Ads by Google