Extending CSP-Prover by deadlock-analysis: Towards the verification of systolic arrays

Csp-Prover provides a deep encoding of the process algebra Csp in the interactive theorem prover Isabelle. Here, we extend Csp-Prover by a framework for the deadlock-analysis of networks. As a typical example we study systolic arrays and prove in Csp-Prover that Kung's classical algorithm for matrix-multiplication is deadlock-free. 1 Introduction Among the various frameworks for the description and modeling of reactive systems , process algebra plays a prominent rôle. It has turned out to be suitable for requirement specifications, design specifications, and also for formal refinement proofs [3]. In this context, the process algebra Csp [8, 18] has been successfully applied in various areas such as train control systems [6], software for the International Space Station [4, 5], or verification of security protocols [20]. Csp-Prover [9, 10] provides a deep encoding of the process algebra Csp within the interactive theorem prover Isabelle [16]. Its approach of interactive theorem proving complements proofs by (finite) model checking in FDR [13]. The strength of Csp-Prover is to be found in the analysis of large or even infinite state systems as well as in its ability to deal with parametrised systems such as systolic arrays. Deadlocks are certainly the best known and also most feared failures exhibited by concurrent systems. For parallel algorithms such as systolic arrays, the proof of deadlock-freedom is as fundamental as the proof of termination for sequential algorithms. Systolic arrays, see e.g. [17], often deal with loosely specified data such as matrices over rings. Furthermore, they scale up with the size of the problem , e.g. Kung's systolic array for the multiplication of n × n matrices requires n 2 processing elements. For these reasons it is impossible to treat such systems solely within the classical model checking approach that requires systems to be finite state. Proofs of deadlock-freedom in Csp-Prover alone [10] (e.g. that the interaction of certain components of the electronic payment system ep2, a new international standard for electronic payment systems, is deadlock-free) were based on the facts that (i) there are Csp processes that are deadlock-free by construction and (ii) that Csp's stable-failures refinement is deadlock-preserving. In this paper we show how to extend Csp-Prover with Deadlock-Freedom Proof Package (abbreviated to Dfp) which provides a proof technique 1 suggested by Roscoe & Dathi [19] in order to analyse networks. For example, Dfp contains a theorem for localizing the proof of deadlock freedom of a whole systolic …