Analysis of Concurrent Software Models Using Partial Order Views Qiang Sun, Yuting Chen, Jianjun Zhao, Shanghai Jiaotong University 25-Oct-15

Outline Motivation An approach to analysis of concurrent software models using partial order views Some simple examples

Motivation Checking and analyzing the software design model become crucial Analysis of concurrent software behavioural models still faces challenges – Data races, atomicity violations, bugs A number of analyses are on the basis of state models – A process can be modeled as a state machine in which the transitions are atomic or indivisible actions executed by the process. – LTS: Labeled Transition Systems – FSP (Finite State Processes), CCS, CSP

Analyzing a state model usually faces difficulties – Combination of state models leads to state space explosion

Solution? Modeling concurrency using partial orders Modeling concurrency using partial orders – Partial order view Extraction of partial orders of interest events from state machines – Partial orders can also be extracted from partial behavioral models. BiG provides the mechanism of the model transformation and synchronization. – State machine ↔ Pomset model

Labeled Partial Order (LPO) – A partial order is a pair (E, <), where < is an irreflexive transitive binary relation on the vertex set E. – A labeled partial order (lpo) is a structure (E, ∑, μ, <), where (E, <) is a partial order, and μ : E→∑ labels the vertices of E with elements of the set ∑. – (E, ∑, μ, <) and (E’, ∑’, μ’, <’) over the same set of labels ∑ are isomorphic if – there exists a bijection τ: E→E’ such that for all u, v ∈ E, μ(u)= μ’(τ(u)), and u < v iff τ(u) <’ τ(v).

Partial Order Multi-Set (Pomset) A pomset [E, ∑, μ, <] is the isomorphism class of an lpo (E, ∑, μ, <). – A pomset [E, ∑, μ, <] is finite if E is finite. – Two pomsets [E, ∑, μ, <] and [E’, ∑’, μ’, <’] are isomorphic if there exist bijections τ : E→E’ and ν: ∑ → ∑’, such that for all u, v ∈ E and for all a ∈ ∑, μ(u) = a iff μ’ ( μ (u)) = ν(a), and u < v iff τ(u) <’τ(v).

Two Operations Let – p = [E, ∑, <, μ] – p' = [E’, ∑, <’, μ’] – E ∩ E' = Φ. Series operation – p;p’ = [E ∪ E’, ∑, (< ∪ <’ ∪ (E×E’)), μ ∪ μ’] Parallel operation – p||p’ = [E ∪ E’, ∑, (< ∪ <’), μ ∪ μ’]

Pomset Model – Actions & events An action may occur more than once. ∑ An occurrence of an action is an event. E Pomset model helps analyze and understand the behaviors of concurrent software better. – Happens-before relationship for the events of interest – Calculating the possible traces – Pomset model can avoid state space explosion; the increment of the events is linear. AB

Analysis of Concurrent Software Models Using Partial Order Views To extract pomset model – Computing the partial order of events within one process. – Merging partial orders of different processes through parallel operation. To analyze pomset model and check event traces To revisit state model whether we detect abnormal event traces Bidirectional Graph Transformation technique provides with support in transforming state model to pomset model and keeping model synchronization. – The result can be easily mapped back to the original LTS.

SMALL EXAMPLES

Semaphore Semaphore LTS Loop 0 1 up down up down critical up down critical 2

Begin up critical 1down critical 2down End

Elevator System Outer request – FLOOR × {UP, DOWN} Inner request – FLOOR TO GO TO Controller of elevators – Out requests: accessing request queue – Inner requests: message passing 5 floors and 2 elevators

0 send Outer request queue 013 send receive send 2 receive User in elevator Inner request buffer getREQ receive response receive elevator

getREQ send receive send receive send receive Begin responseEnd

get send receive send receive send receive Begin responseEnd remove

0 send Outer request queue send receive send 2 receive User in elevator Inner request buffer response 1’ receive getremove elevator

getREQ receive response receive getREQ send receive send receive send receive Begin responseEnd get send receive send receive send receive Begin responseEnd remove response 1’ receive getremove

Two elevators Outer request queue response 1’ receive getremove Elevator response 1’ receive getremove Elevator 2

Begin get1get2 remove1remove2 get1 → get2 → remove1 → remove2

Lock & Unlock Begin lock get1get2 remove1 remove2 unlock Begin lock get1get2 remove1 remove2 unlock

Outer request queue response 1’ receive getremove Elevator 1 1’’1’’’ unlock lock response 1’ receive getremove Elevator 2 1’’1’’’ unlock lock

Partial order event model provides engineers with – A different view about the events occurring in the concurrent software system and their order. – Bidirectional model transformation technique helps transform state model to partial order event model Detection of potential errors is possible from taking advantage of information about partial order event model – To detect data races by associating the events to accessing the shared memory – To detect atomicity violations by associating actions to accessing resources – Determination of the real bugs usually relies on human judgements – Bidirectional model transformation technique helps reveal the bugs in the state model if any abnormal event traces are found

Conclusions State model is widely used in practice Pomset model can avoid state space explosion An approach to checking and analyzing state model using pomset model BiG provides the mechanism of model transformation and bug elimination

Future Work A systematic approach Correctness of the approach – Case studies and experiments Tool Support