Murφ Explained

Murφ
Developer: David Dill's research group at the Stanford University Computer Systems Laboratory
Latest Release Version: 3.1
Programming Language: ANSI C++
Operating System: Linux
Genre: Model Checking
License: similar to the MIT license
Website: http://verify.stanford.edu/dill/murphi.html (via the Wayback Machine)

Murφ (/ˈmɝ.fi/, also spelled Murphi) is an explicit-state model checker developed at Stanford University, and widely used for formal verification of cache-coherence protocols.

History

Murφ's early history is described in a paper by David Dill.[1] The first version of Murφ was designed at Stanford University in 1990 and 1991 by Prof. David Dill and his graduate students Andreas Drexler, Alan Hu, and Han Yang, and primarily implemented by Andreas Drexler. The specification language was extensively modified and extended by David Dill, Alan Hu, C. Norris Ip, Ralph Melton, Seungjoon Park, and Han Yang. Ralph Melton implemented the new version during the summer and fall of 1992. Seungjoon Park added liveness checking and fairness constraints, but because the algorithm for liveness verification conflicted with important optimizations, particularly symmetry reduction, liveness verification was omitted in subsequent releases. C. Norris Ip implemented reversible rules and repetition constructors (which are not included in release 3.1), and added symmetry and multiset reductions (which are). Ulrich Stern implemented hash compaction,[2] improved the use of disk, and implemented Parallel Murφ.

The last release from Stanford was release 3.1 in November of 1993. Many derivative versions of Murφ have been created since then by other groups.

Features

The Murφ compiler accepts a model written in the Murφ specification language and outputs C++ code that constitutes a verifier for that model. (That is, the C++ code, when executed, performs explicit-state model checking on the design described by the specification.) The Murφ specification language uses guarded commands and an asynchronous, interleaving model of concurrency, with all synchronization and communication done through global variables. The verifier checks safety properties in the form of invariants and internal assertions that are specified in the model, and checks for deadlock. It does not check liveness properties, though Murφ release 2.7L did support verification of a set of common LTL liveness properties. The language and verifier support some kinds of symmetry reductions.[3]

Murφ was originally applied to verifying cache-coherence protocols,[4] but has been applied to other problems as well, including verification of security protocols.
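The checking loop described in this section can be sketched in a few lines. The following is an added illustration in Python, not Murφ syntax and not the C++ that the Murφ compiler generates; the toy lock protocol, its rule names and the `check` function are constructed for this example.

```python
from collections import deque

N = 2  # processes in the constructed toy model
# A state is (program counters, lock): the only shared, global variables.
INIT = (("idle",) * N, False)

def rules(atomic):
    """Return guarded commands as (name, guard, action) for every process."""
    out = []
    for i in range(N):
        def step(s, pc, lock, i=i):           # next state with process i moved
            return (s[0][:i] + (pc,) + s[0][i + 1:], lock)
        free = lambda s, i=i: s[0][i] == "idle" and not s[1]
        if atomic:                            # test-and-set in one rule
            out.append((f"acquire[{i}]", free, lambda s, f=step: f(s, "crit", True)))
        else:                                 # flawed: two interleavable rules
            out.append((f"test[{i}]", free, lambda s, f=step: f(s, "saw_free", s[1])))
            out.append((f"set[{i}]", lambda s, i=i: s[0][i] == "saw_free",
                        lambda s, f=step: f(s, "crit", True)))
        out.append((f"release[{i}]", lambda s, i=i: s[0][i] == "crit",
                    lambda s, f=step: f(s, "idle", False)))
    return out

def mutex(s):  # invariant: at most one process is in its critical section
    return sum(pc == "crit" for pc in s[0]) <= 1

def trace(parent, s):  # rule names leading from the start state to s
    names = []
    while parent[s] is not None:
        s, name = parent[s]
        names.append(name)
    return names[::-1]

def check(rule_list, init, invariant):
    """Breadth-first explicit-state search over all interleavings."""
    parent, queue = {init: None}, deque([init])
    while queue:
        s = queue.popleft()
        if not invariant(s):
            return "invariant violated", trace(parent, s)
        enabled = [(n, a) for n, g, a in rule_list if g(s)]
        if not enabled:                       # no guard holds in this state
            return "deadlock", trace(parent, s)
        for name, action in enabled:
            t = action(s)
            if t not in parent:               # visit each state only once
                parent[t] = (s, name)
                queue.append(t)
    return "ok", len(parent)
```

Calling `check(rules(atomic=False), INIT, mutex)` returns the invariant violation with the interleaving that causes it, while `rules(atomic=True)` passes with three reachable states.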

Licensing

The Murφ license is similar to the MIT license. Murφ may be used, copied, modified, sold, and redistributed for any purpose, provided the copyright notice and license are included, the name of Stanford University is not used for advertising or publicity without permission, and modified versions are not called Murphi without permission.

Derivatives

Many derivative versions of Murφ have been created, at Stanford and elsewhere, including these:

Notes and References

  1. Dill, David L. (2008). "A Retrospective on Murϕ". In Grumberg, Orna; Veith, Helmut (eds.). 25 Years of Model Checking: History, Achievements, Perspectives. pp. 77–88.
  2. Stern, Ulrich; Dill, David L. (1996). Formal Description Techniques IX. Boston, MA: Springer. pp. 333–348.
  3. Ip, C. Norris; Dill, David L. (1993). "Efficient verification of symmetric concurrent systems". Proceedings of 1993 IEEE International Conference on Computer Design ICCD'93. IEEE. pp. 230–234. doi:10.1109/ICCD.1993.393375. ISBN 0-8186-4230-0. S2CID 38444364.
  4. Dill, David L.; Drexler, Andreas J.; Hu, Alan J.; Yang, C. Han (1992). "Protocol verification as a hardware design aid". Proceedings of the 1992 IEEE International Conference on Computer Design: VLSI in Computers & Processors. IEEE. pp. 552–525.