Abstract. We address the problem of statically checking safety properties (such as assertions or deadlocks) for parameterized phaser programs. Phasers embody a non-trivial and modern synchronization construct used to orchestrate executions of parallel tasks. This generic construct supports dynamic parallelism with runtime registrations and deregistrations of spawned tasks. It generalizes many synchronization patterns such as collective and point-to-point schemes. For instance, phasers can enforce barriers or producer-consumer synchronization patterns among all or subsets of the running tasks. We consider in this work programs that may generate arbitrarily many tasks and phasers. We study different formulations of the verification problem and propose an exact procedure that is guaranteed to terminate for some reachability problems even in the presence of unbounded phases and arbitrarily many spawned tasks. In addition, we prove undecidability results for several problems on which our procedure cannot be guaranteed to terminate.
Introduction
We focus on the parameterized verification problem of parallel programs that adopt the phasers construct for synchronization [15] . This coordination construct unifies collective and point-to-point synchronization. Parameterized verification is particularly relevant for mainstream parallel programs as the number of interdependent tasks in many applications, from scientific computing to web services or e-banking, may not be known apriori. Parameterized verification of phaser programs is a challenging problem due to the arbitrary numbers of involved tasks and phasers. In this work, we address this problem and provide an exact symbolic verification procedure. We identify parameterized problems for which our procedure is guaranteed to terminate and prove the undecidability of several variants on which our procedure cannot be guaranteed to terminate in general.
Phasers build on the clock construct from the X10 programming language [5] and are implemented in Habanero Java [4] . They can be added to any parallel programming language with a shared address space. Conceptually, phasers are synchronization entities to which tasks can be registered or unregistered. Registered tasks may act as producers, consumers, or both. Tasks can individually issue signal, wait, and next commands to a phaser they are registered to. Intuitively, a signal command is used to inform other tasks registered to the same phaser that the issuing task is done with its current phase. It increments the signal value associated to the issuing task on the given phaser. The wait command on the other hand checks whether all signal values in the phaser are greater than the number of waits issued by this task, i.e. all registered tasks have passed the issuing task's wait phase. It then increments the wait value associated to the task on the phaser. As a result, the wait command might block the issuing task until other tasks issue enough signals. The next command consists in a signal followed by a wait. The next command may be associated to a sequence of statements that are to be executed in isolation by one of the registered tasks participating in the command. A program that does not use this feature of the next statement is said to be non-atomic. A task deregisters from a phaser by issuing a drop command on it.
The dynamic synchronization allowed by the construct suits applications that need dynamic load balancing (e.g, for solving non-uniform problems with unpredictable load estimates [17] ). Dynamic behavior is enabled by the possible runtime creation of tasks and phasers and their registration/de-registration. Moreover, the spawned tasks can work in different phases, adding flexibility to the synchronization pattern. The generality of the construct makes it also interesting from a theoretical perspective, as many language constructs can be expressed using phasers. For example, synchronization barriers of Single Program Multiple Data programs, the Bulk Synchronous Parallel computation model [16] , or promises and futures constructs [3] can be expressed using phasers.
This paper provides general (un)decidability results that we believe will guide verification of other synchronization constructs. We identify combinations of features (e.g., unbounded differences between signal and wait phases, atomic statements) and properties to be checked (e.g., assertions, deadlocks) for which the parameterized verification problem becomes undecidable. These help identify synchronization constructs with enough expressivity to result in undecidable parameterized verification problems. We also provide a symbolic verification procedure that terminates even on fragments with arbitrary phases and numbers of spawned tasks. We get back to possible implications in the conclusion. We summarize our contributions:
-We show an operational model for phaser programs based on [15, 4, 6, 9] .
-We propose an exact symbolic verification procedure for checking reachability of sets of configurations for non-atomic phaser programs even when arbitrarily many tasks and phasers may be generated. -We prove undecidability results for several reachability problems.
-We show termination of our procedure when checking assertions for nonatomic programs even when arbitrary many tasks may be spawned. -We show termination of our procedure when checking deadlock-freedom and assertions for non-atomic programs in which the difference between signal and wait phases is bounded, even when arbitrary many tasks may be spawned.
Related work. The closest work to ours is [9] , which is the only work on automatic and static formal verification of phaser programs. The work in [9] does not consider the parameterized case. Termination guarantees for its verification procedure require bounding the numbers of generated tasks and phasers. The work of [6] considers the dynamic verification of phaser programs and can therefore only be used to detect deadlocks at runtime. The work in [2] uses Java Path Finder [10] to explore all execution paths of the application. It is however also restricted to work on one concrete input at a time. A more general description of the phasers mechanism of Habanero Java has also been formalized in Coq [7] .
Outline. We describe the phasers construct in Sec. 2. We then formally introduce the construct and show the associated general reachability problem to be undecidable in Sec. 3. We describe in Sec. 4 our symbolic representation and state some of its non-trivial properties. We use the representation in Sec. 5 to define a verification procedure and establish decidability results. We refine our undecidability results in Sec. 6 and summarize our findings in Sec. 7. Fig. 1 . An unbounded number of producers and consumers are synchronized using two phasers. In this construction, each consumer requires all producers to be ahead of it (wrt. the p phaser) in order for it to consume their respective products. At the same time, each consumer needs to be ahead of all producers (wrt. the c phaser) in order for the producers to be able to move to the next phase and produce new items.
Motivating example
The program listed in Fig. (1) uses Boolean shared variables B = {a, done}. The main task creates two phasers (line 4-5). When creating a phaser, the task gets automatically registered to it. The main task also creates an unbounded number of other task instances (lines 7-8). When a task t is registered to a phaser p, a pair (w p t , s p t ) in N 2 can be associated to the couple (t, p). The pair represents the individual wait and signal phases of task t on phaser p.
Registration of a task to a phaser can occur in one of three modes: Sig Wait, Wait and Sig. In Sig Wait mode, a task may issue both signal and wait commands. In Wait mode, a task may only issue wait commands on the phaser. Finally, when registered in Sig mode, a task may only issue signal commands. Issuing a signal command by a task on a phaser results in the task incrementing its signal phase associated to the phaser. This command is non-blocking. On the other-hand, issuing a wait command by a task on a phaser p will block until all tasks registered to p get signal values on p that are strictly larger than the wait value of the issuing task on the same phaser. In this case, the wait phase of the issuing task is incremented. Intuitively, a signal command allows the issuing task to state that other tasks need not wait for it to complete its signal phase. In retrospect, a wait command allows a task to make sure all registered tasks have moved past its wait phase.
Upon creation of a phaser, wait and signal phases are initialized to 0 (except in Wait mode where no signal phase is associated to the task in order to not block other waiters). The only other way a task may get registered to a phaser is if an already registered task spawns and registers it in the same mode (or in Wait or Sig if the registrar is registered in Sig Wait). In this case, wait and signal phases of the newly registered task are initialized to those of the registrar. Tasks are therefore dynamically registered (e.g., lines 7-8). They can also dynamically deregister themselves (e.g., line 10-11).
In this example, an unbounded number of producers and consumers are synchronized using two phasers. Consumers require producers to be ahead of them (wrt. the phaser they point to with p) in order for them to consume their products. At the same time, consumers need to be ahead of all producers (wrt. the phaser pointed to with c) in order for these to produce their items. It should be clear that phasers can be used as barriers for synchronizing dynamic subsets of concurrent tasks. Observe that tasks need not, in general, proceed in a lock step fashion. The difference between the largest signal value and the smallest wait value can be arbitrarily large (several signals before waits catch up). Tasks have then more flexibility to proceed at their own speeds.
We are interested in checking: (a) control reachability as in assertions (e.g., line 20), race conditions (e.g., mutual exclusion of lines 20 and 33 ) or registration errors (e.g., signaling a dropped phaser), and (b) plain reachability as in deadlocks (e.g., a producer at line 19 and a consumer at line 30 with equal phases waiting for each). Intuitively, both problems concern themselves with the reachability of target sets of program configurations. The difference is that control state reachability defines the targets with the states of the tasks (their control locations and whether they are registered to some phasers). Plain reachability can, in addition, constrain values of the phases in the target configurations (e.g., requiring equality between wait and signal values for deadlocks). Observe that control state reachability depends on the values of the actual phases, but these values are not used to define the target sets. For example, assertions are expressed as predicates over Boolean variables (e.g., line 20). Validity of such assertions may depend on respecting phasers synchronizations.
Phaser programs and reachability
We define the syntax and semantics of a core phaser programs language. We make sure the simplified language presented here is representative of the general purpose languages using phasers so that our results have a practical impact. A phaser program prg = (B, V, T) involves a set T of tasks including a unique "main" task main(){stmt}. Arbitrary many instances of each task might be spawned during a program execution. All task instances share a set B of Boolean variables and make use of a set V of phaser variables that are local to individual task instances. Arbitrary many phasers might also be generated during program execution. Syntax of programs is as follows.
Initially, a unique task instance starts executing the main(){stmt} task. A phaser can recall a pair of values (i.e., wait and signal) for each task instance registered to it. A task instance can create a new phaser with v = newPhaser(), get registered to it (i.e., gets zero as wait and signal values associated to the new phaser) and refer to the phaser with its local variable v. We simplify the presentation by assuming all registrations to be in Sig Wait mode. Including the other modes is a matter of depriving Wait-registered tasks of a signal value (to ensure they do not block other registered tasks) and of ensuring issued commands respect registration modes. We use V for the union of all local phaser variables. A task task(v 1 , . . . , v k ) {stmt} in T takes the phaser variables v 1 , . . . v k as parameters (write paramOf(task) to mean these parameters). A task instance can spawn another task instance with asynch(task, v 1 , . . . , v n ). The issuing task instance registers the spawned task to the phasers pointed to by v 1 , . . . , v n , with its own wait and signal values. Spawner and Spawnee execute concurrently. A task instance can deregister itself from a phaser with v.drop().
A task instance can issue signal or wait commands on a phaser referenced by v and on which it is registered. A wait command on a phaser blocks until the wait value of the task instance executing the wait on the phaser is strictly smaller than the signal value of all task instances registered to the phaser. In other words, v.wait() blocks if v points to a phaser such that at least one of the signal values stored by the phaser is equal to the wait value of the task that tries to perform the wait. A signal command does not block. It only increments the signal value of the task instance executing the signal command on the phaser. v.next() is syntactic sugar for a signal followed by a wait. Moreover, v.next(){stmt} is similar to v.next() but the block of code stmt is executed atomically by exactly one of the tasks participating in the synchronization before all tasks continue the execution that follows the barrier. v.next(){stmt} thus requires all tasks to be synchronized on exactly the same statement and is less flexible. Abscence of a v.next(){stmt} makes a program non-atomic.
Note that assignment of phaser variables is excluded from the syntax; additionally, we restrict task creation asynch(task, v 1 , . . . , v n ) and require that parameter variables v i are all different. This prevents two variables from pointing to the same phaser and avoids the need to deal with aliasing: we can reason on the single variable in a process that points to a phaser. Extending our work to deal with aliasing is easy but would require heavier notations.
We will need the notions of configurations, partial configurations and inclusion in order to define the reachability problems we consider in this work. We introduce them in the following and assume a phaser program prg = (B, V, T).
Configurations. Configurations of a phaser program describe valuations of its variables, control sequences of its tasks and registration details to the phasers. Control sequences. We define the set Suff of control sequences of prg to be the set of suffixes of all sequences stmt appearing in some statement task(. . .) {stmt}. In addition, we define UnrSuff to be the smallest set containing Suff in addition to the suffixes of all (i) -T is a finite set of task identifiers. We let t, u range over the values in T .
-P is a finite set of phaser identifiers. We let p, q range over the values in P .
-bv : B → B { * } fixes the values of some of the shared variables.
3
-seq : T → UnrSuff { * } fixes the control sequences of some of the tasks.
, nreg} is a mapping that associates to each task t in T a partial mapping stating which phasers are known by the task and with which registration values.
Intuitively, partial configurations are used to state some facts about the valuations of variables and the control sequences of tasks and their registrations. Partial configurations leave some details unconstrained using partial mappings or the symbol * . For instance, if bv(b) = * in a partial configuration T , P , bv, seq, phase , then the partial configuration does not constrain the value of the shared variable b. Moreovcer, a partial configuration does not constrain the relation between a task t and a phaser p when phase(t)(p) is undefined. Instead, when the partial mapping phase(t) is defined on phaser p, it associates a pair phase(t)(p) = (var, val) to p. If var ∈ V {−, * } is a variable v ∈ V then the task t in T uses its variable v to refer to the phaser p in P 4 . If var is the symbol − then the task t does not refer to v with any of its variables in V. If var is the symbol * , then the task might or might not refer to p. The value val in phase(t)(p) = (var, val) is either the value nreg or a pair (w, s). The value nreg means the task t is not registered to phaser p. The pair (w, s) belongs to (N×N)∪{( * , * )}. In this case, task t is registered to phaser p with a symbolic wait phase w and a symbolic signal phase s. The value * means that the wait phase w (resp. signal phase s) can be any value in N. For instance, phase(t)(p) = (v, nreg) means variable v of the task t refers to phaser p but the task is not registered to p. On the other hand, phase(t)(p) = (−, ( * , * )) means the task t does not refer to p but is registered to it with a arbitrary wait and signal phases. Concrete configurations. A concrete configuration (or configuration for short) is a partial configuration T , P , bv, seq, phase where phase(t) is total for each t ∈ T and where the symbol * does not appear in any range. It is a tuple T , P , bv, seq, phase where bv : B → B, seq : T → UnrSuff, and phase :
. For a concrete configuration T , P , bv, seq, phase , we write isReg(phase, t, p) to mean the predicate phase(t)(p) ∈ V {−} × {nreg} . The predicate isReg(phase, t, p) captures whether the task t is registered to phaser p according to the mapping phase.
a partial configuration c = T , P , bv, seq, phase if renaming and deleting tasks and phasers from c ′ can give a configuration that "matches" c. More formally,
for each b ∈ B and there are injections τ : T → T ′ and π : P → P ′ s.t. for each t ∈ T and p ∈ P : (1) ((seq(t) = seq ′ (τ (t))) =⇒ (seq(t) = * )), and either (2.a) phase(t)(p) is undefined, or (2.b) phase(t)(p) = (var, val) and phase
Semantics and reachability. Given a program prg = (B, V, T), the main task main(){stmt} starts executing stmt from an initial configuration c init = (T init , P init , bv init , seq init , phase init ) where T init is a singleton, P init is empty, bv init sends all shared variables to false and seq init associates stmt to the unique task in T init . We write c −→ c ′ to mean configuration c ′ can be obtained from configuration c by the operational semantic rules defined in Fig. 2 . We write * −→ to mean the reflexive transitive closure of −→. Fig. 3 identifies erroneous configurations.
We are interested in the reachability of sets of configurations (i.e., checking safety properties). We differentiate between two reachability problems depending on whether the target sets of configurations constrain the registration phases or not. The plain reachability problem constrains the registration phases of the target configurations. The control reachability problem only constrains registration
T , P , bv, seq, phase
T , P , bv, seq, phase hd(seq(t)) = assert(cond) cond bv = false T , P , bv, seq, phase ∈ AssertErrors assertion : errors hd(seq(t)) = b ′ := cond ′ (b ′ coincides with b or appears in cond) hd(seq(u)) ∈ {b := cond, if(cond) {stmt}, while(cond) {stmt}, assert(cond)} T , P , bv, seq, phase ∈ RaceErrors race : errors
T , P , bv , seq, phase ∈ DeadlockErrors (deadlock : errors) status, control sequences, or variable values. We will see that decidability of the two problems can be different. The two problems are defined in the following. Plain reachability. First, we define equivalent configurations. A configuration c = T , P , bv, seq, phase is equivalent to configuration c
if bv = bv ′ and there are bijections τ : T → T ′ and π : P → P ′ such that, for all t ∈ T , p ∈ P and var ∈ V {−} , seq(t) = seq ′ (τ (t)) and there are some integers (k p ) p∈P such that phase(t)(p) = (var, (w, s)) iff phase ′ (τ (t))(π(p)) = (var, (w + k p , s + k p )). We write c ∼ c ′ to mean that c and c ′ are equivalent. Intuitively, equivalent configurations simulate each other. We can establish the following: Observe that if the wait value of a task t on a phaser p is equal to the signal of a task t ′ on the same phaser p in some configuration c, then this is also the case, up to a renaming of the phasers and tasks, in all equivalent configurations. This is particularly relevant for defining deadlock configurations where a number of tasks are waiting for each other. The plain reachability problem is given a program and a target partial configuration and asks whether a configuration (equivalent to a configuration) that includes the target partial configuration is reachable. More formally, given a program prg and a partial configuration c, let c init be the initial configuration of prg, then reach(prg, c) if and only if c init * −→ c 1 for c 1 ∼ c 2 and c 2 includes c.
Definition 1 (Plain reachability). For a program prg and a partial configuration c, decide whether reach(prg, c) holds.
Control reachability. A partial configuration c = T , P , bv, seq, phase is said to be a control partial configuration if for all t ∈ T and p ∈ P , either phase(t)(p) is undefined or phase(t)(p) ∈ (V {−, * } × {( * , * ) , nreg}). Intuitively, control partial configurations do not constrain phase values. They are enough to characterize, for example, configurations where an assertion is violated (see Fig. 3 ).
Definition 2 (Control reachability). For a program prg and a control partial configuration c, decide whether reach(prg, c) holds.
Observe that plain reachability is at least as hard to answer as control reachability since any control partial configuration is also a partial configuration. It turns out the control reachability problem is undecidable for programs resulting in arbitrarily many tasks and phasers as stated by the theorem below. Theorem 1. Control reachability is undecidable in general.
Proof. Sktech. We encode the state reachability problem of an arbitrary 2-counters Minsky machine as the control reachability problem of a phaser program. Assume a 2-counters Minsky machine (S, {x, y} , ∆, s 0 , s F ). We construct a phaser program (see Fig. 4 ) that uses boolean shared variables to encode the state s ∈ S of the Minsky machine and to pass information between the different tasks about the current transition to be simulated. The phaser programs builds two chains, one for each counter in {x, y}. Each chain alternates a phaser and a task and encodes the values of its counter with its length. The idea is to have the phaser program simulate all transitions of the counter machine, i.e., increments, decrements and tests for zero. Answering state reachability of the counter machine amounts to checking whether there are reachable configurations where the boolean variables encoding the counter machine can evaluate to the target machine state s F . This can be captured with a control partial configuration.
A gap-based symbolic representation
The symbolic representation we propose builds on the following intuitions. First, observe the language semantics impose the invariant that signal values are always larger or equal to wait values. In addition, our reachability problems from Sec. 3 are defined in terms of reachability of equivalence classes, not of individual configurations. This is because configurations violating considered properties (e.g., assertions or deadlocks) depend on the relations among phases, not on their actual values. For instance, if a wait is enabled with smaller gaps, it will be enabled with larger ones. We therefore propose to track the gaps of the differences between signal and wait values wrt. to an existentially quantified level (per phaser) that lies between wait and signal values of all registered tasks.
We formally define our symbolic representation and describe a corresponding entailment relation. We also establish a desirable property (namely that of being a well-quasi-ordering) on some classes of representations. This property ensures termination of the verification procedure described in Sec. 5. 
, and (ii) (val = nreg) ⇐⇒ (val ′ = nreg), and (iii) if val = (lw, ls, uw, us) and
Constraints. A constraint φ is a tuple T , P , bv, seq, gap, egap where:
-T , P , bv : B → B { * } and seq : T → UnrSuff { * } respectively represent, like for partial configurations, a set of tasks, phasers, a valuation of the Boolean variables and a mapping of tasks to their control sequences.
-gap : T → totalFunctions (P , G). A mapping gap(t) is associated to each task t in T . This mapping associates to each phaser p a pair (var, val) ∈ G. -egap : P → N 2 associates to each phaser p a pair (ew, es) representing lower bounds on gaps of registered tasks that are not explicitly captured by T .
We write isReg(gap, t, p) to mean the task t is registered to the phaser p, i.e., gap(t)(p) ∈ (V {−, * } × {nreg}). A constraint φ is said to be free (resp. Bgap-bounded or B-good) if the set G = gap(t)(p) | t ∈ T , p ∈ P is free (resp. B-gap-bounded or B-good). The dimension of a constraint is the number of its phasers (i.e., |P |). A set of constraints Φ is said to be free, B-gap-bounded, B-good or K-dimension-bounded if each of its constraints are. Denotations. A constraint φ = T φ , P φ , bv φ , seq φ , gap φ , egap φ denotes a configuration c = T c , P c , bv c , seq c , phase c , if: Intuitively, for each phaser, the bounds given by gap constrain the values of the phases belonging to tasks captured by T and registered to the given phaser. This is done with respect to some non-negative level, one per phaser. The same level is used to constrain phases of tasks registered to the phaser but not captured by T . For these, lower bounds are enough as we only want to ensure they do not block executions to target sets of configurations. (lw a , ls a , uw a , us a ) ), with egap a (p a ) = (ew a , es a ), both (ew a ≤ lw b ) and (es a ≤ ls b ) hold.
We say in this case that τ and π witness the entailment of φ a by φ b .
Lemma 2 (Constraint entailment
Proof. Assume a configuration c = T c , P c , bv c , seq c , phase c is denoted by φ b = T b , P b , bv b , seq b , gap b , egap a with φ a ⊑ φ b and φ a = T a , P a , bv a , seq a , gap a , egap a . We show c is also denoted by φ a .
By assumption, we can write T c as a partition T . Observe that τ is a well defined surjection. In addition, we write π to mean the restriction of π φ • π c to P m,m c . Observe that π is a well defined bijection. We show that τ and π witness the denotation of c by φ b . The idea is to propose an encoding for each constraint φ = T , P , bv, seq, gap, egap wrt. some arbitrary total orders < P and < T . We write enc(φ, < T , < P ) for the encoding of φ. We also define an entailment relation ⊑ e on encodings. Then, we show in Lem. 7 that enc(φ, < T , < P ) ⊑ e enc(φ ′ , < T ′ , < P ′ ) implies φ ⊑ φ ′ . Finally, we show in Lem. 8 that ⊑ e is WQO if the encoded dimension-bounded constraints are free or gap-bounded. We start with the named gaps. We can show the following lemma:
A task state of dimension K is any tuple in (UnrSuff × G K ) where K is a natural in N (corresponding to the number of phasers in the constraint to be encoded). We write (s, g 1 , . .
for two task states to mean that they have the same dimension (i.e., K = K ′ ), that (s = s ′ ⇒ s = * ), and that g k g ′ k for each k : 1 ≤ k ≤ K. Using Higman's lemma [11] and Lem. 3, we can show the following:
Let M UnrSuff × G K be the set of finite multisets over (UnrSuff × G K ). We write A ∀ ∃ B, for A and B two multisets in M UnrSuff × G K , if each element a ∈ A can be mapped to an element b ∈ B for which a b. By adapting Higman's lemma [11] and using Lem. 4, we can show the following lemma:
We write A ∃ ∀ B, for A and B finite multisets in M UnrSuff × G K , to mean that each b ∈ B can be mapped to some a ∈ A for which a b. Rado's structure [12, 13] shows that (M (S) , ∃ ∀ ) need not be WQO just because is WQO over S. Still, we establish the following result:
Proof. We proceed by contradiction. Assume, without loss of generality, an in- . . . on k is either constant or strictly increasing, i.e.,:
We rename the sequence A i1 , A i2 , . . . into A 1 , A 2 , . . . . We obtain a ∃ ∀ -bad sequence A 1 , A 2 , . . . of -minimal sets satisfying the constraints depicted in the following figure: 
Observations (1) and (2) Encodings of constraints. Given a finite set Q and an associated total order < Q , we write Q [i] ∈ Q to mean the element of Q with < Q -index i ∈ {1, . . . |Q|} 5 . For instance, given a finite set of phasers P and an associated total order < P , we write P [k] to mean the phaser with < P -index k in P . The encoding of a constraint φ = T , P , bv, seq, gap, egap with respect to total orders < P and < T , written enc(φ, < T , < P ), is a tuple (bv, acc, env ) where:
1. bv : B → B { * } is the same as in φ,
with index j in P , 3. env : {1, . . . |P |} → N 2 associates to each phaser P [j] in P the pair env(j) = egap(P [j] ).
Observe that if two constraints result in the same encoding, then they can be obtained from each other by renaming the tasks and the phasers. As a consequence, if a constraint is free (resp. B-gap-bounded or B-good), then all constraints resulting in the same encoding will also be free (resp., B-gap-bounded or B-good). We define the dimension of an encoding (bv, acc, env ) to be the size of the domain of env (i.e., the dimension of an encoded constraint). A (possibly infinite) set of encodings E is said to be free (resp. gap-bounded or good) if all constraints encoded by any of its elements are free (resp. gap-bounded or good). The set is said to be dimension-bounded if there is natural K in N that is larger than the dimension of any of its elements.
Entailment of encodings. Assume two encodings (bv, acc, env ) and bv
Lemma 7. Let φ = T , P , bv, seq, gap, egap and φ
Proof. From (bv, acc, env) ⊑ e (bv ′ , acc ′ , env ′ ) we deduce |P | = |P ′ | and the existence of a surjection h : {1, . . . , |T ′ |} → {1, . . . , |T |}, such that acc(h(i)) acc ′ (i) for each i ∈ {1, . . . , |T ′ |}, and env (j) ≤ 2 env ′ (j) for each j ∈ {1, . . . , |P ′ |}.
Observe τ is surjective and π is bijective. 3. for each i ∈ {1, . . . , |T ′ |}, we have that acc(h(i)) acc
. By definition of , we get:
and ls ≤ ls ′ and uw ′ ≤ uw and us ′ ≤ us 4. for each j ∈ {1, . . . , |P ′ |}, we have env (j) ≤ 2 env ′ (j). By definition, env(j) = egap(P [j] ) and env
is WQO if the set E of encodings is dimension-bounded and good.
Proof. Assume a dimension-bounded set E of good encodings and an infinite sequence S 1 = (bv 1 , acc 1 , env 1 ), (bv 2 , acc 2 , env 2 ), . . . . We show the existence of i, j : 1 ≤ i < j for which (bv i , acc i , env i ) ⊑ e (bv j , acc j , env j ). Dimension-boundedness of E ensures there are infinitely many encodings in S 1 with the same dimension, say K. We extract the subsequence S 2 consisting in all encodings with dimension K in S 1 . In addition, observe that the set of possible valuations of the Boolean variables is finite. We can therefore extract from S 2 a subsequence S 3 where all elements share the same valuation of the Boolean variables. Let us rewrite S 3 , for simplicity, as the sequence (bv 1 , acc 1 , env 1 ), (bv 2 , acc 2 , env 2 ), . . . . For each i : 1 ≤ i, we can represent the mapping env i as the tuple
K . Using Higman's lemma, we can extract from S 3 a subsequence S 4 , also renamed to (bv 1 , acc 1 , env 1 ), (bv 2 , acc 2 , env 2 ), . . . for simplicity, where
we write m acc i to mean the multiset over (UnrSuff × G K ) where the number of occurrences of an element (s, g 1 , . . . , g K ) coincides with the number of indices j in {1, . . . , L i } for which acc i (j) = (s, g 1 , . . . , g K ). Consider the sequence m acc 1 , m acc 2 , m acc 3 , . . . of elements in M UnrSuff × G K . Using the fact that E is good together with Lem. 5 and 6, we deduce the existence of i, j : i < j for which m acc i ∀ ∃ m acc j and m acc i ∃ ∀ m acc j . We can therefore build a surjection h :
A symbolic verification procedure
We use the constraints from Sec. 4 as a symbolic representation in the workinglist based backward procedure described below. This backward procedure corresponds to an instanciation of the framwork of Well-Structured-TransitionSystems [1, 8] . The procedure takes as arguments a program prg and a ⊑-minimal set Φ of constraints denoting the targeted set of configurations. This set can be easily built from the partial configurations described in Fig. 3 .
Intuitively, the program statement for which the set of predecessors are being computed at line 7 of the procedure can be executed by a task captured by the constraint explicitly (i.e., t ∈ T ) or implicitly (i.e., u ∈ T but satisfying the environment gaps). . Intuitively, we do not exactly capture the predecessors of an atomic instruction as it may encode a test-and-set operation. Such an operation can be made to only be carried by exactly one task. Our representation allows for more tasks (and larger gaps), but the additional tasks may not be able to carry the atomic operation. We would therefore obtain a non-exact over-approximation and avoid this issue by only applying the procedure to non-atomic programs. In fact, we show in Sect. 6 that atomic instructions make undecidable checking reachability problems decided by the procedure. Using Lem. 2, we can show by induction partial correctness. if cinit |= φ then return trace;
Remove from Working and Visited each (ψ, ) s.t. φ ′ ⊑ ψ;
10
Add (φ ′ , φ ′ · t · trace) to both Working and Visited;
11 return unreachable ;
Procedure check(prg,Φ), a simple working list procedure for checking constraints reachability. We can also show the procedure to terminate if we only manipulate boundeddimension and free or bounded-gap constraints. Proof. Sketch. Lem. 9 and 10. Also, The set of target constraints is free and this is preserved by the pre computation in Fig. 5, 6 , 7 and 8.
Theorem 4. Plain reachability for programs generating a finite number of phasers and bounded-gaps is decidable.
Proof. Sketch. Lem. 9 and 10. Also, The set of target constraints is either free or gap-bounded. This is assumed to be preserved by the programs.
Limitations of deciding reachability
We state in the following a number of parameterized reachability problems that are undecidable. First, we recall in the following the reachability problem for a 2-counters Minsky machine (counter-machine for short). We will then reduce the state-reachability problem for 2-counter machines to the relevant parameterized reachability problems. Counter machines. A 2-counters machine is a tuple (S, {x 1 , x 2 } , ∆, s 0 , s F ) where S is a finite set of states, {x 1 , x 2 } are two counters with values in N, s 0 is the initial state, s F is the final state, and ∆ may contain transitions of the form:
Machine configurations are given by triples (s, ν 1 , ν 2 ) where s is a state in S and both ν 1 and ν 2 are natural numbers in N. We write (
We write * −→ for the reflexive transitive closure of −→. The state reachability problem for the 2-counter machine above asks whether (s 0 , 0, 0) * −→ (s F , ν 1 , ν 2 ) for some ν 1 , ν 2 in N.
Theorem 5 (Minsky machines [14] ). The state reachability problem for 2-counter machines is undecidable in general.
Assume a program prg = (B, V, T), its initial configuration c init and a target partial control configuration c. First, we check whether we can reach a configuration exclusively through K-dimension-bounded configurations (i.e., by discarding all paths involving dimensions larger than K):
Definition 3 (Dimension-truncated control reachability). Assume a program prg with initial configuration c init and a partial configuration c. We write reach k (prg, c) to mean that there are n + 1 k-dimension-bounded configurations (c i ) i:0≤i≤n such that c init = c 0 and c = c n−1 and c i −→ c i+1 for i : 0 ≤ i < n − 1 and c n−1 ∼ c n with c n includes c. Theorem 6. Dimension-truncated control reachability is undecidable in general.
Proof. Sketch. We encode the state reachability problem of an arbitrary 2-counters Minsky machine (S, {x, y} , ∆, s 0 , s F ) as the control reachability problem of the phaser program depicted in Figures 9 and 10 . The idea is to associate a phaser xPh to counter x (resp. yPh to counter y) and: (1) to spawn an instance of task xTask (resp. yTask) and register it to xPh (resp. yPh), and (2) to perform a wait on xPh (resp. yPh) to test for zero on counter x (resp. counter y). Decrementing a counter, for example counter x, involves asking an xTask to exit (hence, to deregister from phaser xPh). However, more than one task might participate in the decrement operation. For this reason, each participating task builds a simple path of size 5 from xPh down to child2. If more than one xPh participates in the decrement, then the number of phasers of an intermediary configuration (namely the one where the participating tasks are executing line 35 in Fig.10 ) is at least 5 depending on the number of participants. The assertion at line 19 in Fig.10 ensures at least one task participates in the decrement operation. As a result, the phaser program will reach a configuration sending the variable s to s F via configurations having at most 4 phasers iff the counter machine reaches a configuration with state s F .
Theorem 7.
Control reachability of phaser programs generating a finite number of phasers is undecidable if atomic statements are allowed.
Proof. Sketch. We encode the state reachability problem of an arbitrary 2-counters Minsky machine (S, {x, y} , ∆, s 0 , s F ) as the control reachability problem of the phaser program depicted in Figure 11 . The idea is to associate a phaser xPh to counter x (resp. yPh to counter y) and: (1) to spawn an instance of task xTask (resp. yTask) and register it to xPh (resp. yPh), and (2) to perform a wait on xPh (resp. yPh) to test for zero on counter x (resp. ounter y). Decrementing a counter, for example counter x, involves asking an xTask to exit (hence, to deregister from phaser xPh). Here, we use atomic statements to ensure only one xTask instance is exited. As a result, the phaser program will reach a configuration sending the variable s to s F iff the counter machine reaches a configuration with state s F .
Finally, even with finite numbers of tasks and phasers, but with arbitrary gap-bounds, we can show [9] the following. Theorem 8. Plain reachability of dimension-bounded programs is undecidable.
Conclusion
We have studied parameterized plain (e.g., deadlocks) and control (e.g., assertions) reachability problems for phaser programs. We have proposed an exact verification procedure for non-atomic programs. The procedure can be used for answering both control and plain reachability problems. We summarize our findings in table 7. The procedure is guaranteed to terminate, even for programs that may generate arbitrary many tasks but finitely many phasers, when checking control reachability or when checking plain reachability with bounded gaps.
These results were obtained using a non-trivial symbolic representation for which termination had required showing an ∃ ∀ preorder on multisets on gaps on natural numbers to be a WQO. We believe these general decidability results are useful to reason about synchronization constructs other than phasers. For instance, a traditional static barrier can be captured with one phaser and with bounded gaps (in fact one). Similarly, one phaser with one producer and arbitrary many consumers can be used to capture futures where a "get" instruction can be modeled with a wait. We believe our negative results can also be used. For instance, atomic instructions can be modeled using test-and-set operation and may result in the undecidability of the reachability problem. This suggests more general applications of the work are to be investigated. Table 1 . Summary of the findings for answering reach(prg, c). A stands for allowing the v.next(){stmt} atomic instruction and N for forbidding it (resulting in non-atomic programs). For instance, A✗ says checking control reachability for atomic programs with a parameterized number of tasks, even with bounded-gaps, is undecidable. The row with a bounded numbers of tasks is from [9] where atomic instructions do not change the decidability status. T ′ = T ∪ {t, u} t = u P = P0 P ′ = P k for each i : 1 ≤ i ≤ k Pi = Pi−1 ∪ {pi} (seq t , gap t ) ∈ concretizeTask(seq, gap, t) (seq t,u , gap t,u ) ∈ concretizeTask(seq t , gap t , u) s ′ , s ∈ UnrSuff seq 1 ∈ concretizeSeq(seq t,u , t, s) seq 2 ∈ concretizeSeq(seq 1 , u, stmt)
paramOf ( Fig. 9 . For the proof of Thm.6. Encoding a Minsky machine with the two counters {x, y}. The value of counter x is represented by the number of instances of xTask tasks registred to phaser xPh. The construction described in Fig.10 ensures that runs trying to decrement by more than 1 will result in configurations with larger number of phasers. 5 main () { 6 xPh = n e w P h a s e r() ; 7 yPh = n e w P h a s e r() ; Fig. 11 . In proof of Thm.7 for control reachability of atomic phaser programs. Encoding a Minsky machine with the two {x, y}. The value of counter x is represented by the number of instances of xTask tasks registred to phaser xPh. The construction ensures increments or decrements involve exactly one task.
