Departmental Papers (CIS)

Date of this Version

January 2005

Document Type

Conference Paper


From the 6th International Conference, VMCAI 2005, Paris, France, January 17-19, 2005.


We combine compositional reasoning and reachability analysis to formally verify the safety of a recent cache coherence protocol. The protocol is a detailed implementation of token coherence, an approach that decouples correctness and performance. First, we present a formal and abstract specification that captures the safety substrate of token coherence, and highlights the symmetry in states of the cache controllers and contents of the messages they exchange. Then, we prove that this abstract specification is coherent, and check whether the implementation proposed by the protocol designers is a refinement of the abstract specification. Our refinement proof is parametric in the number of cache controllers, and is compositional as it reduces the refinement checks to individual controllers using a specialized form of assume-guarantee reasoning. The individual refinement obligations are discharged using refinement maps and reachability analysis. While the formal proof justifies the intuitive claim by the designers about the ease of verifiability of token coherence, we report on several bugs in the implementation, and accompanying modifications, that were missed by extensive prior simulations.

Subject Area

CPS Formal Methods

Publication Source

Lecture Notes in Computer Science: Verification, Model Checking, and Abstract Interpretation



Start Page


Last Page




Copyright/Permission Statement

The original publication is available at



Date Posted: 11 September 2005