Graph models for reachability analysis of concurrent programslaser.cs.umass.edu/courses/cs521-621/papers/p171-pezze.pdfity analysis to general concurrent programs, although recent

Graph Modelsof Concurrent

MAUF{O PEZZE

Politecnico di Milano

RICHARD N. TAYLOR

for Reachability AnalysisPrograms

University of California — Irvine

and

MICHAL YOUNG

Purdue University

The problem of analyzing concurrent systems has been investigated by many researchers, and

several solutions have been proposed. Among the proposed techniques, reachability

analysis—systematic enumeration of reachable states in a finite-state model—is attractive

because it is conceptually simple and relatively straightforward to automate and can be used m

conjunction with model-checking procedures to check for application-specific as well as general

properties. This article shows that the nature of the translation from source code to a modeling

formalism is of greater practical importance than the underlying formalism. Features ldentitled

as pragmatically important are the representation of internal choice, selection of a dynamic or

static matching rule, and the ease of applying reductions. Since combinatorial explosion is the

primary impediment to application of reachability analysls, a particular concern in choosing a

model is facilitating divide-and-conquer analysis of large programs. Recently, much interest in

finite-state verification systems has centered on algebraic theories of concurrency. Algebraic

structure can be used to decompose reachability analysis based on a flowgraph model. The

semantic equivalence of graph and Petri net-based models suggests that one ought to be able to

apply a similar strategy for decomposing Petri nets. We describe how category-theoretic treat-ments of Petri nets provide a basis for decomposition of Petri net reachability analysis.

Material in this article and the work of M. Pezz> was sponsored by the Air Force Materiel

Command, Rome Laboratory, and the Advanced Research Projects Agency under contract

number F30602-94-C-0218.

The work of R. N. Taylor was sponsored by the Defense Advanced Research Projects Agency

under grant MDA972-91-J-1O 10.

The ccmtent of the information does not necessarily reflect the position or the policy of the U.S.

Government, and no official endorsement should be inferred. The work of M. Young was

sponsored by the National Science Foundation under grants CCR-9157629 and INT-9217432.

Authors’ addresses: M. Pezze, Dipartimento di Elettronica e Informazione, Politecnico di Milano,

Piazza Leonardo da Vinci 32, Milano, Italia; email: [email protected]. it; R. N. Taylor, Depart-

ment of Information and Computer Science, University of California, Irvine, CA 92717-3425;

email: taylor~ics.uci. edu; M. Young, Software Engineering Research Center, Department of

Computer Sciences, Purdue University, West Lafayette, IN 47907-1398; email: young(~

cs.purdue.edu.

Permission to make digital/hard copy of all or part of this material without fee is granted

providled that the copies are not made or distributed for profit or commercial advantage, the

ACM ,copyright/server notice, the title of the publication, and its date appear, and notice is given

that copying is by permission of the Association for Computing Machinery, Inc. (ACM). To copy

otherwise, to republish, to post on servers, or to redistribute to lists requires prior specific

permission and/or a fee.

019915 ACM 1049-331X/95/0400-0171 $03.50

.4CM Transactions on Software Engmeermg and Methodology, Vol. 4, No 2. April 1995. Paws 171-213

172 . Mauro Pezze et al.

Categories and Subject Descriptors: D. 1,3 [Programming Techniques]: Concurrent Program-

ming; D.2.2 [Software Engineering]: Tools and Techniques—Petri nets; D.2.5 [Software

Engineering]: Testing and Debugging-debuggtng cuds; D.3.3 [Programming Languages]:

Language Constructs and Features—concurrent programming structures; F.3 1 [Logics and

Meanings of Programs]: Specifying and Verifying and Reasoning about ProWams—snechcmz-

cal verification

General Terms: Reliability, Verification

Additional Key Words and Phrases: Ada tasking. process algebra, static analysis

1. INTRODUCTION

The problem of analyzing concurrent 1 systems has been investigated by

many researchers. Several approaches have been proposed, ranging from

formal verification to testing and debugging, Between these poles lie special-

purpose, before-run-time analyses that fall short of fully general program

verification but provide strong assurance of critical program properties such

as freedom from deadlock. The inherent complexity of concurrent computa-

tion makes it unlikely that any single contemporary or future analysis

technique will provide an acceptable combination of expense and assurance

for all circumstances.

Among the proposed techniques, reachability analysis—systematic enu-

meration of reachable states in a finite-state model—is attractive because it

is conceptually simple and relatively straightforward to automate and can be

used in conjunction with model-checking procedures (e.g., Clarke et al. [ 1986]

and Wolper [1986]) to check for application-specific as well as general proper-

ties. Reachability analysis has been used successfully for some time in limited

domains like simple communication protocols [Holzmann 1987; Sunshine

198 1]. Combinatorial explosion has largely stymied application of reachabil-

ity analysis to general concurrent programs, although recent work in compo-

sitional analysis holds promise for scalable application.

One thread of research related to reachability analysis involves extracting

models from program texts. Since Taylor [ 1983] proposed a reduced flow-

graph model for reachability analysis of programs expressed in Ada and

related languages, a variety of alternative representations have been pro-

posed. Long and Clarke [1989] proposed a “task interaction graph” represen-

tation that captures synchronization structure more succinctly than Taylor’s

original model (an important attribute since it slows the combinatorial

explosion that is the primary limiting factor in applying reachability analy-

sis). Shatz et al. have proposed extracting Petri nets from Ada programs in

order to use existing Petri net analysis tools [ Shatz and Cheng 1988] and net

reduction techniques [Shatz et al. 1990].

1We use the term concurrent in a general sense for systems with multiple threads of control,

without regard to whether those threads of control are physically distributed or share physical or

lo~cal memory space, Although different organizations present them own problems (e.g., unreli-

able communication in physically distributed systems), basic problems of coordination are

common to all of them.

ACM TransactIons on Software Engineering and Methodology, Vol 4, No 2, April 1995

Reachability Analysis . 173

Thi,s article shows that the nature of the translation from source code to a

model ing formalism is of greater practical importance than the underlying

formalism. The choice of model does not depend on expressive power, since

finite-state models are formally equivalent in this regard. The main contribu-

tion of this article is identification of the following differences among models

and charact erization of their impact on practical choice of models for

reachability analys is, particularly as regards sizes of the composite state-

space representations produced:

—Matching rule: Petri nets and other net-like models use a static matching

rule, while flowgraph models use a dynamic matching rule. The choice of

matching time has no impact on the final reachability graph but may

impact model translation and consequently tool structure and efficiency

when reanalyzing portions of an evolving program.

—Reductions: Enumerative approaches generally depend on local graph

transformations to reduce the number of states explored. While a reduction

in one model generally has an analogue in another, the ease of identifying

and applying rewrites may be quite different, The more-specialized flow-

gra,ph models have an advantage in preserving structural information, but

the more-established general models such as nets have more well devel-

oped theory and tools to depend on.

—Representation of internal choice: We contend that a “refusals” model is

preferable to a “silent-move” model for reachability analysis because it

permits a more-compact representation. This appears to be an advantage

of ~lowgraph models over net models.

—Compositionality: A practical analysis technique for large, realistic applica-

tions must permit analysis of subsystems in isolation; preferably it should

support composition of analysis results in a manner that avoids or limits

combinatorial explosion. The complexity of concurrent computation~ pre-

vents inherently global analysis techniques from scaling up. For flowgraph

models, the rapidly developing theory of process algebras [Hennessy 1988;

Hoare 1985; Milner 1989] provides a foundation for hierarchical analysis.

Yeh and Young have exploited algebraic structure to decompose reacha-

bility analysis of a graph model which is close to Taylor’s reduced flow-

graph model [Yeh 1993; Yeh and Young 1991]. The correspondence be-

tw,een flovvgraph rnoclels and Petri net models of Ada tasking suggests that

the same approach should be applicable to hierarchical analysis with Petri

2The complexity is manifested as the “state explosion problem” for reachability analysis.

However, as with other intractable problems, the complexity is inherent to the problem rather

than the solution technique. (We can take deadlock detection as a representative problem for

which NP-completeness and PSPACE-completeness results abound [Apt 1983; Ladner 1979;

Smolka 1984: Taylor 1983]: race detection and a number of other problems in concurrency

analysis have identical lower bounds. ) The complexity may be manifested in other forms fm-

other analysis techniques, e.g., an analysis algorithm requiring time polynomial in the number of

processes must either be less accurate than reachability analysis or apply to a more-restricted

class of programs or properties.

ACM Transactions on Software Engineering and Methodology, Vol. 4, No 2, Aprd 1995


nets. We recall the essentials of a cate gory-theoretical treatment of nets to

show how compositional analysis may be ap plied with nets.

1.1 Outline of the Article

Section 2 reviews representative graph-based models that have been used for

reachability analysis of programs in Ada-like languages: task flowgraphs3

and concurrency graphs, as they are introduced in Taylor [1983], task inter-

action graphs (TIGs) and task interaction concurrency graphs as introduced

in Long and Clarke [1989], and Petri nets and reachability graphs as intro-

duced in Murata [ 1989], Peterson [1989], and Reisig [1985], This material is

provided to make the article self-contained; readers familiar with these

models may wish to skim or skip Section 2.

Section 3 describes the correspondence between flowgraph models through

reference to a general model, which allows their significant differences to be

isolated. We show that a primary difference is in the treatment of internal

choice and assess the impact of this difference on performance. In Section 4

we show that the main difference between Petri nets and Taylor’s reduced

flowgraph model is the point in analysis at which communicating actions are

matched (static versus dynamic matching). Pragmatic reasons for choosing a

Petri net representation or a more-specialized flowgraph representation,

including the applicability of reduction techniques, are also discussed. Section

5 considers the suitability of graph models for hierarchical analysis with

reductions based on algebra, a necessary condition for reachability analysis

that scales to systems with many tasks. Adapting flowgraph models to permit

application of algebraic theories of concurrency to reachability analysis is

outlined first, followed by a similar application of category theory to nets.

Section 6 summarizes the main factors that affect a choice among the models.

Details of task flowgraphs, task interaction graphs, and Petri nets are

relegated to Appendix A.

2. RELATED WORK

This section recalls the models used for reachability analysis of concurrent

programs and outlines alternative analysis techniques. Detailed definitions of

concurrency graphs, as defined in Taylor [ 1983], task interaction concurrency

graphs, as described in Long and Clarke [ 1989], and Petri nets are provided

in Appendix A.

2.1 Reachability Analysis of Concurrent Programs

Two broad classes of models have been used for supporting reachability

analysis of programs: flowgraph-based models [Apt 1983; Clarke et al. 1986;

3In Taylor [1983] task flowgraphs are called simply flowgraphs; the name task flowgrapks has

been introduced here to avoid confusion with definitions that appear later in the article and will

be used consistently through the article to refer to flowgraphs as defined in Taylor [ 1983].

ACM Transactions on Software Engmeermg and Methodology, Vol, 4, No, 2, April 1995.

ReachabilRy Analysis . 175

Long and Clarke 1989; McDowell 1989; Smolka 1!384; Taylor 1983] and Petri

nets [Morgan and Razouk 1987; Shatz and Cheng 1988; Shenker et al. 1986].

The use of flowgraph-based models for analyzing concurrent programs was

first presented in Taylor [1983], which defined task flowWaphs and concur-

rency flowgraphs. An improved model is described in Long and Clarke [1989]

that defined task interaction graphs (TIGs) and task interaction concurrency

graphs (TICGS). An algorithm for reachability analysis of Petri nets was first

presented in Karp and Miller [1.969]. Reachability analysis of Petri nets has

been used for anal yzing concurrent programs by several authors [Beaven et

al. 1991; Morgan and Razouk 1987’; Shatz and Cheng 1988; Shatz et al. 19901.

Task flowgraphs and TIGs have been defined as models of the Ada task

systelm. In this article, Ada represents only a common concrete point of

reference; similar techniques can be defined for other concurrent languages

with rendezvous synchronization. In this article, we consider only a subset of

Ada. The considered subset of Ada is described in Appendix A.

Tad. Flowgraphs and Concurrency Graphs. A task flowgraph represents

the structure of a single Ada task, abstracting all the aspects that are

unnecessary for determining possible sequences of synchronization activities.

For present purposes a synchronization activity is an entry call, an acceptstatement, select, select-else, task-begin, or task-end.4 A task flowgraph can

be obtained from an annotated flowgraph produced by a compilation system

by ignoring all the nodes representing statements not involved in determin-

ing synchronization activities. As an example, the task flowgraphs corre-

sponding to the Ada tasks of Figure 1 are presented in Figure 2. Notice that

the loop of task T 1 is explicitly represented, because it contains a syn chro-

nization statement (a selective wait).

Nodes of task flowgraphs representing synchronization activities are called

state-nodes; a state-node n‘ is called a successor of a state-node n, n‘ E

SZLCC( n), if there is a path from n to n‘ such that there is no state-node

between the first and last node on the path. (Informally, this means that a

single step of a task in a modeled execution may involve several “internal”

steps through control branches and other nontasking activity.)

An Ada program can be represented by the set of task flowgraphs corre-

sponding to the tasks in the program. The execution space of an Ada program

can be described by a concurrency graph, a flowgraph where nodes, also

callecl concurrency-nodes, are k-tuples of state-nodes, one node for each task

i%wgraph, and edges represent actions (state transitions) in the program.

A concurrency graph is a kind of reachability graph, where nodes represent

states of executions, and arcs represent possible transitions in the system.

dTo be precise, Ada rmdczvous must be modeled by two steps (engage and finish) for the generalcase mc]udmg synchronization activities within accept bodies Each of the models di scussed in

this article provides a special-case optimization for rendezvous without nested synchronization.

Since this consideration is essentially independent of tbe graph model used, wc present only the

“optimi zeal” form to keep the examples as simple as possible.

ACM Transactions on Software Fmgneermg and Methodology, Vol. 4. No. 2. April 1995

176 . Mauro Pezze et al

with text io;

procedure main istask TO;task T1 is

entry P;entry Q;

end Tl;task T2;

task body TO isbegin --(1)

T1 .P; --(2)end TO; --(3)

task body T 1 ispackage boolean_io is new text_ io.enumeration_ io(boolean):

done: boolean;begin --(4)

loop --(5)select --(6)

accept P; --(7)or

accept Q; --(8)end select;boolean_ io.get(done);

exit when done;end loop; --(9)

end Tl; --(lo)

task body T2 isbegin --(11)

T1.Q; --(12)end T2; --(13)

beginNULL;

end main;

Fig. 1, A simple Ada program,

Task TO Task T1 Task T2

10 begin

12-TIP

{30 end

40 begin lB begin

Ilz~ T1. Q

1130 end

I

+10. end

Fig, 2. Task flowgraphs corresponding to the Ada program of Figure 1.

ACM Transactlcms on Software Engineering and Methodology, VO1 4, No 2. April 1995


<1,6,

<2,6,

13>

:1,4,12>

<3,6,13> <3,10,13>

Fig.3. Theconcurrency graph corresponding tothe Adaprogram of Figurel.

As an example, the concurrency graph corresponding to the Ada program of

Figure 1 is shown in Figure 3. Nodes in Figure 3 are labeled with triples

describing the state of the three tasks. Note that the transitions in the

concurrency graph correspond to the successor function rather than the task

flowgraphs per se. For instance, the execution of the begin statement of Task

T1 corresponds to the flow from the initial node (1, 4, 11) to node (1, 6, 11)

in one step; node 5 in the flowgraph of Task T1 is not considered.

Task Interaction Graphs and Task Interaction Concurrency Graphs. Task

interaction graphs (TIGs) and task interaction concurrency graphs (TICGS)

were introduced for reducing the size of task flowgraphs and concurrency

graphs. TIGs are defined starting from a division of the statements of a single

task into regions called task regions. A task region is a portion of code that

starts from the task-beg in, or from a statement that can immediately follow

the execution of an accept or an entry call, and ends with an accept or an

entry call or with the end statement of the task. As an example, the task

regions for the Ada program of Figure 1 are shown in Figure 4.

A task interaction graph (TIG) is a flowgraph whose nodes correspond to

the task regions and whose edges represent task interactions, i.e., flow of

control between task regions; edges are labeled with the type of represented

interaction. The initial node is the task region corresponding to the begin

statement, and the final nodes are those regions in which the task-end

statement appears. The nodes of TIGs will be also called TIG-nodes. TheTIG-node corresponding to the initial region of the task is called the initial

TIG-node of the TIG. The TIG-nodes corresponding to regions of the task

where the execution may end are called final TIG-n odes of the TIG. The TIGs

ACM Transactions on Software Engmeerlng and Methodology, Vol 4, No 2, April 1995

178 . Mauro Pezz& et al

E3y”n5

l—f!rlulrf’f,{,,l

mk body T 1M

1

lII,lW[packaged... bmiwn

KJgmn

1

mlllul

m.tdhk body T2 I, “K’[]n

3 IU(>pKk’1 6 begin

.’,.spt P,

––––J––- ‘ E

T Q,,),

L.C.P1Q,ml <elect

7end T2,

hoolm.,c Ea(dmeJ 4 boolean_w get(do”ej

e>,! when dune, CM when don.end loop md loop,

end T I end Tlft”ul

Imp kn>p re~,<,tl

,.1,,1 select.x.qlt P d“ep! P,

,,r <,,

&L~LI[Q _ W+ Q,

end ,,l.. !, end \eleLt

Fig. 4 Task regions in the Task Interaction Graph (TIG) model of the Ada program of Figure 1.

Regions are single entry, which causes duplication of the loop body.

Task TO Task T1 Task T2

11

T1. P

2e

Fig, 5. Task

w3A

AA!!?

accept P accept Q

accept p

5 4

accept Qaccept P

accept Q

interaction graphs (TIGs ) for the Ada program

T6

1

T1. Q

70

of Figure 1.

corresponding to the Ada program of Figure 1 are shown in Figure 5. Final

TIG-nodes are indicated by a double circle.5

An Ada program can be represented by means of the set of TIGs corre-

sponding to the tasks of the program. The execution space of an Ada program

represented as a set of TIGs can be represented by means of a TICG, a

flowgraph whose nodes are tuples of TIG-nodes, one for each TIG in the

program, and edges corresponding to the possible interactions between tasks

in the program. As an example, the TICG corresponding to the Ada program

of Figure 1 is shown in Figure 6. TICG-nodes are labeled with triples that

describe the state of the three tasks that comprise the Ada program. Note

that state (2, 5, 6) is a potential deadlock (the loop could be executed exactly

once), but the node representing this state has out-edges. Additional inform a-

51n the full TIG model, including task initiation and termination, final TIG-nodes would have no

out-edges Even m the full model, though, the control branch to the end statement is not

represented by an edge; only the actual termination, which is a kind of task interaction, is

represented.

ACM Transactions on Software Engineering and Methodology, Vol 4, No. 2, Aprd 1995

Reachability Analysls . 179

<1,3,6>

/“@\<2,5,6- 0 <1,4,7>

1<2,4,7@ L● <2,5,7>

Fig. 6. The task interaction concurrency graph (TICG) corresponding to the Ada program ofFigure 1.

Fig.7. APetrinet corresponding tothe Adaprogram of Figurel

tion that must be associated with TIG edges to determine potential deadlocks

is describedin Section 3.2,

Petri Nets, Petri nets were originally proposed as a model for representing

and analyzing concurrent systems (not necessarily software). They have also

been used for representing and analyzing Ada programs [Mandrioli et al.1985; Morasca and Pezz& 1989; Shatz et al. 1990]. A Petri net is a bipartite

graph; the two set of nodes are called places and transitions. Tokens are usedto mark places to indicate the current state of the net. As an example, one

possible representation of the Ada program of Figure 1 is presented in Figure

7. In ~Figure 7 transitions represent actions; places represent conditions; and

arcs give the relations between conditions and actions. Transitions are la-

beled for the reader’s convenience according to their correspondence to the

statements of Figure 1.

Different algorithms for obtaining a Petri net from Ada programs can be

defined, resulting in different representations. The translation chosen in the

ACM Transactions on Software Engmeermg and Methodology, Vol 4, No. 2, Aprd 1995

180 . Mauro Pezze et al,

example of Figure 7 models only control flow and synchronization and is

similar to that used by Shatz et al. in the TOTXL system.G The net models of

Mandrioli et al. [1985] and Beaven et al. [1991; 1992] are also similar in their

essentials; the latter is a colored net model but can in principle be unfolded

into a conventional Petri net,

The set of places connected to a transition t by an arc entering t is called

the preset of transition t and is indicated as “t.Similarly, the set of places

connected to a transition t by an arc exiting t is called the postset of

transition t and is indicated as t‘.

The dynamic behavior of a system modeled by means of a Petri net can be

represented by a firing rule, which describes the effect of actions on the

marking of the net. A transition is enabled in a marking if there is at least

one token in each place of its preset. The firing of a transition t enabled in a

marking m removes a token from each place of “ t and adds a new token in

each place of t”.The set of markings reachable from the initial marking by

means of a finite number of firings is called the reachability graph of the

Petri net.

The reachability graph of the Petri net of Figure 7 is presented in Figure 8.

The labels associated with the nodes of the reachability graph of Figure 8

represent the places that are marked in the corresponding Petri net.

A Petri net is safe if for each reachable marking the number of tokens in

each place is at most one. From the reachability graph of Figure 8 it is easy to

verify that the Petri net of Figure 7 is safe. It is always possible to represent

an Ada program composed of a fixed number of tasks by means of a safe net.

Intuitively, if the number of tasks in the program is bounded, it is possible to

represent the tasks by disjoint sets of places and the state of each task by a

single token. In the net of Figure 7 places p., p ~, and p ~ represent the set of

possible states for task TO; places p~, pb, p~, p~, and p ~ represent the set of

possible states for task T 1; places p8, pg, and p lo represent the set of set of

possible states for task T2. Since each place represents the state of exactly

one task, only the token corresponding to such a task can mark that place.

The resulting net is thus safe.

2,2 Other Models of Ada Tasking

The models discussed above are representative of those used for reachability

analysis and will serve to illustrate important design decisions to be faced in

extracting such models from concurrent programs. Other analysis techniques,

also based on graph models, can be applied for some of the same problems,

but the important tradeoffs may be different. Although the remainder of this

GThe Petri net model produced by T’OT’fi has inconsequential differences owing to a construc-

tion mechanism based on merging places from templates instantiated for each statement.

TOTAL also inserts auxiliary places to help with bookkeepmg (e.g., a place that remams marked

while a rendezvous is engaged, so that queries can refer to this one place rather than several).

The consequence of this difference is that TOTAL’s nets are safe but not conservative, while the

net models we will produce are conservative (the total number of tokens is preserved by every

transition firing); this is an unimportant difference in the context of this article.

ACM TransactIons m Software Engineering and Methodology, Vol 4, No 2. April 1995


<Po

<PI

<PO, P6, P1O> <Pi, P4, P9>

,P4, P1O>O

I

<Pi, P7, P1O><P2, P4, P

t<P2, P5’, P1O*

<P2, P6, P1

<P2, P7, PI

Fig. 8. The reachability graph of the Petri net of Figure 7,

article is focused exclusively on models for reachability analysis, we briefly

review some alternative approaches and models here.

Invariant Analysis. Petri nets have an extensive theory, from which has

grown multiple analysis techniques. One of these is analysis using net

invariants, which involves finding integer solutions to a set of equations

representing a net [Peterson 1989]. In the worst case the analysis is still

exponential, but some nets with very large state-spaces can be analyzed in

reasonable time. For detection of circular waits, invariant analysis is pes-

simistic (may report potential waits that do not occur), but the solutions

generated may be used to guide and prune a reachability analysis. Such

potential synergism between techniques favors models like Petri nets for

which multiple analysis approaches have been developed.

Constrained Expressions. The analysis of constrained expressions

[Avrunin et al. 19861 represents possible interactions among tasks by a set ofinequalities relating counts of event occurrences. System descriptions for

constrained-expression analysis are customarily written as extended regular

expressions but are equivalent to automata that may be considered as analternative graph model for analysis. Additional inequalities represent unde-

sirable behaviors, e.g., deadlock, and a minimum (shortest trace) solution is

sought to the complete system of linear inequalities. Absence of a solution

ACM TransactIons on Software Engineering and Methodology, Vol. 4, No, 2, Aprd 1995,


implies absence of the undesirable system behavior, Algorithms used in the

linear programming part of constrained-expression analysis could in principle

be exponential, but acceptable performance has been obtained for systems

well beyond what would be possible using exhaustive state enumeration

[Avrunin et al. 1991], particularly in systems with many identical tasks. The

analysis is pessimistic, but a solution to the equations can be used in a

heuristic search for an erroneous behavior in the program state-space.

BDD-Based Symbolic Model Checking. Binary decision diagrams (BDDs)

[Bryant 1986], which are (usually) extremely dense encodings of boolean

functions, can be used to encode a transition relation symbolically. A proposi-

tional temporal logic formula may likewise be encoded in a BDD, and the two

may be combined to verify the formula [Burch et al. 1990]. The worst-case

complexity of BDD-based symbolic checking is exponential, and practical

examples with (provably) no polynomial-space BDD encoding are known; but

very promising results have been obtained for sequential circuits and other

parallel systems with regular structure.

The usual approach in representing a system of several tasks in a BDD is

to represent each individual task essentially by enumerating states and

transitions, but to represent their parallel evolution by encoding the next-state

rule rather than enumerating states [Enders et al. 1991]. Individual transi-

tion sequences may be implicitly explored when the system representation is

combined with a specification formula, but it may also happen that the

combination of a very regular system with a specification implicitly explores

large classes of possible sequences together, without exploring each individu-

ally,

The limited empirical evidence on efficacy of BDD-based symbolic model

checking for analyzing programs suggests that it can be more or less efficient

depending on the structure of the program under analysis [Corbett 1994;

Ratel et al. 1991], In principle one could encode any of the graph models

considered here using BDDs, by encoding their transition rules. In practice

the tradeoffs may be quite different: in the discussion which follows we will

consider the number of distinct states and transitions that must be explored

as a critical property of graph models for reachability analysis; for BDD-based

analysis the absolute size of a state-space may be less important than its

regularity.

Conservative Flow Analysis. A quite different approach, but with some of

the flavor of constrained expressions and Petri net invariants, is conservative

polynomial-time approximation of concurrent behavior using flow analysis.

Masticola and Ryder [ 1990; 1991] have developed a hypergraph model of Ada

programs together with a set of necessary conditions for deadlock. Only

specific deadlock conditions that can be analyzed using polynomial-time flow

analysis algorithms are detected in the analysis. Dwyer and Clarke [ 1994]

have generalized these techniques to a more-general class of safety proper-

ties. Conservative flow analysis is the only approach considered in this

section with guaranteed polynomial time and space requirements; the price of

course is pessimism, e.g., reports of deadlocks when none can occur.

ACM Transactions on Software Engineering and Methodology, Vol 4, No 2. Aprd 1995

Reachablllty Analysis . 183

Summary of Alternative Models. We do not expect any of the alternative

models to displace reachability analysis completely, although each is clearly

more effective for some problems. We do expect a reasonable toolkit for

analy,is to provide several analysis capabilities and that more-conservative

nonenumerative approaches may be attempted before one resorts to state-

space exploration. Except for symbolic model checking, each of the alternative

analyses is more pessimistic than reachability analysis. Except for conserva-

tive flow analysis, each approach is based on an underly ing graph model

that, in principle at least, might be used also for reachability y analysis. One

might therefore consider suitability for nonenumerative analyse s as a crite-

rion in choosing a graph model for reachability analysis. However, as we have

noted,, the performance considerations in choosing a graph model for reacha-

bility analysis may be quite different from those for nonenumerative tech

niques, since the latter are less sensitive to the size of a state-space and mo

re sensitive to its regularity.

Modular, hierarchical analysis, addressed in Section 5 with regard to

reachability analyses, will be important to other analyses, including even

polynomial time analyses, for systems of sufficient size.

3. LA13ELED FLOVVGRAPH MODELS

Both task flowgraphs and task interaction graphs are annotated graphs

whose! definition refers to the Ada task semantics. However the two models

are difficult to compare, since their definitions are based on different aspects

of the Ada task semantics (synchronization activities for task flowgraphs,

task regions for task interaction graphs). To compare the two models, we

refer to a common model—labeled flowgraphs-that expresses the essential

semantics of the two approaches. Besides providing a basis for comparison,

labeled flowgraphs replace the informal semantics of task flowgraphs as

described in Taylor [1983] by a simple and precise operational semantics.

Labeled flowgraphs are used later in this article as a basis for comparing

these models with Petri nets.

The translation highlights a key difference between the two models consid-

ered, as well as other models of rendezvous concurrency. Task flowgraphs

represent internal choice using internal moves (similar to the ~ action of CCS

[Milner 19801), while task interaction graphs represent internal choice as aproperty of task states (similar to acceptance sets [Hennessy 1988] or refusals

[Brookes et al. 19841). We show that the latter choice is chiefly responsible forthe performance advantages claimed for task interaction graphs and that this

advantage is bought at the expense of a considerably more complex check for

potential deadlock at each state in the reachability graph.

3.1 Labeled Flowgraplw and Concurrency Flowgraphs

To give a general rule for building reachability graphs from sets of labeledflowgraphs derived in different ways from Ada programs, we introduce a set

of labels, similar to the labels used in process algebras for modeling elemen-

tary alctions [Baeten and van Glabeek 1987; Bergstra and Klop 1984; Milner

ACM Transactions on Software Engmeermg and Methodology, Vol 4, No. 2, April 1995


1989]. The correspondence with process algebras is discussed in greater detail

in Section 5.1.

Definition 3.1.1 ( Actions). Let L = 2 u z u H be a finite set of elements

called actions. 2, called the set of names, and ~, called the set of conames,

are subsets of L such that names o = Z are in one-to-one correspondence

with conames 6 E z. G is called the complementary action of u. By a small

abuse of notation, we denote the union of this bijection and its inverse as a

function “bar” of one argument, so that ~ = a. H is the set of noncommuni-

cating actions, and the distinguished element q = H is called the silent

action.

We write 2, ~, or H where no confusion arises about which set L they are

taken from,

Definition 3.1.2 (Flowgraph ). A flowgraph is a 4-tuple G = (N, A, s, T)

where

—N is a finite set of elements called nodes,

—A c N x N, called the edges,

—s = ~, the distinguished start node,

—T c N, the set of terminal nodes.

Definition 3.1.3 ( Labeled Flowgraph). A labeled flowgraph is a 6-tuple

G=(N, A, L,s, T,l) where

—N is a finite set of elements called nodes;

—L = Z u % u H is a set of actions;

—A c N X N X L is a set of labeled edges. We write n ~ n’ to indicate that

there is an edge from n to n‘ whose label is x.

—s e N, the distinguished start node;

—T ~ N, the set of terminal nodes.

The presence of complementary actions in different labeled flowgraphs

allows the identification of corresponding synchronization actions in different

processes,

Definition 3.1.4 ( Reachability Graph). Given a domain N, a distinguished

start node nO = M, and a successor relation r L N X N, the reachabilitygraph is the smallest flowgraph G = ( ill, A, n ~, T ) such that (1) A/f G N, (2)

ifn, =iWand(nl, nJ) ~rthen(nl, nj) ●A,and(3)ifn J~lW and ~nj~ill

such that (n,, ~z~) ● r, then n, = T.

For reachability graphs built from flowgraph models, the domain of nodes

will be the cross product of nodes from individual flowgraphs, while for safe

Petri nets the domain of nodes will be the powerset of Petri net places. The

relation r may connect some unreachable nodes to other unreachable nodes,

hence the definition of a reachability graph as the smallest graph meeting

the conditions described above.

ACM TransactIons on Software Engmeermg and Methodology, Vol. 4, No. 2, Aprd 1995


Task T1

begi7

. . . . . . . . . . . . Fig. 9. The labeled flowgraph corre-. . . . ...”

,.. . spending to task T1 of the Ada pro-...

Pgram of Figure 1 for task flowgraphs.

Bold arcs indicate labeled flowgraphs

c

for task T1 of Figure 1, while dotted

... 0“1, accept (P) ,.oaccept (Q) arcs recall the task flowgraph of task. . . ,.... . . . ..,, 7’1 in Figure 2,. . ..’”

. ...,P

end

De&inition 3.1.5 (Program). A program is a finite set of labeled flowgraphs

sharing the same set of labels.

Definition 3.1.6 (Concurrency State). Given a program P = {( N,, Ai, L, s,,

T,, Li) I 1 s i s k}, a concurrency state is a k-tuple (nl, . . . , n~ ) of nodes, one

for each labeled flowgraph in the program; a concurrency state N’ =

( n~, . . . . n~ ) is a successor of a concurrency state N = ( nl,..., nk ) if and only

if either q i ,j such that

or 3 i such that

(1) ‘dp # i(nj = nP)

(2) 3X G H(n, ~ n;).

The initial concurrency state is the k-tuple ( SI, . . . . sk ).

Informally a concurrency state represents a global program state as a tuple

of local process states. The successor relation moves a pair of processes

through edges labeled with an action and a matching coaction or moves a

single task through a noncommunicating action. The concurrency flowgraph

is the reachability graph with the domain of nodes being concurrency states,

the initial node being the initial concurrency state, and with the successor

relation of Definition 3.1.6.

Task Flowgraphs as Labeled Flowgraphs. A syntax-directed construction

of labeled flowgraphs from structured Ada programs is straightforward. We

illustrate the key aspects through a simple example: the labeled flowgraph of

task Tl of Figure 1 (see Figure 9).The labeled flowgraph models obtained from an Ada program do not

correspond directly to task flowgraphs but to the successor relation in the

task flowgraph model. The concurrency graph for the labeled flowgraph

ACM Transactions on Software Engineering and Methodology, Vol 4, No. 2, Aprd 199.5.


Fig 10. The labeled flowgraph corresponding to task T 1 of the Ada F()

Tprogram of Figure 1 for the TIG model, The TIG shown in Figure 5

can be easily obtained from

splitting the TIG-nodes.

the TIG shown m this figure by suitably

FM / -6

model corresponds to the reachability graph for the task flowgraph model of

the same Ada program.

In Figure 9, arcs represent synchronization actions (accept statements and

task-begin). A select statement is represented with arcs with different labels

leaving the same node. For example arcs ~ and @ from node select to node

select represent the two choices of the select statement of task T 1 of the Ada

program of Figure 1. A conditional statement is represented by arcs with the

same label, leaving the same node. For example the two arcs labeled ~ both

leaving node select represent the loop-exit statement of the Ada program of

Fig-are 1, After accepting a call on P the task can either terminate, if it exits

the loop, or wait for accepting a further call within the same loop. The

representation of conditional statements is the key characteristic of task

flowgraphs. Its implications are discussed later in this section.

TIGs as Labeled Flowgraphs. The TIG model can similarly be represented

by labeled flowgraphs. A syntax-directed construction of labeled flowgraphs

from structured Ada programs is straightforward. We illustrate the key

aspects through the same example used in the paragraphs above: the labeled

flowgraph of task T1 of Figure 1 is shown in Figure 10.

In Figure 10, conditional statements are not represented with the layout of

the graph: the possible termination of task T 1 after each iteration of the loop

due to the exit statement is implicitly coded in “edge groups” associated withnodes. The use and implications of “edge groups” are described next.

3.2 Internal Choice and Potential Deadlock

Potential deadlock is among the most-important program properties that

reachability analysis techniques are used to detect. One may intuitively

expect that deadlock is manifested by a terminal node in a reachability

graph, but this is not always so. In particular, the deadlocks that result when

task T 1 of Figure 1 executes its loop body exactly once are represented by a

terminal node in the reachability graph constructed from the task flowgraph

model (nodes (3-10-1 2) and (2-10-13) in Figure 3), but are represented by

nonterminal nodes in the reachability graph (TICG) constructed from the TIG

model of the same program (nodes (2-5-6) and ( 1-4-7) in Figure 6). The TICG

folds together deadlocked states and nondeadlocked states, resulting in a

smaller state-space but a nontrivial procedure for checking for possible

deadlock at each reachability graph node. The difference is a direct conse-

ACM TransactIons on Software Engineering and Methodology, Vol. 4, No 2, Aprd 1995,

Reachablllty Analysm . 187

Task TA

if C then

accept X;

else

accept Y;

end if;

Task TA’

select

accept X;

or

accept Y;

end select;

Task TB

TA.X;

Fig. 11.. Potential deadlock: Ifversus Select, Tasks TA and TB candeadlock, butreplacmg TA

by TA’removes thepossibility of deadlock.

quence of the treatment of so-called’’internal choice,’’ i.e., arbitrary schedul-

ing and control-flow choices.

Silent Moues. ‘I’he most-common treatment of the internal branching

structure of a process is to model “silent moves” explicitly (e.g., the 7 action in

CCS or the q action in our general flowgraph model). The task flowgraph

model takes this approach, producing different graphs for Ada select and if

statements. Although the successor relation “skips over” these internal moves,

the commitment to particular control-flow paths is preserved in the model in

the form of multiple edges with identical labels leaving a node.

Edlge Groups or Acceptance Sets. The task interaction graph model pro-

duces flowgraphs with no silent moves (q actions in our flowgraph model).

However, the distinction between select and if is essential and must be

maintained (see Figure 11). In fact, the flowgraph model as described so far

does not preserve enough information about the branching structure of

programs to detect potentially deadlocked states. Additional information

must be associated with flowgraph nodes to preserve this information.

NO ndeterministic choices in TIGs are modeled by edge groups, associated

with flowgraph nodes. Edge groups carry essentially the same information as

refusals [Brookes et al. 1984] or acceptance sets [Hennessy 1988] in process

algebras. Each out-edge from a TIG node belongs to a single group. (For

purposes of deadlock checking in the simplified TIG model used in this article

we treat termination as an out-edge leading to the final region. In the full

TIG model, termination is actually represented by an edge to a TIG-node.) An

edg e that is not part of a select statement will form a singleton group. A

select statement with no delay or else alternative will be rep resented by an

edge group containing one TIG edge for each select alterna tive. As an

example, Figure 12 shows the TIGs for the task fragments of Figure 11. The

structure of the TIGs corresponding to tasks TA (if statement) and TA’ (selectstate ment) is the same. The difference between the representation of the two

tasks is in the edge-groups associated with the node n 1. For task TA (if

state ment) node nl is associated with two edge groups, e.g., El and E2,

ACM Transactions on Software Engineering and Methodology, Vol 4, No 2, April 1995


TA(TA’ ) TB

Fig. 12. The TIGs for tasks TA, TA’, and 273 of Figure 11.

each containing one edge, e.g., X = El, ~ = E2. For task TA’ (select state-

ment) node n 1 is associated with one edge group, e.g., E3 containing both

edges ~ and ~. Node n4 is associated with one edge group E containing edge

X; nodes n 2, n 3, n5 are associated with empty sets of edge groups.

There are two kinds of edge groups: blocking and non blocking.7 Any task

interaction that is not a select alternative is a blocking edge group. Edges

corresponding to alternatives of a select statement without an else or delay

alternative form a blocking edge group. In a select statement with a delay or

else alternative, all select alternatives with the exception of the delay or elsemake up a nonblocking edge group. The else or delay alternative produces

one or more blocking edge groups, depending on subsequent control-flow. In

Figure 12 all groups are blocking, since the corresponding Ada tasks do not

contain select statements with delay or else alternative.

An infinite wait cannot occur in a program execution state in which a select

delay or else alternative is possible. However, it is a consequence of the way

TIGs (and our corresponding labeled flowgraphs) are constructed from Ada

programs that a TIG node cannot have only out-edges belonging to nonblock-

ing edge groups. Only blocking edge groups need be considered for purposes

of checking individual TICG-nodes for potential deadlock, Since nonblocking

edge groups are irrelevant for this check, in the sequel “edge group” or

“group” will mean a blocking edge group.This leads to a straightforward characterization of potential deadlock

which can be detected by inspecting individual TICG-nodes. To keep the

discussion short, we omit consideration of task termination (which requires a

special case only because we have omitted an explicit TIG edge for termina-

tion in this presentation).

Let Q be a TICG-node, composed of TIG-nodes {ql, qk }. Each q, has one or

more blocking edge groups. A selection of edge groups k a tupk (g], . . . , gk )

where each g, is a blocking edge group in q,. Q represents a potential deadlockiff there is a selection of edge groups such that there is no edge in any g, with alabel from G (the set of noncommunicating actions) and no pair of edges in

groups g,, g~, i # j with matching labels q, : qj and q~ ~ qj.

7In Long and Clarke [1989], blocking edge groups are called one-edge groups, and nonblockmg

edge groups are called zero-edge groups. We have modified the terminology to make the

discussion clearer

ACM Transactions on Software Engineering and Methodology, Vol. 4, No 2. April 1995

Reachablllty Analysls . 189

This leads immediately to a simple algorithm for determining whether a

TICG-node represents a potential deadlock:

Pc]tential deadlock := true;Fc)r each possible selectlon of edge groups,

If any action IS possible with that choice,potential deadlock = false.

In the example of Figure 12 tasks TA and TB can deadlock. The TICG-node

( nl, n4) for tasks TA and TB is a deadlock node; in fact the group selection

{E2, E} does not contain any pair of edges with matching labels (edge ~, the

only edge in E2, does not match edge X, the only edge in E). On the

contrary, the TICG-node ( n 1, n4) for tasks TA’ and TB is not a deadlock

node; in fact the only possible group selection ({E3, E}) contains a pair of

edges with matching labels (edge ~ E E3, edge X = E).The simple enumeration of edge group combinations is exponential in the

numlber of tasks, since if each of n tasks has two edge groups, 2” combina-

tions will be enumerated. In the worst case, assuming P # NP, we cannot do

much better than the brute force enumeration above for determining whether

an individual TICG-node represents a potential deadlock. A proof is available

in Pezz& and Young [1995].

3,3 F>ractical Consequences of Representing Internal Choice

While determining whether a TICG-node represents a potential deadlock is

more complex than the 0(1) check for outgoing edges in the concurrency

graplh model, in practice the problem size is small. In our experience with a

reachability analysis tool using the TIG model [Young et al. 1995], the

execution time expended in this cheek has varied from insignificant (in the

case of examples with no external choice) to approximately 2/3 of total time

for reachability graph construction and analysis.

It is easy to see that this additional complexity in checking each node is

compensated by reduction in the number of nodes to be checked. The worst

case, brute force enumeration of all combinations of edge groups explores

exactly the number of combinations that would be represented as distinct

nodes in the task flowgraph model, so the lower bound on checking for

deadlock at a TICG-node is also a demonstration that the concurrency graph

constructed from task flowgraphs may be larger than a TICG by a factor

exponential in the size of the program being analyzed. (The typical difference

is much smaller but still significant.) The worst-case time complexity of

constructing and checking the reachability graph is unchanged. Since space

rather than time is usually the limiting factor in reachability analysis

[Corbett 1994; Holzmann 1991; Young et al. 1995], the advantage goes to the

TICG model.

Mcwe generally, this suggests a performance advantage for models in which

deadlocked program execution states may not be mapped onto “dea@ states

in the intuitive manner. For example, if we model the Ada tasking system

ACM TransactIons on Software En~neerlng and Methodoloeq, Vol. 4, No 2, Aprd 1995


with Petri nets, we may not wish all deadlocked execution states to be

represented by dead markings of a net. This somewhat counterintuitive

conclusion is explored further in the next section.

Treatment of nondeterminism also impinges on other aspects of a graph

model. We have so far modeled task initiation explicitly (albeit in a simplified

form) in the task flowgraph model, while omitting it from the TIG model. This

is not an arbitrary convention: the closure operation that removes q edges

from the labeled flowgraph, corresponding to the successor function for task

flowgraphs, cannot be applied to graphs with internal nondeterminism pre-

ceding the first visible action unless we consider the resulting labeled flow-

graph to have multiple initial nodes.

Experience. The cost of representing internal choice with silent moves is

high in the worst case, but how often and under what circumstances does the

representation of internal choice have a significant impact on the cost of

analyzing real concurrent programs? If a task has only external choice (an

Ada task acting as a monitor to protect a data structure, for example) then

there is no difference at all. There is a small difference in the case of only

internal choice. We should expect the impact to be greatest where internal

and external choice are combined, causing a multiplicative effect in represen-

tation of states. Experience applying analysis tools to the Chiron user inter-

face development system is consistent with this expectation.

The Chiron user interface development system [Keller et al. 1991; Taylor

and Johnson 1993] comprises roughly 105 source lines of code and required

approximately 10 labor-years of effort. Version 1.4 of Chiron is widely dis-

tributed and used and is supported by a professional staff, i.e., Chiron is not a

toy example and was not designed to demonstrate analysis techniques.

Concurrency is pervasive in the Chiron architecture. The major run-time

components of Chiron are divided into a server and multiple clients in

separate Unix processes, and both server and client are made up of several

lightweight processes, most of which are Ada tasks.

Portions of the run-time environment of Chiron have been analyzed with

two prototype tools from the Concurrency Analysis Tool Suite, or CATS. The

first of these analyses of version 1.0 of Chiron is reported in more detail in

Young et al. [19951; a second analysis of the same system was undertaken

with another prototype tool primarily to evaluate and refine a hierarchical

(compositional) approach to analysis. We will refer to the first prototype as

CATS/A and the second as CATS/P, Among the differences between the twotechniques is the representation of internal choice: CATS/A uses the TIG

model, and CATS/P uses a model with silent moves. Although other differ-

ences between CATS/A and CATS/l? make it impossible to compare directly

the impact of representation on overall performance, we can fairly compare

the sizes of the graph models produced for each individual task.

The client side of a run-time Chiron environment, as it exists with a single

client “artist,” consists of 8 Ada tasks. Of these, 5 tasks are either determinis-

tic or have only internal nondeterminism; the flowgraph models constructed

ACM TransactIons on Software Engmeermg and Methodology, Vol. 4, No 2, Aprd 1995


using the two tools differ by at most a few nodes and edges for these tasks.

The remaining 3 tasks contain select statements with guards: an Ada con-

struct that inherently mixes internal nondeterminism for evaluation of guards

with external nondeterminism in waiting on the open entries. Large differ-

ences in graph sizes occur in representing these tasks. In fact, if a syntax-

directed tran slation of guarded entries were applied straightforwardly,

elaboration of all possible combinations of 12 guarded entries would have

added 212 = 4096 nodes to the representation of one of the tasks, which

would have made analysis impossible. It was actually modeled using a

different approachg which cause d only a factor-of-four difference between the

two representations (26 nodes in the TIG model and 106 in the model with

silent moves). The remaining 2 tasks with guarded accepts are much smaller;

each is represented by 3 nodes in the TIG model and 6 nodes in the model

with silent moves.

3.4 Detecting Race Conditions

Parallel or unordered data accesses can be detected by determining which

regions of program code execute concurrently in the program execution states

corresponding to reachability graph nodes. In the original TIG model as

presented in Long and Clarke [1989], the TIG model has a small advantage

over the task flowgraph model, in that each TIG node corresponds to a region

of program source code with a single entry point. Race analysis can therefore

be performed at each TICG-node by examining the program regions repre-

sented by the constituent TIG-nodes. In the task flowgraph model, source

code regions must be identified with task flowgraph edges rather than nodes,

and race analysis therefore involves consideration of the flowgraph edges

traversed in reaching a concurrency flowgraph node. The cost of assuring

unique entry points for code regions in the TIG model is high [Young et al.

1995]; if the final duplication step in the TIG construction is omitted, then as

in the task flowgraph model code regions must be associated with TIG edges

rather than nodes. Data access operations can be summarized for program

regions (in either the task flowgraph model or the TIG model without

duplication) using dataflow analysis. An analysis similar to auail is per-

formed first on the flowgraph model to determine which edges introduce

regions in which accesses to shared variables occur and then on the reacha-

bility graph to determine which processes may perform accesses in each node.

The ILatter analysis may be performed “on-the-fly” during graph construction.

For sequences of actions that are intended to appear atomic with respect to

other sequences, a similar approach can be used to mark all nodes that occur

8The approach we typically take in modeling such tasks is to model some data values, whichexpands the graph model but reduces the degree of internal nondeterminism. The tool we appliedperforms this conversion automaticall~ for details the interested reader is referred to Yeh [ 1993]and Yeh and Young [1993].

ACM Transactions on Software Engineering and Methodology, Vol 4, No 2, April 1995.


within the sequence, provided the beginning and end of each such sequence

can be unambiguously determined in source code. Consider the case of a

variable which is protected by a lock only for individual read and write

accesses; we may wish to detect any overlap between a read-modify-write

sequence in one task with reads or writes of the same variable in another

task. A slightly modified liue analysis suffices to determine the flowgraph

regions between a read access and an update. This generalizes to groups of

variables in the obvious way. It does not suffice for recognizing all potential

nondeterministic execution, but concurrent programs are typically intended

to exhibit some nondeterminism.

4. MATCHING RULES, LABELED FLOWGRAPHS, AND PETRI NETS

In this section, we relate the flowgraph models considered so far to Petri net

models, highlighting the difference in when communicating actions are

matched. It is well known that Petri nets are strictly more powerful than

finite-state machines, while safe nets are identical in power to finite-state

machines. Recall that the Petri nets used for analysis of Ada tasking pro-

grams, as for instance in the models of Shatz and Cheng [19881, Beaven et al.

[1991; 1992], and Mandrioli et al. [1985] (when restricted to a bounded

number of tasks) are safe nets. Safe nets and labeled flow graphs are

identical in power from a purely formal viewpoint, both being forms of

finite-state machines. A more-interesting question is how safe nets and

flowgraph models differ with respect to practical aspects such as the difficulty

of deriving a model from a program, the size of the model derived, and (most

critically) the size of the reachability graph obtained and the complexity of

analyzing it.

4.1 Label Matching and Separate Compllatlon

Synchronizing pairs of actions (call/accept) must be matched at some point

in either model. Petri net models match actions during construction of the net

model, which we can call a static matching rule, while flowgraph models

match labels (conceptually at least) during construction of the reachability

graph (a dynamic matching rule). Petri nets are generally larger than

corresponding flowgraph models, because each potential synchronization

(call\ accept or sendireceive pair) is represented by a separate transition.

However, this does not impact the size of the reachability graph, so its impact

on overall performance is small.

Label matching at model construction can have another impact in analysis

of programs: it essentially requires that the model be constructed in a single

step from a whole program text, whereas flowgraph models can be con-

structed individually for each task. One way to provide separate translation

to a net model is to derive flowgraph models and then to use the construction

given here to derive net models. Another approach based on considering nets

as terms in an algebra will be presented in the following section.

ACM Transactions on Software En~neermq and Methodology, VO1 4, NO 2, April 1995


4,2 l-ranslating Labeled Flowgraphs to Petri Nets

The IIabeled flowgraph model can be easily translated into a Petri net. Given a

set of labeled flowgraphs representing a program, we obtain a (safe) Petri net

by applying the following rules:g

Construction 4.2.1 (Labeled Flow Graph. to Petri Net)

(1) For each node of each labeled flowgraph, add a place to the Petri net.

(iSince places will be in bijection with flowgraph nodes, we will use thesame names for both in the sequel).

(2) For each edge nl S nz in the set of labeled flowgraphs such that x ● H (a

noncommunicating action), add a transition t to the Petri net such that

“f = {nl} and t“= {nz}.

(3) For each pair of edges in the set of labeled flowgraphs, nl ~ nz and

n~ 3 n, (a matching pair of communicating actions), add a transition t to

the net such that “t= {nl, n~} and t-= {rzz,n4}.

(4) If node n is an initial node then the corresponding place is marked with

one token in the initial marking. If node n is not an initial node then the

corresponding place is not marked in the initial marking.

The Petri net produced by this construction will have exactly the same

number of places as there are nodes in the flowgraph model, but since each

labeled flowgraph edge may participate in many matches, the number of net

transitions may be larger (possibly quadratic). This has no impact on the size

of the reachability graph; essentially some of the label matching that is done

in the labeled flowgraph model while building the reachability graph is just

moved into an earlier phase of the analysis, i.e., label matching is performed

while creating Petri net transitions for each possible communication.

The construction ensures that the resulting Petri net reachability graph is

isomorphic to the reachability graph of the flowgraph model. (The initial

marking corresponds to the initial node of the flowgraph reachability graph,

and at each step the set of enabled actions corresponds and produces corre-

sponding states.) The size of the reachability graph therefore has little to do

with the choice of modeling formalism; the nature of the translation from

program texts is more important.

We have seen earlier that treatment of internal choice can have a dramatic

effect on reachability graph size. Although in principle Petri net models can

mimic either flowgraph model, nearly all proposed Petri net models of Ada

tasking (to our knowledge) use conflicting transitions to represent internal

choice in a manner similar to v edges in labeled flowgraphs corresponding to

—‘A similar construction for translating TIGs to Petri nets has been independently developed and

analyzed by Dwyer et al, [1995] and Forester [1991].

ACM Transactions on Software Engineering and Methodology, Vol 4, No. 2, April 1995


the task flowgraph model. 10 For instance, in the TOTAL toolset [Shatz et al.

1990] an unevaluated if construct is modeled as follows:

+ ;,

/o\i

-....$.,.I else

fhen .-”-”-’..,. ,,,”;, “--...part

part ~’ ‘-..... $.,,..,. ....-..”-.s........--””.. ‘>,,.,,., -....”......’

\/ o

This is even less efficient than the task flowgraph model, since the individ-

ual transition firings will be recorded in the reachability graph. On the other

hand, many extraneous transitions that occur in the translation may be

removed by net reductions.

If a net were constructed corresponding to the TIG model, a program

deadlock would not necessarily correspond to a dead state of the net. This is

not only counterintuitive but would also limit one of the primary advantages

of using nets, namely, the existence of a mature body of theory and tools for

analyzing nets. For instance, the theory of deadlock-preserving reductions of

Petri nets WOU1 d no longer be applicable. Nevertheless, given the possible

savings in reachabi ity graph size, such a model is not completely out of the

question. Consider for instance an analysis with the sole aim of determining

whether an unsafe state or sequence of events can occur (dangerous parallel

access to a resource, for instance). A net based on the TIG model (or a similar

transformation of a net model, perhaps after applying other reductions)

sacrifices no modeling accuracy for improved performance in such an analysis(see Figure 13 for an example).

4.3 Advantages and Disadvantages of Nets

We can summarize the advantages and disadvantages of net models with

regard to flowgraph models of tasking behavior as follows:

Mature Theory and Tools. Petri nets were among the first general models

of concurrency, and both a body of theory and a set of mature off-the-shelf

analysis tools have grown up around nets, No comparable set of general tools

ACM Transactions on Software Engineering and Methodology, Vol. 4, No. 2, April 1995.


Fig. 13, The Petri net for the TIG model

corresponding to the Ada program of Figure

1. Places are numbered according to the

numbers of the TIG-nodes of Figure 5. For

tbe sake of simplicity we used the labeled

flowgraph illustrated in Figure 10 corre-

sponding to the TIG of task T1. Transitions

are labeled with the corresponding synchro-

nization action. This net is simpler than the

1“net of Figure 7 that represents the same

program. The reachability graph obtained for

this net applying the “classical” Petri net

reachability algorithm is also smaller than

the graph for the Petri net of Figure 7 (it

comprises 4 states instead of 24 as the

reachability graph of Figure 8). Unfortu-

nately we cannot deduce deadlock properties

of the Ada program from the reachability

graph for this Petri net, but we can check for

safeness.

yet exists for flowgraph models, although many tools for particular flowgraph

models have been constructed. A body of theory for labeled flowgraph models,

based on algebraic theories of concurrency, is growing rapidly but is less

mature than net theory.

Internal Choice and Reachability Graph Size. Net theory and net-based

tools detect or preserve properties of Petri nets. If properties of the Petri net

do not reflect corresponding properties of the program under analysis, then

net reductions and analysis may be meaningless with respect to the original

program. Thus if one wishes to retain the advantages of net theory and tools,

a representation of internal choice with extra transitions (corresponding to a

silent-move model) is forced. This results in larger reachability graphs than

are obtained from flowgraph models that associate additional choice informa-

tion with nodes, like edge groups in the task interaction graph model.

Hierarchical Analysis. Reachability analysis of either net models or the

flowgraph models considered so far is limited to analysis of a small number of

tasks, due to explosive growth in the size of state-space. For practical

analysis of real programs, one must at least be able to isolate and indepen-

dently analyze small subsystems. Preferably one should be able to compose

analysis results in a way that avoids combinatorial explosion. The next

secticm considers hierarchical analysis, first in the case of flowgraph models

(which are already very close to an algebraic model of concurrency) and then

in the case of Petri nets.

5. COMPOSITIONALITY AND ALGEBRAIC REDUCTIONS

5.1 Compositionality and Flowgraph Models

The primary limitation of reachability analysis techniques is an exponential

growth of the state-space (reachability graph size) as the number of tasks

ACM Transactions on Software Engineering and Methodology, Vol 4, No, 2, Aprd 1995.


Table I. Com~ositlonal Versus Global Reachability Analysis Dimng Philosophers

States Enumerated

Phdosouhers Global Compositional

3

4

5

6

7

8

9

102040

6080

100

12

33

98

302

941

2945

9237

29010

24

3852

66

8094

108

122262542

82211021382

increases. Theoretical results imply that the exponential complexity cannot

be avoided in the worst case [Apt 1983; Ladner 1979; Smolka 1984; Taylor

1983], regardless of the analysis technique applied. Although even a naive

implementation of reachability analysis can find synchronization flaws in

systems beyond the capacity of designers to understand fully, in its conven-

tional form reachability analysis is limited to systems or subsystems consist-

ing of a few tasks (typically less than 10).

Since a global reachability analysis of a large, complex system is practically

impossible, it is essential to analyze portions of the system independently.

A compositional approach that combines results hierarchically from individ-

ual portions is required for scaling up reachability analysis to practical

systems. Reductions to equivalent (in the algebra) graphs must be applied to

intermediate results to avoid or limit state-space explosion.

The importance of compositional analysis to scalability is illustrated inTable I by the number of states explored in a global reachability analysis of

the classical dining philosophers problem and a compositional analysis of the

same problem. The compositional analysis includes reduction after each

combination step. The tool used for this comparison is capable of modeling

only 10 philosophers in a global analysis, but by alternating composition with

reductions in a hierarchical analysis it easily completes an exhaustive analy-

sis of 100 philosophers in a few minutes.

Hierarchical analysis of real programs is more difficult than analyzing

simple, regular examples like the dining philosophers. Organization of sys-

tems to facilitate hierarchical analysis is discussed in Yeh and Young [1994]

where it is illustrated by application to Sanden’s remote-furnace example. In

that case, attempts to analyze the original design failed due to an explosion

in the state-space. Several iterations of attempted analysis and redesign were

required, in the course of which several errors in the original design were

uncovered. The original design consisted of 8 Ada tasks for a version with 2

furnaces; the revised d ecomposes the design further into 19 tasks, with a

ACM TransactIons on Software Engineering and Methodology, Vol 4, No 2, April 1995

Reachability Analysis .

global state-space of approximately 2 X 1016 states, but the largest

constructed in the hierarchical analysis has just 444 states.

A compositional approach is necessary but not sufficient for scalable

197

graph

analy-

sis. It would be a critical advantage if one model were more suitable than

another for decomposing large systems into subsystems for analysis or for

hierarchically and incrementally composing analysis results.

The labeled flowgraph model introduced in Section 3 is already very close

to a labeled transition system that can be interpreted as a term in a process

algebra. We describe the small modifications necessary to achieve an alge-

braic structure for hierarchical composition, including simplification of inter-

mediate results when analyzing larger systems. Petri nets require somewhat

more modification for hierarchical analysis, but category theory provides the

necessary formal tools. The underlying theory is developed elsewhere and

repeated here only insofar as it is necessary background for the reader. The

contribution of the current article is not in adding to this body of theory but

in showing the relation between nets and flowgraph models with respect to

how algebraic theory may be applied to achieve scalable analysis.

5.2 Algebraic Treatment of Labeled Flowgraphs

For hierarchical analysis, it is essential that the product of analysis be in a

form that can be used in a further step in the analysis. For instance, in

formal verification of programs, we require the specification of a subroutine

to be in a form that can be used as an assumption when verifflng higher-level

routines. For reachability analysis from a labeled flowgraph model, it is

desirable to be able to treat the reachability graph as a labeled flowgraph. In

other words, we require reachability graph construction to be an operation

that maps pairs or sets of labeled flowgraphs to labeled flowgraphs.

We can easily interpret a reachability graph as a labeled flowgraph by

labeling reachability graph edges. For instance we can consider the label for

an edge representing rendezvous on actions a and ti as [a], where [a] E Hsince the rendezvous cannot participate in further synchronization. However,

the reachability graph construction considered so far is inherently global.

Consider again the simple example program, and imagine that for some

reason we wish to analyze first tasks TO and T 1 before adding task T2; a

reachability graph constructed from TO and T 1 alone is shown in Figure

14.11 The result of composing this intermediate result with T2 is not the

same as analyzing TO, T 1, and T2 together in a single step. Further

composing the flowgraph of Figure 14 with the task flowgraph for task T 2

does not correctly model the possibility of rendezvous on entry Q. In fact, the

communication labels of the edges of the task flowgraph of task T 2 do not

match any label of the flowgraph of Figure 14. Although we can syntactically

“In Figure 14, nodes are labeled referring to the labels of state-nodes of the task flowgraphs of

Figure 2. Edges are labeled with silent actions i (corresponding to the initialization of a task)

and [ ~D] (corresponding to the rendezvous between the two tasks). In the sequel we omit labels on

nodes if the understandability of the figure is not compromised.

ACM Transactions on Software Engineering and Methodology, Vol. 4, No. 2, April 1995.

198 . Mauro Pezz~ et al.

<1,4> i <1,6>

Fig. 14. Nonassociative composition of o~m

tasks ‘2’0 and 2’1. Progress of task 2’0 is

shown in the horizontal direction and

progress of task T 1 in the vertical direc- 11i i

tlon. This graph results when the usual

reachability analysis construction is ap-

plied to the task flowgraph models of a <2, 6>[P] <3,6>

portion of the system; it is of no use in ,~e~ e

analyzing the global behavior of tasks 2’0, <2/4>

T 1, and T2 together.

‘k

interpret reachability graph construction as a binary operator, it is not

associative or commutative.

In algebraic models of concurrency, associativity and commutativity are

achieved by defining a parallel composition operator (corresponding to reach-

ability graph construction) in a manner that preserves not only the possible

communications of the tasks being combined but also their remaining poten-

tial for independent interactions with additional tasks (e.g., the remaining

potential for task T 1 to communicate with task T2). These additional labeled

edges are maintained until they are removed by an algebraic operation of

restriction. In terms of our labeled flowgraph model, elements of H (the

noncommunicating actions) are no longer treated specially.

Figure 15 shows the composition of the labeled flowgraphs TO and T 1

using an associative composition operation. Both possible synchronization

actions and nonsynchronization actions are explicitly modeled in the reacha-

bility graph.

The price paid for associativity is an additional growth in the size of

reachability graphs to represent the individual evolution of processes as well

as their cooperation. Fortunately, the algebraic approach also provides mech-

anisms for simplifying intermediate products without affecting the final

results. For instance, in the example of Figure 15 only the arcs labeled with

actions ~ can potentially interact with task T2. Arcs labeled with ~ can be

removed (corresponding to a restriction operation in the algebra), and arcs

labeled with noncommunicating actions (including the rendezvous [ P]) can

be relabeled with the silent action q (corresponding to an abstraction opera-

tion in the algebra). Restriction is illustrated in Figure 16. The resulting

graph can be reduced as shown in Figure 17 before composing the simplified

result with T2. Details of composition and reduction differ depending on the

particular algebraic system used; these steps correspond to an interpretation

of labeled flowgraphs as terms in the algebra ACPV [Baeten and van Glabeek

1987; Bergstra and Klop 1984] as implemented in the CATS/P analysis tool

[Yeh and Young 1991]. If one were to begin with the TIG model, CSP

[Brookes et al. 1984] rather than ACP would be an appropriate underlying

algebra, because edge groups carry the same information as refusals.

ACM Transactions on Software Engineering and Methodology, Vol. 4, No, 2, Aprd 1995


Fig. 15. Associative composition of 7’() and T1. In this reachability graph construction, the

potential for 2’0 and 7’1 to interact independently with their environment (i.e., to synchronizewith T2) has been preserved, at the cost of a larger reachability graph.

Fig. 1.6. Restriction. The actions P and ~ are not used by task T2

environment), so edges labeled with those actions can be removed.

(or by the program

Key features of process algebras that provide compositionality and incre-

mentality to flowgraph models are

(1) An equivalence relation or preorder: The equivalence relation provides

mathematical support for transformation and simplification of processes.

l[somorphism is a trivial equivalence that certainly preserves all proper-

ACM Transactions on Software Engmeermg and Methodology, Vol. 4, No. 2, April 1995.


Fig. 17. Reduction. After restriction and abstraction, the reacha-

bdlty graph of TO together with T 1 can be reduced before

combining it with T 2. The graph shown here was produced

automatically by the CATS\P tool [Yeh 1993; Yeh and Young

199 I] using ACP~ as the underlying algebra and observation

equivalence as the basis for reduction. If CATS\P is directed to

reduce the graph using a refusals model (testing equivalence),

these three nodes are collapsed to one.

ties of interest but provides no opportunity for simplification. A coarser

equivalence relation is preferable but must be chosen carefully to pre-

serve properties of interest (e.g., language equivalence preserves safety

properties but not potential deadlock). The equivalence chosen must at

least be a congruence with respect to parallel composition. An equiva-

lence based on a preorder (one-to-many relation between specifications

and conforming implementations) provides the greatest opportunity for

automatic and user-guided simplification.

The equivalence relation depends on the representation program fea-

tures in the flowgraph model and particularly on the representation of

internal choice, For instance, in Figure 17 we used observation equiva-

lence to simplify reachability graphs obtained from a model with silent

moves. The same equivalence would not have preserved potential dead-

lock if it were applied to a reachability graph obtained from a model with

edge groups (in the TIG model) or acceptance sets.

(2) A composition operator associative with respect to the equivalence rela-

tion: The associativity of the composition operator ensures that the order

of compositions of subsystems does not affect the final result.

(3) Restriction and abstraction operations for removing unnecessary detail:

In analysis of programs, restriction and abstraction are closely related to

encapsulation. For instance, the CATS/P analysis tool automatically

applies restriction at each scope wall to remove potential actions thatbecome inaccessible outside a scope.

Several tools have been constructed for experimenting with process alge-

bras and verification of finite-state systems [Cleveland et al. 1990; 1991;

Fernandez 1988; Malhotra et al. 1990]. Although these typically provide a

variety of algebraic manipulations, they can be used to perform reachabilityanalysis as a series of composition and reduction steps.

A full discussion of methodologies for hierarchical design and analysis of

concurrent programs is beyond the scope of this article, but we will describe

briefly some of the pragmatic issues in composing and simplifying subsystem

representations. Hierarchical and incremental analysis depends heavily on

program design and user guidance. Abstraction, restriction, and simplifica-

tion can be applied not only at scope walls but also at other points where it

can be determined that all potential communications involving a particular

ACM TransactIons on Software Engineering and Methodology, VO1 4, No 2, April 1995


event have been accounted for (so that, for instance, we did not need a scope

wall to determine that action ~ could be restricted before composition with

task T2, which does not contain P actions). Even so, the choice of an order to

compose modules is critical. Composing ‘TO with T2, and then composing the

result with T 1, provides hardly any opportunity for simplification. Likewise,

a program with insufficient encapsulation of the synchronization structure of

subsystems is unlikely to gain much from a compositional analysis, while a

carefi~lly layered design with available service specifications at each layer or

module boundary stands to gain most [Yeh and Young 1994].

5.3 Compositlonality and Petri Nets

If a hierarchical, incremental analysis were possible with labeled flowgraph

models but not with Petri nets, it would be a strong factor weighing against

Petri net models for reachability analysis of concurrent programs. Labeled

flowgraphs can be interpreted as models of terms in a process algebra, which

means we have a sound semantic basis for decomposing programs into

manageable chunks and composing analysis results. With careful encapsula-

tion we may also analyze properties of larger systems than can be accommo-

dated in a global analysis. We desire similar mechanisms for decomposing net

models of concurrent programs and composing analysis results.

In this section we will show that safe Petri nets may be composed in a

manner similar to the associative composition of labeled flowgraphs. The

formal basis for this manipulation relies on category theory. It is documented

in Meseguer and Montanari [1990] and Winskel [1984; 1987] but is not

wide] y known outside the community of category theorists, We present the

basic concepts informally and with an emphasis on its potential practical

application for analysis of concurrent programs. Related issues that (to our

knowledge) have not yet been worked out satisfactorily in categorical Petri

net theory are also discussed.

5.4 Algebraic Treatment of Petri Nets

In Section 5.2 we identified three main features needed to control the

complexity of reachability analysis: an associative composition operator, an

equivalence relation that is a congruence with respect to composition (or a

preorder that permits substitution in one direction), and restriction and

abstraction operat ions for eliding internal details of encapsulated subsys-

tems. A composition ope rator, restriction, and a congruence (albeit overly

fine) are provided for safe nets in the framework of category theory by

Wins,kel [1984]. Recall that safe nets are sufficiently powerful to represent

the class of systems for which reachability analysis is useful, so an algebraic

treatment of a more-general class of nets is not required.

Net Product. We begin with a product operation on safe nets (Figure 18).

Informally, the product of two nets contains all the transitions of the original

nets with the same preset and postset and a new transition for each pair of

ACM Transactions on Software Engineering and Methodology, Vol 4, No 2, April 1995.


.( O-’)p*‘n- ‘

I

+

i + “&tl,t,> ,,&t2, _JTtl

[

I “ ‘“L.J ‘“””

PI \P3 *1 ‘<

(. ) (, _,) ( )P3

.— —

(a) (b)

Fig. 18, Net product of two simple nets. (a) the pair of nets to be composed, (b) the product net

with a new transition for every pam of transitions from the two nets.

transitions in the original nets with the union of the presets and the postsets

of the original transitions. The transitions of the original nets represent the

actions of the original nets that can take place independently, while the new

transitions represent all the possible synchronizations among the actions of

the original nets. The set of places of the product of two nets is the union of

the sets of places of the two component nets.

It is possible to verify that the net product operation preserves the reacha-

bility sets of the components—i.e., a marking M is reachable in NI OIVz if

and only if PI(M) is reachable in IVl and P2( M) is reachable in IVz ( PI and

P2 are projections of markings onto the set of places corresponding to theselected component).

The net product constitutes a mechanism for composing nets, but it is not

useful in this form: subsystems communicate only on matching actions and

not on every pair of actions as represented by the net product. We need a way

of defining the set of communication actions. In Winskel [ 1984] this is

accomplished with a net restriction operation that deletes a subset of transi-

tions from a net, written N \ S’ to indicate that the set S c T is deleted. In

particular, we can delete from the product of two nets the set of transitions

representing mismatched communication (e.g., rendezvous of a call to entry A

with an accept of entry B). The net composition operator can be obtained

from the net product by deleting all the actions resulting from composition of

noncommunicating actions.

More generally, net restriction can be used to delete transitions represent-

ing potential for further communication when it can be determined that no

such communication can take place, just as the restriction operator for

labeled flowgraphs (illustrated in Figure 16) deletes arcs representing com-

municating actions that will not be matched with any external program

component. The use of the net restriction operator for encapsulation is

illustrated in Figure 19.

In Section 4, in Construction 4.2.1, we formed transitions for pairs of

matching labels in the translation from labeled flowgraphs to Petri nets in

rule (3). ‘I’he net composition operation performs the same static matching on

ACM Transactions on Software Engineering and Methodology, Vol 4, No 2, Aprd 1995


(* )

(a)

, k--- ______ + )+,, . --

(b)

Fig. 19. Net composition of individual Petri net

models of tasks in the example Ada program ofFigure 1. The nets of (a) represent tasks TO and

T1 of the example program, with transition

labels taken directly from the correspondinglabeled flowgraph model. The net of (b) is thecomposition TO IIT 1 of the two nets in (a), with

the convention that labels on transitions repre-senting synchronization (x, ~ ) are written as[ x]. Extraneous transitions produced by the netproduct are not produced by the net composition

operation, The net is restricted in (c) to remove

actions P and F, which are not needed forcomposition with task 2“2.

~[Pl ‘C+”

(’-” ‘&.- ...____..#! -*–.—.-

(c)

nets with labeled transitions, so it is now possible to form a labeled net

representation of each individual Ada task, independently, and then to

combine them with the net composition operation. We modify the translation

from sets of labeled flowgraphs to Petri nets (Construction 4.2.1) to apply to

individual labeled flowgraphs as follows: rule (2) is now applied to every

labeled edge, regardless of whether the label is in H, and the net transition is

given the label of the flowgraph edge.

(2’) For each edge nl ~ nz in the labeled flowg-raph, add a transition t tothe Petri net such that “t = {nl} and t“= {n2}.

Rule (3) will not produce any transitions when the translation is applied to

a single labeled flowgraph. In Figure 19 we illustrate the composition of

labelled net representations of tasks TO and T 1 from the simple Ada programof Figure L

This removes one of the problems of Petri net models of programs, i.e., that

they do not support separate translation. However, we have not yet given an

effective mechanism for simplifying intermediate results in a hierarchical

ACM Transactions on Software Engmeermg and Methodology, Vol. 4, No. 2, April 1995.

204 . Mauro Pezzb et al.

analysis based on Petri nets, as illustrated in Figure 17 for an algebraic

interpretation of labeled flowgraphs. In the category theory treatments of

nets [Mesegaer and Montanari 1990; Winskel 1984; 1987], the equivalence

relation used is isomorphism of reachability graphs. Isomorphism is far too

fine an equivalence relation if one wishes to reduce intermediate analysis

results to combat state-space explosion effectively. Observation equivalence

and testing equivalence, which are appropriate for the labeled flowgraph

models considered in Section 3, treat the silent action q as not directly

observable and thereby produce smaller quotient graphs.

Other notions of equivalence between Petri nets have been proposed in

recent years, for instance, Autant [1991], Olderog [1989], and Stansifer

[1992], but these as yet do not provide a practical foundation for incremental

analysis (e.g., the bisimulation relation described in Autant et al. [1991] does

not address congruence with respect to composition of nets).

Suitable equivalences can be induced from the labeled flowgraph model.

Our translation of sets of labeled flowgraphs to nets preserves the reachabil-

ity graph of the labeled flowgraph model, as does the translation from

individual labeled flowgraphs to labeled nets with static matching performed

using a net composition operation. It is common to label each edge of a Petri

net reachability graph with the label of the transition that fired to produce

that edge, which gives us again a labeled flowgraph model that is identical to

the labeled flowgraph produced by reachability analysis of the original la-

beled flowgraph models of the same tasks. Equivalences used to reduce

labeled flowgraph models (e.g., taking the quotient with respect to observa-

tion equivalence) will have the same semantic properties as in the labeled

flowgraph model.

6. SUMMARY AND CONCLUSIONS

Software applied in critical applications requires high degrees of assurance of

various functional properties. Many critical applications involve task-level

concurrency; for such applications guarantees of freedom from deadlock and

race conditions are essential. Reachability analysis is no panacea, but it can

be a useful, practical technique for assessing such properties. Reachability

analysis techniques have been applied to problems ranging from communica-

tion protocols [Holzmann 1991] to SPMD parallel Fortran programs [Appelbe

1989] to user interface management systems [Taylor et al. 1992].

Reachability analysis can augment (but not replace) other formal and

informal techniques including program testing, Like other so-called “static”

analysis techniques, it provides strong assurance when successful but is

pessimistic in the sense of sometimes failing to accept a correct program.

Also, like other static analysis techniques, successful application depends

critically on program organization and often on maintaining a property

somewhat stronger than the property one actually seeks to ensure. One

advantage that it enjoys over program verification is the degree to which the

entire analysis process can be practically automated. On the other hand

complete verification addresses all functional properties, not just concur-

ACM Transactloms on Software Engmeenng and Methodology, Vol. 4, NcJ. 2, Apr]l 1995


rency. Program testing is not pessimistic and addresses a wide variety of

program properties but cannot provide as strong an assurance as reachability

analysis for critical properties of concurrent systems.

Unlike most common static analyses, reachability analysis can be spectacu-

larly expensive if applied without discipline. Issues of efficiency and scalabil-

ity have thus been a focus of this article. One thread of research in reachabil-

ity analysis, critical to practical application, concerns extracting models from

program source code.

We have considered representative graph models for reachability analysis

of concurrent programs. We have used models of Ada tasking from the

literature for reference, although for the most part the same principles should

hold for other classes of multithreaded, parallel, and distributed programs

with some form of two-party rendezvous synchronization. While the models

considered here by no means exhaust the possibilities, they do cover some

important dimensions of the design space, including representations of inter-

nal and external choice and static versus dynamic matching of synchronizing

events. In the interest of brevity and focus we have omitted important

variations and refinements, such as exploiting symmetry in systems with

many identical tasks [Helmbold and McDowell 1991; McDowell 1989].

The tradeoffs we have identified in choosing among various graph models

for leachability analysis have mostly to do with the size of reachability

graphs, since this is almost always the limiting factor in reachability analy-

sis. Different considerations may come to the fore when considering graph

models for other forms of concurrency analysis, such as those briefly reviewed

in Section 2.2. We do not expect one kind of analysis algorithm to dominate

others; basic theoretical results on the inherent complexity of concurrent

computation make that unlikely. Elucidation of design tradeoffs for particular

kinds of analysis may lead also to a better understanding of relations

between models used for different classes of techniques.

The power of the formal models considered in this article for analysis is less

important than the way critical features are treated in extracting a model

from source code. We have identified the representation of internal choice,

static versus dynamic matching, and encapsulation (modular or composi-

tional analysis) as important basic differences among models.

The representation of internal choice and its consequences are illustrated

by a comparison of Taylor’s reduced flowgraph model [Taylor 1983] to the

TIG model of Long and Clarke [1989]. We showed that associating extra

information with nodes to represent possible internal choice is the primary

source of the performance advantage of the TIG model.The primary advantage of Petri nets as a modeling formalism is a mature

body of theory and off-the-shelf tools. For instance, the PNut tools for Petri

net reachability analysis [Morgan and Razouk 1987] have been used as a

back-end analysis engine in the TOTAL tools for analyzing Ada programs

[Shatz et al. 1990], and the Caesar tools have been similarly applied for

analyzing LOTOS designs [Fernandez 1992]. The most-apparent difference

between a net and a flowgraph model is matching communicating actions

“statically” as transitions representing potential rendezvous. We have shown

ACM TransactIons on Software Engineering and Methodology, Vol. 4, No. 2, Aprd 1995


that the choice of static or dynamic matching is independent of other,

more-essential features of an analysis model and that either flowgraph model

of Ada programs can be easily translated into ordinary safe Petri nets in a

manner that preserves the structure of their reachability graphs. A less-ap-

parent but more-fundamental characteristic is the representation of internal

choice in nets. If internal choice is treated as in the TIG model, then a

deadlocked program state need not correspond to a dead marking of the net

representation, rendering much of Petri net theory useless. So, although

either model could in principle be translated directly into nets, in practice all

extant Petri net models of Ada tasking represent internal choice essentially

as in Taylor’s reduced flowgraph model, because to do otherwise sacrifices the

above-mentioned advantages of Petri net models.

Reachability analysis of real concurrent programs depends critically on

modular structure to permit analysis of small groups of tasks in isolation.

The successful analysis of the user interface management system cited above

was due in part to its good modularization, in which the analysis could be

12 A model used for reachabilitysplit into two pieces for separate examination.

analysis should likewise support modularity and preferably in a manner that

permits incremental hierarchical composition of analysis results with reduc-

tions of intermediate results to battle combinatorial explosion. The burgeon-

ing field of process algebras provides a framework for composition and

reduction of flowgraph models, as we have illustrated in Section 5.1; experi-

ence in applying algebraic structure to analysis of Ada programs is reported

in Yeh [1993] and Yeh and Young [1991]. Category theory is beginning to lay

the groundwork for similar approaches to Petri net analysis; we have shown

in principle how nets can be used in an incremental analysis.

APPENDIX

A, MODELS FOR REACHABILITY ANALYSIS OF ADA PROGRAMS

In this appendix we describe models for reachability analysis of Ada pro-

grams: task flowgraphs, TIGs, and Petri nets. Here we refer only to a limited

set of the Ada task system. Some limitations are intrinsic to reachability

analysis; some others are introduced in this article to simplify the presenta-

tion.

If program objects can be indexed by variable expressions or referenced

through a chain of pointers, a static tool is usually incapable of determining

the particular identity of an object; thus, for instance, static-analysis algo-rithms cannot deal satisfactorily with arrays of records that include tasks as

members or tasks that are objects of access types (although a small number

of dynamically identified objects can be accommodated by parameterized

duplication of parts of the model). Additionally, static analysis requires some

12The “semer” side of the split, conslstmg of 8 tasks, and a “client” configuration, consisting of 12

tasks, were each analyzed in under 30 seconds CPU time on a Spare 2/470. A client configura-

tion with two concurrently active artists, although having only one more task, required shout 40

minutes (2426 seconds).

ACM TransactIons on Software En~neering and Methodology, Vol 4, No. 2, Aprd 1995


restrictions on dynamic task creation: since static analysis consists of build-

ing a finite representation of the state-space of the analyzed program, the

number of tasks comprising the program must have an upper bound.

Entry queues (FIFO service order) are not explicitly represented, to our

knowledge, in any of the models used for reachability analysis of Ada

programs. It can be shown that except for real-time properties, FIFO entry

queues are adequately (and much more cheaply) represented by a simple

fairness assumption [Shatz and Cheng 1988; Young 1988]. We also do not

discuss veriffing correct ordering of sequences of values communicated among

tasks. This can be accomplished in each of the models discussed here using a

methcjd described by Wolper [1986], but it is orthogonal to the issues consid-

ered here.

The other restrictions introduced in this article are only for simplifying the

presentation. They concern shared variables, task activation and termination,

and subprograms. None of these features are considered in this article,

although dealing with them does not increase the complexity of the problem.

Morecwer, decisions of whether and how to represent these aspects are

essentially independent of the graph model used for analysis.

A.1 Ti~sk Flowgraphs and Concurrency Graphs

Task flowgraphs were introduced by Taylor [1983]. The definitions below

follow those in Taylor [1983] but are stated in terms of a basic flowgraph

model to facilitate comparisons.

Definition A.1.l (Task Flowgraph). Given an Ada task A, a task flow-

graph is a flowgraph where each node corresponds to either a synchronizationactivity in A or a compound statement,13 and each edge corresponds to the

flow of control among the considered statements in task A. The starting node

is the node corresponding to the task-begin; the final nodes are the nodes

corresponding to possible terminations of task A.

Definition A.L2 (Concurrency Graph). Let p be a set of k task flow-graphs; a concurrency-node is a k-tuple of state-nodes, one state-node for

each task flowgraph in P. A concurrency graph is a reachability graph with

initial~ node ( nzo, ..., mh ) where m, is the initial node of flowgraph i and the

following successor function: the concurrency-node IV’ = ( ni,..., nj ) is a

successor of the concurrency-node ~ = ( nl, ..., ‘k) if and onlY ifi

(1) Vi, 1< i s k, either

(a) nj G succ(nl)

(b) nj = ni;

(2) there exists at least one nj, 1 s j s k, which represents application of

case la;

13Compound statements, like concZitZonal statements and loops, are explicitly modeled in the

task flowgraph only if their body contains statements that correspond to synchronization

activities.

ACM TransactIons on Software En~neenng and Methodology, Vol 4, No. 2, April 1995


(3) adherence to the semantics of Ada is reflected in the selection of the

successors of concurrency-nodes; and

(4) the changes between the concurrency-state N’ and the concurrency-state

N are the minimum number required to satisfy conditions 2 and 3—i.e., if

the concurrency-state N’ is a successor of the concurrency-state N, then

there does not exist a successor S of N such that the set of components

for which S differs from N is a proper subset of the set of components for

which N‘ differs from N.

Condition (3) requires that the flow of control on the task flowgraphs

considered in building the concurrency graph follows the Ada semantics. The

definition is taken from Taylor [ 1983]; a more-formal definition that does not

refer to the Ada semantics is presented in Section 3. Condition (4) limits the

set of successors to the set of nodes reachable with at most one action:

concurrency states reachable from the concurrency node N with more than

one action performed concurrently do not belong to the set of immediate

successors of N; they can be reached from N through intermediate nodes.

(Such models are commonly called interleaving, versus step semantics, true

concurrency, and partial order models.)

A.2 Task Interact[on Graphs and Task Interaction Concurrency Graphs

Task interaction graphs (TIGs) and task interaction concurrency graphs

(TICGS) were introduced for reducing the size of task flowgraphs and concur-

rency graphs. TIGs are defined starting from a division of the statements of a

single task into regions called task regions.

Definition A.2. 1 (Task Region). Given an Ada task A, a task region is a

portion of code starting from the task-begin or from a statement that can

immediately follow the execution of an accept or an entry call, and it ends

with accept or entry calls or with the end statement of the task.

Task regions end and start with beginning or ending of synchronization

activities (entry call, accept, select, select-else, task-begin, task-end). (As with

the task flowgraph model, we consider only the case of rendezvous without

accept bodies to keep the examples as small as possible.)

Definition A.2.2 (Task Interaction Graph). Given an Ada task A, a task

interaction graph (TIG) is a flowgraph whose nodes correspond to the task

regions in A and whose edges represent task interactions, i.e., flow of controlbetween task regions; edges are labeled with the type of represented interac-

tion. The initial node is the task region corresponding to the begin statement,

and the final nodes are those regions in which the task-end statement

appears.

The TIG model as defined by Long and Clarke requires that each task

region begin with a single synchronization action—i.e., edges incident to a

TIG-node correspond to the same synchronization action. This simplifies

bookkeeping and improves the accuracy of analyses other than reachability

analysis (e.g., the dataflow analysis reported in Long and Clarke [1991]).

ACM TransactIons on Software Engineering and Methodology, Vol. 4, No, 2, Aprd 1995


Definition A.2.3 (Task Interaction Concurrency Graph (TICG)). Given a

set of k TIGs, a TICG-node is a k-tuple of TIG-nodes, one for each TIG. A

TICG is the reachability graph where the domain is TICG-nodes; the initial

node is (sl, ..., sk ) where s, is the initial node of TIG i and with the

following successor relation: a node N’ = ( nj,... , n~ ) is a successor of a node

N=(nl,... j nh ) iff there exists i and j such that for all 1 # i, j, nj = nl and

(1) (xL,, n}) is an edge in TIG,;

(2) (n), n;) is an edge in TIGJ;

(3) the labels associated with edges (( n,, nj )) and (( n~, n\ )) match—e.g., the

edge ((n,, n:)) belongs to task T. and is labeled with accept P and the

edge (( nj, nj )) belongs to task T~ and is labeled with T..P.

A.3 Petri Nets

Definition A.3. 1 (Petri Net). A Petri net is a 4-tuple (P, T, F, no) where,

P is a set of elements called places;

T is a set of elements, called transitions; P u T is nonempty, and P n 1’ kempty;

F c (P X T) U (T X P) is a flow relation between places and transitions;

an element of F is called an arc;~0: P -+ N is an assignment of natural numbers to places, called the

initiall marking. The number associated with a place p by the marking m o is

referred to as the number of tokens in place p.

Definition A.3.2 (Preset, Postset ). The set of places for which there exists

an arc leading to a transition t is called the preset of transition t and is

indicaltedby “t:“t= {x G PI (x, t) ~ F}.

The set of places to which there exists an arc from transition t is called the

postset of transition t and is indicated by t”:

t“={x~Pl(t, x) GF}.

The dynamic behavior of a system modeled by means of a Petri net can be

represented by the firing rule, which describes the effect of actions on the

marking of the net.

Definition A.3.3 (Firing Rule). Given a net N with marking m, a transi-

tion t is enabled if and only if V places p ● “t, m(p) > 1. The firing of a

transition t enabled in a marking m produces a new marking m‘ defined as

follow s:

(1) m’(p) = m(p) – 1, Vp =-t – t“,

(2) m’(p) = m(p) + 1, Vp = t“–“t,

(3) m’(p) = m(p), otherwise.

Definition A.3.4 (Petri Net Reachability Graph). A Petri net reachability

graph is the reachability graph where nodes are markings; the initial node is

the initial marking; and the successor relation is the Petri net firing rule.

ACM Transactions on Software Engineering and Methodology, Vol 4, No 2, Apr,l 1995.

210 . Mauro Pezzb et al

Definition A.3.5 (Safeness). A Petri net N = (P, T, F, mO ) is safe if and

only if for all reachable markings the number of tokens in each place is less

than or equal to 1.

ACKNOWLEDGMENTS

We are grateful to Wei Jen Yeh and David Levine for their work on analysis

tools and experiments discussed in this article. We also thank the anonymous

referees for their careful reading and many suggestions that improved the

article.

REFERENCES

APPELBE, B., SMITH, K., AND MCDOWELL, C. 1989, Start/pat: A parallel-programming toolkit.

IEEE Softw. 6, 4 (July), 29-38.

APT, K. R. 1983 A static analysis of CSP programs. In Proceedings of the Workshop on

Program Logic (Pittsburgh, Pa., June). Lecture Notes in Computer Science, vol. 164. Springer-

Verlag, New York. Published in 1984.

AUTANT, C., BELMESZi, Z., AND SCHNOEBELEN, P. 1991. Strong bisimilarity on nets revisited. In

PARLE ’91, Parallel Architectures and Languages Europe (Emdhoven, The Netherlands,

June). Lecture Notes in Computer Science, vol. 506. Springer-Verlag. Berlin, 295-312.

AVRUNIN, G. S., BUY, U. A., CORBETT, J. C., DILLON, L. K., AND WILEDEN, J. C. 1991. Automated

analysis of concurrent systems with the constrained expression toolset. IEEE Trans. SoftuJ.

Eng. 17, 11 (Nov.), 1204-1222.

A~TWJNIN, G, S., DILLON, L. K., WILEDEN, J. C., AND RIDDLE, W. E. 1986. Constrained expres-

sions: Adding analysis capabdlties to design methods for concurrent software systems. IEEE

Trans Softw. Eng. SE-12, 2 (F’eb ), 278-292.BAETZZN,J C. M, AND VAN GLABEEK, R. J, 1987, Another look at abstraction in process algebra.

In Proceedings of the 14th International Colloquz urn on Automata, Languages, and Program-

ming ( ICMLP) (Karlsruhe, Germany, July). Lecture Notes in Computer Science, vol. 267.

Springer-Verlag, Berlin, 84-94.

B~AVEN, M,, ELMORE, B., MARINESCU, D. C., AND STANSIFER, R. 1991 VERT-verification of

real-time programs. In Proceedings of the 15th Annual International Computer Software and

Applwation.s Conference (Sept.). IEEE Computer Society Press, Los Alamitos, Calif., 618-625.

BEAVEN, M., MARINESCU, D. C., AND STANSIFER, R. 1992 Modeling concurrent programs with

colored Petri nets. Tech. Rep. CRPDC-92-4, Center for Research in Parallel and Distributed

Computing, Dept of Computer Sciences, Univ of North Texas, Denton, Tex. Feb.

BERZXTRA, J. A. AND KLUP, J, W. 1984, Process algebra for synchronous communication. Infi

Contr. 60, 109-137.BROOKES, S. D., HOARE, C. A. R., AND ROSCOE, A. W. 1984. A theory of communicating

sequential processes. J ACM 31, 3 (July), 560–599.

BRMNT, R. E. Graph-based algorithms for boolean function manipulations. IEEE Trans. Com-

put. C-35, 8, 677–691.

BURC!H, ,J. R,, CLARKR, E. M., MGMILLAN, K. L., DILL, D. L., AND HWAN~, L. J. 1990. Symbolic

model checking: 10 20 states and beyond In proceedings of the 5th Annual SYmPosl urn on Log~c

in Computer Sctence (June). IEEE Computer Society Press, Los Alamitos, Calif.

CLARKE, E. M., EMERSON, E, A., .AND SISTLA, A. P 1986. Automatic verification of finite-state

concurrent systems using temporal logic. ACM Trans. Program. Lang. Syst. 8, 2 (Apr.),

244-263.

CL~AVELAND, R , PARROW, J., AND STEFFEN, B. 1990 A semantics-based verification tool for

finite-state systems. In Protocol Specification, Testing, and Verification, IX. North-Holland,

Amsterdam. 287-302.

CJ,E~VELAND, R., PARROW, J., AND STEFFEN, B. 1991. The concurrency workbench: A semantics

based tool for the verification of concurrent systems, In Proceedings of the Workshop on

ACM Transactions on Software Engmeermg and Methodology, Vol. 4, No, 2, April 1995


Automatic Ver@katLon Methods for Finite Sfute Machines (Feb.). Lecture Notes in Computer

Science, vol. 407, Springer-Verlag, New York, 24-37.

CORIMWT, J. C, 1994. An empirical evaluation ofthree methods fordeadlock analysis of Ada

tasking programs. In Proceedings of the 19941nternational Symposium on Software Testing

and .4nalysw ( ZSSTA) (Seattle, Wash., Aug.). ACM, New York, 204–215.

DWYER, M. AND CLARKE, L. 1994. Data flow analysis for verifying properties of concurrent

programs. In Proceedings of the 2nd ACM SIGSOFT Symposium on Foundations of Software

Engineering (New Orleans, La., Dec.). ACM, New York, 62–75.

DWYER, M., CLARRR, L., AND NIES, K. 1995. A compact Petri net representation for concurrent

programs. In Proceedings of the 17th International Conference on Softu,are Engineering (ICSE

17) (Seattle, Wash., Apr.) IEEE Computer Society Press, Los Alamitos, Calif. To be published,

ENDERS, R., FILKORN, T,, AND TAUBNER, D. 1991. Generating BDDs for symbolic model check-

ing in CCS. In Proceedings of the 3rd Workshop on Computer Azded VerLf6catLon. Lecture Notes

in Computer Science, vol. 531. Springer-Verlag, New York, 263–278.

FERNANDEZ, J.-C. 1988, Ald6baran: Un syst6me de v&-ification par ieduction de processus

communicants. Ph.D. thesis, Univ. de Grenoble, Grenoble, France.

FERNANDEZ, J.-C., GARAVEL, H., MOURNIER, L., RASSE, A., RODRIGUEZ, C., AND SIFAKIS, J. 1992,

A toolbox for the verification of LOTOS programs. In Proceedings of the 14th International

Con@-ence on Software Engineering (Melbourne, Australia). IEEE Computer Society Press,

Los Alamitos, Calif., 246-259.

FORESTER, K. 1991. TIG-based Petri nets for modeling Ada tasking. Master’s thesis, Dept. of

Computer and Information Science, Univ. of Massachusetts, Amherst, Mass. June, Available

as C(DINS Tech. Rep. 91–69.

HELMBOLD, D. P. AND MCDOWELL, C. E, 1991. Computing reachable states of parallel pro-

grams. In proceedings of the ACM\ONR Workshop OTLParallel and Distributed Debugging, B.

P. Miller and C. McDowell, Eds. ACM SZGPLAN Not. 26, 12, 76–84.

HENNESSY, M. 1988. Algebralc Theory of Processes MIT Press, Cambridge, Mass.

HOARE,, C. A. R. 1985. Communicating Sequential Processes. Prentice-Hall International, Lon-

don.

HOLZMANN, G. J. 1987. Automated protocol validation in Argos: Assertion proving and scatter

searching. IEEE Trans. SoftuI. Eng. SE-13, 6 (June), 683–696.

HOLZMANN, G, J. 1991. DesLgn and Valldatfon of Computer Protocols. Prentice-Hall, Engle-

woodl Cliffs, N.J.

KARP, R. M. AND MILLER, R. E. 1969. Parallel program schemata, J. Comput, Syst. SCZ. 3,

(May).

KELLEFL J. K., CAMERON, M., T.AYLOR, R. N., AND TROLTP, D. B. 1991. User interface develop-

ment and software environments: The Chiron- 1 system, In Proceedings of the 13th Interna-

tional Conference on Software Engineering (Austin, Tex., May). IEEE Computer Society Press,

Los Alamitos, Calif., 208-218.

LADNER, R. E. 1979. The complexity of problems in systems of communicating sequential

processes. In Proceechngs of the llth Annual ACM Symposium on Theory of Computing

(Atlanta, Ga., Apr.). ACM, New York, 214-223.

LONG, D. L. AND CL,ARKE, L. A. 1989. Task interaction graphs for concurrency analysis. In

Proceedings of the llth International Conference on Software Englneermg (Pittsburgh, Pa.,

May). 44-52.

LONG, D. L. AND CLARKE, L. A. 1991. Data flow analysis of concurrent systems that use the

rendezvous model of synchronization. In proceedings of the Symposium on Softu,are Testzng,

Analysis, and Verification (TAV4) (Victoria, British Columbia, Oct.). ACM Press, New York,

21-35.

MALHOR’rA, J., SMOLKA, S. A., GIACALONE, A., AND SHAPIRO, R. 1990, Winston—a tool for

hierarchical design and simulation of concurrent systems. In Spec@cat~on and Verification of

Concurrent S.vstems, C. Rattray, Ed. Sprmger-Verlag, New York, 140-152.

MANDRIOL1, D., ZICARI, R., GHEZZL, C., AND TLSATO, F. 1985. Modeling the Ada task system by

Petr] nets. Comput, Lang. 10, 1, 43-61.

ACM Transactions on Software Engineering and Methodology, Vol. 4, No. 2. April 1995


lMASTICOL& S P, AND RYDER, B. G. 1990 Static infinite wait anomaly detection in polynomial

time. Tech Rep. LCSR-TR-141, Dept of Computer Science, Rutgers Univ., Piscataway, N.J.

Jan,

MMTICOLA, S. P. AND RYDER, B. G. 1991. A model of Ada programs for static deadlock

detection m polynomial time. In Proceedings of the ACM1ONR Workshop on Parallel and

Dlstrlbuted Debugging, B, P. Miller and C. McDowell, Eds. SIGPLAN Not. 26, 12, 97-107.

MCDOWELL, C. E. 1989. A practical algorithm for static analysis of parallel programs, J.

Parallel Dlstrib. Comput. 6, 515-536.

MESEGUER, J, AND MONrAN~RI, U. 1990, Petri nets are monoids, ln~. ContpzLt. 88, 105-155,

MILNER, R. 1980, A Calculus of Communzcchng Systems, Lecture Notes in Computer Science,

vol 92. Springer-Verlag, New York

M[LNM?, R. 1989 Communlcatmn and Concurrency. Prentice-Hall International, London.

MORASC’A. S, AND PEZZilj M, 1989, Vahdation of concurrent Ada programs using symbolic

execution. In ESEC ’89 2nd European Software Engineering Conference. Lecture Notes m

Computer Science, vol 387. Springer-Verlag, Berlin, 469-486,

MORGAN, E. T. AND RAZOUK, R, R. 1987. Interactive state-space analysls of concurrent systems.

IEEE Trans. Softu,. Eng. SE-13, 10 (Ott ), 1080-1091.

MURATA, T. 1989 Petri nets: Properties, analysis, and applications Proc IEEE 77, 4 (Apr.),

541-580.

OLDEROG, E.-R. 1989 Strong blsimilarity on nets: A new concept for comparing net semantics.

In Lecture Notes in Computer Science Vol. 222. Springer-Verlag, New York, 549-573.

P~T~RSON, J. 1989. Petri Net Theory and the Modellng of Systems. Prentice-Hall, Englewood

Chffs, N.J.

PIzzzk, M. AND YOUNG, M. 1995. Complexity of recognizing deadlocked states in the TIC model

of Ada tasking Tech Rep., Software Engineering Research Center, Dept. of Computer Science.

Purdue Umv,, West Lafayette, Ind. Also avadable as http:/\www,cs.purdue. edu/

people ]young,lpapers.

R~TEL, C , HALBWACHS, N , AND RAY~O~D, P 1991. Programming and verifying critical systems

by means of the synchronous data-flow language LUSTRE, In Proceedings of the ACM

SIGSOFT ’91 Conference on Software for CrLtLcal Systems (New Orleans, La., Dec ) ACM, New

York, 112-119.

REISIG, W. 1985 Petri Nets. EATCS Monographs on Theoretical Computer Science. Sprmger-

Verlag, New York,

SHATZ, S M AND CHEN~, W K. 1988 A Petri net framework for automated static analysis of

Ada tasking behavior J. Syst. Softw. 8, (Dec.), 343-359,

SHATZ, S. M., MAI, K., BLACK, C., ANI) Tu, S. 1990. Design and implementation of a Petri net

based toolkit for Ada tasking analysls. IEEE Trans. Parallel Distrib Syst. 1, 4 (Oct.), 424-441.

SHENKER, B., MURATA, T., AND SH.ATz, S. M. 1986. Use of Petri net mvariants to detect static

deadlocks in Ada programs. In Proceedings of the Fall Joint Computer Conference (Nov ) IEEE

Computer Society Press, Los Alamitos, Cahf., 1072–1081. See also IEEE Trans. Softw Eng

15, 3 (Mar), 314-326.

SNIOMW, S. A 1984. Analysls of commumcatmg finite state processes, Ph.D. thesis, Computer

Sclcnce Tech. Rep. CS-84-05., Dept of Computer Science, Brown Univ , Providence, R.I.

STANSIFER, R. 1992. Critical paths and bisimulation for colored Petri nets, Tech. Rep., Dept. of

Computer Sciences, Center for Research in Parallel and Distributed Computmg, Univ. of

North Texas, Denton, Tex.

SUNSHINE, C. A., Ed. 1986. CommunLcatmn Protocol Modeling. Artech House, Dedham, Mass

TAYLOR, R. N. 1983a. Complexity of analyzing the synchromzation structure of concurrent

programs, Acts In fornlatLca 19, 57-84,

TAYLOR, R. N. 1983b. A general-purpose algorlthm for analyzing concurrent programs, C’om-

mun. ACM 26, 5 (May), 362-376.

TAYLOR, R N. AND JOHNSON, G. F. 1993 Separations of concerns in the Chiron-1 user interface

development and management system. In Proceedings of the Conference on Human Factors m

Computer Systems (Amsterdam, Apr.). ACM, New York, 367-374

T~~LoR, R, N,, LEVINE, D, L., AND KELLY, C D 1992. Structural testing of concurrent pro-

grams. IEEE Trans. Softa,. Eng. 18, 3 (lMar.), 206–215,

ACM Transactions on Software Engineering and Methodolo.~, Vol 4, No 2, April 1995


WINSKKL, G. 1984. Anew definition ofmorphism on Petri nets, In STACS 84, Sy?nposwm of

Theoretical Aspects of Computer Science (Paris, Apr.). Lecture Notes in Computer Science, vol.

166. Spnnger-Verlag, Berlin, 140-150.

WINSKEL, G. 1987. Petri nets, algebras, morphism, and compositionality. Infi Comput. 72,

197-238.

WOLPEIR, P. 1986. Specifying interesting properties of programs in propositional temporal

logics. In Proceedings of the 13th ACM Symposium on Principles of Programming Languages

(St. Petersburg, Fla., Jan.). ACM, New York, 184-193.

YEH, W. J. 1993. Controlling state explosion in reachability analysis. Ph.D. thesis, Dept. of

Computer Science, Purdue Univ., West Lafayette, Ind. Dec.

YEH, W. J. AND YOUNG, M. 1991. Compositional reachability analysis using process algebra. In

proc,?edmgs of the Symposium on Software Testing, Analysts, and Verification (TAV4]

(Victoria, British Columbia, Oct.). ACM Press, New York, 49-59.YEH, W. J. AND YOUNG, M. 1993. Compositional reachability analysis of Ada programs using

process algebra. Tech. Rep., Dept. of Computer Science, Software Engineering ResearchCenter, Purdue Univ., West Lafayette, Ind. July.

YEH, W. J. AND YOUNG, M. 1994. Redesigning tasking structures of Ada programs for analysis:

A case study. Softw. Test. Veri~ Rel. 4, (Dec.), 223-253.

YOUNG,, M. 1988. How to leave out details: Error-preserving abstractions of state-space mod-

els. [n Proceedings of the 2nd Workshop on Software Testing, Verification, and Analy.ws

(Banff, Canada, July). IEEE Computer Society Press, Los Alamitos, Calif., 63-70YOUNG, M., TAYLOR, R. N., LEVINE, D. L., FORESTER,K., AND BRODBECK,D. 1995. A concurrency

analysis tool suite for Ada programs: Rationale, design, and preliminary experience. ACM

Trans. Soflw. Eng. Meth. 4, 1 (Jan.), 65-106.

Received November 1994; revised March 1995; accepted May 1995

ACM Transactions on Software Engineering and Methodology, Vol 4, No. 2, April 1995.

Documents

Graph models for reachability analysis of concurrent programslaser.cs.umass.edu/courses/cs521-621/papers/p171-pezze.pdfity analysis to general concurrent programs, although recent