Verifying Safety of a Token Coherence Implementation by Parametric Compositional Refinement

We combine compositional reasoning and reachability analysis to formally verify the safety of a recent cache coherence protocol. The protocol is a detailed implementation of token coherence, an approach that decouples correctness and performance. First, we present a formal and abstract specification that captures the safety substrate of token coherence, and highlights the symmetry in states of the cache controllers and contents of the messages they exchange. Then, we prove that this abstract specification is coherent, and check whether the implementation proposed by the protocol designers is a refinement of the abstract specification. Our refinement proof is parametric in the number of cache controllers, and is compositional as it reduces the refinement checks to individual controllers using a specialized form of assume-guarantee reasoning. The individual refinement obligations are discharged using refinement maps and reachability analysis. While the formal proof justifies the intuitive claim by the designers about the ease of verifiability of token coherence, we report on several bugs in the implementation, and accompanying modifications, that were missed by extensive prior simulations.
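The following is an added illustration for this page, not the paper's formal specification, its refinement proof, or the protocol designers' implementation. It models the token-coherence safety substrate (a block has a fixed number of tokens; a controller may read with at least one token and write only with all of them) at an implementation level where token transfers travel as messages, defines a refinement map from implementation states to the abstract I/S/M states of each controller, and checks by explicit-state reachability, parametric in the number of controllers, that every reachable state maps to a coherent abstract state. The constants `TOKENS`, `MAX_INFLIGHT`, the transition set, and the "buggy eviction" variant are assumptions of this example; the buggy variant is a hypothetical defect used to show what the check reports, not one of the bugs the paper describes.

```python
"""Explicit-state reachability check of a toy token-coherence safety substrate.

Added example for this page; the model, constants and the hypothetical
"buggy" eviction are constructed for illustration, not taken from the paper.
"""
from collections import deque

TOKENS = 4          # tokens per block: reading needs >= 1, writing needs all of them
MAX_INFLIGHT = 2    # bound on in-flight messages so the state space stays finite
MEM = -1            # pseudo-holder index for memory


def mode(tokens):
    """Refinement map for one controller: token count -> abstract state I/S/M."""
    if tokens >= TOKENS:
        return "M"
    return "S" if tokens > 0 else "I"


def abstract(state):
    """Refinement map for the system: project away memory and in-flight messages."""
    caches, _memory, _inflight = state
    return tuple(mode(t) for t in caches)


def coherent(modes):
    """Safety property of the abstract spec: a writer excludes every other sharer."""
    return "M" not in modes or sum(m != "I" for m in modes) == 1


def initial(n):
    """n controllers hold nothing; memory holds every token; no messages in flight."""
    return (tuple(0 for _ in range(n)), TOKENS, ())


def successors(state, buggy):
    """Implementation-level transitions: sends create messages, delivers consume them."""
    caches, memory, inflight = state
    n = len(caches)
    out = []

    def send(src, dst, k, keep):
        # holder src emits k tokens towards dst and retains `keep` tokens itself
        new_caches, new_memory = list(caches), memory
        if src == MEM:
            new_memory = keep
        else:
            new_caches[src] = keep
        out.append((tuple(new_caches), new_memory, tuple(sorted(inflight + ((dst, k),)))))

    if len(inflight) < MAX_INFLIGHT:
        holders = [(MEM, memory)] + list(enumerate(caches))
        for src, held in holders:
            if held == 0:
                continue
            for dst in range(n):
                if dst != src:
                    send(src, dst, 1, held - 1)     # answer a read request with one token
                    send(src, dst, held, 0)         # answer a write request with all tokens
            if src != MEM:
                # writeback returns all tokens to memory; the hypothetical buggy
                # variant also keeps one, silently creating a token out of thin air
                send(src, MEM, held, 1 if buggy else 0)

    for idx, (dst, k) in enumerate(inflight):
        # deliver one in-flight message (the tuple stays sorted after removal)
        rest = inflight[:idx] + inflight[idx + 1:]
        new_caches, new_memory = list(caches), memory
        if dst == MEM:
            new_memory += k
        else:
            new_caches[dst] += k
        out.append((tuple(new_caches), new_memory, rest))
    return out


def check(n, buggy=False):
    """Breadth-first reachability for n controllers.

    Returns None when every reachable implementation state maps to a coherent
    abstract state, otherwise the shortest trace to a violating state.
    """
    start = initial(n)
    parent = {start: None}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if not coherent(abstract(s)):
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return trace[::-1]
        for t in successors(s, buggy):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


if __name__ == "__main__":
    for n in (2, 3):
        verdict = "coherent" if check(n) is None else "violation"
        print(f"{n} controllers, conserving model: {verdict}")
    print("2 controllers, buggy eviction:", check(2, buggy=True))
```

The conserving model passes for every `n` tried because token conservation makes the refinement map land only on coherent abstract states; the buggy variant yields a short trace ending with one controller in M while another still holds a token, which is the kind of counterexample an explicit-state checker reports and a simulation can easily miss.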
