Journal of Automated Reasoning manuscript No - PDF document

JournalofAutomatedReasoningmanuscriptNo.(willbeinsertedbytheeditor) ProofPearl:AFormalProofofDallyandSeitz'NecessaryandSucientConditionforDeadlock-FreeRoutinginInterconnectionNetworksFreekVerbeek
JulienSchmaltzReceived:date/Accepted:dateAbstractAvoidingdeadlockiscrucialtointerconnectionnetworks.In'87,DallyandSeitzproposedanecessaryandsucientconditionfordeadlock-freerouting.Thisconditionstatesthataroutingfunctionisdeadlock-freeifandonlyifitschanneldependencygraphisacyclic.WeformallydeneandproveaslightlydierentconditionfromwhichtheoriginalconditionofDallyandSeitzcanbederived.DallyandSeitzprovethatadeadlocksituationinducescyclicdependenciesbyreductioadabsurdum.Incontrastweintroducethenotionofawaitinggraphfromwhichweexplicitlyconstructacyclicdependencyfromadeadlocksituation.Moreover,ourproofisstructuredinsuchawaythatitonlydependsonasmallsetofproofobligationsassociatedtoarbitraryroutingfunctionsandswitchingpolicies.Dischargingtheseproofobligationsissucienttoinstantiateourconditionfordeadlock-freeroutingonparticularnetworks.OurconditionanditsproofhavebeenformalizedusingtheACL2theoremprovingsystem.KeywordsDeadlock-freerouting
Interactivetheoremproving
ACL21IntroductionAnecessaryandsucientconditiontoguaranteefreedomfromdeadlocksincomputingsystemsistoshowthatdependenciesbetween"processes"and"resources"areacyclic.Inthecontextofinterconnectionnetworks,dependenciesarecapturedinthechanneldependencygraphinducedbytheroutingfunction.Thelatterisdeadlock-freeifandonlyifitschanneldependencygraphisacyclic.Chen[4]rststatessuchanecessaryandsucientconditionfordeadlock-freerouting.Hisconditionappliedtostore-and-forwardormessage-switchednetworks.In1987,DallyandSeitz[6]extendedthisconditiontonetworksbasedonwormholeswitching.TheseminalpaperofDallyandSeitzinspiredallsubsequentstudiesondeadlock-freeroutingininterconnectionnetworks,e.g.,[8,9,10,19].OurcontributionisaformalproofofDallyandSeitz'conditionfordeadlockfreerouting.TheproofhasbeenformalizedintheACL2theoremprovingsystem[11].Theformalproofconsistsof3638linesofACL2-codeand339theorems.Itisavailableathttp://www.cs.ru.nl/julien/Julien at Nijmegen/JAR09.html.DallyandSeitzreasonadabsurdumfromanorderingofresources.Incontrast,ourproofusesadynamicallydenedwaitinggraphasanintuitiveintermediatebetweenadeadlockedsetofmessagesandacycleinthedependencygraph.Therefore,ourproofisfullyconstructive(inthesenseofDuato[8]).Moreover,we ThisresearchissupportedbyNWO/EWprojectFormalValidationofDeadlockAvoidanceMechanisms(FVDAM)undergrantno.612.064.811. F.VerbeekandJ.SchmaltzInstituteforComputingandInformationSciences,RadboudUniversityNijmegenP.O.Box90106500GLNijmegen,TheNetherlandsSchoolofComputerScience,OpenUniversityofTheNetherlandsP.O.Box6401DLHeerlen,TheNetherlandsE-mail:ff.verbeek,julieng@cs.ru.nl 2haveextractedconstraintsorproofobligationsonarbitraryswitchingpoliciesandroutingfunctionsthataresucienttoproveourdeadlock-freecondition.Thus,ourconditionisasecond-ordertheoremwhichholdsforallconcretenetworkdenitionsprovidedthesedenitionssatisfythecorrespondinginstancesoftheseproofobligations.Thepaperisorganizedasfollows.ThenextSectionpresentstheACL2theoremprovingsystemandthemainfeaturesweusedinourproof.Section3introducespacketandwormholeswitchingpolicies.ThenecessaryandsucientconditionanditsproofproposedbyDallyandSeitzarepresentedinSection4.DallyandSeitzconditionisnotcompletelycorrect.Werevisetheirconditionandpresenttherevisedconditionandourproofinusualmathematicalnotation.InSection5wepresentourformalmodelofnetworksandourformalizationofDallyandSeitz'revisedcondition.OurformalconditionisproveninSection6.WediscusstherelationbetweenourworkandthatofDallyandSeitzinSection7.InSection8wepresentsomedetailsontheACL2theoremprovingeort.WeconcludeinSection9.2ACL2ACL2[11,12]standsfor"AComputationalLogicforApplicativeCommonLisp".Itdenotesaprogramminglanguage,arstorderlogic,andamechanicalreasoningengineforthatlogic.Thelogic[3,13]isaquantier-freerstorderlogicwithinduction.Functionsmustbetotalandterminationofrecursivefunctionsmustbeprovenbeforeaddingthemtothelogic.Nevertheless,ACL2providesmechanismstoovercometheselimitations,e.g.,boundedquantiersorpartialfunctions[2,14].Inourproofwemakeintensiveuseoftheencapsulationprincipleandthederivedruleofinferencefunctionalinstantiationto"simulate"second-orderfunctions.Wenowdetailthismechanism.InthissectionweusetheACL2inxsyntaxwherea+biswritten(+ab).Theencapsulationprincipleallowstheintroductionofundenedfunctionsthatsatisfyoneormoretheoremsprovidedonewitnesscanbeexhibited.Considerasanexamplethefollowingstatement:Letfbeafunctionovertwoargumentssuchthatfiscommutative,thatis,f(a;b)=f(b;a).Thissecond-orderstatementtranslatestotheencapsulateeventbelow.First,onedenesthesignaturesoftheconstrainedfunctions,e.g.,functionf.Thenonehastoprovideawitnessdenition.Finally,oneintroducestheconstraints,e.g.,functionfiscommutative.Afterthesuccessfulcompletionoftheencap-sulate,thelogicisextendedwiththenewfunctionsymbols,e.g.,f,andtheconstraintsonthesesymbols,e.g.,(fab)=(fba).Notethatthewitnessdenitionislocaltotheeventandnotaddedtothelogic.Itisonlycheckedduringtheencapsulatethatthiswitnesssatisesalltheconstraints.(encapsulate(((f**)=�*));;functionsignatures(local(defunf(ab)(declare(ignoreab))nil));;localwitness(defthmf-commute(equal(fab)(fba))));;constraintAftersuchanencapsulateevent,theACL2logiconlycontainsthenewfunctionsymbolsandtheirassociatedconstraints.Anytheoremprovenonthesefunctionsholdsforallconcretedenitionsthatsatisfythecorrespondingconstraints.Forinstance,onecoulddenefunctionaddbelow:(defunadd(ab)(+ab))Thisfunctioniscommutativeandcanbeconsideredavalidinstanceofabstractfunctionf.Anyproventheoremoffcanbeappliedtoaddbyusingafunctionalinstantiationhint.ThishintwillcauseACL2toproduceproofrequirementstoshowthataddsatisestheconstraintsoff.Thisidiomisusedintensivelyinourproof.Werefertoconstraintsalsoas"proofobligations".Moredetailsaboutthisuseofencapsulationandfunctionalinstantiationcanbefoundinanotherpublication[17]. 3 Y Y Z ZCAB XX (a)WHSExample AB (b)PSexampleFigure1:Interconnectionnetworkexamples3SwitchingpoliciesAninterconnectionnetworkisdenedbyasetofprocessingnodesandasetofcommunicationchannels.Withaninterconnectionnetwork,aswitchingpolicyandaroutingfunctionareassociated.Aswitchingpolicydetermineshowmessagespassthroughthenetwork.Aroutingfunctiondetermineshowmessagesareroutedfromsourcetodestination.AcommonlyusedswitchingpolicyisWormholeSwitching(WHS).Packetsaredecomposedintosmal-lerdataunitscalled\rits.A\ritconstitutestheatomicobjectthatistransferredbetweenanytwonodes.Typically,thereisaheader\ritfollowedbyasequelofdata\rits.Theendofapacketismarkedbyatail\rit.Forsimplicity,wedonotdistinguishbetweendata\ritsandthetail\rit.Werefertoallofthemasthetailortail\rits.Theheader\ritonlycontainsinformationonthedestinationofthemessage.Theheader\ritadvancesalongthespeciedroute,whilethetailfollowsinapipe-linefashion.Whentheheader\ritisblocked,all\ritsofthemessageareblocked.Achannelcanonlystore\ritsbelongingtoatmostonemessage.Therefore,tail\ritsblockheader\ritsofothermessages.Example1Figure1ashowsaninterconnectionnetworkwithwormholeswitching.MessagesX,Y,ZandaredestinedrespectivelyfornodeA,BandC.Assumechannelscanstoreatmostone\rit.Theheader\ritsofXandYareblocked,whichmeansthatthetail\ritsareblockedaswell.MessageZcanadvanceandreachitsdestination,thenmessageYcanadvanceandatlastXwilladvance,resultinginanemptynetwork.AnothercommonlyusedswitchingpolicyisPacketSwitching(PS),alsocalledstore-and-forward.Incontrasttowormholeswitching,packetsaretheatomicobjecttransferredbetweenanytwonodes.Apacketcontainsaheaderandapayload,i.e.,theactualdata.Theheadercontainsroutinginformatione.g.,destinationnode.Ateachintermediatenode,apacketisfullystoredandanalyzed.Oncethenextchanneloftherouteisavailable,itissenttotheneighboringnode.Example2Figure1bshowsanexampleofaninterconnectionnetworkwithpacketswitching.Eachboxrepresentsthestoragespaceofanoutgoingchannel.Inourexample,eachoutgoingchannelcanstoreonepacket.Thecrossedboxescontainpackets.AllpacketsaredestinedtonodeD.Inthecurrentconguration,allpacketsareblockedexcepttheoneinnodeC.Thatpacketcanarriveatitsdestination,afterwhichtheotherpacketswillfollow.Foranin-depthdiscussiononpacketswitchingandwormholeswitching,wereferthereadertosurveys(e.g.,byNiandMcKinley[15])andstandardtextbooks[9,7].4DallyandSeitzDallyandSeitzdenedanecessaryandsucientconditiontoguaranteedeadlock-freeroutingininter-connectionnetworkswithwormholeswitching.WeprovidetheconditionaspresentedbyDallyandSeitzandtheirproof.Thisconditionisnotcompletelycorrect.Wepresentarevisedversionandaddressthisconditionanditsproofinmathematicalnotation. 44.1OriginalversionThedenitions,thetheoremanditsproofareverbatimcopiesfromDallyandSeitz'paper[6].Denition1Aninterconnectionnetworkisastronglyconnecteddirectedgraph,I=(N;C).Thever-tices,N,representthesetofprocessingnodes.Theedges,C,representthecommunicationchannels.RoutingfunctionRisdenedasR:CN7!C.ThisrestrictsRtodeterministicroutingandprovidesitwithmoreinformationthanjustthecurrentnode:thenextchannelisbasedonthecurrentchannelandthedestination.GivenaninterconnectionnetworkIandroutingfunctionR:CN7!C,achanneldependencygraphcanbedened:Denition2AchanneldependencygraphDisagraphwiththechannelsofIasvertices.Thereisanedge(c0;c1)inthechanneldependencygraphifandonlyifthereexistsadestinationnodedsuchthatR(c0;d)=c1.ThefollowingtheoremisthenecessaryandsucientconditionfromDallyandSeitz.Theorem1AroutingfunctionR:CN7!C,foraninterconnectionnetworkI(withwormholeswitching),isdeadlock-freeifandonlyifthereisnocycleinthechanneldependencygraphD.ProofSupposethenetworkhasacycleinD.Itispossibletoconstructadeadlock-congurationbyllingthechannelsinthecyclewithmessages.Thedestinationsofthesemessagesmustbechoseninsuchawaythatforallmessages,thenextchannelcomputedbyRisonthecycle.SupposeanetworkhasnocycleinD.ThisimpliesthatthereexistsatotalorderoverthechannelsofC.Thusthereexistsafullchannelclthatistheleastchannelinthisorder.Everychannelafterclisempty,thusnomessageinclisblocked,andthecurrentcongurationisnotadeadlock.Thisconditioncanbeappliedtocreatedeadlock-freenetworksbybreakingthecyclesinthechanneldependencygraph.4.2RevisedversionTheorem1isfalse.ThedeadlockcongurationcreatedintheproofofTheorem1islegal,i.e.,buercapacitiesarenotexceededandwormsconsistofvalidpathsinthenetwork.Itishowevernotnecessarilyareachableconguration,i.e.,itisnotnecessarilypossibletoobtainthiscongurationstartingfromanemptynetwork.Figure2agivesanexampleofadeadlock-freeanddeterministicroutingfunctionwithacyclicchanneldependencygraph.ThenetworkcouldbeindeadlockifchannelacontainsmessagesdestinedforXandchannelbcontainsmessagesdestinedforY.ThiscongurationcanhoweverneverbereachedasXconsumesmessagesdestinedforXimmediatelyandneversendsthemtochannela. X Y a (a)NetworkR XY a bb a(b)RoutingfunctionFigure2:CounterexampletoTheorem1.TheissueisthatroutingfunctionsoftypeR:CN7!Cdonotunambiguouslydenewhattodowithnewlyinjectedmessages.Asthesearenotinachannel,theroutingfunctionmustsupplyanext 5channelbasedonthecurrentnodeinsteadofthecurrentchannel.Thus,routingmustalsobedenedasR:NN7!C.Givenadestinationnoded,routingfromachannel(i.e.,R(c;d)withcsomechannel)isnotnecessarilyequaltoroutingfromthesourcenodeofthatchannel(i.e.,R(s;d)withsthesourcenodeofchannelc).Consequently,Theorem1isnottrue.Formemorylessroutingfunctions,i.e.,routingfunctionsdenedcompletelyasR:NN7!C,anylegalcongurationisalsoreachable[8].Thisholdsforbothpacketswitchingandwormholeswitching.WeredeneTheorem1withthecorrecttypingoftheroutingfunction.Intheremainderofthissectionwepresenttherevisedtheoremanditsproofinmathematicalnotation.Sections5and6presenttheconditionanditsproofasformalizedinACL2.ThedenitionsinthisSectionarecopiesofDuato'spaperonanecessaryandsucientconditionforadaptiveroutingfunctions[8].Denition3AninterconnectionnetworkIisastronglyconnecteddirectedmultigraphI=(N;C).TheverticesNrepresentthesetofprocessingnodes.ThearcsCrepresentthesetofcommunicationchannels.Givenachannelci2C,letsianddidenotethenodesatrespectivelythesourceanddestinationofchannelci.Eachchannelchasacertaincapacity,denotedcap(c).Denition4AdeterministicroutingfunctionR:NN7!CisafunctionsuchthatR(s;d)suppliesachannelforamessagelocatedinprocessingnodesanddestinedforprocessingnoded.Ifamessageisatitsdestinationitisconsumed.Thusforallnodesn,R(n;n)=;.Denition5ThechanneldependencygraphisagraphGdep=(C;Edep).TheverticesofGdeparethechannelsofI.ThearcsofGdeparethedependenciesinI.Adependencyisapairofchannels(ci;cj)suchthat:9x2N
ci2R(si;x)^cj2R(di;x)Inwords,thereisadependencyfromcitocjifcjcanbeusedaftercibysomemessage.Denition6Acongurationisanassignmentof\ritsorpacketstochannels.Thus(c)returnsthesetof\ritsorpacketslocatedinchannelc.Denition7Achannelisunavailable,notationunav(c;)ifitcannotacceptnewheader\ritsorpackets.Forpacketswitchingnetworks,achannelcisunavailableifandonlyifitisfull,i.e.ifandonlyifj(c)j=cap(c).Forwormholeswitchingnetworks,achannelcisunavailableifandonlyifitcontainsatleastone\rit,i.e.ifandonlyifj(c)j�0.Givena\ritf,lethd(f)returntrueifandonlyiffisaheader\ritorapacketandlettl(f)returntrueifandonlyiffisatail\rit.Denition8Aroutingfunctionisdeadlock-freeifandonlyifthereexistsnodeadlockconguration.Adeadlockcongurationisacongurationthatsatisesthefollowingproperties:8ci2C8����.93;ㅐ.93;ㅐ.93;ㅐ.93;ㅐ:j(ci)jcap(ci)(1)8f2(ci)
ci2R(si;dest(f))(2)8f2(ci)
hd(f)=)di=dest(f)(3)8f2(ci)
hd(f)=)8cn2R(di;dest(f))
unav(cn;)(4)8f2(ci)
tl(f)=)j(next(ci))j=cap(next(ci))(5)Properties(1)and(2)statethatthecongurationmustbelegal,i.e.,thebuercapacitiesarenotexceededandthemessagesinthenetworkcanreachtheircurrentchannelfromthepreviousnode.Properties(3)through(5)statethatthecongurationisindeadlock.Header\ritshavenotarrivedattheirdestination(3)andcannotmovetoanavailablenexthop(4).Lastly,alltail\ritsarestuckasthenextchannelinthewormisfull(5).Therevisedtheoremisdenedformemorylessroutingandusesthecorrespondingchanneldependencygraph. 6Theorem2AroutingfunctionR:NN7!Cisdeadlock-freeifandonlyiftherearenocyclesinitschanneldependencygraphGdep.TheproofofTheorem2belowpresentsinusualmathematicalnotationtheproofformalizedinACL2.Section6containsfurtherdetails.Proof(=))Supposethereisadeadlock-conguration.All\ritsofallmessagesinwaitforsomechanneltobecomeavailable.ConsideragraphGwait=(C;Ewait)wherethereisanedge(ci;cj)ifandonlyifincongurationa\ritinciwaitsforchannelcjtobecomeavailable.InthisgraphthesetofunavailablechannelsUcontainsitsownneighbors.Thiscanbeseenbycontradiction:saythereisachannelcithathasaneighborcnoutsideU.ChannelcnisavailableasitisnotinthesetofunavailablechannelsU.Thusciwaitsforachannelthatisavailable,whichmeansthateventuallythe\ritsinchannelciwillbeabletoproceed.Thiscontradictstheassumptionthatisadeadlockconguration.Inanygraph,anysubgraphofparentverticesthatcontainsitsownneighborsnecessarilycontainsacycle.AssubgraphUinthewaitinggraphconsistsofparentverticesonlyandsinceUcontainsitsownneighbors,Ucontainsacycle.ThusgraphGwaitcontainsacycle.SinceGwaitisasubgraphofGdep,thereisacycleinGdep.((=)SupposethereisadependencycycleDinGdep.Thiscyclecanbelledwitheitherpacketsorwormsoflength1.Foreachdependency(ci;cj)2Dthereisadestinationxsuchthatci2R(si;x)andcj2R(di;x).Channelciislledwithamessagedestinedforx.Theresultingcongurationclearlysatisesproperties(1),(2)and(5).Property(3)issatised,sinceotherwisedi=xwhichwouldimplyR(di;x)=;whichwouldcontradictthatcj2R(di;x).Toprovethatproperty(4)issatised,weneeddeterminism.FordeterministicroutingfunctionR,cj2R(di;x)impliesR(di;x)=fcjg.Sincecj2DandallchannelsinDarelled,cjisunavailable.Sincetheresultingcongurationislegalandsinceroutingismemoryless,thecongurationisalsoreachable.5FormaltheoremanddenitionsInthissection,wegiveaformalandmoreprecisedenitionofanecessaryandsucientconditionfordeadlock-freerouting.Werstdeneournetworkmodel.Insteadofabstractnodesandchannels,weconsidertheinternalstructureofnodeswhichismadeofportswithbuers.Anetworkisthusrepresentedasagraphwhereverticesareinternalportsandedgesarelinksbetweentheseports.Routingfunctionsaredenedbetweenports,i.e.,overPPwherePdenotesthesetofports.Thesedierencesleadtoadierentdependencygraph,adierentstatement,andadierentproof.WediscussinSection7howtoderivetheoriginalconditionfromours.5.1FormalnetworkmodelPortsAninterconnectionnetworkconsistsofprocessingnodes,connectedbychannels.Thesenodesconsistofportsandacentralswitch(seeFigure3).Theswitchcontainstheroutingfunctionandtheswitchingpolicy.Thereisaportforeachin-andoutgoingchannel.Furthermore,eachnodehasalocalin-andout-port,respectivelyforinjectingandremovingmessagesfromthenetwork.Eachportisassociatedwithalistofbuers(ofsizeatleast1).Onebuercanstoreone\ritoronepacket.Buerlessswitchingcanberepresentedbyassociatingexactlyonebuerperport.Weassumethatifamessageislocatedinabuerofitsdestinationport,itisconsumedimmediately.Furthermore,weassumethatalldestinationportsareterminal,i.e.,theyarenotconnectedtootherports.Adestinationportisthereforeneverblocked. 7 Switch ChannelsChannelsoutLocalinIn-portsOut-ports Figure3:Processingnode,whereeachporthastwobuers.TravelsAtraveltisadatastructurewhichstorestheprogressofsendingamessageacrossanetwork.Itisatripleid;d;L&#x-364;&#x.958;whereidisauniqueidentier,disthedestinationportofthetravel,andLisalistcontainingforeach\rittheportwhichcurrentlystoresit.Forpacketswitching,thislisthassize1(thepacket).Forwormholeswitching,thelistisofarbitrarysizebutmustbeatleastofsize1asthereisatleastaheader\rit.Tdenotesthelistoftravelsinjectedintothenetwork.Functionscurr(t)anddest(t)denoterespectivelythecurrentlocationoftheheader\ritoftandthedestinationportoft.StateAstateSTisadatastructurewhichstoresthecurrentnetworkstate.Thestateisdenedasthelistofalltheportsofthenetwork.Eachportisassociatedtothelistofitsbuers.Functionbuers(p;ST)returnsthelistofbuersofportpinstateST.Function(b)returnstrueifandonlyifbuerbisempty.Forsakeofsimulation,abuerstoresbotha\ritandtheidofthecorrespondingtravel.CongurationAcongurationisdenedasalistoftravelsTandastateST,suchthatSThasabuerlledwith\ritfandidiifandonlyifthereisatravelinTwithidithathas\ritfcurrentlylocatedintheportcorrespondingtothebuer.NetworkDenitionAninterconnectionnetworkisadirectedgraph,I=(P;C).Thevertices,P,representthesetofports.Theedges,C,representthelinksbetweentheports.Wedonotrequiretheinterconnectionnetworktobestronglyconnected.Insteadweassumethatforalltravels,thedestinationportisreachablefromthesourceport.ReachabilityisformallydenedinSection5.3.5.2GraphtheoryWedeneagraphGbytwofunctions:functionVreturnsthesetoftheverticesofGandfunctionE(VV)returnsthesetoftheedgesofG.Acycleisapathwheretherstvertexisaneighborofthelast.Denition9LetG=(V;E)beagraphandletV0beasetofverticesfv0v1:::vn1gforn1.cycle(V0)def=80in:(vi;vi+1(modn))2EDenition10LetGbeagraph.AsetofverticesVVGissaturatedifandonlyif8v2V:EG(v)V.Asetofverticesissaturatedifitcontainsallitsneighbors. 8Denition11LetGbeagraphandletPbeapredicateovertheverticesofgraphG.AP-chainisthesmallestsetofverticesforwhichallpairsofmembersareinthetransitiveclosureofE0G,where(n0;n1)2E0Gifandonlyif(n0;n1)2EG^P(n0)^P(n1).Inotherwords,ifaP-chaincontainsvertexv,thenallneighborsofvforwhichpredicatePholdsareinthechainaswell.Forexample,letparent(n)returntrueifandonlyifnhasatleastoneneighbor.PortsfA;B;C;DginFigure4bconstituteaparent-chain.5.3RoutinganddependencygraphRoutingfunctionRisdenedasR:PP7!PsuchthatR(s;d)returnsthenextportleadingfromstod,i.e.,thenexthop.OurgoalistodeneaportdependencygraphforRfromwhichwewilldeneanecessaryandsucientconditionensuringRisdeadlock-free.ThestandarddenitionwouldstatethatsuchadependencygraphhasthesetofportsasverticesandedgesarepairsofportsconnectedbyR.However,aswedonotassumeastronglyconnectednetwork,theremightbeportsconnectedbyR(s;d)foradestinationdthatisactuallynotreachable.Toovercomethisissue,weassumetheexistenceofafunctionR,whichrepresentsreachability.WeassumesRdreturnstrueifandonlyifdisreachablefroms.Usingthisfunction,wedenetheportdependencygraphasfollows:Denition12LetI=(P;C)beanetwork.TheportdependencygraphcorrespondingtoroutingfunctionR:PP7!P,isthegraphGdep=(P;Edep)withthesetofportsPasverticesandthepairsofportsconnectedbyRasedges.FunctionEdepisdenedbythefollowingconstraintsorproofobligations:8s;d8p2R(s;d):sRd=)(s;p)2Edep(PO-I)8(p0;p1)2Edep9d:p0Rd^p12R(p0;d)(PO-II)Constraint[PO-I]statesthatforanyports,allnexthopsareneighborsintheportdependencygraph.Weconsideronlythosenexthopsleadingtoreachabledestinations.Constraint[PO-II]statesthatforanypair(p0;p1)connectedintheportdependencygraph,thereexistsareachabledestinationportsuchthatp1isanexthopleadingtothatdestination.5.4DeadlockTheexactandrealisticdenitionofadeadlockinanetworkdependsontheunderlyingdata-linkprotocolusedtoexchangemessagesbetweenports.Wewanttoabstractfromtheseunderlyingmechanismstokeeptheproofasgenericaspossible.Weproveourtheoremforanyswitchingpolicywhere{onthelevelofthenetworklayer{advancementofatraveldependsonlyontheavailabilityofthenexthops.Letrealdeadlock()returntrueifandonlyifisindeadlock.Atraveliscalledstuckifandonlyifthereexistsnonexthop(oftheheader\rit)thathasanemptybuer.Notethatthisdoesnotgiveanyinformationonthestateofthedata-linklayer.Aportisstuckifandonlyifitisnon-emptyandalltravelsinthebuersoftheportarestuck.Denition13AswitchingpolicySisnext-hop-basedifandonlyif:(9:8t2:T:stuck(t;:ST))()(90:realdeadlock(0))Aswitchingpolicyisnext-hop-basedifandonlyifadvancementofatraveldependsonlyonthenexthopsoftheheadersofthetravels.Weproveourtheoremforanynext-hop-basedswitchingpolicy.Thishastwoadvantages:(1)theproofbecomesgenericwithrespecttothedata-linklayerandlowerlayersand(2)theproofbecomeseasierasarealisticandconcretedeadlockcongurationisreducedtoacongurationwhereallmessageshavenoavailablenexthops.Notethatallnecessaryandsucientconditionsfordeadlock-freedomininterconnectionnetworksaredenedatthesamelevelofabstraction[6,8,10,19].Wewillnowshowthatbothpacketswitchingandwormholeswitchingpoliciessatisfyourdenitionofnext-hop-based. 9Packetswitchingisnext-hop-based:assumeacongurationwhereforallmessagesallnexthopsareunavailable.Regardlessofwhatdata-link-layerisused,inorderforamessagetoadvanceitneedsanexthopwithanavailablebuer.Asnobuerwilleverbecomeavailable,thecongurationcanberegardedasadeadlockconguration,regardlessofthestateofthedata-linklayer.Thus0=inDenition13.Forwormholeswitchingnetworksthereisasubtlety:thedeadlockconguration0isnotnecessarilyequaltocongurationwhereallheader\ritsarestuck.Assumeacongurationwhereforallmessagesallnexthopsareunavailable.Noheader\ritcanmove.Thiscongurationisnotnecessarilyindeadlock,astail\ritsmaybeabletoprogresscausingthetailtoshrink.Still,wormholeswitchingisnext-hop-based.Assumeacongurationwhereallnexthopsareunavailable.Thereexistsaconguration0wherenotail\ritcanadvanceaswell.Conguration0hastheexactsamewormsasbuthasallportslledcompletely.Wormsinmayconsistofmore\ritsthantheyoriginallyconsistedofin.Sinceisalegalandreachableconguration,0islegalandreachableaswell.Asanycongurationwhereallheader\ritsarestuckimpliesalegalandreachabledeadlockconguration,wormholeswitchingisnext-hop-based.Thusbothpacketswitchingandwormholeswitchingarenext-hop-based.CircuitSwitching[9,7],whereatravelcanadvanceifandonlyifitsentirerouteisfree,isnotnext-hop-based.Denition14Let=(T;ST).GivenfunctionR,functiondeadlock-conguration()isdenedas:jTj�0^8t2T8p2R(curr(t);dest(t))8b2buers(p;S)::(b)Adeadlock-congurationisanon-emptynetworkwhereforallmessagestraversingthenetworkthereexistsnonexthopwithanemptybuer.Thisdenitionisabstractwithrespecttothedata-linklayer.Thisispossibleasweproveourtheoremforanynext-hop-basedswitchingpolicy,i.e.,anyswitchingpolicywheresuchacongurationislogicallyequivalenttoarealisticdeadlock.Eachtravelhasaheaderandatail.Forourproof,weneedtoassumethattailsarecontinuous,i.e.,allconsecutiveportsinatailareconnected.Letloc(f)denotethecurrentlocationof\ritf.Letatravelbedividedinaheader\rithandtail\rits[f0;f1;:::;fk].Thenext\ritofatail\ritfiisdenedasfi1fori�0andhfori=0.Denition15Atravelhasavalidtail,ifandonlyif80ik:(loc(fi);loc(next\rit(fi)))2Edep_loc(fi)=loc(next\rit(fi))Atailmustbeapathintheportdependencygraphafterallconsecutiveequalshavebeenremoved.Theorem3Forallnext-hop-basedswitchingpoliciesSandforalldeterministicroutingfunctionsR:9:deadlock-conguration()^8t2T:valid-tail(t)^8t2T:curr(t)Rdest(t)()9cN:cycledep(c)Theorem3isourformalizationofDallyandSeitz'condition(Theorem2).Foranydeterministicroutingfunction,thereisadeadlock-conguration-wheretravelshavevalidtailsandreachabledestinations-possibleifandonlyifthereisacycleinthedependencygraph.DallyandSeitzstatedthecontrapositiveform:aroutingfunctionisdeadlock-freeifandonlyifthereisnocycleinitsdependencygraph.6FormalproofOurproofhastwopeculiaraspects.First,wehaveidentiedaxedsetofproofobligationsthataresucienttoproveTheorem3.Second,weuseawaitinggraphinsteadofatotalordertomakeourprooffullyconstructive.BeforeprovingthenecessityandsuciencyofTheorem3wepresenttheproofobligations,deneourwaitinggraph,andgiveanoverviewoftheproof. 106.1PreliminariesProofobligationsApplyingTheorem3,provingdeadlock-freedomofaninterconnectionnetworkwithroutingfunctionRandnext-hop-basedswitchingpolicySreducestodeningfunctionRandtheportdependencygraphGdepanddischargingeachofthefollowingproofobligations:[PO-I]EachpairofportsconnectedbyRareedgesofGdep;[PO-II]AlledgesofGdepareconnectedbyR;[PO-III]RisoftypePP7!P;[PO-IV]ThereisnocycleinGdep.Theseproofobligationsareusedasassumptionsintheformalproof.Inparticular,intheproofofthesuciencyofourconditionthatisdiscussedinSection6.3.Weprovideashortexampletodemonstrateoneinstanceoftheseproofobligations.Moredetailsaboutthemethodologyderivedfromourprooffalloutsidethescopeofthispaper.Theinterestedreadercanndmoreinformationinanotherpublication[21].Example3A2D-Meshnetworkconsistsofrowsandcolumnsofprocessingnodes.Figure5adepictsthetopologyofa222D-Mesh.AcommonlyusedroutingfunctionisXY-routing[15].Messagesareroutedrstalongthex-axistothecorrectcolumn,thenalongthey-axistothecorrectprocessingnode.Wedemonstratetheinstantiatedfunctionxybysomeexamples.Fromawest-outport,onlyportswithalowerx-coordinatearereachable.Fromasouth-outportonlyportswithalowery-coordinateandwiththesamex-coordinatearereachable,sinceXY-routingroutesrstalongthex-axisandthenalongthey-axis.Fromawest-inportanyportwithx-coordinatelessorequaltothecurrentx-coordinateisreachable.XY-routingcomputesonerouteforeachsource-destinationpair,sinceeachmessagecanmakeonlyoneturn.ThusConstraint[PO-III]issatised.Usingfunctionxyaportdependencygraphcanbedenedwhichsatises[PO-I],[PO-II]and[PO-IV].TheintuitionbehindtheproofofConstraint[PO-IV]isthataturnfromeitherthenorthernorsoutherndirectiontothewesterndirectionisnotpossible.Sinceacycleinameshcontainseitheranorth-westorasouth-westturn,thedependencygraphcannotcontainacycle.WaitinggraphIncontrasttothedependencygraph,thewaitinggraphisdynamicallydenedbyaconguration.Denition16AwaitinggraphGwaitisagraphwhichisdeneddynamicallybyconguration.Ithasasverticestheportsofthenetwork.Pair(p0;p1)isanedgeinthewaitinggraphifandonlyifp0=p1andoneofthefollowingconditionshold:{inthereisaheader\ritinp0routedtop1;{inthereisatail\ritinp0andthenext\ritislocatedinp1.Example4Figure4agivesanexampleofapacketswitchingconguration,whereeachporthastwobuers.Thearrowsaredirectedtothenexthopsofthetravelsinthebuers.Figure4bshowsthecorrespondingwaitinggraph.Itcontainstwocyclicwaitingchains.ChainfA;B;C;D;Eghasanescapeline(portE),whichmeansthatprogressionispossible.ChainfF;Gghasnoescapeline,thesemessagesaredeadlocked.Figure4cgivesanexampleofawormholeswitchingcongurationinabuerlessnetwork.TwomessagesXandYaresentacrossthenetwork,bothhavetwo\rits.Figure4dshowsthecorrespondingwaiting-graph.Nochainhasanescapeline,itisadeadlock-conguration. 11 (a)PSConguration ABCDEFG (b)Waitinggraph XXY Y (c)WHSConguration ABCDE (d)WaitinggraphFigure4:CongurationsandtheirwaitinggraphsProofsketchofTheorem3Assumeadeadlock-conguration=(T;ST).Weshowthatthewaitinggraphofcontainssaturatedchains(seesection5.2).Fromsuchachain,weconstructacycle.Thewaitinggraphisasubgraphoftheportdependencygraph.Henceanycycleinthewaitinggraphisacycleintheportdependencygraphaswell.Thus,wehaveconstructedacycleinthedependencygraph.Assumeacycleintheportdependencygraph.Wecanlleachportofthiscyclewith\ritsinsuchawaythatthenexthopsarethenextportsinthecycle.Thiscongurationisdeadlocked,sincethenexthopsofalltravelsarefull.Insteadofreasoningbycontradictionusingatotalorderoverthechannels,thisdemonstratestheexistenceofacyclebyconstructingitfromalistofdeadlockedmessagesusingthewaitinggraphasintermediate.6.2Ourconditionisnecessary(=))Weconsiderstuck-chainsinthewaiting-graph,i.e.,chainsofstuckports.Lemma1statesthatadeadlockmeansthatallnon-emptyportsareinasaturatedstuck-chain.Lemma2statesthateachportinastuck-chainisaparent.Asaturatedsetofparent-portsalwayscontainsacycle.Lemma3statesthatthewaitinggraphisasubgraphoftheportdependencygraph,whichimpliesthatanycycleinthewaitinggraphisacycleintheportdependencygraph.Thus,ourreasoningisstructuredasfollows:deadlock()saturatedstuck-chainsinthewaitinggraph=)cyclewait=)cycledepExample5InFigure4btherearetwostuck-chains:fA;B;C;DgandfF;Gg.Therstisnotsaturated,thesecondis.ThismeansthatFigure4aisnotadeadlock-congurationsincenotallnon-emptyportsareinasaturatedstuck-chain.InFigure4dtherearetwostuck-chainsaswell:fA;B;C;DgandfE;D;C;Bg.Theyarebothsaturated,whichmeansFigure4cisadeadlock-conguration.Lemma1LetPndenotethesetofnon-emptyports.deadlock-conguration()()8p2Pn:p2saturatedstuck-chaininGwaitProof(=))Firstnotethatifanon-emptyportisnotstuck,thereexistsatravelinthatportthatisnotstuck,whichcontradictstheassumptionthatisadeadlock-conguration.Letp2Pnbeanon-emptyport.Sincepisstuck,itisamemberofsomestuck-chainc.Weprovethatchaincissaturatedbycontradiction:assumethereexistsaportp02cwithaneighborn=2c.Portnisnon-empty:byDenition16eitherncontainsthenext\ritofatail-\ritinp0,ornisthenexthopofaheader\ritinp0.Intheformercase,clearlynisnon-empty.Inthelattercase,nisnon-empty-evenfull-becauseotherwisep0wouldnothavebeenstuck.Portnishowevernotstuck,becauseotherwiseitwouldhavebeenaddedtothechain(Denition11).Thisisacontradictionandthuschaincissaturated.((=)Ifallnon-emptyportsareinastuck-chain,thenallnon-emptyportsarestuck,thusalltravelsarestuck,whichimpliesadeadlock-conguration. 12Lemma2Astuck-chainisaparent-chain.ProofLetpbeaportinastuck-chain.Bydenitionpisnon-empty.Foranytail-\ritinp,letndenotethenext\ritofthetail.ByDenition16,n2Ewait(p),thuspisaparent.Foranyheader\ritinp,letnbeanexthop.ByDenition16,n2Ewait(p).Lemma3Thewaitinggraphisasubgraphoftheportdependencygraph.ProofWeprovethatanypair(p0;p1)2EwaitisapairinEdep.ByDenition16atleastoneofthefollowingapplies:{p0containsaheader\ritroutedtop1.Furthermore,thedestinationofthetravelofthisheader\ritisreachablefromp0.ByConstraint[PO-I]pair(p0;p1)isinEdep;{p0containsatail\ritfandp1=loc(next\rit(f)).ByDenition15,eitherp1=p0inwhichcaseitisnotawaitinggraphedgeor(p0;p1)2Edep6.3Ourconditionissucient((=)Leteachporthavebbuers.Givenaportdependencycycle[p0;p1;:::;pk],awitnesscongurationw=(Tw;STw)canbebuiltwithTw=[t0;0;:::;t0;b1;t1;0;:::;t1;b1;:::;tk;b1],suchthatforall0ikand0jb:{ti;jhasone1\rit,{curr(ti;j)=pi,{dest(ti;j)2fd2PjpiRd^R(pi;d)=pi+1(modk+1)g.STwisanemptystatelledwiththetravelsfromTw.Trivially,thewitnesscongurationhasvalidtailsandreachabledestinations.Furthermore,itisadeadlock-conguration:eachtravelti;jhasasnexthopni0forsome0i0kandallbuersofallportspi0arelledwithaheader\rit.Constraint[PO-II]statesthatthereexistsatleastonepossibledestinationportdest(ti;j),sincebyDenition9thenexthoppi+1(modk+1)isaneighborofpi.ByConstraint[PO-III],i.e.determinism,thereisnonexthopleadingtothedestinationportotherthantheoneinthecycle.7DiscussionFromTheorem3toTheorem2Theorem3ismeanttobeaformalizedversionofTheorem2.Itdiersfromitintwoaspects.Itismoregeneral:Theorem2isdenedforwormholeswitchingonly,whereasourtheoremisdenedforallnext-hop-basedswitchingpolicies,includingwormholeswitchingandpacketswitching.Itisdenedatalowerlevelofabstraction.Theorem2isdenedforroutingfunctionsoftypeR:NN7!C.Wehavedenedourtheoremonthelevelofports.WenowshowhowtoderivetheoriginalDallyandSeitz'conditionfromours.Port-basedroutingfunctionscanrepresentchannel-basedroutingfunctions.Figures5aand5bshowthesameinterconnectionnetworkrespectivelyonthelevelofprocessingnodesandchannels,andonthelevelofports.Figures5cand5dshowtherespectivedependencygraphs.Givenaportdependencygraph,achanneldependencygraphcanbecreatedby(1)contractingeachconnectedpairofportsofdierentprocessingnodesintoonevertexand(2)removingallotherportsandalledgesconnectedtothem.InFigures5cand5d,twoexamplepairsandtheircorrespondingchannelsaremarked.Thiswayacycleinthechanneldependencygraphcanbeconstructedfromacycleintheportdependencygraph.Ourproofassumesthatforallmessages,thedestinationportsarereachablefromtheirsources.ThisisimpliedbytheassumptionofDallyandSeitzthattheinterconnectionnetworkisstronglyconnectedonthelevelofprocessingnodes.Furthermore,weassumethatdestinationportsareterminalandthatmessagesinthebueroftheirdestinationportareimmediatelyconsumed.ThisisalsoassumedbyDallyandSeitz. 13 B (a)Networkofprocessingnodesandchannels (b)Networkofports B (c)Channeldependencygraph (d)PortdependencygraphFigure5:A2by2meshnetworktopologyonthelevelofprocessingnodesandonthelevelofports.TheroutingalgorithmdoesnotroutefromWesttoSouth,norfromNorthtoEast.BenetsofTheorem3Ourtheoremisasecond-orderstatement.Itholdsforalldenitionsoftheroutingfunctionandtheswitchingpolicyprovidedthatthesedenitionssatisfyproofobligations[PO-I]to[PO-IV].Thisenablesaconvenientwaytoformallyprovethataroutingfunctionisdeadlock-free.Onehas(1)togiveaconcretedenitionoftheroutingfunctionandtheswitchingpolicy,(2)thecorrespondinginstancesoftheproofobligationsareautomaticallygenerated,(3)todischargetheseproofobligationsfortheconcretedenitions,and(4)itfollowsbyfunctionalinstantiationthatthisconcretenetworkisdeadlock-free.[PO-III]iseasilyproven.Although[PO-IV]canbediculttoprove{dependingontheroutingalgorithm{onecanrstdeneastaticgraphwhichsatises[PO-I]and[PO-II]andthenperformasearchforacycle.Searchingforacycleinagraphcanbedoneinlineartime[5].RelatedWorkandExtensionsIncontrasttoDallyandSeitz,ourproofisfullyconstructive.Insteadofusingtheexistenceofatotalorderonthechannels,weusethewaitinggraphtoconstructawitnessdependencycyclefromalistofdeadlockedmessages.Duato[8]denesanecessaryandsucientconditionforadaptiveroutingfunctions.Theproofofhisconditionmakesuseofatotalorderonthechannels{inthesamewayasDallyandSeitz{toshowthatthereexistsnodeadlock-conguration.OurwaitinggraphissimilartothebuerwaitinggraphusedbySchwiebertandJayasimha[19].Inthatpaper,abuerwaitinggraphisusedtoshowanecessaryandsucientconditionforadaptiverouting.Theirtheoremholdsforallswitchingpoliciesthatrequireablockedpackettowaitforaspecicoutputbuer.Inthefuture,weexpecttogeneralizetheproofinthispapertoaformalizedproofofanecessaryandsucientconditionforadaptiverouting.Sinceadaptiveroutingallowsmultiplenexthopspermessage,adeadlock-congurationhasallthesenexthopslledforeachmessage.Thus,inordertoprovesuciencyadependencycycleisnotenough,sinceitmighthaveanescapeline.Asaturatedsetisenough,sincethissetcontainsallitsneighbors.Thedicultyliesinprovingthatadeadlock-congurationnecessarilycontainsasaturatedsetinthedependencygraph.8ACL2FormalizationInthissectionweprovidesomedetailsontheACL2formalization.WepresentourformalizationofTheorem2,andprovidesomedetailsontheproof.Lastlywepresentanapplicationofthiswork:weshowhowtheACL2formalizationcanbeusedtoprovedeadlock-freedomofNetworks-on-Chips. 148.1FormalizationofTheorem2Theorem2rangesovermemorylessroutingfunctionsandoverallpossiblecongurations.Itcontainsbothasecond-orderuniversalquantierandarst-orderexistentialquantier.Thesecond-orderquanticationcanbeelegantlyformalizedusingtheencapsulateconstructofACL2.Functionroutesisintroducedusinganencapsulateevent.Itreturnsasetofroutesfromasourcetoadestination.E.g.thefollowingconstraintsareaddedtotheencapsulateconstructtoenforceadeterministicroutingfunction:(defthmconsp-routes(implies(reachablecurrdest)(consp(routescurrdest))))(defthmdeterministic(implies(reachablecurrdest)(endp(cdr(routescurrdest)))))Constraintsconsp-routesanddeterministicstatethatforeachnodecurrandeachreachabledestina-tiondestthereisexactlyoneroute.Intotalthereare14constraintsontheroutingfunction.Formoredetailswereferto[18].Thestandardwayofformalizingtherst-orderexistentialquanticationinTheorem2iswitharecursivefunctionwhichsearchesthroughallpossiblecongurations.Deningsuchafunctionwouldbeverytediousasitwouldrequireafunctionenumeratingallreachablecongurations.Toovercomethisproblem,weusedthedefun-skconstructofACL2whichintroducesaskolemizedfunction[16].Givenarst-orderexistentialformula,adefun-skeventintroducesanon-executablefunctionwhichreturnstifandonlyifthereexistsawitnessthatsatisestheformula.Thisconstructallowsustoelegantlydenetherst-orderexistentialquanticationinTheorem2:(defun-skE-deadlock(resourceset)(exists(trlstntkstate)(and(uptodatentkstatetrlst)(realdeadlocktrlstntkstate)(trlstptrlstresourceset)(valid-tailstrlst)(trlst-has-reachable-routestrlst)(consptrlst))))Giventhesetofresourcesinthenetwork,functionE-deadlockreturnstifandonlyifthereisacon-guration,i.e.alistoftravelsandastatethatsatisesallpropertiesofadeadlock.Firstly,itmustbeacongurationasdenedinSection5.1.Second,functionrealdeadlockmustreturnt.Thisfunctionisassumedtobelogicallyequivalenttoafunctionstatingthatalltravelsarestuck(theswitchingmethodmustbenext-hop-based).Thelistoftravelsmustbesyntacticallywell-formed.Thisalsoincludesthattheroutesassociatedtothetravelsarevalidpathsinthenetworkleadingfromthecurrentlocationtothedestination.Thetailsmustbevalid(seeDenition15)andalltravelsmusthavereachabledestinations.Lastly,theremustbeatleastonetravelinthenetwork.Similarly,functionE-dep-cycleisdenedwhichreturnstifandonlyifthereisacycleinthede-pendencygraph.OurformalizationofTheorem2isnoweasilydened.Underassumptionthatwehaveavalidsetofresources,thereisadeadlockifandonlyifthereisacycleinthedependencygraph.(defthmdeadlock-.05;ॐdep-cycle(implies(resourcesetpresourceset))(iff(E-deadlockresourceset)(E-dep-cycleresourceset))))8.2ACL2ProofOurproofisbasedontwodierentgraphs.Eachgraphrequiresitsowndenitionsandtheoremsoncorrectness.E.g.itmustbeproventhattheneighborfunctionofthewaiting(dependency)graphalwaysreturnsvalidwaiting(dependency)vertices.Wehaveprovensometheoremsonagenericgraph.Thefact 15thatacyclicsubgraphimpliesacyclicsupergraphisprovengenericly.Inourproof,weusefunctionalinstantiationtoobtainthistheoremforthewaitinggraphandthedependencygraph.Althoughthissimpliedtheproofeort,functionalinstantiationdoesresultinarelativelylargenumberoftheoremsasboththegenerictheoremsandtheinstantiatedtheoremsmustbedened.Toprovetheexistentialquantierswecreatedafunctionthatbuildsadeadlockwitness.Provingthatthisfunctioncomputesacorrectdeadlockcongurationwitness,i.e.acongurationthatsatisesallnecessaryproperties,requiredmanytheorems.8.3ApplicationsOurworkiscloselyrelatedtothedenitionofaformaltheoryofnetworkarchitectures.Inthiscontext,Schmaltzetal.[18,1]proposedafunctionalformalizationofnetworks.Theydeneagenericfunction{namedGeNoC{representinganetworkwithanarbitraryroutingfunctionandswitchingpolicy.Theydeneproofobligationsonthesecomponentswhicharesucienttoproveglobalsafetypropertieslikemessagesreachtheirexpecteddestinationwithoutmodicationoftheircontent.OurACL2formalizationextendsthisworktosupporttheanalysisofdeadlock.Incombinationwithworkontheanalysisoflivelock[20]wewereabletoprovetheoremslikeallinjectedmessageseventuallyreachtheirdestinationandleavethenetworkforaspecicationofaNetwork-on-Chip[21].9ConclusionThispaperpresentedaformaldenitionofthenecessaryandsucientconditionfordeadlock-freeroutingininterconnectionnetworksproposedintheseminalpaperofDallyandSeitz.OurformalconditionhasbeenmechanicallyprovedusingtheACL2theoremprovingsystem.Ourconditionanditsproofslightlydiersfromtheoriginalone.Theformalizedtheoremismoregeneralasitdirectlyappliestopacketandwormholeswitchingpolicies.Ourtheoremalsoismoredetailed.Theroutingfunctionsandswitchingpoliciesaredenedatthelevelofportsinsteadofabstractprocessingnodes.Ourapproachisgenericinthesensethatourconditionisdenedforallroutingfunctionsandnext-hop-basedswitchingpoliciesthatsatisfyaxedsetofconstraintsorproofobligations.Thismeansthatprovingdeadlock-freedomisreducedto(1)deningastaticdependencygraphfortheroutingalgorithmand(2)dischargingaxedsetofproofobligationsonthisgraph.Wehaveshownthatthetwomostcommonlyusedswitchingpolicies,i.e.packetandwormholeswitching,arenext-hop-based.AcknowledgementsWewouldliketothankFreekWiedijkforsuggestingimprovementstoanearlierversionofthispaper.Wewouldliketothanktheanonymousreviewersfortheirapposite,constructiveanddetailedcomments.InparticularthecounterexampletoDallyandSeitz'originaltheoremwasprovidedtousbyoneofthereviewers.References1.D.Borrione,A.Helmy,L.Pierre,andJ.Schmaltz.Aformalapproachtothevericationofnetworksonchip.EURASIPJournalonEmbeddedSystems,2009(ArticleID548324):14pages,2009.doi:10.1155/2009/548324.2.R.S.BoyerandJStrotherMoore.Theadditionofboundedquanticationandpartialfunctionstoacompu-tationallogicanditstheoremprover.J.Autom.Reasoning,4(2):117{172,1988.3.R.S.BoyerandJStrotherMoore.AComputationLogicHandbook.AcademicPress,1988.4.R.C.Chen.Deadlockpreventioninmessageswitchednetworks.InACM74:Proceedingsofthe1974annualconference,pages306{310,NewYork,NY,USA,1974.ACM.5.T.H.Cormen,C.E.Leiserson,andR.L.Rivest.IntroductiontoAlgorithms.MITPressandMcGrawHill,1990.6.W.J.DallyandC.L.Seitz.Deadlock-freemessageroutinginmultiprocessorinterconnectionnetworks.IEEETransactionsonComputers,(36):547{553,May1987.7.W.J.DallyandB.Towles.PrinciplesandPracticesofInterconnectionNetworks.Morgan-KaufmannPublisher,2004.8.J.Duato.Anecessaryandsucientconditionfordeadlock-freeadaptiveroutinginwormholenetworks.IEEETransactionsonParallelandDistributedSystems,6(10):1055{1067,101995.9.J.Duato,S.Yalamanchili,andL.Ni.InterconnectionNetworks:AnEngineeringApproach.IEEEComputerSocietyPress,LosAlamitos,CA,USA,1997. 1610.E.FleuryandP.Fraigniaud.Ageneraltheoryfordeadlockavoidanceinwormhole-routednetworks.IEEETransactionsonParallelandDistributedSystems,9(7):626{638,1998.11.M.Kaufmann,P.Manolios,andJStrotherMoore.ACL2Computer-AidedReasoning:AnApproach,2000.12.M.KaufmannandJStrotherMoore.AnIndustrialStrenghTheoremProverofaLogicBasedonCommonLisp.IEEETransactionsonSoftwareEngineering,23(4):203{213,April1997.13.M.KaufmannandJStrotherMoore.StructuredTheoryDevelopmentforaMechanizedLogic.J.Autom.Reasoning,26(2):161{203,1997.14.P.ManoliosandJStrotherMoore.PartialfunctionsinACL2.J.Autom.Reasoning,31(2):107{127,2003.15.L.M.NiandP.K.Mckinley.Asurveyofwormholeroutingtechniquesindirectnetworks.IEEEComputer,26:62{76,Februari1993.16.S.Ray.QuanticationinTail-recursiveFunctionDenitions.InP.ManoliosandM.Wilding,editors,Pro-ceedingsofthe6thInternationalWorkshopontheACL2TheoremProverandItsApplications(ACL22006),volume205ofACMInternationalConferenceSeries,pages95{98,Seattle,WA,August2006.ACM.17.J.SchmaltzandD.Borrione.TowardsaFormalTheoryofOnChipCommunicationsintheACL2Logic.InProceedingsoftheSixthInternationalWorkshopontheACL2TheoremProveranditsApplications,partofFloC'06,Seattle,Washington,USA,August14-152006.ACM.18.J.SchmaltzandD.Borrione.Afunctionalformalizationofonchipcommunications.FormalAspectsofComputing,20:241{258,2008.19.L.SchwiebertandD.N.Jayasimha.Auniversalprooftechniquefordeadlock-freeroutingininterconnectionnetworks.InIn7thAnnualACMSymposiumonParallelAlgorithmsandArchitectures,pages175{184,1995.20.F.VerbeekandJ.Schmaltz.Formalvalidationofdeadlockpreventioninnetworks-on-chips.InS.RayandD.Russino,editors,EighthInternationalWorkshopontheACL2TheoremProverandItsApplication,pages135{145,NortheasternUniversity,BostonMA,USA,May11{122009.ACM.21.F.VerbeekandJ.Schmaltz.Formalspecicationofnetworks-on-chip:deadlock,livelock,andevacuation.InProceedingsofDesign,Automation&TestinEurope2010(DATE'10),march2010.