Results 1 - 9 of 9
Automatic Verification of the SCI Cache Coherence Protocol
In Correct Hardware Design and Verification Methods: IFIP WG10.5 Advanced Research Working Conference Proceedings, 1995
Cited by 41 (16 self)
This paper describes an ongoing effort to verify the cache coherence protocol of the IEEE/ANSI Standard for Scalable Coherent Interface using the Murφ verification system. A model of the typical set protocol was constructed in the Murφ description language. This model was augmented with a specification of properties necessary for cache coherence. The Murφ verification system automatically checks if all reachable states in the model satisfy the given specification. Although verification is still under way, we have already found several errors in the C code defining the protocol. Finally, we elucidate the experiences gained in the verification project.
1 Introduction
The IEEE/ANSI Standard for Scalable Coherent Interface (SCI) includes a cache coherence protocol for distributed shared-memory multiprocessors. Designing a complex protocol -- like this cache coherence protocol -- is a challenging and difficult task. It is very hard for a designer to predict all possible interactions amon...
Efficient Finite-State Analysis for Large Security Protocols
In Proc. 11th IEEE Computer Security Foundations Workshop, 1998
Cited by 30 (2 self)
We describe two state reduction techniques for finite-state models of security protocols. The techniques exploit
Improved Probabilistic Verification by Hash Compaction
In Advanced Research Working Conference on Correct Hardware Design and Verification Methods, 1995
Cited by 28 (7 self)
. We present and analyze a probabilistic method for verification by explicit state enumeration, which improves on the "hashcompact" method of Wolper and Leroy. The hashcompact method maintains a hash table in which compressed values for states instead of full state descriptors are stored. This method saves space but allows a non-zero probability of omitting states during verification, which may cause verification to miss design errors (i.e. verification may produce "false positives"). Our method improves on Wolper and Leroy's by calculating the hash and compressed values independently, and by using a specific hashing scheme that requires a low number of probes in the hash table. The result is a large reduction in the probability of omitting a state. Hence, we can achieve a given upper bound on the probability of omitting a state using fewer bits per compressed state. For example, we can reduce the number of bytes stored for each state from the eight recommended by Wolper and Leroy to o...
Formal Methods: A Practical Tool for OS Implementors
1997
Cited by 19 (2 self)
The formal methods community has long known about the need to formally analyze concurrent software, but the OS community has been slow to adopt such methods. The foremost reasons for this are the cultural and knowledge gaps between formalists and OS hackers, fostered by three beliefs: inaccessibility of the tools, the disabling gap between the validated model and actual implementation, and the intractable size of operating systems. In this paper, we show these beliefs to be untrue for appropriately structured operating systems. We applied formal methods to verify properties of the implementation of the Fluke microkernel's IPC subsystem, a major component of the kernel. In particular, we have verified, in many scenarios, certain liveness properties and lack of deadlock, with results that apply to both SMP and uniprocessor environments. The SPIN model checker provided an exhaustive concurrency analysis of the IPC subsystem, unattainable through traditional OS testing methods. SPIN is easil...
Techniques For Efficient Formal Verification Using Binary Decision Diagrams
1995
Cited by 13 (0 self)
The appeal of automatic formal verification is that it's automatic --- minimal human labor and expertise should be needed to get useful results and counterexamples. BDD (binary decision diagram)-based approaches have promised to allow automatic verification of complex, real systems. For large classes of problems, however (including many distributed protocols, multiprocessor systems, and network architectures), this promise has yet to be fulfilled. Indeed, the few successes have required extensive time and effort from sophisticated researchers in the field. Clearly, techniques are needed that are more sophisticated than the obvious direct implementation of theoretical results. This thesis addresses that need, emphasizing an application domain that has been particularly difficult for BDD-based methods --- high-level models of systems or distributed protocols --- rather than gate-level descriptions of circuits. Additionally, the emphasis is on providing useful debugging information for the...
Algorithmic Techniques in Verification by Explicit State Enumeration
1997
Cited by 8 (4 self)
Modern digital systems often employ sophisticated protocols. Unfortunately, designing correct protocols is a subtle art. Even when using great care, a designer typically cannot foresee all possible interactions among the components of the system; thus, bugs like subtle race conditions or deadlocks are easily overlooked. One way a computer can support the designer is by simulating random executions of the system. There is, however, a high probability of missing executions containing errors -- especially in complex systems -- using this simulation approach. In contrast, an automatic verifier tries to examine all states reachable from a given set of start states. The biggest obstacle in this exhaustive approach is that often there is a very large number of reachable states. This thesis describes three techniques to increase the size of the reachable state spaces that can be handled in automatic verifiers. The techniques work in verifiers that are based on explicitly storing each reachable ...
Formal Verification of the HAL S1 System Cache Coherence Protocol
Int'l Conf. on Computer Design, 1997
Cited by 2 (0 self)
This paper describes our experience applying formal verification to the cache coherence protocol of the HAL S1 System, a shared-memory and/or message-passing multiprocessor consisting of standard Intel Pentium Pro symmetric multiprocessing (SMP) servers connected by HAL's proprietary Mercury Interconnect to create a cache-coherent, non-uniform memory access (CC-NUMA) machine. In recent years, several researchers have described the verification of cache coherence protocols to demonstrate the potential of formal verification. In this project, we sought to quantify this potential by carefully tracking the effort and results of applying formal verification, rather than simply demonstrating that verification was possible. Based on our records and experience, we show that protocol-level formal verification, properly applied, is sufficiently well-understood to be routinely undertaken, and we describe the techniques used to simplify the verification process. On the negative side, our form...
UltraSPARC-I Emulation
The next generation UltraSPARC-I CPU represents a significant step forward in processor performance at the cost of increased design complexity. Added complexity increases the risks in achieving functionally correct first silicon. Existing design verification techniques were supplemented by applying emulation to obtain an early look at functionality. Discussed are the goals, methods and results of the UltraSPARC-I emulation.
Diagnosis of Component Errors in Logic Circuits (Diagnostic des Erreurs de Composants dans les Circuits Logiques)
Introduction. The diagnosis of design errors is an important problem in the field of CAD. By diagnosis we mean both the localization and the correction of an error whose existence has been revealed by a verification tool. Although automated synthesis tools are used to obtain correct-by-construction products, industrial examples show that designs obtained by automatic synthesis are often subsequently modified by hand to improve certain critical characteristics such as performance or circuit size. During this manual modification phase, errors may be introduced unintentionally [1, 2, 3]. The methodology currently employed by several circuit manufacturers can be described as construction-by-correction: an initial design is obtained and verified by ...