Formal verification of a deadlock detection algorithm
Deadlock detection is a challenging issue in the analysis and design of on-chip networks. We have designed an algorithm to detect deadlocks automatically in on-chip networks with wormhole switching. The algorithm has been specified and proven correct in ACL2. To enable a top-down proof methodology, some parts of the algorithm have been left unimplemented. For these parts, the ACL2 specification contains constrained functions introduced with defun-sk. We used single-threaded objects to represent the data structures used by the algorithm. In this paper, we present details on the proof of correctness of the algorithm. The process of formal verification was crucial to getting the algorithm right. Our ultimate objective is an efficient, executable and formally proven-correct implementation of the algorithm running in ACL2.
💡 Research Summary
The paper presents a formally verified algorithm for automatically detecting deadlocks in on‑chip networks that use wormhole switching. The authors first motivate the work by recalling Duato’s necessary‑and‑sufficient condition for deadlock‑free routing (1995) and the polynomial‑time detection algorithm proposed by Taktak et al. (2010). They point out that both approaches have subtle flaws: Duato’s theorem contains a discrepancy that the authors discovered during their own formalization, and Taktak’s algorithm can miss certain deadlocks because the underlying decision problem is co‑NP‑complete. Building on their own previously proved co‑NP‑complete condition, the authors design a new detection algorithm that runs in polynomial time but may return false positives (i.e., report a deadlock when none exists).
The algorithm works by assigning to each channel a mark in the set {0,1,2,3,4}.
- 0 – unmarked (initial state)
- 1 – visited, but the final mark has not yet been decided
- 2 – “immune”: no flit can be permanently blocked in this channel
- 3 – there exists a destination d such that a header flit destined for d can be permanently blocked in this channel
- 4 – no header can be permanently blocked, but for some destination d a tail flit can be permanently blocked
The algorithm iterates over all channels c and all destinations d, examining the set of next‑hop channels supplied by the routing function. If for some destination d there is no neighbor marked 2, then c is marked 3 (a header can be blocked). If for every destination there exists at least one neighbor marked 2, c cannot be marked 3. In that case, if there exists a d‑path from c to a channel already marked 3, c is marked 4 (tails can be blocked). Otherwise c is marked 2 (immune). After termination every channel is marked 2, 3, or 4. If all channels are 2, the network is deadlock‑free. If any channel is 3 or 4, a deadlock can be constructed by filling 3‑marked channels with header flits and 4‑marked channels with tail flits.
To verify the algorithm, the authors use the ACL2 theorem prover. They store the network graph in a single‑threaded object (stobj) called graph, where each channel maps a destination to a list of neighbor channels. The markings, together with auxiliary lists escs (destinations that lead to a 2‑marked neighbor) and deps (destinations that do not), are stored in another stobj called marks. Accessors such as neighbors, marksi, update-marksi, etc., are defined in the usual ACL2 style.
Because some sub‑procedures are non‑trivial (e.g., checking whether a 4‑marked channel has a d‑path to a 3‑marked channel), the authors leave those parts abstract. They introduce defun-sk specifications that state the existence of such paths without providing an implementation. For example, ex-d-path-to-not2 asserts that there exists a d‑path starting at a given channel, ending at a non‑2‑marked channel, and whose destination appears in deps but not in escs. This “top‑down” approach allows the authors to prove the correctness of the whole algorithm independently of the concrete implementation of the missing pieces.
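The marking loop described above and the abstracted d‑path check are easier to follow on a concrete network. The following Python program is an added example written for this summary; it is not the paper's ACL2 code and makes three assumptions of its own: the routing function is a dictionary from (channel, destination) to next‑hop channels, and a channel with no entries delivers locally and is therefore immune; channels are processed depth‑first, and a neighbour still marked 1 (on the recursion stack) counts as "not marked 2"; and the d‑path existence that the paper leaves to a defun-sk specification is decided here by a plain breadth‑first search. The three sample networks (a unidirectional ring, the ring with an extra escape channel, and a linear chain) are constructed for the example.

```python
"""Mark-based deadlock detection for wormhole networks (illustrative, not the paper's code)."""
from collections import deque

UNMARKED, VISITING, IMMUNE, HEADER_BLOCK, TAIL_BLOCK = 0, 1, 2, 3, 4


class Marks:
    """Counterpart of the paper's `marks` stobj: one mark plus escs/deps per channel."""

    def __init__(self, channels):
        self.mark = {c: UNMARKED for c in channels}
        self.escs = {c: [] for c in channels}   # destinations with a 2-marked neighbour
        self.deps = {c: [] for c in channels}   # destinations without one


def destinations_of(routing, chan):
    """Destinations for which `chan` has a routing entry (assumption: partial routing)."""
    return sorted({d for (c, d) in routing if c == chan})


def ex_d_path_to_mark(routing, marks, start, dest, target_mark):
    """BFS along routing(., dest) edges: is a channel carrying `target_mark` reachable
    from `start`?  Stands in for the defun-sk specification of the paper."""
    seen, queue = {start}, deque(routing.get((start, dest), []))
    while queue:
        chan = queue.popleft()
        if chan in seen:
            continue
        seen.add(chan)
        if marks.mark[chan] == target_mark:
            return True
        queue.extend(routing.get((chan, dest), []))
    return False


def visit(routing, marks, chan):
    """Assign a final mark (2, 3 or 4) to `chan`, visiting its next hops first."""
    if marks.mark[chan] != UNMARKED:
        return                                  # already final, or on the stack (mark 1)
    marks.mark[chan] = VISITING
    for d in destinations_of(routing, chan):
        has_immune_neighbour = False
        for nxt in routing[(chan, d)]:
            visit(routing, marks, nxt)          # no-op if nxt is already marked
            if marks.mark[nxt] == IMMUNE:
                has_immune_neighbour = True
        (marks.escs if has_immune_neighbour else marks.deps)[chan].append(d)
    if marks.deps[chan]:                        # some d has no immune next hop: header can block
        marks.mark[chan] = HEADER_BLOCK
    elif any(ex_d_path_to_mark(routing, marks, chan, d, HEADER_BLOCK)
             for d in marks.escs[chan]):        # d-path to a 3-marked channel: tail can block
        marks.mark[chan] = TAIL_BLOCK
    else:
        marks.mark[chan] = IMMUNE


def detect_deadlock(channels, routing):
    """Return (deadlock_possible, marks); deadlock_possible is False only if all marks are 2."""
    marks = Marks(channels)
    for c in channels:
        visit(routing, marks, c)
    return any(m != IMMUNE for m in marks.mark.values()), marks


# Constructed sample 1: unidirectional 3-node ring, no virtual channels.
# cXY is the link X->Y, LX the local delivery channel at node X (no routing entries).
RING_CHANNELS = ["c01", "c12", "c20", "L0", "L1", "L2"]
RING_ROUTING = {
    ("c01", 1): ["L1"], ("c01", 2): ["c12"], ("c01", 0): ["c12"],
    ("c12", 2): ["L2"], ("c12", 0): ["c20"], ("c12", 1): ["c20"],
    ("c20", 0): ["L0"], ("c20", 1): ["c01"], ("c20", 2): ["c01"],
}

# Constructed sample 2: the ring plus node 3 feeding node 0 via c30, with an extra
# channel e01 reserved for traffic to node 1.  Node 3 only sends to nodes 0 and 1.
ESC_CHANNELS = RING_CHANNELS + ["c30", "e01"]
ESC_ROUTING = dict(RING_ROUTING)
ESC_ROUTING.update({("c30", 0): ["L0"], ("c30", 1): ["c01", "e01"], ("e01", 1): ["L1"]})

# Constructed sample 3: acyclic chain 0 -> 1 -> 2.
CHAIN_CHANNELS = ["c01", "c12", "L1", "L2"]
CHAIN_ROUTING = {("c01", 1): ["L1"], ("c01", 2): ["c12"], ("c12", 2): ["L2"]}

if __name__ == "__main__":
    for name, chans, rt in [("ring", RING_CHANNELS, RING_ROUTING),
                            ("ring+escape", ESC_CHANNELS, ESC_ROUTING),
                            ("chain", CHAIN_CHANNELS, CHAIN_ROUTING)]:
        deadlock, m = detect_deadlock(chans, rt)
        print(name, "deadlock possible:", deadlock, m.mark)
```

On the ring every link ends up marked 3 (each channel's dependency cycle leaves some destination with no immune next hop), so the detector reports a possible deadlock, which is the classic wormhole cycle. In the second network the new channel c30 has an immune next hop for every destination (L0 and e01), but a 1‑path from it reaches the 3‑marked c01, so it receives mark 4: a tail flit behind a blocked header can be stuck there. The acyclic chain is marked 2 throughout and is reported deadlock‑free. As the paper notes, the polynomial marking procedure may produce false positives; the search order in this rendering is one source of that imprecision.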
The correctness proof has two directions: (1) if the algorithm returns t (true) then there exists a set of d‑paths without an escape, and (2) if it returns nil (false) then every set of d‑paths has an escape. The paper focuses on the first direction, showing how a set of paths without an escape can be constructed from the final markings.
The informal proof proceeds as follows:
- Build a witness set Π₃₄ consisting of a singleton path