Modular Deductive Verification of Multiprocessor Hardware Designs

  • Muralidaran Vijayaraghavan
  • Adam Chlipala
  • Arvind
  • Nirav Dave
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9207)


We present a new framework for modular verification of hardware designs in the style of the Bluespec language. That is, we formalize the idea of components in a hardware design, with well-defined input and output channels; and we show how to specify and verify components individually, with machine-checked proofs in the Coq proof assistant. As a demonstration, we verify a fairly realistic implementation of a multicore shared-memory system with two types of components: memory system and processor. Both components include nontrivial optimizations, with the memory system employing an arbitrary hierarchy of cache nodes that communicate with each other concurrently, and with the processor doing speculative execution of many concurrent read operations. Nonetheless, we prove that the combined system implements sequential consistency. To our knowledge, our memory-system proof is the first machine verification of a cache-coherence protocol parameterized over an arbitrary cache hierarchy, and our full-system proof is the first machine verification of sequential consistency for a multicore hardware design that includes caches and speculative processors.





This work was supported in part by NSF grant CCF-1253229 and in part by the Defense Advanced Research Projects Agency (DARPA) and the United States Air Force, under Contract No. FA8750-11-C-0249. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Department of Defense or the U.S. Government.



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Muralidaran Vijayaraghavan (1)
  • Adam Chlipala (1)
  • Arvind (1)
  • Nirav Dave (2)

  1. MIT, Cambridge, USA
  2. SRI International, Menlo Park, USA
