Formal verification of the HAL S1 System cache coherence protocol

The paper describes the authors´ experience applying formal verification to the cache coherence protocol of the HAL S1 System, a shared-memory and/or message-passing multiprocessor consisting of standard Intel Pentium^(R) Pro symmetric multiprocessing (SMP) servers connected by HAL´s proprietary Mercury Interconnect to create a cache-coherent, non-uniform memory access (CC-NUMA) machine. In recent years, several researchers have described the verification of cache coherence protocols to demonstrate the potential of formal verification. In this project, they sought to quantify this potential by carefully tracking the effort and results of applying formal verification, rather than simply demonstrating that verification was possible. Based on their records and experience, they show that protocol-level formal verification, properly applied, is sufficiently well-understood to be routinely undertaken, and they describe the techniques used to simplify the verification process. On the negative side, their formal verification methodology has limitations, so they outline the pitfalls encountered and recommend ways to minimize them