On Sequentializing Concurrent Programs Ahmed Bouajjani LIAFA, University of Paris 7, France Michael Emmi Gennaro Parlato ✓ University of Southampton, UK

What is this talk about? Use of verification tools for sequential programs to analyze concurrent programs Write a sequential program that simulates the concurrent program Kiss: Keep It Simple and Sequential [Qadeer, Wu— PLDI’04] Many efficient solutions have been developed for sequential programs: SMT-based Bounded Model-Checkers, BDD-based model-checkers, approximation techniques, deductive verification, … Why don’t we exploit them?

code-to-code translation as a plug-in for sequential tools shared vars (SC semantics) Sequ. tool Concsequ tranlsation Instrumentation for the Sequ. tool Concurrent Program T1 T2 Tn SC tools: Bounded model checking: ESBMC (FSE’11) Poirot (by MSR) Storm (CAV’09) … Boolean Programs: Boom, Boppo GETAFIX (PLDI’09) jMoped [SPIN’08] CHESS (MSR) Sequentialization + sequ. tools … Sequ. program A convenient way to get new tools for conc. programs …

What would it be a good sequential simulation? First attempt: Tracking state: C1 X C2 X … Ci … X Cn X Shared Simulation: at each step simulate one move of a thread State space explosion ! Q: Can we avoid such an explosion (cross product of locals)? Yes, if we consider at most 2 context-switches [Qadeer, Wu—PLDI’04] Q: Can we avoid such an explosion (cross product of locals)? A: YES, for certain under-approximation Q: What about complete simulations ? A: NO! (for theoretical reasons) 2 3 3 1 2 1

Related works Up 2 context-switches [Qadeer, Wu—PLDI’04] Many concurrency errors manifest themselves within few context- switches [Musuvathi, Qadeer—PLDI`07] Any fixed # context-switches (finite # of threads) Eager [Lal, Reps—CAV`08] Lazy [La Torre, Parlato, Madhusudan—CAV`09] Round-Robin schedules & parametrized programs Lazy [La Torre, Parlato, Madhusudan—CAV`10] Delay-bounded schedules (thread creation) [Emmi, Qadeer, Rakamaric—POPL`11] Over-approximation [Garg, Madhusudan, TACAS`11]

Proposed sequentializations common characteristics Avoid cross product (compositional) 1 stack for the simulation 1 local state, fixed # of shared states Conc. & Sequ. Programs are in the same class i.e. no additional data structures to simulate parallelism Example: Boolean conc. programs  Boolean (sequential) program Parametrized: increasing the parameter more and more behaviors are captured at the expense of more computational resources Explore as many behaviors as possible Goal

Our contribution General mechanism enabling compositional sequentializations Under-approximations Captures at least or more behaviors than existing sequentializations Existing sequentializations can be seen as a restrictions of ours

Our Concurrent  Sequential Translation - Compositional semantics - Thread interfaces - Bounded semantics (restricted compositional semantics)

Compositional Semantics (code-to-code translation to sequ. programs) P ::= var g:T H H ::= proc p (var l:T ) s s ::= s; s | x := e | skip | assume e | if e then s else s | while e do s | call x := p e | return e | post p e | yield //Concurrent stmt x ::= g | l T1 T2 Tn shared vars (SC semantics) … Main idea of the sequentialization Transform each thread creation into a procedure call: post p e  call g:=p e Only one interaction Solution (return all possible interactions) post p e  call INTERFACE:=p e

Key concept: Thread interface s1 s1’ Thread interface An interface of a thread T in an execution captures the interactions (shared states) of T and all its sub-threads with the remaining threads involved in the execution s2 s2’ s3 s3’ s4 s4’ s5 s5’

How to compute Thread interface Every thread creation is transformed into a procedure call A thread procedure computes an interface of the thread by simulating its code The thread procedure keeps the following data structure to compute the interface EXP: Interface to export BAG: Interfaces imported from posted threads

Updating the interface data-structure: initialization EXP: Interface to export BAG: Interfaces imported from posted threads s1 ∅ The procedure that simulates a thread first initializes the interface data- structure: interface to export is initialized with one round ( s1, s1 ) ( s1 is a guessed shared state) bag of imported interfaces is empty

Updating the interface data-structure: thread creation (post) EXP: Interface to export BAG: Interfaces imported from posted threads At any thread creation: post p e  transformed interface := call thread-p e; Add( BAG, interface );

Updating the interface data-structure context-switch (yield) EXP: Interface to export BAG: Interfaces imported from posted threads a b b At any yield point non deterministically either interact at least once with internal threads, or interact with an external thread

Updating the interface data-structure context-switch (yield) EXP: Interface to export BAG: Interfaces imported from posted threads a At any yield point non deterministically either interact at least once with internal threads, or interact with an external thread Add a new round (a,a) to the interface to export ( a is guessed )

Sequential semantics for conc. programs We’ve obtained a sequential program that simulates the conc. program by computing interfaces Each Thread code p is replaced by the procedure thread-p: Variables: Locals + Interface data-structure Initialize the interface data-structure The code of the original thread is attached Only post, and yield statement are replaced with new code (simulating the operations presented previously) At yield a yield statement (or return) return the exported interface interface data-structure is unbounded

Bounding & Compressing An interface as a list: a b c d e f g h a c e g b d f h

Bounding & Compressing Bound the # nodes in the interface data structure Compress the bag of exported interface as a DAG We merge two node (x, y) and (y,z) into (x,z) x y z Ex 1. Ex 2. x y z

Our Sequentialization Compositional Semantics + Bounding & Compressing

All existing sequentializations can be simulated - Up 2 context-switches [Qadeer, Wu—PLDI’04] - Any fixed # context-switches (finite # of threads) - Eager [Lal, Reps—CAV`08] - Lazy [La Torre, Parlato, Madhusudan—CAV`09] - Round-Robin schedules & parametrized programs - Lazy [La Torre, Parlato, Madhusudan—CAV`10] - Delay bounded schedules (thread creation) [Emmi, Qadeer, Rakamaric—POPL`11]

Sequ. for any fixed # context-switches (finite # of threads) [Lal, Reps—CAV`08] initial shared state T1 T2 Tn round 1 round 2 round k 3 1 2

Conclusions

Thanks! Conclusions: Future works: We have presented a general mechanism enabling compositional sequentializations of concurrent programs (under SC) parameterized (bounding & compressing the # of nodes in the interfaces) more behaviors than existing sequentializations Thread creation, parameterized programs, finite # threads All existing sequentializations can be explained within our framework Weak Memory models: Translation TSO  SC [Atig, Bouajjani, Parlato—CAV`11] TSO  SC  sequential Future works: Experimental evaluation Sequentializations for distributed programs (FIFO channels) ? The Tree-width of Auxiliary Storage [Madhusudan, Parlato—POPL`11] Lazy transformation of our sequentialization [La Torre, Madhusudan, Parlato—CAV`09, CAV`10] Thanks!