Abstract
We describe a novel technique for bounded analysis of asynchronous message-passing programs with ordered message queues. Our bounding parameter does not limit the number of pending messages, nor the number of “context-switches” between processes. Instead, we limit the number of process communication cycles, in which an unbounded number of messages are sent to an unbounded number of processes across an unbounded number of contexts. We show that remarkably, despite the potential for such vast exploration, our bounding scheme gives rise to a simple and efficient program analysis by reduction to sequential programs. As our reduction avoids explicitly representing message queues, our analysis scales irrespectively of queue content and variation.
Similar content being viewed by others
Notes
Since the assume statement may block executions depending on earlier nondeterministic choices, we consider only the values reached in completed executions as reachable; this avoids the problematic situation where a valuation is reached in an execution which cannot later complete because of finally non-realizable nondeterministic choices.
We assume each task in a given execution has implicitly a unique task-identifier.
For simplicity our examples do not pass arguments to tasks; in general, one should also store in the task-queue array the values of arguments passed to each posted procedure.
The number \(n\) of explored tasks is controlled by limiting the number of loop unrollings in the bounded task-queue encoding, and limiting the recursion depth, and phase-bound, in the bounded-phase encoding.
For simplicity, this description supposes the scheduler can be the only source of program nondeterminism.
References
Abdulla, P.A., Jonsson, B.: Verifying programs with unreliable channels. In: LICS ’93: Proceedings of the 8th Annual IEEE Symposium on Logic in Computer Science, pp. 160–170. IEEE Computer Society (1993)
Abdulla, P.A., Bouajjani, A., Jonsson, B.: On-the-fly analysis of systems with unbounded, lossy fifo channels. In: CAV ’98: Proceedings of the 10th International Conference on Computer Aided Verification, vol. 1427 of LNCS, pp. 305–318. Springer, Berlin (1998)
Atig, M.F., Bollig, B., Habermehl, P.: Emptiness of multi-pushdown automata is 2etime-complete. In: DLT ’08: Proceedings of the 12th International Conference on Developments in Language Theory, vol. 5257 of LNCS, pp. 121–133. Springer, Heidelberg (2008)
Atig, M.F., Bouajjani, A., Emmi, M., Lal, A.: Detecting fair non-termination in multithreaded programs. In: CAV ’12: Proceedings of the 24th International Conference on Computer Aided Verification, vol. 7358 of LNCS. Springer, Heidelberg (2012)
Barnett, M., Leino, K.R.M. Moskal, M., Schulte W.: Boogie: an intermediate verification language. http://research.microsoft.com/en-us/projects/boogie/. Accessed 1 Jan 2012
Boigelot, B., Godefroid, P.: Symbolic verification of communication protocols with infinite state spaces using QDDs. Form. Methods Syst. Design 14(3), 237–255 (1999)
Bouajjani, A., Emmi, M.: Bounded phase analysis of message-passing programs. In: TACAS ’12: Proceedings of the 18th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, vol. 7214 of LNCS, pp. 451–465. Springer, Heidelberg (2012)
Bouajjani, A., Habermehl, P.: Symbolic reachability analysis of fifo-channel systems with nonregular sets of configurations. Theor. Comput. Sci. 221(1–2), 211–250 (1999)
Bouajjani, A., Habermehl, P., Vojnar, T.: Verification of parametric concurrent systems with prioritised FIFO resource management. Form. Methods Syst. Design 32(2), 129–172 (2008)
Bouajjani, A. Emmi, M., Parlato G.: On sequentializing concurrent programs. In: SAS ’11: Proceedings of the 18th International Symposium on Static Analysis, vol. 6887 of LNCS, pp. 129–145. Springer, Heidelberg (2011)
Brand, D., Zafiropulo, P.: On communicating finite-state machines. J. ACM 30(2), 323–342 (1983)
Chaudhuri, S.: Subcubic algorithms for recursive state machines. In: POPL ’08: Proceedings of the 35th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 159–169. ACM, New York (2008)
Dahl, R.: Node.js: Evented I/O for V8 JavaScript. http://nodejs.org/. Accessed 1 Jan 2012
Emmi, M., Lal, A.: Finding non-terminating executions in distributed asynchronous programs. In: SAS ’12: Proceedings of the 19th International Static Analysis Symposium, LNCS, pp. 439–455. Springer, Berlin (2012)
Emmi, M. Qadeer, S., Rakamaric, Z.: Delay-bounded scheduling. In: POPL ’11: Proceedings of the 38th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 411–422. ACM, New York (2011)
Emmi, M., Lal, A., Qadeer, S.: Asynchronous programs with prioritized task-buffers. In: FSE ’12: Proceedings of the 20th International Symposium on the Foundations of Software Engineering. ACM, New York (2012)
Esparza, J., Kucera, A., Schwoon, S.: Model checking ltl with regular valuations for pushdown systems. Inf. Comput. 186(2), 355–376 (2003)
Ganty, P., Majumdar, R.: Algorithmic verification of asynchronous programs. ACM Trans. Program. Lang. Syst. 34(1), 6 (2012)
Ganty, P., Majumdar, R., Rybalchenko, A.: Verifying liveness for asynchronous programs. In: POPL 09: Proceedings of the 36th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 102–113. ACM, New York (2009)
Haller, P., Odersky, M.: Scala actors: unifying thread-based and event-based programming. Theor. Comput. Sci. 410(2–3), 202–220 (2009)
Heußner, A., Leroux, J., Muscholl, A., Sutre, G.: Reachability analysis of communicating pushdown systems. In: FOSSACS ’10: Proceedings of the 13th International Conference on Foundations of Software Science and Computational Structures, vol. 6014 of LNCS, pp. 267–281. Springer, Heidelberg (2010)
HTML5: A vocabulary and associated APIs for HTML and XHTML. http://dev.w3.org/html5/spec/Overview.html. Accessed 1 Jan 2012
Jhala, R., Majumdar, R.: Interprocedural analysis of asynchronous programs. In: POPL ’07: Proceedings of the 34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 339–350. ACM, New York (2007)
Kidd, N., Jagannathan, S., Vitek, J.: One stack to run them all: reducing concurrent analysis to sequential analysis under priority scheduling. In: SPIN ’10: Proceedings of the 17th International Workshop on Model Checking Software, vol. 6349 of LNCS, pp. 245–261. Springer, Heidelberg (2010)
La Torre S., Parlato, G.: Scope-bounded multistack pushdown systems: fixed-point, sequentialization, and tree-width. In: FSTTCS ’12: Proceedings of the IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science, vol. 18 of LIPIcs, pp. 173–184. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2012)
La Torre, S., Madhusudan, P., Parlato, G.: A robust class of context-sensitive languages. In: LICS ’07: Proceedings of the 22nd IEEE Symposium on Logic in Computer Science, pp. 161–170. IEEE Computer Society (2007)
La Torre, S. Madhusudan, P., Parlato G.: Context-bounded analysis of concurrent queue systems. In: TACAS ’08: Proceedings of the 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, vol. 4963 of LNCS, pp. 299–314. Springer, Heidelberg (2008)
La Torre, S. Madhusudan, P., Parlato, G.: Reducing context-bounded concurrent reachability to sequential reachability. In: CAV ’09: Proceedings of the 21st International Conference on Computer Aided Verification, vol. 5643 of LNCS, pp. 477–492. Springer, Heidelberg (2009)
La Torre, S., Madhusudan, P., Parlato, G.: Model-checking parameterized concurrent programs using linear interfaces. In: CAV ’10: Proceedings of the 22nd International Conference on Computer Aided Verification, vol. 6174 of LNCS, pp. 629–644. Springer, Heidelberg (2010)
La Torre, S., Madhusudan, P., Parlato, G.: Sequentializing parameterized programs. In: FIT ’12: Proceedings of the Fourth Workshop on Foundations of Interface Technologies, vol. 87 of EPTCS, pp. 34–47 (2012)
Lal, A., Reps, T.W.: Reducing concurrent analysis under a context bound to sequential analysis. Form. Methods Syst. Design 35(1), 73–97 (2009)
Lal, A. Qadeer, S., Lahiri, S.K.: A solver for reachability modulo theories. In: CAV ’12: Proceedings of the 24th International Conference on Computer Aided Verification, vol. 7358 of LNCS, pp. 427–443. Springer, Heidelberg (2012)
Lynch, N.A.: Distributed algorithms. ISBN 1-55860-348-4. Morgan Kaufmann, San Francisco (1996)
Miller, M.S., Tribble, E.D., Shapiro, J.S.: Concurrency among strangers. In: TGC ’05: Proceedings of the International Symposium on Trustworthy Global Computing, vol. 3705 of LNCS, pp. 195–229. Springer, Heidelberg (2005)
Post, E.L.: A variant of a recursively unsolvable problem. Bull. Am. Math. Soc 52(4), 264–268 (1946)
Qadeer, S., Rehof, J.: Context-bounded model checking of concurrent software. In: TACAS ’05: Proceedings of the 11th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, vol. 3440 of LNCS, pp. 93–107. Springer, Heidelberg (2005)
Qadeer, S., Wu, D.: KISS: keep it simple and sequential. In: PLDI ’04: Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 14–24. ACM, New York (2004)
Reps, T.W., Horwitz, S., Sagiv, S.: Precise interprocedural dataflow analysis via graph reachability. In: POPL ’95: Proceedings of the 22th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 49–61. ACM, New York (1995)
Sen, K., Viswanathan, M.: Model checking multithreaded programs with asynchronous atomic methods. In: CAV ’06: Proceedings of the 18th International Conference on Computer Aided Verification, vol. 4144 of LNCS, pp. 300–314. Springer, Heidelberg (2006)
Sharir, M., Pnueli, A.: Two approaches to interprocedural data-flow analysis. In: Muchnick, S.S., Jones, N.D. (eds.) Program Flow Analysis: Theory and Applications, chapter 7, pp. 189–234. Prentice-Hall, Englewood Cliffs (1981)
Svensson, H., Arts, T.: A new leader election implementation. In: Erlang ’05: Proceedings of the 2005 ACM SIGPLAN Workshop on Erlang, pp. 35–39. ACM, New York (2005)
Trottier-Hebert, F.: Learn you some Erlang for great good! http://learnyousomeerlang.com/. Accessed 1 Jan 2012
Acknowledgments
We graciously thank Constantin Enea, Cezara Dragoi, Pierre Ganty, Salvatore La Torre, and the anonymous TACAS and STTT reviewers for helpful feedback.
Author information
Authors and Affiliations
Corresponding author
Additional information
Michael was supported by a post-doctoral fellowship from la Fondation Sciences Mathématiques de Paris.
Appendices
Appendix A: Syntactic extensions used in our translations
The following syntactic extensions are reducible to the original program syntax of Sect. 2.1. Here we freely assume the existence of various type- and expression-constructors. This does not present a problem since our program semantics does not restrict the language of types nor expressions.
Multiple types. Multiple type labels \(T_1,\ldots , T_j\) can be encoded by systematically replacing each \(T_i\) with the sum-type \(T = \Sigma _{i=1}^{j} T_i\). This allows local and global variables with distinct types.
Multiple variables. Additional variables x \({}_1\): \(T_1\), ..., x \({}_j\): \(T_j\) can be encoded with a single record-typed variable x: \(T\), where \(T\) is the record type
and all occurrences of \(\mathtt{{x}}_i\) are replaced by \(\mathtt{{x.f}}_i\). When combined with the extension allowing multiple types, this allows each procedure to declare any number and type of local variable parameters, distinct from the number and type of global variables.
Local variable declarations. Additional (non-parameter) local variable declarations var l’: \(T\) to a procedure \(p\) can be encoded by adding l’ to the list of parameters, and systematically adding an initialization expression (e.g., the choice expression \(^*\), or false) to the corresponding position in the list of arguments at each call site of \(p\) to ensure that l’ begins correctly (un)initialized.
Unused values. Call assignments call x := \(p\; e\), where x is not subsequently used, can be written as call _:= \(p\) \(e\), where _: \(T\) is an additional unread local variable, or simpler yet as call \(p\) \(e\).
Unused branches. if \(e\) then \(s\) else skip is abbreviated by if \(e\) then \(s\).
Increment. Increment operations \(x\)++ are encoded as \(x\) := \(x\) + 1.
Let bindings. Let bindings of the form let x: \(T\) = \(e\) in can be encoded by declaring x as a local variable var x: \(T\) immediately followed by an assignment x := \(e\). This construct is used to explicate that the value of x remains constant once initialized. The binding let x: \(T\) in is encoded by the binding let x: \(T\) = * in where * is the choice expression.
Arrays. Finite arrays with \(j\) elements of type \(T\) can be encoded as records of type \(\{\mathtt{{f}}_1: T, \ldots , \mathtt{{f}}_j: T\}\), where \(\mathtt{f}_1 \ldots \mathtt{f}_j\) are fresh names. Occurrences of terms a[i] are replaced by \(\mathtt{{a.f}}_i\), and array-expressions \([e_1, \ldots , e_j]\) are replaced by record-expressions \(\{\mathtt{{f}}_1 = e_1,\; \ldots , \mathtt{{f}}_j = e_j\}\).
Appendix B: Source code of programs analyzed in Sect. 6
Rights and permissions
About this article
Cite this article
Bouajjani, A., Emmi, M. Bounded phase analysis of message-passing programs. Int J Softw Tools Technol Transfer 16, 127–146 (2014). https://doi.org/10.1007/s10009-013-0276-z
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10009-013-0276-z