Embed Size (px)
Citation preview
Transaction Ordering Verification using Trace
Inclusion Refinement
Mike Jones11 January 2000
2
Case Study
• Check the producer consumer property for PCI 2.1 protocol.
• Which formal methods are best suited for reasoning about large protocols over unbounded branching networks?
• Resulting tools apply to designing, not implementing, a protocol over unbounded branching networks.
3
Formal methods (in 1 slide)
• Formal = truth is based on form, not meaning.• Syntax, not semantics, matters.• Theorem proving
– expressive, interactive, machine-checked
• Model checking – unexpressive, automatic, complexity
• Hybrid techniques• Intel, HP, Compaq, Microsoft, AMD, SRI, Lucent,
VSIA ...
4
Why PCI?
• It works. Why verify it? • Published standard violated prod/cons. • Stationary target.• Beyond current formal techniques.
5
Producer/Consumer for PCI
...
...p
c
d
f
...for all networks and all executions.
6
Solution
• Carefully reduce the problem• Check the reduced problem• Generalize results
7
Related work
• Other PCI work. – liveness [Corella,97]– state machine specifications [Clarke,99]– U of Utah [Mokkedem et al,00]
• Unbounded branching networks. – predicate transformers[Kesten,97]– predicate abstraction[Das,99]– Combined method [Abdulla,99]
8
Careful reduction
• Reduce arbitrary PCI networks to N networks.
• Reduce infinite state to finite states.• Show that PCI is a trace inclusion
refinement of the reduced protocol.
9
Structural Reduction
10
Structural Reduction
11
Structural Reduction
p d
c f
p c
d f
p d
c f
12
Unrelated paths and agents
...
...p
c
d
f
p
c
d
f
13
State reduction
• PCI networks have an infinite # of states. • Ignore certain transactions while preserving
the PC property.
14
Unrelated Transactions
p
... fwdwdwcdwc
cdwp
d’cp
p c
pdd
d p
dwc dw fw
cdw
p
15
Trace Inclusion Refinement
For every trace in the concrete protocol.
16
Trace Inclusion Refinement
For every trace in the concrete protocol.
There exists a trace in the reduced protocol...
17
Trace Inclusion Refinement
For every trace in the concrete protocol.
There exists a trace in the reduced protocol...
Such that the reduction of each concrete state is equal to the corresponding abstract state.
18
...Applied to PCI• Write a set of rules inductively defining the
reachable states in PCI and reduced model.
19
Check reduced model
• Used SML and murphi model checker. • Rules based input languages• 3,176 states checked in 67 seconds.• Property was satisfied.
20
Changing the model
• A different protocol – PCI without local master IDs – About 1/2 a day of effort– Plausible violation found in under 10 minutes
• A different property – When are two transactions received in order?– Useful for an on-chip bus being considered for
SOC– 1/2 an hour additional effort
21
Conclusions
• A combination of rule-based notation, theorem proving and model checking works.
• Easy to modify both the protocol and the property being checked.
22
Future work
• Automate the refinement proof.• Tools for deriving reduced protocols for
mutations of protocols. • Anyone have a protocol over an unbounded
network they need studied?
23
24
Outline
• Lay the groundwork• Overview PCI and the property• Our solution• What makes our solution so good• Discussion and conclusions
25
Why Formal Methods?
• simulation impossible: infinite states.• Does not guaruntee correctness. • Forced to identify assumptions.• Capitol critical applications.
26
Structural Reduction
• Reduce any instance of PC to one of 3 abstract instances.
• Allows us to get complete structural coverage by checking 3 networks.
• Supported by a machine-checked proof.
p d
c f
p c
d f
p d
c f
27
Producer/Consumer for PCI
• Producer writes a data value and sets a flag.• Consumer reads the flag then reads the data• Assuming
– no intervening writes– flag gets written before it gets read
• Then the consumer gets the new data value.
• Check this for ALL executions in ALL networks
28
What makes this problem hard
• All networks and all executions. • Reasoning about PCI networks in general,
using induction, is hard. • Reasoning about individual PCI networks
equals inefficient simulation.
29
Trace Inclusion Refinement
