PCI transaction ordering verification using trace inclusion refinement
Mike Jones
UV Meeting
October 4, 1999
Outline
• How PCI works
• What we are trying to verify
• Why the verification is so hard
• How we did the verification
• Discussion
How PCI works
[Figure: a PCI bus joining an agent and a bridge; queue entries labelled p (posted), d (delayed) and c (delayed completion)]
Posted transactions
• Posted transaction, P, from A to B.
• A puts P on “the rest of the network” and forgets about it.
• B receives P and that’s it.
[Figure: agent A, “the rest of the network”, agent B; p leaving A]
Posted transactions
• Pretend there are 2 bridges between A and B.
• With the other transactions shown.
• Here’s how P gets from A to B...
[Figure: path from A through two bridges to B; entries drawn: p at A | d | c p’]
Posted transactions
• P goes to bridge 1.
• P is now complete at A.
• P can pass delayed transaction d.
[Figure: path from A to B; entries drawn: p d | c p’]
Posted transactions
• Next, P completes to bridge 2.
[Figure: path from A to B; entries drawn: d p | c p’]
Posted transactions
• P is now complete at bridge 1.
• P can pass the completion trans. C.
• P can not pass the other posted trans. P’.
[Figure: path from A to B; entries drawn: d | p c p’]
Posted transactions
• P waits until P’ completes on bridge 2.
[Figure: path from A to B; entries drawn: d | c p p’]
Posted transactions
• Pretend that P’ went to another bridge (not shown).
• P can now complete to destination B.
[Figure: path from A to B; entries drawn: d | c p]
Posted transactions
• No acknowledgement is sent to A.
• P is now complete at B.
[Figure: path from A to B; entries drawn: d | c | p at B]
Delayed transactions
• Delayed trans., d, from A to B.
• A puts d on “the rest of the network” and waits for a completion.
• B receives d and sends a completion, c.
[Figure: agent A, “the rest of the network”, agent B; d leaving A]
Delayed transactions
• 2 bridges between A and B.
• Other transactions as shown.
• d tries to latch to bridge 1.
• d is now committed (called d’).
[Figure: path from A to B; entries drawn: d’ at A | d | c p’]
Delayed transactions
• Eventually, d’ latches to bridge 1.
• Bridge 1 has an uncommitted copy of d.
• d can pass the other d entry already in bridge 1.
[Figure: path from A to B; entries drawn: d’ at A | d d | c p’]
Delayed transactions
• d can attempt to latch to bridge 2.
• d will then be committed at bridge 1.
[Figure: path from A to B; entries drawn: d’ at A | d d | c p’]
Delayed transactions
• Eventually, d’ latches to bridge 2.
[Figure: path from A to B; entries drawn: d’ at A | d d’ | c p’]
Delayed transactions
• d can pass completion entry c.
[Figure: path from A to B; entries drawn: d’ at A | d d’ | d c p’]
Delayed transactions
• But, uncommitted d entries can be dropped at any time...
[Figure: path from A to B; entries drawn: d’ at A | d d’ | c d p’]
Delayed transactions
• Bridge 1 has to resend d’ to bridge 2.
• d’ can not be deleted.
[Figure: path from A to B; entries drawn: d’ at A | d d’ | c p’]
Delayed transactions
• d can be dropped again...
• Pretend it passes C again.
• d can not pass posted transactions.
• d waits till p’ completes.
[Figure: path from A to B; entries drawn: d’ at A | d d’ | d c p’]
Delayed transactions
• d commits, then latches to agent B.
• B creates a completion entry C.
[Figure: path from A to B; entries drawn: d’ at A | d d’ | c | d at B]
Delayed transactions
• d’ in bridge 2 can complete with the completion in B.
• d’ will be deleted from bridge 2.
• c will move into bridge 2.
[Figure: path from A to B; entries drawn: d’ at A | d d’ | c d’ | d’ c at B]
Delayed transactions
• d is now complete at bridge 2.
• d’ in bridge 1 can complete with c in bridge 2.
• c can be deleted too...
[Figure: path from A to B; entries drawn: d’ at A | d d’ | c | d’ c at B]
Delayed transactions
• d is now complete at bridge 1.
• Finally, d’ in agent A completes with c in bridge 1.
[Figure: path from A to B; entries drawn: d’ at A | c d | d’ c at B]
Delayed transactions
• d is now complete at A.
• No more actions!
[Figure: path from A to B; entries drawn: d c at A | d’ c at B]
Reordering and deletion
• P can pass anything except P.
• D and C can pass either D or C.
• Uncommitted D can be dropped.
• Oldest C in a queue can be dropped.
• P and committed D are never dropped.
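The five rules above are small enough to execute. The following is an added example, not a model from the talk: it encodes the passing and dropping rules for a single bridge queue (a simplification, since the talk's queues sit in several bridges), replays the posted-transaction walk-through from the earlier slides, and then does what the SML checker mentioned later does in miniature: enumerates every queue state reachable under the rules and checks a safety property over all of them. The entry labels and the sample queues are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Tuple

# Entries are listed oldest-first: index 0 is the head (closest to the target),
# and a newer entry "passes" an older one by swapping ahead of it.


@dataclass(frozen=True)
class Entry:
    kind: str                # 'P' posted write, 'D' delayed request, 'C' delayed completion
    label: str               # constructed name such as "p'" or "dw"
    committed: bool = False  # only meaningful for 'D' entries


Queue = Tuple[Entry, ...]


def can_pass(mover: Entry, blocker: Entry) -> bool:
    """P can pass anything except P; D and C can pass either D or C."""
    if mover.kind == 'P':
        return blocker.kind != 'P'
    return blocker.kind in ('D', 'C')


def can_drop(queue: Queue, index: int) -> bool:
    """Uncommitted D may be dropped; the oldest C in the queue may be dropped;
    P and committed D are never dropped."""
    e = queue[index]
    if e.kind == 'D':
        return not e.committed
    if e.kind == 'C':
        return all(q.kind != 'C' for q in queue[:index])  # no older C ahead of it
    return False


def advance(queue: Queue, index: int) -> Tuple[Queue, int]:
    """Move queue[index] toward the head as far as the passing rules allow;
    return the new queue and the entry's new position."""
    q = list(queue)
    while index > 0 and can_pass(q[index], q[index - 1]):
        q[index - 1], q[index] = q[index], q[index - 1]
        index -= 1
    return tuple(q), index


def successors(queue: Queue) -> List[Queue]:
    """Every queue reachable by exactly one legal pass or one legal drop."""
    out: List[Queue] = []
    for i in range(1, len(queue)):
        if can_pass(queue[i], queue[i - 1]):
            q = list(queue)
            q[i - 1], q[i] = q[i], q[i - 1]
            out.append(tuple(q))
    for i in range(len(queue)):
        if can_drop(queue, i):
            out.append(queue[:i] + queue[i + 1:])
    return out


def reachable(start: Queue) -> set:
    """Explicit-state (breadth-first) enumeration of all queues reachable from start."""
    seen = {start}
    todo = deque([start])
    while todo:
        q = todo.popleft()
        for n in successors(q):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen


def posted_order_preserved(start: Queue, state: Queue) -> bool:
    """Safety check: posted writes are never lost and never reorder among themselves."""
    def posted(q: Queue) -> List[str]:
        return [e.label for e in q if e.kind == 'P']
    return posted(start) == posted(state)


def check_posted_safety(start: Queue) -> bool:
    """True if every reachable state keeps the posted writes of start in order."""
    return all(posted_order_preserved(start, s) for s in reachable(start))


if __name__ == "__main__":
    # Constructed queue: p' and c are ahead, d is next, and a new p enters at the tail.
    q = (Entry('P', "p'"), Entry('C', 'c'), Entry('D', 'd'), Entry('P', 'p'))
    new_q, pos = advance(q, 3)
    print([e.label for e in new_q], pos)  # p passes d and c, then stops behind p'
    start = (Entry('P', 'a'), Entry('P', 'b'), Entry('D', 'd', committed=True), Entry('C', 'c'))
    print(len(reachable(start)), check_posted_safety(start))
```

The walk-through reproduces the slides: p passes d and c but not p'. The reachability search is the same idea as the explicit-state check described later in the talk, only over one queue; a property that fails would show up as a reachable state for which `posted_order_preserved` returns False.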
Producer/Consumer property
• If a producer agent writes a data item,
• and the producer sets a flag,
• and if the consumer reads the flag,
• then the consumer will read the new data item.
Producer/Consumer property
• More formally...
p, c: agent masters; d, f: agent targets
dw, fw: write trans.; dr, fr: delayed read trans.
{ (p issues dw before fw)
  and (c issues fr before dr)
  and (dw completes at p before fw)
  and (fr completes at c before dr)
  and (fw completes at f before fr) }
implies (dw completes at d before dr)
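The formal statement is a safety property over an execution trace, so it can be checked mechanically on any recorded trace. The following checker is an added example, not code from the talk or its PVS/Promela/SML models: it represents a trace as a list of constructed (action, transaction, agent) events, tests each of the five premises as an ordering of two events, and reports the implication. The three sample traces are constructed; the one labelled stale read is simply a trace in which the consequent fails while every premise holds.

```python
from typing import List, Optional, Tuple

# An event is the constructed triple (action, transaction, agent): action is
# 'issue' or 'complete', transaction is one of dw, fw, fr, dr, and agent is the
# place where the event happens (p, c, d or f).
Event = Tuple[str, str, str]
Trace = List[Event]


def position(trace: Trace, event: Event) -> Optional[int]:
    """Index of the first occurrence of event in the trace, or None if absent."""
    for i, ev in enumerate(trace):
        if ev == event:
            return i
    return None


def before(trace: Trace, first: Event, second: Event) -> bool:
    """True only if both events occur and first precedes second."""
    a, b = position(trace, first), position(trace, second)
    return a is not None and b is not None and a < b


# The five premises and the consequent, in the slide's order.
ANTECEDENTS = [
    (('issue', 'dw', 'p'), ('issue', 'fw', 'p')),        # p issues dw before fw
    (('issue', 'fr', 'c'), ('issue', 'dr', 'c')),        # c issues fr before dr
    (('complete', 'dw', 'p'), ('complete', 'fw', 'p')),  # dw completes at p before fw
    (('complete', 'fr', 'c'), ('complete', 'dr', 'c')),  # fr completes at c before dr
    (('complete', 'fw', 'f'), ('complete', 'fr', 'f')),  # fw completes at f before fr
]
CONSEQUENT = (('complete', 'dw', 'd'), ('complete', 'dr', 'd'))  # dw completes at d before dr


def antecedent_holds(trace: Trace) -> bool:
    return all(before(trace, a, b) for a, b in ANTECEDENTS)


def producer_consumer_holds(trace: Trace) -> bool:
    """If every premise holds the consequent must too; a trace whose premises
    fail satisfies the property vacuously."""
    return (not antecedent_holds(trace)) or before(trace, *CONSEQUENT)


def violation(trace: Trace) -> Optional[str]:
    """None if the property holds, otherwise a description of the failure."""
    if producer_consumer_holds(trace):
        return None
    return "all five premises hold but dr completed at d before dw did"


# Constructed sample traces.
GOOD_TRACE: Trace = [
    ('issue', 'dw', 'p'), ('complete', 'dw', 'p'),
    ('issue', 'fw', 'p'), ('complete', 'fw', 'p'),
    ('complete', 'dw', 'd'), ('complete', 'fw', 'f'),
    ('issue', 'fr', 'c'), ('complete', 'fr', 'f'), ('complete', 'fr', 'c'),
    ('issue', 'dr', 'c'), ('complete', 'dr', 'd'), ('complete', 'dr', 'c'),
]
# Same premises, but the data write reaches d only after the data read did.
STALE_READ_TRACE: Trace = [
    ('issue', 'dw', 'p'), ('complete', 'dw', 'p'),
    ('issue', 'fw', 'p'), ('complete', 'fw', 'p'),
    ('complete', 'fw', 'f'),
    ('issue', 'fr', 'c'), ('complete', 'fr', 'f'), ('complete', 'fr', 'c'),
    ('issue', 'dr', 'c'), ('complete', 'dr', 'd'),
    ('complete', 'dw', 'd'), ('complete', 'dr', 'c'),
]
# The consumer reads the data before the flag, so the premises do not apply.
VACUOUS_TRACE: Trace = [
    ('issue', 'dw', 'p'), ('complete', 'dw', 'p'),
    ('issue', 'fw', 'p'), ('complete', 'fw', 'p'),
    ('complete', 'dw', 'd'), ('complete', 'fw', 'f'),
    ('issue', 'dr', 'c'), ('issue', 'fr', 'c'),
    ('complete', 'fr', 'f'), ('complete', 'fr', 'c'),
    ('complete', 'dr', 'd'), ('complete', 'dr', 'c'),
]

if __name__ == "__main__":
    for name, t in [("good", GOOD_TRACE), ("stale", STALE_READ_TRACE), ("vacuous", VACUOUS_TRACE)]:
        print(name, producer_consumer_holds(t), violation(t))
```

Because the property is stated purely in terms of event order, a checker like this is independent of how the network is modelled, which is why the talk can check it on the abstract model and transfer the result to PCI.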
Verifying P/C
• Theorem proving effort
– PVS theory of PCI using NASA library
– several person months of effort
– too hard.
• Model checking effort
– long-ish Promela model
– does not generalize to arbitrary cases
– does finish though
Theorem proving difficulties
• unconstrained environment
• big induction principle
• several months of effort
• ... some properties were proven
TP contribution
• Any configuration of p, c, d, f is in one of the following infinite classes:
[Figure: three diagrams, each an arrangement of the agents p, c, d, f]
Model checking difficulties
• Check sample networks from each class.
• Included only P/C transactions.
• Model checker works in a finite domain.
• Couldn’t convincingly generalize the results.
Missing generalizations
• arbitrary unrelated agents, paths and transactions
• arbitrary path lengths
[Figure: agents p, d, c, f joined by paths of unknown length (“...”, “???”)]
Verification solution
• Use some TP properties to create an abstract model of PCI called PCIA.
• Abstract away:
– arbitrary unrelated agents, paths
– arbitrary unrelated transactions
– arbitrarily long paths
Verification solution
• Show that PCI refines PCIA (trace inclusion):
for every s: PCI execution trace,
{ (s = [(i1,e1),(i2,e2),...]) implies
  there is an s’: abstract PCI execution trace with (s’ = [e1,e2,...]) }
where e1 = abstraction of i1
Verification solution
• Show that all executions of PCIA satisfy P/C.
• Therefore, no executions of PCI violate P/C.
• Pencil & paper refinement proof.
• Model checked P/C in PCIA.
Unrelated paths and agents
[Figure: a network containing unrelated agents and paths (“...”) reduced to the agents p, d, c, f and the paths between them]
Unrelated Transactions
[Figure: paths between p, c, d, f whose queues carry entries such as dw, fw, dwc, cdw alongside unrelated transactions (“...”)]
Unbounded Path Lengths
• Ignore bridge boundaries.
• But stacks of committed delayed transactions represent the path length.
[Figure: the same paths between p, c, d, f with entries dw, fw, dwc, cdw; “...” marks path segments of unbounded length]
Unbounded path lengths
• Theorem from TP model:
– Behind any committed D transaction, there is a continuous stack of D transactions back to the issuing master agent.
Unbounded Path Lengths
• Keep only the newest committed entry!
• How to do completions?
– Where is the new newest entry after a completion?
[Figure: the same paths between p, c, d, f with entries dw, fw, dwc, cdw; “???” marks where the new newest entry should appear]
Unbounded path lengths
• Which transactions behind dwc were in the same queue as dwc?
• New newest dwc appears behind them.
[Figure: candidate placements of the new newest dwc relative to the frc, fr and fw entries (frc fr dwc fw; frc dwc fr fw), with cdw behind]
Unbounded path lengths
• Lost queue boundaries, so don’t know.
• Consider all interleavings.
• Going to visit all states anyway...
[Figure: all interleavings of dwc with frc fr fw: frc fr dwc fw; frc dwc fr fw; dwc frc fr fw; with cdw behind]
Refinement Proof
[Figure: refinement diagram with labels PCI transition, internal state, next internal state, abstract state, next abstract state, PCIA transition; each internal state maps to an abstract state and each PCI transition to a PCIA transition]
P/C in PCIA
• SML model of PCIA.
• SML explicit state model checker.
• State P/C as a safety property.
• Check all 3 path configurations in 30 sec.
• Less than 2000 states.
Discussion
• Combination of TP and MC.
• Novel abstraction:
– unbounded branching paths
– unbounded transactions
• Small and finite abstract model:
– can even be checked in a toy model checker
Abstract model
Abstract model
• keep only significant transactions
– all forms of dw,dr,fw,fr
– only the newest committed entry
• keep only significant agents
– p,c,d,f agents
• keep only significant paths
– paths connecting p,c,d,f
• ignore bridge and queue boundaries
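The abstraction summarised on this slide, together with the trace projection s = [(i1,e1),(i2,e2),...] to s’ = [e1,e2,...] from the refinement statement earlier, can be written as a function. The following is an added example and not the talk's SML model: it assumes a concrete path state is a list of bridge queues in path order (master side first), each queue a list of (label, committed) pairs also in path order, so the last element is nearest the target. It drops bridge and queue boundaries, discards transactions outside a constructed set of significant labels, and keeps only the newest committed copy of each delayed transaction (the copy nearest the target), which is what the theorem about stacks of committed entries licenses. The label set and the sample states are constructed.

```python
from typing import List, Set, Tuple

Entry = Tuple[str, bool]          # (label, committed)
Concrete = List[List[Entry]]      # one list per bridge queue, in path order
Abstract = Tuple[Entry, ...]      # boundary-free, significant entries only

# Constructed label set for the producer/consumer transactions and their
# completions; anything else is unrelated traffic that the abstraction discards.
SIGNIFICANT: Set[str] = {"dw", "dwc", "fw", "fwc", "dr", "drc", "fr", "frc"}


def abstract_state(queues: Concrete) -> Abstract:
    """Map a concrete path state to its PCIA-style abstract state."""
    flat = [e for q in queues for e in q]              # bridge/queue boundaries gone
    flat = [e for e in flat if e[0] in SIGNIFICANT]    # unrelated transactions gone
    # Walk from the target end backwards: the first committed copy of a label
    # is the newest one; every older committed copy behind it is dropped.
    # Uncommitted copies are kept, since the rules let them appear and vanish.
    kept: List[Entry] = []
    seen_committed: Set[str] = set()
    for label, committed in reversed(flat):
        if committed:
            if label in seen_committed:
                continue
            seen_committed.add(label)
        kept.append((label, committed))
    return tuple(reversed(kept))


def abstract_trace(trace: List[Concrete]) -> List[Abstract]:
    """Project a concrete trace [i1, i2, ...] to [e1, e2, ...] with e_k = abstraction of i_k."""
    return [abstract_state(i) for i in trace]


def path_length_independent(short: Concrete, long: Concrete) -> bool:
    """True if two concrete states that differ only in the length of a committed
    stack collapse to the same abstract state."""
    return abstract_state(short) == abstract_state(long)


# Constructed sample: x is unrelated traffic; dr is committed in three bridges.
SAMPLE_SHORT: Concrete = [[("x", False), ("dw", False)], [("dr", True), ("frc", False)]]
SAMPLE_LONG: Concrete = [
    [("x", False), ("dw", False)],
    [("dr", True), ("dr", True)],
    [("dr", True), ("frc", False)],
]

if __name__ == "__main__":
    print(abstract_state(SAMPLE_LONG))
    print(path_length_independent(SAMPLE_SHORT, SAMPLE_LONG))
    print(abstract_trace([SAMPLE_SHORT, SAMPLE_LONG]))
```

The point of `path_length_independent` is the one the talk makes about unbounded path lengths: once the committed stack collapses to its newest entry, a path through one bridge and a path through three bridges have the same abstract state, so the model checker never has to enumerate path lengths.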
Transition abstraction
• There is an abstract transition for each concrete transition that changes the external state.
• A set of 10 transition rules.
• See the paper for details.
Delayed transactions
• most difficult case