Automatic verification of finite-state concurrent systems

Abstract

Logical errors in finite-state concurrent systems such as sequential circuit designs and communication protocols are an important problem for computer scientists. They can delay getting a new product on the market or cause the failure of some critical device that is already in use. My research group has developed a verification method called temporal logic model checking for this class of systems. In this approach specifications are expressed in a propositional temporal logic, while circuits and protocols are modeled as state-transition systems. An efficient search procedure is used to determine automatically if a specification is satisfied by some transition system. The technique has been used in the past to find subtle errors in a number of non-trivial examples. During the last few years, the size of the state-transition systems that can be verified by model checking techniques has increased dramatically. By representing transition relations implicitly using Binary Decision Diagrams (BDDs), we have been able to check some examples that would have required 1020 states with the original algorithm. Various refinements of the BDD-based techniques have pushed the state count up to 10100 6B y combining model checking with various abstraction techniques, we have been able to handle even larger systems. In one example, we were able to verify a pipelined ALU with more than 101300 states (including 64 registers of 64 bits each). Recently, we have used model checking techniques to verify the cache coherence protocol in the IEEE Futurebus+ Standard. We found several errors that had been previously undetected. Apparently, this is the first time that formal methods have been used to find nontrivial errors in an IEEE standard. The result of the project is a concise, comprehensible, and unambiguous model of the cache coherence protocol that should be useful both to the Futurebus+ Working Group members who are responsible for the protocol and to actual designers of Futurebus+ boards. We believe this experience demonstrates that model checking techniques are already sufficiently powerful to be useful in verifying real industrial designs.