The Wildfire Verification Challenge Problem
Last modified 28 May 2002
The Challenge
We have written formal specifications of a cache-coherence protocol
and its correctness condition. The protocol's specification contains
a bug. The challenge problem is to find the bug.
Wildfire
The challenge problem's cache-coherence protocol is a simplified
version of the protocol for an Alpha multiprocessor, code-named
Wildfire, into which we have inserted a bug. Its correctness
condition is a simplified version of the Alpha memory model.
Wildfire is a system of processors connected in a hierarchical
network. It has the most complicated cache-coherence protocol we
know of. The challenge problem uses a greatly simplified version
of that protocol, but it is still fairly complicated. The bug was
inserted by us; to our knowledge, it was never present in the actual
system design. We think that trying to find it poses a practical
test of the efficacy of a verification method.
The Specifications
The protocol and its correctness condition are specified in TLA+, a
formal language based on the Temporal Logic
of Actions (TLA). The specifications consist of about 900 lines of
TLA+, exclusive of comments. The specifications are extensively
commented, and additional material explaining TLA+ is included. We do
not expect computer scientists to have much difficulty understanding
the meaning of the specifications, even if they are unfamiliar with
TLA.
Downloading the Problem
The specifications and related material--including papers describing
TLA--are contained in a collection
of files. The README file explains what is in the other
files. The files are available here: - Click here for a zip file. (1 MB)
- Click here for a Unix tar file.
(2 MB)
- Click here for a gzipped
Unix tar file. (1 MB)
Note: Obsolete versions of standard modules were removed from
these files on 14 April 2020.
The Rules
If you find the bug or have a question about the problem, please send
email to Leslie Lamport. Please do not
post any solution without first checking with us. We recommend
that you contact us if you intend to work on the problem, so we can
notify you of any corrections or clarifications. We also suggest
that you keep track of how much time you spend on the problem.
The First Solution
On 2 August 2000, Georges Gonthier reported that he had found two
bugs. One is the bug that we had inserted into the
protocol. The other is a relatively simple error resulting from
an oversight on our part. He found both errors without any
mechanical assistance. The presence of a second error should
make the challenge problem more fun, so we will not reveal it.
This problem is being posed by Leslie Lamport, Mark
Tuttle, and Yuan Yu. We were helped by the designers of the
system on which it is based, Kourosh Gharachorloo, Madhu Sharma, Simon
Steely, and Steve van Doren, and by Paul Harter.
This page can be found by searching the Web for the 24-letter
string
wildfirechallengeproblem.
Please do not put this string in any document that could wind up on
the web--including email messages and Postscript and Word documents.
One way to refer to it in Web documents is as "the string obtained by
removing the two - characters from
wildfi-rechall-engeproblem".