Veri cation of FLASH Cache Coherence ProtocolBy Aggregation of Distributed Transactions

To verify cache coherence protocols for distributed multi-processor architectures, we compare a state graph of the implementation with a speciication which is a state graph representing the simpliied behavior. The steps in the spec-iication correspond to atomic transactions, which are not atomic in the implementation. The method relies on an abstraction function which aggregates the implementation steps of each transaction into a single atomic transaction in the speciication. The key idea in deening the abstraction function is that it must complete transactions which have committed but are not nished. This approach is applied to veriication of the cache coherence protocol in the FLASH multiprocessor system. We illustrate how to determine an abstraction function which reduces the protocol to an atomic speciication. The protocol consisting of more than a hundred implementation steps has been reduced into six kinds of atomic transactions. Based on the reduced behavior, it is very easy to prove crucial properties of the protocol including data consistency of cached copies at the user level. Moreover, the reduced model allows us to write a simple executable memory model of the protocol. The aggregation method is also used to prove that the reduced protocol satisses a desired memory consistency model. 1 Introduction In shared-memory multiprocessor architectures, cache coherence protocols maintain consistency of multiple copies of cached data. The protocols control a number of readable and writable copies of each memory line for multiprocessors. Modiication of one copy of a datum may require updating of other copies to maintain consistency among them. Several coherence protocols have been proposed for distributed multiprocessor architectures but few are formally veriied 1, 15, 2, 10].