Safety Verification of Phaser Programs by Ganjei, Zeinab et al.
ar
X
iv
:1
70
8.
02
80
1v
1 
 [c
s.P
L]
  9
 A
ug
 20
17
Safety Verification of Phaser Programs
Zeinab Ganjei, Ahmed Rezine, Petru Eles and Zebo Peng
Linko¨ping University, Sweden
Abstract
We address the problem of statically checking control state reacha-
bility (as in possibility of assertion violations, race conditions or run-
time errors) and plain reachability (as in deadlock-freedom) of phaser
programs. Phasers are a modern non-trivial synchronization construct
that supports dynamic parallelism with runtime registration and dereg-
istration of spawned tasks. They allow for collective and point-to-point
synchronizations. For instance, phasers can enforce barriers or producer-
consumer synchronization schemes among all or subsets of the running
tasks. Implementations are found in modern languages such as X10 or
Habanero Java. Phasers essentially associate phases to individual tasks
and use their runtime values to restrict possible concurrent executions.
Unbounded phases may result in infinite transition systems even in the
case of programs only creating finite numbers of tasks and phasers. We in-
troduce an exact gap-order based procedure that always terminates when
checking control reachability for programs generating bounded numbers
of coexisting tasks and phasers. We also show verifying plain reachability
is undecidable even for programs generating few tasks and phasers. We
then explain how to turn our procedure into a sound analysis for checking
plain reachability (including deadlock freedom). We report on preliminary
experiments with our open source tool.
1 Introduction
We focus on safety verification of programs using phasers for synchronization
[1, 2, 3]. This sophisticated construct dynamically unifies collective and point-
to-point synchronizations. For instance, it allows for dynamic registration and
deregistration of tasks allowing for a more balanced usage of the computing
resources when compared to static barriers or producer-consumer constructs [4].
The construct can be added to any parallel programming language with a shared
address space. For instance, it can be found in Habanero Java [3], an extension of
the Java programming language. Phasers build on the clock construct from the
X10 programming language [1]. They can be created dynamically and spawned
tasks may get registered or deregistred at runtime.
Intuitively, each phaser associates two phases (hereafter wait and signal
phases) to each registered task. Apart from creating phasers and registering
1
each other to them, tasks can individually issue wait and signal commands
to a phaser they are registered to. Intuitively, signal commands are used to
inform other registered tasks the issuing task is done with its signal phase. The
command is non-blocking. It increments the signal phase associated to the is-
suing task on the given phaser. The wait command is instead used to check
whether all registered tasks are done with (i.e., have a signal phase that is strictly
larger than) the issuing task’s wait phase. This command may get blocked by a
task that did not yet finish the corresponding phase. Unlike classical barriers,
phasers need not force registered tasks to wait for each other at each single
phase. Instead they allow them to proceed with the following phases (by issu-
ing signal commands), or even to exit the construct by deregistering from it.
Such dynamic behavior allows for better load balancing and performance, but
comes at the price of making it easy to introduce programming mistakes such as
assertion violations, race conditions, runtime errors and, in the important situ-
ation where wait and signal commands are decoupled for maximum flexibility,
deadlocks. We summarize our contributions in this work:
• We propose an operational model based on [2, 3, 5].
• We show undecidability of checking deadlock-freedom for programs with
fixed numbers of tasks and phasers.
• We describe an exact gap-order based symbolic verification procedure for
checking control state reachability (as in assertion violations, race condi-
tions or runtime errors) and plain reachability (as in checking deadlock
freedom).
• We show termination of the procedure for control state reachability when
numbers of tasks and phasers are fixed.
• We describe how to turn the procedure into a sound over-approximation
for plain reachability.
• We report on our preliminary experiments with our open source tool.
Related work. We are not aware of automatic formal verification works that
focus on constructs allowing for such a degree of dynamic parallelism. Unlike
[6], we focus on fully automatic verification and consider the richer and more
challenging phaser construct. The work of [5] considers the dynamic verification
of phaser programs and can therefore only reason about particular program
inputs and runs. The work in [7] uses Java Path Finder [8] to explore several
runs, but still for one concrete input at a time. The works in [9, 10] target
gap-order systems. Although phaser programs share some of their properties
(larger gaps can do more), the results in [9, 10] do not apply since gap-order
systems crucially forbid exact increments.
Outline. We describe a phaser program and recall some preliminaries in
Sections 2 and 3. This is followed in Section 4 by a formal description of
phaser programs and of the properties we want to check. We also establish the
2
undecidability of checking deadlock freedom. In Section 5, we introduce our gap-
order based symbolic representation. In Section 6 we describe our verification
procedure and show decidability of checking control state reachability. We then
introduce our relaxation procedure for checking plain reachability and briefly
describe in Section 7 our applicatoin of view abstraction to the parameterized
case. Finally, we report on our experiments and conclude the work.
2 Motivating example
The program listed in Fig. (1) uses Boolean shared variables B = {a, b, done}. A
main task creates two phasers (lines 5 and 6). When creating a phaser, the task
gets automatically registered to it. The main task also creates three other task
instances (lines 9, 10 and 11). Several tasks can be registered to several phasers.
When a task t is registered to a phaser p, a pair of numbers (waittp, sig
t
p), each in
N∪ {+∞}, is associated to the couple (t, p). The pair represents the individual
wait and signal phases of task t on phaser p.
Registration of a task to a phaser can occur in one of three modes: Sig Wait,
Wait and Sig. In Sig Wait mode, a task may issue both signal and wait
commands. In Wait mode, a task may only issue wait commands on the
phaser. Finally, when registered in Sig mode, a task may only issue signal
commands. Issuing a signal command by a task on a phaser results in the task
incrementing its signal phase associated to the phaser. This command is non-
blocking. On the other-hand, issuing a wait command by a task on a phaser
p will block until all tasks registered on p exhibit signal values on p that are
strictly larger than the wait value of the issuing task on phaser p. In this case,
the wait phase of the issuing task is incremented. Intuitively, a signal command
allows the issuing task to state other tasks need not wait for it to complete its
signal phase. In retrospect, a wait command allows a task to make sure all
registered tasks have moved past its wait phase.
Upon creation of a phaser, wait and signal phases are initialized to 0 (except
inWaitmode where the signal phase is instead initialized to +∞ in order to not
block other waiters). The only other way a task may get registered to a phaser is
if an already registred task does register it in the same mode (or in Wait or Sig
if the registrar is registered in Sig Wait). In this case, wait and signal phases
of the newly registered task are initialized to those of the registrar. Tasks are
therefore dynamically registered (e.g., lines 9-11). They can also dynamically
deregister themselves (e.g., lines 25-26);
In this example, two producers and one consumer are synchronized using two
phasers. The consumer requires the two producers to be ahead of it (wrt. the
phaser main pointed to with prod) in order for it to consume their respective
products. At the same time, the consumer needs to be ahead of both producers
(wrt. the phaser main pointed to with cons) in order for these to produce their
pair of products. It should be clear that phasers can be used as barriers for
synchronizing dynamic subsets of concurrent tasks. Observe producers need
not, in general, proceed in a lock step fashion. Producers may produce many
3
1 bool a, b, done;
2 main()
3 {
4 done = false;
5 prod = newPhaser(Sig Wait);
6 cons = newPhaser(Sig Wait);
7 cons.signal ();
8
9 asynch(aProducer , prod(Sig), cons(Wait));
10 asynch(bProducer , prod(Sig), cons(Wait));
11 asynch(abConsumer , prod(Wait), cons(Sig));
12
13 prod.drop();
14 cons.drop();
15 }
16
17 aProducer(p(Sig), c(Wait))
18 {
19 c.wait();
20 while(¬done){
21 a = true;
22 p.signal ();
23 c.wait();
24 };
25 p.drop();
26 c.drop();
27 }
28 bProducer(p(Sig), c(Wait))
29 {
30 c.wait();
31 while(¬done){
32 b = true;
33 p.signal ();
34 c.wait();
35 };
36 p.drop();
37 c.drop();
38 }
39
40 abConsumer(p(Wait), c(Sig))
41 {
42 while(¬done){
43 p.wait();
44 assert(a ∧ b);
45 a = false;
46 b = false;
47
48 if(ndet())
49 done = true;
50 c.signal ();
51 };
52 c.drop();
53 p.drop();
54 }
Figure 1: Two producers and one consumer are synchronized using two phasers.
In this construction, the consumer requires both producers to be ahead of it (wrt.
prod phaser) in order for it to consume their respective products. At the same
time, the consumer needs to be ahead of both producers (wrt. cons phaser) in
order for these to be able to produce their pair of products.
4
aProducer : @23
bProducer : @34
main : @15
abConsumer : @42(phaser) (phaser)
prod cons
p
(sig = 90)
p
(sig = 91)
p
(wait = 90)
c
(wait = 90)
c
(wait = 91)
c
(sig = 91)
Figure 2: Possible wait and signal phase values for Fig. (1). Observe that there
is no a priori bound on the values of the different wait and signal phases. In
this example, the difference between signal and wait phases is bounded. This is
not always the case in general.
items before consumers “catch up”.
We are interested in checking: (a) control state reachability as in assertions
(e.g., line 44), race conditions (e.g., mutual exclusion of lines 20 and 49) or
runtime errors (e.g., signaling a dropped phaser), and (b) plain reachability as
in deadlocks (e.g., a producer at line 23 and a consumer at line 50 with equal
phases). Intuitively, both problems concern themselves with the reachability
of target sets of program configurations. The difference is that control state
reachability defines the targets with the states of the tasks (their control loca-
tions and whether they are registered to some phasers). Plain reachability can,
in addition, use values or relations between values of involved phases. Observe
that control state reachability depends on the values of the actual phases, but
these values are not used to define the target sets. For example, assertions are
expressed as predicates over boolean variables (e.g., line 44). Establishing such
an assertion requires capturing the constraints imposed by the phasers on the
program behaviors.
Our work proposes a sound and complete algorithm for checking control
state reachability in case a bounded number of tasks and phasers are gener-
ated. The algorithm can handle arbitrarily large phases, e.g., generated using
nested signaling loops. The algorithm starts from a symbolic representation
of all bad configurations and successively computes sets of predecessor config-
urations. We show termination based on a well-quasi-ordering argument that
imposes restrictions on what can be expressed with our symbolic representation.
For instance putting upper bounds on differences between phases is forbidden.
Deadlock configurations cannot be faithfully captured with such restricted rep-
resentations. Intuitively, a deadlocked configuration will have a cycle where
each involved task is waiting for the task to its right but where the wait phase
of each task equals the signal phase of the task it is waiting for. We show the
5
problem of checking deadlock freedom to be undecidable even for programs only
generating a bounded number of tasks and phasers. We explain how to turn
our verification algorithm into a sound but incomplete procedure for checking
deadlock-freedom. Precision can then be augmented on demand to eliminate
false positives.
3 Preliminaries
We use N and Z for natural and integer numbers respectively. We write A⊎B to
mean the union of disjoint sets A and B. We let Pfn (A,B) be the set of partial
functions from A to B and use ∅A for the empty function over A, i.e., ∅A(a)
is undefined (written ∅A(a) ↑) for all a ∈ A. Given function g ∈ Pfn (A,B)
we write g(a) ↓ to mean that g(a) is defined and write g \ {a} to mean the
restriction of g to the domain A\{a}. We write g[a← (b)] for the function that
coincides with g on A except for a that is sent to b. We abuse notation and let
g[{ai ← bi | i ∈ I}], for a set {ai | i ∈ I} of pairwise different elements, mean
the function that coincides with g on A except for each ai that is sent to the
corresponding bi. We sometimes write a function g as a set {a 7→ g(a) | a ∈ A}.
It is then implicitly undefined outside of A.
4 Language
A program may use a set B of shared boolean variables and a set V of local
phaser variables:
prg ::= bool b1, . . . , b|B|;
task1(v11 , . . . , vk1) {stmt1}
. . .
taskn(v1n , . . . , vkn) {stmtn}
stmt ::= v = newPhaser() |
| asynch(task, v1, . . . , vk)
|
| v.drop() |
| v.signal() |
| v.wait() |
| exit
|
| stmt; stmt |
| b = cond |
| assert(cond)
|
| while(cond) {stmt} |
| if(cond) {stmt}
cond ::= ndet() |
| true |
| false |
| b |
| cond∨ cond
|
| cond ∧ cond |
| ¬cond
A program consists in a set of tasks T. A task is declared with task(v1, . . . , vk) {stmt}
where v1, . . .vk are phaser variables that are local to the declared task. A task
can also create a new phaser with v = newPhaser() and store the identifier
of the phaser in a local variable v. We let V be the union of all local phaser
variables. When creating a phaser, a task gets registered to it. To simplify our
description, we will assume all registrations to be in Sig Wait mode. Including
6
the other modes is a matter of changing the initial phase values at registra-
tion and of statically ensuring the issued commands respect the registration
mode. A task can deregister itself from a phaser referenced by a variable v with
v.drop(). It can also issue signal or wait commands on a phaser on which it
is registered and that is referenced by v. A task can spawn another task with
asynch(task, v1, . . . , vn). The issuing task registers the spawned task to the
phasers it points to with v1, . . . , vn. The issuing task need not wait for the
spawned task and may directly continue its execution.
Assume a phaser program prg = (B, V, T). We inductively define the finite set
S of control sequences as follows. S is the smallest set containing: (i) suffixes of
each “stmti” appearing in some “taski(v1i , . . . , vki) {stmti}”; and (ii) suffixes
of “stmti; while(cond) {stmti}; stmtj” (respectively “stmti; while(cond) {stmti}”)
for each “while(cond) {stmti}; stmti” (respectively “while(cond) {stmti}”) in
S; and (iii) suffixes of “stmti; stmtj” (respectively “stmti”) for each “if(cond) {stmti}; stmtj”
(respectively “if(cond) {stmti}”) appearing in S. We write s to mean some
control sequence in S, and hd(s) and tl(s) to respectively mean the head and
the tail of the sequence s.
4.1 Semantics.
A configuration c of prg = (B, V, T) is a tuple (T , P , bv,pc,pv,ϕ) where:
• T is the current finite set of task identifiers. We let t, u range over the
values in T .
• P is the current finite set of phaser identifiers. We let p, q range over the
values in P .
• bv : B→ {true, false} is a total mapping that associates a value to each
b ∈ B.
• pc : T → S is a total mapping that associates tasks to their remaining
sequences (i.e., control location).
• pv : T → Pfn (V, P) is a total mapping that associates, to each task iden-
tifier in T , a partial mapping from the local phaser variables V to phaser
identifiers P . It captures the values of the phaser variables V of each task.
• ϕ : P → Pfn
(
T ,N2
)
is a total mapping that associates to each phaser
p ∈ P a partial mapping ϕ(p) that is defined exactly on the identifiers of
the tasks registered to p. For such a task t, ϕ(p)(t) is the pair (waittp, sig
t
p)
representing wait and signal values of t on p.
The set of tasks T is altered by asynch(task, v1, . . . , vn) and exit statements
(rules (asynch) and (exit) in Fig.(3) of the appendix). The set of phasers
P is updated upon creation of new phasers (rule (newPhaser) in Fig.(3)) of
the appendix. The mapping pv associates values to program phaser variables.
Accessing variables with undefined values, or phasers to which the task is not
7
currently registered, leads to runtime errors (rule (runtime error)). The total
mapping ϕ captures states of phasers. It associates to each phaser identifier p in
P a partial mapping ϕ(p). This partial mapping is defined for a task identifier
t ∈ T (i.e., ϕ(p)(t) ↓) iff the task t is registered to the phaser p. In this case,
ϕ(p) gives the waiting phase waittp and the signaling phase sig
t
p of the task t on
the phaser p. Initially, a unique “main” task t0 starts executing its stmtmain
with no phasers. ϕ is the empty function with an empty domain ∅∅. After a
task t executes a v := newPhaser() statement (rule (newPhaser) in Fig.(3)) of
the appendix, a new phaser p is associated to the variable v using pv and ϕ(p)
becomes the partial function {t 7→ (0, 0)}. The initial configuration is cinit =
({t0} , {} , bvfalse, {t0 7→ stmt} ,∅,∅), where a “main” task with identifier t0
and code stmt is the unique initial task. No phasers are present in the initial
configuration, and all boolean variables are mapped to false.
Given two configurations c and c′ with c = (T , P , bv,pc,pv,ϕ), we write
c
t
−→ c′ if there is a task t ∈ T such that one of the rules in Fig.(3) of the
appendix holds. We use
∗
−→ for the reflexive transitive closure of −→ and write
c
∗
−→ c′ to mean that c′ is reachable from c. A configuration is said reachable if
it is reachable from the initial configuration cinit.
4.1.1 Control-state reachability
Checking the possibility of assertion violations, of runtime errors and of race
conditions amounts to checking reachability of configurations respectively in
badConfs
(n,p)
assert, badConfs
(n,p)
runtime and in badConfs
(n,p)
race for some number of tasks
n and number of phasers p. We introduce in Section 5 a complete procedure
for checking reachability of such sets of configurations and show it to be sound
for programs with a fixed upper bounds on numbers of generated phasers and
tasks.
4.1.2 Plain reachability and deadlocks.
We are also interested in checking the possibility of deadlocks. For this we need
to define the notion of a blocked task. Assume in the following a configuration
c = (T , P , bv,pc,pv,ϕ).
Definition 1 (Blocked). A task t ∈ T is blocked at phaser p ∈ P by task
u ∈ T if hd(pc(t)) = v.wait() with pv(t)(v) = p and ϕ(p)(t) = (waittp, ) when
ϕ(p)(u) = ( , sigup ) and sig
u
p ≤ wait
t
p.
Intuitively, a task t is blocked by a task u if it cannot finish its wait command
on some phaser because it is waiting for task u that did not issue enough signal
commands on the same phaser.
Definition 2 (Deadlock). (T , P , bv,pc,pv,ϕ) is a deadlock configuration if each
task of a non empty subset U ⊆ T is blocked by some task in U.
Theorem 1 (Deadlock-Freedom). It is undecidable in general, even for pro-
grams with only three phasers and four tasks, to check for deadlock-freedom.
8
Proof. Sketch. We encode the reachability problem of any given 3-counters
reset-VAS (vector addition system with reset arcs) as the reachability problem
of a configuration with a simple cycle involving three tasks. Indeed, reachability
of configuration (sF , 0, 0, 0) (three counters x, y, z with zero values at some con-
trol location sF ) is undecidable for reset-VASs. Figures (4-5) in the appendix
describe a phaser program where a main task t spawns three tasks {t12, t23, t31}
s.t. t$a$b runs task$a$b for each $a$b ∈ {12, 23, 31}. The main task orches-
trates the simulation and is registered to three phasers p1, p2 and p3. Main
and the other tasks use their respective local variable v$i, for i ∈ {1, 2, 3}, to
point to phaser p$i. The idea is to encode the value of counter x$b using the
difference sig
t$a$b
p$b −wait
t$b$c
p$b , for $a$b$c ∈ {123, 231, 312}. Resets of counter x$b
are encoded by asking task t$a$b to exit (hence deregistering from all phasers)
and having task t$b$c spawn a new task$a$b. Finally asking each task t$a$b to
perform a wait on phaser v$a ensures a simple cycle of size 3 is built exactly
when the three counters are 0.
5 Symbolic verification of phaser programs
We briefly introduce gap-order constraints and use them to define a symbolic
representation (hereafter constraints) that we use in Section 6 for checking reach-
ability.
5.1 Gap-order constraints and graphs [11, 12, 10, 9].
Gap-order constraints can be regarded as a particular case of the octagons or the
unit two variables per inequality (utvpi) constraints. Assume in this section that
x and y are integer variables and that k is an integer constant. We use X and Y
to mean finite sets of integer variables. A valuation val is a total function X →
Z. Valuations are implicitly extended to preserve constants (i.e. val(k) = k for
any k ∈ Z). A gap-order clause δ over X is an inequality of the form a− b ≥ k
where a, b ∈ X ∪ {0}. A gap-order constraint ∆ over X is a finite conjunction
of gap-order clauses over the same set X . Observe that (x = y + 2 ∧ y ≤ 5)
is essentially a gap-order constraint because it can be equivalently rewritten as
the conjunction (x− y ≥ 2 ∧ y − x ≥ −2 ∧ 0− y ≥ −5). Given a gap-order
constraint ∆ over X and a valuation val : X → Z, we write val |= ∆ to mean
that val(a)− val(b) ≥ k holds for each gap-order clause δ : a− b ≥ k appearing
in ∆. We let Sat(∆) be the set {val : X → Z | val |= ∆}.
A gap-order graph (or graph for short) ℘ over X is a graph (V,E) with
vertices V = X ∪ {0} where edges in E are of the form a
k
−→ b with a, b ∈ V and
weight k in Z ∪ {−∞,+∞}. We let varsOf(℘) = X . Given a gap-constraint
∆ over X , we can build the graph graphOf (∆) with vertices X ∪ {0} and
where E only contains a representative a
k
−→ b edge for each clause a − b ≥ k
appearing in ∆. A valuation val : X → Z satisfies a graph ℘ = (V,E) (written
val |= ℘) iff val(a)− val(b) ≥ k for each a
k
−→ b ∈ E. We let Sat(℘) be the set
{val : X → Z | val |= ℘}. Clearly, Sat(graphOf (∆)) = Sat(∆). The closure
clo (℘) of a graph ℘ = (V,E) is the unique complete graph with the same
vertices V and where a
k′
−→ b is an edge of clo (℘) iff k′ ∈ Z ∪ {−∞,+∞} is
the least upper bound of all weight-sums for any path in ℘ from a to b. Closure
allows us to deduce (0−x ≥ −7) from (y−x ≥ −2∧ 0− y ≥ −5). The result of
the closure procedure is a special graph ℘false denoting the graph without any
satisfying valuation each time a weight k=+∞ is generated. The closure of a
graph can be computed in polynomial time and we get Sat(clo (℘)) = Sat(℘).
We define the degree of a graph ℘ (written degreeOf(℘)) to be 0 if no edge in
clo (℘) has a negative weight apart from −∞. Otherwise, degreeOf(℘) is the
largest natural k ∈ N such that there is an edge in clo (℘) with weight −k. For
instance, the degree of the graph resulting from (x − y ≥ 2 ∧ y − x ≥ −4) is
4. We systematically close all manipulated graphs and write G(X) for the set
of closed graphs over X . Given a graph ℘, we write ℘[x/y] to mean the graph
obtained by replacing the vertex x by the vertex y. We abuse notation and write
℘[{xi/yi | i ∈ I}], for pairwise different xi elements to mean the simultaneous
application of the individual substitutions. For a set of variables Y , we write
℘ ⊖ Y to mean the graph obtained by removing the variables in Y from the
vertices of ℘. Given two closed graphs ℘ and ℘′ over the same X , we write
℘ ⊑G ℘
′ to mean that each directed edge in ℘ is labeled with a larger weight in
℘′. As a result, Sat(℘′) ⊆ Sat(℘). Finally, we write ℘ ℘′ to mean the closure
of the graph obtained with merging the two sets of vertices and edges. As a
result, Sat(℘ ℘′) = Sat(℘) ∩ Sat(℘′).
5.2 Constraints as a symbolic representation.
A constraint φ is a tuple (T , P , bv,pc,pv,γ) where the only difference with the
definition of a configuration (T , P , bv,pc,pv,ϕ) is the adoption of a gap-order
constraint γ instead of ϕ. More specifically, γ : P → ∪U⊆T G(∪t∈U{ω
t
p, σ
t
p})
is a total mapping that associates a gap-order graph to each phaser p ∈ P .
Intuitively, we use variables ωtp and σ
t
p to constrain in graph γ(p) possible val-
ues of both wait (waittp) and signal (sig
t
p) phases of each task t registered to
phaser p. As a result, we can check if task t is registered to phaser p accord-
ing to graph ℘ = γ(p) by checking if {ωtp, σ
t
p} ⊆ varsOf(℘). We will write
Reg(p, ℘) to mean the set of tasks {t | {ωtp, σ
t
p} ⊆ varsOf(℘)}. We also write
isReg(t, p, ℘) for the predicate t ∈ Reg(p, ℘). Observe that the language seman-
tics impose that, for each phaser p and for any pair t, u of tasks in Reg(p, ℘),
the predicate 0 ≤ waittp ≤ sig
u
p is an invariant. For this reason, we always
safely strengthen, in any obtained γ(p) = ℘, weights k in σtp
k
−→ ωup , σ
t
p
k
−→ 0
and ωtp
k
−→ 0 with max(k, 0). The following definition helps us characterize
configurations for which our procedure terminates.
Definition 3 (degree and freeness of constraints). A constraint (T , P , bv,pc,pv,γ)
has as degree the largest degree among all its graphs γ(p) for p ∈ P if P is not
empty and 0 otherwise. Furthermore, a constraint is said to be “free” if, for
10
any p ∈ P , the only edges in γ(p) with weights different from −∞ are edges
of the forms (i) σtp
k(σtp,ωup )
−−−−−→ ωup , (ii) σ
t
p
k(σtp)
−−−→ 0, or (iii) ωtp
k(ωtp)
−−−→ 0 for some
t, u ∈ Reg(p,γ(p)) and k(σtp,ωup ), k(σtp), k(ωtp) ∈ N
Free constraints are only allowed to impose, for the same phaser, non-
negative lower bounds on differences between signals and waits, between signals
and 0, and between waits and 0. Like degree-0-constraints, free constraints are
not allowed to put a positive upper bound on how much a signal is larger than
a wait. Unlike degree-0-constraints, they are not allowed to put bounds on the
differences among signal values, or among wait values. For instance a free con-
straint cannot impose σtp − σ
u
p = 0 while a degree-0-constraint can. Intuitively,
freeness does not oblige our verification procedure to maintain exact differences
when firing ”signal” or ”wait” instructions, jeopardizing termination. This will
be stated in Section 6.
5.3 Denotations of constraints.
Given a configuration c = (T , P , bv,pc,pv,ϕ) and a constraint φ = (T ′, P ′, bv ′, pc′, pv ′, γ ′),
we say that c satisfies φ, and write c |= φ, if c satisfies (up to a renaming of the
tasks and the phasers) conditions imposed by φ. More concretely, c |= φ if bv =
bv ′ and there are bijections τ : T → T ′ and pi : P → P ′ such that: (i) pc(t) =
pc′(τ(t)) for each t ∈ T ; and (ii) pi(pv(t)(v)) = pv ′(τ(t))(v) for each t ∈ T and
v ∈ V; and (iii) the renaming of tasks and phasers in ϕ wrt. τ and pi satisfies γ ,
i.e., (iii.a) for each t ∈ T and each p ∈ P , ϕ(p)(t) ↓ iff isReg(τ(t), pi(p), γ (pi(p))),
and (iii.b) for each p′ ∈ P ′, ℘(
∧
t′∈Reg(p′,γ(p′))((ω
t′
p′ , σ
t′
p′) = ϕ(pi
−1(p′))(τ−1(t′)))) |=
γ(p′). We let [[φ]] denote {c | c |= φ}. Intuitively, [[(T , P , bv,pc,pv,γ)]] contains
all configurations c with the same number of tasks and phasers and such that
there are renamings of tasks and phasers that preserve in c the correspondence
between pc, pv and γ . We write [[Φ]], for a set Φ of constraints, to mean the
union ∪φ∈Φ[[φ]]. Given a program (B, V, T), we can exactly characterize with a
finite set of constraints all configurations involving n tasks and p phasers and
satisfying the premises of rules (runtime error), (assert. fault), (race) and
(deadlock) from Fig.(3) of the appendix.
Lemma 1 (Characterizing badness). Given a program (B, V, T) and natural
numbers (n, p), we can exhibit finite sets of constraints badCstrs
(n,p)
race , badCstrs
(n,p)
assert,
badCstrs
(n,p)
runtime and badCstrs
(n,p)
deadlock such that:
badConfs(n,p)race = [[badCstrs
(n,p)
race ]]
badConfs
(n,p)
assert = [[badCstrs
(n,p)
assert]]
badConfs
(n,p)
runtime = [[badCstrs
(n,p)
runtime]]
badConfs
(n,p)
deadlock = [[badCstrs
(n,p)
deadlock]]
In addition, we can choose the constraints in badCstrs
(n,p)
deadlock to be of degree 0
while those in badCstrs
(n,p)
race , badCstrs
(n,p)
assert or in badCstrs
(n,p)
runtime to be free.
11
Proof. Observe that n and p are given naturals. Fix a task set T = {t1, . . . , tn}
of size n and a phaser set P = {p1, . . . , pp} of size p. We can therefore enumerate
all tuples (T , P , bv,pc,pv) where:
• bv : B→ {true, false} is a total mapping that associates a value to each
b ∈ B.
• pc : T → S is a total mapping that associates tasks to a sequence s ∈ S
• pv : T → Pfn (V, P) is a total mapping that associates, to each task iden-
tifier in T , a partial mapping from the local phaser variables V to phaser
identifiers P .
Let C be the set of such tuples. Observe that tuples in C are missing information
about tasks’ registration and wait and signal values. We complete this infor-
maiton in the following. Given a set U ⊆ T of tasks and a phaser p ∈ P , we
write topOf (U, p) to mean the graph of the conjunction
∧
t,u∈U(σ
t
p ≥ ω
u
p ≥ 0).
Observe that an invariant of all phaser programs is that signal and wait phases
(of all tasks registered on a given phaser) are always non-negative with the for-
mers always larger or equal than the laters. For this reason, topOf (U, p) is
the weakest possible graph where the set U is registered to a phaser p. Ob-
serve that topOf (U, p) is free. We now finish the definitions of badCstrs
(n,p)
race ,
badCstrs
(n,p)
assert, badCstrs
(n,p)
runtime, badCstrs
(n,p)
deadlock:
• Add to badCstrs
(n,p)
race all constraints (T , P , bv,pc,pv,γ) where:
– (T , P , bv,pc,pv) is a tuple of C with two different tasks t and u in T
executing a read or a write on a boolean variable with at least one
of them writting it (see badConfs
(n,p)
race in Fig. 3) of the appendix.
– The total mapping γ associates topOf (Up, p) to each phaser p, where
U is some subset of T . Intuitively, for each phaser p, we consider all
registration possibilities (some subset U ⊆ T ) while imposing the
weakest possible constraints on the signal and wait phases of the
registred tasks. Observe γ is free.
• Add to badCstrs
(n,p)
assert all constraints (T , P , bv,pc,pv,γ) where:
– (T , P , bv,pc,pv) is a tuple of C with some task t in T executing an
assertion on a boolean condition that evaluates to false with bv (see
badConfs
(n,p)
assert in Fig. 3) of the appendix.
– The total mapping γ associates topOf (Up, p) to each phaser p, where
U is some subset of T . Observe γ is free.
• Add to badCstrs
(n,p)
runtime all constraints (T , P , bv,pc,pv,γ) where:
– (T , P , bv,pc,pv) is a tuple of C with some task t in T is executing a
statement that involves a phaser variable v.
12
– Again, the total mapping γ associates topOf (Up, p) to each phaser
p, where U is some subset of T . In addition, we require that either
pv(t)(v) ↑ or p = pv(t)(v) with t 6∈ Reg(p,γ(p)). (see badConfs
(n,p)
runtime
in Fig. 3) of the appendix. Observe γ(q) is free for all q on which γ
is defined. Observe γ is free.
• Add to badCstrs
(n,p)
deadlock all constraints (T , P , bv,pc,pv,ϕ) where:
– (T , P , bv,pc,pv) is a tuple of C where a set of tasks t0, ..., tm−1 in T
are executing wait commands on phaser variables v0, ..., vm−1 in V.
– Again, the total mapping γ associates topOf (Up, p) to each phaser p,
where U is some subset of T . We however require that: pi = pv(vi)
for each i : 0 ≤ i < m and, ti is waiting for t(i+1)%m in γpi, i.e.,
γpi imposes the wait phase of ti on pi is equal to the signal phase
of t(i+1)%m on pi. In other words, the edge σ
t(i+1)%m
pi
0
−→ ωtipi in γpi.
(see badConfs
(n,p)
deadlock in Fig. 3) of the appendix. Observe the graphs
in γ are not all free since some of them put an upper bound on how
large some signal value are compared to some wait values. They are
however of degree 0 since the only negative weights are −∞.
By construction, we have considered all possible tuples (T , P , bv,pc,pv) and reg-
istration combinations. We have all considerd the weakest possible constraints
on the phases for the registred tasks. In addition, any configuration in the
denotation constraints will belong to the corresponding bad set.
5.4 Entailment.
We say that a constraint φ = (T , P , bv,pc,pv,γ) is weaker than a constraint φ′ =
(T ′, P ′, bv ′, pc′, pv ′, γ ′), written φ ⊑ φ′, to mean the following. First, the two
constraints have the same number of phasers and tasks, agree on the values of
the boolean variables and, up to renamings, on the values of the phaser variables
and on which tasks are registered to which phasers. Second, the constraints on
the wait and signal values are stronger in φ′ than in φ. More formally, φ ⊑ φ′
if bv = bv ′ and there are bijections τ : T → T ′ and pi : P → P ′ s.t. for each
t ∈ T and p ∈ P the following four conditions hold: (i) pc(t) = pc′(τ(t)); and (ii)
pi(pv(t)(v)) = pv ′(τ(t))(v); and (iii) pi(Reg(p,γ(p))) = Reg(pi(p), γ ′(pi(p))); and
(iv) γ(p) ⊑G γ
′(pi(p))
[{
ω
τ(t)
pi(p)/ω
t
p, σ
τ(t)
pi(p)/σ
t
p | t ∈ Reg(p,γ(p))
}]
. Clearly, φ ⊑ φ′
implies [[φ′]] ⊆ [[φ]]. We say that ⊑ is sound.
We can show that ⊑ is a well-quasi-order1 over constraints of bounded de-
grees and involving fixed numbers of tasks and phasers since ⊑G is itself a
well-quasi-ordering over graphs of bounded degrees over a finite set of variables
([11, 9]).
1A reflexive and transitive binary relation  is a well-quasi-order over a set A if there is
no infinite sequence a0, a1, . . . of A elements s.t. ai 6 aj for all i < j.
13
Lemma 2 (WQO). Given k, n, p ∈ N, the entailment relation ⊑ over the set of
constraints of degree k involving at most n tasks and p phasers is a well-quasi-
order.
Proof. Assume an infinite sequence φ1, φ2, . . . of constraints where φi = (Ti, Pi, bvi, pci, pvi, γ i)
where |Ti| = n and |Pi| = p for all i ≥ 1 and where all appearing graphs have
degree k or less. We can assume wlog that Ti = Tj and Pi = Pj for any i, j ≥ 1.
We show there are i < j such that φi ⊑ φj . There is a finite number of different
values for bvi, pci, pvi and for the domains of γ i(p) for each p ∈ P . We can
therefore extract an infinite subsequence where:
• bvi = bvj , pci = pcj , pvi = pvj , and
• for each p ∈ P , the domains of γ i(p) and γ j(p) coincide.
Observe that for each phaser p ∈ P , the graphs γ i(p) are the same up to possible
differences on the weights. Let  be the component-wise ordering on vectors.
Each graph γ i(p) is of degree k or less. We can therefore organize its weights
as a vector vectorOf (γ i(p)) with elements in Z ∪ {−∞,+∞} but where the
only allowed negative elements are those larger than −k. The vecotrs can be
organized in a way that vectorOf (γ i(p))  vectorOf (γj(p)) means γ i(p) ⊑G
γj(p). We then repeat the following steps for each p ∈ P : using Higman’s
lemma [13] and the degree boundedness of the constraints, we extract an infinite
sequence of constraints where vectorOf (γab(p))  vectorOf (γac(p)) if ab <
ac.
6 Verification Procedure
Input: A program prg = (B, V, T), a set Φbad of pairwise ⊑-incomparable constraints,
maximum upper bounds t• and p• (in N ∪ {+∞}) on coexisting tasks and
phasers.
Output: A symbolic run to Φbad or the value unreachable
1 Initialize both Working and Visited to {(φ, φ) | φ ∈ Φbad};
2 while there exists (φ, τ) ∈ Working do
3 remove (φ, τ) from Working;
4 let (T , P , bv, pc, pv, γ) = φ;
5 if |T | > t• or |P | > p• then continue;
6 if cinit |= φ then return τ ;
7 foreach t ∈ T do
8 foreach φ′ ∈ pre(t, φ) do
9 if ψ 6⊑ φ′ for all (ψ, ) ∈ Visited then
10 Remove from Working and Visited each (ψ, ) for which φ′ ⊑ ψ;
11 Add (φ′, φ′ · t · τ) to both Working and Visited;
12 return unreachable ;
Procedure check(prg,Φbad,t
•, p•), a simple working list procedure for check-
ing constraints reachability.
14
We discuss in the following the procedure check depicted below and assume
a program prg and a set Φbad of constraints the reachability of which we want
to check. Φbad can for example be any subset of badCstrs
(n,p)
deadlock (degree 0) or
of badCstrs
(n,p)
assert (free) in case we want to check the possibility of a deadlock
or of an assertion violation.
It is not difficult to show that [[pre(t, φ)]] (obtained as described in Fig.(6)
of the appendix) coincides with {c′ | c′
t
−→ c and c ∈ [[φ]]}. Using the sound-
ness of ⊑, we can show by induction the partial correctness of the procedure
check(prg,Φbad,+∞,+∞).
Lemma 3 (Partial correctness). If check(prg,Φbad,+∞,+∞) returns unreachable,
then cinit 6
∗
−→ [[Φbad]]. If it returns a trace φn · tn · · · t1 ·φ1 then there are cn, . . . c1
with cn = cinit, c1 ∈ [[Φbad]] and ci
ti−→ ci−1 for i : 1 < i ≤ n.
Proof. Sketch. Assume a constraint φ = (T , P , bv,pc,pv,γ). It should be
clear that we can complete the definition of  (with the rules for the non-
phaser-related statements) in such a way that [[∪t∈T pre(t, φ)]] coincides with
{c′ | c′ −→ c with c ∈ [[φ]]}. We can establish by induction the following proce-
dure invariants. At iteration m:
• Workingm ⊆ Visitedm
• (φn, φn · tn · · · t1 · φ1) ∈ Visitedm then there are cn, . . . c1 with cn ∈ [[φn]]
and c1 ∈ [[Φbad]] and ci
ti−→ ci−1 for i : 1 < i ≤ n.
• If c = cm is such that: ci
ti−→ ci−1 for i : 1 < i ≤ m with c1 ∈ [[Φbad]] then,
by soundness of ⊑, there is (φ, τ ) ∈ Visitedm such that cm ∈ [[φ]].
Theorem 2 (Free termination). check(prg,Φbad,t
•,p•) terminates for t•, p• ∈ N
and free Φbad.
Proof. Sketch. Freeness is preserved by the pre computation (Fig.(6) of the
appendix). Then we use, similar to [14, 15], the fact that non-termination would
allow us to build an infinite sequence of constraints passing the test at line 9
of the procedure. More concretely, let φ1, φ2, . . . be the sequence of constraints
that pass (in that order) the test at line 9. If a constraint φi is replaced by
another constraint φk, then φk ⊑ φi. This holds for any replaced constraint. By
transitivity, this means all replacements happen with weaker constraints. This
means φi 6⊑ φj , for any i < j. This violates well quasi ordering of ⊑ over the
degree-0 constraints.
In order to check reachability of arbitrary constraints, we may need to force
termination. We do this by soundly bounding the degree of generated con-
straints using a relaxation ρk. The relaxation ρk((T , P , bv,pc,pv,γ)) replaces,
in each graph γ(p), each weight k′′ s.t. k′′ < −k with −∞.
15
1 foreach φ′′ ∈ pre(t, φ) do
2 Let φ′ = ρk(φ
′′);
Fig. 6. Systematic relaxation
Theorem 3 (Forced termination). Independently of the degree of Φbad, Proce-
dure check(prg,Φbad,t
•,p•), where line 8 is replaced by the two lines of Fig. (6),
is sound and guaranteed to terminate.
Proof. Soundness is due to the validity of ρk(φ) ⊑ φ while the termination
argument relies, similarly to Theorem (2), on well-quasi orederness of ⊑ on
the set of constraints with bounded degree and fixed numbers of tasks and
phasers.
7 The parameterized case
We apply view abstraction [16] to derive a sound analysis for programs with
arbitrary numbers of coexisting tasks. In this preliminary work, only the number
of tasks is parameterized. Assume a program prg = (B, V, T).
Constraint views. The view (T , P , bv,pc,pv,γ)|U of a constraint (T , P , bv,pc,pv,γ)
wrt. set U ⊆ T is the tuple (U, P , bv,pc|U , pv|U , {p 7→ γ(p)|U | p ∈ P}) where:
i) pc|U is the restriction of pc to the domain U.
ii) pv|U is the restriction of pv to the domain U.
iii) γ(p)|U is obtained by restricting the variables of γ(p) to
{
σtp, ω
t
p | t ∈ U
}
,
i.e., capturing U’s signals and waits.
Intuitively, views are obtained by projecting on subsets of tasks. A view φ|U
is said to be of size k = |U|. For k ≥ 0, we aim to compute a least fixpoint Ψk
starting from αk(constraintOf(cinit)) and satisfying Ψk ⊑ αk(postρ(γk(Ψk)))
(Φ ⊑ Ψ if there is φ ∈ Φ with φ ⊑ ψ for each ψ ∈ Ψ). The idea is to restrict
the computations to a finite number of tasks using the abstraction αk and the
concretization γk (see [16] for more details). The operator postρ consists in a
simple post computation (see Fig. (7) of the appendix) followed by a relaxation ρ
that bounds the degree of the obtained views to some predetermined value. The
relaxation is applied to ensure termination for bounded view sizes. Intuitively,
any postρ reachable constraint will have all its views of size k captured by some
views in Ψk.
Abstraction and conretizations are defined as follows:
1. Abstraction αk(Φ) of set Φ is the union α
1
k(Φ) ∪ α
2
k(Φ) where:
(a) α1k(Φ) = {(T , P , bv,pc,pv,γ) ∈ Φ | |T | ≤ k}
(b) α2k(Φ) =
{
φ|T | φ ∈ Φ ∧ |T | = k
}
.
16
2. Concretization γk(Φ) of a set Φ is the union γ
1
k(Φ) ∪ γ
2
k(Φ) where:
(a) γ1k(Φ) = Φ, and
(b) γ2k(Φ) is the set of φ = (T , P , bv,pc,pv,γ) constraints s.t. U ⊆ T ∧
|U| = k implies φ|U ∈ Φ
We first compute the fixpoint using only α1k and γ
1
k. If the denotation of
the fixpoint’s views intersects the one of Φbad, then we return the faulty trace.
Because we only use α1k and γ
1
k, the only approximation is due to the relaxation
ρ. The precision of the relaxation can then be increased. Otherwise, we use
αk and γk in order to over-approximate the fixpoint. If the obtained views still
do not include bad configurations, then we conclude that no matter how many
tasks are generated, bad configurations are unreachable. In case the views do
include bad configurations then we restart the analysis with views of bigger sizes
(i.e., restart with a larger k).
8 Experimental Results
We report on experiments with our open source prototype hjVerify2 for the
verification of phaser programs. We conducted experiments on 12 different
programs (some of which are from [5]). We considered both deadlocks and
assertions reachability problems. For each property, we considered correct and
buggy versions. This gave 48 different instances with 2 to 3 phasers and 2 to 4
tasks (except for the parameterized case). Our tool uses global phaser and task
variables as in [5]. We have experimented with adapting the view abstraction
technique [16] to verify phaser programs generating arbitrary many tasks, i.e.,
parameterized verification where the number of phasers is fixed. (see appendix
for more details.) We report on two parameterized examples. Experiments were
conducted on a 2.9GHz processor with 8GB of memory.
2https://gitlab.ida.liu.se/apv/hjVerify
17
program property safe / buggy times
01.Loopless
deadlock: ok / trace 1s / 1s
assertion: ok / trace 1s / 1s
02.Iterative deadlock: ok / trace 1s / 1s
averaging assertion: ok / trace 1s / 1s
03.Ordered deadlock: ok / trace 1s / 1s
phasers assertion: ok / trace 13s / 1s
04.Conditional
deadlock: ok / trace 2s / 1s
assertion: ok / trace 4s / 7s
05.Loop Synch.
deadlock: ok / trace 178s / 145s
assertion: ok / trace 7s / 13s
06.Nested forks
deadlock: ok / trace 2s / 1s
assertion: ok / trace 1s / 1s
07.Conditional deadlock: ok / trace 1s / 1s
membership assertion: ok / trace 12s / 3s
08.Producer- deadlock: ok / trace 37s / 222s
consumer assertion: ok / trace 79s / 34s
09.Parameterized deadlock: ok / trace 20s / 1s
loopless assertion: ok / trace 67s / 1s
10.Parameterized deadlock: ok / trace 1s / 1s
iterative-averaging assertion: ok / trace 1s / 1s
11.Running-2
deadlock: ok / trace 5s / 1s
assertion: ok / trace 26s / 4s
12.Running-3
deadlock: ok / trace 4318s / 128s
assertion: ok / trace 18631s / 54s
Our implemented procedure does not eagerly concretize all tasks states as
described in the predecessor computation of Section 5. Instead we collect con-
ditions on the phases of the threads that did not take any action yet and lazily
concretize them. Reported times for checking deadlocks are the sums of the
times required to check reachability for each cycle. The prototype is only a
proof of concept. For instance, the example (12.Running-3) is a variant of (11-
Running-2) where a task instance is spawned twice leading to two symmetrical
tasks (out of four). This required up to three orders of magnitude more time
to check. We believe partial order reduction techniques would help here. Other
relevant heuristics would be to make use of priority queues and to organize the
minimal sets. All examples are available on the tool homepage.
9 Conclusion
We have proposed a gap-order based reachability analysis for phaser programs.
We have showed our analysis to be exact and guaranteed to terminate when
checking runtime, race and assertion errors. We have established the undecid-
ability of deadlock verification and explained how to turn our analysis into a
sound over-approximation. To the best of our knowledge, this is beyond the ca-
18
pabilities of current verification techniques which currently only target concrete
inputs to phaser programs. We are currently working on tackling the param-
eterized case and have obtained preliminary encouraging results. Apart from
improving the scalability of the tool and from using it in combination with pred-
icate abstraction and abstract interpretation in order to analyze actual source
code, we are investigating the applicability of the presented techniques for the
verification of similar synchronization constructs.
References
[1] P. Charles, C. Grothoff, V. Saraswat, C. Donawa, A. Kielstra,
K. Ebcioglu, C. von Praun, and V. Sarkar, “X10: An object-
oriented approach to non-uniform cluster computing,” SIGPLAN
Not., vol. 40, no. 10, pp. 519–538, Oct. 2005. [Online]. Available:
http://doi.acm.org/10.1145/1103845.1094852
[2] J. Shirako, D. M. Peixotto, V. Sarkar, and W. N. Scherer, “Phasers: a uni-
fied deadlock-free construct for collective and point-to-point synchroniza-
tion,” in 22nd annual international conference on Supercomputing. ACM,
2008, pp. 277–288.
[3] V. Cave´, J. Zhao, J. Shirako, and V. Sarkar, “Habanero-java: the new
adventures of old x10,” in Proceedings of the 9th International Conference
on Principles and Practice of Programming in Java. ACM, 2011, pp.
51–61.
[4] J. Shirako, D. M. Peixotto, V. Sarkar, and W. N. Scherer, “Phaser accumu-
lators: A new reduction construct for dynamic parallelism,” in Parallel &
Distributed Processing, 2009. IPDPS 2009. IEEE International Symposium
on. IEEE, 2009, pp. 1–12.
[5] T. Cogumbreiro, R. Hu, F. Martins, and N. Yoshida, “Dynamic deadlock
verification for general barrier synchronisation,” in 20th ACM SIGPLAN
Symposium on Principles and Practice of Parallel Programming, ser.
PPoPP 2015. New York, NY, USA: ACM, 2015, pp. 150–160. [Online].
Available: http://doi.acm.org/10.1145/2688500.2688519
[6] D.-K. Le, W.-N. Chin, and Y.-M. Teo, “Verification of static and dynamic
barrier synchronization using bounded permissions,” in International Con-
ference on Formal Engineering Methods. Springer, 2013, pp. 231–248.
[7] P. Anderson, B. Chase, and E. Mercer, “Jpf verification of habanero java
programs,” SIGSOFT Softw. Eng. Notes, vol. 39, no. 1, pp. 1–7, Feb.
2014. [Online]. Available: http://doi.acm.org/10.1145/2557833.2560582
[8] K. Havelund and T. Pressburger, “Model checking java programs using
java pathfinder,” International Journal on Software Tools for Technology
Transfer (STTT), vol. 2, no. 4, pp. 366–381, 2000.
19
[9] R. Mayr and P. Totzke, “Branching-time model checking gap-order con-
straint systems,” Fundamenta Informaticae, vol. 143, no. 3-4, pp. 339–353,
2016.
[10] L. Bozzelli and S. Pinchinat, “Verification of gap-order con-
straint abstractions of counter systems,” Theoretical Computer
Science, vol. 523, pp. 1 – 36, 2014. [Online]. Available:
http://www.sciencedirect.com/science/article/pii/S030439751300892X
[11] P. Z. Revesz, “A closed-form evaluation for datalog queries with integer
(gap)-order constraints,” Theoretical Computer Science, vol. 116, no. 1,
pp. 117–149, 1993.
[12] S. Lahiri and M. Musuvathi, “An efficient decision proce-
dure for utvpi constraints,” in Frontiers of Combining Systems
(FroCos ’05). Springer Verlag, May 2005. [Online]. Available:
https://www.microsoft.com/en-us/research/publication/an-efficient-decision-procedure-for-utvpi-constraints/
[13] G. Higman, “Ordering by divisibility in abstract algebras,” Proceedings of
the London Mathematical Society, vol. 3, no. 1, pp. 326–336, 1952.
[14] P. A. Abdulla, K. Cerans, B. Jonsson, and Y.-K. Tsay, “General decid-
ability theorems for infinite-state systems,” in Logic in Computer Sci-
ence, 1996. LICS’96. Proceedings., Eleventh Annual IEEE Symposium on.
IEEE, 1996, pp. 313–321.
[15] A. Finkel and P. Schnoebelen, “Well-structured transition
systems everywhere!” Theoretical Computer Science, vol.
256, no. 1, pp. 63 – 92, 2001. [Online]. Available:
http://www.sciencedirect.com/science/article/pii/S030439750000102X
[16] P. A. Abdulla, F. Haziza, and L. Hol´ık, “All for the price of few,” in
International Workshop on Verification, Model Checking, and Abstract In-
terpretation. Springer, 2013, pp. 476–495.
20
hd(pc(t)) = v := newPhaser() ∧ p 6∈ P ∧ P ′ = P ∪ {p} ∧ pv ′ = pv [t← (pv(t)[v ← (p)])]
∧ ϕ′ = ϕ[p← ({t 7→ (0, 0)})] ∧ pc′ = pc[t← (tl(pc(t)))]
(T , P , bv,pc,pv,ϕ)
t
−→
(
T , P ′, bv,pc′, pv′,ϕ′
) (newPhaser)
hd(pc(t)) = v.signal() ∧ pv(t)(v) = p ∧ ϕ(p)(t) = (waittp, sig
t
p) ∧
ϕ′ = ϕ
[
p←
(
ϕ(p)
[
t←
(
(waittp, 1 + sig
t
p)
)])]
(T , P , bv,pc,pv,ϕ)
t
−→
(
T , P , bv,pc[t← (tl(pc(t)))],ϕ′
) (signal)
hd(pc(t)) = assert(cond) ∧ bv(cond) = true
(T , P , bv,pc,pv,ϕ)
t
−→ (T , P , bv,pc[t← (tl(pc(t)))], pv,ϕ)
(
assert.ok
)
hd(pc(t)) = v.drop() ∧ pv(t)(v) = p ∧ ϕ(p)(t) ↓ ∧ ϕ′ = ϕ[p← (ϕ(p)[t← (↑)])]
(T , P , bv,pc,pv,ϕ)
t
−→
(
T , P , bv,pc[t← (tl(pc(t)))], pv,ϕ′
) (drop)
hd(pc(t)) = asynch(task, v1, . . . vk){s1} ∧ paramOf(task) = (w1, . . . wk) ∧
for each i : 1 ≤ i ≤ k. pv(t)(vi) = pi ∧ ϕ(pi) ↓ ∧
u 6∈ T ∧ pv ′ = pv [u← ({wi 7→ pv(t)(vi) | 1 ≤ i ≤ k})] ∧ pc
′ = pc[u← (s1)] ∧
ϕ′ = ϕ[{pi ← ϕ(pi)[u← (ϕ(pi)(t))] | pv(t)(vi) = pi for pi ∈ P and 1 ≤ i ≤ k}]
(T , P , bv,pc,pv,ϕ)
t
−→
(
T , P , bv,pc′[t← (tl(pc(t)))], pv,ϕ′
) (asynch)
hd(pc(t)) = v.wait() ∧ pv(t)(v) = p ∧ ϕ(p)(t) = (waittp, sig
t
p) ∧
∀u ∈ T .
(
ϕ(p)(u) = (waitup , sig
u
p ) ⇒ wait
t
p < sig
u
p
)
∧ ϕ′ = ϕ
[
p←
(
ϕ(p)
[
t←
(
(1 + waittp, sig
t
p)
)])]
(T , P , bv,pc,pv,ϕ)
t
−→
(
T , P , pv,pc[t← (tl(pc(t)))],ϕ′
) (wait)
hd(pc(t)) = exit ∧ pv ′ = pv \ {t} ∧ pc′ = pc \ {t} ∧ ϕ′ = ϕ[{p← (ϕ(p) \ {t}) | p ∈ P}]
(T , P , bv,pc,pv,ϕ)
t
−→
(
T \ {t} , P , bv,pc′, pv ′,ϕ′
) (exit)
hd(pc(t)) = assert(cond) ∧ bv(cond) = false
(T , P , bv,pc,pv,ϕ) ∈ badConfs
(|T |,|P|)
assert
(
assert.
fault
)
hd(pc(t)) = s ∧ (s = v.drop() ∨ s = v.signal()
∨ s = v.wait() ∨ s = asynch(task, . . . , v, . . .) ) ∧ (pv(t)(v) ↑ ∨ ϕ(pv(t)(v))(t) ↑)
(T , P , bv,pc,pv,ϕ) ∈ badConfs
(|T |,|P|)
runtime
(
runtime
error
)
{t0, . . . tn} ⊆ T ∧ {p0, . . . pn} ⊆ P ∧ ∀ i : 0 ≤ i ≤ n. hd(pc(ti)) = vi.wait() ∧
pv(ti)(wi) = p(i+1)%n ∧ pv(ti)(vi) = pi ∧ wait
ti
p(i+1)%n
≥ sig
t(i+1)%n
p(i+1)%n
(T , P , bv,pc,pv,ϕ) ∈ badConfs
(|T |,|P|)
deadlock
(deadlock)
hd(pc(t)) = b := cond ∧ hd(pc(u)) = s′ ∧ t 6= u ∧

s′ = b := cond′ ∨ b appears in cond′ and
 (s
′ = if(cond′) {stmt}∨
s′ = while(cond′)
{
stmt′
}
∨
s′ = assert(cond′) ∨ s′ = b′ = cond′)




(T , P , bv,pc,pv,ϕ) ∈ badConfs(|T |,|P|)race
(race)
Figure 3: Operational semantics of phaser statements.
21
q in {s0 , s1, ..., sF}
com in {done , check , t12_dec_x1 ,t12_inc_x1 , t12_reset_x1 ,t23_dec_x2
, t23_inc_x2 , ...};
main(){
v1 = newPhaser ();
v2 = newPhaser ();
v3 = newPhaser ();
q = s0;
com = done;
asynch (task12 ,v1 ,v2 ,v3);
asynch (task23 ,v2 ,v3 ,v1);
asynch (task31 ,v3 ,v1 ,v2);
v1.drop();
v2.drop();
v3.drop();
while(true){
// check reachability
if(( * ) && (q == sF)){
com = check;
exit;
};
// let f,g,h be strings automorphisms on strings
// that coincide with the identity except for
// that (f($a)=1, f($b)=2 and f($c)=3) , (g($a)=2,
// g($b)=3 and g($c)=1) and (h($a)=3, h($b)=1
// and h($c)=2) . Syntactically apply each
// morphism to the remaining part of the while loop.
// case (si ,inc (x$a ),sj)
if (( * ) && (q == si)){
com = t($c$a)_inc_x ($a);
while(com != done){};
q = sj;
};
// case (si ,dec (x$a ),sj)
if(( * ) && (q == si)){
com = t$a$b_dec_x$a;
while(com != done){};
q = sj;
};
// case (si ,reset (x$a ),sj)
if(( * ) && (q == si)){
com = t$a$b_reset_x$a;
while(com != done){};
q = sj;
};
};
}
Figure 4: The main task orchestrates the encoding of the reachability of any
three counters reset machine as reachability of a deadlock configuration of a
phaser program.
22
// Syntactically apply each morphism in {f,g,h} to the whole body
// text of the task. This gives three tasks task12 (v1 ,v2 ,v3),
// task23 (v2 ,v3 ,v1) and task31 (v3 ,v1 ,v2)
task$a$b (v$a ,v$b ,v$c){
while(true){
if(com = t$a$b_inc_x$b){
v$b.sig ();
com = done;
};
if(com = t$a$b_dec_x$a){
v$a.sig ();
com = t$b$c_dec_x$a;
v$a.wait ();
while(com != t$a$b_dec_x$a){};
com = done;
};
if(com = t$a$b_dec_x$b){
v$b.wait ();
com = t$c$a_dec_x$b;
};
if(com = t$a$b_dec_x$c){
v$c.sig ();
com = t$b$c_dec_x$c;
v$c.wait ();
while(com != t$a$b_dec_x$c){}
com = t$c$a_dec_x$c;
};
if(com = t$a$b_reset_x$a){
v$a.sig ();
com = t$b$c_reset_x$a;
while(com != t$a$b_reset_x$a){};
v$a.wait ();
asynch (taskc$a ,v$c ,v$a ,v$b);
com = done;
};
if(com = t$a$b_reset_x$b){
com = t$b$c_reset_x$b;
exit;
};
if(com = t$a$b_reset_x$c){
v$c.sig ();
com = t$b$c_reset_x$c;
while(com != t$a$b_reset_x$c){};
v$c.wait ();
com = t$c$a_reset_x$b;
};
if(com = check ){
v$a.sig ();
v$a.wait ();
};
};
}
Figure 5: Three tasks: task12, task23 and task31 synchronize with the main
task in the encoding of the reachability of any three counters reset machine as
reachability of a deadlock configuration of a phaser program.
23
pc′ = pc[t← (v := newPhaser();pc(t))] ∧
pv(t)(v) = p ∧ pv ′ = pv[t← (pv(t)[v ← (↑)])] ∧{
ωtp 7→ 0, σ
t
p 7→ 0
}
|= γ(p) ∧ γ ′ = γ \ {p} ∧
(isReg(u, p,γ(p)) =⇒ u = t)
(T , P , bv,pc,pv,γ)
t
 
(
T , P \ {p} , bv,pc′, pv′, γ ′
) (newPhaser I)
pc′ = pc[t← (v := newPhaser();pc(t))] ∧
pv(t)(v) = p ∧ pv ′ = pv [t← (pv(t)[v ← (q)])] ∧{
ωtp 7→ 0, σ
t
p 7→ 0
}
|= γ(p) ∧ γ ′ = γ \ {p} ∧
(isReg(u, p,γ(p)) =⇒ u = t)
(T , P , bv,pc,pv,γ)
t
 
(
T , P \ {p} , bv,pc′, pv ′, γ ′
) (newPhaser II)
pc′ = pc[t← (v.signal();pc(t))] ∧ pv(t)(v) = p ∧ isReg(t, p,γ(p)) ∧
℘ =
(
γ(p) graphOf
(
∧u∈Reg(p,γ(p))(σ
t
p > ω
u
p ≥ 0)
))
∧ isSat(℘) ∧ γ ′ = γ
[
p←
(((
℘
[
σtp/σ
]
graphOf
(
σtp = σ − 1
))
⊖ {σ}
))]
(T , P , bv,pc,pv,γ)
t
 
(
T , P , bv,pc′, pv,γ ′
) (signal)
pc′ = pc[t← (v.wait();pc(t))] ∧ pv(t)(v) = p ∧ isReg(t, p,γ(p)) ∧
℘ =
(
γ(p) graphOf
(
∧{u∈Reg(p,γ(p))}(σ
u
p ≥ ω
t
p > 0)
))
∧ isSat(℘) ∧ γ ′ = γ
[
p←
(((
℘
[
ωtp/ω
]
graphOf
(
ωtp = ω − 1
))
⊖ {ω}
))]
(T , P , bv,pc,pv,γ)
t
 
(
T , P , bv,pc′, pv,γ ′
) (wait)
pc′ = pc[t← (v.drop();pc(t))] ∧ pv(t)(v) = p ∧ ¬isReg(t, p,γ(p)) ∧
γ ′ = γ
[
p←
((
γ(p) graphOf
(
(σtp ≥ ω
t
p ≥ 0) ∧u∈Reg(p,γ(p)) (σ
u
p ≥ ω
t
p ≥ 0) ∧ (σ
t
p ≥ ω
u
p ≥ 0)
)))]
(T , P , bv,pc,pv,γ)
t
 
(
T , P , bv,pc′, pv,γ ′
) (drop)
pc′ = pc[t← (asynch(task, v1, . . . vk){s1};pc(t))] ∧ paramOf(task) = (w1, . . . wk) ∧ u ∈ T \ {t} ∧
pv′ = pv \ {u} ∧ pc(u) = s1 ∧ ∀i : 1 ≤ i ≤ k. pv(t)(vi) = pv(u)(wi) = pi ∧
(isReg(t, pi, γ(pi))⇔ isReg(u, pi, γ(pi))) ∧
℘i =
(
γ(pi) graphOf
(
ωtpi = ω
u
pi
∧ σtpi = σ
u
pi
))
∧
isSat(℘i) ∧ γ0 = γ ∧ γi = γ i−1
[
pi ←
((
℘i ⊖
{
ωupi
, σupi
}))]
(T , P , bv,pc,pv,γ)
t
 
(
T \ {u} , P , bv,pc′ \ {u} , pv′, γn
) (asynch)
t 6∈ T ∧ pc′ = pc[t← (exit)] ∧ f ∈ Pfn (V, P) ∧ pv′ = pv ⊎ {t 7→ f} ∧ Q ⊆ P ∧
γ ′ = γ
[{
p← ϕ(p) graphOf
(
(σtp ≥ ω
t
p ≥ 0) ∧u∈Reg(p,γ(p)) (σ
u
p ≥ ω
t
p ≥ 0) ∧ (σ
t
p ≥ ω
u
p ≥ 0)
)
| p ∈ Q
}]
(T , P , bv,pc,pv,γ)
t
 
(
T ∪ {t} , P , bv,pc′, pv ′, γ ′
) (exit)
Figure 6: Derivation rules for computing pre(t, φ) as union of all
{φ′ | φ
t
 φ′ with φ = (T , P , bv,pc,pv,γ) and t ∈ T }.
24
pc(t) = v := newPhaser(); s ∧ p 6∈ P ∧
P
′ = P ∪ {p} ∧ pv ′ = pv[t← (pv(t)[v← (p)])]
∧ γ ′ = γ
[
p←
(
graphOf
(
ωtp = σ
t
p = 0
))]
(T , P , bv,pc,pv,γ)
t
−→
(
T , P ′, bv,pc[t← (s)], pv ′, γ ′
) (newPhaser)
pc(t) = v.signal(); s ∧
pv(t)(v) = p ∧ isReg(t, p,γ(p)) ∧
γ ′ = γ
[
p←
(((
γ(p)
[
σtp/σ
]
graphOf
(
σtp = σ + 1
))
⊖ {σ}
))]
(T , P , bv,pc,pv,γ)
t
−→
(
T , P , bv,pc[t← (s)], γ ′
) (signal)
pc(t) = assert(cond); s ∧
bv(cond) = true
(T , P , bv,pc,pv,γ)
t
−→ (T , P , bv,pc[t← (s)], pv,γ)
(
assert.
ok
)
pc(t) = v.drop(); s ∧ pv(t)(v) = p ∧
isReg(t, p,γ(p)) ∧ γ ′ = γ
[
p←
(
γ(p) ⊖
{
ωtp, σ
t
p
})]
(T , P , bv,pc,pv,γ)
t
−→
(
T , P , bv,pc[t← (s)], pv,γ ′
) (drop)
pc(t) = asynch(task, v1, . . . vk){s1}; s2 ∧ paramOf(task) = (w1, . . . wk) ∧
for all i : 1 ≤ i ≤ k. pv(t)(vi) = pi ∧ isReg(t, pi, γ(pi)) ∧
u 6∈ T ∧ pv ′ = pv[u← ({wi 7→ pv(t)(vi) | 1 ≤ i ≤ k})] ∧ pc
′ = pc[u← (s1)] ∧
γ ′ = γ
[{
pi ← γ(pi) graphOf
(
ωtpi
= ωupi
∧ σtpi
= σupi
)
| pv(t)(vi) = pi for pi ∈ P and 1 ≤ i ≤ k
}]
(T , P , bv,pc,pv,γ)
t
−→
(
T , P , bv,pc′[t← (s2)], pv,γ
′
) (asynch)
pc(t) = v.wait(); s ∧ pv(t)(v) = p ∧ isReg(t, p,γ(p)) ∧
pi =
∧
u∈Reg(p,γ(p))
(
ωtp < σ
u
p
)
∧ isSat(γ(p) pi) ∧
γ ′ = γ
[
p←
(((
(γ(p) pi)
[
ωtp/ω
]
graphOf
(
ωtp = ω + 1
))
⊖ {ω}
))]
(T , P , bv,pc,pv,γ)
t
−→
(
T , P , pv,pc[t← (s)], γ ′
) (wait)
pc(t) = exit ∧ pv′ = pv \ {t} ∧ pc′ = pc \ {t} ∧
γ ′ = γ
[{
p← γ(p)⊖
{
ωtp, σ
t
p
}
| p ∈ P
}]
(T , P , bv,pc,pv,γ)
t
−→
(
T \ {t} , P , bv,pc′, pv′, γ ′
) (exit)
Figure 7: Computing post(t, (T , P , bv,pc,pv,γ)) for some t ∈ T . Phasers’ re-
lated part of the symbolic successor computation used during the view abstrac-
tion based parameterized analysis of phaser programs.
25
