On Sequentializing Concurrent Programs

Ahmed Bouajjani LIAFA, University of Paris 7, France

Michael Emmi LIAFA, University of Paris 7, France

Gennaro Parlato ✓

University of Southampton, UK

What is this talk about?

Use of verification tools for sequential programs

to analyze concurrent programs

Write a sequential program that simulates the concurrent program

Kiss: Keep It Simple and Sequential [Qadeer, Wu—PLDI’04]

Many efficient solutions have been developed for sequential programs:

SMT-based Bounded Model-Checkers, BDD-based model-checkers, approximation techniques, deductive verification, …

Why don’t we exploit them?

code-to-code translation as a plug-in for sequential tools

A convenient way to get new tools for conc. programs …

Sequ. tool

Concsequtranlsation

Instrumentationfor the Sequ. tool

Concurrent Program

T1 T2 Tn

shared vars(SC semantics)

…

Sequ.program

What would it be a good sequential simulation?

First attempt:

Tracking state: C1 X C2 X … Ci … X Cn X Shared

Simulation: at each step simulate one move of a thread

State space explosion !

Q: Can we avoid such an explosion (cross product of locals)?

Yes, if we consider at most 2 context-switches

[Qadeer, Wu—PLDI’04]

13

2

132

Q: Can we avoid such an explosion (cross product of locals)?

A: YES, for certain under-approximation

Q: What about complete simulations ?

A: NO! (for theoretical reasons)

Related works• Up 2 context-switches [Qadeer, Wu—

PLDI’04]

• Many concurrency errors manifest themselves within few context-switches [Musuvathi, Qadeer—PLDI`07]

• Any fixed # context-switches (finite # of threads) • Eager [Lal, Reps—CAV`08]• Lazy [La Torre, Parlato, Madhusudan—CAV`09]

• Round-Robin schedules & parametrized programs• Lazy [La Torre, Parlato, Madhusudan—CAV`10]

• Delay-bounded schedules (thread creation) [Emmi, Qadeer, Rakamaric—POPL`11]

• Over-approximation [Garg, Madhusudan, TACAS`11]

Proposed sequentializations common characteristics

Avoid cross product (compositional)• 1 stack for the simulation• 1 local state, fixed # of shared states

Conc. & Sequ. Programs are in the same class• i.e. no additional data structures to simulate parallelism• Example: Boolean conc. programs Boolean

(sequential) program

Parametrized: increasing the parameter • more and more behaviors are captured• at the expense of more computational resources

Explore as many behaviors as possible• Goal

Our contribution

General mechanism enabling compositional sequentializations• Under-approximations

Captures at least or more behaviors than existing sequentializations

Existing sequentializations can be seen as a restrictions of ours

Our

Concurrent Sequential

Translation

- Compositional semantics- Thread interfaces

- Bounded semantics (restricted compositional semantics)

Compositional Semantics(code-to-code translation to sequ.

programs)P ::= var g:T H

H ::= proc p (var l:T ) s

s ::= s; s | x := e | skip | assume e

| if e then s else s | while e do s

| call x := p e | return e

| post p e | yield //Concurrent stmt

x ::= g | l

T1 T2 Tn

shared vars(SC semantics)

…

Main idea of the sequentialization• Transform each thread creation into a procedure call:

post p e call g:=p e

Only one interaction • Solution (return all possible interactions)

post p e call INTERFACE:=p e

Key concept: Thread interface

An interface of a thread T in an execution

captures the interactions (shared states)

of

T and all its sub-threads

with

the remaining threads involved in the execution

Thread interface

s1 s1’

s2

s3

s4

s5

s2’

s3’

s4’

s5’

How to compute Thread interface

• Every thread creation is transformed into a procedure call

• A thread procedure • computes an interface of the thread by simulating its

code

• The thread procedure keeps the following data structure to compute the interface

EXP: Interface to exportBAG: Interfaces imported from posted threads

Updating the interface data-structure:initialization

The procedure that simulates a thread first initializes the interface data-structure:

• interface to export is initialized with one round ( s1, s1 )

( s1 is a guessed shared state)• bag of imported interfaces is empty

∅s1 s1

EXP: Interface to exportBAG: Interfaces imported from posted threads

Updating the interface data-structure:

thread creation (post)

At any thread creation:

post p e transformed interface := call thread-p e;

Add( BAG, interface );

EXP: Interface to exportBAG: Interfaces imported from posted threads

Updating the interface data-structure

context-switch (yield)

At any yield point non deterministically either 1. interact at least once with internal threads, or

2. interact with an external thread

a

a b

b

EXP: Interface to exportBAG: Interfaces imported from posted threads

Updating the interface data-structure

context-switch (yield)

At any yield point non deterministically either 1. interact at least once with internal threads, or

2. interact with an external thread • Add a new round (a,a) to the interface to export ( a is guessed )

EXP: Interface to exportBAG: Interfaces imported from posted threads

a a

Sequential semantics for conc. programs

We’ve obtained a sequential program that simulates the conc. program by computing interfaces

Each Thread code p is replaced by the procedure thread-p:• Variables: Locals + Interface data-structure• Initialize the interface data-structure• The code of the original thread is attached• Only post, and yield statement are replaced with new code

(simulating the operations presented previously)

• At yield a yield statement (or return) return the exported interface

interface data-structure is unbounded

• An interface as a list:

aceg

bdfh

a b

c d

e f

g h

Bounding & Compressing

Bounding & Compressing

• Bound the # nodes in the interface data structure

• Compress the bag of exported interface as a DAGWe merge two node (x, y) and (y,z) into (x,z)

x y y z

- Ex 1. - Ex 2.

x y

y z

Our Sequentialization

Compositional Semantics

+

Bounding & Compressing

All existing sequentializations can be

simulated- Up 2 context-switches [Qadeer, Wu—PLDI’04]

- Any fixed # context-switches (finite # of threads) - Eager [Lal, Reps—CAV`08]- Lazy [La Torre, Parlato, Madhusudan—CAV`09]

- Round-Robin schedules & parametrized programs- Lazy [La Torre, Parlato, Madhusudan—CAV`10]

- Delay bounded schedules (thread creation) [Emmi, Qadeer, Rakamaric—

POPL`11]

T1 T2 Tn

initialshared state

round 1

round 2

round k

Sequ. for any fixed # context-switches

(finite # of threads) [Lal, Reps—CAV`08]

1 23

Conclusions

Conclusions:We have presented a general mechanism enabling compositional sequentializations of concurrent programs (under SC)

- parameterized (bounding & compressing the # of nodes in the interfaces)- more behaviors than existing sequentializations- Thread creation, parameterized programs, finite # threads- All existing sequentializations can be explained within our framework

Weak Memory models:- Translation TSO SC [Atig, Bouajjani, Parlato—CAV`11]- TSO SC sequential

Future works:- Experimental evaluation- Sequentializations for distributed programs (FIFO channels) ?

- The Tree-width of Auxiliary Storage [Madhusudan, Parlato—

POPL`11] - Lazy transformation of our sequentialization [La Torre, Madhusudan, Parlato—CAV`09, CAV`10]

Thanks!