Joseph Cordina 1/11 The Use of Model-Checking for the Verification of Concurrent Algorithms Joseph Cordina Department of C.S.&A.I.

Joseph Cordina 2/11 Problems Designing Concurrent Algorithms – Complex algorithms that have multiple concurrent counter-parts – Usually designed using complex atomic instructions making it difficult to reason with – Increasing number of concurrent tasks make algorithm difficult to predict – Guarantees are necessary if used in critical scenarios Typical Verification – Dry-run on paper – Tested extensively on hardware – No guarantees of any sort Simple algorithms like semaphore implementations take long hours to verify, our aim is to verify wait-free algorithms.

Joseph Cordina 3/11 Model-Checking Automated technique allowing verification of properties according to the given model Several tools are available that try to minimise the state space – Main problem with verification is state-explosion SMV is a project that provides tools free – Accepts a model written in SMV language – Verifies properties in temporal logic – Outputs counter-examples of negated properties

Joseph Cordina 4/11 Verification of Algorithms Verification Model in SMV language – Model CPU characteristics (PC, registers,etc) – Moving PC from one instruction to the next in each time step – Current PC determines next state of registers and memory locations – Signal to start algorithm is un-deterministic Multiple instances of algorithm are verified for all legal permutations of execution

Joseph Cordina 5/11 Execution Models We have constructed two models – Uni-processor model with un-deterministic scheduler Multiple instances of an algorithm are executed as separate tasks Each task is modelled through the use of a task descriptor – Multi-processor model Multiple CPU descriptions each running some part of the algorithms Start of execution is un-deterministic

Joseph Cordina 6/11 SMV language Designer of algorithm – Supplies each instruction in SMV – Encodes the properties – SMV provides verification Each algorithm and property needs to be translated to SMV language – A cumbersome task – Requires designer to learn SMV

Joseph Cordina 7/11 Pre-Processing We built a parser in FLEX – Takes a description of the algorithm – Translates it to SMV language Easier to specify algorithm No need to learn SMV Description keywords – CPUs, REGISTERS, MEMORY, STATEVARS – LABELS, CODE, ASSERTIONS, TRIGGER, START – PERCPUASSUMPTIONS, EXCLUSIVEINSTRUCTIONS – PROVE Properties are specified in temporal logic with optimisations in terms of expressiveness

Joseph Cordina 8/11 Results Automation for the generation of the SMV model from an input concurrent algorithm Verification of concurrent algorithms – Framework allows very complex algorithms as long as no complex communication primitives are assumed Guarantees given for a limited number of concurrent resources – Limited by SMV – Assumptions can be given to limit the state space

Joseph Cordina 9/11 Future Work Coalesce the uni-processor model with the multi-processor model Make use of alternate model-checkers allowing CSP communication Implement more complex instructions allowing verification of wait-free algorithms Parse SMV output allowing visual representation dependant on input description

Joseph Cordina 10/11 Conclusion This work is a proof-of-concept showing the possibility of verification of concurrent algorithms using model-checking Our solution – Model using SMV language – Pre-processor Constructs model Creates algorithm instructions in SMV Generates properties and assumptions Algorithm designers can now have guarantees within a reasonable amount of time

Joseph Cordina 11/11 Thank You Questions?