Using a formal specification and a model checker to monitor and direct simulation

Abstract

We describe a technique for verifying that a hardware design correctly implements a protocol-level formal specification. Simulation steps axe translated to protocol state transitions. using a refinement map and then verified against the specification using a model checker. on the specification state space, the model checker collects coverage information and identifies states violating certain properties. It then generates protocol-level traces to these coverage gaps and error states. This technique was applied to the multiprocessing hardware of the Alpha 21364 microprocessor and the cache coherence protocol. We were able to generate an error trace which exercised a bug in the implementation that had not been discovered before a prototype was built.