22 citations found.
C.N. Ip and D. Dill. Efficient Verification of Symmetric Concurrent Systems. In Proceedings of the International Conference on Computer Design: VLSI in Computers and Processors, pages 230--234, Cambridge, Maryland, USA, October 1993. IEEE Computer Society.


This paper is cited in the following contexts:
Design And Analysis Of Update-Based Cache Coherence Protocols For .. - Glasco (1995)   (1 citation)

....quickly consumes all the memory available for the verification since Murφ must remember which states have been visited. There are two techniques to reduce the number of states traversed and, therefore, Murφ's memory requirements. The first technique uses symmetry to eliminate redundant states [43, 44]. Symmetry in a system allows Murφ to find states that are equivalent in their current and future behavior with respect to error checking. During verification, only one member of each equivalence class needs to be examined. This technique is able to significantly reduce the total number of states ....

C. Norris Ip and David L. Dill. Efficient Verification of Symmetric Concurrent Systems. In Proceedings of the International Conference on Computer Design: VLSI in Computers and Processors, pages 230--234, 1993.


Proofs of Correctness of Cache-Coherence Protocols - Stoy, Shen, Arvind (2001)   (3 citations)

....insight into why the implementation works as it does; and proving the various theorems requires insight into what are efficient strategies for the proof checker. 5.1 Model Checking A more widely used approach to formal verification is model checking [CGP99] which uses state enumeration [ID93a, ID93b] sometimes with symbolic techniques [CES86, McM92] to check the correctness of assertions by exhaustively exploring all reachable states of the system. For example, Stern and Dill [SD95] used the Murφ system to check that all reachable states satisfied certain properties attached to protocol ....

C.N. Ip and D.L. Dill. Efficient Verification of Symmetric Concurrent Systems. In International Conference on Computer Design: VLSI in Computers and Processors, October 1993.


Source-Level Transformations for Improved Formal Verification - Winters, Hu (2000)

....state. Murφ provides several features to simplify writing scalable descriptions of large systems. The normal description style uses numerous subrange types, which can be scaled easily. Of particular interest are the special scalarset and multiset types, which provide automatic symmetry reduction [7]. Scalarsets are like subranges, but without order. Multisets are like arrays, except that the array elements are unordered. Appropriate use of these data types greatly reduces the size of the state space. To simplify writing rules for all values of a subrange or scalarset, Murφ provides a ruleset ....

C. N. Ip and D. L. Dill. Efficient verification of symmetric concurrent systems. Int'l Conf on Computer Design, 1993, pp. 230--234.


Model-Checking A Secure Group Communication Protocol: A Case.. - Hu, LI, SHI, VUONG (1999)   (2 citations)

....by non experts, initial ease of learning and ease of use can be critical. Similarly, the guarded command semantics of Murphi proved to be very convenient for modeling the protocol. Finally, Murphi provides special data types that allow powerful symmetry reductions to be applied automatically [7]. We made extensive use of these data types, resulting in an enormous savings in the number of states explored. The hash compaction scheme, a probabilistic verification technique that compresses states stored in the hash table, proved to be absolutely vital to avoid running out of memory. The ....

C. N. Ip and D. L. Dill. Efficient verification of symmetric concurrent systems. In International Conference on Computer Design, pages 230--234. IEEE, October 1993.


A Survey of Verification Techniques for Cache Coherence Protocols - Pong, Dubois (1996)

....a survey of techniques to verify cache coherence protocols by exploring all the possible sequences of interactions between components in a given protocol model. We are particularly interested in methods with mechanical verification procedures, specifically, methods based on state enumeration [9, 26, 48, 54, 55], (symbolic) model checking [11, 18, 67] and symbolic state model [77]. In these techniques the protocol is characterized by its state and the verification is based on searching all reachable states exhaustively. From a given state, the exploration of all possible interactions among protocol ....

....the values updated by B. Note that, in this example, all state transitions are permissible. A possible approach to keep track of values is to have processors randomly write one of two predetermined values such as 0 and 1; subsequently, a check verifies that processors do not read different values [54]. However, the stale write back error might still go undetected unless the protocol model maintains a global variable to remember which write back carries the latest value. A systematic solution to such problem is suggested in [72]. Every cache is associated with a variable cdata which takes value ....

[Article contains additional citation context not shown here]

Ip, C.N. and Dill, D.L., "Efficient Verification of Symmetric Concurrent Systems", Int'l Conference on Computer Design: VLSI in Computers and Processors, Oct. 1993.


A New Approach for the Verification of Cache Coherence Protocols - Pong, Dubois (1993)   (22 citations)

....not enumerate all reachable states explicitly, the BDD size for representing transition relations may increase rapidly in proportion to the scale and the complexity of the system. Recently, it was observed that a complex system often exhibits a great deal of regularity and symmetry. Ip and Dill [17, 18] implemented the symmetric Murφ that exploits the symmetry of the system by grouping together states whose representations are permutations of each other. A similar idea was also applied in symbolic model checking methods by Clarke, et al. [9] and Emerson, et al. [14]. By applying ....

....as , where k_i denotes the number of caches in state q_i Qand . Definition 5 (Counting Equivalence) Two system states and are equivalent if k_i = l_i for all i. Exploiting symmetry to reduce the complexity of a verification procedure is not new. Based on this system symmetry, Ip and Dill [17, 18] have implemented a symmetric version of Murφ and applied it to the verification of cache protocols. A similar approach has been taken by Clarke, et al. [9] and Emerson and Sistla [14]. In their approaches, a canon ....

C.N. Ip and D.L. Dill, "Efficient Verification of Symmetric Concurrent Systems," IEEE Int'l Conference on Computer Design: VLSI in Computers and Processors, Oct. 1993.


A Methodology for Designing Correct Cache Coherence Protocols.. - Shen, Arvind (1997)   (1 citation)

....those behaviors that are permitted by this operational model. 1.2 Formal Verification The verification of cache coherence protocols has gained considerable attention in recent years [4, 22]. Most methods verify certain invariants for cache coherence protocols, and are based on state enumeration [13, 14] and symbolic model checking [6, 7, 20] which can check correctness of assertions by exhaustively exploring all reachable states of the system. For example, Stern and Dill [27] use the Murφ system to automatically check if all reachable states satisfy certain properties which are attached to ....

C. Ip and D. Dill. Efficient Verification of Symmetric Concurrent Systems. In International Conference on Computer Design: VLSI in Computers and Processors, Oct. 1993.


An Overview of Some Automated Tools for Formal Analysis and.. - Vojnar (1998)

....not. This method does not lead to classical verification because it can merge different states with the same value of the hash function. However, it can say at least something about so big systems that other attitudes could not manage at all under given memory restrictions. 3.2 Murφ The tool Murφ [4] was primarily designed for verifying communication protocols and hardware controllers and protocols (such as cache coherence protocols). The input language of Murφ is based on creating sets of guarded commands (condition action rules) which are then executed repeatedly in a loop. As for data ....

C. Norris Ip and D.L. Dill. Efficient Verification of Symmetric Concurrent Systems. In IEEE International Conference on Computer Design: VLSI in Computers and Processors, IEEE Computer Science, 1993.


Algorithmic Techniques in Verification by Explicit State Enumeration - Stern (1997)   (2 citations)

....public key protocol [65] 2.1 The Murφ Verification System 2.1.1 Basics Murφ [17] is a protocol verification tool that has been successfully applied to several industrial protocols, especially in the domains of multiprocessor cache coherence protocols and multiprocessor memory models [18, 19, 46, 68, 76, 92]. To use Murφ for verification, one has to model the protocol in the Murφ language and augment this model with a specification of the desired properties. The Murφ system automatically checks, by explicit state enumeration, if all reachable states of the model satisfy the given specification. For ....

C. N. Ip and D. L. Dill. Efficient verification of symmetric concurrent systems. In IEEE International Conference on Computer Design: VLSI in Computers and Processors, pages 230--4, 1993.


Formal Verification of the HAL S1 System Cache Coherence.. - Hu, Fujita, Wilson (1997)

....any bugs that arise is extremely difficult. • The protocols can be modeled with finite state, making them amenable to automatic formal verification. • Several researchers have successfully used automatic formal verification to debug complicated, real cache coherence protocols (e.g. [13, 7, 4, 10, 15, 17, 3, 14]). Unfortunately, in addition to the growing body of verification of cache coherence protocol success literature is also a growing oral tradition of verification failure stories. In the hallways at conferences or via private email, verification researchers informally trade stories of failed ....

....relevant to the real design all of the bugs that occur while implementing the design are not modeled and hence cannot be caught by protocol level verification. Nevertheless, the fact that protocol level verification of cache coherence protocols can be very valuable has been made repeatedly [13, 7, 4, 10, 15, 17, 3, 14]. Another negative is that our methodology in applying protocol level formal verification was far from ideal [7]. • Ideally, protocol level formal verification is done extremely early in the design cycle. In our case, we started protocol level verification as RTL coding was nearing completion. ....

[Article contains additional citation context not shown here]

C. N. Ip and D. L. Dill. Efficient verification of symmetric concurrent systems. In International Conference on Computer Design, pages 230--234. IEEE, October 1993.


The Murphi Verification System - Dill (1996)   (10 citations)  Self-citation (Dill)

....process takes a step at any time) and where the processes interact by reading and writing shared variables. The Murφ verifier works by explicitly generating states and storing them in a hash table. We have put some effort into developing state reduction techniques, including symmetry reduction [ID93a, ID93b], exploitation of reversible rules [ID96a] and verification of systems with varying numbers of replicated components [ID96b]. We have also investigated probabilistic verification techniques in Murφ [SD95c]. The Murφ description language was inspired by Misra and Chandy's Unity formalism [CM88] ....

....protocols, a hybrid byzantine agreement algorithm, mutual exclusion algorithms, memory model specifications, and probably numerous other examples. Symmetry reduction In the last few years, we have found several ways of improving the performance of Murφ. The first was to exploit symmetry [ID93a, ID93b]. In some cases (particularly high level descriptions of multiprocessor cache coherence protocols) components or values of a type can be exchanged arbitrarily without affecting the future behavior of the protocol. We have exploited this in Murφ by adding a new data type, called a ScalarSet, which ....

C. Norris Ip and David L. Dill. Efficient verification of symmetric concurrent systems. IEEE International Conference on Computer Design: VLSI in Computers and Processors, pages 230--234, October 1993.


Validation Tools for Complex Digital Designs - Ho (1996)   (2 citations)  Self-citation (Dill)

....as state space explosion. State space explosion occurs because every additional bit added to the state description potentially doubles the state space. There have been techniques developed that can find reductions in the state space that needs to be explored without compromising the property check [IpD93], but these also are best applied to protocol verification. An alternative to using an explicit representation to store the set of reachable states is to use binary decision diagrams (BDD) [Bry86]. BDDs are a compact and canonical representation of a boolean expression. They can be used to ....

C. Norris Ip and David L. Dill, "Efficient Verification of Symmetric Concurrent Systems", In Proceedings of the International Conference on Computer Design, November 1993.


Better Verification Through Symmetry - Ip, Dill (1996)   (96 citations)  Self-citation (Ip Dill)

....algorithms and protocols, including realistic multiprocessor synchronization algorithms and cache coherence protocols. We obtained reductions in space (number of states examined) ranging from 83% to more than 99% compared with the original size. Although increased verification time was reported in [ID93a, ID93b], we have since devised an improved algorithm to obtain a much faster verifier. The speedups now range from 65% to 98%. For example, one verification problem originally requiring 50 Mbytes can be done in less than 500 Kbytes, with a reduction in verification time from 4 hours to 3 minutes. We have ....

....of graph isomorphism. When compared to the simple explicit state enumeration algorithms, using a simple exponential time canonicalization function for symmetry reduced verification often results in significantly increased time, even when there are vast reductions in the number of states explored [ID93a, ID93b]. However, many heuristics for testing graph isomorphism [Ebe88, Mit88] are also applicable in our problem. Using some of these heuristics results in a much faster algorithm. We are currently obtaining speedups of up to 98%. In some extreme cases when the heuristics for graph isomorphism are not ....

C. Norris Ip and David L. Dill, Efficient Verification of Symmetric Concurrent Systems. IEEE International Conference on Computer Design: VLSI in Computers and Processors, Cambridge, MA, October 3-6, 1993.


Better Verification Through Symmetry - Ip, Dill (1993)   (96 citations)  Self-citation (Ip Dill)

....one of the permutations used to canonicalize the first part. The result is a normalized state of a small lexicographically value. 4 Practical Results The new symmetry based search algorithm has been implemented in the Murφ Verifier System. A wide range of examples were modeled in the new system [ID93]. We present in this section the results from a directory based cache coherence protocol that was designed at Stanford. Through a cache coherence protocol, a shared memory abstraction can be implemented on top of a message passing network. A typical configuration consists of processing nodes ....

C. Norris Ip and David L. Dill. Efficient Verification of Symmetric Concurrent Systems. To appear in IEEE International Conference on Computer Design: VLSI in Computers and Processors, Cambridge, MA, October 3-6, 1993.


Verifying Systems with Replicated Components in Murφ - Ip, Dill (1996)   (49 citations)  Self-citation (Ip Dill)

....of his choice of repetition constructors, it does not help much in reducing the number of non maximal states. 4 Practical Results The abstraction with the repetition constructors can be combined easily with the other two reduction strategies implemented in Murφ: symmetry reduction [ID93a, ID93b] and reduction by reversible rules [ID96]. We present in this section the verification results for an industrial cache coherence protocol (ICCP) using the Murφ verification system. This protocol is a typical central-directory based cache coherence protocol, as described in [DDHY92]. Because of ....

....Reduction Murφ was able to detect automatically that the abstract state graph is the same for systems with 15 processors or more. The saturated model has 38,269 states and is valid for 14 processors or more. This phenomenon is very similar to the data saturation phenomenon reported in [ID93a, ID93b]. Acknowledgement We would like to thank Fong Pong for the discussion on the symbolic state model, Ganesh Gopalakrishnan, Seungjoon Park, Ulrich Stern, and Han Yang for their valuable feedback during the writing of this paper. ....

C. Norris Ip and David L. Dill. Efficient verification of symmetric concurrent systems. Int'l Conf. on Computer Design: VLSI in Computers and Processors, 1993.


Automatic Verification of the SCI Cache Coherence Protocol - Stern, Dill (1995)   (22 citations)  Self-citation (Dill)

....often unmanageably huge number of reachable states, the state explosion problem. We are currently using the Murφ verification system developed at Stanford to find errors in the SCI cache coherence protocol. In prior work, the Murφ system was successfully applied to several industrial protocols [2, 3, 9, 14]. For verifying the SCI cache coherence protocol, the typical set protocol was modeled with the Murφ description language. This model was augmented with a specification of A preliminary version of this paper was presented at the 2nd International Workshop on SCI based High Performance Low Cost ....

....also be called an arbitrary choice in the following. system are also found in the down scaled system. For example, in our SCI model the number of processors is scalable and defined by a constant. The Murφ verifier supports automatic symmetry reduction of models by special language constructs [8, 9]. For example, if we have two processors, the state where processor one is the head and two is the tail of a sharing list is for verification purposes the same as the state where processor one is the tail and two is the head. There are several ways the Murφ verifier detects design ....

C. N. Ip and D. L. Dill. Efficient verification of symmetric concurrent systems. In IEEE International Conference on Computer Design: VLSI in Computers and Processors, pages 230--234, 1993.


Reliable Probabilistic Verification Using Hash Compaction - Wolper, Stern, Leroy, Dill   (1 citation)  Self-citation (Dill)

....the memory overhead caused by sleep sets is reduced to typically one or two bytes per state. We have extended the Murφ verification system [7] developed at Stanford with the hash compaction scheme. In prior work, the old Murφ system was successfully applied to several industrial protocols [8, 9, 25, 34, 42]. We tried the hash compaction scheme on some of these protocols. No omissions occurred using 5 byte compression. Then, we looked at one of these protocols and varied the number of bits in the compressed state descriptors. For each value, we conducted multiple runs of the verifier with randomly ....

C. N. Ip and D. L. Dill. Efficient verification of symmetric concurrent systems. In IEEE International Conference on Computer Design: VLSI in Computers and Processors, pages 230--4, 1993.


Improved Probabilistic Verification by Hash Compaction - Stern, Dill (1995)   (6 citations)  Self-citation (Dill)

....would yield an omission probability smaller than (0.13%)^2 = 1.69 × 10^-6. We have extended the Murφ verification system developed at Stanford with the probabilistic verification scheme. In prior work, the old Murφ system was successfully applied to several industrial protocols [5, 6, 12, 14, 17]. We tried the new, probabilistic scheme on some of these protocols. No omissions occurred using 5 byte compression. Then, we looked at one of these protocols and varied the number of bits in the compressed state descriptors. For each value, we conducted multiple runs of the verifier with randomly ....

C. N. Ip and D. L. Dill. Efficient verification of symmetric concurrent systems. In IEEE International Conference on Computer Design: VLSI in Computers and Processors, pages 230--234, 1993.


An online presentation of the work in the paper titled "State.. - Ip (1996)   Self-citation (Ip)

....Page 9 • Finally, let me conclude by presenting the verification result of an industrial cache coherence protocol. More results are presented in the paper, and they all confirmed that our new reduction method reduces the time and memory requirement to do verification. • Combining symmetry [ID93a, ID93b, ID] and reversible rules, reduction of more than 1000 times in the memory usage, and reduction of more than 200 times in the time requirement are achieved. This concludes the main presentation. The next two slides address two main questions from the audience at the conference. COMPARISON TO ....

C. Norris Ip and David L. Dill. Efficient verification of symmetric concurrent systems. IEEE International Conference on Computer Design: VLSI in Computers and Processors, pages 230--234, October 1993.


Verifying Systems with Replicated Components in Murφ - Ip, Dill (1997)   (49 citations)  Self-citation (Ip Dill)

....the whole family of systems by verifying systems of 1 to n components, where n being the size of the system with a saturated state graph. Finally, this abstraction using repetition constructors can be combined easily with the other two reduction strategies implemented in Murφ: symmetry reduction [19, 20] and reduction by reversible rules [22]. The ability to combine these techniques has further increased the complexity of designs that can be verified using fully automatic formal verification tools. Acknowledgements We would like to thank Fong Pong for the discussion on the symbolic state model, ....

C. Norris Ip and David L. Dill. Efficient verification of symmetric concurrent systems. IEEE International Conference on Computer Design: VLSI in Computers and Processors, pages 230--234, October 1993.


Formal Specification and Verification of the.. - Layouni, Hooman, Tahar (2003)

No context found.

C.N. Ip and D. Dill. Efficient Verification of Symmetric Concurrent Systems. In Proceedings of the International Conference on Computer Design: VLSI in Computers and Processors, pages 230--234, Cambridge, Maryland, USA, October 1993. IEEE Computer Society.


An Overview and Application of Model Reduction Techniques.. - Baumgartner, Heyman (1998)   (1 citation)

No context found.

N. Ip and D. Dill, "Efficient Verification of Symmetric Concurrent Systems," Proceedings of IEEE International Conference on Computer Design: VLSI in Computers and Processors, 1993.


CiteSeer.IST - Copyright Penn State and NEC