Formal Verification of the HAL S1 System Cache Coherence Protocol

This paper describes our experience applying formal verification to the cache coherence protocol of the HAL S1 System, a shared-memory and/or message-passing multiprocessor consisting of standard Intel Pentium R Pro symmetric multiprocessing (SMP) servers connected by HAL’s proprietary Mercury Interconnect to create a cache-coherent, non-uniform memory access (CC-NUMA) machine. In recent years, several researchers have described the verification of cache coherence protocols to demonstrate the potential of formal verification. In this project, we sought to quantify this potential by carefully tracking the effort and results of applying formal verification, rather than simply demonstrating that verification was possible. Based on our records and experience, we show that protocol-level formal verification, properly applied, is sufficiently well-understood to be routinely undertaken, and we describe the techniques used to simplify the verification process. On the negative side, our formal verification methodology has limitations, so we outline the pitfalls we encountered and recommend ways to