formal design and verification methods for shared memory systems
DESCRIPTION
Formal Design and Verification Methods for Shared Memory Systems. Ratan Nalumasu Dissertation Defense September 10, 1998. Problems Facing Digital Design. Complexity Longer design time Shorter time to market. Current Debugging Technology. Full model Partial examination No assurance - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/1.jpg)
Formal Design and Verification Methods for Shared Memory
Systems
Ratan Nalumasu
Dissertation Defense
September 10, 1998
![Page 2: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/2.jpg)
9/10/1998 Design Complexity 2
Problems Facing Digital Design
• Complexity
• Longer design time
• Shorter time to market
![Page 3: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/3.jpg)
9/10/1998 Design Complexity 3
Current Debugging Technology
+ Full model– Partial examination No assurance– Weaker properties– Difficult correctness metrics– Full model
![Page 4: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/4.jpg)
9/10/1998 Introduction to FM 4
Formal Methods
• Formal methods = Math based techniques
• Continuous math : Engineering =
Discrete math : Digital system design
“It is what the designers want. It’s just challenging to prove.”
![Page 5: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/5.jpg)
9/10/1998 Introduction to FM 5
Formal Methods based Design
– Reduced model+ Complete examination+ Better assurances (on the reduced model)+ Stronger property language+ Better correctness metrics+ Reduced model
![Page 6: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/6.jpg)
9/10/1998 Introduction to FM 6
FM Taxonomy
• Manual verification techniques: Interactive theorem provers
• Automatic verification techniques: Model checkers
• Compilation techniques:
Refinement rules
![Page 7: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/7.jpg)
9/10/1998 Theorem Provers 7
Interactive Theorem Provers
+ Can deal with infinite state systems
– Extensive manual reasoning
Proof of a compilation scheme
+ Good for algorithm verification
![Page 8: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/8.jpg)
9/10/1998 Model Checking 8
Model Checking
process p(x) { global G; local L;
while (...) { recv ...; send ...; }}process q(x,y) ...
2
0
1
3
(G=0, p.L=0, ...)
![Page 9: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/9.jpg)
9/10/1998 Model Checking 9
Model Checking Strengths
• Automatic
• If property fails, model checker shows the error trace– Deadlock: How initial state reached it– Assertion: How initial state reached it– Starvation: A loop where no progress is
made
![Page 10: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/10.jpg)
9/10/1998 Model Checking 10
Model Checking: Example
• Construct graph of the system, and check the property: Deadlock at (22)
0
1
2
0
1
2
00
10
20
21
22
01
11 02
12
• State ExplosionPartial Order Reductions
![Page 11: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/11.jpg)
9/10/1998 Refinement Algorithms 11
Refinement Algorithms
• Need to verify only high-level protocols
• Domain-specific compilers can generate efficient implementations
Refinement rules for DSM protocols
![Page 12: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/12.jpg)
9/10/1998 Applied FM 12
State of the art of Applied FM
+ General purpose
+ Widely applicable techniques
– Inefficient algorithms
– Inefficient “compilers”
– Do not help with domain specific concerns
![Page 13: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/13.jpg)
9/10/1998 13
Thesis Statement
Domain specific formal methods• Efficient verification techniques• Address domain specific concerns
Domain:
Memory
CPUCPU
Memory
![Page 14: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/14.jpg)
9/10/1998 14
Overview
• Introduction to formal verification Shared memory systems
• Contributions
• Conclusions
![Page 15: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/15.jpg)
9/10/1998 Memory Bottleneck 15
Memory Bottleneck
• Processor speed increases at 55% a year, while memory speed increases at 7%– Caches
• Tendency toward multiprocessors– Further imbalance complex protocols– SMP systems– DSM systems
![Page 16: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/16.jpg)
9/10/1998 SMP Architecture 16
Symmetric Multiprocessors
Can scale upto 10s of processorsModern caches have support for such SMP
protocols
CPU$
Memory
CPU$
CPU$
![Page 17: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/17.jpg)
9/10/1998 SMP Protocols 17
SMP Protocol Design
• Bus protocols– Bus arbitration algorithm– Cache invalidation scheme– Lack of atomicity on the bus
• Bus and CPU interaction– Does CPU have out-of-order execution?– Does bus allow out-of-order completion?
• Are these decisions visible to software?
![Page 18: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/18.jpg)
9/10/1998 DSM Architecture 18
Distributed Shared Memory
NODE NODE NODE
MEM MEM MEM
Network
Each node may be a SMP or a single CPU
![Page 19: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/19.jpg)
9/10/1998 DSM Protocols 19
DSM Protocol Design
• Network port arbitration
• Coherency maintenance across the network– Maintaining distributed state– Little atomicity– “Ghost” messages– Transient states
• Are these decisions visible to software?
![Page 20: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/20.jpg)
9/10/1998 Shared Memory Systems 20
Shared Memory Correctness
• Low level:– deadlock– forward progress– bus arbitration
• Intermediate level:– at most one owner of a cache line at a
time
• High-level:– abstraction provided to the software
![Page 21: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/21.jpg)
9/10/1998 Software Interface 21
Abstraction Provided to Software
Multiprocessor:P1write(a,new)read(b)
P2write(b,new)read(a)
P1read(b)write(a,new)
P2read(a)write(b, new)
Not okunderS.C.
Uniprocessor: P1write(a,new)read(b)
P1read(b)write(a,new)
okcache/compiler/out-of-order execution
Test model checking
![Page 22: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/22.jpg)
9/10/1998 22
Overview• Introduction to formal verification• Shared Memory systems Contributions
– mitigating state explosion • Partial order reduction algorithm
– facilitating high-level design• Protocol synthesis algorithm
– enhancing applicability• High-level correctness such as SC
• Conclusions
![Page 23: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/23.jpg)
9/10/1998 Contributions 23
Contributions
Protocol
PO algorithm1
TestModel checking
2
2
Refinement rules3
Efficient implementation3
![Page 24: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/24.jpg)
Contribution #1
Mitigating State Explosion Problem
Partial Order Reductions
![Page 25: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/25.jpg)
9/10/1998 PO Reductions 25
Partial Order Reductions
00
10
20
21
22
0
1
2
0
1
2
00
10
20
21
22
01
11 02
12
If two transitions are independent, thenexplore one of them postponing the other
![Page 26: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/26.jpg)
9/10/1998 PO Reductions 26
Ignoring Problem
Select some transitions, and postpone others but do not postpone forever
S0
S1
Postponed
Postponed
![Page 27: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/27.jpg)
9/10/1998 PO Reductions 27
Proviso based Solution
Godefroid, Valmari, Holzmann, Peled’s solutions are very similar: Proviso– Expands the “last” state of the loop
completely
S0
S1
Postponed
Expand
![Page 28: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/28.jpg)
9/10/1998 PO Reductions 28
Problem with Proviso
12
11 01 21
00
Q postponed
10
202202
ALL 9 states
0
1 2P
0
1 2Q
![Page 29: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/29.jpg)
9/10/1998 PO Reductions 29
Our Algorithm: 2-phase
00
0110 20 02
0
1 2P
0
1 2Q
Only 5 states
![Page 30: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/30.jpg)
9/10/1998 PO Reductions 30
States TimeMig (Spin) 113,628 13.6
Mig (2 PV) 9,185 1.7
Inv (Spin) > 620,446 DNF
Inv (2 PV) 135,404 21.2
Performance Comparison
05,000
10,00015,00020,000
SC2 SC3 SC4 Pftp Snpy
SPIN
PV
(20x)
![Page 31: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/31.jpg)
Contribution #2
Facilitating High-level Design
Protocol Refinement
![Page 32: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/32.jpg)
9/10/1998 Refinement Algorithms 32
Protocol Refinement
• PO reductions not sufficient, theorem provers ruled out
• Compile from high-level protocol specification– easier to design– easier to verify– can generate efficient implementation
using domain knowledge
![Page 33: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/33.jpg)
9/10/1998 Refinement Algorithms 33
Unexpected Messages
PP
recv ack
from Q
Send a
req to Q
Some request ???Always nack no forward progressAlways Silence Deadlock
![Page 34: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/34.jpg)
9/10/1998 Refinement Algorithms 34
Refinement Procedures
• Debug the high-level specification: Synchronous communication with no transient states
• Automatic refinement procedures transforms it into detailed implementation– No need to verify the implementation– Needs domain specific knowledge for
efficiency
![Page 35: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/35.jpg)
9/10/1998 Refinement Algorithms 35
Related Work
• Buckley & Silberschatz, 83– For OS environments, not fit for
hardware
• Gribomont,90– Protocols where synchronous
messages can be simply replaced by asynchronous messages
![Page 36: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/36.jpg)
9/10/1998 Refinement Algorithms 36
Related Work (contd)
• Teapot, 96 for DSM systems (Chandra)– Protocol programming language– “Suspend” construct for transient states– Not high-level: Suspend states still
specify what to do in a transient state
![Page 37: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/37.jpg)
9/10/1998 Refinement Algorithms 37
Context: DSM Protocols
Network
Protocol per each cache line1 home, n “remote” nodes per each lineHome is responsible for maintaining
consistency (Hub)
NODE
MEM
NODE
MEM
NODE
MEM
![Page 38: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/38.jpg)
9/10/1998 Refinement Algorithms 38
Refinement Rules
Req
Ack orNack
Home Remote
Req
Ack orNack
Home Remote
![Page 39: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/39.jpg)
9/10/1998 Refinement Algorithms 39
Refinement Rules (2)
Req1 isignored bybothprocesses
Home Remote
Req1 Req2
Ack orNack
![Page 40: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/40.jpg)
9/10/1998 Refinement Algorithms 40
Debugging EffortProtocol N Low-level High-level
specMig 2 54 23,164/2.8
4 235/0.4
8 965/0.5
Inv 2 546/0.6 193389/20.6
4 18686/18.4
Protocol compilation scheme has beenproved using a theorem prover
![Page 41: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/41.jpg)
Contribution #3
Enhancing Applicability
Shared Memory Model Verification
![Page 42: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/42.jpg)
9/10/1998 Test Model Checking 42
Relaxing Instruction Orders
P1write(a,new)read(b)
P2write(b,new)read(a)
P1read(b)write(a,new)
P2read(a)write(b,new)
UnderSC
![Page 43: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/43.jpg)
9/10/1998 Test Model Checking 43
Verification of HW/SW Interface
SC:SC:The result can be explained bysome interleaving of the instructions.
Test modelchecking
CPU $
Memory
CPU $
CPU $
![Page 44: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/44.jpg)
9/10/1998 Test Model Checking 44
Current Verification Techniques
• Simulation– Must study lengthy executions– Must choose non-trivial programs
• Formal techniques (next slide)
![Page 45: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/45.jpg)
9/10/1998 Test Model Checking 45
Related Work
• Graf’s Lazy caching in ACTL*
• Gibbons approach run programs and check if the results are SC
• McMillan’s thesis data abstraction for a test
• Hojati data abstraction in a different context
• Undecidability result by Alur et al
![Page 46: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/46.jpg)
9/10/1998 Test Model Checking 46
ACTL* for (stronger than) SC
• AG(enabled( read(a,d) )) avail(a,d)• AG(avail(a,d) AND EF(enable(read(a,d))))
A[NOT avail(a,d) W AG NOT avail(a,d)]• ...• init AG[after(write(a,d))
A(NOT enabled(read(a,d) W avail(a,d))]
Such MODEL DEPENDENT SPECS do not fit in an iterative industrial frame
![Page 47: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/47.jpg)
9/10/1998 Test Model Checking 47
Test Model Checking
• Adaptation of simulation to model checking– model checking (full coverage) + testing (“black box approach’’)
• Tests are independent of the model being verified manual effort is considerably reduced – Test model-checking can be used early
in the design cycle
![Page 48: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/48.jpg)
9/10/1998 Test Model Checking 48
Results
• Defined a shared memory description language– “data is not used for control decisions”– “addresses are symmetric”– Can specify HP’s Runway/PA, ...
• Model checking technique– “Small number of addresses is
sufficient”
• Application to runway/PA using PV
![Page 49: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/49.jpg)
9/10/1998 Test Model Checking 49
If P1 executes two write instructions, then P2 sees them in the program order of P1
P1A := 1A := 2A := 3
....A := k
P2X1 := AX2 := AX3 := A
....Xk := A
Many deficiencies
Read Order, Write Order
X(i+1) X(i)
![Page 50: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/50.jpg)
9/10/1998 Test Model Checking 50
Deficiencies of the Test
• Finite k– What if an error occurs for a really large
k?
• Location “A” is never written by P2– What if an error occurs when the
ownership changes?
• Only 1-address– The definitions of RO and WO are not
restricted to a single address at a time– How many addresses to consider?
![Page 51: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/51.jpg)
9/10/1998 Test Model Checking 51
Data abstraction + non-determinism
Unbounded k
rd(1)
rd(0)
rd(0)
rd(1)
wr(0)
wr(1)
wr(1)
Non-deterministicchange
![Page 52: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/52.jpg)
9/10/1998 Test Model Checking 52
Ownership Changes
rd(1)
rd(0)
rd(0)
rd(1)
wr(0)
wr(1)
wr(1)or rd(-)
or rd(-)
or wr(2)
or wr(2)
Complete 1-address test
![Page 53: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/53.jpg)
9/10/1998 Test Model Checking 53
2-address (RO, WO) test
wr(1)
rd(0)
rd(-) OR wr(0) rd(-) OR wr(2)
rd(-) OR wr(1)
rd(1)
rd(A,-) OR rd(B,-) ORwr(A,0) OR wr(B,0)
rd(A,-) OR wr(A,1) ORrd(B,-) OR wr(B,1)
rd(A,-) OR or rd(B-) ORwr(A,2) OR wr(B,2)
rd(B,1)wr(A,1)
rd(A,0)
![Page 54: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/54.jpg)
9/10/1998 Test Model Checking 54
2-address (RO, WO) test
rd(A,-) OR rd(B,-) ORwr(A,0) OR wr(B,0)
rd(A,-) OR wr(A,1) ORrd(B,-) OR wr(B,1)
rd(A,-) OR or rd(B-) ORwr(A,2) OR wr(B,2)
rd(B,1)wr(A,1)
rd(A,0)
![Page 55: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/55.jpg)
9/10/1998 Test Model Checking 55
Complete Test for (RO, WO)
• Theorem: A system implements (RO, WO) if and only if it has no errors on all 1- and 2-address programs
• Complete 1-address and 2-address tests
![Page 56: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/56.jpg)
9/10/1998 Test Model Checking 56
Program Order
• PO generalizes RO and WO to include orderings between a read followed by write, and write followed by read
rd(A)
rd(B)
wr(A)
rd(B)
RO
RW
WR
PO
![Page 57: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/57.jpg)
9/10/1998 Test Model Checking 57
• All processors agree on the order of writes– WO imposes the order only if the writes are
from same program
Write Atomicity
wr(A,0)
wr(B,1)
SC is (PO, WA)
![Page 58: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/58.jpg)
9/10/1998 Test Model Checking 58
1-address SC test
ORDER:ORDER:1, 4OR4, 1
P0P0
A := 0rd(A)
A := 1
A := 2rd(A)
P1P1
A := 3rd(A)
A := 4
A := 5rd(A)
Barrier
![Page 59: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/59.jpg)
9/10/1998 Test Model Checking 59
Complete Tests for SC
• Theorem: A system with N processors implements SC if and only if it has no errors on programs n<N address programs
• Scheme for N processors– N barriers– Data written before, at, and after barrier
are different• data 0, 1, 2 for P0, and data 3, 4, 5 for
P1
![Page 60: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/60.jpg)
9/10/1998 Test Model Checking 60
Case Studies
• Serial memory (operational semantics of SC)
• Lazy caching• Runway/PA system model
– Bus based design
– An aggressive split transaction protocol
– Out-of-order completion of transactions on Runway for high-performance
– In-order completion of instructions in PA for sequential consistency
![Page 61: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/61.jpg)
9/10/1998 Test Model Checking 61
Test Model checking of HP/RunwaySpin PV
PO-1 56K 2412
PO-2 > 5M/DNF 285K
SC-1 499K 7880
SC-2a > 5M/DNF 5.9M
SC-2b > 4M/DNF 574K
![Page 62: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/62.jpg)
9/10/1998 62
Conclusion
Showed that specializing formal methods for a particular domain (shared memory) leads to efficient verification techniques for the domain, and increases the applicability of the formal methods– Two phase algorithm– Refinement procedure– Memory model verification
![Page 63: Formal Design and Verification Methods for Shared Memory Systems](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681437c550346895daffb83/html5/thumbnails/63.jpg)
9/10/1998 63
Future Work
• Model checking algorithms– better partial order algorithms– tune for test model checking
• Protocol synthesis– More optimizations
• Test model checking– Weaker memory models, other objects– Application to other fields