A Partial Order Reduction Technique for Event-driven Multi-threaded Programs
Pallavi Maiya
Indian Institute of Science
pallavih@iisc.ac.in
Rahul Gupta
Indian Institute of Science
rahulg@iisc.ac.in
Aditya Kanade
Indian Institute of Science
kanade@iisc.ac.in
Rupak Majumdar
MPI-SWS
rupak@mpi-sws.org
Abstract
Event-driven multi-threaded programming is fast becoming a pre-
ferred style of developing efficient and responsive applications.
In this concurrency model, multiple threads execute concurrently,
communicating through shared objects as well as by posting asyn-
chronous events that are executed in their order of arrival. In this
work, we consider partial order reduction (POR) for event-driven
multi-threaded programs. The existing POR techniques treat event
queues associated with threads as shared objects and thereby, re-
order every pair of events handled on the same thread even if re-
ordering them does not lead to different states. We do not treat
event queues as shared objects and propose a new POR technique
based on a novel backtracking set called the dependence-covering
set. Events handled by the same thread are reordered by our POR
technique only if necessary. We prove that exploring dependence-
covering sets suffices to detect all deadlock cycles and assertion
violations defined over local variables. To evaluate effectiveness of
our POR scheme, we have implemented a dynamic algorithm to
compute dependence-covering sets. On execution traces obtained
from a few Android applications, we demonstrate that our tech-
nique explores many fewer transitions —often orders of magnitude
fewer— compared to exploration based on persistent sets, wherein,
event queues are considered as shared objects.
1. Introduction
Event-driven multi-threaded programming is fast becoming a pre-
ferred style of structuring concurrent computations in many do-
mains. In this model, multiple threads execute concurrently, and
each thread may be associated with an event queue. Threads may
post events to each other’s event queues, and a thread can post an
event to its own event queue. For each thread with an event queue,
an event-loop processes the events from its event queue in the order
of their arrival. The event-loop runs the handler of an event only af-
ter the previous handler finishes execution but interleaved with the
execution of all the other threads. Further, threads can communicate
through shared objects; even event handlers executing on the same
thread may share objects. Event-driven multi-threaded program-
ming is a staple of developing efficient and responsive smartphone
applications [22]; a similar programming model is also used in dis-
tributed message-passing applications, high-performance servers,
and many other settings.
Stateless model checking [12] is an approach to explore the
reachable state space of concurrent programs by exploring differ-
ent interleavings systematically but without storing visited states.
In practice, the success of stateless model checking depends cru-
cially on partial order reduction (POR) techniques [5, 11, 29, 36].
Stateless search with POR defines an equivalence class on inter-
leavings, and explores only a representative interleaving from each
equivalence class (called a Mazurkiewicz trace [21]), but still pro-
vides certain formal guarantees w.r.t. exploration of the complete
but possibly much larger state space. Motivated by the success of
model checkers based on various POR strategies [2, 3, 7, 10, 12,
13, 28, 31, 41], in this work, we propose an effective POR strategy
for event-driven multi-threaded programs.
Motivating example. We first show why existing POR techniques
may not be very effective in the combined model of threads and
events. Consider a partial execution trace of an event-driven pro-
gram shown in Figure 1. The operations are executed from top to
bottom. The operations in the trace are labeled r1 to r5 and those
belonging to the same event handler are enclosed within a box la-
beled with the corresponding event. These operations are executed
by the threads t1, t2 or t3. Figure 1 enumerates all the operations
executed by a thread on a vertical line below the thread. An oper-
ation post(e) under thread t denotes the enqueuing of an event e
by thread t. The destination event queue can be identified by map-
ping the event posted with the corresponding event label against an
event handler. For example, the operation r1 executed by thread t2
posts an event e1 to thread t1’s event queue. In this trace, threads t2
and t3 respectively post events e1 and e2 to thread t1’s event queue.
The event handler of e1 in turn posts an event e3 to t1’s queue. The
event handlers of e2 and e3 respectively write to shared variables y
and x.
Figure 2 shows the state space reachable through all valid per-
mutations of operations in the trace in Figure 1. Each node indicates
a state of the program. An edge is labeled with an operation and in-
dicates the state transition due to that operation. The interleaving
corresponding to the trace in Figure 1 is highlighted with bold lines
and shaded states. For illustration purposes, we explicitly show the
contents of the event queue of thread t1 at some states. Events in a
queue are ordered from left to right. Pictorially, an event is removed
from the queue when it is dequeued for handling.
Existing POR techniques (e.g. [2, 10, 11, 31, 34]) recognize that
r2 and r5 (also r1 and r4) are independent (or non-interfering) and
that it is sufficient to explore any one of them at state s6 (respec-
tively, s10). The dashed edges indicate the unexplored transitions.
1 2018/8/5
arXiv:1511.03213v2 [cs.PL] 16 Oct 2017
Figure 1: A partial trace of an event-driven program. Operations from top to bottom, with the executing thread; the operations of one event handler are grouped under the event they handle:
r1: post(e1), executed by t2 (e1 is enqueued to t1)
r2: post(e2), executed by t3 (e2 is enqueued to t1)
handler of e1 on t1: r3: post(e3) (e3 is enqueued to t1)
handler of e2 on t1: r4: y = 5
handler of e3 on t1: r5: x = 1
Figure 2: The state space reachable through all valid permutations of operations in the trace given in Figure 1. The leftmost event in an event queue is the front of the queue. [Diagram not recoverable from extraction: states s0 to s14; the highlighted interleaving of Figure 1 is s0 -r1-> s1 -r2-> s2 -r3-> s3 -r4-> s4 -r5-> s5, with t1's queue holding e1 at s1, e1 e2 at s2, e2 e3 at s3 and e3 at s4; dashed edges mark the unexplored transitions at s6 and s10.]
However, existing POR-based model checkers will explore all other states and transitions. Since no two handlers executed on the thread t1 modify a common object, all the interleavings reach the same
state s5. Thus, the existing techniques explore two redundant inter-
leavings. This happens because these techniques treat event queues
as shared objects and so, mark any two post operations that en-
queue events to the event queue of the same thread as dependent.
Consequently, they explore both r1 and r2 at state s0, and r2 and
r3 at state s1. These result in unnecessary reorderings of events.
More generally, if there are n events posted to an event queue,
these techniques may explore O(n!) permutations among them,
even if exploring only one of them may be sufficient. Therefore,
a POR technique that can avoid redundant event orderings can be
significantly more scalable. We exploit this observation. For the
state space in Figure 2, our approach explores only the initial trace
(the leftmost interleaving) and thus visits substantially fewer states
and transitions compared to existing techniques.
Our approach. Realizing a partial order reduction technique effective for event-driven programs requires reviewing various elements of POR and redesigning them to be suitable in the context of event-driven programs. To realize the reduction outlined through the motivating example, we do not consider event queues as shared objects. Equivalently, we treat a pair of posts even to the same thread as independent. The main question then is “How to determine which events to reorder and how to reorder them selectively?”. Surely, if two handlers executing on the same thread contain dependent transitions then we should reorder their post operations, but this is not enough. To see this, consider a partial trace w shown in Figure 3. The transitions r3 and r6 belong to two different threads and are dependent as they write to the same variable. Figure 4 shows a partial state space obtained by different orderings of r3 and r6. The contents of thread t1’s event queue are shown next to each state, whenever the queue is non-empty. As can be seen in the rightmost interleaving, executing r6 before r3 requires posting the event e2 before e1 even though their handlers do not have dependent transitions. A state space exploration starting with sequence w has to reorder e1 and e2 so as to explore a different ordering of r3 and r6 than that explored by w. Thus, operations posting events to the same thread may have to be reordered even to reorder some multi-threaded dependences! Our first contribution is to define a dependence relation that captures both single-threaded as well as multi-threaded dependences.
We now discuss the implications of treating posts as indepen-
dent and only selectively reordering them. For multi-threaded pro-
grams, or when posts are considered dependent, reordering a pair
of adjacent independent transitions in a transition sequence does
not affect the reachable state. Hence, the existing dependence re-
lation [11] induces equivalence classes where transition sequences
differing only in the order of executing independent transitions are
in the same Mazurkiewicz trace [21]. However, our new depen-
dence relation (where posts are considered independent) may not
induce Mazurkiewicz traces on an event-driven program. One rea-
son is that reordering posts to the same thread affects the order
of execution of the corresponding handlers. If the handlers contain
dependent transitions, it affects the reachable state. Second, one
cannot rule out the possibility of new transitions (not present in the
given transition sequence) being pulled in when independent posts
are reordered, which is not admissible in a Mazurkiewicz trace. We
elaborate on this in Section 2.3.
Our second contribution is to define a novel notion of
dependence-covering sequence to provide the necessary theoreti-
cal foundation to reason about reordering posts selectively. Intu-
itively, a transition sequence u is a dependence-covering sequence
of a transition sequence v if the relative ordering of all the pairs of
dependent transitions in v is preserved in u. While this sounds sim-
ilar to the property of any pair of transition sequences in the same
Mazurkiewicz trace, the constraints imposed on a dependence-
covering sequence are more relaxed (as will be formalized in Def-
inition 2.4), making it suitable to achieve better reductions. For in-
stance, u is permitted to have new transitions, that is, transitions
that are not in v, under certain conditions.
Given a notion of POR, a model checking algorithm such as
DPOR [10] uses persistent sets [11] to structure the state space ex-
ploration to only explore representative transition sequences from
each Mazurkiewicz trace. As we show now, DPOR based on per-
sistent sets is unsound when used in conjunction with the depen-
dence relation in which posts are independent. Let us revisit the
state space given in Figure 4. Assume DPOR to explore this state
space starting with the leftmost branch of the state space in Fig-
ure 4, which corresponds to sequence w shown in Figure 3. Then,
DPOR identifies the set {r1} as persistent in state s0, because ex-
ploring any transition other than r1 from s0 does not hit a transition
dependent with r1. This set is tagged as PS in Figure 4. However, a
selective exploration using this set explores only one ordering be-
tween r3 and r6, even though the two orderings are not equivalent.
Figure 3: A partial trace w of an event-driven program involving a multi-threaded dependence. Transitions from top to bottom (threads t1 to t4; the handlers of e1 and e2 run on t1, and t4 is created by the handler of e2):
r1: post(e1) (e1 is enqueued to t1)
r2: post(e2) (e2 is enqueued to t1)
handler of e1 on t1: r3: x = 1
handler of e2 on t1: r4: fork(t4)
t4: r5: tinit(t4)
t4: r6: x = 2
Figure 4: A partial state space for some valid permutations of transitions in the trace given in Figure 3. [Diagram not recoverable from extraction: states s0 to s12; the leftmost branch s0 -r1-> s1 -r2-> s2 -r3-> s3 -r4-> s4 -r5-> s5 -r6-> s6 is w, and the branch s0 -r2-> s7 -r1-> s8 -r4-> s9 -r5-> s10 reaches the state s10 where r3 and r6 are co-enabled, with s10 -r6-> s11 -r3-> s12; the contents of t1's queue (e1, e1 e2, e2, e2 e1) are shown next to the states where it is non-empty. Annotations: PS:{r1} and DCS:{r1, r2} at s0, DCS:{r3, r6} at s10.]
Our third contribution is the notion of dependence-covering sets
as an alternative to persistent sets. A set of transitions L at a state s
is said to be dependence-covering (formalized in Definition 2.6)
if a dependence-covering sequence u starting with some transi-
tion in L can be explored for any sequence v executed from s. We
prove that selective state-space exploration based on dependence-
covering sets is sufficient to detect all deadlock cycles and viola-
tions of assertions over local variables. The dependence-covering
sets at certain states are marked in Figure 4 as DCS. In contrast
to PS, DCS at state s0 contains both r1 and r2. The set {r1, r2}
at s0 is a dependence-covering set because for any transition se-
quence v starting from s0, there exists a dependence-covering se-
quence u starting with a transition in {r1, r2}. Let v be the transi-
tion sequence along the rightmost interleaving in Figure 4. The se-
quence w (the leftmost interleaving) is not a dependence-covering
sequence of v since the dependent transitions r3 and r6 appear in a
different order. We therefore require r2 to be explored at s0. Note
that, {r2} is another dependence-covering set at s0 as both the or-
derings of dependent transitions r3 and r6 can be explored from
s10 reached on exploring r2.
Our final contribution is a dynamic algorithm called EM-DPOR to compute dependence-covering sets. EM refers to the Event-driven Multi-threaded concurrency model. EM-DPOR follows the DFS based exploration strategy of DPOR [10] but the key steps of our algorithm are different. In particular, EM-DPOR incorporates several non-trivial steps (1) to reason about both multi-threaded dependences as well as dependent transitions from different event handlers on the same thread (single-threaded dependences), and (2) to identify events for selective reordering and infer appropriate backtracking choices to achieve the reordering. We have implemented and evaluated this adaptation in a proof-of-concept model checker. Further, we have provided a sketch outlining the proof of correctness of our algorithm in Appendix B.
We now briefly explain how EM-DPOR computes the dependence-covering sets and explores the state space shown in Figure 4 starting with sequence w. On exploring a prefix of sequence w and reaching state s5, EM-DPOR identifies r6 to be dependent with r3 and hence tries to reorder r6 w.r.t. r3. It does so by attempting to execute transitions that happen before r6 prior to r3, ultimately leading to the execution of r6 prior to r3. When attempting to compute backtracking choices at state s2 (the state where r3 is explored) to reorder r3 and r6, EM-DPOR finds that r4 happens before r6. However, r4 is not enabled at s2 because both r3 and r4 execute on the same thread t1, and r4 is a transition of the handler of e2 while e1 is at the front of the queue (see the event queue shown at s2 in Figure 4). Because EM-DPOR is aware of the event-driven semantics and knows that r3 and r4 come from handlers of two different events e1 and e2, it attempts to reorder the events themselves. We call this a step to reschedule pending events because e2 is pending in the queue of the thread t1 at s2. EM-DPOR then starts another backward search to identify the backtracking choices that can reorder e1 and e2. It identifies that the corresponding post operations r1 and r2 can be reordered to do so. It therefore adds r2 to the backtracking set at s0 (from Figure 4, r1 is already in the backtracking set at s0 since the exploration started with w); exploring r2 leads to s8 where event e2 precedes e1 in the event queue as required. EM-DPOR then reaches state s10 where r3 and r6 are co-enabled. Being dependent, EM-DPOR explores both orderings of r3 and r6 from s10. Note that even while considering only r3 and r6 from different threads as dependent, EM-DPOR is able to identify a seemingly unrelated pair of posts at r1 and r2 for reordering.
Experiments. We have evaluated EM-DPOR on Android applica-
tions which are a class of multi-threaded event-driven programs.
We have implemented a proof-of-concept model checking frame-
work called EM-Explorer which simulates the non-deterministic
behaviour exhibited by Android applications given individual exe-
cution traces. We implemented EM-DPOR which performs a selec-
tive state-space exploration based on dependence-covering sets, in
EM-Explorer. For comparison, we also implemented DPOR which
performs exploration based on persistent sets, where posts to the
same thread are considered dependent. We performed experiments
on traces obtained from 5 Android applications. Our results demon-
strate that our POR technique explores many fewer transitions —
often orders of magnitude fewer— compared to using persistent
sets.
2. Formalization
We now formalize our notion of partial order reduction for event-
driven programs. Some of the definitions below follow the conven-
tions in [10]. Any reference to persistent sets henceforth, assumes
usage of the dependence relation defined in [11] as it is, which
marks two post operations to the same event queue as dependent.
2.1 Transition System
We consider an event-driven multi-threaded program A which has
the usual sequential and multi-threaded operations such as assign-
ments, conditionals, synchronization through locks and thread cre-
ation. In addition, the operation post(t1, e, t2) posts an asyn-
chronous event e from the source thread t1 to (the event queue of) a
destination thread t2. However in the execution traces given in the
paper, we omit the source and destination threads of post operation
(e.g., Figure 1 and 3) when apparent from the diagram. Each event
has a handler which runs to completion on the thread to whose
event queue the event is posted. However, the event handler of one
thread may interleave with operations of other threads. Operation
deq(e) denotes the dequeuing of an event e, and end(e) indicates
the completion of execution of an event handler. We consider deq
and end as the first and the last operation of an event handler. In
the traces considered in this paper, all the operations belonging to
the same event handler are grouped inside a box (e.g., Figure 1
and 3). The operations deq and end are omitted but implicitly as-
sumed as the first and the last operation inside the box. We omit
the formal syntax and semantics of various operations relevant in
the context of a multi-threaded event-driven program; they can be
found in [20].
An operation is visible if it accesses an object shared between
at least two threads or two event handlers (possibly running on the
same thread). The first operation (deq) of an event handler is also
considered a visible operation. All other operations are invisible.
The local state of an event handler is a valuation of the stack
and the variables or heap objects that are modified only within the
event handler. The local state of a thread is the local state of the
currently executing event handler. If a handler running on a thread
has finished executing, but the thread has not started executing the
next handler (if any), we say that the thread is idle; the local state
of an idle thread is undefined. A global state of the program A is
a valuation to the variables and heap objects that are accessed by
multiple threads or multiple handlers. Even though event queues
are shared objects, we do not consider them in the global state (as
defined above). Instead, we define a queue state of a thread as an
ordered sequence of events that have been posted to its event queue
but are yet to be handled. This separation allows us to analyze
asynchronous posts more precisely. Event queues are FIFO queues
with unbounded capacity, that is, a post operation never blocks.
For simplicity, we assume that every thread is associated with an
event queue. If a thread does not have an event queue in reality
then its state is determined by the default procedure that runs on it
in response to some initial event, and no other events are enqueued
to its event queue subsequently.
Let L, G and Q be the set of all local states, global states and queue states respectively. Let Th be the set of all threads in A. Then, a state s of an event-driven program A is a triple (l, g, q) where (1) l is a partial map from Th to L, (2) g is a global state and (3) q is a total map from Th to Q. A transition by a thread t updates the state of A by performing one visible operation followed by a finite sequence of invisible operations ending just before the next visible operation; all of which are executed on t. We identify a transition by its visible operation, e.g., we say “post operation” to mean a transition whose first operation is a post. Let R be the set of all transitions in A. A transition r_{t,ℓ} of a thread t at its local state ℓ is a partial function, r_{t,ℓ} : G × Q ↦ L × G × Q. A transition r_{t,ℓ} ∈ R is enabled at a state s = (l, g, q) if ℓ = l(t) and r_{t,ℓ}(g, q) is defined. We may use r_{t,ℓ}(s) to denote application of a transition r_{t,ℓ}, instead of the more precise use r_{t,ℓ}(g, q). The first transition of the handler of an event e enqueued to a thread t is enabled at a state s, if e is at the front of t’s queue at s and t is idle in s. We assume that if a transition is defined for a state then it deterministically maps the state to a successor state.
We formalize the state space of A as a transition system SG =
(S, sinit ,∆), where S is the set of all states, sinit ∈ S is the
initial state, and ∆ ⊆ S × S is the transition relation such that
(s, s′) ∈ ∆ iff ∃r ∈ R and s′ = r(s). We also use s ∈ SG
instead of s ∈ S. Two transitions r1 and r2 may be co-enabled if
there may exist some state s ∈ S where they both are enabled. Two
events e and e′ handled on the same thread t may be reordered if
there exist states s, s′ ∈ S such that s = (l, g, q), s′ = (l′, g′, q′),
q(t) = e ·w · e′ ·w′ and q′(t) = e′ · v · e · v′. In Figure 2, events e1
and e2 may be reordered but not e1 and e3.
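As an added illustration (this is our own example code, not the paper's EM-Explorer implementation), the following Python model implements the transition-system semantics of this section for a constructed encoding of the trace in Figure 1: a state is the (l, g, q) triple, the next transition of a thread is either its own next operation or, when the thread is idle, the first transition of the handler of the event at the front of its queue, and a DFS enumerates every valid interleaving. It also decides "may be reordered" for two events by inspecting the queue states reached. Running it shows that all five maximal interleavings of Figure 1 reach the same state (the point made about Figure 2 in the Introduction) and that e1 and e2 may be reordered while e1 and e3 may not. The operation encoding, the dictionary layout of a program and the function names are assumptions of this example.

```python
# Added example: executable model of the event-driven transition system of Section 2.1.
# Not the paper's code; the program below is a constructed encoding of Figure 1.
POST, WRITE = "post", "write"
IDLE = "idle"   # local state of an idle thread (undefined in the paper; a marker here)

# ("post", destination_thread, event) enqueues event at the destination's FIFO queue;
# ("write", variable, value) writes a shared (global) variable.
PROGRAM_FIG1 = {
    "threads": {
        "t1": [],                                   # t1 only runs event handlers
        "t2": [("r1", (POST, "t1", "e1"))],
        "t3": [("r2", (POST, "t1", "e2"))],
    },
    "handlers": {                                   # every event is handled on t1
        "e1": [("r3", (POST, "t1", "e3"))],
        "e2": [("r4", (WRITE, "y", 5))],
        "e3": [("r5", (WRITE, "x", 1))],
    },
}

def _body(program, src):
    kind, name = src
    return program["threads"][name] if kind == "thread" else program["handlers"][name]

def _freeze(local, glob, queues):
    # Hashable (l, g, q) triple so states can be compared and collected in sets.
    return (tuple(sorted(local.items())), tuple(sorted(glob.items())),
            tuple(sorted((t, tuple(q)) for t, q in queues.items())))

def _thaw(state):
    local, glob, queues = state
    return dict(local), dict(glob), {t: list(q) for t, q in queues}

def initial_state(program):
    local = {t: ((("thread", t), 0) if body else IDLE)
             for t, body in program["threads"].items()}
    return _freeze(local, {}, {t: [] for t in program["threads"]})

def next_transition(program, state, t):
    """next(s, t): (label, operation, dequeued_event) or None if t has nothing to run.
    dequeued_event is set when the transition is the first one of a handler, which is
    enabled only if t is idle and the event is at the front of t's queue."""
    local, _, queues = _thaw(state)
    if local[t] == IDLE:
        if not queues[t]:
            return None
        e = queues[t][0]                             # front of the FIFO queue
        label, op = program["handlers"][e][0]
        return label, op, e
    src, pc = local[t]
    label, op = _body(program, src)[pc]
    return label, op, None

def enabled(program, state):
    """Enabled transitions at state, keyed by the thread that executes them."""
    en = {}
    for t in program["threads"]:
        tr = next_transition(program, state, t)
        if tr is not None:
            en[t] = tr
    return en

def step(program, state, t):
    """Execute thread t's next transition; returns (label, successor state)."""
    local, glob, queues = _thaw(state)
    label, op, dequeued = next_transition(program, state, t)
    if dequeued is not None:                         # deq(e): e leaves the queue, handler starts
        queues[t].pop(0)
        local[t] = (("event", dequeued), 0)
    src, pc = local[t]
    if op[0] == POST:
        queues[op[1]].append(op[2])
    elif op[0] == WRITE:
        glob[op[1]] = op[2]
    pc += 1                                          # end(e) / thread body done -> idle
    local[t] = (src, pc) if pc < len(_body(program, src)) else IDLE
    return label, _freeze(local, glob, queues)

def explore(program):
    """DFS over the (acyclic) state space: returns the maximal transition sequences
    paired with the state each reaches, and the set of all reachable states."""
    maximal, seen = [], set()
    def dfs(state, path):
        seen.add(state)
        en = enabled(program, state)
        if not en:
            maximal.append((tuple(path), state))
            return
        for t in sorted(en):
            label, nxt = step(program, state, t)
            dfs(nxt, path + [label])
    dfs(initial_state(program), [])
    return maximal, seen

def may_be_reordered(program, t, e, e2):
    """Events e and e2 handled on t may be reordered if some reachable queue state
    has e ahead of e2 and another has e2 ahead of e."""
    _, states = explore(program)
    def ahead(state, a, b):
        q = dict(state[2])[t]
        return a in q and b in q and q.index(a) < q.index(b)
    return any(ahead(s, e, e2) for s in states) and any(ahead(s, e2, e) for s in states)
```

With posts treated as independent, one of the five interleavings suffices here, since `explore` reports a single distinct final state; a technique that marks r1 and r2 (and r2 and r3) as dependent has to visit the other branches to discover that.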
For simplicity, we assume that all threads and events in A have
unique IDs. We also assume that the state space is finite and acyclic.
This is a standard assumption for stateless model checking [10].
The transition system SG collapses invisible operations and is thus
already reduced when compared to the transition system in which
even invisible operations are considered as separate transitions. A
transition system of this form is sufficient for detecting deadlocks
and assertion violations [12]. We note that the event dispatch se-
mantics can be diverse in general. For example, Android applica-
tions permit posting an event with a timeout or posting a specific
event to the front of the queue. We over-approximate the effect of
posting with timeout by forking a new thread which does the post
non-deterministically but do not address other variants in this work.
We leave a more general POR approach that allows such variants
to event dispatch, to future work.
Notation. Let next(s, t) give the next transition of a thread t in a
state s. Let thread(r) return the thread executing a transition r. If
r executes in the handler of an event e on thread t then the task of r
is task(r) = (t, e). A transition r on a thread t is blocked at a state
s if r = next(s, t) and r is not enabled in s. We assume that only
visible operations may block. Function nextTrans(s) gives the set
of next transitions of all threads at state s. For a transition sequence
w : r1.r2 . . . rn in SG, let dom(w) = {1, . . . , n}. Functions
getBegin(w, e) and getEnd(w, e) respectively return the indices
of the first and the last transitions of an event e’s handler in w,
provided they belong to w. For a transition r, index(w, r) gives
the position of r in w.
Deadlock cycles and assertion violations. A pair 〈DC, ρ〉 in
a state s ∈ S is said to form a deadlock cycle if DC ⊆
nextTrans(s) is a set of n transitions blocked in s, and ρ is a
one-to-one map from [1, n] to DC such that each ρ(i) ∈ DC,
i ∈ [1, n], is blocked by some transition on a thread ti+1 =
thread(ρ(i+ 1)) and may be enabled only by a transition on ti+1,
and the transition ρ(n) ∈ DC is blocked and may be enabled by
two different transitions of thread t1 = thread(ρ(1)). A state s in
SG is a deadlock state if all the threads are blocked in s due to a
deadlock cycle.
An assertion α is a predicate over local variables of an event
handler and is considered visible. A state s violates an assertion α
if α is enabled at s and evaluates to false.
2.2 Dependence Relation
The notion of dependence between transitions is well-understood
for multi-threaded programs. It extends naturally to event-driven
programs if event queues are considered as shared objects, thereby,
marking two posts to the same event queue as dependent. To en-
able more reductions, we define an alternative notion in which two
post operations to the same event queue are not considered depen-
dent. One reason to selectively reorder events posted to a thread
is if their handlers contain dependent transitions. This requires a
new notion of dependence between transitions of event handlers
executing on the same thread, which we refer to as single-threaded
dependence.
In order to explicate single-threaded dependences, we first define an event-parallel transition system which over-approximates the transition system SG. The event-parallel transition system PG of a program A is a triple (SP, sinit, ∆P). In contrast to the transition system SG = (S, sinit, ∆) of Section 2.1 where events are dispatched in their order of arrival and execute till completion, a thread with an event queue in PG removes any event in its queue and spawns a fresh thread to execute its handler. This enables concurrent execution of handlers of events posted to the same thread. The rest of the semantics remains the same. Let Th and ThP be the sets of all threads in SG and PG respectively. For each state (l, g, q) ∈ S, there exists a state (l′, g′, q′) ∈ SP such that (1) for each thread t ∈ Th, if l(t) is defined then there exists a thread t′ ∈ ThP where l′(t′) = l(t), (2) g = g′, and (3) for each thread t ∈ Th, q(t) = q′(t). Let RP be the set of transitions in PG and ep : R → RP be a total function which maps a transition r_{t,ℓ} ∈ R to an equivalent transition r′_{t′,ℓ′} such that ℓ = ℓ′ and either t′ = t or t′ is a fresh thread spawned by t in PG to handle the event to whose handler r_{t,ℓ} belongs in SG.
We illustrate the event-parallel transition system for the exam-
ple program in Figure 5. Here, x and y are shared variables. The
transitions r1 and r2 respectively run on threads t1 and t2. The last
three lines in Figure 5 give definitions of handlers of the events
e1, e2 and e3 respectively. Figure 6 shows a partial state space of
the program in Figure 5 according to the event-parallel transition
system semantics. The edges are labeled with the respective tran-
sitions. The shaded states and thick edges indicate part of the state
space that is reachable in the transition system semantics of Sec-
tion 2.1 as well, under the mapping between states and transitions
described above.
Definition 2.1. Let RP be the set of transitions in the event-parallel transition system PG of a program A. Let DP ⊆ RP × RP be a binary, reflexive and symmetric relation. The relation DP is a valid event-parallel dependence relation iff for all (r1, r2) ∈ RP × RP, (r1, r2) ∉ DP implies that the following conditions hold for all states s ∈ SP:
1. If r1 is enabled in s and s′ = r1(s) then r2 is enabled in s iff it is enabled in s′.
2. If r1 and r2 are both enabled in s then there exists s′ = (l′, g′, q′) = r1(r2(s)) and s′′ = (l′′, g′′, q′′) = r2(r1(s)) such that l′ = l′′ and g′ = g′′.
This definition is similar to the definition of dependence relation
in [12] except that we do not require equality of the event states
q′ and q′′ in the second condition above. Clearly, any pair of post
transitions, even if posting to the same event queue, are independent
according to the event-parallel dependence relation.
Definition 2.2. Let R be the set of transitions in the transition
system SG of a program A. Let DP be a valid event-parallel
dependence relation for A and D ⊆ R × R be a binary, reflexive
and symmetric relation. The relation D is a valid dependence
relation iff for all (r1, r2) ∈ R × R, (r1, r2) /∈ D implies that
the following conditions hold:
1. If r1 and r2 are transitions of handlers of two different events
e1 and e2 executing on the same thread then the following
conditions hold:
(A) Events e1 and e2 may be reordered in SG.
(B) ep(r1) and ep(r2) are independent in DP, i.e., (ep(r1), ep(r2)) ∉ DP.
2. Otherwise, conditions 1 and 2 in Definition 2.1 hold for all
states s ∈ S.
In the definition above, we use the event-parallel dependence re-
lation DP to formalize single-threaded dependence between tran-
sitions of two handlers in SG and apply the constraints in Defini-
tion 2.1 to states in SG to define (1) dependence among transitions
of the same event handler and (2) multi-threaded dependence. From
the second condition in Definition 2.2, all posts are considered as
independent of each other in SG.
EXAMPLE 2.3. The transitions r5 and r6 in Figure 5 run in two
different event handlers but on the same thread t. Since in the
event-parallel transition system, the handlers execute concurrently,
we can inspect the effect of reordering r5 and r6 on a state where
they are co-enabled. In particular, at state s3 in Figure 6, the
sequence r6.r5 reaches state s14, whereas, r5.r6 reaches s12 which
differs from s14 in the value of x. Therefore, (r5, r6) ∈ DP and by
condition 1.B of Definition 2.2, (r5, r6) ∈ D.
The condition 1.A of Definition 2.2 requires that the ordering
between e1 and e2 should not be fixed. Suppose the handler of e1
posts e2 but the two handlers do not have any pair of transitions that
are in DP . Recall that we do not track dependence through event
queues. Nevertheless, since a post transition in e1 enables e2, the
transitions in the two handlers should be marked as dependent. This
requirement is met through condition 1.A. Intuitively, it serves a
purpose analogous to condition 1 of Definition 2.1.
If (ri, rj) ∈ D, we simply say that ri and rj are dependent.
In practice, we over-approximate the dependence relation, for ex-
ample, by considering all conflicting accesses to shared objects as
dependent.
2.3 Dependence-covering Sets
Mazurkiewicz trace [21] forms the basis of POR for multi-threaded
programs and event-driven programs where posts are consid-
ered dependent. Two transition sequences belong to the same
Mazurkiewicz trace if they can be obtained from each other by re-
ordering adjacent independent transitions. The objective of POR is
to explore a representative sequence from each Mazurkiewicz trace.
As pointed out in the Introduction, the reordering of posts (inde-
pendent as per Definition 2.2) in a transition sequence w may not
yield another sequence belonging to the same Mazurkiewicz trace
(denoted [w]) for two reasons: (1) it may reorder dependent tran-
sitions from the corresponding event handlers and (2) some new
transitions, not in w, may be pulled in.
We elaborate on the second point. Suppose in w, a handler
h1 executes before another handler h2, both on the same thread,
such that h2 is executed only partially in w. Let us reorder the
post operations for these two and obtain a transition sequence w′.
Since the handlers run to completion, in order to include all the
transitions of h1 (executed in w) in w′, we must complete execution
of h2. However, as h2 is only partially executed in w, this results in
including new —previously unexplored— transitions of h2 in w′.
This renders w and w′ inequivalent by the notion of Mazurkiewicz
equivalence which expects the set of transitions in two equivalent
sequences to be identical.
We therefore propose an alternative notion, suitable to corre-
late two transition sequences in event-driven programs, called the
dependence-covering sequence. The objective of our reduction is
to explore a dependence-covering sequence u at a state s for any
transition sequence w starting at s.
Let w : r1.r2 . . . rn and u : r′1.r′2 . . . r′m be two transition
sequences from the same state s in SG reaching states sn and s′m
respectively. Let Rw = {r1, . . . , rn} and Ru = {r′1, . . . , r′m}.
5 2018/8/5
[Figure 6 image: partial event-parallel state space of the program in Figure 5, states s0 to s20 connected by transitions r1 to r6; the graph itself is not recoverable from the text extraction.]
r1 : post(t1, e1, t);   // runs on thread t1
r2 : post(t2, e2, t);   // runs on thread t2
h1 := { r3 : post(t, e3, t); r4 : y = 2; }
h2 := { r5 : x = 5; }
h3 := { r6 : x = −5; }
Figure 5: Pseudo code of an event-driven program.
Figure 6: Partial event-parallel state space of the program in Figure 5.
Figure 7: Dependence graphs of some sequences in SG of the program in Figure 5.
(a) w1: r1.r2.r3.r4.r5.r6, w2: r2.r1.r5.r3.r4.r6 (nodes r1, r2, r3, r4, r5, r6; the edges are not recoverable from the text extraction)
(b) w3: r1.r3.r2.r4.r6.r5 (nodes r1, r2, r3, r4, r5, r6; the edges are not recoverable from the text extraction)
Definition 2.4. The transition sequence u is called a dependence-
covering sequence of w if (i) all the transitions in w are in u but u
can have more transitions than w (i.e., Rw ⊆ Ru) and (ii) for each
pair of dependent transitions r′i, r′j ∈ Ru such that i < j, any one
among the following conditions holds:
1. r′i and r′j are executed in w and their relative order in u is
consistent with that in w.
2. r′i is executed in w and r′j ∈ nextTrans(sn).
3. r′i is not executed in w, r′j ∈ nextTrans(sn) and w can be
extended in SG such that r′i executes before r′j.
4. Irrespective of whether r′i is executed in w or not, r′j is not in
Rw ∪ nextTrans(sn).
The condition (i) above allows new transitions, that are not
in w, to be part of u. The condition (ii) restricts how the new
transitions may interfere with the dependences exhibited in w and
also requires all the dependences in w to be maintained in u. These
conditions permit a dependence-covering sequence to be a relaxation
of Mazurkiewicz trace, making it more suitable for stateless model
checking of event-driven programs where posts may be reordered
selectively.
EXAMPLE 2.5. As an example, let w1, w2 and w3 be the three transition sequences in Figure 6 which correspond to valid sequences
in the transition system SG of the program in Figure 5. The se-
quences of transitions in w1, w2 and w3 are listed in Figure 7. To
illustrate dependence-covering sequences, we visualize the depen-
dences in these sequences as directed graphs, called dependence
graphs, in Figure 7. The nodes in the dependence graph of a tran-
sition sequence w represent transitions in w. If a transition ri ex-
ecutes before another transition rj in w such that ri and rj are
dependent then we draw an edge from ri to rj . The sequences w1
and w2 are dependence-covering sequences of each other. As can
be seen in Figure 7(a), their dependence graphs are identical. Also,
both w1 and w2 are dependence-covering sequences of a sequence
w4 = r2.r5. The dependence graph of w4 is isomorphic to a sub-
graph (enclosed in a rectangular box) of Figure 7(a). For transi-
tions r1, r3, r4 and r6 which do not belong to this subgraph, there
are no restrictions on dependences among themselves. However,
by Definition 2.4, there can be no incoming edge to the subgraph
from nodes not in the subgraph. Transition sequences w1 and w2
satisfy these criteria w.r.t. w4 and hence are dependence-covering
sequences of w4. However, we note that w4 and w1 (or w2) do not
belong to the same Mazurkiewicz trace. The sequence w3 is not a
dependence-covering sequence of w4 since there is an interfering
dependence (r6, r5) ∈ D to the transition r5 executed in w4. Pic-
torially, we can see an incoming edge from r6 to r5 in Figure 7(b).
Note. An important takeaway from the above example is that a
dependence-covering sequence u of a transition sequence w can reorder event handlers seen in w so long as the relative ordering of dependent transitions in w is not altered. Hence, in addition to iden-
tifying similarities between thread schedules, dependence-covering
sequences enable identification of similar ordering between events
as well. Recognizing similar event orderings was not possible with
the Mazurkiewicz way of identifying equivalence between transi-
tion sequences.
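To make Definition 2.4 mechanical, here is an added example (not code from the paper): it encodes the Figure 5 program, simulates it to obtain nextTrans(sn), and checks the four conditions of Definition 2.4 for the sequences of Example 2.5. The dependence relation D is my reading of the text (post-to-handler dependence per condition 1.A, same-task dependence, and the conflict on x between r5 and r6), and the extra prefix r1.r3.r4 goes beyond the page's own cases.

```python
"""Dependence-covering sequence check (Definition 2.4) over the program of Figure 5."""
from itertools import combinations

# Constructed encoding of the Figure 5 pseudo code: t1 and t2 are threads without
# an event queue, t is an event-driven thread with a FIFO queue (names as in the paper).
PLAIN = {"t1": ["r1"], "t2": ["r2"]}
HANDLERS = {"e1": ["r3", "r4"], "e2": ["r5"], "e3": ["r6"]}   # event -> handler transitions
POSTS = {"r1": "e1", "r2": "e2", "r3": "e3"}                   # post transition -> event (to t)
# Dependence relation D assumed from the text: post/handler (condition 1.A),
# transitions of the same task, and the write-write conflict on x between r5 and r6.
D = {frozenset(p) for p in [("r1", "r3"), ("r1", "r4"), ("r3", "r4"),
                            ("r3", "r6"), ("r2", "r5"), ("r5", "r6")]}

# State = (pc of t1, pc of t2, event queue of t, running handler as (event, pc) or None)
INIT = (0, 0, (), None)


def next_trans(s):
    """nextTrans(s): next transition of every task; in this program all of them are enabled."""
    pc1, pc2, queue, running = s
    nt = set()
    if pc1 < len(PLAIN["t1"]):
        nt.add(PLAIN["t1"][pc1])
    if pc2 < len(PLAIN["t2"]):
        nt.add(PLAIN["t2"][pc2])
    if running:
        nt.add(HANDLERS[running[0]][running[1]])
    elif queue:                                   # FIFO: the head of the queue runs next
        nt.add(HANDLERS[queue[0]][0])
    return nt


def step(s, r):
    """Execute transition r from state s (handlers run to completion, posts enqueue)."""
    pc1, pc2, queue, running = s
    assert r in next_trans(s), f"{r} is not the next transition of any task"
    queue = list(queue)
    if r in PLAIN["t1"]:
        pc1 += 1
    elif r in PLAIN["t2"]:
        pc2 += 1
    else:                                         # r runs on t inside an event handler
        if running is None:                       # handler starts: dequeue its event
            running = (queue.pop(0), 0)
        e, pc = running
        running = (e, pc + 1) if pc + 1 < len(HANDLERS[e]) else None
    if r in POSTS:
        queue.append(POSTS[r])
    return (pc1, pc2, tuple(queue), running)


def run(w):
    """State reached from s_init by the transition sequence w."""
    s = INIT
    for r in w:
        s = step(s, r)
    return s


def can_extend(s, a, b):
    """Condition 3: can the run reaching s be extended so that a executes before b?"""
    if a in next_trans(s):
        return True
    return any(can_extend(step(s, r), a, b) for r in next_trans(s) if r != b)


def is_dependence_covering(u, w):
    """Definition 2.4: is u a dependence-covering sequence of w (both starting at s_init)?"""
    if not set(w) <= set(u):                      # (i) R_w ⊆ R_u
        return False
    sn = run(w)
    nt = next_trans(sn)
    for i, j in combinations(range(len(u)), 2):   # every dependent pair r'_i, r'_j with i < j
        a, b = u[i], u[j]
        if frozenset((a, b)) not in D:
            continue
        if a in w and b in w and w.index(a) < w.index(b):      # condition 1
            continue
        if a in w and b in nt:                                 # condition 2
            continue
        if a not in w and b in nt and can_extend(sn, a, b):    # condition 3
            continue
        if b not in w and b not in nt:                         # condition 4
            continue
        return False                              # interfering dependence, as (r6, r5) for w3
    return True


W1 = "r1 r2 r3 r4 r5 r6".split()
W2 = "r2 r1 r5 r3 r4 r6".split()
W3 = "r1 r3 r2 r4 r6 r5".split()
W4 = ["r2", "r5"]
```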
Definition 2.6. A non-empty subset L of transitions enabled at a
state s in SG is a dependence-covering set in s iff, for all non-
empty sequences of transitions w : r1 . . . rn starting at s, there
exists a dependence-covering sequence u : r′1 . . . r′m of w starting
at s such that r′1 ∈ L.
EXAMPLE 2.7. All the transition sequences connecting state s0 to
state s5 in Figure 2 are dependence-covering sequences of each
other. Thus, each of {r1}, {r2} and {r1, r2} are dependence-
covering sets at s0. Even if we take a prefix σ of any of these se-
quences, the shaded sequence in Figure 2 is a dependence-covering
sequence of σ.
In Figure 4, {r2} and {r1, r2} are individually dependence-
covering sets at state s0, whereas, {r1} is not a dependence-
covering set at s0.
For efficient stateless model checking of event-driven programs,
we can explore a reduced state space using dependence-covering
sets.
Definition 2.8. A dependence-covering state space of an event-
driven program A is a reduced state space SR ⊆ SG obtained by
selectively exploring only the transitions in a dependence-covering
set at each state in SG reached from sinit.
The objective of a POR approach is to show that even while
exploring a reduced state space, no concurrency bug is missed w.r.t.
the complete but possibly much larger state space. The exploration
of a dependence-covering state space satisfies this objective. The
following theorem states this guarantee.
Theorem 2.9. Let SR be a dependence-covering state space of an
event-driven program A with a finite and acyclic state space SG.
Then, all deadlock cycles in SG are reachable in SR. If there exists
a state v in SG which violates an assertion α defined over local
variables then there exists a state v′ in SR which violates α.
The proof follows from the appropriate restrictions on allowed
dependences in a dependence-covering sequence u compared to the
dependences in w where w is required to reach a deadlock cycle or
an assertion violation in the complete state space. We provide a
complete proof of the above theorem in Appendix A.
The set {r1, r2} is both a persistent set and a dependence-
covering set at state s0 in Figure 2. We observe that in gen-
eral, a persistent set P at a state s ∈ SG is also a dependence-
covering set at s. Here, persistent set is defined using the depen-
dence relation where posts to the same event queue are depen-
dent, whereas, dependence-covering set is defined using the de-
pendence relation where they are not (more formally, using Defi-
nition 2.2). We present a proof of this claim in Appendix A.3. Note
that a dependence-covering set need not be a persistent set. As seen
in Example 2.7, {r1} and {r2} individually are both dependence-
covering sets at s0 in Figure 2 but they are not persistent sets.
3. Dynamic Algorithm to Compute
Dependence-covering Sets
This section describes the EM-DPOR algorithm for model check-
ing event-driven multi-threaded programs to explore a dependence-
covering state space (see Definition 2.8). EM-DPOR extends
DPOR [10] to compute dependence-covering sets. However, it dif-
fers from DPOR in many key steps.
3.1 Comparison between DPOR and EM-DPOR
DPOR performs depth first traversal on the transition system of a
program. Instead of exploring all the enabled transitions at a state,
it only explores transitions added as backtracking choices by the
steps of the algorithm which guarantees exploring a persistent set
at each visited state. On exploring a sequence w reaching a state s′,
and seeing dependence between a transition r′ ∈ nextTrans(s′)
and a transition r executed at a state s reached by a prefix of w,
DPOR adds backtracking choices at state s, so as to reorder r and
r′ eventually. However, not every pair of dependent transitions can
be reordered. For example, a pair of dependent transitions where
one transition enables the other, cannot be reordered. DPOR uses
a dependence relation which implicitly considers every adjacent
pair of transitions executed on the same thread as dependent, be-
cause executing a transition on a thread enables the execution of
the next transition. Hence, DPOR only attempts to reorder dependent transitions which may be co-enabled, i.e., at least executed on
different threads. However, a pair of dependent transitions executed
on different threads may have a strict ordering between them in a
given execution, making them unsuitable for reordering at any state
reached in that execution. DPOR uses happens-before relation, a
partial order relation on dependent transitions, to capture the order-
ing between dependent transitions in a transition sequence. DPOR
reorders only those may be co-enabled dependent transitions which
are not ordered by happens-before relation over the explored se-
quence.
EM-DPOR extends the DPOR [10] algorithm and computes
dependence-covering sets. However, it differs from DPOR in sev-
eral ways. In particular, EM-DPOR incorporates several non-trivial
steps (1) to reason about both multi-threaded dependences as well
as dependent transitions from different event handlers on the same
thread (single-threaded dependences), and (2) to identify events for
selective reordering and infer appropriate backtracking choices to
achieve the reordering. In order to perform these steps, EM-DPOR
uses the dependence relation defined by Definition 2.2, to identify
dependent transitions. A happens-before relation based on this de-
pendence relation does not totally order all the transitions executed
on the same thread, and restricts the total ordering only within a
task (due to the second condition in Definition 2.2). A task refers
to an event handler or a thread without an event queue. Analo-
gously, EM-DPOR attempts to reorder a pair of dependent tran-
sitions which may be co-enabled or executed in the handlers of
may be reordered events (see Section 2.1) on the same thread. Typically, dynamic POR algorithms only reorder dependent transitions, i.e., they add backtracking choices only at a state which executes a
transition r dependent with another transition r′ such that r and r′
are identified for reordering. This is not the case with EM-DPOR.
Due to atomic execution of event handlers and FIFO processing of
events in a queue, reordering a pair of dependent transitions from
different handlers on the same thread would require reordering their
corresponding posts. Transitions posting to the same event queue
may have to be reordered even to reorder dependent transitions on
different threads, as shown for the state space in Figure 4. Hence,
EM-DPOR selectively reorders posts to the same event queue even
though the dependence relation used by EM-DPOR considers all
the pairs of posts to be independent. When attempting to reorder
a transition r executed at a state s and a dependent transition r′, if
EM-DPOR fails to add backtracking choices at state s then, EM-
DPOR employs a recursive strategy to dynamically identify and re-
order certain posts to the same event queue. As will be explained
in Example 3.5, EM-DPOR requires the enforced ordering between
such selectively reordered post operations to be captured. Hence,
the happens-before relation that we use with EM-DPOR is defined
to be a partial order on dependent transitions as well as selectively
reordered posts.
3.2 Definitions
We now define (selectively) reordered posts and the happens-before
relation used by our algorithm. We also define a few functions that
will be used in the rest of the section, and a notion of diverging
posts that will be used by EM-DPOR to reorder a pair of transitions
from different event handlers on the same thread.
Reordered posts. We define a function reorderedPosts(p, w)
which takes a transition p posting an event to a thread t’s event
queue and a sequence w explored by EM-DPOR where p is exe-
cuted in w, as input, and returns a set P of transitions such that a
transition p′ is a member of P if the following conditions hold:
1. p′ posts an event to thread t’s event queue.
2. There exists a prefix w1 of w such that w = w1.w2, w1 reaches
a state s, p is executed in w2, and the following holds:
(A) EM-DPOR has already explored a sequence w1.w3 where
w3 = p.a1 . . . ai.p
′.ai+1 . . . am, each ai for 1 ≤ i ≤ m
is a transition, and has added backtracking choices at state s
to reorder the post transitions p and p′, and
(B) p′ is a transition in w2 such that index(w2, p′) <
index(w2, p).
Happens-before relation. In the concurrency model assumed,
the events posted to the same event queue are handled in FIFO
order. Hence, we extend the happens-before relation defined in [10]
with a rule to reason about FIFO ordering and a rule to capture
ordering between reordered posts.
Definition 3.1. For a transition sequence w : r1.r2 . . . rn in SG
explored by EM-DPOR, the happens-before relation →w is the
smallest relation on dom(w) such that the following conditions
hold:
1. If i ≤ j and ri is dependent with rj then i→w j.
2. If ri and rj are two different transitions posting events e and
e′ respectively to the same thread, such that i →w j and the
handler of e has finished and that of e′ has started in w, then
getEnd(w, e)→w getBegin(w, e′). This is the FIFO rule.
3. If rj is a post transition and ri ∈ reorderedPosts(rj , w)
such that i = max({l | rl ∈ reorderedPosts(rj , w)}) then
i→w j.
4. →w is transitively closed.
The relation→w is defined over transitions in w. We overload→w
to relate transitions in w with those in the nextTrans set in the
last state, say s, reached by w. For a task (t, e) having a transition
in nextTrans(s), i →w (t, e) if either (a) task(ri) = (t, e) or
(b) ∃k ∈ dom(w) such that i→w k and task(rk) = (t, e).
We note that unlike the happens-before relation defined in [10],
the happens-before relation defined above captures some informa-
tion related to sequences rooted at states reached by prefixes of w
explored by EM-DPOR prior to exploring w. This is required to
add happens-before mapping between reordered posts.
Diverging posts. For a transition sequence w in SG reach-
ing a state s and a transition r in w or nextTrans(s), let
postChain(r, w) = pm.pm−1 . . . p1 be the maximal sequence
of post transitions in w such that pi−1 is a transition in the
handler of the event posted by pi for m ≥ i > 1, and p1
posts the event whose handler executes r. Let r and r′ be tran-
sitions of two handlers running on the same thread such that
postChain(r, w) = pk . . . p1 and postChain(r′, w) = ql . . . q1.
Then, divergingPosts(r, r′, w) is a pair of posts (pi, qi) where
i is the smallest index in the post-chains of r and r′ in se-
quence w such that thread(pi) ≠ thread(qi). In Figure 3,
divergingPosts(r3, r4, r1 . . . r6) = (r1, r2). Diverging posts are
undefined if there exists an index j such that task(pj) = task(qj)
and for all i < j, thread(pi) = thread(qi).
The order of execution of diverging posts of r and r′ uniquely
determines the order of execution of r and r′. In Figure 3, the
order of execution of r1 and r2 uniquely determines the order of
execution of r3 and r4. If r and r′ do not have diverging posts,
their relative order of execution is fixed.
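The following added example (not code from the paper) computes →w by rules 1, 2 and 4 of Definition 3.1 over the Figure 5 program and derives postChain and divergingPosts as defined above. The program encoding and the dependence relation D are my reading of Figure 5 and the text; rule 3 is exposed as an optional reorderedPosts input because no posts are identified for reordering in the sequences checked here.

```python
"""Happens-before (Definition 3.1) and diverging posts (Section 3.2) for the Figure 5 program."""

# Constructed encoding of the Figure 5 pseudo code (names as in the paper): t1 and t2 are
# threads without a queue, t has a FIFO event queue; every post goes to t.
THREAD = {"r1": "t1", "r2": "t2", "r3": "t", "r4": "t", "r5": "t", "r6": "t"}
HANDLERS = {"e1": ["r3", "r4"], "e2": ["r5"], "e3": ["r6"]}   # event -> its handler's transitions
POSTS = {"r1": "e1", "r2": "e2", "r3": "e3"}                   # post transition -> event posted
EVENT = {r: e for e, rs in HANDLERS.items() for r in rs}     # event(r); absent key means nil
# Dependence relation D assumed from the text (condition 1.A, same task, conflict on x).
D = {frozenset(p) for p in [("r1", "r3"), ("r1", "r4"), ("r3", "r4"),
                            ("r3", "r6"), ("r2", "r5"), ("r5", "r6")]}


def task(r):
    return (THREAD[r], EVENT.get(r))


def get_post(w, e):
    """getPost(w, e): the transition in w that posted event e."""
    return next(r for r in w if POSTS.get(r) == e)


def handler_indices(w, e):
    """1-based indices in w of the transitions of e's handler (empty if not started)."""
    return [k for k in range(1, len(w) + 1) if EVENT.get(w[k - 1]) == e]


def happens_before(w, reordered_posts=None):
    """All 1-based index pairs (i, j) with i ->w j.  reordered_posts maps the index of a
    post to the indices of its reorderedPosts (rule 3); it is empty unless EM-DPOR has
    identified posts for reordering, which never happens in the sequences used here."""
    n = len(w)
    hb = {(i, j) for i in range(1, n + 1) for j in range(i, n + 1)        # rule 1
          if i == j or frozenset((w[i - 1], w[j - 1])) in D}
    for j, ks in (reordered_posts or {}).items():                         # rule 3
        hb.add((max(ks), j))
    while True:                                   # rules 2 and 4, iterated to a fixed point
        new = set(hb)
        for i, j in hb:
            ri, rj = w[i - 1], w[j - 1]
            if i != j and ri in POSTS and rj in POSTS:                    # rule 2 (FIFO)
                e, e2 = POSTS[ri], POSTS[rj]          # both posted to the same thread t
                done, begun = handler_indices(w, e), handler_indices(w, e2)
                if len(done) == len(HANDLERS[e]) and begun:   # e finished, e2 started
                    new.add((max(done), min(begun)))          # getEnd(w,e) -> getBegin(w,e2)
            for k, l in hb:                                               # rule 4
                if k == j:
                    new.add((i, l))
        if new == hb:
            return hb
        hb = new


def post_chain(w, r):
    """postChain(r, w) = p_m ... p_1: p_1 posts event(r), p_2 posts the event whose
    handler executed p_1, and so on up to a post made by a thread without a queue."""
    chain, e = [], EVENT.get(r)
    while e is not None:
        p = get_post(w, e)
        chain.append(p)
        e = EVENT.get(p)
    return chain[::-1]


def diverging_posts(w, r, r2):
    """divergingPosts(r, r', w) for r, r' on the same thread; None when undefined."""
    assert THREAD[r] == THREAD[r2]
    ps, qs = post_chain(w, r)[::-1], post_chain(w, r2)[::-1]   # p_1, p_2, ... order
    for pi, qi in zip(ps, qs):
        if THREAD[pi] != THREAD[qi]:
            return (pi, qi)
        if task(pi) == task(qi):              # chains meet in one task: order is fixed
            return None
    return None


W1 = "r1 r2 r3 r4 r5 r6".split()
W3 = "r1 r3 r2 r4 r6 r5".split()
```

In w1 the FIFO rule orders the end of h1 (r4) before the start of h3 (r6), and reordering r5 and r6 requires reordering their diverging posts r2 and r3, which is exactly the difference between w1 and w3.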
Helper functions and data structures. Function enabled(s)
gives the set of threads whose next transitions are enabled at a state
s. Consider a transition sequence w : r1 . . . rn from the initial state
sinit of a given event-driven multi-threaded program. The func-
tion last(w) gives the last state reached by w. If w is empty, it is
the initial state. For an index k ∈ dom(w), pre(w, k) is the state
before executing transition rk. The function getPost(w, e) gives
the transition in w which posted the event e. Function event(r)
gives the event corresponding to the handler which executes r (this
is nil if r is executed by a thread without an event queue). For a
thread t with an event queue, the function executable(s, t) returns
the event whose handler can perform the next transition on t in a
state s, whereas blockedEv(s, t) returns the set of events present
in t’s queue in state s that are not executable. We say that a task
(t, e) is executable at a state s if t is a thread without a queue
(e = nil), or e = executable(s, t). Function execTasks(s)
returns the set of tasks whose events are executable in state s,
whereas blockedTasks(s) returns the set of tasks whose events
are blocked in state s. Function dest(r) takes a transition r posting
an event as input and returns the destination thread. Data structures
backtrack(s) and done(s) respectively track the threads added as
backtracking choices at a state s, and the threads already explored
from a state s during the DFS traversal. Another data structure the
algorithm populates is the set RP maintained at every visited state.
The set RP (s) corresponding to a state s is a set of ordered pairs
of transitions where a pair (a, b) ∈ RP (s) is such that a and b are
posts to the same thread such that a and b have been identified for
reordering in an execution where a is executed prior to b. The set
RP will be implicitly looked up to compute the set reorderedPosts
of a post operation, and in turn derive happens-before ordering be-
tween posts as per condition 3 in Definition 3.1.
3.3 Overview of EM-DPOR Algorithm
This section describes the EM-DPOR algorithm to explore a
dependence-covering state space (see Definition 2.8) of event-
driven programs obeying the concurrency model described in Sec-
tion 2.1.
The EM-DPOR algorithm has two components: (1) a depth first
search based state space explorer called Explore, and (2) a recur-
sive routine called FindTarget to compute backtracking points
and choices for a pair of reorderable dependent transitions. We
note that the algorithms presented in this section assume depen-
dence even between transitions reading from the same shared vari-
able, even though the dependence relation defined by Definition 2.2
considers such non-conflicting transitions to be independent. In
Appendix C, we present modifications to the Algorithm Explore
which makes EM-DPOR capable of treating such transitions in-
cluding a few more types of transitions as independent. We now
give an overview of Explore and FindTarget.
Explore. Algorithm Explore, given as Algorithm 1, takes a tran-
sition sequence w and a set rp of posts identified for reordering,
as input and obtains the current state s = last(w) (line 1). Also,
the set RP (s) corresponding to state s is initialized to rp. Initially,
i.e., when Explore is invoked for the first time, w is empty.
The loop at lines 2–6 iterates over all threads t and identifies
transitions from w that have a race with next(s, t). A transition
ri has a race with next(s, t) if they are dependent and may be
co-enabled (if thread(ri) ≠ t) or may be reordered (if event(ri)
and event(next(s, t)) may be reordered), and ri does not happen
before any transition in the task that executes next(s, t). The algo-
rithm selects a transition ri which satisfies the above requirements
and has the highest index in w. It then invokes the recursive routine
FindTarget at line 4 to compute backtracking choices to reorder
ri and next(s, t), and if required, identify posts to same thread
for selective reordering.
Lines 7–19 perform a selective depth first traversal starting at
state s reached by w. The algorithm Explore is called recursively
by extending the current transition sequence with an outgoing tran-
sition r of a thread t ∈ backtrack(s) from s, such that t is not
already explored from s i.e., t ∉ done(s). Lines 11–16 are ef-
fective only if the transition r executed at state s reached by w,
is a post transition. Line 15 removes those members from the set
RP (s) where the recently executed transition r is the first transi-
tion in the ordered pair. This is because after the execution of post
operation r, any remaining post identified to be reordered w.r.t.
r cannot be reordered by extensions of the sequence w.r. Hence,
we do not track such pairs anymore. We now explain intuitions for
lines 12 and 13 which add r’s thread as a backtracking choice at a
state from where r’s nearest reordered post is executed.
On inspecting the members of the form (r, ·) in the set RP (s)
and checking the post transitions in w, the posts which have
been successfully reordered w.r.t. the post transition r can be
identified, i.e., reorderedPosts(r, w.r) can be computed with
the help of RP . If the transition r = next(s, t) has a post
operation such that a transition rk in w is its nearest reordered post
then, condition 3 in Definition 3.1 adds a happens-before mapping
from rk to r. The happens-before mapping from rk to r initiates
FIFO and transitive ordering between transitions across some of
the handlers corresponding to post chains originating from rk and
r; consequently, dependent transitions which could otherwise be
identified by line 3 for reordering may get ordered by happens-
before.
Input: a transition sequence w: r1 . . . rn and a set rp of posts to be reordered
1   Let s = last(w); RP(s) = rp
2   foreach thread t do
3       if ∃i = max({i ∈ dom(w) | ri is dependent and (may be co-enabled or reordered with next(s, t)) and i ↛w task(next(s, t))}) then
            // Identify backtracking point and choice to reorder ri and next(s, t)
4           FindTarget(w, ri, next(s, t))
5       end
6   end
7   if ∃t ∈ enabled(s) then
8       Let backtrack(s) = {t} and done(s) = ∅
        // Perform selective depth-first traversal
9       while ∃t ∈ (backtrack(s) \ done(s)) do
10          Let r = next(s, t); Execute transition r
11          if r is a post operation then
12              if ∃k = max({k ∈ dom(w) | rk ∈ reorderedPosts(r, w.r)}) then
13                  Add thread t to backtrack(pre(w, k))
14              end
15              rp = RP(s) \ {(r, ·) ∈ RP(s)}
16          end
17          Add t to done(s); Explore(w.r, rp)
18      end
19  end
Algorithm 1: Explore
Transition r is enabled in pre(w, k) — state from which rk
is executed, because rk ∈ reorderedPosts(r, w.r) which means
EM-DPOR has already seen an execution where r is executed from
a state reached by a prefix of w but prior to or at pre(w, k) which
makes r the next transition on its thread at pre(w, k) (see definition
of reordered posts in Section 3.2). Hence, line 13 adds thread t as
a backtracking choice at pre(w, k), so as to not miss alternate or-
derings between dependent transitions across post chains of rk and
r. For example, consider a sequence w.r . . . p1 . . . p2 . . . pn . . . w′
explored by EM-DPOR where w and w′ are transition sequences,
and pi for 1 ≤ i ≤ n and r are transitions posting to the same
event queue. Assume that the handlers of p1, . . . pn−1 and pn con-
tain transitions dependent with transitions in r’s handler, and EM-
DPOR identifies p1, p2, . . . , pn to be reordered with r. Let EM-
DPOR eventually explore v = w . . . p1 . . . pn . . . r.w′′. Since pn
is the nearest reordered post w.r.t. r in sequence v, a happens-
before mapping is added between pn and r. As a result the han-
dlers corresponding to pn and r get ordered by FIFO rule, due to
which the dependent transitions in the handlers of pn and r will not
be selected for reordering by line 3 in Algorithm 1. Since line 13
adds r’s thread to the backtracking set at the state prior to pn in
sequence v, EM-DPOR will still be able to explore a dependence-
covering sequence for w . . . p1 . . . pn−1 . . . r . . . pn.w′′′. This may
be missed otherwise.
FindTarget. Explore invokes FindTarget (Algorithm 2) to
compute backtracking choices to reorder a pair of dependent tran-
sitions r and r′. Let i be the index of r in w and s be the state
from which r = ri is executed (line 1). If FindTarget fails to
identify backtracking choices to be added to backtrack(s), then it
identifies posts for selective reordering and recursively invokes it-
self to compute corresponding backtracking choices. Among other
criteria, a recursive call terminates when a happens-before order-
ing between r and r′ is detected (line 2). Transitions r and r′
may be co-enabled or they may belong to different event handlers
on the same thread. In the latter case, we first identify a pair of
post operations executed on different threads which need to be re-
ordered so as to reorder r and r′. FindTarget operates in four
main steps explained below, of which Steps 2–4 are applicable only when thread(r) ≠ thread(r′) and Step 1 only when
thread(r) = thread(r′).
Step 1. Transitions r and r′ may be from different tasks on the same
thread. Such transitions can only be reordered by reordering their
diverging posts. Line 4 therefore recursively invokes FindTarget
on post operations of r and r′. This way it simultaneously walks
up postChain(r, w) and postChain(r′, w) on each recursive call
to FindTarget till it finds divergingPosts(r, r′, w). On reaching
the diverging posts, the condition thread(r) = thread(r′) —
where r and r′ are diverging posts— evaluates to false and the
control goes to Step 2.
Step 2. This step is reached only when thread(r) ≠ thread(r′).
Similar to the algorithm DPOR’s [10] computation of backtracking
choices, this step computes threads to be added to backtrack(s) to
facilitate executing r′ before r in a future run. Lines 6–10 compute
a set candidates consisting of task(r′) and tasks that have a
transition, executed after r, with a happens-before ordering with
r′. Tasks in set candidates are restricted to only those which are
either executable or blocked in state s. Additionally, only those
tasks whose threads are enabled at s are added, so that one such
thread can be explored from s to eventually achieve the reordering.
Threads whose transitions are already explored from state s are
added to done set at s by line 17 in Algorithm 1. For a task (t, e) ∈
candidates, it is possible that its thread t is already in done(s). If
all the tasks in the set candidates are in done(s) then in case of a
purely multi-threaded program, this would imply that the intended
order between r′ and r has already been explored. However, this
reasoning need not hold in the presence of events. This is because
for a task (t, e) ∈ candidates such that t ∈ done(s), event e may
be blocked on its queue in state s— which means t ∈ done(s) due
to exploration of the executable task on t in a prior run. However,
the executable task on t may not even have any happens-before
ordering with r′. In which case exploring it from state s would
either not have explored the required order between r′ and r, or
would not have preserved the required order between other pairs of
dependent transitions when r′ is executed before r in a prior run.
Hence, lines 12–16 compute unexplored to be a set of
threads corresponding to tasks in candidates which are not in
Input: a transition sequence w: r1 . . . rn, a transition r from w and a transition r′ which may or may not belong to w
1   Let i = index(w, r) and s = pre(w, i)
2   if r′ ∉ nextTrans(last(w)) and i →w index(w, r′) then return
    // Step 1: Recursively search for diverging posts
3   if thread(r) = thread(r′) then
4       FindTarget(w, getPost(w, event(r)), getPost(w, event(r′))); return
5   end
    // Step 2: Reorder transitions from distinct threads
6   if r′ ∈ nextTrans(last(w)) then
7       Let candidates = {task(p) ∈ execTasks(s) ∪ blockedTasks(s) | thread(p) ∈ enabled(s)
            and p = r′ or (∃k ∈ dom(w) : k > i and k →w task(r′) and p = rk)}
8   end
9   else
10      Let candidates = {task(p) ∈ execTasks(s) ∪ blockedTasks(s) | thread(p) ∈ enabled(s)
            and p = r′ or (∃k ∈ dom(w) : k > i and k →w index(w, r′) and p = rk)}
11  end
12  Let unexplored = {t | (t, e) ∈ candidates} \ done(s)
13  if unexplored ≠ ∅ then
14      Add any t ∈ unexplored to backtrack(pre(w, i))
15      if r′ and r are post operations then RP(s) = RP(s) ∪ {(r, r′)}; return
16  end
    // Step 3: Recursively search for backtracking choices to make a pending (blocked) event executable
17  Let pending = {(t, e) ∈ candidates | e ∈ blockedEv(s, t)}
18  if pending ≠ ∅ then ReschedulePending(w, pending, r)   // See Algorithm 3
19  else   // Step 4: All the tasks in candidates are executable, or candidates = ∅
20      Let ts = {t | (t, e) ∈ candidates}
21      if ts ≠ ∅ then Add any t ∈ ts to backtrack(pre(w, i)) else BacktrackEager(w, i, r′)   // See Algorithm 4
Algorithm 2: FindTarget
done(s), and add some thread in unexplored to backtrack(s) if
unexplored 6= ∅. In addition, if r and r′ are post transitions then
the algorithm tracks that these two posts have been identified for
reordering and backtracking choices have been added correspond-
ingly at state s to execute r′ prior to r. This information is tracked
by adding the ordered pair (r, r′) to the set RP (s).
The case unexplored = ∅, i.e., all the threads with transitions that
happen-before r′ being already explored from s, does not imply that
r′ cannot be reordered with r, or that EM-DPOR has already seen a
run where r′ is explored before r. Rather, it indicates that we
need to adopt a different strategy to achieve the reordering. This
is illustrated through an example below.
EXAMPLE 3.2. In sequence w of Figure 3, transitions r3 and r6
are dependent, may be co-enabled and do not have a happens-
before ordering. When Explore invokes FindTarget to com-
pute backtracking choices to reorder r3 and r6, Step 1 is skipped
as thread(r3) ≠ thread(r6). Step 2 computes candidates =
{(t1, e2)} as t1 is enabled at s2 (see Figure 4), and r4 executed
in (t1, e2) forks t4 and thus happens before r6. However, t1 is al-
ready executed from s2 and is in done(s2). Yet, as can be seen in
Figure 4, r3 and r6 can be reordered, but only by reordering r1 and r2,
which post events e1 and e2 respectively. Adding thread t1, corresponding
to the only task (t1, e2) in candidates, will not achieve
this reordering. Step 3 explains our technique to handle such cases.
Step 3. In this step, line 17 computes a set pending which is a
subset of tasks in candidates whose events are blocked in their
event queues in state s. If set pending is not empty, line 18 invokes
ReschedulePending. Intuitively, ReschedulePending identifies
a set of events blocked in s to be reordered with their corresponding
executable events i.e., it performs selective reordering of posts
to same thread so as to eventually reorder r and r′ executed on
different threads. We present its details in Section 3.4.
Step 4. Finally, the set pending being empty implies that all the
tasks in candidates are executable at state s or candidates itself
is empty. FindTarget computes a set of threads ts corresponding
to each task in candidates. If the set ts is non-empty, it only means
that another ordering of r and r′ is already explored in a past run
as all the threads in ts are already in done(s) (due to lines 12–16),
and the algorithm trivially adds any thread from ts to backtrack(s)
(line 21). If ts = ∅, which means candidates = ∅, FindTarget
invokes BacktrackEager (see Algorithm 4) at line 21.
3.4 Selective Reordering of Blocked and Executable Events
ReschedulePending (Algorithm 3) is invoked by Algorithm 2 on
line 18 in Step 3 of FindTarget when a transition r executed
from a state s in sequence w explored by EM-DPOR has to be
reordered with a transition r′ on another thread, and Step 2 of
FindTarget fails to add backtracking choices to backtrack(s).
ReschedulePending is called only if the candidate set of tasks
computed by Step 2 has a set of tasks with their events blocked
in state s such that their corresponding executable tasks are al-
ready explored from s. Then, Algorithm 3 identifies suitable events
blocked in s to be reordered with executable events on their corre-
sponding queues, attempting to co-enable r and r′ facilitating their
reordering.
We present some intuitions on scenarios where relevant pairs of
events enqueued to the same event queue should be reordered to
explore different orderings between a pair of transitions executed
on different threads. A pair of event handlers executed on the
same thread may have to be reordered so as to reorder a pair of
transitions, say p1 (assumed to be executed at a state s in a sequence
v) and p′n (may or may not be executed in v) on different threads,
typically in the following scenarios.
(a) Even though there exists a sequence in SG where p′n is executed
prior to p1, in sequence v however p1 must be executed to eventu-
ally execute p′n. This may be the case if a transition that enables p′n
is in a task whose event is blocked in p1’s thread in state s (similar
to the scenario presented for Figure 4).
(b) Any transition sequence rooted at state s cannot preserve the
relative ordering between a set of pairs of dependent transitions
when reordering p1 and p′n, even though this can be achieved by
reordering some relevant pairs of events. This may be the case
if a transition that happens before p′n is in a task whose event
is blocked in p1’s thread in state s. In such a case executing p′n
prior to p1 by adding backtracking choices at state s breaks the
ordering between transitions in the blocked task on p1’s thread
and p′n. More generally case (b) can occur if a transition in a task
blocked on p1’s thread in state s happens before a transition in the
executable task on another thread, say tn, such that a transition in
a task blocked in s on tn happens before p′n. In general there may
be any number of such blocked – executable tasks between p1 and
p′n, with happens-before mapping from transitions in blocked tasks
to transitions in executable tasks on different threads, as depicted
in Figure 8(a). Clearly, reordering p1 and p′n by exploring thread
tn (see Figure 8) from state s breaks the happens-before ordering
between a transition in a blocked task on thread tn−1 and transition
pn in the executable task on tn.
[Figure 8(a): Sequence v. Threads t1, t2, ..., ti, ..., tn; on each thread ti the task (ti, ei) contains pi and the task (ti, e′i) contains p′i.]
[Figure 8(b): Events ei and e′i are reordered.]
Figure 8: Partial dependence structure of sequence v. Directed
edges indicate dependence or relation by →v . Even though p′n is
indicated inside task (tn, e′n), it may only have a happens-before
relation with a transition in (tn, e′n).
In both cases (a) and (b) it is intuitive to identify the event cor-
responding to the blocked task that happens before p′n for reorder-
ing with its corresponding executable event. Also, this blocked
task will be in set candidates computed by Step 2 of Algo-
rithm 2 invoked to reorder p1 and p′n when exploring sequence v.
From the structure given in Figure 8(a), reordering tasks (tn, en)
and (tn, e′n) seems to reorder p1 and p′n without disturbing the
happens-before ordering between any p′i and pi+1, for 1 ≤ i < n.
Now assume tasks (tn, en) and (tn, e′n) to contain a pair of depen-
dent transitions, say q and q′, in which case reordering these tasks
so as to reorder p1 and p′n breaks the ordering between q and q′. In
such a scenario reordering events ei – e′i, for some i ∈ [1, n − 1],
such that the corresponding tasks of these event pairs do not have
dependent transitions, would aid in reordering p1 and p′n without
affecting any other pairs of dependent transitions (see Figure 8(b)).
However, identifying one right pair of events for reordering among
various available relevant pairs of events is hard, as the dependent
transitions that may be affected by the reordering of a pair of events
may not even be present in the handlers of these events. Hence, we
have designed EM-DPOR to reorder all the relevant pairs of events.
Insights on reordering relevant event pairs. In case of scenario
presented for Figure 8(a) EM-DPOR eventually explores every
thread ti for 1 ≤ i ≤ n from state s. This is because explor-
ing any thread ti from s eventually explores a sequence where
the order between transitions p′i−1 and pi (or p′n and p1) is reversed
compared to what is required, while the remaining blocked
to executable task happens-before mapping is as required. As a
result FindTarget adds thread ti−1 to backtrack(s) eventually
exploring it. Even after exploring every ti, 1 ≤ i ≤ n, from
state s, one pair of transitions from executable and blocked tasks
respectively on different threads are out of order. FindTarget
invoked to reorder this pair finds threads corresponding to all
tasks in candidates to be explored from s resulting in a call to
ReschedulePending. Then, ReschedulePending identifies rel-
evant blocked – executable event pairs for reordering by checking
for happens-before mapping from blocked tasks to executable tasks
such that the threads corresponding to these tasks are already explored
from s. The details of this process are explained below.
Algorithm ReschedulePending. Algorithm 3 takes a sequence w
explored by EM-DPOR, a set of tasks pending (same as pending
computed by FindTarget), and a transition r = ri identified by
FindTarget to be reordered with a transition r′ as input. Since
ReschedulePending is invoked by the step 3 of FindTarget (Al-
gorithm 2), we refer to the steps of ReschedulePending as 3a,
3b and 3c. In Algorithm 3, variable worklist stores a subset of
executable tasks in state s, and swapMap maintains a map from
threads to a subset of events blocked on their respective queues at
s. Lines 2 and 3 in Step 3a pick any task (tk, ek) from set pending
passed as argument, initialize worklist with the executable task
on thread tk and add ek to the set of blocked events maintained
for thread tk in swapMap. Step 3b (lines 4–11) initiated by a
non-empty worklist identifies other relevant blocked events for
reordering. This is required as it is hard to pick exactly one pair of
relevant blocked – executable events for reordering, as explained
earlier. Line 5 removes some executable task (tj , ej) from the
worklist. Line 6 computes a set C of tasks blocked in s such that,
a blocked task (t, e) is added to C if there exists a transition rl
in the handler of e which happens before a transition in (tj , ej).
This essentially checks for the blocked task on one thread to ex-
ecutable task on another thread happens-before pattern, illustrated
through Figure 8. Additionally, line 6 only retains those blocked
tasks whose threads are already explored from state s. Lines 7–10
iterate on each blocked task in C, add corresponding executable
task to worklist for further processing and store the event corresponding
to the blocked task in swapMap. We note that in the case of the
scenario presented for sequence v in Figure 8, if tn ∈ done(s),
then FindTarget called to reorder dependent transitions p1 and
p′n reaches Step 3, computes pending = {(tn, e′n)} and invokes
ReschedulePending. Step 3a of Algorithm 3 adds event e′n corresponding
to a pending task (tn, e′n) to the set swapMap[tn]
and initializes worklist with the executable task (tn, en). Initi-
ated by the executable task (tn, en), Step 3b iteratively adds e′i to
swapMap[ti] and (ti, ei) to worklist starting from i = n− 1 to
i = 1. The while loop exits on processing executable task (t1, e1)
and not finding any more blocked events satisfying the constraints
in line 6.
Lines 12–16 (Step 3c) iterate over each thread t for which the set
of blocked events swapMap[t] is non-empty, pick an event among
events in set swapMap[t], and invoke FindTarget to reorder the
post transition for the executable event at state s on thread t with
that of the selected blocked event.
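Steps 3a and 3b of ReschedulePending run on the chain of Figure 8(a) with n = 3, as an added Python example that is not part of the paper's implementation. The trace, its happens-before edges, the state s and the helper names (hb_closure, reschedule_pending) are constructed here; FindTarget is not modelled, so Step 3c is returned as the per-thread executable/blocked event pairs it would be invoked with.

```python
from collections import defaultdict, deque

# Constructed trace v for the Figure 8(a) chain with n = 3 threads (example data,
# not from the paper). Index -> task (thread, event) executing that transition.
# Odd indices are the transitions p_i / p'_i, even indices the end of the handler.
TRACE = {
    1: ("t1", "e1"), 2: ("t1", "e1"),      # p1, end(t1, e1)
    3: ("t1", "e1'"), 4: ("t1", "e1'"),    # p'1, end(t1, e1')
    5: ("t2", "e2"), 6: ("t2", "e2"),      # p2, end(t2, e2)
    7: ("t2", "e2'"), 8: ("t2", "e2'"),    # p'2, end(t2, e2')
    9: ("t3", "e3"), 10: ("t3", "e3"),     # p3, end(t3, e3)
    11: ("t3", "e3'"), 12: ("t3", "e3'"),  # p'3, end(t3, e3')
}
# getEnd(w, e) for each task.
END_IDX = {("t1", "e1"): 2, ("t1", "e1'"): 4, ("t2", "e2"): 6,
           ("t2", "e2'"): 8, ("t3", "e3"): 10, ("t3", "e3'"): 12}
# Happens-before edges of ->v: program order inside each task plus the
# blocked-task-to-executable-task mappings p'1 -> p2 and p'2 -> p3 of Figure 8(a).
HB_PAIRS = [(1, 2), (3, 4), (5, 6), (7, 8), (9, 10), (11, 12), (3, 5), (7, 9)]
# State s: the event at the front of each queue is executable, the rest are blocked.
EXECUTABLE = {"t1": "e1", "t2": "e2", "t3": "e3"}
BLOCKED = {"t1": {"e1'"}, "t2": {"e2'"}, "t3": {"e3'"}}


def hb_closure(pairs):
    """Transitive closure of the happens-before edges: index -> set of successors."""
    succ = defaultdict(set)
    for a, b in pairs:
        succ[a].add(b)
    changed = True
    while changed:
        changed = False
        for a in list(succ):
            extra = set()
            for b in succ[a]:
                extra |= succ[b] - succ[a]
            if extra:
                succ[a] |= extra
                changed = True
    return succ


def reschedule_pending(trace, hb_pairs, end_idx, executable, blocked, done, pending):
    """Steps 3a and 3b of Algorithm 3. Returns, per thread, the executable event and
    the blocked events collected in swapMap, i.e. what Step 3c hands to FindTarget."""
    succ = hb_closure(hb_pairs)
    # Step 3a: pick any pending task, seed worklist and swapMap with it.
    tk, ek = sorted(pending)[0]
    worklist = deque([(tk, executable[tk])])
    swap_map = defaultdict(set)
    swap_map[tk].add(ek)
    processed = set()  # added guard: each executable task is processed once
    # Step 3b: follow the blocked-task -> executable-task happens-before pattern.
    while worklist:
        tj, ej = worklist.popleft()
        if (tj, ej) in processed:
            continue
        processed.add((tj, ej))
        end_j = end_idx[(tj, ej)]
        # Line 6: blocked tasks (t, e) on threads in done(s) that contain a
        # transition r_l with r_l ->w getEnd(w, ej).
        C = {(t, e) for l, (t, e) in trace.items()
             if e in blocked.get(t, set()) and end_j in succ[l] and t in done}
        for t, e in C:
            worklist.append((t, executable[t]))
            swap_map[t].add(e)
    return {t: (executable[t], sorted(evs)) for t, evs in swap_map.items()}


if __name__ == "__main__":
    # All three threads already explored from s: the whole chain is collected.
    print(reschedule_pending(TRACE, HB_PAIRS, END_IDX, EXECUTABLE, BLOCKED,
                             {"t1", "t2", "t3"}, {("t3", "e3'")}))
    # t1 not yet explored from s: the chain stops at t2 (line 6 requires t in done(s)).
    print(reschedule_pending(TRACE, HB_PAIRS, END_IDX, EXECUTABLE, BLOCKED,
                             {"t2", "t3"}, {("t3", "e3'")}))
```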
EXAMPLE 3.3. Continuing Example 3.2, Step 2 in FindTarget
called to reorder r3 and r6 (Figure 3) fails to add any back-
tracking choices at state s2 (Figure 4). Then, Step 3 computes
Input: a transition sequence w: r1 . . . rn, a set of tasks called pending whose events are posted in w, and a transition r from w
1   Let i = index(w, r) and s = pre(w, i)   // Step 3a: Initialization
2   Let (tk, ek) be any task in pending
3   Let worklist = {(tk, executable(s, tk))} and swapMap[tk] := {ek}
    // Step 3b: Identify blocked events to be reordered with executable events at state s
4   while worklist ≠ ∅ do
5       Remove a task (tj, ej) from worklist
6       Let C = {(t, e) | ∃l ∈ dom(w) : (t, e) = task(rl) and e ∈ blockedEv(s, t) and l →w getEnd(w, ej) and t ∈ done(s)}
7       foreach (t, e) ∈ C do
8           worklist = worklist ∪ {(t, executable(s, t))}
9           Add event e to the set swapMap[t]
10      end
11  end
    // Step 3c: Reorder blocked and executable events identified by Step 3b
12  foreach thread t such that swapMap[t] ≠ ∅ do
13      Let e be any event in swapMap[t]
14      Let r = getPost(w, executable(s, t)) and r′ = getPost(w, e)
15      FindTarget(w, r, r′)
16  end
Algorithm 3: ReschedulePending
pending = {(t1, e2)} as e2 is blocked in s2, and invokes
ReschedulePending(r1 . . . r5, {(t1, e2)}, r3). Line 3 in Algo-
rithm 3 adds e2 to swapMap[t1]. Step 3b adds no more blocked
events to swapMap. Step 3c calls FindTarget(r1 . . . r5, r1, r2)
to reorder blocked event e2 with executable event e1 at state s2
on t1. In the recursive call, state s0 (where r1 is executed) is
identified as the backtracking point and Step 2 adds thread t3 to
backtrack(s0) as t3 executes r2. Thus in a future run where r2 is
explored before r1, r3 and r6 get reordered as shown in Figure 4.
3.5 Simulating DPOR
Call to BacktrackEager(w, i, r′) is performed by line 21 in Al-
gorithm 2 when Steps 2 and 3 of Algorithm 2 fail to identify back-
tracking choices to reorder transitions r (same as ri) executed at
a state s and a transition r′. When the DPOR algorithm fails to
identify candidate threads using the HB relation so as to reorder a
pair of racing transitions in the multi-threaded setting, it includes
all the threads enabled at s as backtracking choices, initiating ex-
ploration of all thread interleavings rooted at s. In our event-driven
setting, in addition, EM-DPOR must initiate all possible reordering
of events in each queue which are posted prior to reaching state s.
BacktrackEager (Algorithm 4) achieves the same.
It initializes a temporary HB relation which will only be used
in the current invocation of BacktrackEager, with the HB ordered
pairs in the relation→w. Given a transition sequence w, an index
i and a transition r′, BacktrackEager treats every nearest pair
(rj, rk) of transitions with no happens-before between them as per
this temporary relation, and posting to the same event queue, as dependent, provided
j, k < i (Algorithm 4 line 4). We consider rj to be nearest to
rk if j < k and rj has the highest index in w among all other
transitions satisfying the given constraints. BacktrackEager then
simulates the DPOR approach with this dependence relation from
the initial state along w up to ri. Note that dependence through
shared objects is already considered in Algorithm 1. Lines 5–8 add
backtracking choices at state pre(w, j) to reorder rj and rk, and
mark rj to happen before rk. The new happens-before mapping
added to the temporary relation induces additional transitive and FIFO mappings to
be added to it (see line 8 in Algorithm 4). Hence, we call it
the extended HB relation. If ri is established to happen before
r′ as per the extended HB relation, then BacktrackEager returns (line 9), because ri
and r′ have got related by happens-before by considering a pair
of post operations (rj , rk) as dependent. Thus, ri and r′ will get
reordered when rj and rk get reordered on exploring backtracking
choices added by line 6. Otherwise, the algorithm iterates until ri
is reached, and computes backtracking choices to reorder ri and
r′ similar to DPOR (lines 12–19) using the extended HB relation.
Lines 7 and 20 update the RP sets of different states since
the post transitions executed from these states were identified
to be reordered w.r.t. posts executed later. As explained earlier
RP sets will be queried to identify the set of reorderedPosts
in subsequent explorations. Below is an example illustrating the
working of BacktrackEager.
EXAMPLE 3.4. For the purpose of this example, consider an im-
plementation of EM-DPOR which does not track happens-before
ordering between a fork operation and the initialization of the
spawned thread. Assume exploring a sequence w given in Figure 3
with such an implementation of EM-DPOR. On reaching state s5
(see Figure 4) Explore invokes FindTarget to reorder dependent
transitions r3 and r6. As thread t4 executing r6 is not enabled at
s2 and the happens-before mapping between r4 and r5 is missing,
the set candidates computed on line 7 of Algorithm 2 is empty.
Set pending is also empty as it is a subset of candidates.
This causes the control flow of FindTarget to reach Step 4 invok-
ing BacktrackEager(r1 . . . r5, 3, r6). Then, lines 4–6 in Algo-
rithm 4 pick transitions r1 and r2 posting events to the same event
queue, as the nearest co-enabled posts not ordered by the extended HB relation, and add
t3 executing r2 to backtrack(s0). This is because r1 is explored
at s0 in w. On backtracking to s0, EM-DPOR explores a run where
events e1 and e2 are reordered which eventually reorders r3 and r6
as shown in Figure 4.
3.6 Role of HB Order Induced Between post Transitions
We now give another example to illustrate the end-to-end working
of EM-DPOR along with highlighting the role played by happens-
before mappings added between reordered post operations by
rule 3 in Definition 3.1.
EXAMPLE 3.5. Consider an execution trace z shown in Figure 9,
of a program in which two threads t1 and t2 have event queues.
Input: a transition sequence w: r1 . . . rn, an index i ∈ dom(w) and a transition r′ such that FindTarget failed to reorder transitions ri and r′
1   Let the extended HB relation initially equal →w   // Initialize a new relation with existing members in →w
2   foreach k ∈ {2, · · · , i − 1} in the increasing order do
        // Reorder nearest co-enabled post operations
3       Let ŵ = r1 . . . rk−1
4       if rk is a post operation and ∃j = max({j ∈ dom(ŵ) | rj is a post operation and dest(rj) = dest(rk) and j is not ordered before k by the extended HB relation}) then
5           Let ts = {t ∈ enabled(pre(w, j)) | t = thread(rk) or (∃l ∈ dom(ŵ) : l > j and l is ordered before k by the extended HB relation and t = thread(rl))}
6           if ts ≠ ∅ then Add any t ∈ ts to backtrack(pre(w, j)) else Add all t ∈ enabled(pre(w, j)) to backtrack(pre(w, j))
7           RP(pre(w, j)) = RP(pre(w, j)) ∪ {(rj, rk)}
8           Add the pair (j, k) to the extended HB relation and close it by the transitivity and FIFO rules in Definition 3.1
9           if ri happens before r′ by the extended HB relation then return
10      end
11  end
    // Compute backtracking choices to reorder r and r′ using the extended happens-before relation
12  Let s = pre(w, i)
13  if r′ ∈ nextTrans(last(w)) then
14      candidates = {t ∈ enabled(s) | t = thread(r′) or (∃l ∈ dom(w) : l > i and l is ordered before task(r′) by the extended HB relation and t = thread(rl))}
15  else
16      candidates = {t ∈ enabled(s) | t = thread(r′) or (∃l ∈ dom(w) : l > i and l is ordered before index(w, r′) by the extended HB relation and t = thread(rl))}
17  end
18  if candidates ≠ ∅ then Add any t ∈ candidates to backtrack(s)
19  else Add all t ∈ enabled(s) to backtrack(s)
20  if ri and r′ are post operations then RP(s) = RP(s) ∪ {(ri, r′)}
Algorithm 4: BacktrackEager
[Figure 9, trace z (the per-thread column layout over t0 . . . t6 is lost in extraction): r1 post(e1), r2 post(e2), r3 post(e3), r4 post(e4), r5 post(e5), r6 post(e6), r7 fork(t0), r8 b = 1, r9 y = 5, r10 b = 10, r11 read(y).]
[Figure 10: state space diagram over states s0 . . . s23 with the sequences z, z1, z2 and z3; from s0 the prefixes r1.r2.r3.r4 (t1: e1 e2; t2: e3 e4), r1.r2.r4.r3 (t1: e1 e2; t2: e4 e3) and r2.r1.r4.r3 (t1: e2 e1; t2: e4 e3) reach states with the indicated event queues, followed by r5, r6.r7, r8, r9.r10 and r11 in various orders. Diagram not recoverable.]
Figure 9: A partial trace z of an event-driven program involving a multi-threaded dependence.
Figure 10: A partial state space for some valid permutations of transitions in the trace given in Figure 9.
Transitions r1 and r2 respectively post events e1 and e2 to the event
queue of the thread t1, and the transitions r3 and r4 respectively
post events e3 and e4 to the event queue of the thread t2. Transitions
r5 and r6 post events e5 and e6 respectively to the same event
queue. However, the event handlers corresponding to e5 and e6
are not shown in the figure. We assume that the event handlers
of e5 and e6 contain dependent transitions. Figure 10 shows a
partial state space explored by various permutations of transitions
in z. For economy of space, we merge prefixes of certain transition
sequences and represent them by single edges. Event queue state
of threads t1 and t2 are indicated for some of the states reached on
executing the post operations in various orders. The events in an
event queue are ordered from left to right, which makes the leftmost
event the front of the queue. The sequences of interest are labeled
as z, z1, z2 and z3 in Figure 10. The shaded states correspond
to states explored by z. Sequence z has two pairs of may be co-
enabled dependent transitions — (r8, r10) and (r9, r11), and a pair
of may be reordered dependent transitions in the handlers of e5 and
e6.
Assume that EM-DPOR initially explores sequence z1 in which
the relative order of events e3 and e4 is reversed compared to that
in z. We show how EM-DPOR eventually explores a dependence-
covering sequence of z, rather z itself, when the model checking
starts with z1. A dependence-covering sequence of z must maintain
the relative ordering of all pairs of dependent transitions in z (see
Definition 2.4). Clearly, z1 is not a dependence-covering sequence
of z as the relative order of dependent transitions in the event
handlers of e5 and e6 posted respectively by the transitions r5
and r6, is reversed w.r.t. that in z. We will be showing the pair of
dependent transitions or post transitions in a transition sequence
zi, whose order is problematic for zi to be a dependence-covering
sequence of z, in an enlarged form.
When exploring z1, Algorithm 1 invokes FindTarget (Al-
gorithm 2) to compute backtracking choices to reorder depen-
dent transitions in the handlers of e6 and e5 (not shown in Fig-
ure 10). Step 1 of FindTarget identifies r6 and r5 as correspond-
ing diverging posts and recursively invokes FindTarget to re-
order r6 and r5. In the recursive call, Step 2 of FindTarget
adds thread t2 to backtrack(s7) since r6 is executed from state
s7, and EM-DPOR eventually explores a sequence z2. Since
r5 ∈ reorderedPosts(r6, z2), r5 and r6 are related by →z2 .
Again, z2 is not a dependence-covering sequence of z as the rel-
ative order of dependent transitions r9 and r11 is reversed com-
pared to that in z. On exploring a prefix of z2 till state s17
where r9 = next(s17, t1), FindTarget is invoked to reorder
r11 and r9. Step 2 of FindTarget computes candidates =
{(t1, e2)}. Since t1 is in done(s7) due to sequence z1, Step 3 of
FindTarget is reached which computes pending = {(t1, e2)}.
Then, ReschedulePending is invoked by line 18 of FindTarget
to reorder relevant blocked events with executable events at state
s7. Event e2 is added to swapMap[t1] and (t1, e1) to worklist
(line 3 in Algorithm ReschedulePending). On processing (t1, e1)
in worklist, Step 3(b) of ReschedulePending adds blocked
event e3 to swapMap[t2] and (t2, e4) to worklist, as r5 in the
task (t2, e3) blocked at state s7 happens before r6 in the task
(t1, e1) executable at state s7, and t2 ∈ done(s7). No task is
added to worklist on processing (t2, e4). Then, Step 3c invokes
FindTarget to reorder posts of events e1 and e2 and posts of e4
and e3. Reordering e4 and e3 allows us to explore z — our target
sequence.
As mentioned earlier, arbitrarily selecting a blocked event for
reordering w.r.t. an executable event, among the set of blocked
events identified by Steps 3a - 3b of ReschedulePending may
not yield a dependence-covering sequence for a target sequence.
For example, any sequence explored after reordering events e1 and
e2 reverses the order of dependent transitions r8 (executed by the
thread t0) and r10 (executed by the handler of e2 on t1) as shown
in sequence z3, making such sequences non dependence-covering
w.r.t. z. This example also demonstrates the necessity to capture the
ordering between reordered posts. The happens-before mapping
from r5 to r6 helped in identifying event e3 as a relevant blocked
event to be reordered with its corresponding executable event e4,
leading to the exploration of a dependence-covering sequence of z.
3.7 Formal Guarantees and Variants of EM-DPOR
In Appendix B we provide a sketch outlining the proof of correctness
of EM-DPOR. Through this proof sketch we show that whenever
Explore backtracks from a state s to a prior state in the search
stack, it must have explored a dependence-covering sequence (see
Definition 2.4) for any sequence w in SG from state s. This equiv-
alently proves that EM-DPOR explores a dependence-covering set
at each visited state s.
Appendix C discusses a few variants of the Algorithm Explore
capable of identifying more pairs of independent transitions than
assumed in this section (see the beginning of Section 3.3). We have
incorporated these optimizations in our EM-DPOR implementation
used for experimental evaluation of EM-DPOR.
4. Implementation
This section describes a vector clock based implementation of
EM-DPOR on a prototype stateless model checking framework
called EM-Explorer. Since we evaluate EM-DPOR over Android
application traces, EM-Explorer has been designed to handle the
concurrency behavior of Android applications.
Vector Clock Based Implementation of EM-DPOR
Happens-before relation (see Definition 3.1) over a given transi-
tion sequence which in turn captures the order between dependent
transitions in the sequence, plays a vital role in various steps of
EM-DPOR such as identifying unordered dependent operations to
be reordered, computing backtracking choices and so on. We use
vector clocks as the data structure to compute the happens-before relation.
We have designed the implementation of EM-DPOR similar
to the implementation of the DPOR [10] algorithm, which too
uses vector clocks to capture the HB relation over traces of multi-
threaded programs to dynamically compute persistent sets [12].
In a multi-threaded setting where all the operations executed on
the same thread are totally ordered, each component (or clock) of a
vector clock corresponds to a thread. Hence, the vector clock times-
tamp of an operation z denotes the last known operation (as known
by z) performed by each thread of the program. In an event-driven
program, the operations from different event handlers on the same
thread need not be totally ordered. Hence in the vector clocks we
use, each clock corresponds to a task in the program where a task
is either an event or a thread. In order to compute the vector clock
timestamps of operations of a task, we maintain a vector clock with
each task. Most of the computations on vector clocks described
in [10] are lifted in a straightforward manner to task-based vector
clocks. As defined by rule (2) of Definition 3.1, EM-DPOR orders
event handlers executed on the same thread if their corresponding
posts have a happens-before ordering, so as to respect the FIFO
ordering of events. FIFO ordering is specific to the event-driven
concurrency model considered in this work and is not handled by
the vector clock based implementation of DPOR. The treatment of
FIFO closure requires a special design explained below.
Computing FIFO closure. Initially all the components (scalar
clocks) of the vector clocks of all the tasks are initialized to zero.
Let V1 be the vector clock of a task in which the transition with vis-
ible operation post( ,e,t) is executed. Let V2 be the vector clock
of the task (t, e). On executing post( ,e,t), the component (t, e)
in the vector clock V1, i.e., V1((t, e)), is incremented making this
component of V1 non-zero, and the vector clock V2 of task (t, e)
is initialized with the same value as that of V1. After initialization
V2 remains unmodified till event e is dequeued. When dequeuing
event e we check the value of each component corresponding to
events posted to the thread t, in vector clock V2. If the value of
any such component of V2, say (t, e′), is non-zero, we update V2
by performing a vector clock join between V2 and the vector clock
of the task (t, e′). A non-zero component value for a task (t, e′)
in (t, e)’s vector clock V2 indicates that post( ,e′,t) happens-
before post( ,e,t), and thus FIFO rule in Definition 3.1 is appli-
cable. Since the event e′ is handled prior to e on the thread t, the
vector clock of (t, e′) has a value corresponding to the VC times-
tamp of end(t,e′) when it is used to update V2. Thus the event
handler of e gets ordered w.r.t. that of e′.
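The FIFO closure on task-based vector clocks, as an added Python example that is not the EM-Explorer code: the TaskVectorClocks class, its trace format (post, deq, op, end) and the timestamp-based happens_before check are assumptions modelled on the DPOR-style vector clock comparison; the trace at the bottom is constructed.

```python
from collections import defaultdict


def vc_join(a, b):
    """Componentwise maximum of two vector clocks (dict task -> int)."""
    out = defaultdict(int, a)
    for k, v in b.items():
        if v > out[k]:
            out[k] = v
    return out


class TaskVectorClocks:
    """One clock component per task, where a task is a thread t or an event
    handler (t, e). Hypothetical class written for this example."""

    def __init__(self):
        self.vc = {}                         # task -> its current vector clock
        self.posted_to = defaultdict(list)   # thread -> events posted to it so far
        self.stamp = {}                      # transition label -> (task, timestamp)

    def _clock(self, task):
        return self.vc.setdefault(task, defaultdict(int))

    def _step(self, task, label):
        """Every transition advances its task's own component and records a timestamp."""
        v = self._clock(task)
        v[task] += 1
        self.stamp[label] = (task, dict(v))

    def post(self, src_task, event, thread, label):
        v1 = self._clock(src_task)
        v1[(thread, event)] += 1               # makes V1((t, e)) non-zero
        self._step(src_task, label)
        self.vc[(thread, event)] = defaultdict(int, v1)   # V2 initialised from V1
        self.posted_to[thread].append(event)

    def deq(self, thread, event, label):
        """FIFO closure: a non-zero (t, e') component in V2 means post(e') happened
        before post(e), so join with the clock of (t, e'), which already holds the
        timestamp of end(t, e') because e' was handled earlier on t."""
        v2 = self._clock((thread, event))
        for e_prime in self.posted_to[thread]:
            if e_prime != event and v2[(thread, e_prime)] != 0:
                v2 = vc_join(v2, self.vc[(thread, e_prime)])
        self.vc[(thread, event)] = v2
        self._step((thread, event), label)

    def op(self, task, label):
        self._step(task, label)

    def end(self, thread, event, label):
        self._step((thread, event), label)

    def happens_before(self, a, b):
        """a ->w b iff b's timestamp has seen a's task at least up to a's own count."""
        ta, sa = self.stamp[a]
        _, sb = self.stamp[b]
        return a != b and sa.get(ta, 0) <= sb.get(ta, 0)


def run_constructed_trace():
    """Constructed trace: t0 posts e1 then e2 to t1 (so the handlers are FIFO
    ordered), t2 posts e3 to t1 concurrently; t1 handles e1, e2, e3 in order."""
    vc = TaskVectorClocks()
    vc.post("t0", "e1", "t1", "r1")
    vc.post("t0", "e2", "t1", "r2")
    vc.post("t2", "e3", "t1", "r3")
    vc.deq("t1", "e1", "r4"); vc.op(("t1", "e1"), "r5"); vc.end("t1", "e1", "r6")
    vc.deq("t1", "e2", "r7"); vc.op(("t1", "e2"), "r8"); vc.end("t1", "e2", "r9")
    vc.deq("t1", "e3", "r10"); vc.op(("t1", "e3"), "r11"); vc.end("t1", "e3", "r12")
    return vc


if __name__ == "__main__":
    vc = run_constructed_trace()
    print("e1 handler -> e2 handler:", vc.happens_before("r5", "r8"))    # FIFO rule
    print("e1 handler -> e3 handler:", vc.happens_before("r5", "r11"))   # posts unordered
    print("post(e1) -> e1 handler:", vc.happens_before("r1", "r5"))
```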
EM-Explorer Framework
The order of execution of operations in an Android application is
influenced not only by the sources of non-determinism in the ap-
plication, but also by the Android framework and the inter-process
communication between the applications running in different processes
on an Android device. Interpreting or modeling various concurrency
relevant APIs and operations from application/framework code makes
building a full fledged model checker for Android applications a
challenge in itself. Tools such as JPF-Android [38] and AsyncDroid [27]
take promising steps in this direction. However, presently they either
explore only a limited number of sources of non-determinism [27] or
require a lot of framework libraries to be modeled [37, 38]. We have
therefore built a prototype exploration framework called EM-Explorer,
which emulates the semantics of visible operations like post, read,
acquire and so on.
Table 1: Statistics on execution traces from Android applications
Application           | Trace length | Threads | Events | Memory locations
Remind Me             | 444          | 4       | 9      | 89
My Tracks             | 453          | 10      | 9      | 108
Music Player          | 465          | 6       | 24     | 68
Character Recognition | 485          | 4       | 22     | 40
Aard Dictionary       | 600          | 5       | 30     | 30
Our framework takes an execution trace generated by an au-
tomated testing and race detection tool for Android applications,
called DROIDRACER [20], as input. Since DROIDRACER has the
capability to run on real-world applications, we can experiment on
real concurrency behaviors seen in Android applications and eval-
uate different POR techniques on them. DROIDRACER records all
concurrency relevant operations and memory reads and writes.
EM-Explorer emulates such a trace based on their operational se-
mantics and explores all interleavings of the given execution trace
permitted by the semantics. Android permits user and system-
generated events apart from programmatically generated events by
the application. EM-Explorer only explores the non-determinism
between program and system generated events while keeping the
order of user events fixed. This is analogous to model checking
w.r.t. a fixed data input. EM-Explorer does not track variable val-
ues and is incapable of evaluating conditionals on a different in-
terleaving of the trace. EM-Explorer is a stateless model checker,
i.e., it does not store program states which can be restored when
backtracking to a state. Hence, backtracking is performed by re-
executing the prefix of the last explored sequence up to the backtracking point.
Android supports different types of component classes, e.g., Ac-
tivity class for user interface, and enforces a happens-before order-
ing between handlers of lifecycle events of component classes. EM-
Explorer seeds the happens-before relation for such events in each
trace before starting the model checking, to avoid exploring invalid
interleavings of lifecycle events. Android applications may post
events in different modes such as associating a delay with an event
or posting an event to the front of the queue. We over-approximate
the effect of posting with delay by forking a new thread which does
the post non-deterministically, as mentioned in Section 2.1. We
leave handling of other variants of posting events as future work.
We subject the execution trace generated by DROIDRACER to post-
processing. Specifically, we recursively remove empty event han-
dlers (event handlers which only execute deq and end with ei-
ther no other visible operations in between or only posting events
whose event handlers are empty) from the traces obtained from
DROIDRACER before model checking. This is done to facilitate
fair comparison with DPOR which does not inspect the contents
of the handlers before reordering events. DPOR would otherwise
unnecessarily reorder even such events.
5. Experimental Evaluation
We evaluate the performance of EM-DPOR which computes
dependence-covering sets, by comparing with DPOR [10] which
computes persistent sets. DPOR is designed to use a dependence re-
lation in which transitions with operations posting to the same event
queue are considered dependent. Whereas, EM-DPOR uses the de-
pendence relation given in Definition 2.2. Both the algorithms are
implemented in the EM-Explorer framework described in Section 4
and evaluated on post-processed execution traces of Android appli-
cations obtained by running DROIDRACER.
We evaluated these two POR techniques on execution traces
generated by DroidRacer on 5 Android applications obtained from
the Google Play Store [1]. Table 1 presents statistics like the num-
ber of visible operations in the trace (which is same as the count
of concurrency relevant operations logged by DROIDRACER),
threads, events, threads with event loops and (shared) memory loca-
tions in the collected execution trace of each of these applications.
We only report the threads created by the application, and the num-
ber of events excluding events with empty event handlers.
We analyzed each of the traces described in Table 1 using both
the POR techniques. Table 2 gives the number of interleavings
(listed as “Traces”) and distinct transitions explored by DPOR and
EM-DPOR. It also gives the time taken for exploring the reduced
state space for each execution trace. If a model checking run did not
terminate within 4 hours, we force-kill it and report the statistics
for 4 hours. The statistics for force-killed runs are marked with
∗ in Table 2. Since EM-Explorer does not track variable values,
it cannot prune executions that are infeasible due to conditional
sequential execution. However, both DPOR and EM-DPOR are
implemented on top of EM-Explorer and therefore operate on the
same set of interleavings. The difference in their performance thus
arises from the different POR strategies.
In our experiments, DPOR’s model checking run terminated
only on two execution traces among the five, whereas, EM-DPOR
terminated on all of them. Except for the execution trace from
My Tracks application, EM-DPOR finished state space exploration
within a few seconds. As can be seen from Table 2, DPOR explores
a much larger number of interleavings and transitions, often orders
of magnitude larger compared to EM-DPOR. While this is a small
evaluation, it does show that significant reduction can be achieved
for real-world multi-threaded event-driven programs by avoiding
unnecessary reordering of events.
Performance. Both the techniques used about the same memory
and the maximum peak memory consumed by EM-DPOR across
all traces, as reported by Valgrind, was less than 50MB. The ex-
periments were performed on a machine with Intel Core i5 3.2GHz
CPU with 4GB RAM, and running Ubuntu 12.04 OS.
6. Related Work
Exploring all possible interleaving of transitions executed by
threads (or processes) is one of the causes of state explosion
problem faced by state space exploration based verification tech-
niques. Partial order reductions consisting of techniques like stub-
born sets, persistent sets and sleep sets [11, 36] alleviate this prob-
lem by trying to explore only a representative interleaving of each
Mazurkiewicz trace [21] (an equivalence class on thread interleav-
ings). Traces are partial orders of a dependency relation [11, 18]
over transitions which classifies a pair of non-interfering transi-
tions as independent. A POR enabled state space explorer only re-
orders dependent transitions, and this has been proved to visit all
deadlocks and safety violations present in the original non-reduced
space of thread interleavings [11]. Practically, dependent transi-
tions are identified based on the operations performed on com-
munication objects like shared memory, FIFO buffers and so on.
Dynamic partial order reduction (DPOR) [10] is an algorithm to
compute persistent sets by checking for dependences during run-
time, thus improving the precision of the persistent sets computed
and resulting in greater reductions in state space explored, while
the older techniques [12] inspect static program structures.
A few works [7, 25] in the past have combined POR with
bounded exploration [9, 24] of the state space. Coons et al. [6, 7]
have extended persistent sets to account for various bound functions
such as context bounding and preemption bounding, and have
soundly combined the DPOR algorithm with various search bounding
techniques. They achieve this by conservatively identifying
more backtracking points where backtracking choices computed to
reorder a pair of dependent transitions can be added than the default
one computed by DPOR, so that a partial order between transitions
which could be explored within the bound is not missed. Their
algorithm which performs bounded POR dynamically is integrated
with the CHESS [26] model checker.
15 2018/8/5
Table 2: Statistics on model checking runs using different POR techniques
Application             DPOR                                   EM-DPOR
                        Traces     Transitions   Time          Traces    Transitions   Time
Remind Me                    24           1864   0.18s              3            875   0.05s
My Tracks               1610684∗    113299092∗   4h∗           405013       26745327   101m 30s
Music Player            1508413∗     93254810∗   4h∗              266          34333   4.15s
Character Recognition   1284788      67062526    199m 28s         756          39422   6.58s
Aard Dictionary          359961∗     14397143∗   4h∗               14           4772   1.4s
Recent algorithms guarantee optimality in POR [2, 30], i.e.,
they explore exactly one transition sequence per Mazurkiewicz
trace [21], whereas prior POR techniques only guarantee exploring
at least one member from each equivalence class of execution traces
and provide no such optimality guarantees. Abdulla et al. [2] have
devised an optimal DPOR technique based on a novel backtrack-
ing set called source set and a data structure called wakeup tree.
However, the notion of source sets and the optimal DPOR algo-
rithm assume total ordering between transitions executed on the
same thread. Hence, integrating our new dependence relation with
source sets will involve significant changes to the definitions and
algorithms presented in [2]. Rodríguez et al. [30] describe unfolding
semantics parametrized on the commutativity based classical
independence relation [11], and present an unfolding based opti-
mal POR algorithm. The unfolding semantics identifies dependent
transitions with no ordering relation between them to be in conflict.
Their POR algorithm backtracks and explores a new transition
sequence w from a state s only if every prior transition explored from
s is in conflict with some transition in w. This is problematic in our
setting where posts are considered independent and hence trivially
non-conflicting, causing unfolding based POR to miss reordering
posts when required. Establishing optimality in our setting is an
interesting but non-trivial future direction.
Huang [14] has developed a state space reduction technique for
multi-threaded programs based on a notion called maximal causality
[15, 33], where an explored thread interleaving is guaranteed to
have an operation that reads a value different from all the prior
interleavings. Mazurkiewicz trace based conventional POR
techniques, in contrast, explore different thread interleavings so as
to explore different partial orders of dependent transitions without
any constraints on the values observed. Hence, exploration based on
maximal causality is capable of reducing the number of equivalence
classes over execution traces even further, compared to Mazurkiewicz
trace based equivalence. Unlike dynamic POR based techniques which
explore the thread interleavings using depth-first search of the state
space, this technique identifies the interleavings by starting from
a seed interleaving and generates other interleavings by encoding
the interleaving and the allowed variations as a quantifier-free
first-order logic formula. Solving the constraints of the generated
formula using an SMT solver identifies an interleaving from another
equivalence class. While the number of explorations by the maximal
causality based reduction technique can be much smaller, the
constraint solving may be time consuming. However, this technique is
shown to be parallelizable: multiple interleavings are explored in
parallel, and the constraint solving corresponding to the various
interleavings can also be carried out in parallel.
Sen and Agha [31] and Tasharofi et al. [34] describe dynamic
POR techniques for distributed programs with actor semantics
where actors execute concurrently. Actors do not have shared mem-
ory and communicate only via asynchronous message exchanges.
Both the POR techniques for the actor model explore all possi-
ble interleavings of messages sent to the same process. Sen and
Agha [31] present a way of combining concolic execution [32] with
partial order reduction in the context of actor based systems, thus
being able to reason about various data input as well as thread in-
terleavings. The dynamic partial order reduction technique outlined
in [31] is adapted in a tool called Basset [19] which is a model
checker for actor programs built on top of Java PathFinder [40].
Tasharofi et al. [34] identify the dependence relation defined in
the context of actor programs to be transitive, which is not the
case for dependence relation over transitions of multi-threaded pro-
grams. The authors have adapted the DPOR algorithm [10] given
for multi-threaded programs to be sensitive to this transitive de-
pendence relation, causing it to explore fewer transitions than a
naïve adaptation of DPOR for actor programs. Reduction tech-
niques and model checking algorithms for MPI programs are de-
scribed in [28, 35]. MPI programs too use message-passing con-
structs like non-blocking send and receive to exchange data be-
tween processes, and use global synchronization constructs like
barriers. However, the message processing semantics of actor pro-
grams and MPI programs are quite different compared to the event
handling semantics of event-driven programs such as Android ap-
plications.
R4 [17] is a stateless model checker for event-driven programs
such as client-side web applications. R4 adapts persistent sets [12]
and the DPOR algorithm to the domain of single-threaded event-
driven programs where enqueued events are non-deterministically
dequeued in any order and each event handler is atomically exe-
cuted to completion without interference from other handlers. As
described in [17], the concurrency model handled by R4 allows an
entire event handler to be considered as a single transition. In con-
trast, the focus of our POR technique is on multi-threaded programs
with event queues, and thus needs to be sensitive to interference
from multiple threads. Mirzaei et al. [23] and Merwe et al. [39]
model Android libraries and extend Java PathFinder [40] to model
check Android applications. However, these works do not model
various concurrency aspects of Android present in real-world appli-
cations. AsyncDroid [27] is a systematic concurrency testing tool
for Android applications which explores various thread schedules
for a given sequence of UI events.
While most of the state space reduction techniques in the lit-
erature assume the target programs to be run under a sequentially
consistent (SC) memory model, recently, many efficient stateless
model checking techniques have been developed for weaker mem-
ory models as well [3, 4, 8, 16, 41]. The challenges faced when
developing efficient exploration techniques for event-driven pro-
grams are orthogonal to those faced when handling different mem-
ory models.
7. Conclusions and Future Work
The event-driven multi-threaded style of programming concurrent
applications is becoming increasingly popular. We considered the
problem of POR-based efficient stateless model checking for this
concurrency model. The key insight of our work is that more
reduction is achievable by treating operations that post events to the
same thread as independent and only reordering them if necessary.
Towards this, we presented new formulations of dependence-
covering sequences and sets such that exploring only dependence-
covering sets suffices to provide certain formal guarantees. We
also presented EM-DPOR —a dynamic algorithm to perform POR
by computing dependence-covering sets for event-driven multi-
threaded programs. Our experiments provide empirical evidence
that EM-DPOR explores orders of magnitude fewer transitions
compared to DPOR for event-driven multi-threaded programs.
In the future, we plan to develop further optimizations and a
practical tool to model check these programs. Also, we aim to
achieve better reductions by defining a notion of sleep sets suitable
for this concurrency model and combining it with dependence-
covering sets. Another non-trivial but interesting problem would be
to establish optimality in our event-driven setting along the lines
of [2, 30]. A few other directions are to extend [14] to develop a
maximal causality based state space exploration technique for
event-driven programs, and to explore bounded POR for event-
driven programs.
References
[1] https://play.google.com/store/apps. Retrieved October 15,
2017.
[2] P. Abdulla, S. Aronis, B. Jonsson, and K. Sagonas. Optimal Dynamic
Partial Order Reduction. In Proceedings of the 41st ACM SIGPLAN-
SIGACT Symposium on Principles of Programming Languages, POPL
’14, pages 373–384. ACM, 2014.
[3] P. A. Abdulla, S. Aronis, M. F. Atig, B. Jonsson, C. Leonardsson, and
K. Sagonas. Stateless Model Checking for TSO and PSO. In Proceed-
ings of the 21st International Conference on Tools and Algorithms for
the Construction and Analysis of Systems - Volume 9035, pages 353–
367. Springer-Verlag New York, Inc., 2015.
[4] P. A. Abdulla, M. F. Atig, B. Jonsson, and C. Leonardsson. Stateless
Model Checking for POWER. In Computer Aided Verification - 28th
International Conference, CAV Proceedings, Part II, Lecture Notes in
Computer Science, pages 134–156. Springer, 2016.
[5] E. M. Clarke, O. Grumberg, M. Minea, and D. Peled. State Space
Reduction Using Partial Order Techniques. STTT, 2(3):279–287,
1999.
[6] K. E. Coons. Fast Error Detection with Coverage Guarantees for
Concurrent Software. PhD thesis, The University of Texas at Austin,
2013.
[7] K. E. Coons, M. Musuvathi, and K. S. McKinley. Bounded Partial-
order Reduction. In Proceedings of the 2013 ACM SIGPLAN Inter-
national Conference on Object Oriented Programming Systems, Lan-
guages, and Applications, OOPSLA ’13, pages 833–848. ACM, 2013.
[8] B. Demsky and P. Lam. SATCheck: SAT-directed Stateless Model
Checking for SC and TSO. In Proceedings of the 2015 ACM SIG-
PLAN International Conference on Object-Oriented Programming,
Systems, Languages, and Applications, OOPSLA 2015, pages 20–36,
New York, NY, USA, 2015. ACM.
[9] M. Emmi, S. Qadeer, and Z. Rakamarić. Delay-bounded Schedul-
ing. In Proceedings of the 38th Annual ACM SIGPLAN-SIGACT Sym-
posium on Principles of Programming Languages, POPL ’11, pages
411–422. ACM, 2011.
[10] C. Flanagan and P. Godefroid. Dynamic Partial-order Reduction
for Model Checking Software. In Proceedings of the 32nd ACM
SIGPLAN-SIGACT Symposium on Principles of Programming Lan-
guages, POPL ’05, pages 110–121. ACM, 2005.
[11] P. Godefroid. Partial-Order Methods for the Verification of Concur-
rent Systems - An Approach to the State-Explosion Problem, volume
1032 of Lecture Notes in Computer Science. Springer, 1996.
[12] P. Godefroid. Model Checking for Programming Languages Using
Verisoft. In Proceedings of the 24th ACM SIGPLAN-SIGACT Sym-
posium on Principles of Programming Languages, POPL ’97, pages
174–186. ACM, 1997.
[13] G. Holzmann. The Spin Model Checker: Primer and Reference Man-
ual. Addison-Wesley, 2004.
[14] J. Huang. Stateless Model Checking Concurrent Programs with Max-
imal Causality Reduction. In Proceedings of the 36th ACM SIGPLAN
Conference on Programming Language Design and Implementation,
PLDI ’15, pages 165–174, New York, NY, USA, 2015. ACM.
[15] J. Huang, P. O. Meredith, and G. Rosu. Maximal Sound Predictive
Race Detection with Control Flow Abstraction. In Proceedings of the
35th ACM SIGPLAN Conference on Programming Language Design
and Implementation, PLDI ’14, pages 337–348. ACM, 2014.
[16] S. Huang and J. Huang. Maximal Causality Reduction for TSO
and PSO. In Proceedings of the 2016 ACM SIGPLAN International
Conference on Object-Oriented Programming, Systems, Languages,
and Applications, OOPSLA 2016, pages 447–461. ACM, 2016.
[17] C. S. Jensen, A. Møller, V. Raychev, D. Dimitrov, and M. Vechev.
Stateless Model Checking of Event-driven Applications. In Proceed-
ings of the 2015 ACM SIGPLAN International Conference on Object-
Oriented Programming, Systems, Languages, and Applications, OOP-
SLA 2015, pages 57–73. ACM, 2015.
[18] S. Katz and D. Peled. Defining Conditional Independence Using
Collapses. Theor. Comput. Sci., 101(2):337–359, 1992.
[19] S. Lauterburg, M. Dotta, D. Marinov, and G. Agha. A Framework for
State-Space Exploration of Java-Based Actor Programs. In Proceed-
ings of the 2009 IEEE/ACM International Conference on Automated
Software Engineering, ASE ’09, pages 468–479. IEEE Computer So-
ciety, 2009.
[20] P. Maiya, A. Kanade, and R. Majumdar. Race Detection for Android
Applications. In Proceedings of the 35th ACM SIGPLAN Conference
on Programming Language Design and Implementation, PLDI ’14,
pages 316–325. ACM, 2014.
[21] A. W. Mazurkiewicz. Trace theory. In Advances in Petri Nets 1986,
volume 255 of LNCS, pages 279–324. Springer, Heidelberg, 1986.
[22] Z. Mednieks, L. Dornin, G. B. Meike, and M. Nakamura. Program-
ming Android. O’Reilly Media, Inc., 2012.
[23] N. Mirzaei, S. Malek, C. S. Pasareanu, N. Esfahani, and R. Mahmood.
Testing Android Apps through Symbolic Execution. ACM SIGSOFT
Software Engineering Notes, 37(6):1–5, 2012.
[24] M. Musuvathi and S. Qadeer. Iterative Context Bounding for System-
atic Testing of Multithreaded Programs. In Proceedings of the 28th
ACM SIGPLAN Conference on Programming Language Design and
Implementation, PLDI ’07, pages 446–455. ACM, 2007.
[25] M. Musuvathi and S. Qadeer. Partial-order Reduction for Context-
bounded State Exploration. Technical report, Tech. Rep. MSR-TR-
2007-12, Microsoft Research, 2007.
[26] M. Musuvathi, S. Qadeer, T. Ball, G. Basler, P. A. Nainar, and
I. Neamtiu. Finding and Reproducing Heisenbugs in Concurrent Pro-
grams. In Proceedings of the 8th USENIX Conference on Operat-
ing Systems Design and Implementation, OSDI’08, pages 267–280.
USENIX Association, 2008.
[27] B. K. Ozkan, M. Emmi, and S. Tasiran. Systematic Asynchrony Bug
Exploration for Android Apps. In Computer Aided Verification - 27th
International Conference, CAV 2015, Part I, volume 9206 of LNCS,
pages 455–461. Springer, Heidelberg, 2015.
[28] R. Palmer, G. Gopalakrishnan, and R. M. Kirby. Semantics Driven
Dynamic Partial-order Reduction of MPI-based Parallel Programs. In
Proceedings of the 2007 ACM Workshop on Parallel and Distributed
Systems: Testing and Debugging, PADTAD ’07, pages 43–53. ACM,
2007.
[29] D. Peled. All from One, One for All: On Model Checking Using
Representatives. In Proceedings of the 5th International Conference
on Computer Aided Verification, CAV ’93, pages 409–423. Springer-
Verlag, 1993.
[30] C. Rodríguez, M. Sousa, S. Sharma, and D. Kroening. Unfolding-
based Partial Order Reduction. In CONCUR, volume 42 of LIPIcs,
pages 456–469. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik,
2015.
[31] K. Sen and G. Agha. Automated Systematic Testing of Open Dis-
tributed Programs. In Proceedings of the 9th International Confer-
ence on Fundamental Approaches to Software Engineering, FASE’06,
pages 339–356. Springer-Verlag, 2006.
[32] K. Sen, D. Marinov, and G. Agha. CUTE: A Concolic Unit Testing
Engine for C. In Proceedings of the 10th European Software Engineer-
ing Conference Held Jointly with 13th ACM SIGSOFT International
Symposium on Foundations of Software Engineering, ESEC/FSE-13,
pages 263–272. ACM, 2005.
[33] T. F. Şerbănuţă, F. Chen, and G. Roşu. Maximal Causal Models
for Sequentially Consistent Systems. In Runtime Verification: Third
International Conference, RV 2012, pages 136–150. Springer Berlin
Heidelberg, 2012.
[34] S. Tasharofi, R. K. Karmani, S. Lauterburg, A. Legay, D. Marinov,
and G. Agha. Transdpor: A Novel Dynamic Partial-order Reduction
Technique for Testing Actor Programs. In Proceedings of the 14th
Joint IFIP WG 6.1 International Conference and Proceedings of the
32nd IFIP WG 6.1 International Conference on Formal Techniques
for Distributed Systems, FMOODS’12/FORTE’12, pages 219–234.
Springer-Verlag, 2012.
[35] S. Vakkalanka, G. Gopalakrishnan, and R. M. Kirby. Dynamic Verifi-
cation of MPI Programs with Reductions in Presence of Split Opera-
tions and Relaxed Orderings. In Proceedings of the 20th International
Conference on Computer Aided Verification, CAV ’08, pages 66–79.
Springer-Verlag, 2008.
[36] A. Valmari. Stubborn Sets for Reduced State Space Generation. In
Proceedings of the 10th International Conference on Applications and
Theory of Petri Nets: Advances in Petri Nets 1990, pages 491–515.
Springer-Verlag, 1991.
[37] H. van der Merwe. Verification of Android Applications. In 37th
IEEE/ACM International Conference on Software Engineering, vol-
ume 2 of ICSE ’15, pages 931–934, 2015.
[38] H. van der Merwe, B. van der Merwe, and W. Visser. Verifying
Android Applications using Java PathFinder. ACM SIGSOFT Software
Engineering Notes, 37(6):1–5, 2012.
[39] H. van der Merwe, B. van der Merwe, and W. Visser. Verifying
Android Applications Using Java PathFinder. SIGSOFT Softw. Eng.
Notes, 37(6):1–5, 2012.
[40] W. Visser, K. Havelund, G. Brat, S. Park, and F. Lerda. Model Check-
ing Programs. Automated Software Engg., 10(2):203–232, 2003.
[41] N. Zhang, M. Kusano, and C. Wang. Dynamic Partial Order Reduc-
tion for Relaxed Memory Models. In Proceedings of the 36th ACM
SIGPLAN Conference on Programming Language Design and Imple-
mentation, PLDI ’15, pages 250–259. ACM, 2015.
A. Properties of Dependence-covering Sets
In this section, we prove that a selective state space exploration
using the dependence-covering sets (see Definition 2.6) is sufficient
to detect all deadlock cycles in SG (see Section 2.1), and if there
is a state s in SG where a local assertion α fails then some state s′
where α fails is reached in the reduced state space as well. We then
give a theorem relating dependence-covering sets and persistent
sets [11].
A.1 Deadlock Cycles
In the following discussion, let w be a transition sequence from
a state s in SG to reach a deadlock cycle 〈DC, ρ〉. Let u be a
dependence-covering sequence (see Definition 2.4) of w starting
from s. Further, let Rw and Ru be the sets of transitions executed in
w and u respectively, and sn and s′m be the last states reached by
w and u respectively.
Lemma A.1. Let si be a state reached by a prefix of w where
a transition b ∈ DC is blocked and not enabled later in w. Then,
there exists a prefix of u which reaches a state s′j where b is blocked
and not enabled later in u.
Proof. Let Rb ⊆ Rw denote the transitions which have a direct
dependence with b or a dependence with some other transition
which directly or transitively has a dependence with b. Clearly, all
the transitions in Rb are executed prior to b since the transition b
is blocked by a prefix of w and never enabled as per the premise
of the lemma. By the definition of dependence-covering sequence
(see Definition 2.4), Rw ⊆ Ru and hence, Rb ⊆ Ru. Further, the
relative ordering of dependent transitions in Rb is maintained in u.
Let s′j be the state reached after executing all transitions in Rb in u.
Since b ∈ nextTrans(sn), there can be a transition r′k in u such
that r′k ∉ Rw and r′k is dependent with b, in particular, r′k enables
b. Since u is a dependence-covering sequence of w, r′k exists only
if w can be extended so that r′k executes before b. By the definition
of deadlock cycle, this is not possible. Hence, the transition b will
be blocked at s′j and there is no transition in u which enables b after
s′j .
Lemma A.2. The pair 〈DC, ρ〉 is a deadlock cycle at the state s′m
reached by u.
Proof. By Lemma A.1, for any b ∈ DC, there exists a state s′j
reachable from s by some prefix of u such that b is blocked at s′j and
not enabled later in u. Thus, all the transitions in DC are blocked
at s′m.
Let DC contain k transitions and b = ρ(a) for some a ∈ [1, k].
Let t be the thread blocked on the transition b′ = ρ(a + 1) at sn
where k + 1 is taken to be 1. In w, let ri be the transition of t
that blocks b after which it is never enabled. Clearly, ri ∈ Rb for
the set Rb defined in the proof of Lemma A.1. Since the state s′j
is reached in u once all the transitions in Rb are executed and in
the same relative order between themselves, ri blocks b before or
at s′j in u. Since b remains blocked from s′j onwards (Lemma A.1),
there is no other transition in u that can enable b. By Lemma A.1,
the thread t itself subsequently blocks on b′ ∈ DC in u. Thus,
〈DC, ρ〉 is also a deadlock cycle at s′m.
Theorem 2.9.1. [Part of Theorem 2.9] Let SR be a dependence-
covering state space of a program A with a finite and acyclic state
space SG. Then, all deadlock cycles in SG are reachable in SR.
Proof. Let 〈DC, ρ〉 be a deadlock cycle at a state d in SG, reach-
able from sinit. Let s be a state which is common to both SG and
SR such that there exists a transition sequence w from s to d in SG.
In the least, the initial state sinit is such a state.
Let L be a dependence-covering set at s. By definition (see
Definition 2.6), there exists a transition sequence u from s, starting
with a transition r ∈ L such that u is a dependence-covering
sequence of w. By Lemma A.2, u eventually reaches the deadlock
cycle 〈DC, ρ〉. Let s′ = r(s). Since r ∈ L, s′ is in SR. If
u = r.u′ then u′ is a transition sequence from s′ in SG to a state
with deadlock cycle 〈DC, ρ〉. There exists a dependence-covering
sequence for u′ from s′ in SR. With a similar argument, there exists
a successor state s′′ of s′ in SR from which the same deadlock cycle
can be reached and so on. Since the state space is finite and acyclic,
eventually a state d′ is reached in SR where 〈DC, ρ〉 is a deadlock
cycle.
A dependence-covering state space only preserves all the dead-
lock cycles and not deadlock states present in SG. Suppose w is
a transition sequence in SG reaching a deadlock state d. Let u be
a dependence-covering sequence of w. Since u may contain some
transitions not in w (Definition 2.4) and those may modify some
shared objects, u may reach another state d′ with the same dead-
lock cycle as in d. But d and d′ may not be the same. Note that
exploration of the dependence-covering state space does detect the
set of transitions involved in each deadlock in SG.
A.2 Assertion Violations
Theorem 2.9.2. [Part of Theorem 2.9] Let SR be a dependence-
covering state space of an event-driven multi-threaded program A
with a finite and acyclic state space SG. If there exists a state v in
SG which violates an assertion α defined over local variables then
there exists a state v′ in SR which violates α.
Proof. The state v is reachable from the initial state sinit in SG.
Let s be a state which is common to both SG and SR such that
there exists a transition sequence w from s to v in SG. In the least,
the initial state sinit is such a state.
Let L be a dependence-covering set at s. By the definition of
dependence-covering set (see Definition 2.6), there exists a transi-
tion sequence u from s, starting with a transition r ∈ L such that
u is a dependence-covering sequence of w. Let Rw and Ru be the
sets of transitions executed in w and u respectively. Let Rα ⊆ Rw
denote the set of transitions which have a direct dependence with α
or a dependence with some other transition which directly or transi-
tively has a dependence with α. By definition (see Definition 2.4),
Rw ⊆ Ru and hence, Rα ⊆ Ru. Further, the relative ordering
of dependent transitions in Rα is maintained in u. Let v′ be the
state reached after executing all transitions in Rα in u. Since α
is an assertion on local variables, no new transition r′k ∈ Ru i.e.,
r′k ∈ Ru\Rw can have a dependence with α. Thus state v′ violates
the assertion α.
Let s′ = r(s). Since r ∈ L, s′ is in SR. If u = r.u′ then u′ is a
transition sequence from s′ in SG to a state which violates α. With
a similar argument, there exists a successor state s′′ of s′ in SR
from which a state which violates α is reachable and so on. Since
the state space is finite and acyclic, eventually a state is reached in
SR which violates α.
A.3 Relation between Persistent Sets and
Dependence-covering Sets
Theorem A.3. If P is a persistent set in a state s ∈ SG accord-
ing to the standard dependence relation which considers posts to
the same event queue to be dependent, then P is a dependence-
covering set in s according to the dependence relation of Defini-
tion 2.2.
Proof. Let w : r1.r2 . . . rn be any transition sequence in SG from a
state s. As w is a dependence-covering sequence of itself, if r1 ∈ P
then P is also a dependence-covering set in s.
If r1 ∉ P then by Lemma 6.8 in [11] we can infer that
either (a) there exists a sequence w′ ∈ [w] (where [w] is the
Mazurkiewicz trace of w) such that the first transition in w′, say
w′1, is in the persistent set P , or (b) all the transitions in P are
independent with all the transitions in w. We prove the theorem for
the two cases (a) and (b) identified.
Case (a): We show that w′ is a dependence-covering sequence of
w even according to dependence relation of Definition 2.2. Since
w′ ∈ [w], the relative ordering of each pair of dependent transi-
tions in w′ is the same as that in w. The only difference between the
dependence relation of Definition 2.2 and the standard dependence
relation resulting in Mazurkiewicz traces is that, Definition 2.2 con-
siders posts to be independent and does not totally order transi-
tions executed by different event handlers on the same thread. How-
ever, if interfering (non-post) transitions are executed on two dif-
ferent threads, then both these dependence relations identify such
pairs to be dependent. Since posts are considered dependent as per
the dependence relation resulting in [w], the relative ordering of all
posts in w′ posting to the same event queue is consistent with that
in w. As a result, the relative ordering of operations across event
handlers executed on the same thread is the same in both w′ and
w. Thus, the relative orderings of all dependent transitions in w
are preserved in w′ even according to Definition 2.2. Additionally,
Rw = Rw′ because of the property of Mazurkiewicz trace. Thus,
w′ is a dependence-covering sequence of w such that w′1 ∈ P (as-
sumption of this case). Therefore, P is a dependence-covering set
in s as per Definition 2.6.
Case (b): Consider a state s′ = r(s) such that r ∈ P . As per the
assumptions of this case, r is independent with all the transitions in
w as per the standard dependence relation which considers posts
to the same event queue dependent. Then, sequence w is enabled
at s′ making r.w a valid sequence in SG. If any transition ri in w
has a post operation, then r cannot be a transition posting to the
same event queue as ri. Otherwise, ri would be dependent with r,
contradicting the assumption of this case. Also, if r is executed on
a thread t then, no transition in w is executed on thread t, because
next(s, t) is unique. A pair of transitions from different threads
considered independent by the standard dependence relation, are
considered independent even by Definition 2.2 (see condition 2 of
the definition). Hence, r.w is a dependence-covering sequence of
w in conjunction with dependence relation of Definition 2.2. Thus,
P is a dependence-covering set in s.
B. Correctness of EM-DPOR
This section presents a sketch to prove the correctness of the al-
gorithm EM-DPOR to dynamically compute dependence-covering
sets (see Definition 2.6), presented in Section 3. Algorithm
Explore (Algorithm 1) performs a depth first traversal of the state
space. We want to prove that whenever Explore backtracks from
a state s to a prior state in the search stack, it must have explored
a dependence-covering sequence (see Definition 2.4) for any se-
quence w in SG from state s. We equivalently prove that EM-
DPOR explores a dependence-covering set at each visited state s.
Theorem B.24 given towards the end of this section formally states
this property.
We organize this section as follows. Section B.1 gives the proof
strategy for the Theorem B.24. Section B.2 provides a complete
proof or a proof sketch for the lemmas related to the cases in-
troduced in the proof strategy, and Section B.3 presents the main
proof. The variables and notation introduced in Section B.1 will be
used in the rest of this section.
Even though in Section 3.2 we had defined helper functions
such as last(), pre() and a few others over a transition sequence
starting from the initial state sinit, we may abuse the notation
to use these functions over transition sequences starting from an
intermediate state in the state space SG as well. In the rest of
the section, happens-before relation (→w) used in the context of
a transition sequence w in SG which is not assumed to be explored
by EM-DPOR is defined as follows:
Definition B.1. The happens-before relation →w for a transition
sequence w : r1.r2 . . . rn in SG is the smallest relation on dom(w)
such that the following conditions hold:
1. If i < j and ri is dependent with rj then i→w j.
2. If ri and rj are transitions posting events e and e′ respectively
to the same thread, such that i →w j and the handler of e has
finished and that of e′ has started in w, then getEnd(w, e) →w
getBegin(w, e′).
3. →w is transitively closed.
While the above happens-before relation is similar to that de-
fined in Definition 3.1, it does not reason about reordered posts
in w. This is because if we do not assume w to be explored by
EM-DPOR then the notion of reordered posts is irrelevant in the
context of w. Hence, the above happens-before relation can be de-
rived for a transition sequence in SG without any prior information
and purely with the help of dependence relation on SG. However,
if w is assumed to be explored by EM-DPOR then happens-before
relation (→w) referred in its context is the one defined in Defini-
tion 3.1.
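As an added illustration of Definition B.1 (example code, not code from the paper or from EM-DPOR), the following Python computes →w for a small constructed trace as a fixpoint of the three conditions, and shows that two handlers on the same thread become ordered only when their posts are connected by a dependence chain. The dependence relation it uses is an assumption standing in for Definition 2.2, which is not reproduced on this page: transitions of the same task are dependent, as are two accesses to the same shared variable when one is a write, while posts from different tasks are independent; the trace, thread and event names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Transition:
    idx: int                      # 1-based position in the sequence w
    thread: str                   # thread that executes the transition
    task: str                     # enclosing task: the thread itself, or the handled event
    kind: str                     # 'post' | 'begin' | 'end' | 'read' | 'write'
    event: Optional[str] = None   # event posted / whose handler begins or ends
    target: Optional[str] = None  # destination thread of a post
    var: Optional[str] = None     # shared variable of a read or write


def dependent(a: Transition, b: Transition) -> bool:
    """Constructed dependence relation standing in for Definition 2.2 (assumption).

    Two transitions are dependent if they belong to the same task, or if they
    access the same shared variable and at least one of them writes it.  Two
    posts from different tasks are never dependent, even when they target the
    same thread; this is the paper's departure from the classical relation.
    """
    if a.task == b.task:
        return True
    return a.var is not None and a.var == b.var and "write" in (a.kind, b.kind)


def marker(w: List[Transition], kind: str, event: str) -> Optional[int]:
    """getBegin(w, e) / getEnd(w, e): index of the handler marker, or None if absent."""
    return next((t.idx for t in w if t.kind == kind and t.event == event), None)


def happens_before(w: List[Transition]) -> Set[Tuple[int, int]]:
    """Smallest relation on dom(w) closed under the three conditions of Definition B.1."""
    # Condition 1: dependent transitions are ordered by their position in w.
    hb = {(a.idx, b.idx) for a in w for b in w if a.idx < b.idx and dependent(a, b)}
    idxs = [t.idx for t in w]
    posts = [t for t in w if t.kind == "post"]
    while True:
        size = len(hb)
        # Condition 3: transitive closure (Warshall-style pass over the index set).
        for k in idxs:
            for i in idxs:
                if (i, k) in hb:
                    for j in idxs:
                        if (k, j) in hb:
                            hb.add((i, j))
        # Condition 2: ordered posts to the same thread order their handlers,
        # provided the first handler has finished and the second has started.
        for p in posts:
            for q in posts:
                if p.target == q.target and (p.idx, q.idx) in hb:
                    end_p, begin_q = marker(w, "end", p.event), marker(w, "begin", q.event)
                    if end_p is not None and begin_q is not None:
                        hb.add((end_p, begin_q))
        if len(hb) == size:      # no rule added an edge: fixpoint reached
            return hb


def handlers_ordered(w: List[Transition], e: str, e2: str) -> bool:
    """True iff getEnd(w, e) ->w getBegin(w, e2), i.e. the two handlers cannot be reordered."""
    return (marker(w, "end", e), marker(w, "begin", e2)) in happens_before(w)


def sample_trace(communicate_via_x: bool) -> List[Transition]:
    """Constructed trace: t1 and t2 each post an event to the looper thread t3.

    With communicate_via_x, t2 reads the variable x that t1 writes after
    posting e1, so post(e1) ->w post(e2) through the dependence on x and
    Condition 2 orders the two handlers.  Without it the posts stay
    unordered, and so do the handlers of e1 and e2.
    """
    read_var = "x" if communicate_via_x else "q"
    return [
        Transition(1, "t1", "t1", "post", event="e1", target="t3"),
        Transition(2, "t1", "t1", "write", var="x"),
        Transition(3, "t2", "t2", "read", var=read_var),
        Transition(4, "t2", "t2", "post", event="e2", target="t3"),
        Transition(5, "t3", "e1", "begin", event="e1"),
        Transition(6, "t3", "e1", "write", var="y"),
        Transition(7, "t3", "e1", "end", event="e1"),
        Transition(8, "t3", "e2", "begin", event="e2"),
        Transition(9, "t3", "e2", "write", var="z"),
        Transition(10, "t3", "e2", "end", event="e2"),
    ]


if __name__ == "__main__":
    for flag in (True, False):
        print(f"t2 reads x written by t1: {flag} -> handlers e1, e2 ordered: "
              f"{handlers_ordered(sample_trace(flag), 'e1', 'e2')}")
```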
Transition in a sequence. Given a transition sequence w and
another transition sequence z, we say that a transition c ∈ Rz ∪
nextTrans(last(z)) is a transition executed in w, i.e., c ∈
Rw, if at a state s′ reached by a prefix w′ of w such that c ∈
nextTrans(s′) and a state s′′ reached by a prefix z′ of z such
that c ∈ nextTrans(s′′) we have index(w′, b) →w′ task(c) iff
index(z′, b)→z′ task(c) for any transition b.
This intuitively means that the transition prior to c in task(c)
has identical incoming direct and transitive dependence edges in
the dependence graph of w as well as z, due to which transition c
in w is guaranteed to be discovered (may or may not be enabled) in
the transition sequence z too.
B.1 Proof Strategy and Notation
B.1.1 Inductive Reasoning
EM-DPOR consists of four algorithms — Explore (Algorithm 1),
FindTarget (Algorithm 2), ReschedulePending (Algorithm 3)
and BacktrackEager (Algorithm 4). The proof is by induction
on the order in which states visited by Explore (Algorithm 1) are
backtracked. This is similar to the inductive strategy used to prove
Theorem 1 in [10], which states that the DPOR algorithm computes
persistent sets at each explored state. However, we cannot directly
borrow the structure of DPOR’s proof, as we additionally need to
consider the effect of event-driven semantics and reason about the
recursive nature of FindTarget (Algorithm 2).
Let S be a sequence explored by Algorithm Explore of EM-
DPOR, starting from an initial state sinit ∈ SG. Let s = last(S),
and L = {next(s, t) | t ∈ backtrack(s)} where backtrack(s) is
the backtracking set computed by EM-DPOR before backtracking
to a state prior to s in the search stack S. Assume SR ⊆ SG to
be the state space explored by EM-DPOR starting from state sinit.
State s is in SR as sequence S is explored by Algorithm 1.
Claim C1. The EM-DPOR algorithm explores a dependence-
covering sequence for every transition sequence w in SG
from a state s reached by Explore(S).
Induction hypothesis H1. For every transition sequence from a
state reached on each recursive call Explore(S.r), for all r ∈
L, the algorithm explores a corresponding dependence-covering
sequence.
The base case of the induction-based proof of Claim C1, which
captures the essence of Theorem B.24, is proved in Section B.3. The
proof strategy for the induction step is presented below.
Induction step. We prove that for any sequence $w : s \xrightarrow{r_1} s_1 \xrightarrow{r_2} s_2 \ldots \xrightarrow{r_n} s_n$
in SG, Explore(S) explores a dependence-covering sequence of w from
state s. Here, $s' \xrightarrow{r'} s''$ means s′′ = r′(s′).
If r1 ∈ L then, the algorithm explores a dependence-covering
sequence u of r2 . . . rn from state s1 by induction hypothesis H1,
making r1.u a dependence-covering sequence of w from state
s. Assume r1 ∉ L henceforth. We also assume that w has no
dependence-covering sequence starting with any transition in L
from state s.
We prove the inductive case by doing an exhaustive case analy-
sis of the contents of set L. Set L satisfies the properties presented
in one of the following five cases.
A. ∃p ∈ L such that p is a non-post transition and p is indepen-
dent with all the transitions in w.
B. L contains a non-empty subset of non-post transitions such
that all the non-post transitions in L are dependent with some
transition in w, and no transition in L is in w.
C. L contains a non-empty subset of non-post transitions such
that all the non-post transitions in L are dependent with some
transition in w, and the first transition in w from L is a non-
post transition.
D. L contains only post transitions and no transition in L is in w.
E. The first transition in w from L is a post transition. In this case
if L contains non-post transitions we assume all of them to be
dependent with some transition in w. Note that the presence of
non-post transitions in L does not affect the proof in this case.
Section B.2 presents lemmas proving the induction step for each of
the five cases above. The lemma for case A is proved by deriving a
contradiction to our assumption on the non-existence of a
dependence-covering sequence of w starting with any transition in L
from s. The lemmas for cases B, C, D and E are proved by deriving
contradictions to the assumptions made on the contents of L, when we
assume the non-existence of a dependence-covering sequence of w
starting with any transition in L from s. This in turn proves the
existence of a dependence-covering sequence of w in SR from state s.
B.1.2 Common Construction for Cases B, C, D and E
As shown in Figure 11 we construct a transition sequence
$z : s \xrightarrow{r'_1} s'_1 \xrightarrow{r'_2} s'_2 \ldots \xrightarrow{r'_m} s'_m$ in SG, such that (a) r′1 ∈ L
and (b) ∃r ∈ nextTrans(s′m) where r is a transition in w, say r$ = r
for 1 ≤ $ ≤ n in w, and r is dependent with a transition r′l in z such
that r′l is the nearest may-be-co-enabled or may-be-reordered transition
that does not happen before r. Additionally, r′l may or may not be
executed in w. If r′l is executed in w then index(w, r) < index(w, r′l).
We use z, which is not a dependence-covering sequence of w, in our proof
arguments, provided z is valid in SG. We reason about the validity of z
in each of cases B, C, D and E separately. In cases D and E we generate
a set of relevant non-dependence-covering transition sequences of w with
the help of z, all of which will be used by the proofs related to cases
D and E.
Figure 11 pictorially depicts some of the key states, transitions,
sequences and function calls required when reasoning about cases
B, C, D and E. Any other properties of r′l specific to the case
B, C, D or E considered, will be presented in Section B.2. Let
Z = z.z′.r where z′ is the shortest sequence in SG which enables r.
If there exists no such z′ then Z = z. Note that z′ is the empty
sequence if thread(r) ∈ enabled(s′m). Let v be the suffix of Z from
state s′1, i.e., v = r′2.r′3 . . . r′m.z′.r if Z = z.z′.r or
v = r′2.r′3 . . . r′m if Z = z. Since s ∈ SR and r′1 ∈ L, state
s′1 = r′1(s) is in SR. Then by induction hypothesis H1, EM-DPOR explores
a dependence-covering sequence u of v from s′1. Since r′1 ∈ L, the
algorithm explores r′1.u. Clearly, r′1.u is a dependence-covering
sequence of Z = r′1.v from state s.
Let δγ ∈ SR be the state reached by S.r′1.γ where γ is a prefix of u
such that r′l is a transition in r′1.γ, and the transition r dependent
with r′l is in nextTrans(δγ). Due to the characteristics of r′l and r
described in constraint (b) given earlier on sequence z, and r′1.u
being a dependence-covering sequence of Z whose prefix is z,
Explore(S.r′1.γ) invokes FindTarget(S.r′1.γ, r′l, r) (line 4 in
Algorithm 1). With this being a common scenario for cases B, C, D
and E, we present specific arguments for each of the cases in their
respective lemmas in Section B.2, and derive contradictions to the
assumptions made on the contents of L.
Notation. Given transition sequences w1 and w2, let w1 \ w2
denote transitions which are in sequence w1 but not in sequence
w2. For a set of tasks tks, threadSet(tks) = {t | (t, e) ∈
tks}, i.e., threadSet gives a set of threads corresponding to a
set of tasks. Whenever we need to reason about multiple instances of
variables like candidates and pending from Algorithm 1, 2, 3 or 4 in
our proofs, we use numerical subscripts to distinguish one instance
from the other (e.g., candidates1 is different from candidates2 and so
on). We do not add any subscripts for variable instances corresponding
to the first FindTarget call (FindTarget(S.r′1.γ, r′l, r)) from
Explore(S.r′1.γ).
B.2 Supporting Lemmas
We use the induction hypothesis H1 and prove the induction step
separately for each of the cases A–E introduced in Section B.1.1.
B.2.1 Case A
Lemma B.2. EM-DPOR explores a dependence-covering se-
quence of w from state s when set L satisfies case A.
Proof. Case A states that, ∃p ∈ L such that p is a non-post
transition and p is independent with all the transitions in w. Then,
no transition in w is executed on the same thread as p. This is
because, p = next(q, thread(p)) for any state q visited by a
prefix of w. Since the next transition of a thread at any state is
unique, no transition in w is executed on thread(p). Then, by
the second condition of the dependence relation (Definition 2.2),
p commutes with all the transitions in w and sequence w is enabled
at state s′ = p(s). Since s ∈ SR and p ∈ L, s′ ∈ SR. Then
by induction hypothesis H1, EM-DPOR explores a dependence-
covering sequence u of w from s′. Therefore, p.u is a dependence-
covering sequence of w at state s.
B.2.2 Case B
Case B states that the backtracking set L in state s contains a non-
empty subset of non-post transitions such that all the non-post
transitions in L are dependent with some transition in w, and no
transition in L is in w. With the help of the transition sequence z
described in Section B.1.2 we prove that EM-DPOR identifies a
transition in w to be reordered with a non-post transition in L, due
to which a transition in w gets added to the set L. This establishes a
contradiction to the property of set L, which in turn proves that our
primary assumption, the absence of a dependence-covering sequence of w
starting from a transition in set L, does not hold.
To suit the case under consideration, we refine the construction
of sequence z as follows.
Construction B.3. Let $z : s \xrightarrow{r'_1} s'_1 \xrightarrow{r'_2} s'_2 \ldots \xrightarrow{r'_m} s'_m$ in SG be
a sequence satisfying the following constraints:
M1. r′1 ∈ L is a non-post transition.
M2. For all r′i in z, i ≠ 1, r′i is a transition in w and r′i = ri−1.
Recall that w = r1.r2 . . . rn.
M3. ∃r ∈ nextTrans(s′m) such that r = r$ is in w, and r is the
first transition in w to be dependent with r′1.
The following properties can be inferred for a sequence z adhering to
Construction B.3.
P1. All the transitions in z except r′1 are in w.
P2. Transitions r′1 and r may be co-enabled, i.e., thread(r′1) ≠
thread(r). This is because r′1 = next(q, thread(r′1)) at any
state q visited by a prefix of sequence w, including the state
s$−1 where r = r$ is executed. Since both r′1 and r are in
nextTrans(s$−1), thread(r′1) ≠ thread(r).
P3. A sequence z satisfying M1, M2 and M3 exists as all the
transitions in L are dependent with some transition in w. In
the worst case, z may only consist of r′1 if r′1 is dependent with
some transition in nextTrans(s) which is executed in w.
P4. z is not a dependence-covering sequence of w at state s as the
dependence between r′1 and r does not satisfy any constraints
of a dependence-covering sequence (Definition 2.4).
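As an added worked instance of Construction B.3 and properties P1–P4 (constructed here, not taken from the paper), assume two threads t1 and t2, shared variables x and y, no post transitions, and the dependence relation of Definition 2.2 applied to conflicting accesses of the same variable on different threads:

```latex
\begin{align*}
&\text{Constructed instance (assumptions: threads } t_1, t_2\text{; shared } x, y\text{; no posts).}\\
&\text{At state } s:\ \mathit{next}(s, t_1) = r'_1 = \mathtt{read}(x),\qquad L = \{\, r'_1 \,\},\\
&w = r_1 . r_2 . r_3 \text{ on } t_2,\quad r_1 = \mathtt{write}(y),\ r_2 = \mathtt{write}(x),\ r_3 = \mathtt{read}(y).\\[4pt]
&\text{M1: } r'_1 \in L \text{ is a non-post transition; case B holds since } r'_1 \notin w.\\
&\text{M3: } r_2 \text{ is the first transition in } w \text{ dependent with } r'_1 \text{ (both access } x,\ r_2 \text{ writes)},\\
&\qquad \text{so } r = r_2 \text{ and } r \text{ has index } 2 \text{ in } w.\\
&\text{M2: } z = r'_1 . r'_2 \text{ with } r'_2 = r_1,\ \text{hence } m = 2 \text{ and } r = r_2 \in \mathit{nextTrans}(s'_2).\\[4pt]
&\text{P1: } r'_2 = r_1 \in w.\qquad
 \text{P2: } \mathit{thread}(r'_1) = t_1 \neq t_2 = \mathit{thread}(r).\\
&\text{P3: had } r_1 \text{ itself written } x,\ z \text{ would be } r'_1 \text{ alone } (m = 1,\ r = r_1).\\
&\text{P4: } z \text{ runs } r'_1 \text{ before its dependent transition } r = r_2, \text{ which } w \text{ does not,}\\
&\qquad \text{so } z \text{ is not a dependence-covering sequence of } w.\\[4pt]
&\text{Then } z' \text{ is empty since } t_2 \in \mathit{enabled}(s'_2),\ Z = z . r = r'_1 . r_1 . r_2,\ v = r_1 . r_2,\\
&\text{and the proof of Lemma B.4 proceeds with } r'_l = r'_1 \text{ and } u \text{ a dependence-covering sequence of } v.
\end{align*}
```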
Lemma B.4. EM-DPOR explores a dependence-covering se-
quence of w from state s when set L satisfies case B.
Proof. Consider a sequence z in SG constructed as per Construc-
tion B.3. Then, as explained in the proof strategy (Section B.1.2)
let Z = z.z′.r or Z = z based on the existence of shortest z′ that
enables r. EM-DPOR explores a dependence-covering sequence
u for v = r′2.r′3 . . . r′m.z′.r or v = r′2.r′3 . . . r′m, making r′1.u a
dependence-covering sequence of Z. Note that in this case v only
consists of transitions from w and, if there exists a z′ satisfying the
criteria considered, v also has transitions from z′. Also, r′l = r′1
(see Figure 11). From Section B.1, δγ ∈ SR is the state reached by
S.r′1.γ where γ is a prefix of u such that r ∈ nextTrans(δγ).
[Figure 11 (image not reproduced). Labels recovered from the figure: sequence w in SG from s through s1, s$−1, s$ (where r = r$ is executed) to sn; sequence Z in SG from s via r′1 to s′1, then r′2 . . . r′l−1 to s′l−1, r′l to s′l, r′l+1 . . . r′m to s′m, followed by z′.r with r ∈ nextTrans(s′m); z = r′1 . . . r′m, Z = z.z′.r, v = r′2 . . . r′m.z′.r; prefix γ of u (in SR) reaching δγ, where FindTarget(S.r′1.γ, r′l, r) is invoked; s ∈ SR, reached from sinit by S.]
Figure 11: Illustration of key components in the proof strategy of cases B, C, D and E. Transition sequences w and Z start at state s, and
sequences v and u start at state s′1. A solid circle with no annotation denotes a state in SG. States coloured yellow correspond to sequence w.
By Construction B.3 and its properties, transition r′1 is the
nearest dependent and may be co-enabled transition which does
not happen before r at state δγ . Then, Explore(S.r′1.γ) in-
vokes FindTarget(S.r′1.γ, r′1, r). Line 4 in FindTarget (Al-
gorithm 2) is skipped as thread(r′1) 6= thread(r). Step 2 of
FindTarget identifies state s from where r′1 is executed, as the
state to add backtracking choices to reorder r′1 and r. We first show
that line 7 in Algorithm 2 computes candidates ⊆
{task(r′2), task(r′3), . . . , task(r′m), task(r)}. In other words, set
candidates contains no task (t, e) such that transition next(s, t) is
in γ \ (v \ z′). This is because u is a dependence-covering sequence of
v and thus there exists no transition p ∈ u \ v dependent with a
transition p′ ∈ v such that index(S.r′1.u, p) < index(S.r′1.u, p′).
As a result there exists no p ∈ γ \ v, γ being a prefix of u, such that
p is dependent with r. Hence there exists no p ∈ γ \ v such that p
happens before r. Since z′ is a sequence to enable r from state s′m
reached by z, no transition in z′ happens before any transition of
thread(r) executed in z. Also, r is not yet executed in S.r′1.γ and
hence by Definition 3.1, no transition in z′ happens before r in
S.r′1.γ. Set candidates only consists of those tasks whose threads are
enabled at state s, and in this case only those tasks whose enabled
transitions are in sequence v \ z′ and thus in w. Now there are two
cases.
1. candidates ≠ ∅. Then threadSet(candidates) ∩
backtrack(s) is not an empty set. This is due to line 14 in
Algorithm 2, and even if threadSet(candidates) ⊆ done(s),
done(s) ⊆ backtrack(s) at any point of execution of the algo-
rithm. This contradicts the assumption that set L has no transition
from sequence w.
2. candidates = ∅. Then set pending computed at line 17 in
Algorithm 2 is an empty set since pending ⊆ candidates. This
results in a call to BacktrackEager(S.r′1.γ, |S|+1, r) on line 21.
Note that index(S.r′1.γ, r′1) = |S|+ 1.
BacktrackEager(S.r′1.γ, |S|+1, r) (Algorithm 4) temporarily copies
the happens-before relation →S.r′1.γ into a separate relation (see
line 1 in BacktrackEager). Then, it orders each pair of co-enabled post
transitions in S posting events to the same destination thread, and
closes this copied happens-before relation with FIFO and transitivity
due to the newly added post-to-post mappings (lines 4–8). We refer to
the modified happens-before relation as the extended happens-before
relation. We show that the extended happens-before relation does not
order r′1 and r, i.e., i does not happen before task(r) in the extended
relation, where i = |S| + 1. This is because sequence S.w executes r
and not r′1 whereas sequence S.r′1.γ executes r′1 and not r. Hence,
with a common prefix S, sequences S.w and S.r′1.γ between them explore
both orderings of r and r′1. Thus the order of post operations in S
does not determine the order of r′1 and r. However, BacktrackEager
only orders post operations in S and their respective handlers in
S.r′1.γ.
Since i does not happen before task(r) in the extended relation,
Algorithm 4 does not return via line 9 and proceeds to compute set
candidates1 on line 14 using the extended
happens-before relation. Due to FIFO the handlers posted to the
same thread execute in the order in which they are posted. Since
S is a prefix of both S.w and S.r′1.γ, the relative execution or-
der of event handlers in w and r′1.γ whose events are posted in
S is the same. BacktrackEager only augments happens-before
mappings between transitions of handlers posted in S. Thus any
new happens-before mappings in the extended happens-before re-
lation, between a transition p in r′1.γ and r is such that p is a
transition in w, and index(S.w, p) < index(S.w, r). This along
with our earlier reasoning on the dependence-covering property of
S.r′1.u proves that candidates1 computed by line 14 only con-
tains threads whose enabled transitions at s are executed in se-
quence w. If candidates1 6= ∅ then line 18 of Algorithm 4
adds a thread from candidates1 to backtrack(s). This contra-
dicts the assumption that sequence w has no transition from L. If
candidates1 = ∅, then backtrack(s) = enabled(s) (line 19).
Then, thread(r1) ∈ backtrack(s) which implies r1 ∈ L. Tran-
sition r1 being the first transition in w contradicts the assumption
that sequence w has no transition from set L.
B.2.3 Case C
Case C states that L contains a non-empty subset of non-post
transitions such that all the non-post transitions in L are depen-
dent with some transition in w, and the first transition in w from L
is a non-post transition. With the help of the transition sequence
z described in Section B.1.2 we prove that EM-DPOR identifies a
transition in w executed prior to the first transition from L in w to
be reordered with the first transition from L in w. We will further
prove that this causes a transition in w executed prior to the first
transition from L in w, to get added to the set L. This establishes a
contradiction to the property of set L.
To suit the case under consideration, we refine the construction
of sequence z as follows.
Construction B.5. Let $z : s \xrightarrow{r'_1} s'_1 \xrightarrow{r'_2} s'_2 \ldots \xrightarrow{r'_m} s'_m$ in SG be
a sequence satisfying the following constraints:
M1. r′1 ∈ L is a non-post transition and r′1 is the first transition in
w from L. Let k = index(w, r′1).
M2. For all r′i in z, i ≠ 1, r′i is a transition in w and r′i = ri−1.
M3. ∃r ∈ nextTrans(s′m) such that r = r$ is in w such that
$ < k, and r is the first transition in α : r1.r2 . . . rk−1 to be
dependent with r′1.
Construction B.5 differs from Construction B.3 in constraints M1
and M3. The following properties can be inferred for a sequence z
constructed as per Construction B.5.
P1. All the transitions in z are in w.
P2. Transitions r′1 and r may be co-enabled, i.e., thread(r′1) ≠
thread(r). This is because r′1 = next(q, thread(r′1)) at any
state q visited by a prefix of sequence α, including the state
s$−1 where r = r$ is executed. Since both r′1 and r are in
nextTrans(s$−1), thread(r′1) ≠ thread(r).
P3. A sequence z satisfying M1, M2 and M3 exists only if ∃r′1 ∈ L
such that r′1 is dependent with some transition prior to its index
in w. In such a case z can at least consist of r′1 if r′1 is dependent
with some transition in nextTrans(s) which is executed prior
to r′1 in w. If r′1 is not dependent with any transition prior to it
in w, then z does not exist. Nevertheless, as will be shown in
Lemma B.6, we get a dependence-covering sequence of w from
s in SR without constructing z in such a case.
P4. z is not a dependence-covering sequence of w at state s as the
dependence between r′1 and r does not satisfy any constraints
of a dependence-covering sequence (Definition 2.4).
Lemma B.6. EM-DPOR explores a dependence-covering se-
quence of w from state s when set L satisfies case C.
Proof. In the context of case C two sub-cases exist:
I. Assume there exists a transition r′1 ∈ L executed in w
such that k = index(w, r′1) and r′1 is independent with
all the transitions ri in w for 1 ≤ i < k. Then by Def-
inition 2.2 transition r′1 commutes with all such ri and thus
rk−1(. . . r2(r1(r′1(s))) . . .) = sk. Since rk+1 . . . rn−1rn is en-
abled at sk, sequence r′1r1 . . . rk−1rk+1 . . . rn is a dependence-
covering sequence of w from state s.
II. Assume no transition in L executed in w satisfies sub-case I.
Let r′1 be the first transition in w from L, and let r′1 be depen-
dent with some transition ri in w where 1 ≤ i < k where
k = index(w, r′1). Consider a sequence z in SG constructed
as per Construction B.5. Sequence z exists as sub-case II satis-
fies the pre-condition of property P3 of Construction B.5. As ex-
plained in Section B.1.2, let Z = z.z′.r or Z = z based on
the existence of shortest z′ that enables r. EM-DPOR explores
a dependence-covering sequence u for v = r′2.r′3 . . . r′m.z′.r or
v = r′2.r′3 . . . r′m, making r′1.u a dependence-covering sequence of Z.
Note that here r′l = r′1. From Section B.1, δγ ∈ SR is the state
reached by S.r′1.γ where γ is a prefix of u such that
r ∈ nextTrans(δγ).
By Construction B.5 and its properties, transition r′1 is
the nearest dependent and may be co-enabled transition which
does not happen before r. Then, Explore(S.r′1.γ) invokes
FindTarget(S.r′1.γ, r′1, r). Line 4 in FindTarget is skipped since
thread(r′1) ≠ thread(r). Step 2 of FindTarget identifies state s,
from where r′1 is executed, as the state to add backtracking choices to
reorder r′1 and r. We show that line 7 computes
candidates ⊆ {task(r1), task(r2), . . . , task(rk−1)}, i.e.,
candidates has no task (t, e) such that transition next(s, t) is in
γ \ α. The reason for this is similar to the corresponding step in the
proof of Lemma B.4. Set candidates only consists of those tasks whose
threads are enabled at state s, and in this case only those tasks whose
enabled transition at s is in α : r1.r2 . . . rk−1, a prefix of w. Now
there are two cases.
1. candidates ≠ ∅. Then threadSet(candidates) ∩
backtrack(s) is not an empty set. This is due to line 16 in
Algorithm 2. This contradicts the assumption that r′1 is the first
transition in w from L, as index of any transition in α is lesser than
k = index(w, r′1).
2. candidates = ∅. Then set pending computed at line 17 in
Algorithm 2 is also an empty set as pending ⊆ candidates. This
results in a call to BacktrackEager(S.r′1.γ, |S|+1, r) on line 21
in Algorithm 2. Then, we can use reasoning similar to that in the
proof of Lemma B.4 to derive a contradiction to the assumption that
r′1 is the first transition in w from L.
B.2.4 Case D
Case D assumes all the transitions in the set L to be of the type
post such that none of the transitions in L are in the transition
sequence w. Unlike the lemmas for cases B and C, whose proofs
involved reasoning about non-post transitions in the set L, case D
requires reasoning about post transitions in the set L. Similar to
the proof strategy of cases B and C, we will
show that EM-DPOR identifies some transition in w to be re-
ordered with a post transition in the set L. Since EM-DPOR
considers a post transition to be independent w.r.t. all the tran-
sitions, the Explore algorithm never invokes FindTarget to re-
order a post with some other transition. However, a recursive call
to FindTarget may reorder a pair of posts to the same event
queue (see step 1 of Algorithm 2 (FindTarget) and step 3c of
Algorithm 3 (ReschedulePending)). For this to happen the pair
of posts will have to be somehow related to a pair(s) of depen-
dent transitions which are originally identified for reordering by
Explore. However, establishing this relation between a pair(s) of
dependent transitions and a pair of post transitions is non-trivial
and may involve reasoning about a set of transition sequences ulti-
mately leading to the identification of posts to be reordered start-
ing from a transition sequence which identifies a pair of dependent
transitions to be reordered.
With the help of the transition sequence z described in Sec-
tion B.1.2 we will be generating a set of transition sequences
of interest, which will lead to the identification of a post in w
to be reordered with a post in the backtracking set L. After
identifying these posts and establishing that FindTarget will
be called to reorder them, we will show that a transition from
w gets added to the set L by invoking arguments similar to the
proofs of Lemmas B.4 and B.6. This establishes a contradiction to
the property of set L, and in turn establishes the existence of a
dependence-covering sequence of w starting from some transition
belonging to the set L.
We make the following assumptions to simplify the proof
sketch.
Assumption B.6.1. For any transition sequence α executed from
state s considered henceforth (including sequence w and z) we
make the following assumptions. Let Kα be the set of transitions
in α such that for each k ∈ Kα, k ∉ w. Then,
1. Transitions in Kα do not form a deadlock cycle consisting only
of transitions in Kα.
2. Every lock acquired inside a task is released within the same
task (thread or event handler). This assumes that a lock acquire
and release does not span multiple event handlers.
3. If a transition p ∈ Kα is disabled at a state, then it does not
require a transition in w to be executed for p to eventually
enable.
Reasoning about this case requires a few new definitions which
we introduce below.
Definition B.7. A function DG(p, α, s′) which defines a de-
pendence graph of a transition w.r.t. a sequence, takes a transition
p and a sequence α executed from a state s′ where p ∈ Rα or
p ∈ nextTrans(last(α)), and returns a set P such that P ⊆ Rα
and for each transition a ∈ P , if p ∈ Rα then index(α, a) →α
index(α, p) else either index(α, a) →α task(p) or a is depen-
dent with p.
The following definition gives the criteria when dependence
graphs of a transition w.r.t. two different sequences are equivalent.
Definition B.8. Predicate identicalDG(p, α, β, s′) takes a
transition p, and transition sequences α and β, both executed from
the same state s′, such that p ∈ Rα ∪ nextTrans(last(α)),
p ∈ Rβ ∪ nextTrans(last(β)), and the predicate evaluates to
TRUE only if DG(p, α, s′) = DG(p, β, s′).
Definition B.9. A set future of a post operation r, i.e.,
future(r) is a set of transitions such that a transition r′ ∈
future(r) if, (1) there exists a sequence α in SG such that r′ is
executed by the handler of the event posted by r in α, or (2) r′ ∈
future(r′′) such that r′′ is a post operation and r′′ ∈ future(r).
Definition B.10. A set enabledFuture of a post operation r,
i.e., enabledFuture(r) is a set of transitions such that a transition
r′ ∈ enabledFuture(r) if, (1) r′ ∈ future(r), or (2) there exists
a sequence α in SG reaching a state s′ such that a transition
r′′ ∈ future(r) is blocked in s′ and r′ is the first transition
of a shortest sequence from s′ which enables r′′, or (3) r′ ∈
enabledFuture(r′′) such that r′′ is a post operation and r′′ ∈
enabledFuture(r).
Construction B.11. Let $z : s \xrightarrow{r'_1} s'_1 \xrightarrow{r'_2} s'_2 \ldots \xrightarrow{r'_m} s'_m$ in SG,
where r′1 ∈ L and v = r′2 . . . r′m, be a sequence satisfying the
following constraints:
M1. Sequence v consists of transitions belonging to w as well as
transitions outside w. For a transition r′i ∈ v, if r′i ∈ w then
identicalDG(r′i, w, z, s). For a transition r′i ∈ v, if r′i ∉ w
then r′i is the first transition of a shortest sequence from the
state s′i−1, comprising only of transitions which do not belong
to w, to be executed to make an event e which was dequeued in
w but blocked in s′i−1 executable.
M2. There exists no extension to any prefix α of z which results
in a transition sequence α.γ such that there exists a pair of
dependent transitions c and d with the following properties:
(a) (i) Either c and d are transitions in w such that they are
ordered differently in γ compared to their order in w, or
(ii) c 6∈ w, c is a transition in the enabledFuture set of a
post in w, and d ∈ w such that c is executed prior to d in
α.γ, and
(b) Attempting to reorder c and d through some other extension
to α will only result in a transition sequence α.γ′ which
breaks the order between another pair of dependent transi-
tions c′ and d′ such that either (i) c′, d′ ∈ w, or (ii) d′ ∈ w,
c′ is a transition in the enabledFuture set of a post in w,
and c′ is executed prior to d′ in α.γ′.
M3. There exists a transition r ∈ nextTrans(s′m) such that r is
a transition in w and r is dependent with a transition r′l ∉ w
executed in v such that r′l ∈ enabledFuture(r′1).
M4. z is a sequence with maximum transitions from w while satis-
fying the constraints M1, M2 and M3.
From the constraints given in Construction B.11, a pair of tran-
sitions in w posting to the same event queue can be reordered in
sequence z so long as the properties M1 and M2 are respected. We
now present a lemma describing the property of transitions not in
w but present in v.
Lemma B.12. In a transition sequence z = r′1.v constructed by
only following the constraint M1 of Construction B.11, a transition
r′i ∈ v such that r′i ∉ w satisfies one of the following properties.
1. r′i ∈ enabledFuture(r′1), or
2. r′i ∈ enabledFuture(r′j) where r′j is a post transition in w.
Proof. We prove this by inducting on the order in which transitions
not belonging to w are added to v.
Base case. Let r′i be the first transition in v which does not belong
to w. Recall that r′1 ∈ L is the first transition of z, and from the
property of case D we know that r′1 6∈ w and it is a post transition.
This makes r′i the second transition in z to not be from the sequence
w. As per constraint M1 of Construction B.11, a transition not
belonging to w is added to v only to make an event dequeued in
w executable. Assume that r′i has been added to make an event e
blocked in the state s′i−1 and dequeued in w, executable. Let E be
the set of events on thread(e) such that for each event e′ ∈ E,
either e′ is the executable event on thread(e) at state s′i−1 or e′
is an event blocked in e's event queue in state s′i−1 such that e′
is dequeued prior to e. If any of the events in E is dequeued in
w, then executing r′i breaks the property M1. This is because in
such a case, the shortest sequence to make e executable will also
comprise of transitions from w. Also, if any event e′ in E is posted
by a transition in sequence S prior to reaching the state s from
where w is assumed to be executed, then due to FIFO ordering
we can infer that e′ is dequeued prior to e in sequence w as well.
By elimination, each event in E is either (a) the event posted by
r′1, since r′1 is the only transition in z that does not belong to w
when state s′i−1 is reached, or (b) an event posted by a transition
in w but not dequeued in w. The shortest sequence to make e
executable will at least comprise the transitions in the handlers of
the events in E, and r′i could be the deq transition of the executable
event on thread(e), which too is in E. However, if a transition, say
b, in the handler of e′ ∈ E is blocked on some transition outside
the handler of e′ (e.g., if it is a transition acquiring a lock held by
some other thread), then the shortest transition sequence to make
e executable will also include transitions to enable b; transition
r′i could be a transition executed to eventually enable b. In either
case, r′i satisfies the constraints to be in enabledFuture(r′1) or
enabledFuture(r′j) where r′j is a transition posting an event in
E. Hence proved.
Induction hypothesis. All the transitions up to the kth transition
added to v which do not belong to w either belong to
enabledFuture(r′1), or belong to enabledFuture(r′j) where r′j is
a post transition in w.
Induction step. We need to show that one of the two properties
specified in the lemma holds even for the (k + 1)th transition,
say r′i, that does not belong to w but is added to v. Then from
the condition M1, r′i should be the first transition in a shortest
sequence comprising only of transitions not in w, to make an event
e executable such that e is dequeued in w but is currently blocked
in the state s′i−1. Then, either r′i is a transition in the executable
task on thread(e), or it is a transition that must be executed so
as to eventually enable a transition b ∉ w in the executable task
on thread(e) or the handler of an event prior to e in e's event
queue. Otherwise, r′i can be removed to obtain a shorter sequence
executing which can make e an executable event. Let us firstly
reason about the case where r′i is a transition in the executable
task on thread(e), and let e′ be the corresponding event of the
executable task. Then, post(e′) which is clearly executed prior
to r′i, is either a transition in w or a transition not in w. In the
latter case due to induction hypothesis, post(e′) satisfies one of
the two properties listed in the lemma. If post(e′) is a transition in
w or post(e′) is a transition in the enabledFuture set of a post
transition in w (as per property 2 listed by the lemma), then by
Definition B.10 transition r′i too belongs to the enabledFuture set
of a post transition in w thus satisfying condition 2. If post(e′)
∈ enabledFuture(r′1) (as per property 1 listed in the lemma),
then r′i, being in the handler of e′, satisfies the constraints to be in
enabledFuture(r′1).
Now consider the case where r′i has been added to eventually
enable a transition b ∉ w in the executable task on thread(e) or
the handler of an event prior to e in e’s event queue. Let e′ be the
event corresponding to the handler in which the transition b is
executed. Now we can show that r′i belongs to enabledFuture(r′1) or
enabledFuture(r′j) where r′j is a post transition in w, by reasoning
about post(e′) similar to the first case presented above.
Lemma B.13. A transition sequence z = r′1.v which satisfies the
constraints M1, M2 and M3 exists in SG.
Proof. A transition sequence z = r′1.v satisfying the constraint M1
in Construction B.11 trivially exists in SG. One such sequence can
be constructed by concatenating r′1 with a prefix of w till the next
transition to be executed in w is a deq transition whose event e
is blocked on dest(r′1), such that the event posted by r′1 must be
dequeued and handled for e to become executable. If there is no
such prefix then we must be able to execute r′1.w which clearly
is a dependence-covering sequence of w, since r′1 being a post
transition is independent w.r.t. all the transitions in w as per the
dependence relation defined in Definition 2.2.
Now, let z = r′1.v be a transition sequence in SG satis-
fying the constraints of M1. Our main assumption is that there
exists no transition sequence starting from any transition in the
backtracking set L at s which is a dependence-covering se-
quence of w. Then, the sequence z must reach a state s′m
where a transition r ∈ nextTrans(s′m) is such that r ∈ w,
identicalDG(r, w, z, s) = FALSE and no extension γ to z can
result in identicalDG(r, w, z.γ, s). Otherwise, we can obtain a
sequence z which is a dependence-covering sequence of w. Since
all the transitions belonging to w in the constructed sequence z
have their DG identical to that found in w, there can be only
two causes for the DG(r, z, s) to be different from that w.r.t. w
— (1) a transition r′l ∉ w present in v is dependent with r, or
(2) r ∈ nextTrans(s′m) must be executed so as to execute a
dependent transition r′ ∈ w such that r′ is executed prior to r in w.
From Lemma B.12, if it is case (1) then there can be two subcases:
(1.a) r′l ∈ enabledFuture(r′1), or (1.b) r′l ∈ enabledFuture(r′j)
where r′j, executed prior to r′l in v, is a post transition in w.
Let us assume that any sequence z = r′1.v satisfying the con-
straints of M1 can only satisfy the cases 1.b or 2 defined above. We
will establish a contradiction for this assumption thus establishing
the validity of constraint M2 and M3 given in Construction B.11.
Towards this, we construct a sequence z by strengthening the con-
straints of M1. Let z = r′1.v be a transition sequence constructed
as per M1 as well as a constraint that for every pair of posts
p1 ∈ w and p2 ∈ w executed in z and posting events to the same
event queue, index(z, p1) < index(z, p2) iff index(w, p1) <
index(w, p2). Let z be the longest such sequence. Then, z reaches
a state s′m where a transition r ∈ nextTrans(s′m) is such that
r ∈ w and r satisfies one among the cases 1.b or 2 or (3) r is a
post transition which must be executed so as to execute a post
r′ ∈ w posting to the same event queue as r such that r′ is exe-
cuted prior to r in w. If z satisfies condition 3 then executing r at
s′m violates the constraint on ordering between post transitions.
The reasoning for cases 2 and 3 is similar. Let us firstly assume
that r satisfies either of case 2 or 3. This indicates the existence of
a transition r′ ∈ w either dependent with r (if case 2) or posting to
the same event queue as r (if case 3) such that r must be executed
to eventually execute r′, even though r′ was executed prior to r
in w. Let a sequence γ from s′m be the shortest sequence such
that r′ ∈ nextTrans(last(z.γ)). Let P be a set of transitions
such that a transition p ∈ P if index(S.z.γ, p) →S.z.γ task(r′)
and p ∈ γ. Since r′ is a transition in w, all the transitions in the
set P too are in w. We argue that either there exists a transition
p ∈ P such that task(p) is blocked on thread(r) at state s′m, or
attempting to reorder r and r′ by executing transitions related to r′
(for example those in the set P or in event handlers executed prior
to handlers containing some transitions in P ) prior to r breaks the
ordering between another pair of transitions from w such that these
transitions are either dependent or post to the same event queue. In
the latter case we argue that attempting to reorder the new adversely
ordered transitions in turn breaks the ordering between some other
pair of transitions from w and so on. Since the state space we
consider is finite and acyclic, continuing this process of reordering
adversely ordered transitions eventually causes r to execute prior
to r′. If this is not the case then r′ can be executed prior to r
which indicates the existence of some other sequence longer than z
and satisfying the constraints M1 and ordering restriction between
posts. This violates our assumption of z being the longest such
sequence. All these pairs of transitions including r and r′ were
ordered as desired in sequence w. This indicates the presence of a
pair of events posted to the same event queue by a pair of transitions
in z such that these events were differently ordered in w. This
contradicts the constraints of z which should have preserved the
relative ordering between transitions in w posting to the same event
queue. Hence, z does not satisfy case 2 or 3.
Now consider the case 1.b according to which r is dependent
with a transition r′l ∈ enabledFuture(r′j) such that r′l ∉ w
and r′j is a post transition in w. We choose the nearest such r′j
w.r.t. r′l. In other words, if r′l ∈ enabledFuture(r′i) and r′l ∈
enabledFuture(r′k) such that r′k ∈ enabledFuture(r′i), where
{r′i, r′k} ⊆ z are post transitions in w, then we choose r′j = r′k.
From (i) the constraints of Definition B.10, (ii) knowing that a sub-
set of transitions in enabledFuture(r′j) executed in z were not
executed in w and (iii) r′j being the nearest such post to whose
enabledFuture set r′l belongs, we infer that a suffix of the handler
of the post r′j ∈ w is not executed in w. Let e be the event posted
by r′j . Either a set of transitions from such a suffix of e’s handler
are included in z, or r′l is a transition executed to eventually enable
a transition from such a suffix of e’s handler. In either case since
these transitions do not belong to w, these transitions have been
added to z so as to make an event e′ dequeued in w executable such
that e′ is blocked on e’s event queue when e is the executable event.
From the concurrency semantics of the event-driven model
considered, an event handler is executed to completion before the next
event on the corresponding event queue is dequeued. We know that
both the events e and e′ are posted to w. Then, at least one among
the handlers of e and e′ must have been executed to completion.
25 2018/8/5
Since we have assumed that e’s handler is partially executed in
w, clearly event e′’s handler has been executed to completion in
w. This implies that index(w, post(e′)) < index(w, post(e))
(due to FIFO processing of events). This inference contradicts their
ordering in z since e′ is blocked when e is executable in z. This in
turn violates the constraints assumed on z. Thus, we have shown
that a transition sequence z constructed this way cannot satisfy
case 1.b.
From the above arguments we have established the existence of
a transition sequence z = r′1.v constructed as per the constraint
M1 for which neither of cases 1.b or 2 holds. Then, such a
transition sequence must satisfy the case 1.a according to which a
transition r ∈ nextTrans(s′m) is dependent with a transition r′l ∉ w
such that r′l ∈ enabledFuture(r′1). This shows that a transition
sequence satisfying the constraints M1, M2 and M3 of Construc-
tion B.11 exists in SG.
Lemma B.14. Reordering r and r′l identified by Construction B.11
by reordering some pair of transitions in v, is either not possi-
ble or will only result in a sequence v′ (executed from state s′1)
such that for v′ and any extension γ to v′ one of the following
holds — (i) the dependence graph of a transition r′j ∈ Rv′.γ ∪
nextTrans(last(v′.γ)) such that r′j is executed in both w and z,
becomes non-identical to DG(r′j, w, s), or (ii) there exists a pair of
dependent transitions p ∈ v′.γ and q ∈ nextTrans(last(v′.γ))
such that q is executed prior to p in w, or (iii) there exists a pair of
dependent transitions p ∈ v′.γ and q ∈ nextTrans(last(v′.γ))
such that q ∈ w, p ∉ w and p ∈ enabledFuture(p′) where p′ is a
post in w.
Proof. We prove this by contradiction. Assume that a result-
ing transition sequence v′ executes r before r′l such that
identicalDG(r, w, r′1.v′, s) holds, and without resulting in any
scenario listed in (i), (ii) or (iii) above. Then such a transition
sequence r′1.v′ clearly has more transitions from w compared
to z = r′1.v, with their dependence graphs consistent with
that found in the context of w. Also, since no extension to v′ satis-
fying (ii) or (iii) is possible when r and r′l are reordered as per our
assumption, an extension to r′1.v′, say γ, must hit a state where a
transition r′ ∈ nextTrans(last(r′1.v′.γ)) belonging to w is
dependent with a transition r′′ ∈ v′ such that r′′ ∉ w. If not, an
extension to r′1.v′ will result in a dependence-covering sequence for
w. Then, r′1.v′.γ is a transition sequence satisfying the constraints
M1, M2 and M3 of Construction B.11, and having more transitions
from w than z. This implies that z did not satisfy the constraint M4
of Construction B.11. Thus, one of the properties (i), (ii) or (iii)
must hold on any such sequence r′1.v′.
Lemma B.15. Transition r′1 must be reordered w.r.t. some transi-
tion r′µ ∈ v (where z = r′1.v) belonging to w such that r′µ posts an
event to the same destination event queue as r′1, so as to obtain a
transition sequence z′ from the state s which satisfies the following
properties — (1) either r is executed prior to r′l in z′ or only r is
executed in z′, (2) every transition r′j in z which also belongs to
w is executed in z′ such that identicalDG(r′j, w, z′, s), (3) there
exists at least one extension γ to z′ where neither of the following
hold: (a) there exists a pair of dependent transitions p ∈ z′.γ
and q ∈ nextTrans(last(z′.γ)) such that q is executed prior to
p in w, or (b) there exists a pair of dependent transitions p ∈ z′.γ
and q ∈ nextTrans(last(z′.γ)) such that q ∈ w, p ∉ w and
p ∈ enabledFuture(p′) where p′ is a post in w.
Proof. From Lemma B.14 we have established that attempting
to reorder r′l and r by reordering any pair of transitions in the
sequence v (executed from state s′1 reached on executing r′1 from
state s) including r′l and r themselves, can only result in a sequence
which satisfies conditions (i), (ii) or (iii) listed in Lemma B.14
which are clearly not consistent with the constraints 1, 2 and 3
listed in this lemma. The transition sequence w executed from state
s satisfies all of the conditions 1, 2 and 3 listed above. However,
transition r′1 is not executed in w. Hence, some transition, say r′µ,
belonging to w and executed in v must be reordered w.r.t. r′1 so as
to reorder r and r′l with neither breaking the dependence graphs of
transitions in z belonging to w nor resulting in scenarios described
by 3(a) or 3(b) listed in the lemma. Then, the transition r′µ too must
be a transition posting to the same event queue as the destination
event queue of r′1. This is because if r′µ is a non-post transition
or r′µ is a transition posting to some other queue, then reordering
r′µ and r′1 neither alters the final global state reached nor the final
event queue configuration which affects the order between event
handlers, because r′1 would then commute with such a r′µ.
Intuition to prove that EM-DPOR explores a dependence-cover-
ing sequence for case D. In the cases B and C the transition
r′1 belonging to the backtracking set L and executed at state s,
was a non-post transition. Hence a transition in w, say r, which
was dependent with r′1 could be easily identified leading to a non
dependence-covering sequence of w. We then argued that EM-
DPOR would attempt to reorder r′1 and r, and add a backtracking
choice at state s which would break the property assumed on the
backtracking set L at s. Thus we were able to prove the existence
of a dependence-covering sequence of w starting from a transition
in the set L, through proof by contradiction.
In case D however r′1 ∈ L executed at state s is a post
transition, which makes it harder to identify a transition in w that must be
reordered with r′1 to obtain a dependence-covering sequence of w.
This is because even though the ordering between events posted to the
same queue affects the ordering between dependent transitions, the
ordering between transitions posting to the same event queue is
not directly captured in a dependence-covering sequence. Hence,
the influence of r′1 on the non-post transitions in w can only be
identified through the interference from non-post transitions in the
enabledFuture set of r′1. Lemma B.15 establishes that r′1 must
be reordered with a transition r′µ ∈ v posting to the same event
queue as the destination of r′1 where r′µ ∈ w, so as to explore more
transitions from w in the resulting sequence but without resulting
in adversarial scenarios i, ii and iii listed in Lemma B.14. This
could eventually lead to a dependence-covering sequence of w.
In order to identify such an r′µ, we systematically generate a set
Γ of transition sequences starting from z by flipping the ordering
between certain dependent transitions and transitions posting to
the same event queues belonging to Rz ∪ nextTrans(last(S.z)).
A few pairs of dependent transitions and transitions posting to the
same event queues and seen in transition sequences of the set Γ, are
encoded as a tree called Γ-tree. Intuitively the Γ-tree encodes
all pairs of dependent transitions and post operations explored
in the subspace reached from s′1 (state reached on executing
r′1) such that exploring every pair of transitions in Γ-tree in a
manner consistent to obtain a dependence-covering sequence of w,
requires reordering r′µ with r′1. We will then show that EM-DPOR
too is capable of identifying all the transition pairs of Γ-tree
ultimately leading to the identification that r′µ must be reordered
with r′1.
To aid the proof we define a tree called Γ-tree which can
encode certain transition pairs which are of interest to the proof.
Definition B.16. Γ-tree is a tree with each of its nodes being a set
of ordered pairs of transitions and its root node being {(r′1, r′µ)}.
Let Γnode = {(c1, d1), (c2, d2) . . . (cχ, dχ)} be a non-root node
in the Γ-tree. Then,
N1. For all i ∈ [1, χ], di ∈ w and ci may or may not be a
transition of w such that if ci ∈ w then di is executed prior
to ci in w. If ci ∉ w then either ci ∈ enabledFuture(r′1), or
ci ∈ enabledFuture(rj) where rj is a post transition in w.
N2. Each pair (ci, di) is such that either ci and di are dependent
transitions, or ci and di are transitions posting events to the
same event queue.
N3. If Γnode is a leaf node of Γ-tree then it only contains pairs of
dependent transitions as its members. If it is a non-leaf node
then it contains at least one pair of transitions posting to the
same event queue.
N4. Transition pairs ci and di can either be from two different
threads or two different handlers on the same thread. If it is
the latter then Γnode is a singleton set. However, if Γnode has
multiple transition pairs then each pair (ci, di) are such that
thread(ci) ≠ thread(di).
N5. There exists a subspace Scd of SG reachable from the state
s′1 (reached on executing r′1 ∈ L), such that in Scd it is not
possible for di from every pair of transitions in Γnode to execute
prior to ci. In other words, there always exists one pair of
transitions ci and di such that di cannot be executed prior to
ci in Scd even when for all the other pairs (cj , dj), j 6= i, dj
executes prior to cj in Scd. Attempting to reorder (ci, di) within
Scd will alter the order between another pair of transitions
in Γnode, thus making the resultant transition sequence non
dependence-covering w.r.t. w.
N6. In the subspace Scd, the transitions c1 and dχ satisfy one
of the following criteria — (a) c1 and dχ are transitions of
two different event handlers on the same thread such that
event(task(dχ)) is blocked when event(task(c1)) is exe-
cutable, or (b) a transition prior to dχ in the task of dχ is en-
abled by a transition in the event handler blocked on thread(c1)
when c1 is the next transition on that thread, or (c) c1 needs to
be executed to enable a transition q blocked in an event han-
dler such that either event(task(dχ)) is blocked on thread(q)
when q is the next transition on that thread, or a transition prior
to dχ in the task of dχ is enabled by a transition in the event
handler blocked on thread(q) when q is the next transition on
that thread.
N7. Let ec and ed respectively be the executable event related to c1
and the blocked event related to dχ (as identified by N6 above)
in the subspace Scd. The events ec and ed posted to the same
thread are such that, either ec is not posted in the transition
sequence S.w whereas ed is posted in w or ed is posted prior to
ec in w.
N8. The parent node of Γnode in Γ-tree is a node Γpar which
contains (post(ec), post(ed)) as a transition pair. Reordering
post(ec) and post(ed) results in a state space where every
transition di in the transition pairs of the Γnode can be executed
prior to corresponding ci thus making them consistent w.r.t.
ordering observed in w. We refer to Γnode as the child of Γpar
obtained on exploring post(ec) prior to post(ed).
N9. Γnode has the same number of child nodes as the number of
pairs of posts in Γnode.
N10. Every path in the tree from the root to a node containing at least
one pair of dependent transitions encodes a non dependence-
covering sequence of w from state s, say vk, which identifies
one pair of dependent transitions which either are ordered dif-
ferently compared to their ordering in w or form a new incom-
ing dependence into a transition in w.
We can systematically construct certain interesting non
dependence-covering transition sequences of w using Γ-tree
paths, each of which have a transition b belonging to w whose
DG over the constructed transition sequence does not match
DG(b, w, s).
Construction B.17. A transition sequence vk is constructed using
a path of Γ-tree by performing steps I, II and III below. The order
between those transitions in vk which are not explicitly specified
by the step II below can be arbitrary but valid w.r.t. the orders fixed
for transitions reasoned in step II and consistent w.r.t. dependence
graph over w.
Step I. Start from the root of the Γ-tree.
Step II. At each node Γnode = {(c1, d1), (c2, d2) . . . (cχ, dχ)},
pick a pair of transitions (ci, di) such that ci will be executed prior
to di in the sequence vk while the order of the other transition pairs
(if they can be executed in vk) is consistent w.r.t. w, i.e., dj is executed
prior to cj for j ≠ i.
Step III. If the pair (ci, di) selected are non-post dependent transi-
tions then the construction of vk is complete, else move to the child
obtained on exploring ci prior to di and repeat Step II.
Observations for Construction B.17. From the step III of Con-
struction B.17 we note that the process of constructing a transition
sequence of interest can stop even at an intermediate node. A tran-
sition sequence vk identified by this construction has one transition
di ∈ w (corresponding to the last pair of transitions selected from
a Γ-tree node) which has dependence with a prior executed tran-
sition ci such that either ci 6∈ w or di is executed prior to ci in w.
Hence, this construction cleanly identifies a pair of transitions in vk
which need to be reordered so as to eventually obtain a dependence-
covering sequence of w.
Lemma B.18. A Γ-tree defined by Definition B.16 can be con-
structed in the state space SG.
Proof. We prove this by giving a sketch for constructing Γ-tree
starting with the transition sequence z = r′1.v constructed as per
Construction B.11.
Figure 12 pictorially represents the Γ-tree. The variables
a and b in the root stand respectively for r′1 and r′µ. We an-
notate the only child of the root node as Γ0. Except the root
node, every other node Γ[k1...kj] contains transition pairs of the
form (a[k1...kj ]i, b[k1...kj ]i), such that exploring the transition
a[k1...kj−1]kj prior to b[k1...kj−1]kj in a transition sequence re-
sults in the discovery of the subtree rooted at Γ[k1...kj ]. This
makes (a[k1...kj−1]kj , b[k1...kj−1]kj ) the transition pair corre-
sponding to Γ[k1...kj ] in its parent node. The last pair of tran-
sitions in the set corresponding to Γ[k1...kj ] is identified as
(a[k1...kj ](ab)k1...kj , b[k1...kj ](ab)k1...kj ), where (ab)k1...kj sym-
bolically denotes the count of the number of transition pairs in the
node Γ[k1...kj ].
From the constraint M3 of Construction B.11, r′l is in the set
enabledFuture(r′1). Based on this and the Definition B.10 we
can identify a chain of post transitions related to r′l, which is a
subsequence of z = r′1.v identified henceforth as pη . . . p2.p1. The
chain of posts pη . . . p2.p1 is such that (i) pη = r′1, (ii) for any
i ∈ [1, η−1], pi is either in the handler of the event posted by pi+1
or pi has been added to enable a blocked transition in the handler
of the event posted by pi+1, and (iii) the transition r′l is either in
the handler of the event posted by p1 or r′l is a transition added to
enable a blocked transition in the handler of the event posted by
p1. We encode each of the transitions in the chain pη . . . p2.p1 and
r′l as the first transition in the ordered pair of transitions belonging
to different Γ-tree nodes in the leftmost branch of the Γ-tree in
Figure 12. Through this construction sketch we will reason that for
[Figure 12 (tree drawing not recoverable from the extraction): the Γ-tree
with root {(a, b)}, whose only child is Γ0 = {(a1, b1), (a2, b2), . . . (a(ab), b(ab))};
a general node Γ[k1...kj] = {(a[k1...kj]1, b[k1...kj]1), . . . (a[k1...kj](ab)k1...kj, b[k1...kj](ab)k1...kj)};
children Γ1 and Γ(ab) of Γ0; the leftmost branch ending at the node Γ1...1ϕ,
whose first pair is (r′l, r).
Legend: a stands for r′1; b stands for r′µ, which is a post transition in w.]
Figure 12: Tree encoding (Γ-tree) of the set Γ of transition sequences used in identifying a post transition r′µ ∈ w executed in v, which is
to be reordered with r′1.
any i ∈ [1, η − 1], pi is the first transition in a pair belonging to a
node whose parent node contains the transition pi+1 in a member
pair. Similarly, r′l is a transition in a pair belonging to a node whose
parent node contains the transition p1 in a member pair.
In case of r′l, r is the transition occupying the second position
in the pair corresponding to r′l. In Figure 12, the node annotated
Γ1...1ϕ identifies the Γ-tree node containing the pair (r′l, r). In
this node we use (a[1...1ϕ]1, b[1...1ϕ]1) to denote (r′l, r), where ϕ
denotes the count of “1”s in the first part of the subscript. Indeed
we will reason that ϕ = η−1 and for ϑ ∈ [1, η−1], a[1...1ϑ−1]1 =
pη−ϑ.
Let us now see how to identify the rest of the transition pairs in
the node Γ1...1ϕ. Assume thread(r′l) ≠ thread(r). Let P be a set
of transitions such that a transition p ∈ P if index(S.z, p) →S.z
task(r) and index(S.z, p) > index(S.z, r′l). Clearly, all the
transitions in P were executed prior to r in w as well (by M1 in
Construction B.11). Now in order to execute r prior to r′l, all the
transitions in the set P also need to execute prior to r′l. However,
attempting to explore transitions in set P from the state s′l−1 (from
where r′l is executed in sequence z) will result in one of the three
scenarios listed in Lemma B.14. Concretely, this happens because
of one of the following reasons.
S1. A non-post transition c belonging to P or belonging to a task
h on whose thread the task of some transition in P is blocked,
gets shifted prior to r′l even though c has dependence with a
transition d ∈ w such that d can be executed only after r′l and d
is executed prior to c in z, or
S2. A post transition c belonging to P or belonging to a task h
on whose thread the task of some transition in P is blocked,
gets shifted prior to r′l and gets reordered w.r.t. a post transi-
tion d ∈ w such that d can be executed only after r′l and d is
executed prior to c in z. The reordering of posts c and d in turn
breaks the DG of a transition d′ ∈ w making it non-identical
to DG(d′, w, s) either by reordering it w.r.t. a dependent
transition c′ ∈ w or by exploring a dependent transition c′ ∉ w prior
to d′.
The transition pair (c, d) identified above is the transition pair
(a[1...1ϕ]2, b[1...1ϕ]2) in the set corresponding to the node Γ1...1ϕ .
The transition pair (a[1...1ϕ]3, b[1...1ϕ]3) can be identified by at-
tempting to explore b[1...1ϕ]2 prior to a[1...1ϕ]2 by using a strategy
similar to the one devised to reorder b[1...1ϕ]1 and a[1...1ϕ]1. How-
ever when doing so we also need to try to explore b[1...1ϕ]1 prior
to a[1...1ϕ]1, else we will obtain a transition sequence similar to z
which is already established to be a non dependence-covering
sequence of w. Similarly, attempting to reorder the recently identified
pair of transitions while keeping the order between prior identi-
fied transition pairs in Γ1...1ϕ consistent w.r.t. dependence graph
of w, aids in identifying newer transition pairs to be added to
Γ1...1ϕ . However, due to Lemma B.14 and the state space being
finite and acyclic, we will soon run out of transition pairs which
can be added this way. Indeed, attempting to reorder the last transi-
tion pair consisting of a[1...1ϕ](ab)1...1ϕ and b[1...1ϕ](ab)1...1ϕ using
the above technique will result in exploring a transition sequence
where r′l = a[1...1ϕ]1 gets explored prior to r = b[1...1ϕ]1, thus
re-identifying an already added transition pair. However, in the se-
quence w each transition b[1...1ϕ]i was explored prior to a[1...1ϕ]i
or a[1...1ϕ]i was not even explored. This indicates that the order-
ing between dependent transitions can be made consistent w.r.t. w
by reordering a pair of event handlers related to the transition pairs
in Γ1...1ϕ . Indeed we can show that this can be achieved by re-
ordering handler of the event posted by p1 (belonging to the chain
pη . . . p2.p1) with the handler in which b[1...1ϕ](ab)1...1ϕ is exe-
cuted or a handler that enables a transition prior to b[1...1ϕ](ab)1...1ϕ
in task(b[1...1ϕ](ab)1...1ϕ ). Let e be the event corresponding to the
latter handler. Clearly, post(e) ∈ w. We will be able to show that
p1 posts to the same event queue as e, thus satisfying property N6 of
Construction B.17. This will result in adding the pair of transitions
(p1, post(e)) into the parent node of Γ1...1ϕ thus satisfying the
property N8 of a Γ-tree. The parent node Γ1...1ϕ−1 can be pop-
ulated similarly starting with the reordering of a[1...1ϕ−1]1 = p1
and b[1...1ϕ−1]1 = post(e), and so on eventually identifying the
parent node of Γ1...1ϕ−1 which will contain (p2, ) as a member.
We note that if thread(r′l) = thread(r) then Γ1...1ϕ would
be a singleton set consisting only of the pair (r′l, r), and the
parent node would be identified as the node with transition pair
(p1, post(event(r))). In general, for any pair of transitions on
the same thread but different handlers we identify the parent node
as the node with the pair of transitions posting the events corre-
sponding to these handlers, as a member.
If c and d identified by the scenario S2 introduced earlier,
are post transitions, then the dependent transition pair (c′, d′)
identified by this scenario becomes a transition pair in one of the
nodes in the subtree that can be generated by exploring c prior
to d in a transition sequence, say vk, from state s′1. Transition
pairs belonging to the nodes of this subtree can be systematically
identified by attempting to reorder c′ explored in vk w.r.t. d′ by
doing as described in the context of reordering transitions a[1...1ϕ]i
and b[1...1ϕ]i belonging to the node Γ1...1ϕ. Reordering only
transitions in the subspace obtained when the post transition c is
explored prior to post transition d will end up breaking the DG
of some transition in w thus resulting in non dependence-covering
sequences of w. If this is not the case then it implies that the
transition pairs in Γ1...1ϕ added prior to (c, d) can be explored in a
manner consistent w.r.t. w which makes such a transition sequence
dependence-covering w.r.t. w, or contain more transitions from w
than in z thus breaking the constraint M4 of Construction B.11.
For each pair of transitions in the nodes of Γ-tree and the
entire node itself, we assign a level called Γ-idx defined as below.
Definition B.19. The Γ-idx of a tree node, say Γi, referred as
Γ-idx(Γi) is assigned a level same as the Γ-idx of a transition
pair in Γi which has the highest Γ-idx among all the transition
pairs in Γi. The Γ-idx of a pair (c, d) of dependent transitions
is considered to be 0 and referred as Γ-idx((c, d)). Let (c, d) be
a pair of post transitions in a Γ-tree node, say Γpar , such that
Γkid be the child node of Γpar discovered on executing c prior to
d in a transition sequence from state s′1. Then, Γ-idx((c, d)) =
Γ-idx(Γkid) + 1.
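To make the structure of Definition B.16, the path walk of Construction B.17 and the Γ-idx levels of Definition B.19 concrete, here is an added illustration in Python. It is not the paper's or EM-DPOR's own code: the transition names ("a", "b1", "rl", ...) are constructed placeholders in the spirit of Figure 12, a node is stored as a list (rather than the paper's set) purely so that pairs can be addressed by index i, and only the structural constraints N3 and N9 are checked, not the semantic constraints N5 to N8, which depend on the state space SG.

```python
"""Toy model of a Γ-tree (Definition B.16), the path-based sequence
construction of Construction B.17, and the Γ-idx levels of Definition B.19.

This is an added illustration, not the paper's or EM-DPOR's own code.
Transition names ("a", "b1", "rl", ...) are constructed placeholders.
A pair of kind "post" stands for two transitions posting to the same
event queue; a pair of kind "dep" stands for two dependent transitions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Pair:
    c: str      # first transition ci of the ordered pair
    d: str      # second transition di, which belongs to w (N1)
    kind: str   # "dep" (dependent) or "post" (same destination queue), N2


@dataclass
class GammaNode:
    # The paper treats a node as a set of pairs; a list is used here only
    # so that pairs can be addressed by index i, as in (ci, di).
    pairs: List[Pair]
    # children[i] is the child reached by exploring pairs[i].c prior to
    # pairs[i].d; only post pairs have children (N8, N9).
    children: Dict[int, "GammaNode"] = field(default_factory=dict)

    def is_leaf(self) -> bool:
        return not self.children


def well_formed(node: GammaNode) -> bool:
    """Check the structural constraints N3 and N9 recursively:
    a leaf holds only dependent pairs; a non-leaf holds at least one
    post pair and exactly one child per post pair."""
    post_idx = {i for i, p in enumerate(node.pairs) if p.kind == "post"}
    if node.is_leaf():
        return not post_idx
    if not post_idx or set(node.children) != post_idx:
        return False
    return all(well_formed(ch) for ch in node.children.values())


def gamma_idx_pair(node: GammaNode, i: int) -> int:
    """Γ-idx of the pair (ci, di): 0 for a dependent pair, and
    Γ-idx(child) + 1 for a post pair (Definition B.19)."""
    if node.pairs[i].kind == "dep":
        return 0
    return gamma_idx_node(node.children[i]) + 1


def gamma_idx_node(node: GammaNode) -> int:
    """Γ-idx of a node: the highest Γ-idx among its pairs."""
    return max(gamma_idx_pair(node, i) for i in range(len(node.pairs)))


def construct_path(root: GammaNode, choices: List[int]) -> List[Tuple[str, str]]:
    """Construction B.17: starting at the root, at each node pick the
    pair index given by `choices`, order ci before di, stop when the
    chosen pair is a dependent pair, otherwise descend to the child
    obtained by exploring ci prior to di. Returns the ordered pairs
    fixed by Step II along the path."""
    node = root
    fixed: List[Tuple[str, str]] = []
    for i in choices:
        p = node.pairs[i]
        fixed.append((p.c, p.d))
        if p.kind == "dep":
            return fixed            # Step III: construction complete
        node = node.children[i]     # Step III: move to the child, repeat Step II
    raise ValueError("path stopped at a post pair; Construction B.17 is incomplete")


def example_tree() -> GammaNode:
    """A small constructed Γ-tree following the shape of Figure 12:
    root {(a, b)} with a = r′1 and b = r′µ, child Γ0, and a leftmost
    branch whose node contains (r′l, r) as its first pair."""
    leaf = GammaNode([Pair("c2", "d2", "dep")])
    g1 = GammaNode([Pair("rl", "r", "dep"), Pair("c", "d", "post")],
                   children={1: leaf})
    g0 = GammaNode([Pair("a1", "b1", "post"), Pair("a2", "b2", "dep")],
                   children={0: g1})
    return GammaNode([Pair("a", "b", "post")], children={0: g0})


if __name__ == "__main__":
    t = example_tree()
    print("well formed:", well_formed(t))
    print("Γ-idx(root):", gamma_idx_node(t))
    print("path ending at (r′l, r):", construct_path(t, [0, 0, 0]))
```

In the constructed tree the leaf has Γ-idx 0, the post pair (c, d) above it gets 1, the post pair (a1, b1) in Γ0 gets 2, and the root pair (a, b) gets 3, which is also the Γ-idx of the root; walking the leftmost branch with choices [0, 0, 0] stops at the dependent pair (r′l, r), exactly the stopping rule of Step III.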
Note. Γ-tree essentially identifies all the pairs of transitions
(dependent or posting to the same event queue) which will have
to be systematically identified for reordering by EM-DPOR (by
invoking FindTarget) in order to discover a dependence-covering
sequence of w, assuming that EM-DPOR initially explored only the
members of L from state s. Also during the process, EM-DPOR
needs to adequately set up data structures such as backtrack,
done and RP sets at the explored states in the subspace reachable
from s′1 so as to eventually invoke FindTarget(r′1.v′,r′1,r′µ)
where r′1.v′ is a transition sequence constructed from Γ-tree
using Construction B.17. After establishing this we can use the
arguments used to prove lemmas corresponding to cases B and C
(Lemma B.4 and B.6) to show that some transition executed in w
prior to r′µ or r′µ itself gets added to the backtracking set L at state
s, thus contradicting the property assumed for L as per the case D.
Note that all the transition sequences which can be constructed
by running the Construction B.17 on the Γ-tree in Figure 12,
have r′1 as their first transition. Hence by induction hypothesis
H1, EM-DPOR explores dependence-covering sequences of all
these transition sequences. The challenge however is to show that
FindTarget gets invoked to reorder r′1 and r′µ. We achieve this by
proving the following property by inducting on the Γ-idx levels of
the Γ-tree nodes.
Lemma B.20. For each node Γnode =
{(c1, d1), (c2, d2) . . . (ck, dk)} in the Γ-tree generated from the
sequence z, EM-DPOR explores a sequence r′1.u whose prefix
reaches a state s′ such that the following properties hold.
P1. For every transition pair (ci, di) in Γnode, for i ∈ [1, k],
ci = next(s′, thread(ci)) and either thread(ci) ∈ done(s′)
or thread(ci) is not enabled in s′.
P2. There exists a pair (ci, di) in Γnode, for i ∈ [1, k], such that ci
is executed at s′ and FindTarget(r′1.u,ci,di) is invoked such
that for j ∈ [i+ 1, k], index(r′1.u, dj) < index(r′1.u, cj).
P3. For each transition pair (ci, di) in Γnode, for i ∈ [1, k], where
ci and di are post transitions, either (ci, di) ∈ RP (s′) or
FindTarget has been invoked to reorder ci executed at s′ and
the later executed transition di.
Proof. We prove the above property by inducting on the Γ-idx
level of nodes.
Base case (Γ-idx = 0). We present an outline on how to rea-
son about this case. Only leaf nodes of Γ-tree belong to Γ-idx
level 0. Let Γnode = {(c1, d1), (c2, d2) . . . (ck, dk)} be a leaf
node. Let vi be a transition sequence constructed over Γ-tree
starting from the root and ending with a suffix where ci is ex-
plored prior to dependent transition di ∈ w. Let (dependence-
covering sequence of) vi be the first transition sequence related
to Γnode to be explored by EM-DPOR. Exploration of vi by
EM-DPOR is guaranteed due to induction hypothesis H1, since
the first transition of vi is r′1 which is a transition in the set
L. We will then have to show that ci and di will be identi-
fied as racing transitions by the Algorithm Explore leading to
invocation of FindTarget(S.vi,di,ci). Exploring backtracking
choices thus added results in exploring ci+1 prior to di+1. Again
these will be identified as racing transitions and so on. Ultimately,
FindTarget(S.vi−1,ci−1,di−1) gets invoked when threads of
all the other cj transitions are either in done set at the state, say
s′, from where ci−1 is executed or disabled in s′. This proves
properties P1 and P2. Property P3 is not relevant for the base case because
a leaf node does not contain any pair of post transitions.
Induction hypothesis. For a node Γnode such that
Γ-idx(Γnode) = θ, the properties P1, P2 and P3 hold.
Induction step (Γ-idx = θ + 1). Let Γnode =
{(c1, d1), (c2, d2) . . . (ck, dk)} be a node in Γ-tree such
that Γ-idx(Γnode) = θ+ 1. This indicates that the highest Γ-idx
of any pair of transitions in Γnode is θ + 1. Let (ci, di) ∈ Γnode
be a pair of post transitions with its corresponding child node
being Γi = {(c[i]1, d[i]1), (c[i]2, d[i]2) . . . (c[i](cd)i , d[i](cd)i)}.
Then by our assumption on the Γ-idx of (ci, di) and the definition
of Γ-idx, we can establish that Γ-idx(Γi) can be at most θ.
Then, with the help of induction hypothesis we can show that
FindTarget gets invoked to reorder a transition c[i]j and later
executed transition d[i]j with suitable constraints over done and
RP sets (as established by P1 and P3), resulting in the invocation
of ReschedulePending by the Step 3 of FindTarget (see
line 18). This in turn invokes FindTarget to reorder the post
transitions ci and di. Note that it is important for the RP set to be
adequately set up since the HB relation computed by EM-DPOR
adds edges based on RP set as well (see Definition 3.1). After
backtracking choices are computed at the state from where ci
is executed, (ci, di) get added to the RP set at that state. On
eventually reordering ci and di, ci+1 and di+1 get reordered.
Based on whether these are post or non-post transitions we
can apply suitable reasoning to show how done and RP sets get
populated. Ultimately, we can show that FindTarget gets invoked
to reorder the last pair of transitions belonging to the set Γnode
with the corresponding done and RP sets appropriately set up as
required.
Lemma B.21. EM-DPOR explores a dependence-covering se-
quence for w from state s when set L satisfies case D.
29 2018/8/5
Proof. From Lemma B.18, Γ-tree exists and a Γ-tree can
be generated using the transition sequence z constructed as per
Construction B.11 which too has been proven to exist (see
Lemma B.13). From the definition of a Γ-tree the transition pair
(r′1, r′µ) is the only element of the singleton set at the root of the
Γ-tree generated from z. Then, from the property P2 established
by Lemma B.20, FindTarget(S.r′1.u, r′1, r′µ) is invoked for some
transition sequence r′1.u which is a dependence-covering sequence
of a sequence constructed using Construction B.17. Since r′µ ∈ w
we can use the arguments used to prove Lemma B.4 to show that
some transition executed in w prior to r′µ or r′µ itself gets added
to the backtracking set L at state s, thus contradicting the property
assumed for L as per the case D. This in turn proves the existence
of a dependence-covering sequence of w.
B.2.5 Case E
Case E assumes a subset of transitions in the backtracking set L
to be present in w such that the first transition in w from the set
L is of type post. This case additionally assumes that if there
are non-post transitions in the set L then all such transitions are
dependent with some transition in w. This is because if there exists
a non-post transition independent w.r.t. all the transitions in w
then this case becomes equivalent to case A which has already
been shown to result in a dependence-covering sequence of w (see
Lemma B.2). Note that we had considered a variant of case E in
case C where we had assumed the first transition in w from the set
L to be a non-post transition. However, a post transition being the
first transition in w from L makes the reasoning of this case very
similar to that used to establish contradiction to the property of L
in case D.
Construction B.22. Let z : s −r′1→ s′1 −r′2→ s′2 . . . −r′m→ s′m
in SG, where r′1 is the first transition in w from the set L and
v = r′2 . . . r′m, be a sequence satisfying the following constraints:
M1. Sequence v consists of transitions belonging to w as well as
transitions outside w. For a transition r′i ∈ v, if r′i ∈ w and
r′i ∉ enabledFuture(r′1) then identicalDG(r′i, w, z, s). For
a transition r′i ∈ v, if r′i ∈ w and r′i ∈ enabledFuture(r′1)
then either identicalDG(r′i, w, z, s) or r′i is the first transi-
tion of a shortest sequence from the state s′i−1 comprising
only of transitions which do not belong to w or belong to
enabledFuture(r′1), to be executed to make an event e blocked
in s′i−1 executable such that e was dequeued in w. Finally,
for a transition r′i ∈ v, if r′i ∉ w then r′i is the first tran-
sition of a shortest sequence from the state s′i−1 comprising
only of transitions which do not belong to w or belong to
enabledFuture(r′1), to be executed to make an event e blocked
in s′i−1 executable such that e was dequeued in w.
M2. There exists no extension to any prefix α of z which results
in a transition sequence α.γ such that there exists a pair of
dependent transitions c and d with the following properties:
(a) (i) Either c and d are transitions in w such that c ∉
enabledFuture(r′1), index(w, d) < index(w, c) but
index(γ, c) < index(γ, d), or (ii) c ∉ w, c ∉
enabledFuture(r′1), c is a transition in the enabledFuture
set of a post in w, and d ∈ w such that c is executed prior
to d in α.γ, and
(b) Attempting to reorder c and d through some other exten-
sion to α will only result in a transition sequence α.γ′
which breaks the order between another pair of depen-
dent transitions c′ and d′ such that either (i) c′, d′ ∈ w,
c′ ∉ enabledFuture(r′1), index(w, d′) < index(w, c′)
but index(γ′, c) < index(γ′, d), or (ii) d′ ∈ w, c′ ∉
enabledFuture(r′1), c′ is a transition in the enabledFuture
set of a post in w, and c′ is executed prior to d′ in α.γ′.
M3. There exists a transition r ∈ nextTrans(s′m) such that r
is a transition in w, r ∉ enabledFuture(r′1) and r is de-
pendent with a transition r′l executed in v such that (i) r′l ∈
enabledFuture(r′1) and (ii) if r′l ∈ w then r is executed prior
to r′l in w.
M4. z is a sequence with maximum transitions from w while satis-
fying the constraints M1, M2 and M3.
We now present the lemma which establishes that a dependence-
covering sequence of w from state s gets explored even when
the set L satisfies the property stated in case E. The proof sketch
of this lemma is similar to that outlined for Lemma B.21 which
reasons about the case D. However, the proof for this case will
use a transition sequence z constructed as per Construction B.22
to generate the Γ-tree.
Lemma B.23. EM-DPOR explores a dependence-covering se-
quence for w from state s when set L satisfies case E.
B.3 Main Result
Theorem B.24. In a finite and acyclic state space SG, whenever
Explore (Algorithm 1) backtracks from a state s to a state prior
to s in the search stack, EM-DPOR has explored a dependence-
covering sequence for any sequence w in SG from s, i.e., the set of
transitions explored from a state s is a dependence-covering set in
s.
Proof. The proof for this theorem is by induction on the order in
which states visited by EM-DPOR are backtracked, as explained in
the proof strategy in Section B.1.
Base case. The first backtracked state is a state with no transi-
tions enabled. Such a state is reached as Algorithm Explore per-
forms a depth first search on the state space of SG which is finite
and acyclic. The induction hypothesis H1 vacuously holds for such
a state with no outgoing transitions.
Induction hypothesis (same as induction hypothesis H1 in Sec-
tion B.1). Let S be a sequence from sinit ∈ SG reaching state s,
explored by Algorithm Explore of EM-DPOR. Let L be the set of
transitions explored by EM-DPOR from the state s. Then, for ev-
ery transition sequence from a state reached on each recursive call
Explore(S.r), for all r ∈ L, the algorithm explores a correspond-
ing dependence-covering sequence.
Induction step. Lemmas B.2, B.4, B.6, B.21 and B.23 prove the
induction step for the exhaustive cases based on the contents of the
set L, introduced in Section B.1.
Thus EM-DPOR explores a dependence-covering sequence for
any sequence w in SG from a state s reached on Explore(S),
which in turn establishes that the set of transitions L explored from
s is a dependence-covering set as per Definition 2.6.
C. Optimizations to EM-DPOR
This section presents two main optimizations that we have applied
to EM-DPOR (see Section 3) to further prune the exploration of
redundant states and transitions. Both of these optimizations refine
the set of pairs of dependent transitions and thus reduce the number
of pairs of transitions considered dependent. We present modifica-
tions to EM-DPOR so as to not miss exploring interesting transition
sequences when using the refined notion of dependence.
C.1 Eliminate read - read Dependence
EM-DPOR algorithm presented in Section 3.3 needs to consider
each pair of read operations to the same shared variable as depen-
dent, to not miss some interesting interleavings. This may result
in exploring many redundant transition sequences. A minor varia-
tion to Algorithm 1 (Algorithm Explore) while keeping the algo-
rithms FindTarget, ReschedulePending and BacktrackEager
as is solves this problem. With this variation, EM-DPOR considers
a read operation to be dependent only with a conflicting write
operation.

Figure 13: An example illustrating challenges in reordering dependent read - write operations.
(The original trace diagrams place each transition in one of the thread columns t1 to t4 and
mark the handler intervals e1 and e2 on t1; only the transition order is recoverable here.)
(a) initial sequence z1: r1 post(e1), r2 post(e2), r3 read(x), r4 read(x), r5 x = 100
(b) sequence z2: r2 post(e2), r1 post(e1), r3 read(x), r5 x = 100, r4 read(x)
(c) sequence z3: r2 post(e2), r1 post(e1), r5 x = 100, r3 read(x), r4 read(x)

Figure 14: An interesting sequence z corresponding to Example C.1, not explored by EM-DPOR
when reads to same variable are considered independent (transition order only):
r1 post(e1), r2 post(e2), r4 read(x), r5 x = 100, r3 read(x)
Before presenting the modifications to Algorithm Explore in
Section C.1.2, we discuss some examples for which applying EM-
DPOR presented in Section 3 as is, considering a pair of read
operations to the same shared variable to be independent, does not
explore all possible partial orders of dependent transitions.
C.1.1 Problematic Cases
EXAMPLE C.1. Consider an execution trace z1 given in Fig-
ure 13(a), of an Android program. Among the threads t1, t2 and
t3 and t4, only t1 is associated with an event queue. Sequence z1
has two pairs of may be co-enabled or may be reordered depen-
dent transitions: (r3, r5) and (r4, r5), assuming every pair of read
transitions to be independent.
Assume EM-DPOR to initially explore the sequence z1 given
in Figure 13(a). On exploring a prefix of z1 upto r4, line 3 of
Algorithm 1 (Explore) identifies r4 and r5 to be nearest pair of
dependent and may be reordered transitions executing on different
handlers on the same thread. FindTarget invoked to compute
backtracking choices to reorder r4 and r5 identifies r1 and r2
to be the corresponding diverging posts to be reordered. Thus,
thread t4 is added to backtracking set at the state pre(z1, r1),
i.e., the state from which r1 is executed in sequence z1. This
eventually reorders r1 and r2 and results in exploring sequence z2
(Figure 13(b)). On executing a prefix of z2, transitions r3 and r5
are identified to be nearest dependent and co-enabled transitions.
FindTarget reorders these two, eventually exploring sequence z3
(Figure 13(c)). EM-DPOR does not explore any other partial orders
over r3, r4 and r5 after sequence z3.
We note that, on seeing sequence z1 EM-DPOR does not at-
tempt to reorder r3 and r5, as r3 is not the nearest reorderable de-
pendent transition corresponding to r5 in sequence z1. As a result,
Algorithm Explore considering a read to be only dependent with
a conflicting write operation, misses exploring a sequence similar
to z (Figure 14), where r3 reads the write performed by r5 while
r4 does not.
Figure 15: Systematic exploration of branches in DFS based dy-
namic POR. (Diagram of states sinit, s1, s2 . . . sn and si, sj with
their reachable subspaces; not reproducible in text.)
Analysis of Example C.1. A DFS based explorer explores all
paths originating at a state in the state space before backtracking to
a prior state in the search stack and exploring other branches. EM-
DPOR is a POR algorithm which prunes some redundant transi-
tion sequences explored by a naïve DFS based state space explorer.
Hence, EM-DPOR should explore all the interesting interleaving of
dependent transitions originating, say at some state si, before back-
tracking to a prior state in the stack, say s1, and exploring other
branches. This is because, after backtracking to state s1 from si,
the subspace rooted at si will not be visited again. Thus, any inter-
leaving of dependent transitions that could be explored only from
si will be missed, if not explored before backtracking to s1. This
is pictorially depicted in Figure 15. In Figure 15 triangles represent
state space reachable from the states to which the triangles are con-
nected. Even though not shown in the figure, some of the states may
overlap. The thick directed arrows depict the way in which state
exploration proceeds. In case of Example C.1, EM-DPOR back-
tracked from a state even before exploring all the non-redundant
interleaving of dependent transitions reachable from that state. This
is the cause of missing some interesting sequences.
We can solve this issue with EM-DPOR without having to con-
sider every pair of read operations to the same memory loca-
tion as dependent, as follows. In the context of line 3 of Algo-
rithm Explore, when the next transition on a thread t in state s is
a write, its dependent transition can either be a read or a write
to the same shared variable. Instead of invoking FindTarget to
reorder a write operation r′ with its nearest executed dependent
transition, we identify all the may be co-enabled or may be re-
ordered dependent transitions up to the nearest executed write oper-
ation, and compute backtracking choices to reorder all these iden-
tified dependent transitions with the write operation r′.

Figure 16: An example illustrating challenges in reordering dependent read - write operations
even when a write is attempted to be reordered with multiple prior reads. (Thread columns
t1 to t4 and the handler intervals e1, e2 on t1 of the original diagrams are not recoverable;
only the transition order is listed.)
(a) initial sequence z1: r1 post(e1), r2 post(e2), r3 x = 5, r4 read(x), r5 read(x)
(b) sequence z2: r1 post(e1), r2 post(e2), r4 read(x), r3 x = 5, r5 read(x)
(c) sequence z3: r1 post(e1), r2 post(e2), r4 read(x), r5 read(x), r3 x = 5

Figure 17: An interesting sequence z corresponding to Example C.2, not explored by EM-DPOR
when reads to same variable are considered independent (transition order only):
r2 post(e2), r1 post(e1), r5 read(x), r3 x = 5, r4 read(x)
EXAMPLE C.2. Consider an execution trace z1 given in Fig-
ure 16(a), of an event-driven multi-threaded program. Among the
threads t1, t2, t3 and t4, only t1 is associated with an event queue.
Sequence z1 has two pairs of may be co-enabled dependent transi-
tions: (r3, r4) and (r3, r5), assuming any pair of read operations
to be independent.
Assume EM-DPOR initially explores sequence z1 in Fig-
ure 16(a). Algorithm Explore identifies transition pairs (r3, r4)
and (r3, r5) as dependent, identifies backtracking choices using
FindTarget, and eventually explores sequences z2 and z3 (Fig-
ure 16(b) and (c) respectively). However, EM-DPOR does not ex-
plore any more interleaving of transitions r3, r4 and r5, even if
we use the modification discussed in the analysis presented for Ex-
ample C.1 (this modification computes backtracking choices to re-
order r3 with both r4 and r5 in sequence z3, but is ineffective in
this case). As a result, EM-DPOR misses exploring a transition se-
quence similar to z (Figure 17), where r4 reads the write performed
by r3 while r5 does not.
Analysis of Example C.2. A scenario in case of a pure multi-
threaded program analogous to that in Figure 16, is shown in Fig-
ure 18. Transitions ri, rj and rk executed on threads ti, tj and tk
respectively in Figure 18 correspond to transitions r3, r4 and r5
respectively in Figure 16. Relative order of transitions ri, rj and
rk in Figure 18(a), (b) and (c) correspond to relative order of r3,
r4 and r5 in Figure 16(a), (b) and (c) respectively. On exploring
sequence v1 (Figure 18), DPOR (even EM-DPOR) adds thread tk
to backtracking set at state prior to executing ri, when computing
backtracking choices to reorder ri and rk. This leads to exploring
sequence v4 (Figure 18(d)) whose analogue is not explored by EM-
DPOR in case of Example C.2 when considering read operations
to be independent. Thus, for EM-DPOR to explore sequence z (Fig-
ure 17), FindTarget called to reorder r3 and r5 in sequence z1,
should be able to identify the presence of reads to same variable
between the transitions r3 and r5 and coming from other handlers
on the same thread. FindTarget should then reorder posts of such
handlers with post of e2. However, this involves modifications
to Algorithm FindTarget. Instead of modifying FindTarget, we
provide minor modifications to Algorithm Explore to identify rel-
evant event handlers to be reordered in such scenarios. In case of
Example C.2, our modification identifies events e1 and e2 for re-
ordering on exploring sequence z3 (Figure 16(c)) upto the transi-
tion r5.
In addition to the modification we discussed under analysis for
Example C.1, we do the following in Algorithm Explore. After
computing backtracking choices to reorder a write transition r′
with its nearest executed reorderable dependent transition r, we
assume a temporary happens-before mapping from r to r′. We
then invoke FindTarget to reorder r′ with other conflicting read
transitions upto the nearest executed conflicting write. Invoking
FindTarget assuming such a happens-before relation from r to
r′, enables FindTarget to add tasks corresponding to r into the
set candidates computed by the steps of FindTarget (refer Al-
gorithm 2). In scenarios similar to sequence z3 in Example C.2, this
enables FindTarget to reach Step 3, invoke ReschedulePending
(line 18 in Algorithm 2) and identify post operations of rele-
vant event handlers for reordering. The modified version of Algo-
rithm Explore is presented as Algorithm 5.
C.1.2 Modifications to Algorithm Explore
Algorithm Explore (given in Algorithm 5) modified to consider
any pair of reads to the same variable to be independent, is similar
to Algorithm 1 presented in Section 3 except for lines 5-12 in Al-
gorithm 5. The line numbers referred henceforth correspond to Al-
gorithm 5. Function opType(r) finds the type of visible operation
in transition r. After invoking FindTarget on line 4 to compute
backtracking choices and backtracking state to reorder next(s, t)
with the nearest may be co-enabled or reordered dependent tran-
sition, lines 6-11 are executed only if next(s, t) has a write as
visible operation.
Line 6 adds a temporary happens-before mapping from nearest
dependent transition ri to next(s, t). Note that the happens-before
relation defined in Definition 3.1 does not allow such a mapping.
However, we can achieve the mapping i →w task(next(s, t)) by
assuming each transition to be prefixed by a NOP operation which
does not alter the state. We execute the NOP operation and add a
happens-before mapping from ri to this NOP, which results in the
required i →w.NOP task(next(s, t)). Line 7 computes the index
of the most recent conflicting write and stores it in i′. Absence
of prior writes to the variable accessed by transition next(s, t)
assigns −1 to i′. Lines 8–10 compute backtracking choices and
backtracking states to reorder next(s, t) with all the prior may
be co-enabled or reordered dependent transitions up to ri′ with no
happens-before mapping between them. Line 11 removes the HB
mapping between ri and the NOP corresponding to next(s, t).

Figure 18: A scenario analogous to that presented in Figure 16 but in the context of a
multi-threaded program. Threads are tk, tj and ti; ri runs on ti, rj on tj and rk on tk.
(a) initial sequence v1: ri x = 5, rj read(x), rk read(x)
(b) sequence v2: rj read(x), ri x = 5, rk read(x)
(c) sequence v3: rj read(x), rk read(x), ri x = 5
(d) sequence v4: rk read(x), ri x = 5, rj read(x)

Input: a transition sequence w: r1 . . . rn and a set rp of posts to be reordered
1   Let s = last(w); RP(s) = rp
2   foreach thread t do
3       if ∃i = max({i ∈ dom(w) | ri is dependent and (may be co-enabled or reordered
            with next(s, t)) and i ↛w task(next(s, t))}) then
            // Identify backtracking point and choice to reorder ri and next(s, t)
4           FindTarget(w, ri, next(s, t))
5           if opType(next(s, t)) = WRITE then
6               Add a happens-before edge between ri and next(s, t)
7               Let i′ = max({i′ ∈ dom(w) | opType(ri′) = WRITE
                    and var(ri′) = var(next(s, t))} ∪ {−1})
8               foreach j ∈ dom(w) | rj is dependent and (may be co-enabled
                    or reordered with next(s, t)) and j ↛w task(next(s, t)) and j ≥ i′ do
9                   FindTarget(w, rj, next(s, t))
10              end
11              Remove the happens-before edge between ri and next(s, t)
12          end
13      end
14  end
15  if ∃t ∈ enabled(s) then
16      Let backtrack(s) = {t} and done(s) = ∅
        // Perform selective depth-first traversal
17      while ∃t ∈ (backtrack(s) \ done(s)) do
18          Let r = next(s, t); Execute transition r
19          if r is a post operation then
20              if ∃k = max({k ∈ dom(w) | rk ∈ reorderedPosts(r, w.r)}) then
21                  Add thread t to backtrack(pre(w, k))
22              end
23              rp = RP(s) \ {(r, ·) ∈ RP(s)}
24          end
25          Add t to done(s); Explore(w · r)
26      end
27  end
Algorithm 5: Explore
Addition of temporary HB mapping and computing back-
tracking information for all the relevant dependent transitions
when next(s, t) is a write operation, solves the issues explained
through Examples C.1-C.2. In case of Example C.2, line 4 of Al-
gorithm 5 invokes FindTarget to reorder transition r5 and r3
when exploring sequence z3 (see Figure 16). Then, line 6 adds
a temporary happens-before mapping from r5 to r3. Lines 8 and
9 identify r4 as a relevant dependent transition to be reordered
with r3 and invoke FindTarget. Due to happens-before mapping
from r5 to r3, Step 2 of FindTarget (see Algorithm 2 in Sec-
tion 3) compute set candidates = {(t2,⊥), (t1, e2)}. Since both
threads t1 and t2 corresponding to candidates are in done set
at the state from where r4 is executed, Step 3 is reached. Step 3
of FindTarget computes pending = {(t1, e2)} and invokes
ReschedulePending which reorders events e1 and e2, eventu-
ally exploring the sequence given in Figure 17. Thus, modified Al-
gorithm Explore enables EM-DPOR to consider a read opera-
tion to be dependent only with conflicting write operations, and
thus avoids exploring some redundant transition sequences reach-
ing same final states.
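The write-versus-read step of Algorithm 5 (lines 3-11), as an added example written for this appendix rather than code from the EM-DPOR paper or its implementation: it models which prior transitions Explore hands to FindTarget for a write, under the nearest-only rule of Algorithm 1 and under the modified rule, and counts the dependent pairs of Example C.1 under both read relations. The thread assignment of the constructed traces, the may_reorder() test and the program-order-only happens-before check are simplifying assumptions; FindTarget itself is not modelled.

```python
"""Model of the write-vs-read backtracking step of Algorithm 5 (lines 3-11).

Added example for this appendix, not code from the EM-DPOR paper or its
implementation. Thread assignment of the traces, may_reorder() and the
program-order-only happens-before check are simplifying assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Trans:
    name: str                      # e.g. "r3"
    thread: str                    # e.g. "t1"
    op: str                        # "post", "read" or "write"
    var: Optional[str] = None      # shared variable for read/write
    handler: Optional[str] = None  # handler the transition runs in (event-queue threads only)


def dependent(a: Trans, b: Trans, read_read: bool) -> bool:
    """Shared-variable dependence. read_read=True: Algorithm 1 (any two reads of the
    same variable are dependent); read_read=False: Section C.1 (a read is dependent
    only with a conflicting write)."""
    if a.op == "post" or b.op == "post" or a.var != b.var:
        return False
    if a.op == "write" or b.op == "write":
        return True
    return read_read


def may_reorder(a: Trans, b: Trans) -> bool:
    """Assumption standing in for 'may be co-enabled or may be reordered':
    different threads, or different handlers on the same event-queue thread."""
    if a.thread != b.thread:
        return True
    return a.handler is not None and b.handler is not None and a.handler != b.handler


def hb_ordered(a: Trans, b: Trans) -> bool:
    """Assumption standing in for i ->w task(next(s, t)): only program order within
    one thread (and, on an event-queue thread, within one handler) is happens-before."""
    return a.thread == b.thread and a.handler == b.handler


def reorder_targets(w: List[Trans], nxt: Trans, read_read: bool, modified: bool) -> List[str]:
    """Prior transitions (by name) that Explore hands to FindTarget to be reordered
    with nxt = next(s, t) after exploring prefix w.
    modified=False: Algorithm 1 behaviour, lines 3/4 only (nearest dependent transition).
    modified=True:  Algorithm 5, which adds lines 5-11 when nxt is a write.
    FindTarget itself, and the effect of the temporary happens-before edge of line 6
    inside it, are not modelled."""
    cands = [i for i, r in enumerate(w)
             if dependent(r, nxt, read_read) and may_reorder(r, nxt) and not hb_ordered(r, nxt)]
    if not cands:
        return []
    i = max(cands)                     # line 3: nearest reorderable dependent transition
    targets = [w[i].name]              # line 4: FindTarget(w, ri, next(s, t))
    if modified and nxt.op == "write":
        # line 7: index of the most recent conflicting write, -1 if there is none
        i_prime = max([k for k, r in enumerate(w)
                       if r.op == "write" and r.var == nxt.var] + [-1])
        # lines 8-9: every other relevant dependent transition at index >= i'
        for j in sorted(cands, reverse=True):
            if j != i and j >= i_prime:
                targets.append(w[j].name)
    return targets


def dependent_pairs(seq: List[Trans], read_read: bool) -> List[Tuple[str, str]]:
    """Pairs (a, b), a before b in seq, that the chosen relation marks dependent and
    that may be reordered: the pairs a POR has to consider reordering."""
    return [(a.name, b.name) for x, a in enumerate(seq) for b in seq[x + 1:]
            if dependent(a, b, read_read) and may_reorder(a, b)]


# Constructed traces. Figure columns are not recoverable, so the posting threads and
# the thread of the write are assumed; handlers e1 and e2 run on t1 as in the text.
# Example C.1, sequence z1 (Figure 13(a)).
Z1_C1 = [Trans("r1", "t2", "post"), Trans("r2", "t3", "post"),
         Trans("r3", "t1", "read", "x", "e1"), Trans("r4", "t1", "read", "x", "e2"),
         Trans("r5", "t4", "write", "x")]
# Example C.2, sequence z3 (Figure 16(c)) explored up to r3 = next(s, t4).
Z3_C2_PREFIX = [Trans("r1", "t2", "post"), Trans("r2", "t3", "post"),
                Trans("r4", "t1", "read", "x", "e1"), Trans("r5", "t1", "read", "x", "e2")]
R3_C2 = Trans("r3", "t4", "write", "x")
# Constructed prefix with an earlier conflicting write, to show the cut-off at i'.
CUTOFF_PREFIX = [Trans("u1", "t2", "write", "x"), Trans("u2", "t1", "read", "x", "e1"),
                 Trans("u3", "t3", "write", "x"), Trans("u4", "t1", "read", "x", "e2")]
U5 = Trans("u5", "t4", "write", "x")

if __name__ == "__main__":
    print("C.1 z1, read-read dependent:  ", dependent_pairs(Z1_C1, read_read=True))
    print("C.1 z1, read-read independent:", dependent_pairs(Z1_C1, read_read=False))
    print("C.2 z3, nearest only:", reorder_targets(Z3_C2_PREFIX, R3_C2, False, False))
    print("C.2 z3, Algorithm 5: ", reorder_targets(Z3_C2_PREFIX, R3_C2, False, True))
    print("cut-off at i':        ", reorder_targets(CUTOFF_PREFIX, U5, False, True))
```

On the z3 prefix of Example C.2 the nearest-only rule yields r5 alone, while the modified rule also yields r4, the transition whose reordering leads FindTarget to the posts of e1 and e2.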
C.2 Eliminate Dependence Between Non-conflicting lock
Operations
Dependence relation for an event-driven program with a state space
SG and given in Definition 2.2, considers every pair of lock oper-
ations on the same lock object to be dependent. This holds even
for lock acquires on different event handlers on the same thread.
This is because such operations disable each other in the event-
parallel transition system PG introduced in Section 2.2 and are thus
considered dependent in PG (see Definition 2.1). When identify-
ing dependent transitions in different event handlers on the same
thread, the dependence relation (see Definition 2.2) defined for SG
uses the dependences identified over PG. Hence, lock acquires on
a common lock by different event handlers on the same thread will
be considered dependent in SG as well. We assume each lock ac-
quired within an event handler to be released within the same event
handler. This is a reasonable assumption as some widely used pro-
gramming language features like Java’s synchronized construct
for nested acquire and release of lock objects support this assump-
tion. Also, acquiring and releasing locks in different event handlers
can be hard to reason about and problematic if the event handler
acquiring the lock is not guaranteed to always precede the handler
releasing the lock. With this assumption, any pair of lock operations
on the same lock object executed on different event handlers on the
same thread can never contend or deadlock with each other, as (1)
operations executing on the same thread are never co-enabled, (2)
each handler is assumed to execute to completion before the execu-
tion of another handler, and (3) a lock acquired in an event handler
is released within the same event handler as per our assumption.
Hence, lock acquires from different event handlers on the same
thread cannot simultaneously be involved in interesting states such
as deadlocks. We thus consider lock operations executed on differ-
ent event handlers on the same thread, even if acquiring the same
lock object, to be independent. Consequently, we consider any
unlock operation r to be independent with subsequent lock opera-
tions in other event handlers on the same thread as r.

Figure 19: An example illustrating challenges in reordering dependent lock operations when
using modified dependence relation. (Thread columns t1 to t4 and the handler intervals e1, e2
on t1 of the original diagrams are not recoverable; only the transition order is listed.)
(a) initial sequence z1: r1 post(e1), r2 post(e2), r3 lock(l), r4 y = 5, r5 x = 5, r6 unlock(l),
    r7 lock(l), r8 x = 1, r9 unlock(l), r10 lock(l), r11 y = 1, r12 unlock(l)
(b) sequence z2: r1 post(e1), r2 post(e2), r7 lock(l), r8 x = 1, r9 unlock(l), r3 lock(l),
    r4 y = 5, r5 x = 5, r6 unlock(l), r10 lock(l), r11 y = 1, r12 unlock(l)
(c) sequence z3: r1 post(e1), r2 post(e2), r7 lock(l), r8 x = 1, r9 unlock(l), r10 lock(l),
    r11 y = 1, r12 unlock(l), r3 lock(l), r4 y = 5, r5 x = 5, r6 unlock(l)

Figure 20: An interesting sequence z corresponding to Example C.3, not explored by EM-DPOR
(transition order only): r2 post(e2), r1 post(e1), r10 lock(l), r11 y = 1, r12 unlock(l),
r3 lock(l), r4 y = 5, r5 x = 5, r6 unlock(l), r7 lock(l), r8 x = 1, r9 unlock(l)
However in theory, considering operations acquiring the same
lock l in two different handlers h and h′ on the same thread to be
independent is problematic — especially if the same shared vari-
able is accessed (read-write / write-write) by some transi-
tions, say r and r′, in the critical sections protected by the lock
l in h and h′ respectively, resulting in exploring different states on
different ordering of h and h′. This is because r and r′ accessed
within critical sections protected by the same lock in h and h′ re-
spectively, are trivially considered independent in PG (see Defi-
nition 2.1) as they are never co-enabled. Hence, r and r′ may be
considered independent in SG too. However, exploring different
ordering of h and h′ is essential to explore possibly different states
due to conflicting accesses r and r′. In such scenarios, considering
lock acquires corresponding to critical sections of r and r′ to be de-
pendent enables a POR technique to reorder h and h′ even though
the actual conflicting transitions r and r′ are not marked depen-
dent. This will not be possible with our selective lock dependence
proposed above. However in practice, considering all pairs of lock
acquires on different handlers on the same thread to be indepen-
dent does not result in aforementioned problem. This is because,
EM-DPOR over-approximates the set of pairs of dependent tran-
sitions by considering pairs of transitions (a) making conflicting
accesses to shared variables with or without holding a protective
lock, or (b) enabling/disabling each other, to be dependent. Hence,
lock operations on the same object executed on different handlers
on the same thread need not be considered dependent in practice, to
enable EM-DPOR to reorder their respective handlers in case they
access the same shared variable in their critical sections. In the rest
of the section we refer to this over-approximated dependence re-
lation but additionally considering all the pairs of lock operations
and unlock-lock operations executed on different handlers of the
same thread to be independent, as modified dependence relation.
The modified dependence relation preserves dependence be-
tween pairs of lock operations and unlock-lock operations on
same lock objects and executed on different threads. This is be-
cause, a lock acquire disables all other co-enabled lock operations
contending for the same lock, and unlock enables lock opera-
tions waiting for the same lock; making such transitions dependent
due to condition 2 in Definition 2.2. Similar to the proof for Theo-
rem 2.9.1, we can prove that a dependence-covering state space SR
of an Android program A obtained by the modified dependence re-
lation, preserves all deadlock cycles seen in the original state space
SG of A. This is because, a dependence-covering sequence u of a
transition sequence w must preserve the relative order between all
the pairs of lock operations acquiring or contending for the same
lock object and executing on different threads in w, because lock
operations are considered dependent. Thus, if w ∈ SG reaches a
deadlock cycle 〈DC, ρ〉 then u being its dependence-covering se-
quence reaches the same deadlock cycle, as u must preserve the rel-
ative order of acquiring locks among threads involved in the dead-
lock cycle.
Modifications to EM-DPOR to Incorporate Modified
Dependence Relation
EM-DPOR should be able to explore all valid interleaving of op-
erations acquiring the same lock object and executed on differ-
ent threads, even when using modified dependence relation. Ex-
ample C.3 demonstrates that achieving this requires some modifi-
cations to EM-DPOR similar to those introduced in Algorithm 5
described in Section C.1.2.
EXAMPLE C.3. Consider an execution trace z1 explored by EM-
DPOR and given in Figure 19(a), of an event-driven multi-threaded
program. Among the threads t1, t2, t3 and t4, only t1 is attached
with an event queue. EM-DPOR is assumed to use modified depen-
dence relation, thus making transition pairs (r7, r10) and (r9, r10)
independent. Sequence z1 has two pairs of may be co-enabled
dependent transitions with no happens-before mapping between
them: (r3, r7) and (r3, r10). Note that EM-DPOR does not in-
voke FindTarget on transition pairs (r5, r8) and (r4, r11) as they
are ordered by happens-before due to happens-before mapping be-
tween r6 - r7 and r6 - r10 respectively.
On exploring sequence z1 Algorithm Explore identifies tran-
sition pairs (r3, r7) and (r3, r10) as dependent, identifies back-
tracking choices using FindTarget, and eventually explores se-
quences z2 and z3 (Figure 19(b) and (c) respectively). However,
EM-DPOR does not explore any more interleaving of transitions
r3 - r7 - r10 and thus misses exploring a sequence similar to z
(Figure 20), where the locking order of lock l is different com-
pared to that explored by sequences z1, z2 and z3. Also, z reaches
a new state (compared to states reached by z1, z2 and z3) where
variables x and y are assigned values 1 and 5 respectively. Even if
Algorithm Explore is modified to compute backtracking choices
to reorder a lock operation with all the prior executed may be co-
enabled lock operations with no happens-before relation (instead
of only the nearest lock operation), EM-DPOR will not be able to
explore sequence z.
Analysis of Example C.3. The scenario represented in Exam-
ple C.3 is similar to that in Example C.2. Specifically, in Exam-
ple C.3 lock in transition r3 is dependent with transitions r7 and
r10 executed in different handlers on the same thread while r7 and
r10 are mutually independent, similar to the way write in transi-
tion r3 is dependent with read operations in r4 and r5 executed
in different handlers on the same thread in Example C.2. Hence,
we propose modifications to Algorithm Explore similar to those
explained in Section C.1.
In the initial phase of Algorithm Explore which invokes
FindTarget, we do the following if next(s, t) contains a
lock operation. We compute backtracking choices (by invoking
FindTarget) to reorder next(s, t) with the nearest may be co-
enabled (i.e., not executed on thread t) lock operation, say r, ac-
quiring the same lock object. If r is executed in an event handler
(i.e., r is executed on a thread with an event queue), we add a
temporary happens-before mapping from r to next(s, t). We then
compute backtracking choices and backtracking states to reorder
next(s, t) with all the prior lock operations executed in various
handlers on r’s thread which do not have a happens-before map-
ping with next(s, t), till we find a lock operation, say r′, exe-
cuted on a thread other than thread(r) such that index of r′ is
lesser than the index of the lock operations on r’s thread reordered
with next(s, t). After computing backtracking choices to reorder
next(s, t) with all the relevant lock operations, we remove the
temporary happens-before mapping between r and next(s, t) and
continue with the remaining steps in Explore.
