
Post on 22-Dec-2015


1

PCI transaction ordering verification using trace inclusion refinement

Mike Jones

UV Meeting

October 4, 1999

2

Outline

• How PCI works
• What we are trying to verify
• Why the verification is so hard
• How we did the verification
• Discussion

3

How PCI works

(Figure: an agent and a bridge on the bus; the bridge queue holds entries p (posted), d (delayed) and dc (delayed completion).)

4

Posted transactions

• Posted transaction, P, from A to B.
• A puts P on “the rest of the network” and forgets about it.
• B receives P and that’s it.

(Figure: A sends p into “the rest of the network” toward B.)

5

Posted transactions

• Pretend there are 2 bridges between A and B
• With the other transactions shown.
• Here’s how P gets from A to B...

(Figure: A and B with two bridges between them; queue entries p, c, d, p’.)

6

Posted transactions

• P goes to bridge 1.
• P is now complete at A.
• P can pass delayed transaction d

(Figure: A and B with two bridges between them; queue entries p, c, d, p’.)

7

Posted transactions

• Next, P completes to bridge 2.

(Figure: A and B with two bridges between them; queue entries p, c, d, p’.)

8

Posted transactions

• P is now complete at bridge 1.
• P can pass the completion trans. C.
• P can not pass the other posted trans.

(Figure: A and B with two bridges between them; queue entries p, c, d, p’.)

9

Posted transactions

• P waits until P’ completes on bridge 2

(Figure: A and B with two bridges between them; queue entries p, c, d, p’.)

10

Posted transactions

• Pretend that P’ went to another bridge (not shown).

• P can now complete to destination B.

(Figure: A and B with two bridges between them; queue entries p, c, d.)

11

Posted transactions

• No acknowledgement is sent to A.
• P is now complete at B.

(Figure: A and B with two bridges between them; queue entries p, c, d.)

12

Delayed transactions

• Delayed trans., d, from A to B.
• A puts d on “the rest of the network” and waits for a completion.
• B receives d and sends a completion, c.

(Figure: A sends d into “the rest of the network” toward B and waits for its completion.)

13

Delayed transactions

• 2 bridges between A and B
• Other transactions as shown.
• d tries to latch to bridge 1.
• d is now committed (called d’).

(Figure: A and B with two bridges between them; queue entries d’, c, d, p’.)

14

Delayed transactions

• Eventually, d’ latches to bridge 1.
• bridge 1 has an uncommitted copy of d
• d can pass the other d entry already in bridge 1.

(Figure: A and B with two bridges between them; queue entries d’, c, d, p’, d.)

15

Delayed transactions

• d can attempt to latch to bridge 2.
• d will then be committed at bridge 1.

(Figure: A and B with two bridges between them; queue entries d’, c, d, p’, d.)

16

Delayed transactions

• Eventually, d’ latches to bridge 2.

(Figure: A and B with two bridges between them; queue entries d’, c, d, p’, d’.)

17

Delayed transactions

• d can pass completion entry c.

(Figure: A and B with two bridges between them; queue entries d’, c, d, p’, d’, d.)

18

Delayed transactions

• But, uncommitted d entries can be dropped at any time...

(Figure: A and B with two bridges between them; queue entries d’, c, d, p’, d’, d.)

19

Delayed transactions

• bridge 1 has to resend d’ to bridge 2

• d’ can not be deleted

(Figure: A and B with two bridges between them; queue entries d’, c, d, p’, d’.)

20

Delayed transactions

• d can be dropped again...
• pretend it passes C again.
• d can not pass posted transactions.
• d waits till p’ completes.

(Figure: A and B with two bridges between them; queue entries d’, c, d, p’, d’, d.)

21

Delayed transactions

• d commits then latches to agent B.
• B creates a completion entry C.

(Figure: A and B with two bridges between them; queue entries d’, c, d, d’, d.)

22

Delayed transactions

• d’ in bridge 2 can complete with the completion in B.
• d’ will be deleted from bridge 2.
• c will move into bridge 2.

(Figure: A and B with two bridges between them; queue entries d’, c, d, d’, d’, d’, c.)

23

Delayed transactions

• d is now complete at bridge 2.
• d’ in bridge 1 can complete with c in bridge 2.
• c can be deleted too...

(Figure: A and B with two bridges between them; queue entries d’, c, d, d’, d’, c.)

24

Delayed transactions

• d is now complete at bridge 1.
• finally, d’ in agent A completes with c in bridge 1.

(Figure: A and B with two bridges between them; queue entries d’, c, d, d’, c.)

25

Delayed transactions

• d is now complete at A.
• no more actions!

(Figure: A and B with two bridges between them; queue entries c, d, d’, c.)

26

Reordering and deletion

• P can pass anything except P.
• D and C can pass either D or C.
• uncommitted D can be dropped.
• oldest C in a queue can be dropped.
• P and committed D never dropped.
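As an added example (not code from the talk’s PVS or SML models), a small Python model of one bridge queue under the five rules above; position 0 is the head of the queue, and walk_to_head replays the slide 8 and slide 20 situations where a P stops behind an older P and a D stops behind any P.

```python
# Added example, not code from the talk: one PCI bridge queue under the
# reordering and deletion rules on the slide above. Position 0 is the
# head of the queue (the entry that would be forwarded next).
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    kind: str               # "P" posted, "D" delayed request, "C" completion
    name: str
    committed: bool = True  # only meaningful for D entries

# Which kinds an entry of a given kind may pass: P passes anything
# except P; D and C pass D or C. Nothing may pass a posted transaction.
PASSES = {"P": {"D", "C"}, "D": {"D", "C"}, "C": {"D", "C"}}

def can_pass(mover: Entry, blocker: Entry) -> bool:
    """May `mover` be reordered ahead of `blocker` in the same queue?"""
    return blocker.kind in PASSES[mover.kind]

def can_drop(queue, i: int) -> bool:
    """May queue[i] be deleted? Uncommitted D: yes. C: only the oldest C
    in the queue. P and committed D: never."""
    e = queue[i]
    if e.kind == "D":
        return not e.committed
    if e.kind == "C":
        return all(q.kind != "C" for q in queue[:i])
    return False

def pass_ahead(queue, i: int):
    """Move queue[i] one place toward the head if the rules allow it;
    otherwise return the queue unchanged."""
    if i == 0 or not can_pass(queue[i], queue[i - 1]):
        return list(queue)
    q = list(queue)
    q[i - 1], q[i] = q[i], q[i - 1]
    return q

def drop(queue, i: int):
    """Delete queue[i] if the rules allow it; otherwise unchanged."""
    return queue[:i] + queue[i + 1:] if can_drop(queue, i) else list(queue)

def walk_to_head(queue, i: int):
    """Let queue[i] pass entries ahead of it until something blocks it.
    Returns (final position, resulting queue): a P stops behind an
    older P (slide 8), a D stops behind any P (slide 20)."""
    q = list(queue)
    while i > 0 and can_pass(q[i], q[i - 1]):
        q = pass_ahead(q, i)
        i -= 1
    return i, q
```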

27

Producer/Consumer property

• if a producer agent writes a data item
• and the producer sets a flag
• and if the consumer reads the flag
• then the consumer will read the new data item.

28

Producer/Consumer property

• More formally...

p, c: agent masters; d, f: agent targets; dw, fw: write transactions; dr, fr: delayed read transactions.

$\{(\text{p issues dw before fw}) \land (\text{c issues fr before dr}) \land (\text{dw completes at p before fw}) \land (\text{fr completes at c before dr}) \land (\text{fw completes at f before fr})\} \Rightarrow (\text{dw completes at d before dr})$

29

Verifying P/C

• Theorem proving effort
– PVS theory of PCI using NASA library
– several person months of effort
– too hard.

• Model checking effort
– long-ish Promela model
– does not generalize to arbitrary cases
– does finish though

30

Theorem proving difficulties

• unconstrained environment
• big induction principle
• several months of effort

• ... some properties were proven

31

TP contribution

• any configuration of p,c,d,f is in one of the following infinite classes:

(Figure: the three path configurations of the agents p, c, d, f.)

32

Model checking difficulties

• check sample networks from each class.
• included only P/C transactions
• model checker works in finite domain
• couldn’t convincingly generalize the results.

33

Missing generalizations

• arbitrary unrelated agents, paths and transactions

• arbitrary path lengths

(Figure: the p, c, d, f configuration extended with arbitrarily many unrelated agents, paths and path lengths; marked ???)

34

Verification solution

• Use some TP properties to create an abstract model of PCI called PCIA

• abstract away:
– arbitrary unrelated agents, paths
– arbitrary unrelated transactions
– arbitrarily long paths

35

Verification solution

• show that PCI refines PCIA, i.e. every PCI execution trace has an abstract counterpart:

$\forall s : \text{PCI execution trace}.\ \{(s = [(i_1,e_1),(i_2,e_2),\ldots]) \Rightarrow \exists s' : \text{abstract PCI execution trace}.\ (s' = [e_1,e_2,\ldots])\}$ where $e_1$ = abstraction of $i_1$

36

Verification solution

• show that all executions of PCIA satisfy P/C
• Therefore, no executions of PCI violate P/C

• pencil & paper refinement proof
• model checked P/C in PCIA
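An added example (not the talk’s PVS or SML code) serving both the formal P/C property of slide 28 and the trace abstraction of slide 35: a concrete trace is a list of (internal, external) steps, abstract keeps only the external events, and producer_consumer_ok evaluates the five premises and the conclusion over a trace. It assumes constructed event tuples ("issue" or "complete", agent, transaction) and, following slide 49, that a step changing only internal state carries external event None and vanishes from the abstract trace.

```python
# Added example, not the talk's models: the trace abstraction
# s = [(i1,e1),(i2,e2),...] -> s' = [e1,e2,...] and the producer/consumer
# property checked over the abstract trace. Assumptions: external events
# are constructed tuples ("issue"|"complete", agent, txn); a step with
# external event None changed only internal (bridge queue) state and
# has no abstract counterpart, so it is dropped by the abstraction.

def abstract(trace):
    """Project a concrete trace onto its external events."""
    return [e for _internal, e in trace if e is not None]

def index_of(events, ev):
    return events.index(ev) if ev in events else None

def before(events, a, b):
    """True iff event a occurs (first) before event b in the trace."""
    ia, ib = index_of(events, a), index_of(events, b)
    return ia is not None and ib is not None and ia < ib

def producer_consumer_ok(events, p, c, d, f):
    """Premises and conclusion as on the 'more formally' slide. The trace
    satisfies the property when a premise fails or the conclusion holds."""
    premises = (
        before(events, ("issue", p, "dw"), ("issue", p, "fw")),
        before(events, ("issue", c, "fr"), ("issue", c, "dr")),
        before(events, ("complete", p, "dw"), ("complete", p, "fw")),
        before(events, ("complete", c, "fr"), ("complete", c, "dr")),
        before(events, ("complete", f, "fw"), ("complete", f, "fr")),
    )
    return not all(premises) or before(events, ("complete", d, "dw"),
                                       ("complete", d, "dr"))

# Constructed concrete trace of a correct run; the two internal-only
# steps stand for queue reordering that the abstraction throws away.
GOOD = [("", ("issue", "p", "dw")), ("dw latches to bridge", None),
        ("", ("complete", "p", "dw")), ("", ("issue", "p", "fw")),
        ("", ("complete", "p", "fw")), ("dw passes c in bridge", None),
        ("", ("complete", "d", "dw")), ("", ("complete", "f", "fw")),
        ("", ("issue", "c", "fr")), ("", ("complete", "f", "fr")),
        ("", ("complete", "c", "fr")), ("", ("issue", "c", "dr")),
        ("", ("complete", "d", "dr")), ("", ("complete", "c", "dr"))]

# Same run, but the data write reaches d only after the data read did:
# the ordering the property forbids.
BAD = [s for s in GOOD if s[1] != ("complete", "d", "dw")]
BAD.insert(len(BAD) - 1, ("", ("complete", "d", "dw")))
```

Because the property mentions only external events, it is evaluated on the abstract trace; that is why showing that PCIA satisfies P/C, together with trace inclusion, is enough to conclude it for PCI.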

37

Unrelated paths and agents

(Figure: the p, c, d, f paths shown with the unrelated agents and paths (...) that the abstraction removes.)

38

Unrelated Transactions

(Figure: bridge queues along the p, c, d, f paths holding the P/C transactions (dw, fw, dwc, fwc, ...) interleaved with unrelated transactions.)

39

Unbounded Path Lengths

• Ignore bridge boundaries
• But stacks of committed delayed transactions represent the path length.

(Figure: the same queues with bridge boundaries removed; a stack of committed delayed entries such as dwc ... dwc dw stands in for the path length.)

40

Unbounded path lengths

• Theorem from TP model:
– behind any committed D transaction, there is a continuous stack of D transactions back to the issuing master agent.

41

Unbounded Path Lengths

• Keep only the newest committed entry!
• How to do completions?
– where is the new newest entry after a completion?

(Figure: the queues from the previous slide with the completion position marked ???)

42

Unbounded path lengths

• Which transactions behind dwc were in the same queue as dwc?
• New newest dwc appears behind them.

(Figure: example queue contents such as frc fr dwc fwc dw and frc dwc fr fwc dw, showing where the new newest dwc appears.)

43

Unbounded path lengths

• lost queue boundaries, so don’t know
• consider all interleavings
• going to visit all states anyway...

(Figure: the possible interleavings of frc, fr, dwc, fwc, dw after a completion.)

44

Refinement Proof

(Figure: commuting diagram of the refinement proof; an internal state and its abstract state, PCI transitions to the next internal state, and a PCIA transition to the next abstract state.)

45

P/C in PCIA

• SML model of PCIA
• SML explicit state model checker
• state P/C as a safety property
• check all 3 path configurations in 30 sec.
• less than 2000 states

46

Discussion

• combination of TP and MC
• Novel abstraction
– unbounded branching paths
– unbounded transactions

• Small and finite abstract model
– can even be checked in a toy model checker

47

Abstract model

48

Abstract model

• keep only significant transactions
– all forms of dw, dr, fw, fr
– only the newest committed entry

• keep only significant agents
– p, c, d, f agents

• keep only significant paths
– paths connecting p, c, d, f

• ignore bridge and queue boundaries

49

Transition abstraction

• There is an abstract transition for each concrete transition that changes the external state.
• a set of 10 transition rules.
• see the paper for details.

50

Delayed transactions

• most difficult case
