Data-centric Dynamic Partial Order Reduction

Data-centric Dynamic Partial Order Reduction

Technical Report No. IST-2016-620-v1+1 Deposited at 15 Jul 2016 08:43

https://repository.ist.ac.at/620/1/main.pdf

IST Austria (Institute of Science and Technology Austria) Am Campus 1

Copyright © 2012, by the author(s). All rights reserved.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for prot or commercial advantage and that copies bear this notice and the full citation on the rst page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specic permission.

Data-centric Dynamic Partial Order Reduction

Abstract

We present a new dynamic partial-order reduction method for state-less model checking of concurrent programs. A common approach for exploring program behaviors relies on enumerating the traces of the program, without storing the visited states (akastateless explo-ration). As the number of distinct traces grows exponentially, dy-namic partial-order reduction (DPOR) techniques have been suc-cessfully used to partition the space of traces into equivalence classes (Mazurkiewiczpartitioning), with the goal of exploring only few representative traces from each class.

We introduce a new equivalence on traces under sequential con-sistency semantics, which we call the observation equivalence. Two traces are observationally equivalent if every read event ob-serves the same write event in both traces. While the traditional Mazurkiewicz equivalence is control-centric, our new definition is data-centric. We show that our observation equivalence is coarser than the Mazurkiewicz equivalence, and in many cases even expo-nentially coarser. We devise a DPOR exploration of the trace space, calleddata-centricDPOR, based on the observation equivalence.

1. For acyclic architectures, our algorithm is guaranteed to explore exactly one representative trace from each observation class, while spending polynomial time per class. Hence, our algo-rithm isoptimalwrt the observation equivalence, and in several cases explores exponentially fewer traces thananyenumerative method based on the Mazurkiewicz equivalence.

2. For cyclic architectures, we consider an equivalence between traces which is finer than the observation equivalence; but coarser than the Mazurkiewicz equivalence, and in some cases is exponentially coarser. Our data-centric DPOR algorithm re-mains optimal under this trace equivalence.

Finally, we perform a basic experimental comparison between the existing Mazurkiewicz-based DPOR and our data-centric DPOR on a set of academic benchmarks. Our results show a significant reduc-tion in both running time and the number of explored equivalence classes.

1.

Introduction

Stateless model-checking of concurrent programs.The verification of concurrent programs is one of the major challenges in formal methods. Due to the combinatorial explosion on the number of interleavings, errors found by testing are hard to reproduce (often calledHeisenbugs [31]), and the problem needs to be addressed by a systematic exploration of the state space.Model checking[9] addresses this issue, however, since model checkers store a large number of global states, it cannot be applied to realistic programs. One solution that is adopted isstateless model checking[15], which avoids the above problem by exploring the state space without explicitly storing the global states. This is typically achieved by a a scheduler, which drives the program execution based on the current interaction between the processes. Well-known tools such as VeriSoft [16, 17] and CHESS [27] have successfully employed stateless model checking.

Processp1: 1.writex; 2.readx; Processp2: 1.writex; 2.readx;

Figure 1: A system of two processes with two events each. Partial-Order Reduction (POR). Even though stateless model-checking addresses the global state space issue, it still suffers from the combinatorial explosion of the number of interleavings, which grows exponentially. While there are many approaches to reduce the number of explored interleavings, such as, depth-bounding and context bounding [22, 30], the most well-known method is par-tial order reduction (POR)[7, 15, 32]. The principle of POR is that two interleavings can be regarded as equivalent if one can be obtained from the other by swapping adjacent, non-conflicting (in-dependent) execution steps. The theoretical foundation of POR is the equivalence class of traces induced by theMazurkiewicz trace equivalence[28], and POR explores at least one trace from each equivalence class. POR provides a full coverage of all behaviors that can occur in any interleaving, even though it explores only a subset of traces. Moreover, POR is sufficient for checking most of the interesting verification properties such as safety properties, race freedom, absence of global deadlocks, and absence of assertion vi-olations [15].

Dynamic Partial-order Reduction (DPOR).Dynamic partial-order reduction (DPOR) [12] improves the precision of POR by record-ing actually occurrrecord-ing conflicts durrecord-ing the exploration and usrecord-ing this information on-the-fly. DPOR guarantees the exploration of at least one trace in each Mazurkiewicz equivalence class when the explored state space is acyclic and finite, which holds for stateless model checking, as usually the length of executions is bounded [12, 17, 31]. Recently, an optimal method for DPOR was developed [1].

A fundamental limitation.All existing approaches for DPOR are based on the Mazurkiewicz equivalence, i.e., they explore at least one (and possibly more) trace from each equivalence class. A basic and fundamental question is whether coarser equivalence classes than the Mazurkiewicz equivalence can be applied to stateless model checking and whether some DPOR-like approach can be de-veloped based on such coarser equivalences. We address this funda-mental question in this work. We start with a motivating example.

1.1 A minimal motivating example

Consider a concurrent system that consists of two processes and a single global variablexshown in Figure 1. Denote bywiandrithe write and read events toxby processpi, respectively. The system consists of four events which are all pairwise dependent, except for the pairr1, r2. Two tracestandt1are called Mazurkiewicz equiv-alent, denotedt „M t1, if they agree on the order of dependent events. The traditional DPOR based on the Mazurkiewicz equiva-lence„M will explore at least one representative trace from every class induced on the trace space by the Mazurkiewicz equivalence. There exist23

are23

possible interleavings, but half of those reorder the indepen-dent eventsr1, r2, and thus will not be considered. The traditional DPOR will explore the following four traces.

t1: w1, r1, w2, r2 t2: w1, w2, r1, r2 t3: w2, w1, r1, r2 t4: w2, r2, w1, r1 Note however thatt1andt4are state-equivalent, in the sense that the local states visited byp1andp2are identical in the two traces. This is because each read eventobservesthe same write event in t1andt4. In contrast, in every pair of traces amongt1, t2, t3, there is at least one read event that observes a different write event in that pair. This observation makes it natural to consider two traces equivalent if they contain the same read events, and every read event observes the same write event in both traces. This example illustrates that it is possible to have coarser equivalence than the traditional Mazurkiewicz equivalence.

1.2 Our contributions

In this work our contributions are as follows.

Observation equivalence.We introduce a new notion of observa-tion equivalence(Section 3.1), which is intuitively as follows: An observation function of a trace maps every read event to the write event it observes under sequentially consistency semantics. In con-trast to every possible ordering of dependent control locations of Mazurkiewicz equivalence, in observation equivalence two traces are equivalent if they have the same observation function. The ob-servation equivalence has the following properties.

1.Soundness.The observation equivalence is sufficient for explor-ing all local states of each process, and is thus sufficient for model checking wrt to local properties (similar to Mazurkieqicz equivalence).

2.Coarser. Second, we show that observation equivalence is coarser than Mazurkiewicz equivalence, i.e., if two traces are Mazurkiewicz equivalent, then they are also observation equiv-alent (Section 3.1).

3.Exponentially coarser.Third, we show that observation equiva-lence can be exponentially more succinct than Mazurkiewicz equivalence, i.e., we present examples where the ratio of the number of equivalence classes between observation and Mazurkiewicz equivalence is exponentially small (Section 3.2). In summary, observation equivalence is a sound method which is always coarser, and in cases, strictly coarser than the fundamental Mazurkiewicz equivalence.

Principal difference. The principal difference between the Mazurkiewicz and our new observation equivalence is that while the Mazurkiewicz equivalence is control-centric, observation equivalence isdata-centric. The data-centric approach takes into read-write and memory consistency restrictions as opposed to only event-dependency relation of Mazurkiewicz equivalence. More-over, the data-centric approach allows analysis to be more ’white-box’ and thus potentially more efficient.

Data-centric DPOR.We devise a DPOR exploration of the trace space, calleddata-centricDPOR, based on the observation equiv-alence. Our DPOR algorithm is based on a notion ofannotations, which are intended observation functions (see Section 4). The ba-sic computational problem is, given an annotation, decide whether there exists a trace which realizes the annotation. We show the com-putational problem is NP-complete in general, but for the important special case ofacyclicarchitectures we present a polynomial-time (cubic-time) algorithm based on reduction to 2-SAT (details in Sec-tion 4). Our algorithm has the following implicaSec-tions.

1. For acyclic architectures, our algorithm is guaranteed to explore exactly onerepresentative trace from each observation equiva-lence class, while spending polynomial time per class. Hence, our algorithm isoptimalwrt the observation equivalence, and in several cases explores exponentially fewer traces thanany enumerative method based on the Mazurkiewicz equivalence (details in Section 5).

2. For cyclic architectures, we consider an equivalence between traces which is finer than the observation equivalence; but coarser than the Mazurkiewicz equivalence, and in many cases is exponentially coarser. For this equivalence on traces, we again present an algorithm for DPOR that exploreexactly one representative trace from each observation class, while spend-ing polynomial time per class. Thus again our data-centric DPOR algorithm remains optimal under this trace equivalence for cyclic architectures (details in Section 6).

Experimental results. Finally, we perform a basic experimental comparison between the existing Mazurkiewicz-based DPOR and our data-centric DPOR on a set of academic benchmarks. Our results show a significant reduction in both running time and the number of explored traces (details in Section 7).

2.

Preliminaries

In this section we introduce a simple model for concurrent pro-grams that will be used for stating rigorously the key ideas of our data-centric DPOR. Similar (but syntactically richer) models have been used in [1, 12]. In Section 2.3 we discuss our various model-ing choices and possible extensions.

Informal model.We consider aconcurrent systemofkprocesses under sequential consistency semantics. For the ease of presenta-tion, we do not allow dynamic thread creapresenta-tion, i.e.,kis fixed during any execution of the system. Each process is defined over a set of local variablesspecific to the process, and a set ofglobal variables, which is common for all processes. Each process is represented as an acycliccontrol-flow graph, which results from unrolling the body of the process. A process consists of statements over the lo-cal and global variables, which we lo-callevents. The precise kind of such events is immaterial to our model, as we are only interested in the variables involved. In particular, in any such event we identify the local and global variables it involves, and distinguish between the variables that the eventreadsfrom and at most one variable that the eventwritesto. Such an event isvisibleif it involves global variables, andinvisibleotherwise. We consider that processes are deterministic, meaning that at any given time there is at most one event that each process can execute. Given the current state of the system, a scheduler chooses one process to execute a sequence of events that is invisibly maximal, that is, the sequence does not end while an invisible event from that process can be taken. The pro-cesses communicate by writing to and reading from the global vari-ables. The system can exhibit nondeterministic behavior which is solely attributed to the scheduler, by choosing nondeterministically the next process to take an invisibly maximal sequence of events from any given state. We considerlocksas the only synchroniza-tion primitive, with the available operasynchroniza-tions being acquiring a lock and releasing a lock. Since richer synchronization primitives are typically built using locks, this consideration is not restrictive, and helps with keeping the exposition of the key ideas simple.

2.1 Concurrent Computation Model

Here we present our model formally. Relevant notation is summa-rized in Table 1.

Relations and equivalence classes.A binary relation„on a set X is an equivalence relation iff „ is reflexive, symmetric and

transitive. Given an equivalence„Rand somexPX, we denote byrxsRthe equivalence class ofxunder„R, i.e.,

rxsR“ tyPX: x„Ryu

Thequotient setX{ „R:“ trxsR|xPXuofXunder„Ris the set of all equivalence classes ofXunder„R.

Notation on functions.We writef : X ÑÞ Y to denote thatf is a partial function from X toY. Given a (partial) functionf, we denote bydompfq andimgpfq the domain and image set of f, respectively. For technical convenience, we think of a (partial) functionf as a set of pairstpxi, yiqui, meaning thatfpxiq “yi for alli, and use the shorthand notationpx, yq Pfto indicate that xPdompfqandfpxq “y. Given (partial) functionsfandg, we writefĎgifdompfq Ďdompgqand for allxPdompfqwe have fpxq “ gpxq, andf “giff Ďgandg Ďf. Finally, we write fĂgiffĎgandf‰g.

Model syntax.We consider aconcurrent architecturePthat con-sists of a fixed number of processes p1, . . . , pk, i.e., there is no dynamic thread creation. Each processpiis defined over a set of ni local variablesVi, and a set ofglobal variables G, which is common for all processes. We distinguish a set oflock variables L_ĎGwhich are used for process synchronization. All variables are assumed to range over a finite domainD. Every processpiis represented as an acyclic control-flow graphCFGi which results from unrolling all loops in the body ofpi. Every edge ofCFGi is labeled, and called anevent. In particular, the architecturePis associated with a set ofeventsE, a set ofread events(orreads) R _Ď E, a set ofwrite events(orwrites)W _Ď E, a set of lock-acquireeventsLA

ĎE and a set oflock-releaseeventsLR ĎE. The control-flow graphCFGiof process piconsists of events of the following types (whereVi“ tv1, . . . , vniu,gPG,lPLand b:Vni

i Ñ tTrue,Falseuis a boolean function onniarguments). 1.e:vÐreadg, in which caseePR,

2.e:gÐwritefpv1, . . . , vniq, in which caseePW, 3.e:acquirel,

4.e:releasel, 5.e1:bpv1, . . . , vniq.

EachCFGiis a directed acyclic graph with a distinguished root noderi, such that there is a pathriùxto every other nodexof

CFGi. Each nodexofCFGihas either 1. zero outgoing edges, or

2. one outgoing edgepx, yqlabeled with an event of a type listed in Item 1-Item 4, or

3.mě2outgoing edgespx, y1q, . . . ,px, ymqlabeled with events ej :bjpv1, . . . , vniqof Item 5, and such that for all values of v1, . . . , vni, we havebjpv1, . . . , vnq ùñ blpv1, . . . , vniq for allj‰l.In this case, we callxabranchingnode.

For simplicity, we require that ifxis a branching node, then for each edgepx, yqinCFGi, the nodeyis not branching. Indeed, such edges can be easily contracted in a preprocessing phase. Figure 2 provides a summary of the model syntax. We letEiĎEbe the set of events that appear inCFGiof processpi, and similarlyRiĎR andWiĎWthe sets of read and write events ofpi. Additionally, we require thatEiXEj“ Hfor alli‰ji.e., allEiare pairwise disjoint, and denote byprocpeqthe process of evente. Thelocation of an eventlocpeqis the unique global variable it involves. Given two eventse, e1 P Eifor somepi, we writePSpe, e1qif there is a pathe ùe1_inCFG

i(i.e., we writePSpe, e1qto denote thateis ordered beforee1in theprogram structure).

We distinguish a set ofinitialization eventsWI

ĎWwith|WI

| “ |G|which are attributed to processp1, and are used to initialize all the global variables to some fixed values. For every initialization write eventwI and for any evente P Eiof processpi, we define

Vi“ tv1, . . . , vniu gPG lPL x e:vÐreadg y

_e

P

R

_e

P

W

e

_P

L

e

_P

L

Figure 2: The control-flow graphCFGiis a sequential composition of these five atomic graphs.

thatPSpwI

, eq(i.e., the initialization events occur before any event of each process). Figure 3 illustrates the above definitions on the typical bank account example.

Model semantics.A local stateof a process pi is a pairsi “ pxi,valiqwherexiis a node ofCFGi(i.e., the program counter) andvaliis a valuation on the local variablesVi. Aglobal stateof Pis a tuples“ pval, s1, . . . , skq, wherevalis a valuation on the global variablesGandsiis a local state of processpi. An evente along an edgepx, yqof a processpiisenabledinsifsi“ px,valiq (i.e., the program counter is on nodex) and additionally,

1. ife:acquirel, thenvalplq “False, and

2. if e : bjpv1, . . . , vniq, then bjpvalipv1q, . . . ,valipvniqq “ True.

In words, ifeacquires a lockl, theneis enabled ifflis free ins, and ifxis a branching node, theneis enabled iff it respects the condition of the branch ins. Note thatreleaselis always enabled, even if the lock is free. Given a states, we denote byenabledpsq Ď Ethe set of enabled events ins, and observe that there is at most one enabled event in each statesfrom each process. The execution of an enabled event e along an edge px, yq of pi in state s “ pval, s1, . . . , skqresults in a states1 “ pval1, s1, . . . , s1i, . . . , skq, where s1i “ py,val1iq. That is, the program counter of pi has progressed toy, and the valuation functionsval1_andval1

ihave been modified according to standard semantics, as follows:

1.e:vÐreadgthenval1ipvq “valpgq,

2.e : g Ð write fpv1, . . . , vn_iq then val1pgq “ fpvalipv1q, . . . ,valipvniqq,

3.e:acquirelthenval1plq “True, 4.e:releaselthenval1plq “False. Moreover,valagrees withval1_andval

iagrees withval1ion all other variables. We writesÝÑe s1to denote that the execution of evente insresults in states1. LetSPbe the finite set (since variables range

over a finite domain) of states ofP. The semantics ofPare defined in terms of a transition systemAP“ pSP,∆, s

0

q, wheres0 is the initial state, and∆ĎSPˆSPis the transition relation such that

ps, s1q PAPiffDePenabledpsq: sÝÑe s1

and eithereis an initialization event, or the program counter ofp1 has passed all initialization edges ofp1. We writes e1,...en

ÝÝÝÝÝÑs1if there exists a sequence of statestsi

u1_ďiănsuch that sÝÑe1 s1ÝÑe2 . . . sn´1 en

Method:bool withdrawpintamountq Globals:int _balance, lock _l

Locals :bool _success, int _v

// 1. Try withdraw 1 successÐFalse 2 acquireplq 3 vÐbalance 4 ifv´amountě0then 5 balanceÐv´amount 6 successÐTrue 7 releaseplq 8 printpsuccessq // 2. Print balance 9 vÐbalance 10 printpvq x1 x2 x3 x4 x5 x6 x7 e1:acquirel e2:vÐread balance e3:bpv,amountq

e4:balanceÐwritefpv,amount,successq e5:releasel e7: bpv,amountq e6:vÐread balance Ei“ te1, . . . , e7u Ri “ te2, e6u Wi “ te4u LA i “ te1u LRi “ te5u

Figure 3:(Left): A methodwithdrawexecuted whenever someamountis to be extracted from thebalanceof a bank account.

(Right): Representation ofwithdraw in our concurrent model. The root node isx1. The program structure ordersPSpe2, e4q. We have

locpe1q “locpe5qandlocpe2q “locpe4q “locpe7q.

The initial states0

“ pval, s0 1, . . . , s0

kqis such that the valuevalpgq of each global variablegcomes from the unique initialization write eventwwithlocpwq “ g, and for eachs0

i “ pxi,valiqwe have that xi “ ri (i.e., the program counter of process pi points to the root node ofCFGi). For simplicity we restrictSP to statess

that are reachable from the initial states0

by a sequence of events s0 e1,...,en

ÝÝÝÝÝÑs. We focus our attention on state spacesSPthat are

acyclic.

Architecture topologies. The architecture P induces a labeled communication graphGP “ pVP, EP, λPqwhereVP “ tpiui.

There is an edgeppi, pjq if processes pi, pj accesses a common global variable or a common lock. The labelλppi, pjqis the set of all such global variables and locks. We callP acyclicifGP

does not contain cycles. The class of acyclic architectures includes, among others, all architectures with two processes, star architec-tures, pipelines, tree-like and hierarchical architectures.

Notation Interpretation

P_{“ p}piqk

i“1 the concurrent architecture ofkprocesses G,V,L the global, local and lock variables E,W,R,LA_,

LR_,WI

the set of events, read, write, lock-acquire lock-release and initialization events

vali,val valuations of local, global variables

enabledpsq ĎE the set of enabled events ins s e1,...,en

ÝÝÝÝÝÑs1 _{sequence of events fromstos}1

procpeq,locpeq the process, the global variable of evente CFGi,PSĎE_ˆE the control-flow graph of processpi,

and the program structure relation GP “ pVP, EP, λPq the communication graph ofP

Table 1: Notation on the concurrent architecture.

2.2 Traces

In this section we develop various helpful definitions on traces. Relevant notation is summarized in Table 2.

Notation on traces.A (concrete, concurrent)traceis a sequence of eventst “ e1, . . . , ej such that for all1 ď i ă j, we have si´1 ei

ÝÑsi, wheresiPSPands

0

is the initial state ofP. In such a case, we write succinctlys0 t

Ý

Ñ si. We fix the first|G|events

e1, . . . , e|G|of each tracetto be initialization events that write the

initial values to the global variables. That is, for all1ďiď |G|we haveei P W, and hence every tracetstarts with aninitialization tracetI as a prefix. Given a tracet, we denote byE_ptqthe set of events that appear int, withRptq “ Eptq XRthe read events int, and withW_ptq “ E_ptq XWthe write events int, and let |t| “ |E_ptq|be thelengthoft. For an evente P E_ptq, we write

intpeq PN`_{to denote the index ofeint. Given someℓP}N_{, we} denote bytrℓsthe prefix oftup to positionℓ, and we say thattis an extensionoftrℓs. We letenabledptqdenote the set of enabled events in the state at the end oft, and calltmaximalifenabledptq “ H. We writeTPfor the set of all maximal traces ofP. We denote by

sptqthe unique state ofPsuch thats0 t Ý

Ñsptq, and given an event ePRptq YWptq, denote byvaltpeq PDthevaluethat the unique global variable ofehas insptrintpeqsq. We call a maximal tracet lock-freeif the value of every lock variable insptqisFalse(i.e., all locks have been released at the end oft). An eventeisinevitable in a tracetif every every lock-free maximal extension oftcontains e. Given a set of eventsA, we denote byt|Atheprojectionoft onA, which is the unique subsequence oftthat contains all events ofAXE_ptq, and only those. A sequence of eventst1is called the global projectionof another sequencetift1“t|pR_YW_q.

Sequential traces.Given a process pi, a sequential trace τi is a sequence of events that correspond to a path inCFGi, starting from the root noderi. Note that a sequential trace is only wrt

CFGi, and is not necessarily a trace of the system. The notation on traces is extended naturally to sequential traces (e.g.,E_pτiqand Rpτiqdenote the events and read events of the sequential traceτi, respectively). Givenksequential tracesτ1, τ2, . . . , τk, so that each τiis wrtpi, we denote by

τ1˚τ2˚. . .˚τk

the (possibly empty) set of all traces t such that E_ptq “

Ť

1_ďiďkEpτiq.

Conflicting events, dependent events and happens-before rela-tions.Two eventse1, e2 P RYW are said toconflict, written

Conflpe1, e2q if locpe1q “ locpe2q and at least one is a write event. The events are said to be inread-write conflictife1 P R, e2 P WandConflpe1, e2q. Two eventse1, e2are said to be inde-pendent[12, 15] if

1. for eachiP t1,2uand pair of statess1, s2such thats1 ei ÝÑs2, we have thate3´iPenabledps1qiffe3´iPenabledps2q, and

2. for any pair of statess1, s2such thate1, e2Penabledps1q, we have thats1ÝÝÝÑe1,e2 s2iffs1ÝÝÝÑe2,e1 s2,

anddependentotherwise. Following the standard approach in the literature, we will consider two conflicting events to be always dependent [16, Chapter 3] (e.g., two conflicting write events are dependent, even if they write the same value). A sequence of events tinduces ahappens-beforerelationÑt ĎE_ptq ˆE_ptq, which is the smallest transitive relation onEptqsuch that

e1Ñte2 if intpe1q ďintpe2qande1ande2are dependent. Observe thatÑtorders all pairwise conflicting events, as well as all the events of any process.

Notation Interpretation

t,τi a trace and a sequential trace

Conflpe1, e2q conflicting events

trℓs,|t| the prefix up to indexℓ, and length oft Eptq,Wptq,Rptq the events, write and read events of tracet

intpeq,valtpeq the index and value of eventein tracet t|X projection of traceton event setX enabledptq the enabled events in the state reached byt

Ñt the happens-before relation ont Ot the observation function oft

Table 2: Notation on traces.

2.3 Discussion and Remarks

The concurrent model we consider here is minimalistic, to allow for a clear exposition of the ideas used in our data-centric DPOR. Here we discuss some of the simplifications we have adopted to keep the presentation simple.

Global variables.First, note that the locationlocpeqof every event ePR_YWis taken to be fixed in eachCFGi. The dynamic access of a static, global data structuregbased on the value of a local variablev(e.g., accessing the element grvsof a global arrayg) can be modeled by using a different global variablegi to encode the i-th location of g, and a sequence of branching nodes that determine whichgi should be accessed based on the value ofv. Our framework can be strengthened to allow use of global arrays directly, and our algorithms apply straightforwardly to this richer framework. However, this would complicate the presentation, and is thus omitted in the theoretical exposition of the paper. A brief discussion on how arrays are handled directly is provided in the experimental results (Section 7), where we deal with arrays in the benchmark programs.

Invisible computations. Each process pi is deterministic, and the only source of nondeterminism in the executions of the sys-tem comes from a nondeterministic scheduler that chooses an en-abled event to be executed from a given state. The model uses the functionsf and bon eventse : g Ð write fpv1, . . . , vjqand e : bpv1, . . . , bnqrespectively to collapse deterministic invisible computations of each process, and only consider the value thatf writes on a global variable (in addition to the side-effects thatfhas on local the variables of processpi). This is a standard approach in modeling concurrent systems, as interleaving invisible events does not change the set of reachable local states of the processes.

Locks and synchronization mechanisms.We treat lock-acquire and lock-release events as neither read, nor write events, since

in every critical region protected by a pair of lock-acquire/lock-release events, the lock-lock-acquire/lock-release will always “observe” the preceding lock acquire. Hence lock events are independent in our model, and their reordering will occur naturally when needed (in contrast to the standard approach of [12]). Our approach can be extended to richer communication (e.g., message passing) and synchronization prim-itives (e.g. semaphores, wait-notify), which are often implemented using some low-level locking mechanism.

Maximal lock-free traces. We also assume that in every maxi-mal trace of the system, every lock-acquire is followed by a cor-responding lock-release. Traces without this property are typically considered erroneous, and some modern programming languages even force this restriction syntactically (e.g. in C#).

3.

Observation Trace Equivalence

In this section, we introduce the observation equivalence„O on traces, upon which in the later sections we develop our data-centric DPOR. We explore the relationship between the control-centric Mazurkiewicz equivalence„M and the observation equivalence. In particular, we show that„O refines „M, that is, every two traces that are equivalent under observations are also equivalent under reordering of independent events. We conclude by showing that„Ocan be exponentially more succinct, both in the number of processes, and the size of each process.

3.1 Mazurkiewicz and Observation Equivalence

In this section we introduce our notion of observation equivalence. We start with the classical definition of Mazurkiewicz equivalence and then the notion of observation functions.

Mazurkiewicz trace equivalence.Two traces t1, t2 P TP are

calledMazurkiewicz equivalent if one can be obtained from the other by swapping adjacent, independent events. Formally, we write„M for the Mazurkiewicz equivalence onTP, and we have

t1„M t2iff

1.E_pt1q “E_pt2q, and

2. for every pair of eventse1, e2 PEpt1qwe have thate1Ñt1e2 iffe1Ñt2e2.

Observation functions.The concurrent model introduced in Sec-tion 2.1 followssequential consistency[24], i.e., all processes ob-serve the same order of events, and a read event of some variable will observe the value written by the last write event to that variable in this order. Throughout the paper, anobservation functionis go-ing to be a partial functionO:R_ÑÞ W. A tracetinduces a total observation functionOt:Rptq ÑWptqfollowing the sequential consistency axioms. That is,Otprq “wiff

1.intpwq ăintprq, and

2. for allw1 P W_ptq such that ConflRWpr, wq we have that

intpw1q ăintpwqorintpw1q ąintprq.

We say that t is compatible with an observation function O if

OĎOt, and thattrealizesOifO“Ot.

Observation equivalence.We define theobservation equivalence „O on the trace space TP as follows. Fort1, t2 P TP we have

t1 „O t2 iff Ept1q “ Ept2q and Ot1 “ Ot2, i.e., the two observation functions coincide.

We start with the following crucial lemma. In words, it states that if two traces agree on their observation functions, then they also agree on the values seen by their common read events.

Lemma 1. Consider two tracest1, t2such thatOt1 ĎOt2. Then (i) for all r P Ept1q we have that valt1prq “ valt2prq, and (ii)E_pt1q ĎE_pt2q.

Proof. Since the processes are deterministic, it suffices to argue about (i). The proof is by induction on the prefixes oft1. We show inductively that for every0 ď ℓ ď |t1|, for allr P E_pt1rℓsqwe have thatvalt1prq “valt2prq. The claim is true forℓ“0, since in that caset1rℓs “εand no read event appears int1rℓs. Now assume that the claim holds for all prefixest1risfor0ďiďℓ, and let

r“arg min

r1_PEpt1qzEpt1rℓsqint1pr 1

q

be the next read int1 andw “ Ot1prq. Letp “ procpwq, and since p is deterministic, using the induction hypothesis we see thatvalt1pwq “ valt2pwq, and sinceOt2prq “ w, we have that

valt2prq “valt2pwq “valt1pwq “valt1prq, as desired.

Soundness.Lemma 1 implies that in order to explore all local states of each process, it suffices to explore all observation functions realized by traces ofP.

The Mazurkiewicz trace equivalence iscontrol-centric, i.e., equiv-alent traces share the same order between the dependent control locations of the program. In contrast, the observation trace equiv-alence isdata-centric, as it is based on which write events are ob-served by the read events of each trace. Note that two conflicting events are dependent, and thus must be ordered in the same way by two Mazurkiewicz-equivalent traces. We establish the formal rela-tionship between the two equivalences in the following theorem.

Theorem 1. For any two tracest1, t2 P TP, ift1 „M t2 then

t1„Ot2.

Proof. Consider any read eventr P R_pt1q and assume towards contradiction thatOt1prq ‰Ot2prq. Letw1 “Ot1prqandw2 “

Ot2prq. Sincet1„M t2, we have thatw1PEpt2qandw2PEpt1q. Thenw1Ñt1randw2Ñt2r, and one of the following holds.

1.rÑt1w2, and sincew2Ñt2rthent1‰„M t2, a contradiction. 2.w2Ñt1w1, and since t1 „M t2 we have that w2Ñt2w1, and thus rÑt2w1. Sincew1Ñt1r, we havet1 ‰„M t2, a contradiction.

The desired result follows.

Example 1. Figure 4 illustrates the difference between the Mazurkiewicz and observation trace equivalence on the example of Figure 3. Every execution of the system starts with an initial-ization tracetI that initializes the lockltoFalse, and the initial valuedesposit “4. Consider thatp1 is executed with parameter

amount “ 1and p2 is executed with parameter amount “ 2, (hence both withdrawals succeed). The primed eventse11, e12 repre-sent the system initialization.

•_{(Left): The sequential trace ofp1, p2.}

•_{(Center): Trace exploration using the Mazurkiewicz}

equiva-lence „M. Solid lines represent the happens-before relation enforced by the program structure. Dashed lines represent po-tential happens-before relations between dependent events. A control-centric DPOR based on „M will resolve scheduling choices by exploring all possible realizable sets of the happens-before edges.

•_{(Right): Trace exploration using the observation equivalence}

„O. Solid lines represent the happens-before relation enforced by the program structure. This time, dashed lines represent potential observation functions. Our data-centric DPOR based on„Owill resolve scheduling choices by exploring all possible realizable sets of the observation edges.

Both methods are guaranteed to visit all local states of each pro-cess. However, the data-centric DPOR achieves this by exploring potentially fewer scheduling choices.

3.2 Exponential succinctness

As we have already seen in the example of Figure 1, Theorem 1 does not hold in the other direction, i.e.,„Ocan be strictly coarser than„M. Here we provide two simple examples in which„Ois ex-ponentially more succinct than„M. In the first example we exam-ine a system of only two, identical processes, withnevents each. In the second example we examine a system ofkprocesses, with only two events each. Traditional enumerative model checking methods of concurrent systems are based on exploringat least(usually more than) one trace from every partition of the Mazurkiewicz equiv-alence using POR techniques that prune away equivalent traces (e.g. sleep sets [15], persistent sets [12], source sets and wakeup trees [1]). Such a search isoptimalif it explores at most one trace from each class. Any optimal enumerative exploration based on the observation equivalence is guaranteed by Theorem 1 to exam-ine no more traces than any enumerative exploration based on the Mazurkiewicz equivalence. The two examples show„Ocan offer exponential improvements wrt two parameters: (i) the number of processes, and (ii) the size of each process.

Example 2(Two processes of large size). Consider the systemP ofk“2processes of Figure 5, and foriP t1, . . . , nu, jP t1,2u, denote byw_ij(resp.rj) thei-th write event (resp. the read event) ofpj. In any maximal trace, there are two ways to order the read eventsr1

, r2

, i.e.,rj_{occurs beforer}3´j_{for the two choices ofjP} t1,2u. In any such ordering,r3´j

can only observe eitherwn3´´j1or w_nj_´1, whereas there are at mostn`1possible write events forr

j

to observe (eitherwj

nor one of thew 3_´j

i ). HenceTP{ „Ohas size Opnq. In contrast,TP{ „M has sizeΩp

`2¨n n

˘

q “Ωp2n

q, as there arep2¨nq!ways to order the2¨nwrite events of the two processes, butn!¨n!orderings are invalid as they violate the program structure. Hence, even for only two processes, the observation equivalence reduces the number of partitions from exponential to linear.

Example 3(Many processes of small size). We now turn our attention to a system ofPofkidentical processesp1, . . . , pkwith two events each, in Figure 6. There is only one global variablex, and each process performs a read and then a write tox. There are Opkk

qrealizable observation functions, by choosing for each one amongk read events, one among k write events it can observe. HenceTP{ „Ohas sizeOpkkq. In contrast, the size ofTP{ „M

isΩppk!q2

q. This holds as there arek!ways to order thek write events, and for each such permutation therek!ways to assign each of thekread events to the write event that it observes. To see this second part, letw1, . . . , wkbe any permutation of the write events, and letri be the read event in the same process aswi. Thenri can be placed right after anywjwithiďj, sincewimust happen beforeri, as forced by the program structure. Observe thatTP{ „O is exponentially more succinct thanTP{ „M, as

Ωppk!q2 q Opkk_q “Ω ¨ ˝ śk i“1i¨r k is kk ¨ k´1 ź i“rk 2s`1 i ˛ ‚“Ωp2 k q. 3.3 Solution Overview

Traditional DPOR algorithms exploit the Mazurkiewicz equiva-lence, and use various techniques such as persistent sets and sleep sets to explore each Mazurkiewicz class by few representative traces. Our goal is to develop an analogous DPOR that utilizes the observation equivalence, which by Theorem 1 is more succinct. In high level, our approach consists of the following steps.

x1 x2 x3 x4 x6 x5 x7 e1:acquirel e2:vÐread balance e3:bpv,amountq

e4:balanceÐwritefpv,amount,successq e5:releasel e6:vÐread balance

p

p

Mazurkiewizc-based

p

p

Observation-based

Figure 4: Trace exploration on the system of Figure 3 with two processes, where initiallybalanceÐ4and both withdrawals succeed.

Processp1: 1.writex 2.writex . . . n`1.readx Processp2: 1.writex 2.writex . . . n`1.readx

Figure 5: An architecture of two processes withn`1events each. Processp1: 1.writex 2.readx . . . Processpk: 1.writex 2.readx Figure 6: An architecture ofkprocesses with two events each. 1. In Section 4 we introduce the concept of annotations. An

an-notation is a function from read to write events, and serves as an intended observation function. Given an annotation, the goal is to obtain a trace whose observation function coincides with the annotation. We restrict our attention to a certain class of well-formedannotations, and show that although the problem is NP-complete in general, it admits a polynomial time (in fact, cubic in the size of the trace) solution in acyclic architectures. 2. In Section 5 we present our data-centric DPOR. Section 5.1

in-troduces the notion of causal past cones in a trace. The concept is similar to Lamport’shappens-beforerelation [23], and is used to identify past events that may causally affect a current event in a trace. We note that this concept is different from the happens-before relation used in the Mazurkiewicz equivalence. We use the notions of annotations and causal cones to develop our algo-rithm, and prove its correctness and optimality (in Section 5.2). 3. In Section 6 we extend our algorithm to cyclic architectures. Several technical proofs are relegated to Appendix A. Table 1 and Table 2 summarize relevant notation in the proofs.

4.

Annotations

In this section we introduce the notion ofannotations, which are in-tended constraints on the observation functions that traces discov-ered by our data-centric DPOR (DC-DPOR) are required to meet.

Annotations.Anannotation pairA“ pA`,A´qis a pair of 1. apositive annotationA`:R_ÑÞ W, and

2. anegative annotationA´:RÑÞ 2W

such that for all read events r, if A`prq “ w, then we have

ConflRWpr, wqand it is not the case thatPSpr, wq. We will use annotations to guide the recursive calls of DC-DPOR towards traces that belong to different equivalence classes than the ones explored already, or will be explored by other branches of the algorithm. A positive annotationA`forcesDC-DPORto explore traces that are compatible withA` (or abort the search if no such trace can be generated). Since a positive annotation is an “intended” observation function, we say that a tracetrealizesA` ifOt “

A`, in which caseA` is calledrealizable. A negative annotation

A´ preventsDC-DPORfrom exploring tracestin which a read event observes a write event that belongs to its negative annotation set (i.e., Otprq P A´prq). In the remaining section we focus on positive annotations, and the problem of deciding whether a positive annotation is realizable.

The value functionval_A`. Given a positive annotationA`, we define the relationăA`ĎimgpA`qˆdompA`qsuch thatwă<sub>A</sub>` r iffpr, wq PA`. The positive annotationA`isacyclicif the relation

PSY ăA`is a strict partial order (i.e., it contains no cycles). The value functionvalA` :dompA`q YimgpA`q ÑDof an acyclic positive annotationA`is the unique function defined inductively, as follows.

1. For each w P imgpA`q of the form w : g Ð

writefpv1, . . . , vniq, we havevalA`pwq “ fpα1, . . . , αniq, where for eachαjwe have

(a)αj “valA`prqif there exists a read eventr P dompA`q such that (i) r is of the form r : vj Ð read g1 and (ii)PSpr, wqand (iii) there exists no otherr1 P dompA`q withPSpr, r1qand which satisfies conditions (i) and (ii). (b)αjequals the initial value ofviotherwise.

2. For eachrPdompA`qwe havevalA`prq “val_A`pA`prqq. Note thatval_A`is well-defined, as for any read eventrthat is used to define the value of a write eventwwe havePSpr, wq, and thus by the acyclicity ofA`,valA`prqdoes not depend onval<sub>A</sub>`pwq.

Remark 1. IfA`is realizable then it is acyclic, and for any trace tthat realizesA`we have thatvalt“valA`.

Well-formed annotations and basis of annotations.A positive annotationA`_{is calledwell-formedif it is acyclic, and there exist}

sequential tracespτiqi, one for each processpi, such that eachτi ends in a global event, the following conditions hold.

1. (a) for every lock-acquire eventeaPEpτiqthere exists a lock-release eventer P Eptqsuch thatlocpeaq “ locperqand

inτipeaq ăinτperq, and

(b) for every pair of lock-acquire eventse1 a, e

2

a PEpτiq XLA such thatinτipe1

aq ăinτ_ipe2aqandlocpe1aq “locpe2aqthere exists a lock release event er P Epτiq XLR such that

inτipe 1

aq ăinτiperq ăinτipe2

aqandlocperq “locpe1 aq “ locpe2 aq. 2.Ť iRpτiq “ dompA `<sub>qand</sub>Ť iWpτiq Ď imgpA `_{q, i.e.,pτiqi}

contains precisely the read events ofA` and a superset of the write events.

3. Eachτicorresponds to a deterministic computation of process pi, where the value of every global eventeduring the computa-tion is taken to bevalA`peq.

The sequential tracespτiqi are called a basisof A` if every τi is minimal. The following lemma establishes properties of well-formedness and basis.

Lemma 2. LetX“dompA`qXimgpA`qbe the set of events that appear in a positive annotationA`, andXi“XXEithe subset of events ofXfrom processpi. The following assertions hold:

1. IfA`is well-formed, then it has a unique basispτiqi.

2. Computing the basis ofA`(or concluding thatA`is not well-formed) can be done inOpnqtime, wheren “ř

ip|τi|qifA

`

is well-formed, otherwisen“ř

iℓi, whereℓiis the length of the longest path from the rootriofCFGito an eventePXi. 3. For every tracet that realizesA` we have thatA` is

well-formed andtPτ1˚. . .˚τk.

4.1 The Hardness of Realizing Positive Annotations

A core step in our data-centric DPOR algorithm is constructing a trace that realizes a positive annotation. That is, given a positive annotationA`, the goal is to obtain a tracet(if one exists) such thatOt “ A`, i.e., tcontains precisely the read events ofA`, and every read event intobserves the write event specified byA`. Here, we show that the problem is NP-complete in the general case. Membership in NP is trivial, since, given a tracet, it is straightfor-ward to verify thatOt“A`inOp|t|qtime. Hence our focus will be on establishing NP-hardness. For doing so, we introduce a new graph problem, namely ACYCLIC EDGE ADDITION, which is closely related to the problem of realizing a positive annotation un-der sequential consistency semantics. We first show that ACYCLIC EDGE ADDITION is NP-hard, and afterwards that the problem is polynomial-time reducible to realizing a positive annotation.

The problem ACYCLIC EDGE ADDITION.The input to the problem is a pairpG, HqwhereG“ pV, Eqis a directed acyclic graph, andH “ tpxi, yi, ziquiis a set of triplets of distinct nodes such that

1.xi, yi, ziPV,pyi, ziq PEandpxi, yiq,pzi, xiq RE, and 2. each nodexiandyiappears only once inH.

Anedge addition setX “ teiu|iH“1| forpG, Hqis a set of edges ei P E such that for eachei we have either ei “ pxi, yiqor ei “ pzi, xiq. The problem ACYCLIC EDGE ADDITION asks whether there exists an edge addition setX forpG, Hqsuch that the graphGX“ pV, EYXqremains acyclic.

Lemma 3. ACYCLIC EDGE ADDITION is NP-hard.

wC 1 rC 1 wC 2 rC 2 wC 3 rC 3 wD 1 rD 1 wD 4 rD 4 wD 5 rD 5 w1 1 w21 w13 w41 w15 φ“ px1_x2_x3q l jh n C ^ px1_x4_x5q l jh n D

Figure 7: The reduction of 3SAT over φ to ACYCLIC EDGE ADDITION overpG, Hq. The nodes and solid edges represent the graphG, whereas the dashed edges represent the triplets inH.

Sketch.The proof is by reduction from MONOTONE ONE-IN-THREE SAT [14, LO4]. In MONOTONE ONE-IN-ONE-IN-THREE SAT, the input is a propositional 3CNF formulaφin which every literal is positive, and the goal is to decide whether there exists a satisfying assignment forφthat assigns exactly one literal per clause toTrue. The reduction proceeds as follows. In the following, we letC andD range over the clauses andxiover the variables ofφ. We assume w.l.o.g. that no variable repeats in the same clause. For every variablexi, we introduce a nodewi1 PV. For every clause C“ pxC1_xC2_xC3q, we introduce a pair of nodeswCC_j, rCC_j P V and an edgepwC Cj, r C Cjq PE, wherejP t1,2,3u. Additionally, we introduce an edgepwCCj, w 1

Clq PEfor every pairj, lP t1,2,3u such thatj ‰ l, and an edgepwC1j, r

C

C_lqfor eachj P t1,2,3u, wherel“ pj`1q mod 3`1. Finally, for every pair of clauses C, Dandl1, l2 P t1,2,3usuch thatCl1 “Dl2 “ℓ(i.e.,Cand Dshare the same variablexℓin positionsl1andl2), we add edges pwC

ℓ, rDℓq,pwℓD, rCℓq PE. The setHconsists of triplets of nodes pw1Cj, w

C Cj, r

C

Cjqfor every clause C andj P t1,2,3u. Figure 7 illustrates the construction. The detailed proof is in Appendix A.

From ACYCLIC EDGE ADDITION to annotations.Finally, we argue that ACYCLIC EDGE ADDITION is polynomial-time reducible to realizing a positive annotation. Given an instance pG, Hqof ACYCLIC EDGE ADDITION, withG“ pV, Eq, we construct an architecturePofk “2¨ |H|processesppiqi, and a positive annotationA`. We assume, wlog, that the set of nodesV is precisely the set of nodes that appear in the triplets ofH. Indeed, any other nodes can be removed while maintaining the connectivity between the nodes in the triplets ofH, and any edge addition setX solves the problem in the original graph iff it does so in the reduced graph. The construction proceeds in two steps.

1. For every tripletpxi, yi, ziq PH, we create two eventswiPW, ri PRinpisuch thatPSpwi, riq, and an eventw1iin process p|H|`i. For all three events we set locpriq “ locpwiq “

locpw1iq “ gi, wheregi P G is some fresh global variable of P. Finally, we introducepri, wiq P A`. Given a node u, let epuqdenote the event associated withu.

2. For every edgepu, vqwe introduce a new global variablegPG, and two eventswu,v P W,ru,v P Rsuch thatlocpwu,vq “

locpru,vq “ g. We make wu,van event of the same process as epuq, andru,v an event of the same process asepvq, and additionally PSpepuq, wu,vq and PSpru,v, epvqq. Finally, we introducepru,v, wu,vq PA`.

Observe that the above construction is linear in the size ofpG, Hq. We refer to Appendix A for the formal proof of the reduction.

4.2 Realizing Positive Annotations in Acyclic Architectures

We now turn our attention to a tractable fragment of the positive annotation problem. Here we show that ifPis an acyclic architec-ture, then the problem admits a polynomial-time solution (in fact, cubic in the size of the constructed trace).

Procedure Realize. LetP be an acyclic architecture, andA` a positive annotation overP. We describe a procedureRealizepA`q which returns a tracetthat realizesA`, orKifA`is not realizable. The procedure works in two phases. In the first phase,RealizepA`q uses Lemma 2 to extract a basispτiqiofA`_{. In the second phase,}

RealizepA`q determines whether the events of Ť

iEpτiq can be linearized in a trace tsuch thatOt “ A`. Informally, the sec-ond phase consists of constructing a 2SAT instance over variables xe1,e2, where e1, e2 P Ť

iEpτiq. Setting xe1,e2 to True corre-sponds to makinge1happen beforee2in the witness tracet. The clauses of the 2SAT instance capture four properties that each such ordering needs to meet, namely that

1. the resulting assignment produces a total order (totality, anti-symmetry and transitivity) between all of the events that appear in adjacent processes in the communication graphGP,

2. the produced total order respects the positive annotation, i.e., every write eventw1that conflicts with an annotated read/write pairpr, wq PA`must either happen beforewor afterr, 3. the produced total order respects the lock semantics, i.e.,

be-tween every two lock-acquire events on the same lock there must be a lock-release event, and

4. the produced total order respects the partial order induced by the program structurePSand the positive annotationA`. The formal description of the second phase is given in Algorithm 1.

Lemma 4. Given a well-formed positive annotation A` over a basispτiqi,Realizeconstructs a tracetthat realizesA`(or con-cludes thatA`is not realizable) and requiresOpn3

qtime, where n“ř

i|τi|.

Proof. We present the correctness proof and complexity analysis. Corrctness.We first argue about correctness.

1. IfRealizereturns a sequence of eventst(Line 30) then clearly tis a trace sincetrespects the program structurePS(Line 24) and the lock semantics (Line 21). Additionally,trealizesA`, as the sequential consistency axioms are satisfied because of Line 18 and Line 24.

2. If A` is realizable by a trace t, then t is a linearization of E˚_{, thus for every pair of distinct conflicting eventspe1, e2q P}

E˚ we haveintpe1q ă intpe2q(Line 24). By the sequential consistency axioms, for every pairpr, wq P A` andw1 ‰w withConflpr, w1_{qwe have eitherintpw}1_{q ăintpwqorintprq ă}

intpw1q(Line 18). Additionally, for every lock-acquire eventea appearing int, no other lock-acquire evente1athat conflicts with eaappears intbefore a lock-release eventersuch thatppeaq “ pperq appears int(Line 21). Finally, since tinduces a total order onV, it is clearly transitive (Line 10) and antisymmetric (Line 7). Hence the set of 2SAT clauses C is satisfiable. It suffices to argue thatG1 “ pV1, E1q (Line 29) is acyclic, as

Algorithm 1:RealizepA`q

Input: A positive annotationA`_{with basispτ}

iqi

Output: A tracetthat realizesA`orKifA`is not realizable

1 Construct a directed graphG“ pV, Eqwhere

2 -V “Ť_iEpτiq, and

3 -E“ tpe1, e2q: pe2, e1q PA` orPSpe1, e2qu

4 G˚“ pV, E˚q Ðthe transitive closure ofG

// A set C of 2SAT clauses over variables VC 5 CÐ H

6 VCÐ txe1,e2 :e1, e2PV ande1‰e2and eitherprocpe1q “

procpe2qorpprocpe1q,procpe2qq PEPu

// 1. Antisymmetry clauses

7 foreachxe1,e2PVCdo

8 CÐCY tpxe1,e2 ñ xe2,e1q,p xe2,e1ñxe1,e2qu

9 end // 2. Transitivity clauses 10 foreachxe1,e2PVCdo 11 foreachpe2, e3q PE˚do 12 CÐCY tpxe1,e2ñxe1,e3qu 13 end 14 foreachpe3, e1q PE˚do 15 CÐCY tpxe1,e2ñxe3,e2qu 16 end 17 end // 3. Annotation clauses

18 foreachpr, wq PA`andw1PV XWs.t.ConflRWpr, w1qdo

19 C_ÐC_{Y tp}xw1,rñxw1,wq,pxw,w1ñxr,w1qu

20 end

// 4. Lock clauses

21 foreachea, e1aPV XLAanderPV XLRs.t.

locpeaq “locpe1aqandlocpeaq “locperqandPSpea, erqand

Ee2

aPV XLAs.t.locpe2aq “locperqandPSpe2a, erqdo

22 CÐCY tpxe1 a,er ñxe1a,eaq,pxea,e1añxer,e1aqu 23 end // 5. Fact clauses 24 foreachpe1, e2q PE˚do 25 CÐCY tpxe1,e2qu 26 end

27 Compute a satisfying assignmentf:VCÑ tFalse,Trueu|VC|of the

2SAT overC, orreturnKifCis unsatisfiable

28 E1ÐEY tpe1, e2q: fpxe1,e2q “Trueu

29 LetG1_{“ pV, E}1_q

30 returna tracetby topologically sorting the vertices ofG1

then any topological order of G1 will satisfy the sequential consistency axioms (Line 18). Assume towards contradiction otherwise. If G˚ _{has a cycle, then A}` _{is not realizable, as}

t must linearize E˚. Hence G˚ must be acyclic, Thus, any cycle C in G1 traverses an edge pe1, e2q P E1zE˚, hence fpxe1,e2q “True. We distinguish the following cases. (a) If there exists a cycle C which traverses a single edge

pe1, e2q P E1zE˚, thenpe2, e1q P E˚, andfpxe2,e1q “

True (Line 24), and thus fpxe1,e2q “ False (Line 7), a contradiction.

(b) Otherwise, letCbe a simple cycle inG˚_{that traverses the}

fewest number of edges in E1zE˚, and C must traverse at least two edges pe1, e2q,pe3, e4q P E1zE˚. Observe that procpe1q ‰ procpe2q and procpe3q ‰ procpe4q as otherwise we would have pe2, e1q P E˚ or pe4, e3q P E˚, and there would exist a cycle that traverses a single edge from E1zE˚ (namely, e1 Ñ e2 Ñ e1 or e3 Ñ e4 Ñ e3). Since P is acyclic, by construction (Line 6) |tprocpe1q,procpe2q,procpe3q,procpe4qu| “2, i.e., there exist two processespi,pjsuch that

ThenCtraverses an edgepe1_{3, e}1

4qsuch that eithere13 “e1 orPSpe13, e1q, and eithere2“e14orPSpe2, e14q. In all cases, we havepe13, e1q,pe2, e14q P E˚. Sincepe13, e14q P E1 we havefpxe1

3,e14q “ True, and by transitivity (Line 10), we have thatfpxe2,e1q “True, a contradiction.

Complexity. The transitive closure requires Opn3

q time, since |V| “ n. The setVC (Line 6) hasOpn2qvariables and each of

the loops for constructing clauses iterates over triplets of nodes, hence the 2SAT instance is constructed inOpn3

qtime [5]. Com-puting a satisfying assignment forC (or concluding that none ex-ists) requires linear time in|C|, hence this step costsOpn3

q. Finally, constructingG1and computing a topological sorting of its vertices requiresOpn2

qtime in total. The desired result follows.

We conclude the results of this section with the following theorem.

Theorem 2. Consider any architectureP “ ppqiand letA` be any well-formed positive annotation over a basispτqi. Deciding whetherA`is realizable is NP-complete. IfPis acyclic, the prob-lem can be solved inOpn3

qtime, wheren“ř

i|τi|.

5.

Data-centric Dynamic Partial Order Reduction

DC-DPORand prove its correctness and compactness, namely that that the algorithm explores each observation equivalence class of TPonce. We start with the notion of causal past cones, which will

help in proving the properties of our algorithm.

5.1 Causal Cones

Intuitively, the causal past cone of an eventeappearing in a tracet is the set of events that precedeeintand may be responsible for enablingeint.

Causal cones.Given a tracetand some eventePE_ptq, thecausal past conePasttpeqofe intis the smallest set that contains the following events:

1. if there is an evente1PE_ptqwithPSpe1, eq, thene1PPasttpeq, 2. if e1 P Pasttpeq, for every event e2 P Eptq such that

PSpe2, e1q, we have thate2PPasttpeq, and

3. if there exists a readrPPasttpeq XR, we have thatOtprq P

Pasttpeq.

In words, the causal past cone ofe int is the set of eventse1 that precedee intand may causally affect the enabling ofein t. Note that for every evente1PPasttpeqwe have thate1Ñte, i.e., every event in the causal past cone ofealso happens beforeeint. However, the inverse is not true in general, as e.g. for some readr we haveOtprqÑtrbut possiblyOtprq RPasttprq.

Remark 2. If e1 P Pasttpeq, then e1Ñte and Pasttpe1q Ď

Pasttpeq.

The following lemma states the main property of causal past cones used throughout the paper. Intuitively, if the causal past of an event ein somet1also appears in another tracet2, and the read events in the causal past observe the same write events, theneis inevitable int2, i.e., every maximal extension oft2will containe.

Lemma 5. Consider two tracest1, t2 and an event e P E_pt1q such that for every readr P Pastt1peqwe haver P Ept2qand

Ot1prq “Ot2prq. Theneis inevitable int2.

Proof. We argue that every evente1PPastt1peq Y teuis inevitable int2. Lett12 be any lock-free maximal extension oft2. Assume

towards contradiction thatpPastt1peq Y teuqzE_pt1

2q ‰ H, and let em“arg min

e1_PpPast

t1peqYteuqzEpt12q

int1pe1q

be the first such event int1, and let piprocpemqofem. By Re-mark 2, for every evente1 PPastt1pemqwe havee1PPastt1peq, and sinceint1pe1q ăint1pemq, we havee1 PEpt12q. Letpx, yqbe the edge ofCFGilabeled withem. Sincee1PEpt12q, the program counter ofpibecomesxat some point int12. We examine the num-ber of outgoing edges from nodex.

1. Ifxhas one outgoing edge, we distinguish whether em is a lock-acquire event or not.

(a) Ifemis not a lock-acquire event, thenemis always enabled aftere1int12, hencet12is not maximal, a contradiction. (b) Ifem:acquirel, sincet12is a lock-free trace,lis released

inspt12q, henceemPenabledpt12qandt12is not maximal, a contradiction.

2. Ifxhas at least two outgoing edges then it is eitherem : v orem: bjpv1, . . . , vniq, wherevi PViare local variables of pi. Since for every readr P Pastt1pemqwe haver P Ept2q andOt1prq “Ot2prq, by Remark 2, the same holds for reads r P Pastt1pemq, i.e., for every readr P Pastt1pemqwe have r P Ept2q and Ot1prq “ Ot2prq. By Lemma 1, we have

valt1prq “ valt2prq for every such read r, and since pi is deterministic, the value ofvonxis a function of those reads, and thus eachvihas the same value when the program counter of pi reaches node xint1 and t12. Sinceem appears in t1, em is always enabled aftere1int12, hencet12is not maximal, a contradiction.

The desired result follows.

5.2 Data-centric Dynamic Partial Order Reduction

AlgorithmDC-DPOR.We now present our data-centric DPOR al-gorithm. The algorithm receives as input a maximal tracetand an-notation pairA“ pA`,A´q, wheretis compatible withA`. The algorithm scanstto detect conflicting read-write pairs of events that are not annotated, i.e, a read even r P Rptq and a write eventw P W_ptqsuch that r R dompA`q andConflRWpr, wq. IfwRA´prq, thenDC-DPORwill try tomutatertow, i.e., the algorithm will pushpr, wqin the positive annotationA` _{and call}

Realizeto obtain a trace that realizes the new positive annotation. If the recursive call succeeds, then the algorithm will pushw to the negative annotation ofr, i.e., will insertwtoA´prq. This will prevent recursive calls from pushingpr, wqinto their positive an-notation. Algorithm 2 provides a formal description ofDC-DPOR. InitiallyDC-DPORis executed on inputpt,Aqwheret“εis an empty trace, andA“ pH,Hqis a pair of empty annotations. We say thatDC-DPORexploresa class of TP{ „O when it is called on some annotation inputA“ pA`,A´q, whereA`is real-ized by some (and hence, every) trace in that class. The represen-tative trace is then the tracet1returned byRealize. The following two lemmas show the optimality ofDC-DPOR, namely that the al-gorithm explores every such class at most once (compactness) and at least once (completeness). They both rely on the use of annota-tions, and the correctness of the procedureRealize(Lemma 4). We first state the compactness property, which follows by the use of negative annotations.

Lemma 6 (Compactness). Consider any two executions of DC-DPORon inputspt1,A1qandpt2,A2q. ThenA`1 ‰A

`

2. We now turn our attention to completeness, namely that every realizable observation function is realized by a trace explored by

DC-DPOR. The proof shows inductively that iftis a trace that realizes an observation functionO, thenDC-DPORwill explore

Algorithm 2:DC-DPORpt,Aq

Input: A maximal tracet, an annotation pairA“ pA`,A´q

// Iterate over reads not yet mutated

1 foreachrPEptqzdompA`qin increasing indexintprqdo

// Find conflicting writes allowed by A´ 2 foreachwPE_ptqs.t.Conflpr, wqandwRA´_prqdo 3 A`r,wÐA`Y tpr, wqu

// Attempt mutation and update A´

4 Lett1ÐRealizepA`r,wq 5 ift1‰ Kthen 6 t2Ða maximal extension oft1 7 A´prq ÐA´prq Y twu 8 Ar,wÐ pA`r,w,A´q 9 CallDC-DPORpt2_,A r,wq 10 end 11 end

a trace ti that agrees with t on the first few read events. The, Lemma 5 guarantees that the first read eventron which the two traces disagree appears inti, and so does the write eventwthat robserves inO. HenceDC-DPOReither will mutater Ñw(if wRA´prq), or it has already done so in some earlier steps of the recursion (ifwPA´prq).

Lemma 7(Completeness). For every realizable observation func-tionO,DC-DPORgenerates a tracetthat realizesO.

See Section 2 for the formal proofs. We thus arrive to the following theorem.

Theorem 3. Consider a concurrent acyclic architecture P of processes on an acyclic state space, and n “ maxtPT_P|t|

the maximum length of a trace ofP. The algorithmDC-DPOR explores each class of TP{ „O exactly once, and requires O`

|TP{ „O| ¨n 5˘

time.

We note that our main goal is to explore the exponentially large TP{ „Oby spending polynomial time in each class. Then

5 factor in the bound comes from a crude complexity analysis (also see Sec-tion 7 for some optimizaSec-tions over thisn5bound).

6.

Beyond Acyclic Architectures

In the current section we turn our attention to cyclic architectures. Recall that according to Theorem 2, procedureRealizeis guaran-teed to find a trace that realizes a positive annotationA`, provided that the underlying architecture is acyclic.

Architecture acyclic reduction. Consider a cyclic architec-ture P, and the corresponding communication graph GP “

pVP, EP, λPq. We call a set of edgesX Ď EP anall-but-two

cycle setofGPif every cycle ofGP contains at most two edges

outside ofX. Given an all-but-two cycle set,X Ď EP we

con-struct a second architecturePX

, called theacyclic reductionofP overX, by means of the following process.

1. LetY “Ť

ppi,pjqPXλPppi, pjqbe the set of variables that ap-pear in the removed edgesX. We introduce a set ofobservable locksLO

inPX

such that we have exactly one observable lock lgPLOfor each variablegPY. For every lock-acquire event eawithlocpeaq P LOwe haveea P R. Similarly, for every lock-release eventerwithlocperq PLOwe haveerPW. That is, lock-acquire and lock-release events on observable locks are readandwriteevents, respectively (in contrast with the tradi-tional locks which are neither write nor read events).

2. For every processpi, every write eventwPWiwithlocpwq P Y is surrounded by an acquire/release pair on the observable lock variablellocpwq. Similarly, every lock-acquire eventePLA

withlocpeq PY is surrounded by an acquire/release pair on the observable lock variablellocpeq.

Observation equivalence refined by an edge set. Consider a cyclic architecturePand X an edge set of the underlying com-munication graphGP. We define a new equivalence on the trace

spaceTP as follows. Two tracest1, t2 P TPareobservationally

equivalent refined byX, denoted by„X

O, if the following hold: 1.t1„Ot2, and

2. for every edgeppi, pjq P X, for every pair of distinct write events w1, w2 P W_pt1q X pWi Y Wjq with locpw1q “

locpw2q “ gandg P λPppi, pjq, we have that int1pw1q ă

int1pw2qiffint2pw1q ăint2pw2q Clearly,„X

O refines the observation equivalence„O. The follow-ing lemma captures that the Mazurkiewicz equivalence refines the observation equivalence refined by an edge setX.

Lemma 8. For any two traces t1, t2 P TP, ift1 „M t2 then

t1„X O t2.

Exponential succinctness.Similar to„O, we present examples (in Appendix A.3) of cyclic architectures where the equivalence„X

O is exponentially more succinct than„M, since in general it considers fewer reorderings of events that access variables of the edges of EPzX, than the Mazurkiewicz reorderings on those events. Data-centric DPOR on a cyclic architecture.We are now ready to outline the steps of the data-centric DPOR algorithm on a cyclic architectureP, calledDC-DPOR-Cyclic. First, we determine an all-but-two cycle setX of the underlying communication graph GP “ pVP, EP, λPq, and construct the acyclic reductionPXofP

overX. Then, we executeDC-DPORonPX

, with the following two modifications on the procedureRealize.

1. After the transitive closure graph G˚ has been computed (Line 4), ifG˚contains a cycle, or there exists a pairpr, wq P

A` _{and aw}1 _{P V XWwithConflRWpr, w}1_{qand such that}

pw, w1q PE˚andpw1, rq PE˚, the procedure returnsK. 2. In Line 6 we use the edge setEPXzX. Hence for every variable

xe1,e2used in the 2SAT reduction, we have eitherprocpe1q “

procpe2qorpprocpe1q,procpe2qq PEPXzX.

We arrive to the following theorem. We refer to Appendix A for the formal proofs of correctness and complexity.

Theorem 4. Consider a concurrent architecturePof processes on an acyclic state space, andn“maxtPTP|t|the maximum length of a trace ofP. LetXbe an all-but-two cycle set of the communi-cation graphGP. The algorithmDC-DPOR-Cyclicexplores each

class ofTP{ „XO exactly once, and requiresO

`

|TP{ „XO | ¨n 5˘

time.

7.

Experiments

We report on a basic experimental evaluation of our data-centric DPOR, and compare it to the standard DPOR of [12].

Experimental setup.We have implemented ourDC-DPOR algo-rithm in Python, and evaluate its performance on a set of academic benchmarks (the details of the benchmarks can be found in Ap-pendix B). Our basis for comparison is also a Python implementa-tion of [12, Figure 4]. All benchmarks are straightforwardly trans-lated to our model syntax. The experiments were run on a standard desktop computer with 3.5GHz CPU.