PCI transaction ordering verification using trace inclusion refinement
Mike Jones, UV Meeting, October 4, 1999. PowerPoint slide transcript.
1
PCI transaction ordering verification using trace inclusion refinement
Mike Jones
UV Meeting
October 4, 1999
2
Outline
• How PCI works
• What we are trying to verify
• Why the verification is so hard
• How we did the verification
• Discussion
3
How PCI works
[Diagram: an agent and a bridge on the bus, with posted (p), delayed (d) and delayed-completion (c) transactions]
4
Posted transactions
• Posted transaction, P, from A to B.
• A puts P on “the rest of the network” and forgets about it.
• B receives P and that’s it.
[Diagram: A sends p to B across “the rest of the network”]
5
Posted transactions
• Pretend there are 2 bridges between A and B
• With the other transactions shown.
• Here’s how P gets from A to B...
[Diagram: A, bridge 1, bridge 2, B; entries p, c, d, p’ in the bridge queues]
6
Posted transactions
• P goes to bridge 1.
• P is now complete at A.
• P can pass delayed transaction d
[Diagram: A, bridge 1, bridge 2, B; p now in bridge 1 with entries c, d, p’]
7
Posted transactions
• Next, P completes to bridge 2.
[Diagram: A, bridge 1, bridge 2, B; entries p, c, d, p’]
8
Posted transactions
• P is now complete at bridge 1.
• P can pass the completion trans. C.
• P cannot pass the other posted trans.
[Diagram: A, bridge 1, bridge 2, B; entries p, c, d, p’]
9
Posted transactions
• P waits until P’ completes on bridge 2
[Diagram: A, bridge 1, bridge 2, B; entries p, c, d, p’]
10
Posted transactions
• Pretend that P’ went to another bridge (not shown).
• P can now complete to destination B.
[Diagram: A, bridge 1, bridge 2, B; entries p, c, d]
11
Posted transactions
• No acknowledgement is sent to A.
• P is now complete at B.
[Diagram: A, bridge 1, bridge 2, B; entries p, c, d]
12
Delayed transactions
• Delayed trans., d, from A to B.
• A puts d on “the rest of the network” and waits for a completion.
• B receives d and sends a completion, c.
[Diagram: A sends d to B across “the rest of the network”]
13
Delayed transactions
• 2 bridges between A and B
• Other transactions as shown.
• d tries to latch to bridge 1.
• d is now committed (called d’).
[Diagram: A, bridge 1, bridge 2, B; entries d’, c, d, p’]
14
Delayed transactions
• Eventually, d’ latches to bridge 1.
• bridge 1 has an uncommitted copy of d
• d can pass the other d entry already in bridge 1.
[Diagram: A, bridge 1, bridge 2, B; entries d’, c, d, p’, d]
15
Delayed transactions
• d can attempt to latch to bridge 2.
• d will then be committed at bridge 1.
[Diagram: A, bridge 1, bridge 2, B; entries d’, c, d, p’, d]
16
Delayed transactions
• Eventually, d’ latches to bridge 2.
[Diagram: A, bridge 1, bridge 2, B; entries d’, c, d, p’, d’]
17
Delayed transactions
• d can pass completion entry c.
[Diagram: A, bridge 1, bridge 2, B; entries d’, c, d, p’, d’, d]
18
Delayed transactions
• But, uncommitted d entries can be dropped at any time...
[Diagram: A, bridge 1, bridge 2, B; entries d’, c, d, p’, d’, d]
19
Delayed transactions
• bridge 1 has to resend d’ to bridge 2
• d’ cannot be deleted
[Diagram: A, bridge 1, bridge 2, B; entries d’, c, d, p’, d’]
20
Delayed transactions
• d can be dropped again...
• pretend it passes C again.
• d cannot pass posted transactions.
• d waits till p’ completes.
[Diagram: A, bridge 1, bridge 2, B; entries d’, c, d, p’, d’, d]
21
Delayed transactions
• d commits then latches to agent B.
• B creates a completion entry C.
[Diagram: A, bridge 1, bridge 2, B; entries d’, c, d, d’, d]
22
Delayed transactions
• d’ in bridge 2 can complete with the completion in B.
• d’ will be deleted from bridge 2.
• c will move into bridge 2.
[Diagram: A, bridge 1, bridge 2, B; entries d’, c, d, d’, d’, d’, c]
23
Delayed transactions
• d is now complete at bridge 2.
• d’ in bridge 1 can complete with c in bridge 2.
• c can be deleted too...
[Diagram: A, bridge 1, bridge 2, B; entries d’, c, d, d’, d’, c]
24
Delayed transactions
• d is now complete at bridge 1.
• finally, d’ in agent A completes with c in bridge 1.
[Diagram: A, bridge 1, bridge 2, B; entries d’, c, d, d’, c]
25
Delayed transactions
• d is now complete at A.
• no more actions!
[Diagram: A, bridge 1, bridge 2, B; entries c, d, d’, c]
26
Reordering and deletion
• P can pass anything except P.
• D and C can pass either D or C.
• uncommitted D can be dropped.
• oldest C in a queue can be dropped.
• P and committed D never dropped.
27
Producer/Consumer property
• if a producer agent writes a data item
• and the producer sets a flag
• and if the consumer reads the flag
• then the consumer will read the new data item.
28
Producer/Consumer property
• More formally...
p, c: agent masters; d, f: agent targets; dw, fw: write trans.; dr, fr: delayed read trans.
{(p issues dw before fw) ∧ (c issues fr before dr) ∧ (dw completes at p before fw) ∧ (fr completes at c before dr) ∧ (fw completes at f before fr)} ⇒ (dw completes at d before dr)
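As an added example (not the talk’s SML model or PVS theory), a small Python model of one bridge queue under the slide-26 passing and deletion rules, with an explicit-state search that checks the core of the slide-27/28 producer/consumer property: the posted flag write fw never overtakes the posted data write dw. The entry names dw/fw come from the slides; the tuple encoding, the allow_pp switch (which relaxes the P-never-passes-P rule to show why it is needed) and the sample queues are constructed.

```python
from collections import deque
# Constructed toy model of one PCI bridge queue (not the talk's SML model), head first:
# ("P", name) posted write, ("D", name, committed) delayed request, ("C", name) completion.

def can_pass(mover, blocker, allow_pp=False):
    """Slide 26: P passes anything except P; D and C pass only D or C.
    allow_pp=True relaxes the P-never-passes-P rule to show why it matters."""
    if mover[0] == "P":
        return allow_pp or blocker[0] != "P"
    return blocker[0] in ("D", "C")

def droppable(queue, idx):
    """Uncommitted D and the oldest C may be dropped; P and committed D never."""
    kind = queue[idx][0]
    if kind == "D":
        return not queue[idx][2]
    return kind == "C" and all(e[0] != "C" for e in queue[:idx])

def successors(queue, allow_pp=False):
    """Queues reachable in one step: entry i passes entry i-1, or one entry is dropped."""
    out = []
    for i in range(1, len(queue)):
        if can_pass(queue[i], queue[i - 1], allow_pp):
            q = list(queue)
            q[i - 1], q[i] = q[i], q[i - 1]
            out.append(tuple(q))
    for i in range(len(queue)):
        if droppable(queue, i):
            out.append(queue[:i] + queue[i + 1:])
    return out

def reachable(queue, allow_pp=False):
    """Explicit-state exploration of every ordering reachable from queue."""
    start = tuple(queue)
    seen, todo = {start}, deque([start])
    while todo:
        q = todo.popleft()
        for nxt in successors(q, allow_pp):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def flag_never_overtakes_data(queue, data="dw", flag="fw", allow_pp=False):
    """P/C core: fw must never sit ahead of dw (closer to the head) in any reachable queue."""
    for q in reachable(queue, allow_pp):
        names = [e[1] for e in q]
        if data in names and flag in names and names.index(flag) < names.index(data):
            return False
    return True
```

With the rules as stated the check holds for any queue that starts with dw ahead of fw; with allow_pp=True the search finds a reachable queue where fw has overtaken dw, which is exactly the reordering the spec forbids.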
29
Verifying P/C
• Theorem proving effort
– PVS theory of PCI using NASA library
– several person months of effort
– too hard.
• Model checking effort
– long-ish Promela model
– does not generalize to arbitrary cases
– does finish though
30
Theorem proving difficulties
• unconstrained environment
• big induction principle
• several months of effort
• ... some properties were proven
31
TP contribution
• any configuration of p,c,d,f is in one of the following infinite classes:
[Diagram: the three infinite classes of p, c, d, f configurations]
32
Model checking difficulties
• check sample networks from each class.
• included only P/C transactions
• model checker works in finite domain
• couldn’t convincingly generalize the results.
33
Missing generalizations
• arbitrary unrelated agents, paths and transactions
• arbitrary path lengths
[Diagram: a p, c, d, f configuration with unrelated agents and paths (...) and path lengths left open (???)]
34
Verification solution
• Use some TP properties to create an abstract model of PCI called PCIA
• abstract away:
– arbitrary unrelated agents, paths
– arbitrary unrelated transactions
– arbitrarily long paths
35
Verification solution
• show that PCI refines PCIA (trace inclusion):
∀ s: PCI execution trace. {(s = [(i1,e1),(i2,e2),...]) ⇒ ∃ s’: abstract PCI execution trace. (s’ = [e1,e2,...])}
where e1 = abstraction of i1
36
Verification solution
• show that all executions of PCIA satisfy P/C
• Therefore, no executions of PCI violate P/C
• pencil & paper refinement proof
• model checked P/C in PCIA
37
Unrelated paths and agents
[Diagram: the concrete network with unrelated agents and paths (...) beside the abstract network keeping only p, c, d, f and the paths between them]
38
Unrelated Transactions
[Diagram: bridge queues between p, c, d and f filled with unrelated transactions alongside dw, fw and their completions]
39
Unbounded Path Lengths
• Ignore bridge boundaries
• But stacks of committed delayed transactions represent the path length.
[Diagram: the same network with bridge boundaries removed; stacks of committed delayed entries (...) remain along the path]
40
Unbounded path lengths
• Theorem from TP model:
– behind any committed D transaction, there is a continuous stack of D transactions back to the issuing master agent.
41
Unbounded Path Lengths
• Keep only the newest committed entry!
• How to do completions?
– where is the new newest entry after a completion?
[Diagram: the abstract queue after a completion, with the position of the new newest committed entry marked ???]
42
Unbounded path lengths
• Which transactions behind dwc were in the same queue as dwc?
• New newest dwc appears behind them.
[Diagram: candidate queues showing where the new newest dwc entry may appear among frc, fr, fw and cdw]
43
Unbounded path lengths
• lost queue boundaries, so don’t know
• consider all interleavings
• going to visit all states anyway...
[Diagram: all interleavings of the new dwc entry with frc, fr, fw and cdw]
44
Refinement Proof
[Diagram: refinement square; each PCI transition from an internal state to the next internal state is matched by a PCIA transition from the abstract state to the next abstract state]
45
P/C in PCIA
• SML model of PCIA
• SML explicit state model checker
• state P/C as a safety property
• check all 3 path configurations in 30 sec.
• less than 2000 states
46
Discussion
• combination of TP and MC
• Novel abstraction
– unbounded branching paths
– unbounded transactions
• Small and finite abstract model
– can even be checked in a toy model checker
47
Abstract model
48
Abstract model
• keep only significant transactions
– all forms of dw, dr, fw, fr
– only the newest committed entry
• keep only significant agents
– p, c, d, f agents
• keep only significant paths
– paths connecting p, c, d, f
• ignore bridge and queue boundaries
49
Transition abstraction
• There is an abstract transition for each concrete transition that changes the external state.
• a set of 10 transition rules.
• see the paper for details.
50
Delayed transactions
• most difficult case