Towards Certifying Deadlock-freedom of BIP Models

Verification and validation techniques have become popular in software and hardware development. They increase the confidence and potentially provide rich feedback on errors. However, with increasing complexity verification and validation techniques are more likely to contain errors themselves. In this paper we address the problem of guaranteeing the correctness of validation work with respect to a formal notion of correctness: We certify the absence of deadlocks in systems. Our certification is based upon an existing tool checking deadlock-freedom of BIP (behavior, interaction, priority) [BBS06] models: D-Finder [BBNS08]. BIP is a language for modelling real-time systems. Certificates are generated each time a BIP model is successfully checked for deadlock absence. They contain a proof script – an algorithm – that describes how to ensure oneself that a BIP model is indeed deadlock-free. Furthermore, they comprise system invariants of the checked BIP models implying deadlock-freedom that are used by the proof script. With the help of such a certificate third party users can ensure themselves of deadlock-freedom of their BIP models without having to trust or even take a look at the deadlock checking tool. In particular our certification methodology comprises the formalization of the notion of deadlock-freedom in the higher-order theorem prover Coq. The use of a higher-order theorem prover allows us to formalize this notion in a human readable way. The formalization of the BIP semantics, models, and their invariants in Coq, and an algorithm that checks whether the notion of deadlock-freedom indeed holds for a given BIP model are part of the methodology, too. The algorithm is instantiated to form more concrete proof scripts that are distributed as parts of our certificates. Apart from presenting the methodology we discuss first experimental results.