Formal design and verification methods for shared memory systems

Many modern hardware and software systems are designed as a collection of components that run concurrently in order to achieve higher performance. These components employ sophisticated protocols for coordinating their actions. The correctness of these protocols is critical for the overall correctness of the system. Traditional debugging techniques such as simulation are increasingly unable to cover all aspects of the protocols. As a result, formal methods, especially model checkers that examine all possible schedulings of the events in the protocol, have gained considerable attention from both academia and industry. This dissertation shows how formal methods can be tailored to a particular domain to address concerns specific to that domain, and in doing so obtain algorithms that perform better on the protocols that occur in the narrower domain. The domain chosen is shared memory system design and verification. The contributions of the dissertation are: (1) a partial order reduction algorithm, called two phase, that improves the effectiveness of model checkers; (2) a refinement procedure that synthesizes detailed distributed shared memory protocols from high-level specifications; and (3) a testing-based approach, called test model checking, that can be used to verify whether a given shared memory system correctly implements a given formal memory model. The two phase algorithm is more effective than current partial order reduction algorithms on a number of protocols, including the protocols that occur in shared memory design. The refinement technique shows how formal methods can exploit domain-specific knowledge to support high-level specification and validation of protocols, followed by automatic synthesis of a detailed implementation. The test model checking approach shows how limitations of model checking can be overcome by combining model checking with traditional testing methods.
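To make the third contribution concrete, the following is an added example (not code from the dissertation or from any tool it describes) of the check that test model checking performs in miniature: given an execution recorded from a shared memory system, decide whether it can be explained by a formal memory model, here sequential consistency. The checker enumerates every interleaving of the per-processor program orders, as an explicit-state model checker would, memoizing visited states so each is explored once; every location is assumed to start at 0, and the two traces at the bottom are constructed for illustration (the second is the classic store-buffering pattern that no sequentially consistent interleaving can produce).

```python
"""Constructed example: decide whether a recorded multiprocessor execution is
sequentially consistent (SC). Not code from the dissertation."""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# An operation is ("w", location, value_written) or ("r", location, value_observed).
Op = Tuple[str, str, int]
Trace = List[List[Op]]  # one program-ordered list of operations per processor

INITIAL = 0  # assumption: every location holds 0 before the execution starts


def find_sc_witness(trace: Trace) -> Optional[List[Tuple[int, Op]]]:
    """Return a total order of (processor, op) that explains `trace` under SC,
    or None if no such order exists.

    SC requires one global interleaving that respects each processor's program
    order and in which every read returns the value of the most recent
    preceding write to that location. We search all interleavings by DFS.
    A state is (per-processor position, memory contents); whether the rest of
    the trace can be completed depends only on that state, so memoizing
    states that led nowhere is sound and keeps the search explicit-state.
    """
    n = len(trace)
    State = Tuple[Tuple[int, ...], FrozenSet[Tuple[str, int]]]
    visited: Set[State] = set()

    def dfs(pos: Tuple[int, ...], mem: Dict[str, int],
            path: List[Tuple[int, Op]]) -> Optional[List[Tuple[int, Op]]]:
        if all(pos[p] == len(trace[p]) for p in range(n)):
            return list(path)  # every processor has run to completion
        key = (pos, frozenset(mem.items()))
        if key in visited:
            return None  # already shown to be a dead end
        visited.add(key)
        for p in range(n):
            if pos[p] == len(trace[p]):
                continue  # processor p is finished
            op = trace[p][pos[p]]
            kind, loc, val = op
            if kind == "r":
                if mem.get(loc, INITIAL) != val:
                    continue  # this read would observe the wrong value here
                new_mem = mem  # reads leave memory unchanged; never mutated
            else:
                new_mem = dict(mem)
                new_mem[loc] = val
            new_pos = pos[:p] + (pos[p] + 1,) + pos[p + 1:]
            path.append((p, op))
            witness = dfs(new_pos, new_mem, path)
            if witness is not None:
                return witness
            path.pop()
        return None

    return dfs(tuple(0 for _ in range(n)), {}, [])


def is_sequentially_consistent(trace: Trace) -> bool:
    return find_sc_witness(trace) is not None


# Constructed traces. SC_OK has an explaining interleaving; STORE_BUFFERING does
# not, because both reads returning 0 would need both reads to precede both
# writes, contradicting each processor's program order.
SC_OK: Trace = [
    [("w", "x", 1), ("r", "y", 1)],
    [("w", "y", 1), ("r", "x", 0)],
]
STORE_BUFFERING: Trace = [
    [("w", "x", 1), ("r", "y", 0)],
    [("w", "y", 1), ("r", "x", 0)],
]

if __name__ == "__main__":
    for name, trace in (("SC_OK", SC_OK), ("STORE_BUFFERING", STORE_BUFFERING)):
        print(name, "witness:", find_sc_witness(trace))
```

The witness returned for a consistent trace is itself useful evidence: it is the global order a verifier or a hardware designer can inspect. A run of the checker over traces harvested from a real system gives the "testing" half of the approach, while the exhaustive interleaving search gives the "model checking" half; weaker models (total store order, for instance) would replace the single memory dictionary with per-processor buffers, which this example does not implement.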
