Joseph Cordina1/11

The Use of Model-Checking for the Verification of Concurrent Algorithms

Joseph Cordina

Department of C.S.&A.I.

Joseph Cordina2/11

Problems

Designing Concurrent Algorithms – Complex algorithms that have multiple concurrent counter-parts– Usually designed using complex atomic instructions making it

difficult to reason with– Increasing number of concurrent tasks make algorithm difficult to

predict– Guarantees are necessary if used in critical scenarios

Typical Verification– Dry-run on paper– Tested extensively on hardware– No guarantees of any sort

Simple algorithms like semaphore implementations take long hours to verify, our aim is to verify wait-free algorithms.

Joseph Cordina3/11

Model-Checking

Automated technique allowing verification of properties according to the given model

Several tools are available that try to minimise the state space

– Main problem with verification is state-explosion

SMV is a project that provides tools free– Accepts a model written in SMV language– Verifies properties in temporal logic– Outputs counter-examples of negated properties

Joseph Cordina4/11

Verification of Algorithms

Verification Model in SMV language– Model CPU characteristics (PC, registers,etc)– Moving PC from one instruction to the next in

each time step– Current PC determines next state of registers and

memory locations– Signal to start algorithm is un-deterministic

Multiple instances of algorithm are verified for all legal permutations of execution

Joseph Cordina5/11

Execution Models

We have constructed two models– Uni-processor model with un-deterministic

scheduler Multiple instances of an algorithm are executed as

separate tasks Each task is modelled through the use of a task

descriptor

– Multi-processor model Multiple CPU descriptions each running some part of the

algorithms Start of execution is un-deterministic

Joseph Cordina6/11

SMV language

Designer of algorithm– Supplies each instruction in SMV– Encodes the properties– SMV provides verification

Each algorithm and property needs to be translated to SMV language– A cumbersome task– Requires designer to learn SMV

Joseph Cordina7/11

Pre-Processing

We built a parser in FLEX– Takes a description of the algorithm– Translates it to SMV language

Easier to specify algorithm No need to learn SMV Description keywords

– CPUs, REGISTERS, MEMORY, STATEVARS– LABELS, CODE, ASSERTIONS, TRIGGER, START– PERCPUASSUMPTIONS, EXCLUSIVEINSTRUCTIONS– PROVE

Properties are specified in temporal logic with optimisations in terms of expressiveness

Joseph Cordina8/11

Results

Automation for the generation of the SMV model from an input concurrent algorithm

Verification of concurrent algorithms– Framework allows very complex algorithms as

long as no complex communication primitives are assumed

Guarantees given for a limited number of concurrent resources– Limited by SMV– Assumptions can be given to limit the state space

Joseph Cordina9/11

Future Work

Coalesce the uni-processor model with the multi-processor model

Make use of alternate model-checkers allowing CSP communication

Implement more complex instructions allowing verification of wait-free algorithms

Parse SMV output allowing visual representation dependant on input description

Joseph Cordina10/11

Conclusion

This work is a proof-of-concept showing the possibility of verification of concurrent algorithms using model-checking

Our solution– Model using SMV language– Pre-processor

Constructs model Creates algorithm instructions in SMV Generates properties and assumptions

Algorithm designers can now have guarantees within a reasonable amount of time

Joseph Cordina11/11

Thank You

Questions?