On Reachability in Parameterized Phaser Programs

We address the problem of statically checking safety properties (such as assertions or deadlocks) for parameterized phaser programs. Phasers embody a non-trivial and modern synchronization construct used to orchestrate executions of parallel tasks. This generic construct supports dynamic parallelism with runtime registrations and deregistrations of spawned tasks. It generalizes many synchronization patterns such as collective and point-to-point schemes. For instance, phasers can enforce barriers or producer-consumer synchronization patterns among all or subsets of the running tasks. We consider in this work programs that may generate arbitrarily many tasks and phasers. We study different formulations of the verification problem and propose an exact procedure that is guaranteed to terminate for some reachability problems even in the presence of unbounded phases and arbitrarily many spawned tasks. In addition, we prove undecidability results for several problems on which our procedure cannot be guaranteed to terminate.


Introduction
We focus on the parameterized verification problem of parallel programs that adopt the phasers construct for synchronization [16]. This coordination construct unifies collective and point-to-point synchronization. Parameterized verification is particularly relevant for mainstream parallel programs as the number of interdependent tasks in many applications, from scientific computing to web services or e-banking, may not be known a priori. Parameterized verification of phaser programs is a challenging problem due to the arbitrary numbers of involved tasks and phasers. In this work, we address this problem and provide an exact symbolic verification procedure. We identify parameterized problems for which our procedure is guaranteed to terminate and prove the undecidability of several variants on which our procedure cannot be guaranteed to terminate in general.
Phasers build on the clock construct from the X10 programming language [5] and are implemented in Habanero Java [4]. They can be added to any parallel programming language with a shared address space. Conceptually, phasers are synchronization entities to which tasks can be registered or unregistered. Registered tasks may act as producers, consumers, or both. Tasks can individually issue signal, wait, and next commands to a phaser they are registered to. Intuitively, a signal command is used to inform other tasks registered to the same phaser that the issuing task is done with its current phase. It increments the signal value associated to the issuing task on the given phaser. The wait command on the other hand checks whether all signal values in the phaser are greater than the number of waits issued by this task, i.e. all registered tasks have passed the issuing task's wait phase. It then increments the wait value associated to the task on the phaser. As a result, the wait command might block the issuing task until other tasks issue enough signals. The next command consists of a signal followed by a wait. The next command may be associated to a sequence of statements that are to be executed in isolation by one of the registered tasks participating in the command. A program that does not use this feature of the next statement is said to be non-atomic. A task deregisters from a phaser by issuing a drop command on it.
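The signal/wait/drop state changes just described can be sketched as follows. This is a minimal model, assuming Sig_Wait registration for every task; the class and method names are ours and do not reflect the API of any actual phaser runtime.

```python
class Phaser:
    def __init__(self):
        # per-task [wait, signal] phase pairs
        self.phases = {}

    def register(self, task):
        # a freshly created phaser registers the creator with phases (0, 0)
        self.phases[task] = [0, 0]

    def signal(self, task):
        # non-blocking: increment the issuing task's signal phase
        self.phases[task][1] += 1

    def wait_ready(self, task):
        # the wait is enabled iff every registered signal phase is
        # strictly greater than the issuing task's wait phase
        w = self.phases[task][0]
        return all(s > w for (_, s) in self.phases.values())

    def wait(self, task):
        # we only model the state change; a runtime would block the
        # issuing task until wait_ready holds
        assert self.wait_ready(task)
        self.phases[task][0] += 1

    def drop(self, task):
        # deregistration removes the task's phases entirely
        del self.phases[task]
```

For instance, with two registered tasks, a wait by the first is blocked until the second has signaled; note that a task's own signal also gates its own wait.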
The dynamic synchronization allowed by the construct suits applications that need dynamic load balancing (e.g., for solving non-uniform problems with unpredictable load estimates [18]). Dynamic behavior is enabled by the possible runtime creation of tasks and phasers and their registration/de-registration. Moreover, the spawned tasks can work in different phases, adding flexibility to the synchronization pattern. The generality of the construct makes it also interesting from a theoretical perspective, as many language constructs can be expressed using phasers. For example, synchronization barriers of Single Program Multiple Data programs, the Bulk Synchronous Parallel computation model [17], or promises and futures constructs [3] can be expressed using phasers.
This paper provides general (un)decidability results that we believe will guide verification of other synchronization constructs. We identify combinations of features (e.g., unbounded differences between signal and wait phases, atomic statements) and properties to be checked (e.g., assertions, deadlocks) for which the parameterized verification problem becomes undecidable. These help identify synchronization constructs with enough expressivity to result in undecidable parameterized verification problems. We also provide a symbolic verification procedure that terminates even on fragments with arbitrary phases and numbers of spawned tasks. We get back to possible implications in the conclusion. We summarize our contributions:
- We show an operational model for phaser programs based on [16,4,6,9].
- We propose an exact symbolic verification procedure for checking reachability of sets of configurations for non-atomic phaser programs even when arbitrarily many tasks and phasers may be generated.
- We prove undecidability results for several reachability problems.
- We show termination of our procedure when checking assertions for non-atomic programs even when arbitrarily many tasks may be spawned.
- We show termination of our procedure when checking deadlock-freedom and assertions for non-atomic programs in which the difference between signal and wait phases is bounded, even when arbitrarily many tasks may be spawned.
Related work. The closest work to ours is [9], which is the only work on automatic and static formal verification of phaser programs. The work in [9] does not consider the parameterized case. For instance, our procedure can decide whether some program assertion is violated even in the presence of arbitrarily many tasks with arbitrarily large phaser gaps. This is well beyond [9] and requires a more complex symbolic representation with a deeper termination argument. The work of [6] considers the dynamic verification of phaser programs and can therefore only be used to detect deadlocks at runtime. The work in [2] uses Java Path Finder [11] to explore all execution paths of the application. It is however also restricted to work on one concrete input at a time. A more general description of the phasers mechanism of Habanero Java has also been formalized in Coq [7].
Outline. We describe the phasers construct in Sec. 2. We then formally introduce the construct and show the associated general reachability problem to be undecidable in Sec. 3. We describe in Sec. 4 our symbolic representation and state some of its non-trivial properties. We use the representation in Sec. 5 to define a verification procedure and establish decidability results. We refine our undecidability results in Sec. 6 and summarize our findings in Sec. 7.

Fig. 1. An unbounded number of producers and consumers are synchronized using two phasers. In this construction, each consumer requires all producers to be ahead of it (wrt. the p phaser) in order for it to consume their respective products. At the same time, each consumer needs to be ahead of all producers (wrt. the c phaser) in order for the producers to be able to move to the next phase and produce new items.

Motivating example
The program listed in Fig. 1 uses Boolean shared variables B = {a, done}. The main task creates two phasers (lines 4-5). When creating a phaser, the task gets automatically registered to it. The main task also creates an unbounded number of other task instances (lines 7-8). When a task t is registered to a phaser p, a pair (w_t^p, s_t^p) in N × N can be associated to the pair (t, p). The pair represents the individual wait and signal phases of task t on phaser p.
Registration of a task to a phaser can occur in one of three modes: Sig Wait, Wait and Sig. In Sig Wait mode, a task may issue both signal and wait commands. In Wait mode, a task may only issue wait commands on the phaser. Finally, when registered in Sig mode, a task may only issue signal commands. Issuing a signal command by a task on a phaser results in the task incrementing its signal phase associated to the phaser. This command is non-blocking. On the other hand, issuing a wait command by a task on a phaser p will block until all tasks registered to p get signal values on p that are strictly larger than the wait value of the issuing task on the same phaser. In this case, the wait phase of the issuing task is incremented. Intuitively, a signal command allows the issuing task to state that other tasks need not wait for it to complete its signal phase. Conversely, a wait command allows a task to make sure all registered tasks have moved past its wait phase.
Upon creation of a phaser, wait and signal phases are initialized to 0 (except in Wait mode where no signal phase is associated to the task in order to not block other waiters). The only other way a task may get registered to a phaser is if an already registered task spawns and registers it in the same mode (or in Wait or Sig if the registrar is registered in Sig Wait). In this case, wait and signal phases of the newly registered task are initialized to those of the registrar. Tasks are therefore dynamically registered (e.g., lines 7-8). They can also dynamically deregister themselves (e.g., lines 10-11).
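The registration-by-spawning rule (the spawnee's phases are initialized to those of the registrar) can be sketched as follows, with phasers modeled as plain maps from task names to [wait, signal] pairs; the representation and helper names are ours.

```python
def new_phaser(creator):
    # creation registers the creator with phases (0, 0)
    return {creator: [0, 0]}

def asynch(registrar, spawnee, phasers):
    # the spawnee is registered on each passed phaser with a copy of
    # the registrar's current phases (the only other way to register)
    for ph in phasers:
        ph[spawnee] = list(ph[registrar])  # copy, not alias

p = new_phaser("main")
p["main"] = [2, 3]            # pretend main advanced to wait 2, signal 3
asynch("main", "child", [p])  # child starts with phases (2, 3) on p
```

After the spawn, the two task instances advance their phases independently; copying (rather than aliasing) the pair models this.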
In this example, an unbounded number of producers and consumers are synchronized using two phasers. Consumers require producers to be ahead of them (wrt. the phaser they point to with p) in order for them to consume their products. At the same time, consumers need to be ahead of all producers (wrt. the phaser pointed to with c) in order for these to produce their items. It should be clear that phasers can be used as barriers for synchronizing dynamic subsets of concurrent tasks. Observe that tasks need not, in general, proceed in a lock step fashion. The difference between the largest signal value and the smallest wait value can be arbitrarily large (several signals before waits catch up). Tasks have then more flexibility to proceed at their own speeds.
We are interested in checking: (a) control reachability as in assertions (e.g., line 20), race conditions (e.g., mutual exclusion of lines 20 and 33) or registration errors (e.g., signaling a dropped phaser), and (b) plain reachability as in deadlocks (e.g., a producer at line 19 and a consumer at line 30 with equal phases waiting for each other). Intuitively, both problems concern themselves with the reachability of target sets of program configurations. The difference is that control reachability defines the targets with the states of the tasks (their control locations and whether they are registered to some phasers). Plain reachability can, in addition, constrain values of the phases in the target configurations (e.g., requiring equality between wait and signal values for deadlocks). Observe that control reachability depends on the values of the actual phases, but these values are not used to define the target sets. For example, assertions are expressed as predicates over Boolean variables (e.g., line 20). Validity of such assertions may depend on respecting phasers synchronizations.

Phaser programs and reachability
We define the syntax and semantics of a core phaser program language. We make sure the simplified language presented here is representative of general-purpose languages using phasers so that our results have a practical impact. A phaser program prg = (B, V, T) involves a set T of tasks including a unique "main" task main(){stmt}. Arbitrarily many instances of each task might be spawned during a program execution. All task instances share a set B of Boolean variables and make use of a set V of phaser variables that are local to individual task instances. Arbitrarily many phasers might also be generated during program execution. The syntax of programs is as follows.
Initially, a unique task instance starts executing the main(){stmt} task. A phaser can recall a pair of values (i.e., wait and signal) for each task instance registered to it. A task instance can create a new phaser with v = newPhaser(), get registered to it (i.e., gets zero as wait and signal values associated to the new phaser) and refer to the phaser with its local variable v. We simplify the presentation by assuming all registrations to be in Sig Wait mode. Including the other modes is a matter of depriving Wait-registered tasks of a signal value (to ensure they do not block other registered tasks) and of ensuring issued commands respect registration modes. We use V for the union of all local phaser variables. A task task(v_1, ..., v_k){stmt} in T takes the phaser variables v_1, ..., v_k as parameters (we write paramOf(task) to mean these parameters). A task instance can spawn another task instance with asynch(task, v_1, ..., v_n). The issuing task instance registers the spawned task to the phasers pointed to by v_1, ..., v_n, with its own wait and signal values. Spawner and spawnee execute concurrently. A task instance can deregister itself from a phaser with v.drop().
A task instance can issue signal or wait commands on a phaser referenced by v and on which it is registered. A wait command on a phaser blocks until the wait value of the task instance executing the wait on the phaser is strictly smaller than the signal value of all task instances registered to the phaser. In other words, v.wait() blocks if v points to a phaser such that at least one of the signal values stored by the phaser is equal to the wait value of the task that tries to perform the wait. A signal command does not block. It only increments the signal value of the task instance executing the signal command on the phaser. v.next() is syntactic sugar for a signal followed by a wait. Moreover, v.next(){stmt} is similar to v.next() but the block of code stmt is executed atomically by exactly one of the tasks participating in the synchronization before all tasks continue the execution that follows the barrier. v.next(){stmt} thus requires all tasks to be synchronized on exactly the same statement and is less flexible. Absence of a v.next(){stmt} makes a program non-atomic.
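The desugaring of v.next() into a signal followed by a wait can be illustrated with one lock-step barrier round. The sketch below assumes all tasks are registered in Sig Wait mode and reach the barrier together (a sequential rendering of one possible interleaving, with our own names):

```python
def signal(ph, t):
    # non-blocking increment of t's signal phase
    ph[t][1] += 1

def wait_enabled(ph, t):
    # enabled iff all registered signals exceed t's wait phase
    return all(s > ph[t][0] for (_w, s) in ph.values())

def wait(ph, t):
    assert wait_enabled(ph, t)
    ph[t][0] += 1

def next_round(ph, tasks):
    # v.next() = v.signal(); v.wait(): once every task has signaled,
    # every task's wait is enabled and the barrier round completes
    for t in tasks:
        signal(ph, t)
    for t in tasks:
        wait(ph, t)

ph = {"t1": [0, 0], "t2": [0, 0]}
next_round(ph, ["t1", "t2"])
```

If a task instead waited before the other had signaled, its wait would be disabled; this is exactly why separating signal from wait (rather than always using next) lets tasks run several phases ahead.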
Note that assignment of phaser variables is excluded from the syntax; additionally, we restrict task creation asynch(task, v 1 , . . . , v n ) and require that parameter variables v i are all different. This prevents two variables from pointing to the same phaser and avoids the need to deal with aliasing: we can reason on the single variable in a process that points to a phaser. Extending our work to deal with aliasing is easy but would require heavier notations.
We will need the notions of configurations, partial configurations and inclusion in order to define the reachability problems we consider in this work. We introduce them in the following and assume a phaser program prg = (B, V, T).
Configurations. Configurations of a phaser program describe valuations of its variables, control sequences of its tasks and registration details to the phasers. Control sequences. We define the set Suff of control sequences of prg to be the set of suffixes of all sequences stmt appearing in some statement task(...){stmt}. In addition, we define UnrSuff to be the smallest set containing Suff in addition to the suffixes of all (i) s_1; while(cond){s_1}; s_2 if while(cond){s_1}; s_2 is in UnrSuff, and of all (ii) s_1; s_2 if if(cond){s_1}; s_2 is in UnrSuff, and of all (iii) s_1; v.next(){}; s_2 if v.next(){s_1}; s_2 is in UnrSuff, and finally of all (iv) v.signal(); v.wait(); s_2 if v.next(){}; s_2 is in UnrSuff. We write hd(s) and tl(s) to respectively mean the head and the tail of a sequence s. Partial configurations. Partial configurations allow the characterization of sets of configurations by partially stating some of their common characteristics. A partial configuration c of prg = (B, V, T) is a tuple (T, P, bv, seq, phase) where:
-T is a finite set of task identifiers. We let t, u range over the values in T.
-P is a finite set of phaser identifiers. We let p, q range over the values in P.
-bv : B → B ∪ {*} is a valuation of the shared Boolean variables.
-seq : T → UnrSuff ∪ {*} associates a control sequence to each task in T.
-phase is a mapping that associates to each task t in T a partial mapping stating which phasers are known by the task and with which registration values.
Intuitively, partial configurations are used to state some facts about the valuations of variables and the control sequences of tasks and their registrations. Partial configurations leave some details unconstrained using partial mappings or the symbol *. For instance, if bv(b) = * in a partial configuration (T, P, bv, seq, phase), then the partial configuration does not constrain the value of the shared variable b. Moreover, a partial configuration does not constrain the relation between a task t and a phaser p when phase(t)(p) is undefined. Instead, when the partial mapping phase(t) is defined on phaser p, it associates a pair phase(t)(p) = (var, val) to p. If var ∈ V ∪ {−, *} is a variable v ∈ V then the task t in T uses its variable v to refer to the phaser p in P. If var is the symbol − then the task t does not refer to p with any of its variables in V. If var is the symbol *, then the task might or might not refer to p. The value val in phase(t)(p) = (var, val) is either the value nreg or a pair (w, s). The value nreg means the task t is not registered to phaser p. The pair (w, s) belongs to (N × N) ∪ {(*, *)}. In this case, task t is registered to phaser p with a symbolic wait phase w and a symbolic signal phase s. The value * means that the wait phase w (resp. signal phase s) can be any value in N. For instance, phase(t)(p) = (v, nreg) means variable v of the task t refers to phaser p but the task is not registered to p. On the other hand, phase(t)(p) = (−, (*, *)) means the task t does not refer to p but is registered to it with arbitrary wait and signal phases. Concrete configurations. A concrete configuration (or configuration for short) is a partial configuration (T, P, bv, seq, phase) where phase(t) is total for each t ∈ T and where the symbol * does not appear in any range. It is a tuple (T, P, bv, seq, phase) where bv : B → B, seq : T → UnrSuff, and phase(t) : P → (V ∪ {−}) × ({nreg} ∪ (N × N)) for each t ∈ T.
For a concrete configuration (T, P, bv, seq, phase), we write isReg(phase, t, p) to mean the predicate phase(t)(p) ∉ (V ∪ {−}) × {nreg}. The predicate isReg(phase, t, p) captures whether the task t is registered to phaser p according to the mapping phase. Inclusion of configurations. A configuration c′ = (T′, P′, bv′, seq′, phase′) includes a partial configuration c = (T, P, bv, seq, phase) if renaming and deleting tasks and phasers from c′ can give a configuration that "matches" c. More formally, c′ includes c if (bv(b) ≠ bv′(b)) =⇒ (bv(b) = *) for each b ∈ B and there are injections τ : T → T′ and π : P → P′ s.t. for each t ∈ T and p ∈ P: (1) (seq(t) ≠ seq′(τ(t))) =⇒ (seq(t) = *), and either (2.a) phase(t)(p) is undefined, or (2.b) phase(t)(p) = (var, val) and phase′(τ(t))(π(p)) = (var′, val′) with ((var ≠ var′) =⇒ (var = *)) and either (val = val′ = nreg) or val = (w, s) and val′ = (w′, s′) with ((w ≠ w′) =⇒ (w = *)) and ((s ≠ s′) =⇒ (s = *)).
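For finite configurations, inclusion can be decided by brute force over the candidate injections. The sketch below omits bv and seq for brevity and uses our own representation of phase entries: (var, val) pairs where val is 'nreg' or a (wait, signal) pair whose components may be '*'.

```python
from itertools import permutations

def match(x, y):
    # a partial value x matches a concrete value y if equal or x is '*'
    return x == y or x == '*'

def match_val(pv, cv):
    # pv is 'nreg' or a (wait, signal) pair with possible '*' entries
    if pv == 'nreg' or cv == 'nreg':
        return pv == cv
    return match(pv[0], cv[0]) and match(pv[1], cv[1])

def includes(conc, part):
    # conc = (tasks, phasers, phase) is concrete, part is partial;
    # search for injections tau (tasks) and pi (phasers)
    (Tc, Pc, phc), (Tp, Pp, php) = conc, part
    for ts in permutations(sorted(Tc), len(Tp)):
        tau = dict(zip(sorted(Tp), ts))
        for ps in permutations(sorted(Pc), len(Pp)):
            pi = dict(zip(sorted(Pp), ps))
            if all(php[t].get(p) is None or
                   (match(php[t][p][0], phc[tau[t]][pi[p]][0]) and
                    match_val(php[t][p][1], phc[tau[t]][pi[p]][1]))
                   for t in Tp for p in Pp):
                return True
    return False
```

The enumeration is exponential in the size of the partial configuration, which is acceptable here since target partial configurations are small.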
Semantics and reachability. Given a program prg = (B, V, T), the main task main(){stmt} starts executing stmt from an initial configuration c_init = (T_init, P_init, bv_init, seq_init, phase_init) where T_init is a singleton, P_init is empty, bv_init sends all shared variables to false and seq_init associates stmt to the unique task in T_init. We write c → c′ to mean that some task can take the program in one step from configuration c to configuration c′; the rules are given in Fig. 2. For instance, the rule for hd(seq(t)) = (v := newPhaser()) adds a fresh phaser to P, registers t to it with phases (0, 0), and replaces seq(t) by tl(seq(t)).

Fig. 2. Operational semantics of phaser statements without errors. Each transition corresponds to a task t ∈ T executing a statement from a configuration (T, P, bv, seq, phase). For instance, the drop transition corresponds to a task t executing v.drop() when registered to phaser p ∈ P (with phases (w, s)) and referring to it with variable v. The result is the same configuration where task t moves to its next statement without being registered to p (albeit still referring to p with v).
Fig. 3. Definition of error configurations. Starting from (T, P, bv, seq, phase), error configurations are obtained when tasks execute statements under certain conditions. An assertion error is obtained when a task t is about to execute assert(cond) (i.e., hd(seq(t)) = assert(cond)) while cond evaluates to false under bv. A race error is obtained when a task t is about to write a shared variable b′ (i.e., hd(seq(t)) = (b′ := cond′)) while another task u is about to execute a statement hd(seq(u)) ∈ {b := cond, if(cond){stmt}, while(cond){stmt}, assert(cond)} in which b′ coincides with b or appears in cond. A deadlock is obtained if the tasks in a subset {t_0, ..., t_n} ⊆ T form a cycle where each t_i blocks (with its signal phase s′_i) the wait being executed by t_{(i+1) mod (n+1)}.

We are interested in the reachability of sets of configurations (i.e., checking safety properties). We differentiate between two reachability problems depending on whether the target sets of configurations constrain the registration phases or not. The plain reachability problem constrains the registration phases of the target configurations. The control reachability problem only constrains registration status, control sequences, or variable values. We will see that decidability of the two problems can be different. The two problems are defined in the following. Plain reachability. First, we define equivalent configurations. A configuration c = (T, P, bv, seq, phase) is equivalent to a configuration c′ = (T′, P′, bv′, seq′, phase′) if bv = bv′ and there are bijections τ : T → T′ and π : P → P′ such that, for all t ∈ T, p ∈ P and var ∈ V ∪ {−}, seq(t) = seq′(τ(t)) and there are some integers (k_p)_{p∈P} such that phase(t)(p) = (var, (w, s)) iff phase′(τ(t))(π(p)) = (var, (w + k_p, s + k_p)). We write c ∼ c′ to mean that c and c′ are equivalent. Intuitively, equivalent configurations simulate each other.
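With tasks and phasers already matched by the bijections, equivalence amounts to checking that on each phaser all (wait, signal) pairs differ by one constant k_p. A sketch over fixed identifiers (the representation is ours):

```python
def shift_equivalent(phase1, phase2, tasks, phasers):
    # phase maps: task -> phaser -> (wait, signal)
    for p in phasers:
        shifts = set()
        for t in tasks:
            (w1, s1), (w2, s2) = phase1[t][p], phase2[t][p]
            if w2 - w1 != s2 - s1:
                return False  # wait and signal must shift by the same k_p
            shifts.add(w2 - w1)
        if len(shifts) > 1:
            return False      # a single k_p per phaser, across all tasks
    return True
```

Shifting all phases on a phaser by the same constant preserves which waits are enabled, which is why equivalent configurations simulate each other.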
Observe that if the wait value of a task t on a phaser p is equal to the signal value of a task t′ on the same phaser p in some configuration c, then this is also the case, up to a renaming of the phasers and tasks, in all equivalent configurations. This is particularly relevant for defining deadlock configurations where a number of tasks are waiting for each other. The plain reachability problem is given a program and a target partial configuration and asks whether a configuration (equivalent to a configuration) that includes the target partial configuration is reachable. More formally, given a program prg and a partial configuration c, let c_init be the initial configuration of prg; then reach(prg, c) if and only if c_init →* c_1 for some c_1 ∼ c_2 where c_2 includes c.
Definition 1 (Plain reachability). For a program prg and a partial configuration c, decide whether reach(prg, c) holds.
Control reachability. A partial configuration c = T , P , bv, seq, phase is said to be a control partial configuration if for all t ∈ T and p ∈ P , either phase(t)(p) is undefined or phase(t)(p) ∈ (V {−, * } × {( * , * ) , nreg}). Intuitively, control partial configurations do not constrain phase values. They are enough to characterize, for example, configurations where an assertion is violated (see Fig. 3).
Definition 2 (Control reachability). For a program prg and a control partial configuration c, decide whether reach(prg, c) holds.
Observe that plain reachability is at least as hard to answer as control reachability since any control partial configuration is also a partial configuration. It turns out that the control reachability problem is undecidable for programs resulting in arbitrarily many tasks and phasers, as stated by the theorem below. This is proven by reduction from the state reachability problem for 2-counter Minsky machines. A 2-counter Minsky machine (S, {x_1, x_2}, Δ, s_0, s_F) has a finite set S of states, two counters {x_1, x_2} with values in N, an initial state s_0 and a final state s_F. Transitions may increment, decrement, or test a counter. For example, (s_0, test(x_1), s_F) takes the machine from s_0 to s_F if the counter x_1 is zero.
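To make the reduction target concrete, here is a minimal interpreter sketch for such machines. The representation is ours, and we assume a deterministic machine (at most one enabled transition per state) for simplicity.

```python
def run(transitions, s0, sF, fuel=1000):
    # transitions: list of (src, (op, i), dst) with op in
    # {"inc", "dec", "test"} and i in {0, 1} selecting the counter;
    # "test" fires only when the counter is zero, "dec" only when
    # it is positive. Returns (reached_sF, final_counters).
    s, c = s0, [0, 0]
    for _ in range(fuel):
        if s == sF:
            return True, c
        enabled = []
        for (src, (op, i), dst) in transitions:
            if src != s:
                continue
            if op == "inc":
                enabled.append((dst, i, +1))
            elif op == "dec" and c[i] > 0:
                enabled.append((dst, i, -1))
            elif op == "test" and c[i] == 0:
                enabled.append((dst, i, 0))
        if not enabled:
            return False, c
        s, i, d = enabled[0]
        c[i] += d
    return False, c
```

In the reduction, each counter value is instead encoded by the length of a chain of task instances, and the zero test is what forces the phaser program to use its synchronization power.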

Theorem 2. Control reachability is undecidable in general.
Proof sketch. State reachability of an arbitrary 2-counter Minsky machine is encoded as the control reachability problem of a phaser program (captured in Fig. 4). The phaser program has three tasks main, xUnit and yUnit. It uses Boolean shared variables to encode the state s ∈ S and to pass information between different task instances. The phaser program builds two chains, one with xUnit instances for the x-counter, and one with yUnit instances for the y-counter. Each chain alternates a phaser and a task and encodes the value of its counter with its length. The idea is to have the phaser program simulate all transitions of the counter machine, i.e., increments, decrements and tests for zero. Answering state reachability of the counter machine amounts to checking whether there are reachable configurations where the Boolean variables encoding the counter machine can evaluate to the target machine state s_F. This can be captured with a control partial configuration.

A gap-based symbolic representation
The symbolic representation we propose builds on the following intuitions. First, observe that the language semantics impose, for each phaser, the invariant that signal values are always larger than or equal to wait values. We can therefore assume this fact in our symbolic representation. In addition, our reachability problems from Sec. 3 are defined in terms of reachability of equivalence classes, not of individual configurations. This is because configurations violating the considered properties (see Fig. 3) are not defined in terms of concrete phase values but rather in terms of relations among them (in addition to the registration status, control sequences and variable values). Finally, we observe that if a wait is enabled with smaller gaps on a given phaser, then it will be enabled with larger ones. We therefore propose to track the gaps between signal and wait values wrt. an existentially quantified level (per phaser) that lies between the wait and signal values of all tasks registered to the considered phaser. We formally define our symbolic representation and describe a corresponding entailment relation. We also establish a desirable property (namely that of being a well-quasi-ordering) on some classes of representations. This property is crucial for the decidability of certain reachability problems (see Sec. 5).
Named gaps. A named gap is associated to a task-phaser pair. It consists of a tuple (var, val) where var ∈ V ∪ {−, *} plays the same role as in partial configurations. The value val describes the registration of the task to the phaser. If the task is registered, then val is a 4-tuple (lw, ls, uw, us). This intuitively captures, together with some level l common to all tasks registered to the considered phaser, all concrete wait and signal values (w, s) satisfying lw ≤ (l − w) ≤ uw and ls ≤ (s − l) ≤ us. A named gap (var, (lw, ls, uw, us)) is said to be free if uw = us = ∞. It is said to be B-gap-bounded, for B ∈ N, if both uw ≤ B and us ≤ B hold. We write G for the set of all named gaps. A set G ⊆ G is said to be free (resp. B-gap-bounded) if all its named gaps are free (resp. B-gap-bounded). The set G is said to be B-good if each one of its named gaps is either free or B-gap-bounded. Finally, G is said to be good if it is B-good for some B ∈ N. Given a set G of named gaps, we define the partial order ⊑ on G, and write (var, val) ⊑ (var′, val′), to mean (i) (var ≠ var′) ⇒ (var = *), and (ii) (val = nreg) ⇐⇒ (val′ = nreg), and (iii) if val = (lw, ls, uw, us) and val′ = (lw′, ls′, uw′, us′) then lw ≤ lw′, ls ≤ ls′, uw′ ≤ uw and us′ ≤ us. Intuitively, named gaps are used in the definition of constraints in order to capture relations (i.e., reference, registration and possible phases) of tasks and phasers. The partial order (var, val) ⊑ (var′, val′) ensures the relations allowed by (var′, val′) are also allowed by (var, val).
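The order ⊑ on named gaps can be sketched as follows, with inf encoding the free upper bounds and the string 'nreg' marking deregistration; the representation is ours.

```python
from math import inf

def gap_leq(g1, g2):
    # (var, val) order: g1 is below g2 when every relation allowed by
    # g2 is also allowed by g1
    (var1, val1), (var2, val2) = g1, g2
    if var1 != var2 and var1 != "*":
        return False                    # (i) variables match or var1 is *
    if (val1 == "nreg") != (val2 == "nreg"):
        return False                    # (ii) same registration status
    if val1 == "nreg":
        return True
    (lw1, ls1, uw1, us1), (lw2, ls2, uw2, us2) = val1, val2
    # (iii) the [lw, uw] x [ls, us] box of g1 contains that of g2
    return lw1 <= lw2 and ls1 <= ls2 and uw2 <= uw1 and us2 <= us1
```

For example, the fully unconstrained gap ("*", (0, 0, inf, inf)) is below every registered named gap, since it allows every phase relation.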

Constraints.
A constraint φ of prg = (B, V, T) is a tuple (T, P, bv, seq, gap, egap) that denotes a possibly infinite set of configurations. Intuitively, T and P respectively represent a minimal set of tasks and phasers that are required in any configuration denoted by the constraint. In addition: bv : B → B ∪ {*} and seq : T → UnrSuff ∪ {*} respectively represent, like for partial configurations, a valuation of the Boolean variables and a mapping of tasks to their control sequences. gap : T → totalFunctions(P, G) constrains relations between T-tasks and P-phasers by associating to each task t a mapping gap(t) that defines for each phaser p a named gap (var, val) ∈ G capturing the relation of t and p. egap : P → N × N associates lower bounds (ew, es) on gaps of tasks that are registered to P-phasers but which are not explicitly captured by T. This is described further in the denotations of a constraint below.
We write isReg(gap, t, p) to mean that the task t is registered to the phaser p according to the mapping gap. The dimension of a constraint is the number of its phasers (i.e., |P|). A set of constraints Φ is said to be free, B-gap-bounded, B-good or K-dimension-bounded if each of its constraints is.
Intuitively, the configuration c should have at least as many tasks (captured by a surjection τ from a subset T^1_c of T_c to T_φ) and phasers (captured by a bijection π from a subset P^1_c of P_c to P_φ). Constraints on the tasks and phasers in T^1_c and P^1_c ensure target configurations are reachable. Additional constraints on the tasks in T^2_c = T_c \ T^1_c ensure this reachability is not blocked by tasks not captured by T_φ. More formally:
1. (bv_φ(b) ≠ bv_c(b)) =⇒ (bv_φ(b) = *) for each b ∈ B, and
2. T_c and P_c can be written as T_c = T^1_c ⊎ T^2_c and P_c = P^1_c ⊎ P^2_c, with
3. τ : T^1_c → T_φ a surjection and π : P^1_c → P_φ a bijection, and
4. (seq_φ(τ(t_c)) ≠ seq_c(t_c)) =⇒ (seq_φ(τ(t_c)) = *) for each t_c ∈ T^1_c, and
5. for each p_φ = π(p_c), there is a natural level l : 0 ≤ l such that: if gap_φ(τ(t_c))(p_φ) = (var_φ, val_φ) and phase_c(t_c)(p_c) = (var_c, val_c) for some t_c ∈ T^1_c, then it is the case that:
i. (var_c ≠ var_φ) =⇒ (var_φ = *), and
ii. (val_c = nreg) ⇐⇒ (val_φ = nreg), and
iii. if (val_c = (w, s)) and (val_φ = (lw, ls, uw, us)) then lw ≤ l − w ≤ uw and ls ≤ s − l ≤ us;
and moreover, if a task t_c ∈ T^2_c is registered to p_c with phases (w, s) and egap_φ(p_φ) = (ew, es), then ew ≤ l − w and es ≤ s − l.
We say in this case that τ and π witness the denotation of c by φ. Intuitively, for each phaser, the bounds given by gap constrain the values of the phases belonging to tasks captured by T φ (i.e., those in T 1 c ) and registered to the given phaser. This is done with respect to some non-negative level, one per phaser. The same level is used to constrain phases of tasks registered to the phaser but not captured by T φ (i.e., those in T 2 c ). For these tasks, lower bounds are enough as we only want to ensure they do not block executions to target sets of configurations.
This will ensure that configurations denoted by φ_b are also denoted by φ_a. Intuitively, φ_b should have at least as many tasks (captured by a surjection τ from a subset T^1_b of T_b to T_a) and phasers (captured by a bijection π from a subset P^1_b of P_b to P_a). Conditions on tasks and phasers in T^1_b and P^1_b ensure the conditions in φ_a are met. Additional conditions on the tasks in T^2_b = T_b \ T^1_b ensure at least the egap_a conditions in φ_a are met. We say in this case that τ and π witness the entailment of φ_a by φ_b.
Proof. Assume a configuration c = (T_c, P_c, bv_c, seq_c, phase_c) is denoted by φ_b. We show c is also denoted by φ_a.
By assumption, we can write T_c as a partition T^m_c ⊎ T^e_c and P_c as a partition P^m_c ⊎ P^e_c. We write τ to mean the restriction of τ_φ ∘ τ_c to T^{m,m}_c. Observe that τ is a well-defined surjection. In addition, we write π to mean the restriction of π_φ ∘ π_c to P^{m,m}_c. Observe that π is a well-defined bijection. We show that τ and π witness the denotation of c by φ_a. The remaining part of this section aims to establish the following theorem, namely that entailment is a well-quasi-ordering (WQO) on good and dimension-bounded sets of constraints. The idea is to propose an encoding for each constraint φ = (T, P, bv, seq, gap, egap) wrt. some arbitrary total orders <_P and <_T. We write enc(φ, <_T, <_P) for the encoding of φ. We also define an entailment relation ⊑_e on encodings. Then, we show in Lem. 7 that enc(φ, <_T, <_P) ⊑_e enc(φ′, <_T′, <_P′) implies φ ⊑ φ′. Finally, we show in Lem. 8 that ⊑_e is a WQO if the encoded K-dimension-bounded constraints are B-good for some pre-defined K, B ∈ N. We start with the named gaps. It is not difficult to show the following lemma:
Lemma 3. If G is a good set of named gaps then (G, ⊑) is a WQO.
A task state of dimension K is any tuple in (UnrSuff × G K ), where K is a natural in N (corresponding to the number of phasers in the constraint to be encoded). We write (s, g 1 , . . . , g K ) ⪯ (s ′ , g ′ 1 , . . . , g ′ K ′ ) for two task states to mean that they have the same dimension (i.e., K = K ′ ), that (s = s ′ ⇒ s = * ), and that g k ⪯ g ′ k for each k : 1 ≤ k ≤ K. Using Higman's lemma [12] and Lem. 3, we can show the following:

Let M (UnrSuff × G K ) be the set of finite multisets over (UnrSuff × G K ). We write A ⪯ ∀∃ B, for A and B two multisets in M (UnrSuff × G K ), if each element a ∈ A can be mapped to an element b ∈ B for which a ⪯ b. By adapting Higman's lemma [12] and using Lem. 4, we can show the following lemma:

We write A ⪯ ∃∀ B, for A and B finite multisets in M (UnrSuff × G K ), to mean that each b ∈ B can be mapped to some a ∈ A for which a ⪯ b. Rado's structure [13,14] shows that (M (S), ⪯ ∃∀ ) need not be WQO just because ⪯ is WQO over S. Still, we establish the following result:

Proof. We proceed by contradiction. Assume, without loss of generality, an infinite ⪯ ∃∀ -bad sequence A i1 , A i2 , . . . such that (a) the sequence is ⪯-monotone, (b) each j-sequence has a constant control, i.e., s ¬j = s ¬j i1 = s ¬j i2 = . . ., and (c) for each dimension k : 1 ≤ k ≤ K, the projection of a j-sequence a ¬j i1 a ¬j i2 a ¬j i3 . . . on k is either constant or strictly increasing. We rename the sequence A i1 , A i2 , . . . into A 1 , A 2 , . . . . We obtain a ⪯ ∃∀ -bad sequence A 1 , A 2 , . . . of ⪯-minimal sets satisfying the constraints depicted in the following figure: 1. For any i, j : 1 ≤ j < i, a ¬j i ∈ A i and a j ⋠ a ¬j i for any a j ∈ A j . 2. For any i, i ′ , j : . . . Using observations (1) and (2), we can extract a sequence j 1 , j 2 , . . . of j-sequences that is increasing on each dimension in D (i.e., j a ≤ j b =⇒ b ja (k) ≤ b j b (k) for each k ∈ D).
In order for observation (3) to hold (i.e., a ¬j ′ i ′ ⋠ a ¬j i for any i, j, j ′ : 1 ≤ j ′ < j < i and i ′ : j ≤ i ′ ), we need some dimensions on which the j-sequences (a ¬j i ) j 1 ,j 2 ,... do not increase; these would be the dimensions in {1, . . . , K} \ D. But on these dimensions, (a ¬j i ) i:1,2,... is strictly increasing with i. This again contradicts observation (3).
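The two multiset orderings used in this section can be illustrated concretely. The Python sketch below checks the "each element of A is dominated by some element of B" (∀∃) and "each element of B dominates some element of A" (∃∀) conditions over plain naturals; it deliberately ignores multiplicities and the task-state structure, and all names are ours.

```python
def forall_exists(A, B, leq):
    # A below B: every element of A can be mapped to
    # an element of B that dominates it.
    return all(any(leq(a, b) for b in B) for a in A)

def exists_forall(A, B, leq):
    # A below B: every element of B dominates
    # some element of A.
    return all(any(leq(a, b) for a in A) for b in B)

leq_nat = lambda a, b: a <= b

A, B = [1, 3], [2, 4, 5]
assert forall_exists(A, B, leq_nat)       # 1 and 3 are both dominated
assert exists_forall(A, B, leq_nat)       # 2, 4 and 5 each dominate 1
assert not forall_exists([6], B, leq_nat) # 6 is dominated by nothing in B
```

Rado's structure mentioned above is precisely a witness that the ∃∀ variant does not inherit well-quasi-orderedness from the base order in general.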
Lem. 6 will be used in Lem. 8 to show that an entailment relation on encodings of K-dimension-bounded and B-good constraints corresponds to a relation stronger than ⊑ and is WQO, hence establishing Thm. 3. First, we introduce constraint encodings and an entailment relation on them.
Encodings of constraints. Given a finite set Q and an associated total order < Q , we write Q [i] ∈ Q to mean the element of Q with < Q -index i ∈ {1, . . . , |Q|}. For instance, given a finite set of phasers P and an associated total order < P , we write P [k] to mean the phaser with < P -index k in P . The encoding of a constraint φ = T , P , bv, seq, gap, egap with respect to total orders < P and < T , written enc(φ, < T , < P ), is a tuple (bv, acc, env ). Observe that if two constraints result in the same encoding, then they can be obtained from each other by renaming the tasks and the phasers. As a consequence, if a constraint is free (resp. B-gap-bounded or B-good), then all constraints resulting in the same encoding will also be free (resp. B-gap-bounded or B-good). We define the dimension of an encoding (bv, acc, env ) to be the size of the domain of env (i.e., the dimension of an encoded constraint). A (possibly infinite) set of encodings E is said to be free (resp. B-gap-bounded or B-good) if all constraints encoded by any of its elements are free (resp. B-gap-bounded or B-good). The set is said to be K-dimension-bounded if there is a natural K ∈ N that is larger than the dimension of any of its elements.

Lemma 8. (E, ⊑ e ) is WQO if the set E of encodings is K-dimension-bounded
and B-good for some pre-defined K, B ∈ N.
Proof. Assume a K-dimension-bounded set E of B-good encodings and an infinite sequence S 1 = (bv 1 , acc 1 , env 1 ), (bv 2 , acc 2 , env 2 ), . . . . We show the existence of i, j : 1 ≤ i < j for which (bv i , acc i , env i ) ⊑ e (bv j , acc j , env j ). Dimension-boundedness of E ensures there are infinitely many encodings in S 1 with the same dimension, say K. We extract the subsequence S 2 consisting of all encodings with dimension K in S 1 . In addition, observe that the set of possible valuations of the Boolean variables is finite. We can therefore extract from S 2 an infinite subsequence S 3 where all elements share the same valuation of the Boolean variables. Let us rewrite S 3 , for simplicity, as the sequence (bv 1 , acc 1 , env 1 ), (bv 2 , acc 2 , env 2 ), . . . . For each i : 1 ≤ i, we can represent the mapping env i as the tuple (env i (1), env i (2), . . . , env i (K)) in (N 2 ) K . Using Higman's lemma, we can extract from S 3 a subsequence S 4 , also renamed to (bv 1 , acc 1 , env 1 ), (bv 2 , acc 2 , env 2 ), . . . for simplicity, where env i (k) ≤ env j (k) (component-wise) for any i, j : 1 ≤ i < j and k : 1 ≤ k ≤ K.
For each mapping acc i : {1, . . . , L i } → (UnrSuff × G K ) in S 4 , we write m acc i to mean the multiset over (UnrSuff × G K ) where the number of occurrences of an element (s, g 1 , . . . , g K ) coincides with the number of indices j in {1, . . . , L i } for which acc i (j) = (s, g 1 , . . . , g K ). Consider the sequence m acc 1 , m acc 2 , m acc 3 , . . . of elements in M (UnrSuff × G K ). Using the fact that E is B-good together with Lemmas 5 and 6, we deduce the existence of i, j : i < j for which m acc i ⪯ ∀∃ m acc j and m acc i ⪯ ∃∀ m acc j . We can therefore build a surjection h : {1, . . . , L j } → {1, . . . , L i } such that acc i (h(l)) ⪯ acc j (l) for each l in {1, . . . , L j }.
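The final step, building the surjection h, can be made concrete on small instances. The Python sketch below searches exhaustively for such a surjection between two small sequences; the names and the brute-force strategy are ours — the lemma itself derives existence from the ∀∃ and ∃∀ relations rather than by search.

```python
from itertools import product

def find_surjection(acc_i, acc_j, leq):
    """Brute-force search for a surjection h from the indices of acc_j
    onto the indices of acc_i with acc_i[h[l]] below acc_j[l] for all l."""
    Li, Lj = len(acc_i), len(acc_j)
    for h in product(range(Li), repeat=Lj):
        surjective = set(h) == set(range(Li))
        dominated = all(leq(acc_i[h[l]], acc_j[l]) for l in range(Lj))
        if surjective and dominated:
            return h
    return None

# Over naturals: [1, 2] sits below [2, 3, 5] in both the forall-exists
# and the exists-forall sense, and a witnessing surjection exists.
assert find_surjection([1, 2], [2, 3, 5], lambda a, b: a <= b) is not None
assert find_surjection([4], [1], lambda a, b: a <= b) is None
```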

A symbolic verification procedure
We use the constraints from Sec. 4 as a symbolic representation in the adaptation of the classical working-list based backward procedure described below. This procedure corresponds to an instantiation of the framework of Well-Structured-Transition-Systems [1,8]. The procedure takes as arguments a program prg and a ⊑-minimal set Φ of constraints denoting the targeted set of configurations. Such sets can be easily built from the partial configurations described in Fig. 3.
The predecessor computation rules in Figures 7 and 8 that are used by the procedure need to first concretize the given constraint to explicitly contain the required task(s), phaser(s), phaser variable(s), and control sequence(s). For this purpose, they make use of the rules concTasksPhasers (a wrapper for concretizeTask and concretizePhaser), concretizeSeq, and concretizeVar. Each concretization rule returns a (possibly empty) set of concrete constraints. Intuitively, concretizeTask(φ, t, Un, F ) makes sure the task t that is going to be used in the computation is already in φ, or adds it as a fresh task. concretizePhaser(φ, p, Un, F ) concretizes the phaser p. concretizeSeq(φ, t, s) makes sure the sequence of the task t is s, which is a requirement for the predecessor computation rule; otherwise, it returns an empty set. Finally, concretizeVar(φ, t, p, v) ensures t uses the variable v to reference p, which is again required by the predecessor computation rule. In the following sections, we introduce the concretization functions, the predecessor computation functions, and the verification procedure, and prove some of their characteristics.
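The overall shape of the working-list procedure can be sketched generically. The Python sketch below is a plain backward-reachability loop over an abstract constraint domain; `pre`, `entails`, and `init_denotes` are placeholders of ours standing in for the predecessor computation of Figures 7 and 8, the entailment ⊑, and the membership test of the initial configuration.

```python
def backward_reachability(pre, entails, init_denotes, targets):
    """Generic working-list backward procedure (WSTS-style sketch).
    pre(phi):          finite set of predecessor constraints of phi
    entails(a, b):     True iff every configuration denoted by b
                       is also denoted by a (b is subsumed by a)
    init_denotes(phi): True iff the initial configuration is in [[phi]]
    targets:           minimal constraints denoting the bad configurations
    """
    visited = list(targets)
    work = list(targets)
    while work:
        phi = work.pop()
        if init_denotes(phi):
            return True               # a target is reachable
        for phi_pre in pre(phi):
            if any(entails(seen, phi_pre) for seen in visited):
                continue              # subsumed: denotes nothing new
            # keep the visited set minimal
            visited = [s for s in visited if not entails(phi_pre, s)]
            visited.append(phi_pre)
            work.append(phi_pre)
    return False                      # fixpoint reached: targets unreachable

# Toy instance: configurations are naturals, a step increments by one,
# and constraint n denotes the upward-closed set {m | m >= n}.
pre_inc = lambda n: [max(n - 1, 0)]   # predecessors of {m >= n}: {m >= n-1}
entails_nat = lambda a, b: a <= b     # [[b]] is included in [[a]]
assert backward_reachability(pre_inc, entails_nat, lambda n: n == 0, [3])
assert not backward_reachability(lambda n: [n], entails_nat,
                                 lambda n: n == 0, [3])
```

Termination of such a loop hinges on the entailment being a WQO on the manipulated constraints, which is what the previous section establishes for the symbolic representation used here.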

Concretization
In this section, we introduce the concretization functions and prove some properties about them. Assume a constraint φ = T φ , P φ , bv φ , seq φ , gap φ , egap φ . We say a set Un is in φ if Un ⊆ T φ , and a set F is fresh for φ if F ∩ T φ = ∅. concretizePhaser(φ, p φ , Un, F ) (Figure 5) concretizes the phaser p φ in φ. Rule concretize phaser 1 is used when phaser p φ is already concrete; the input constraint is then returned without any modification. Rule concretize phaser 2 adds a new phaser p φ to the constraint φ and non-deterministically registers a set of tasks T ′ 1 in the concrete constraint that map to T 1 ⊆ T with p φ . Moreover, it non-deterministically chooses a set of tasks T ′ 2 that map to T 2 ⊆ T to not be registered with p φ . The task mappings τ 1 and τ 2 are used to map the tasks from the concrete constraint to the constraint φ.
concretizeTask(φ, t φ , Un, F ) (Figure 5) concretizes the task t φ in φ. Rule concretize task 1 is used when task t φ is already concrete; the input constraint is then returned without any modification. Rules concretize task 2 and 3 consider the case where a new task t φ will be added that copies a task u ∈ T . The difference between concretize task 2 and 3 lies in the fact that concretize task 3, unlike concretize task 2, concretizes u (after being renamed to t ′ ) as well as t. Rule concretize task 4 concretizes a task that is non-deterministically registered with a subset of the phasers in P 2 ⊆ P φ and not registered to the others. Such a task needs to have phase bounds that respect the environment of the phasers in P 2 .
Rule concretize seq concretizes the control sequence of a task, and rule concretize var concretizes the phaser name a task uses for referencing a phaser. Some facts about the concretizations follow.

Lemma 9. For a given constraint φ = T φ , P φ , bv φ , seq φ , gap φ , egap φ , a set Un that is in φ, a set F that is fresh for φ, and a phaser p that is possibly in P φ , concretizePhaser(φ, p, Un, F ) always terminates. Each tuple (φ ′ , Un ′ , F ′ ) in concretizePhaser(φ, p, Un, F ) satisfies the following: Proof. By definition of rules concretize phaser 1 and 2 in Figure 5.
Observe that concretizeVar(φ, t, p, v) and concretizeSeq(φ, t, s) in Figure 5 do not change the tasks, phasers, or phases. One can show that, after calling them, the identity relations on T and P witness the entailment between φ and φ ′ .
Assume a set A φ of phaser identifiers possibly intersecting P φ , a set Un that is in φ, a set F that is fresh for φ, and B φ ⊆ Un ∪ F . concTasksPhasers(φ, A φ , B φ , Un, F ) always terminates and returns a finite set of tuples (φ ′ , Un ′ , F ′ ). Proof. By Lemmas 9 and 10 and induction on |A φ | + |B φ |.

Definition 3 (τ -uniquely-mapped). For a given configuration c = T c , P c , bv c , seq c , phase c and constraint φ = T φ , P φ , bv φ , seq φ , gap φ , egap φ such that τ and π witness c ∈ [[φ]], a task t ∈ T c is said to be τ -uniquely-mapped iff τ (u) = τ (t) =⇒ u = t.
Lemma 13. Assume a configuration c = T c , P c , bv c , seq c , phase c , a constraint φ = T φ , P φ , bv φ , seq φ , gap φ , egap φ such that τ and π witness c ∈ [[φ]], a set Un that is in φ such that τ uniquely maps τ −1 (Un), and a set F that is fresh for φ. Let p c be an arbitrary phaser in P c and let p φ be π(p c ) if p c is mapped by π, or a fresh phaser otherwise. A tuple (φ ′ , Un ′ , F ′ ) exists among concretizePhaser(φ, p φ , Un, F ) such that τ ′ and π ′ witness the denotation. Proof. The concretization of p φ will be performed in one of the following ways:
- If p c is mapped to p φ by π, the rule (concretize phaser 1) will return (φ, Un, F ), which is the desired tuple. Observe that the tasks are not altered; hence, the returned tuple satisfies the conditions in the lemma.
- If p c is not mapped by π, the rule (concretize phaser 2) generates a set of tuples (φ ′ , Un ′ , F ′ ) in which the concrete constraints account for all possible registrations of the tasks in T φ to the new phaser p φ . A constraint φ ′ = T φ ′ , P φ ′ , bv φ ′ , seq φ ′ , gap φ ′ , egap φ ′ generated by the rule will capture:
  • the tasks in T 1 ⊆ T c that were mapped by τ but were not registered with p c , which can be mapped to T ′ 1 ⊆ T φ ′ by the task mapping τ 1 (τ );
  • the tasks in T 2 ⊆ T c that were mapped by τ and are registered with p c , which can be mapped to T ′ 2 ⊆ T φ ′ by the task mapping τ 2 (τ ).
The task mapping τ ′ that maps the tasks in T 1 using τ 1 (τ ) and those in T 2 using τ 2 (τ ), together with the phaser mapping π ′ = π[p c ← p φ ], witness c |= φ ′ . By construction, τ ′ uniquely maps the tasks in τ ′ −1 (Un ′ ).

Lemma 14.
Assume a configuration c = T c , P c , bv c , seq c , phase c , a constraint φ = T φ , P φ , bv φ , seq φ , gap φ , egap φ such that τ and π witness c ∈ [[φ]], a set Un that is in φ such that τ uniquely maps τ −1 (Un), a set F that is fresh for φ, and a set B c = (B c1 ⊎ B c2 ) ⊆ T c such that τ uniquely maps B c1 and does not uniquely map B c2 . Let t c be an arbitrary task in B c and let t φ be τ (t c ) if t c is in Un, or a task in F otherwise. concretizeTask(φ, t φ , Un, F ) will generate a set of tuples among which there is a tuple (φ ′ , Un ′ , F ′ ) such that:
- c ∈ [[φ ′ ]], and τ ′ and π witness the denotation,
- τ ′ uniquely maps the tasks in τ ′ −1 (Un ′ ).
Proof. The concretization of t φ will be performed in one of the following ways:
- If t c is in B c1 , it is already uniquely mapped to t φ ; the rule (concretize task 1) will return (φ, Un, F ), which is the desired tuple.
- If t c is mapped by τ but is in B c2 , it is mapped to τ (t c ) but not uniquely. The rule (concretize task 2) (respectively, concretize task 3) returns in this case a tuple (φ ′ , Un ′ , F ′ ) for which the mappings τ ′ (given that t c and u c are both mapped to τ (t c )) and π witness c ∈ [[φ ′ ]]. The other claims hold by construction.
- If t c is not mapped by τ , it is in B c2 . Let P m c ⊆ P c be the set of phasers mapped by π and P m,r c ⊆ P m c be the set of mapped phasers that t c is registered with. In this case, the rule (concretize task 4) returns a set of tuples among which there is a tuple (φ ′ , Un ′ , F ′ ) in which t φ is a fresh task that is registered with π(P m,r c ) and not with π(P m c \ P m,r c ). Hence, the task mapping τ ′ = τ [t c ← t φ ] and the phaser mapping π witness c |= φ ′ . The other claims hold by construction.
Assume a set A φ of phaser identifiers possibly intersecting P φ , B φ = Un ∪ F , a set Un that is in φ, and a set F that is fresh for φ. Definition 4 states when a tuple (c, A c , B c ) matches (φ, A φ , B φ , Un, F ) with respect to τ and π.

Lemma 15. Given c = T c , P c , bv c , seq c , phase c , φ = T φ , P φ , bv φ , seq φ , gap φ , egap φ , and τ and π that witness c ∈ [[φ]], for any A c ⊆ P c and B c ⊆ T c , (c, A c , B c ) matches (φ, A φ , B φ , Un, F ) with respect to τ and π. Proof. By Definition 4 and the construction of c ∈ [[φ]].
Lemma 16. Assume a configuration c = T c , P c , bv c , seq c , phase c , a constraint φ, the mappings τ and π, and the sets A c , B c , A φ , and B φ such that (c, A c , B c ) matches (φ, A φ , B φ , Un, F ) with respect to τ and π. For all tuples (φ ′ , Un ′ , F ′ ) in concTasksPhasers(φ, A φ , B φ , Un, F ), we have that Un ′ = B φ and F ′ = ∅, and there exists one such tuple satisfying the required denotation conditions. Proof. By Lemmas 13 and 14 and induction on |A φ | + |B φ |.

Predecessor Computation
In this section, we formally define the predecessor computation functions in Figures 7 and 8.

newPhaser. We exhibit φ ′ as well as the task and phaser mappings that witness the denotation. The rule starts by concretizing φ according to c with A c = {p c } and B c = {t c }. Lemmas 16 and 17 ensure that, after concretization, a concrete constraint φ conc is generated such that c ∈ [[φ conc ]] with respect to some task and phaser mappings τ and π so that t c is uniquely mapped to t φ by τ , and p c is mapped to some p φ by π. The task t c in c ′ creates p c ; hence, it must be the only task registered with p c or referencing it. This, combined with the definition of τ and π, guarantees that t φ is the only task in φ which is registered with p φ or referencing it.

signal. We exhibit φ ′ as well as the task and phaser mappings that witness the denotation. The rule starts by concretizing t φ and p φ in φ. Lemmas 16 and 17 ensure that a concrete constraint φ conc = T φ , P φ , bv φ , seq φ , gap φ , egap φ is generated such that c ∈ [[φ conc ]] with respect to some task and phaser mappings τ and π so that t c is uniquely mapped to some t φ by τ , and p c is mapped to some p φ by π. The task t c in c ′ has just incremented the signal phase of the task t c on the phaser p c . There is a level l ≥ 0 that separates the signal phases of the tasks registered with p c from their wait phases. Incrementing the signal s tc of task t c on p c satisfies the phase bounds in φ conc . The case in which l < s tc can be captured by signal II (here, us > 0 and l ′ = l ). The case where l = s tc can be captured with signal I (here, uw > 0 and l ′ = l − 1).
wait. We exhibit φ ′ as well as the task and phaser mappings that witness the denotation. Similar to the signal rule, this rule starts by concretizing t c and p c in c and uniquely maps them to t φ and p φ in φ conc . The task t c in c ′ has just incremented the wait phase of the task t c on the phaser p c . Let gap φ (t φ )(p φ ) = (v, (lw, ls, uw, us)). A level l > 0 exists that shows the signal and wait phases of the tasks registered with p c respect the phase bounds in φ conc . The same level can be used to show that the phases of c ′ respect the phase bounds in the φ ′ generated by the rule.
drop. Similar to the signal rule, this rule starts by concretizing t c and p c in c and uniquely maps them to t φ and p φ in φ conc . Since c ∈ [[φ conc ]], there exists a level l that separates the signal and wait phases of the tasks registered with p φ . The task t c in c ′ has just dropped the phaser p c . By the existence of c ′ , a level l ′ exists that takes into account the phases of t φ as well. If δ < −lwmax (respectively, δ > lsmax), we can show that l − lwmax (respectively, l + lsmax) also separates the phases in c ′ . Otherwise, l + δ with −lwmax ≤ δ ≤ lsmax separates the phases in c ′ . We adapt the bounds for each such δ in this case. In a similar manner, if usmin < ∞ and uwmin < ∞ for some task, then a level l + δ with −uwmin ≤ δ ≤ usmin must separate the phases in c ′ . We adapt the phase bounds to this case.
asynch. The rule starts by concretizing t φ , u φ , and p i φ for every i : 1 ≤ i ≤ k in φ. Lemmas 16 and 17 ensure that a concrete constraint φ conc is generated such that c ∈ [[φ conc ]] with respect to some task and phaser mappings τ and π so that t c and u c are uniquely mapped to some t φ and u φ by τ , and p ic is mapped to some p i φ by π for each i : 1 ≤ i ≤ k. The task t c in c ′ has just spawned the task u c . t c and u c are registered with each p ic for i : 1 ≤ i ≤ k and have the same phases in gap c . c ∈ [[φ conc ]] ensures that, for each i : 1 ≤ i ≤ k, gap φ can be constrained so that t φ and u φ are registered with each p i φ in gap φ and have the same phases. Hence, the meet of the signal and wait gaps of t φ and u φ in gap φ is not empty. This meet will actually be the phase of t φ on the phasers p i φ for i : 1 ≤ i ≤ k. phase ′ c is then obtained from phase c by removing the phases of u c . gap ′ φ is also obtained from gap φ by removing u φ . The task and phaser mappings τ ′ = τ \ {u} and π witness that φ ′ denotes c ′ .
We now turn to completeness. Note that any predecessor computation rule starts by concretizing φ into some concrete constraint φ conc . The intuition is that if all tasks in T c ′ that are associated to t φ by τ execute stmt, we obtain a configuration c that is denoted by some concrete constraint φ conc , hence denoted by φ.
newPhaser. This rule is only complete when τ −1 (t φ ) is a singleton. To simplify the presentation, we show completeness when main executes newPhaser, because then we are sure τ −1 (t φ ) is a singleton. Assume t φ is the task main in some φ. Then t c can again be associated with t φ in φ conc , phase c (u c )(p c ) = (−, nreg) for all other tasks u c , and the task and phaser mappings τ and π witness the denotation.

signal. There exists p c such that π(p c ) = p φ and all tasks in τ −1 (t φ ) are associated with t φ by τ . c ′ is denoted by φ ′ and is obtained via signal I or signal II. There is therefore a level l ≥ 0 which shows that the signal and wait phases of the tasks registered in c ′ respect the phase bounds in φ ′ . We can show that l + 1 captures that the signal and wait phases of the tasks registered in c respect the phase bounds in φ if φ ′ is obtained via signal I, and that l does so if φ ′ is obtained via signal II.
In both cases, the task and phaser mappings τ and π should be used for the denotation.
wait. There exists p c such that π(p c ) = p φ and each task t ∈ τ −1 (t φ ) is associated with t φ by τ . If l witnesses c ′ ∈ [[φ ′ ]], then the same level witnesses c ∈ [[φ]] with the task and phaser mappings τ and π.
drop. There exists p c such that π(p c ) = p φ and each task t ∈ τ −1 (t φ ) is associated with t φ by τ . phase c is obtained from phase c ′ by 1) not modifying the phases of the tasks that are not associated with t φ , and 2) assigning phase c (t)(p c ) = (−, nreg) for each t ∈ τ −1 (t φ ). A level l ≥ 0 witnesses that these tasks respect the phase bounds in φ ′ (which is obtained for a certain δ). We can show l − δ witnesses the denotation of c by φ conc . The third group of tasks to consider are those in T c \ τ −1 (t φ ) which are registered with p c . The phases of these tasks are not modified. Hence, the task and phaser mappings τ and π witness c ∈ [[φ conc ]].
exit. This proof is very similar to the proof of completeness of drop. The only difference is that the proof of drop needs to be extended by iterating through all phasers dropped in c ′ . The mappings τ ′ = τ \ τ −1 (t φ ) and π witness c ∈ [[φ conc ]].
asynch. Let u φ be the newly spawned task, and p 1 φ , . . . , p k φ be the phasers passed to u φ . There exist p 1c , . . . , p kc such that π(p ic ) = p i φ for each i : 1 ≤ i ≤ k, and τ associates each task t ∈ τ −1 (t φ ) to t φ and each task u t spawned by t to u φ . We obtain phase c from phase c ′ by copying phase c ′ (t)(p ic ) to phase c (u t )(p ic ) for each t ∈ τ −1 (t φ ) and i : 1 ≤ i ≤ k. Therefore, each t ∈ τ −1 (t φ ) and u t can respectively be associated to t φ and u φ in φ. As a result, for c = T c , P c ′ , bv c ′ , seq c , phase c , the task and phaser mappings τ and π witness the denotation.

Verification Procedure
The procedure makes use of a predecessors computation (line 7) that results, for a constraint φ and a statement stmt, in a finite set pre stmt (φ) of constraints. We write pre for the union of pre stmt for all stmt. These computations are described in Figures 7 and 8. Intuitively, the program statement for which the predecessors set is being computed can be executed by a task captured by the constraint φ = T , P , bv, seq, gap, egap explicitly (i.e., t ∈ T ) or implicitly (i.e., u ̸∈ T but satisfying the environment gaps). For all but atomic statements (i.e., v.next(){s}), the computed set is exact. Intuitively, the predecessors calculation for the atomic v.next(){stmt} statement is only an over-approximation because such an instruction can encode a test-and-set operation. Such an operation can be made to be carried out by exactly one task. Our representation allows for more tasks (and larger gaps), but the additional tasks may not be able to carry out the atomic operation. We would therefore obtain a non-exact over-approximation; we avoid this issue by only applying the procedure to non-atomic programs. In fact, we show in Sect. 6 that allowing atomic instructions results in the undecidability of the problems addressed by Thm. 6 and 7. Using Lem. 2 and the exactness of pre, we can show partial correctness by induction.
We can also show that the procedure terminates if we only manipulate K-dimension-bounded and B-good constraints.

Proof sketch. Systematically dropping, in the backward procedure, constraints violating K-dimension-boundedness (as none of the denoted configurations is reachable) ensures K-dimension-boundedness. Also, the set of target constraints is free (since we are checking control reachability), and this is preserved by the pre computation in Figs. 5, 7, and 8. Finally, Lemmas 18, 19, and 20 ensure soundness, relative completeness, and termination.

Theorem 7. Plain reachability for non-atomic phaser programs generating at most K phasers with, for each phaser, B-bounded gaps is decidable.
Proof sketch. Systematically dropping, in the backward procedure, constraints requiring more than K phasers or gap values larger than B for some phaser gaps (as none of the denoted configurations is reachable) ensures K-dimension-boundedness and B-goodness. Finally, Lemmas 18, 19, and 20 ensure soundness, relative completeness, and termination.

Limitations of deciding reachability
Assume a program prg = (B, V, T) and its initial configuration c init . We show a number of parameterized reachability problems to be undecidable. First, we address checking control reachability when restricting to configurations with at most K task-referenced phasers. We call this K-control-reachability.
Definition 5 (K-control-reachability). Given a partial control configuration c, we write reach K (prg, c), and say c is K-control-reachable, to mean there are n + 1 configurations (c i ) i:0≤i≤n , each with at most K reachable phasers (i.e., phasers referenced by at least a task variable), s.t. c init = c 0 and c i −→ c i+1 for i : 0 ≤ i < n, with c n equivalent to a configuration that includes c.
Theorem 8. K-control-reachability is undecidable in general.
Proof sketch. Encode state reachability of an arbitrary Minsky machine with counters x and y using K-control-reachability of a suitable phaser program. The program (see [10]) has five tasks: main, xTask, yTask, child1 and child2. Machine states are captured with shared variables, and counter values with the phasers xPh for counter x (resp. yPh for counter y). Then, (1) spawn an instance of xTask (resp. yTask) and register it to xPh (resp. yPh) for increments, and (2) perform a wait on xPh (resp. yPh) to test for zero. Decrementing a counter, say x, involves asking an xTask, via shared variables, to exit (hence, to deregister from xPh). However, more than one task might participate in the decrement operation. For this reason, each participating task builds a path from xPh to child2 with two phasers. If more than one xTask participates in the decrement, then the number of reachable phasers of an intermediary configuration will be at least five. As a result, the phaser program will reach a configuration corresponding to s F via configurations having at most 4 reachable phasers iff the counter machine reaches a configuration with state s F .

Theorem 9. Control reachability of phaser programs generating a finite number of phasers is undecidable if atomic statements are allowed.
Proof sketch. We encode the state reachability problem of an arbitrary Minsky machine with counters x and y using a phaser program with atomic statements. The phaser program (captured in Fig. 10) has three tasks: main, xTask and yTask. The idea is to associate a phaser xPh to counter x (resp. yPh to counter y) and to perform a signal followed by a wait on xPh (resp. yPh) to test for zero on counter x (resp. counter y). Incrementing and decrementing are performed by asking spawned tasks to spawn a new instance (incrementing) or to deregister (decrementing). Atomic-next statements are used to ensure exactly one task is spawned or deregistered. As a result, the phaser program will reach a configuration setting the variable s to s F iff the counter machine reaches a configuration with state s F .
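To see why a signal followed by a wait acts as a zero test in such encodings, recall the semantics from the introduction: a wait succeeds only when every registered task has signaled past the waiting task's wait phase. The minimal Python model below is ours and captures only the counters, not blocking or concurrency.

```python
class Phaser:
    """Minimal model of a phaser: per-task signal and wait counters.
    (Illustrative only; names and structure are ours.)"""
    def __init__(self):
        self.signals = {}   # task -> number of signals issued
        self.waits = {}     # task -> number of waits completed

    def register(self, task):
        self.signals[task] = 0
        self.waits[task] = 0

    def drop(self, task):
        del self.signals[task]
        del self.waits[task]

    def signal(self, task):
        self.signals[task] += 1

    def can_wait(self, task):
        # wait succeeds iff every registered task has signaled
        # past this task's current wait phase
        w = self.waits[task]
        return all(s > w for s in self.signals.values())

# Zero test for a counter encoded as the number of registered xTask
# instances (which never signal): main's signal-then-wait succeeds
# iff no such instance remains registered.
ph = Phaser()
ph.register("main")
ph.register("xTask0")           # counter value 1
ph.signal("main")
assert not ph.can_wait("main")  # blocked: counter is non-zero
ph.drop("xTask0")               # decrement: the xTask deregisters
assert ph.can_wait("main")      # counter is zero; wait succeeds
```

With the counter value represented by registered instances that never signal, the wait of main can only go through once the counter is zero.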
Finally, even with finite numbers of tasks and phasers, but with arbitrary gap-bounds, we can show [9] the following.
Theorem 10. Plain reachability of non-atomic phaser programs generating a finite number of phasers is undecidable if the generated gaps are not bounded.

Conclusion
We have studied parameterized plain (e.g., deadlocks) and control (e.g., assertions) reachability problems for phaser programs. We have proposed an exact verification procedure for non-atomic programs. The procedure can be used for answering both control and plain reachability problems. We summarize our findings in Table 1. The procedure is guaranteed to terminate, even for programs that may generate arbitrarily many tasks but finitely many phasers, when checking control reachability or when checking plain reachability with bounded gaps. These results were obtained using a non-trivial symbolic representation for which establishing termination required showing that an ∃∀ preorder on multisets of gaps over natural numbers is a WQO. We are working on a tool that implements the procedure in order to verify programs that dynamically spawn tasks and synchronize them with phasers. We believe our general decidability results are useful for reasoning about synchronization constructs other than phasers. For instance, a traditional static barrier can be captured with one phaser and with bounded gaps (in fact, one). Similarly, one phaser with one producer and arbitrarily many consumers can be used to capture futures, where a "get" instruction can be modeled with a wait. We believe our negative results can also be used. For instance, atomic instructions can encode test-and-set operations and may result in the undecidability of the reachability problem. This suggests more general applications of the work are to be investigated.

Table 1. Findings summary: ctrl stands for control reachability and plain for plain reachability; atomic stands for allowing the v.next(){stmt} atomic instruction and non−atomic for forbidding it (resulting in non-atomic programs). Recall the dimension of a phaser program is the number of dynamically generated phasers.

Fig. 10. In proof of Thm. 9 for control reachability of atomic phaser programs. Encoding a Minsky machine with the two counters {x, y}.
The value of counter x is represented by the number of instances of xTask tasks registered to phaser xPh. The construction ensures increments or decrements involve exactly one task.