Transaction Ordering Verification using Trace Inclusion Refinement. Mike Jones 11 January 2000. Case Study. Check the producer consumer property for PCI 2.1 protocol. Which formal methods are best suited for reasoning about large protocols over unbounded branching networks? - PowerPoint PPT Presentation
Transaction Ordering Verification using Trace Inclusion Refinement
Mike Jones, 11 January 2000
2
Case Study
• Check the producer consumer property for PCI 2.1 protocol.
• Which formal methods are best suited for reasoning about large protocols over unbounded branching networks?
• Resulting tools apply to designing, not implementing, a protocol over unbounded branching networks.
3
Formal methods (in 1 slide)
• Formal = truth is based on form, not meaning.
• Syntax, not semantics, matters.
• Theorem proving
– expressive, interactive, machine-checked
• Model checking
– unexpressive, automatic, complexity
• Hybrid techniques
• Intel, HP, Compaq, Microsoft, AMD, SRI, Lucent, VSIA ...
4
Why PCI?
• It works. Why verify it?
• Published standard violated prod/cons.
• Stationary target.
• Beyond current formal techniques.
5
Producer/Consumer for PCI
(Figure: a PCI network with nodes p, c, d and f)
...for all networks and all executions.
6
Solution
• Carefully reduce the problem
• Check the reduced problem
• Generalize results
7
Related work
• Other PCI work.
– liveness [Corella, 97]
– state machine specifications [Clarke, 99]
– U of Utah [Mokkedem et al., 00]
• Unbounded branching networks.
– predicate transformers [Kesten, 97]
– predicate abstraction [Das, 99]
– Combined method [Abdulla, 99]
8
Careful reduction
• Reduce arbitrary PCI networks to N networks.
• Reduce infinite state to finite states.
• Show that PCI is a trace inclusion refinement of the reduced protocol.
9-11
Structural Reduction
(Figure: three network diagrams, one per slide, each with nodes p, d, c and f)
12
Unrelated paths and agents
(Figure: two network diagrams with nodes p, c, d and f)
13
State reduction
• PCI networks have an infinite # of states.
• Ignore certain transactions while preserving the PC property.
14
Unrelated Transactions
(Figure: interleaved transaction sequences on the nodes p, c, d and f)
15-17
Trace Inclusion Refinement
For every trace in the concrete protocol, there exists a trace in the reduced protocol such that the reduction of each concrete state is equal to the corresponding abstract state.
18
...Applied to PCI
• Write a set of rules inductively defining the reachable states in PCI and reduced model.
19
Check reduced model
• Used SML and the Murphi model checker.
• Rule-based input languages.
• 3,176 states checked in 67 seconds.
• Property was satisfied.
20
Changing the model
• A different protocol
– PCI without local master IDs
– About 1/2 a day of effort
– Plausible violation found in under 10 minutes
• A different property
– When are two transactions received in order?
– Useful for an on-chip bus being considered for SOC
– 1/2 an hour additional effort
21
Conclusions
• A combination of rule-based notation, theorem proving and model checking works.
• Easy to modify both the protocol and the property being checked.
22
Future work
• Automate the refinement proof.
• Tools for deriving reduced protocols for mutations of protocols.
• Anyone have a protocol over an unbounded network they need studied?
24
Outline
• Lay the groundwork
• Overview PCI and the property
• Our solution
• What makes our solution so good
• Discussion and conclusions
25
Why Formal Methods?
• Simulation impossible: infinite states.
• Does not guarantee correctness.
• Forced to identify assumptions.
• Capital-critical applications.
26
Structural Reduction
• Reduce any instance of PC to one of 3 abstract instances.
• Allows us to get complete structural coverage by checking 3 networks.
• Supported by a machine-checked proof.
(Figure: the three abstract network instances, each with nodes p, d, c and f)
27
Producer/Consumer for PCI
• Producer writes a data value and sets a flag.
• Consumer reads the flag then reads the data.
• Assuming
– no intervening writes
– flag gets written before it gets read
• Then the consumer gets the new data value.
• Check this for ALL executions in ALL networks.
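An explicit-state check of the property just stated, added here as an example; it is not the talk's SML/Murphi model and the write network it uses is a constructed toy, not the PCI 2.1 ordering rules. The producer, the network and the consumer interleave freely, the search visits every reachable state, and the assumed `reorder` flag stands in for a deliberately weakened network, to show the kind of counterexample an exhaustive check turns up.

```python
from collections import deque

# Constructed toy model of the PC property (added example; not the PCI 2.1 rules nor the
# talk's SML/Murphi model).  State = (prod, pending, d, f, cons, fseen, dseen):
#   prod/cons   program counters (producer: 0 write d, 1 write f, 2 done;
#               consumer: 0 read flag, 1 read data, 2 done)
#   pending     writes issued by the producer but not yet delivered to memory
#   d, f        memory contents of the data word and the flag (both start at 0)
#   fseen/dseen values the consumer read (None until it reads)
INIT = (0, (), 0, 0, 0, None, None)

def successors(state, reorder):
    """One-step successors; producer, network and consumer interleave freely."""
    prod, pending, d, f, cons, fseen, dseen = state
    out = []
    if prod == 0:                          # producer writes the data value ...
        out.append((1, pending + (("d", 1),), d, f, cons, fseen, dseen))
    elif prod == 1:                        # ... and then sets the flag
        out.append((2, pending + (("f", 1),), d, f, cons, fseen, dseen))
    # Network: in order, only the oldest pending write can be delivered;
    # the constructed weakened network (reorder=True) may deliver any of them.
    deliverable = range(len(pending)) if reorder else range(min(1, len(pending)))
    for i in deliverable:
        loc, val = pending[i]
        rest = pending[:i] + pending[i + 1:]
        nd, nf = (val, f) if loc == "d" else (d, val)
        out.append((prod, rest, nd, nf, cons, fseen, dseen))
    if cons == 0:                          # consumer reads the flag
        out.append((prod, pending, d, f, 1, f, dseen))
    elif cons == 1 and fseen == 1:         # flag seen set: consumer reads the data
        out.append((prod, pending, d, f, 2, fseen, d))
    return out                             # a consumer that saw flag 0 simply stops

def violates_pc(state):
    """PC property: a consumer that saw the flag set must read the new data value."""
    _, _, _, _, cons, fseen, dseen = state
    return cons == 2 and fseen == 1 and dseen != 1

def check(reorder):
    """Explicit-state search over every reachable state; returns (holds, visited, bad)."""
    seen, work = {INIT}, deque([INIT])
    while work:
        s = work.popleft()
        if violates_pc(s):
            return False, len(seen), s
        for n in successors(s, reorder):
            if n not in seen:
                seen.add(n)
                work.append(n)
    return True, len(seen), None
```

`check(False)` reports that the property holds over the in-order network; `check(True)` returns the first violating state, in which the consumer saw `f == 1` but then read `d == 0`.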
28
What makes this problem hard
• All networks and all executions.
• Reasoning about PCI networks in general, using induction, is hard.
• Reasoning about individual PCI networks equals inefficient simulation.
29
Trace Inclusion Refinement