Slide 1
Transaction Ordering Verification using Trace Inclusion Refinement
Mike Jones, 11 January 2000
Slide 2
Case Study
• Check the producer consumer property for PCI 2.1 protocol.
• Which formal methods are best suited for reasoning about large protocols over unbounded branching networks?
• Resulting tools apply to designing, not implementing, a protocol over unbounded branching networks.
Slide 3
Formal methods (in 1 slide)
• Formal = truth is based on form, not meaning.
• Syntax, not semantics, matters.
• Theorem proving
– expressive, interactive, machine-checked
• Model checking
– unexpressive, automatic, complexity
• Hybrid techniques
• Intel, HP, Compaq, Microsoft, AMD, SRI, Lucent, VSIA ...
Slide 4
Why PCI?
• It works. Why verify it?
• Published standard violated prod/cons.
• Stationary target.
• Beyond current formal techniques.
Slide 5
Producer/Consumer for PCI
[Diagram: a PCI network with nodes labelled p, c, d, f]
...for all networks and all executions.
Slide 6
Solution
• Carefully reduce the problem
• Check the reduced problem
• Generalize results
Slide 7
Related work
• Other PCI work.
– liveness [Corella,97]
– state machine specifications [Clarke,99]
– U of Utah [Mokkedem et al,00]
• Unbounded branching networks.
– predicate transformers [Kesten,97]
– predicate abstraction [Das,99]
– Combined method [Abdulla,99]
Slide 8
Careful reduction
• Reduce arbitrary PCI networks to N networks.
• Reduce infinite state to finite states.
• Show that PCI is a trace inclusion refinement of the reduced protocol.
Slide 9
Structural Reduction
Slide 10
Structural Reduction
Slide 11
Structural Reduction
[Diagram: three reduced network instances, each with nodes p, c, d, f in a different arrangement]
Slide 12
Unrelated paths and agents
[Diagram: a network with nodes p, c, d, f and a second, unrelated set of nodes p, c, d, f on separate paths]
Slide 13
State reduction
• PCI networks have an infinite # of states.
• Ignore certain transactions while preserving the PC property.
Slide 14
Unrelated Transactions
[Diagram: transactions in flight between nodes p, c, d, d' and f, labelled dw, fw and cdw]
Slide 15
Trace Inclusion Refinement
For every trace in the concrete protocol.
Slide 16
Trace Inclusion Refinement
For every trace in the concrete protocol.
There exists a trace in the reduced protocol...
Slide 17
Trace Inclusion Refinement
For every trace in the concrete protocol.
There exists a trace in the reduced protocol...
Such that the reduction of each concrete state is equal to the corresponding abstract state.
Slide 18
...Applied to PCI
• Write a set of rules inductively defining the reachable states in PCI and reduced model.
Slide 19
Check reduced model
• Used SML and the Murphi model checker.
• Rule-based input languages
• 3,176 states checked in 67 seconds.
• Property was satisfied.
Slide 20
Changing the model
• A different protocol
– PCI without local master IDs
– About 1/2 a day of effort
– Plausible violation found in under 10 minutes
• A different property
– When are two transactions received in order?
– Useful for an on-chip bus being considered for SOC
– 1/2 an hour additional effort
Slide 21
Conclusions
• A combination of rule-based notation, theorem proving and model checking works.
• Easy to modify both the protocol and the property being checked.
Slide 22
Future work
• Automate the refinement proof.
• Tools for deriving reduced protocols for mutations of protocols.
• Anyone have a protocol over an unbounded network they need studied?
Slide 23
Slide 24
Outline
• Lay the groundwork
• Overview PCI and the property
• Our solution
• What makes our solution so good
• Discussion and conclusions
Slide 25
Why Formal Methods?
• Simulation impossible: infinite states.
• Does not guarantee correctness.
• Forced to identify assumptions.
• Capital-critical applications.
Slide 26
Structural Reduction
• Reduce any instance of PC to one of 3 abstract instances.
• Allows us to get complete structural coverage by checking 3 networks.
• Supported by a machine-checked proof.
[Diagram: the three abstract network instances, each with nodes p, c, d, f in a different arrangement]
Slide 27
Producer/Consumer for PCI
• Producer writes a data value and sets a flag.
• Consumer reads the flag then reads the data.
• Assuming
– no intervening writes
– flag gets written before it gets read
• Then the consumer gets the new data value.
• Check this for ALL executions in ALL networks.
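A small rule-based model, added here as an illustration and not the Murphi/SML rules from the talk, covering both the producer/consumer property on this slide and the trace inclusion refinement check of slides 15 to 18. The agents (a producer, a bridge queue, a memory holding data, flag and one unrelated location x, and a consumer), the bound of one unrelated write, and the reduction function reduce_state are all assumptions made for the example. pc_violations explores every reachable state and reports consumer observations that break the property; refines checks that every step of the concrete model (with unrelated writes) maps under reduce_state onto a step or a stutter of the reduced model, which is the inductive form of "for every concrete trace there exists a reduced trace whose states match the reduction of each concrete state".

```python
from collections import deque

# Assumed toy model, not the talk's PCI rules.
# State: (prod, queue, data, flag, x, phase, fseen, dseen, nun)
#   prod  : producer progress (0 = nothing posted, 1 = data posted, 2 = flag posted)
#   queue : posted writes in flight in the bridge, oldest first
#   data, flag, x : memory on the consumer's side; x is an unrelated location
#   phase : consumer progress (0 = idle, 1 = flag read, 2 = data read)
#   fseen, dseen : values the consumer observed
#   nun   : number of unrelated writes issued so far (bounded to keep the model finite)
INIT = (0, (), 0, 0, 0, 0, None, None, 0)

def successors(s, bridge_reorders, max_unrelated):
    prod, queue, data, flag, x, phase, fseen, dseen, nun = s
    out = []
    if prod == 0:    # rule: producer posts the data write
        out.append((1, queue + (("data", 1),), data, flag, x, phase, fseen, dseen, nun))
    elif prod == 1:  # rule: producer posts the flag write
        out.append((2, queue + (("flag", 1),), data, flag, x, phase, fseen, dseen, nun))
    if nun < max_unrelated:  # rule: some agent posts a write to the unrelated location
        out.append((prod, queue + (("x", 1),), data, flag, x, phase, fseen, dseen, nun + 1))
    # rule: the bridge delivers a queued write (head only, or any entry if it may reorder)
    for i in (range(len(queue)) if bridge_reorders else range(min(1, len(queue)))):
        loc, val = queue[i]
        mem = {"data": data, "flag": flag, "x": x}
        mem[loc] = val
        out.append((prod, queue[:i] + queue[i + 1:], mem["data"], mem["flag"], mem["x"],
                    phase, fseen, dseen, nun))
    if phase == 0:    # rule: consumer reads the flag
        out.append((prod, queue, data, flag, x, 1, flag, dseen, nun))
    elif phase == 1:  # rule: consumer reads the data
        out.append((prod, queue, data, flag, x, 2, fseen, data, nun))
    return out

def reachable(bridge_reorders, max_unrelated):
    """Explicit-state exploration of every state the rules can reach from INIT."""
    seen, work = {INIT}, deque([INIT])
    while work:
        s = work.popleft()
        for t in successors(s, bridge_reorders, max_unrelated):
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen

def pc_violations(bridge_reorders, max_unrelated=1):
    """Producer/consumer property: if the consumer saw flag == 1, it must then read data == 1."""
    bad = {(s[6], s[7]) for s in reachable(bridge_reorders, max_unrelated)
           if s[5] == 2 and s[6] == 1 and s[7] != 1}
    return sorted(bad)

def reduce_state(s):
    """State reduction: forget the unrelated location and its in-flight writes."""
    prod, queue, data, flag, x, phase, fseen, dseen, nun = s
    return (prod, tuple(w for w in queue if w[0] != "x"), data, flag, 0, phase, fseen, dseen, 0)

def refines(concrete_reorders, abstract_reorders, max_unrelated=1):
    """Trace inclusion: each concrete step maps, under reduce_state, to an abstract step or a stutter."""
    if reduce_state(INIT) != INIT:
        return False
    for s in reachable(concrete_reorders, max_unrelated):
        allowed = {reduce_state(s)} | set(successors(reduce_state(s), abstract_reorders, 0))
        for t in successors(s, concrete_reorders, max_unrelated):
            if reduce_state(t) not in allowed:
                return False
    return True

if __name__ == "__main__":
    print("in-order bridge violations:", pc_violations(False))
    print("reordering bridge violations:", pc_violations(True))
    print("concrete in-order refines reduced in-order:", refines(False, False))
    print("concrete reordering refines reduced in-order:", refines(True, False))
```

With an in-order bridge no violation is reachable; with a bridge that may reorder posted writes the consumer can observe flag == 1 and then read stale data, which is exactly the ordering hazard the verification is meant to expose. refines(True, False) is False, showing that a reduced model whose bridge cannot reorder would not be a sound stand-in for a concrete protocol whose bridge can: a property proved on such a reduced model says nothing about the concrete one.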
Slide 28
What makes this problem hard
• All networks and all executions.
• Reasoning about PCI networks in general, using induction, is hard.
• Reasoning about individual PCI networks equals inefficient simulation.
Slide 29
Trace Inclusion Refinement