A Type-theoretic Approach to Deadlock-freedom of Asynchronous Systems
- In Proc. TACS, 1997
Cited by 9 (1 self)
We present a type-based technique for the verification of deadlock-freedom in asynchronous concurrent systems. Our approach is to start with an interaction category such as ASProc, where objects are types containing safety specifications and morphisms are processes. We then use a specification structure to add information to the types so that they specify stronger properties. The extra information in this case concerns deadlock-freedom, and in the resulting category ASProc_D, combining well-typed processes preserves deadlock-freedom. It is also possible to accommodate non-compositional methods within the same framework. The systems we consider are asynchronous, hence issues of divergence become significant; our approach incorporates an elegant treatment of both divergence and successful termination. As an example, we use our methods to verify the deadlock-freedom of an implementation of the alternating-bit protocol. Address for Correspondence Dr S. J. Gay Department of ...
A Tool for Proving Deadlock Freedom
- 1997
Cited by 7 (1 self)
We describe a tool, programmed in Java, for the formal verification of the absence of deadlock and livelock in networks of CSP processes. The innovative techniques used scale well to very large networks, unlike the exhaustive state checking method employed by existing tools.
Safe and verifiable design of concurrent Java programs
- Proceedings of the IASTED International Conference, 1999
Cited by 4 (2 self)
The design of concurrent programs has a reputation for being difficult, and thus potentially dangerous in safety-critical real-time and embedded systems. The recent appearance of Java, whilst cleaning up many insecure aspects of OO programming endemic in C++, suffers from a deceptively simple threads model that is an insecure variant of ideas that are over 25 years old [1]. Consequently, we cannot directly exploit a range of new CASE tools (based upon modern developments in parallel computing theory) that can verify and check the design of concurrent systems for a variety of dangers such as deadlock and livelock that otherwise plague us during testing and maintenance and, more seriously, cause catastrophic failure in service. Our approach uses recently developed Java class libraries based on Hoare's Communicating Sequential Processes (CSP); the use of CSP greatly simplifies the design of concurrent systems and, in many cases, a parallel approach often significantly simplifies systems originally approached sequentially. New CSP CASE tools permit designs to be verified against formal specifications and checked for deadlock and livelock. Below we introduce CSP and its implementation in Java and develop a small concurrent application. The formal CSP description of the application is provided, as well as that of an equivalent sequential version. FDR is used to verify the correctness of both implementations, their equivalence, and their freedom from deadlock and livelock. Keywords: concurrency, multithreading, Java, CSP, formal methods
Combining Methods for the Analysis of a Fault-Tolerant System
- In: Pacific Rim International Symposium on Dependable Computing (PRDC), IEEE Computer Society, 1999
Cited by 4 (2 self)
This paper presents experiences gained from the verification of a large-scale real-world embedded system by means of formal methods. This industrial verification project was performed for a fault-tolerant system designed and implemented by DaimlerChrysler Aerospace for the International Space Station ISS. The verification involved various aspects of system correctness, like deadlock and livelock analysis, correct protocol implementation, etc. The approach is based on CSP specifications and uses the model-checking tool FDR. It is realized by combining methods for the development as well as for the analysis. It is illustrated by examples and results obtained during the verification of the Byzantine agreement protocol implementation, where the combination of different abstraction methods is required. 1 Introduction The acceptance of Formal Methods in industry especially depends on their scalability, i.e. their applicability in large-scale realistic industrial projects. An important aspec...
Safe and Verifiable Design of Multithreaded Java Programs with CSP and FDR
- Princeton University, 1998
Cited by 3 (1 self)
Java may be used to develop code for life-, safety-, and mission-critical embedded systems; multithreaded applications must be free from deadlock and livelock. These problems can be eliminated by basing designs on the structures and formalisms of Hoare's Communicating Sequential Processes (CSP). Java class libraries supporting CSP constructs now allow programmers to take advantage of these methods. CASE tools are available to automatically check CSP designs for deadlock and livelock and to validate implementations against specifications.
A Graphical Approach to Performance-Oriented Development of Parallel Programs
- Second International Conference on High Performance Computing, 1996
Cited by 3 (3 self)
Most of the methods proposed for the development of high-performance systems (HPS) do not balance the software and performance engineering activities. This paper presents a method for the development of HPS which promotes the production of well-engineered, highly parallel programs the design decisions of which are also guided by their impact on performance. The method follows strong software engineering principles such as modularity, and the use of formal methods to support verification and transformation. From the point of view of performance engineering the method supports the use of prototypes for performance prediction at early stages of the development. Much of the method is language and hardware independent, and the paper illustrates the application of the method to the development of occam programs running on transputers.
Strategies For The Modelling And Simulation Of Asynchronous Computer Architectures
- 1995
Cited by 2 (1 self)
Table of contents (extracted in place of an abstract): Preface; Acknowledgements; 1 Introduction (1.1 Background; 1.2 Motivation and Objectives; 1.3 Structure of the Thesis; 1.3.1 Related Publications); 2 The Quest for High Performance (2.1 Introduction; 2.2 Bit and Instruction Level Parallelism; 2.3 Reduced Instruction Set Computers; 2.4 The Limits of Sequential Computation; 2.5 Parallel Computer Architectures; 2.5.1 SIMD; 2.5.2 MIMD; 2.5.2.1 Shared Memory MIMD Architectures; 2.5.2.2 Distributed M...)
Proof Principles of CSP – CSP-Prover in Practice
Cited by 1 (1 self)
The process algebra Csp provides a well-established formalism for the modelling, analysis, and verification of concurrent systems. Besides being a specification language, Csp provides a valuable set of proof principles. We show in tutorial style how these proof principles are made available in our tool Csp-Prover. Overall, Csp-Prover turns out to be an off-the-shelf proof tool ready for use in applications.
Deadlock-free Configuration Programming
- 1994
The configuration programming approach has been successfully applied to model parallel and distributed systems in terms of their component processes and relationships, separated from the functional aspects of the components' behaviour. This approach promotes the construction of modular and flexible systems, but the lack of information about the components' behaviour prevents us from verifying important properties such as deadlock freedom in the configuration.
The pursuit of buffer tolerance
- 2005
A system is buffer tolerant when buffers (namely, queues that may be of arbitrary or varying length) may be introduced onto some or all of its channels without introducing errors. We give formal definitions of several types of buffer tolerance within the context of CSP and its models, prove a number of results about it and discuss when these might be useful. Most of our results apply to tree networks and to ones where the processes involved have a property such as being functional or confluent. We demonstrate the close connection of these last two properties by showing that they can both be characterised as appropriate sorts of buffer tolerance.

