Results 11 - 20 of 29
Correctness of a Directory-Based Cache Coherence Protocol: Early Experience
, 1993
Cited by 6 (4 self)
Abstract:
Cache coherence protocols of increasing complexities call for automated verification tools which are both efficient and reliable. Most current approaches can only verify protocols at a high level of abstraction, and the model size is limited to a small number of interacting processes. Using a simple full-map directory scheme as example, we show that the verification of a simple protocol becomes overwhelmingly complex when implementation details are taken into account. One way to deal with the complexity is to impose conservative handshaking rules such as acknowledging every single message between caches and memory. Such a conservative approach slows down every transaction in order to avoid race conditions, which are relatively rare. The other approach explored in this paper is to apply verification techniques to the protocol without acknowledgements in order to determine the minimum set of messages needed for correctness. A new verification technique which is extremely efficient and is...
Synthesizing Protocol Specifications from Service Specifications in Timed Extended Finite State Machines
- Proc. of 17th Int. Conf. on Distributed Computing Systems (ICDCS-17)
, 1996
Cited by 4 (0 self)
Abstract:
We propose a specification model and present a method to algorithmically derive a protocol specification from a service specification based on the model. Unlike the previous models based on finite state machines, the proposed model can explicitly express concurrency, synchronization, and timing requirements such as delays and timeouts. We assume that there exists a reliable communication channel between any two protocol entities and the maximum delay for each channel is bounded by a positive constant. Because of the variable nature of the communication delays along with the time constraints associated with events, no protocol specification can fully simulate the service specification. The proposed method derives a protocol specification that is optimal in the sense that it provides the largest possible subset of the service specification under the communication delay constraints. We also give a method to derive a sub specification from a service specification and a maximum communicatio...
A discipline for constructing multi-phase communicating protocols
- ACM Transactions on Computer Systems
, 1985
Cited by 4 (0 self)
Abstract:
Many communication protocols can be observed to go through different phases performing a distinct function in each phase. A multiphase model for such protocols is presented. A phase is formally defined to be a network of communicating finite-state machines with certain desirable correctness properties; these include proper termination and freedom from deadlocks and unspecified receptions. A multifunction protocol is constructed by first constructing separate phases to perform its different functions. It is shown how to connect these phases together to realize the multifunction protocol so that the resulting network of communicating finite state machines is also a phase (i.e., it possesses the desirable properties defined for phases). The modularity inherent in multiphase protocols facilitates not only their construction but also their understanding and modification. An abundance of protocols have been found in the literature that can be constructed as multiphase protocols. Three examples are presented here: two versions of IBM’s BSC protocol for data link control and a token ring network protocol.
BACKWARD SYMBOLIC EXECUTION of PROTOCOLS
- PROTOCOL SPECIFICATION, TESTING, AND VERIFICATION, IV
, 1985
Cited by 3 (0 self)
Abstract:
A traditional method to validate protocols by state space exploration is to use forward symbolic execution. One of the main problems of this approach is that to find all undesirable system states one has to generate all reachable states and evaluate all desirable system states as well. The paper discusses an alternative search strategy based on backward symbolic execution. This time we start with a state that we know to be undesirable and execute the protocol backwards, evaluating only undesirable states in an effort to show that they are unreachable.
Efficient ATPG for Design Validation based on Partitioned State Exploration Histories
- In Proc. of IEEE VTS
, 2004
Cited by 2 (0 self)
Abstract:
This paper introduces a new concept of state partitioning and state/transition exploration histories to generate test stimulus for the purpose of design validation. With our new state partitioning, during vector generation, state and transition exploration histories for each state group are maintained by dynamically constructing partial State Transition Graphs (STGs) for all state groups. By limiting the maximum size any state group can be, maintaining the complete state and transition exploration histories for each state group is feasible even for very large sequential circuits. While such histories are being collected, test vectors are generated using extracted spectral information from existing tests, and a Genetic Algorithm (GA) is used to explore new scenarios that are not in the histories. Experiments showed that much higher design error coverages together with smaller test sets are achieved with very short execution times.
Reverse Reachability Analysis: A New Technique for Deadlock Detection on Communicating Finite State Machines
, 1993
Cited by 2 (0 self)
Abstract:
In this paper, a new technique, called reverse reachability analysis, is proposed to detect deadlocks on the communication between the communicating finite state machines. The technique is based on finding reverse reachable paths starting from possible deadlock states. If a reverse reachable path can reach the initial global state, then deadlock occurs. Otherwise the communication is deadlock-free. The effectiveness of the technique has been verified on some real protocols, such as a specification of the X.25 call establishment/clear protocol and Bartlett's alternating bit protocol.
A uniform approach to tackle state explosion in verifying progress properties for networks of CFSMs
, 1996
Cited by 2 (1 self)
Abstract:
State explosion is well known to be the principal limitation in protocol verification. In this paper, we propose a verification technique called leaping reachability analysis (LRA) to tackle state explosion. We advocate LRA as a uniform and property-driven relief strategy for verifying general progress properties of protocols modeled as networks of communicating finite state machines (CFSMs). Unlike most existing relief strategies in the CFSM model, LRA does not confine any of the protocol attributes and still proves to be adequate for detecting all deadlocks, all nonexecutable transitions, all unspecified receptions and all buffer overflows in a protocol. We show by experiments that LRA can largely relieve the state explosion problem by significantly reducing the amount of storage space and execution time required for verification.
Keywords: Communication protocols, protocol verification, communicating finite state machines, state space exploration, state explosion, relief strategies,...
Submodule construction - the inverse of composition
Cited by 2 (2 self)
Abstract:
We consider the following problem: For a system consisting of two submodules, the behavior of one submodule is known, as well as the desired behavior S of the global system. What should be the behavior of the second submodule such that the behavior of the composition of the two submodules conforms to S? This problem has also been called "equation solving", and in the context of supervisory control, it is the problem of designing a suitable controller (second submodule) which controls a given system to be controlled (first submodule). Solutions to this problem have been described in the context of various specification formalisms and various conformance relations. This paper presents a generalization of this problem and its solution in the context of relational databases, and shows that this general solution can be used to derive several of the known algorithms that solve the problem in the context of regular behavior specifications based on finite state machines with synchronous communication or interleaving semantics. The paper also provides a new solution formula for the case that the module behaviors are specified in a hypothesis-guarantee paradigm and distinguish between input and output interactions. In the sub-case of regular behavior specifications and interleaving semantics, this solution formula gives rise to an algorithm for Input/Output Automata, which is similar to one published recently. The formula also applies to the case of synchronous communication, which was not considered before.
Deciding Deadlock-Freedom of Daisy-Chain Protocols By Fair Reachability Analysis
- in Proc. 11th IEEE Int. Symp. on Computer and Information Sciences
, 1996
Cited by 2 (2 self)
Abstract:
A relief strategy called fair reachability analysis [5, 7, 11] is extended for the verification of daisy-chain protocols, which are defined in the communicating finite state machine model as networks of n ≥ 2 processes with a bidirectional, serial link structure. Fair reachability analysis is shown to decide the deadlock detection problem for daisy-chain protocols whose fair reachable global state space is finite. A sufficient condition for this finiteness is also given.
Keywords: Communicating finite state machines, network protocols, protocol validation, verification, state space exploration, deadlock detection, state explosion, relief strategies, fair reachability analysis
1 Introduction
The communicating finite state machine (CFSM) model [1, 14] is one of the most widely used models for specification and verification of communication protocols. In this model, a protocol is defined as a network of n ≥ 2 processes that exchange messages over error-free simplex channels, where each p...
Construction of Deadlock-free Designs of Communication Protocols from Observations
, 2002
Cited by 2 (0 self)
Abstract:
This paper proposes rules for the automated construction of deadlock-free designs of communication protocols from the execution histories of existing systems, defines the properties of the constructed designs, and identifies the conditions for a constructed design to be equivalent to the presumed design implied by the given set of global observations.