natural proofs for asynchronous programs using almost-synchronous reductions - pranav...

Natural Proofs for Asynchronous Programsusing Almost-Synchronous Reductions

Ankush DesaiUniversity of California, Berkeley

[email protected]

Pranav GargUniversity of Illinois at

[email protected]

P. MadhusudanUniversity of Illinois at

[email protected]

AbstractWe consider the problem of provably verifying that an asyn-chronous message-passing system satisfies its local asser-tions. We present a novel reduction scheme for asynchronousevent-driven programs that finds almost-synchronous invari-ants— invariants consisting of global states where mes-sage buffers are close to empty. The reduction finds almost-synchronous invariants and simultaneously argues that theycover all local states. We show that asynchronous programsoften have almost-synchronous invariants and that we canexploit this to build natural proofs that they are correct. Weimplement our reduction strategy, which is sound and com-plete, and show that it is more effective in proving programscorrect as well as more efficient in finding bugs in severalprograms, compared to current search strategies which al-most always diverge. The high point of our experimentsis that our technique can prove the Windows Phone USBDriver written in P [9] correct for the responsiveness prop-erty, which was hitherto not provable using state-of-the-artmodel-checkers.

Categories and Subject Descriptors D.1.3 [ProgrammingTechniques]: Concurrent Programming— Distributed pro-gramming; D.2.4 [Software Engineering]: Software/Pro-gram Verification— Correctness proofs, Model checking;D.2.5 [Software Engineering]: Testing and Debugging

Keywords natural proofs; almost-synchronous reductions;asynchronous programs; concurrency; reductions; distributedprograms

Permission to make digital or hard copies of all or part of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies bear this notice and the full citationon the first page. Copyrights for components of this work owned by others than theauthor(s) must be honored. Abstracting with credit is permitted. To copy otherwise, orrepublish, to post on servers or to redistribute to lists, requires prior specific permissionand/or a fee. Request permissions from [email protected] ’14, October 20–24, 2014, Portland, OR, USA.Copyright is held by the owner/author(s). Publication rights licensed to ACM.ACM 978-1-4503-2585-1/14/10. . . $15.00.http://dx.doi.org/10.1145/2660193.2660211

1. IntroductionWriting correct asynchronous event-driven programs, whichinvolve concurrently evolving components communicatingusing messages and reacting to input events, is difficult.One approach to testing and verification of such programs isusing model-checking, where the state-space of the program(or the program coupled with a test harness) is exploredsystematically. State-space explosion occurs due to severalreasons— explosion of the underlying data-space domain,explosion due to the myriad interleavings caused due toconcurrency, and explosion due to the unbounded messagebuffers used for communication.

In this paper, our aim is to build model-checking tech-niques that provably verify asynchronous event-driven pro-grams against local assertions. In particular, we are inter-ested in proving programs written in a recently proposedprogramming language P [9], which is an actor-based pro-gramming language which provides abstractions that hidethe underlying data and device manipulations, thus exposingthe high-level protocol. Our primary concern in this paper isto tackle the asynchrony of message passing which causesunbounded message buffers. Our goal is to effectively andefficiently prove (as opposed to systematically test) event-driven programs correct, when the number of processes andthe local data are bounded, but when message buffers areunbounded.

The classical approach to tackle state-space explosionwhen systematically testing concurrent programs usingmodel-checking is partial-order reduction [12, 14]. A con-current program’s execution can be viewed as a partial orderthat captures causality between events. Local state reachabil-ity can then be checked by exploring only one linearizationof every partial order, and partial-order techniques whichgive methods that explore one (or a few) of these lineariza-tions per partial order can result in considerable savings.

In the setting where we want to prove protocols correctusing model-checking, the key criterion to achieve termi-nation is to detect cycles in the state-space. However, inmessage passing systems, global state-spaces are infinite,even when the local data domains and number of processes

709

are bounded, as the message buffers get unbounded. Con-sider the simple scenario where a machine p sends a ma-chine q unboundedly many messages, like in a producer-consumer setting. Even in this simple scenario, systematicmodel-checkers (based on partial-order reduction or other-wise) would fail to terminate checking local assertions, evenwhen the local data stored at p and q is finite, since messagebuffers get unbounded [14]. Consequently, techniques suchas partial-order reduction do not typically help, as they arenot aimed at exploring a finite subset of the infinite reachablestate-space that can guarantee correctness. In this paper, weaim to find and explore such an adequate finite subset, whichwe call almost-asynchronous invariants (ASI).

Almost-synchronous Invariants: Our primary thesis isthat almost-synchronous invariants often suffice to proveasynchronous event-driven programs correct, and further-more, a search for these invariants is also more effectivein finding bugs. Intuitively, almost-synchronous states arethose where the message buffers are close to empty, andalmost-synchronous invariants are collections of such statesthat ensure that all local states have been discovered. Forinstance, in the producer-consumer example above, explor-ing the sends of p immediately followed by the receive inq discovers an almost-synchronous invariant where messagebuffers are bounded by one, though blindly exploring thestate-space would never lead to termination.

The primary contribution of this paper is a sound andcomplete reduction scheme that discovers almost-synchronousinvariants using model-checking. The key idea is to exploreinterleavings that keep the message buffers small, while atthe same time finding a closure argument that argues thatall local states have been discovered, at which point we canterminate. Intuitively, for any partial order described by thesystem, we aim to “cover” this using a linearization that hassmall buffer sizes. The reduction scheme is quite involved,and even subverts the semantics of the underlying system,for instance throwing away messages into ether, to achievesmall buffer sizes.

Natural Proofs: The technique set forth in this paper isa method involving natural proofs. Intuitively, the idea be-hind natural proofs is to find some simplicity of real-worldinstances and exploit them to find a simple proof of cor-rectness, even when the general verification problem may beundecidable. Traditional approaches to tackling undecidableproblems in verification are to find decidable fragments; nat-ural proofs, in contrast, do not restrict the class of problems,but rather strives to exploit the simplicity of the individualinstances by searching for simple proofs only.

The problem of checking whether an asynchronous pro-gram is correct, even when the number of machines and localdata are bounded, is an undecidable problem [8]. Our thesisis that asynchronous systems often have a natural proof us-ing a small set of almost-synchronous global states that canbe used to prove the program correct. For instance, when a

process p sends a message to q, a global state would captureall possible states q could be in at that time; however, thedesigner of the program would actually be concerned withand argue about the states q could be in when it receives themessage currently being sent. Almost-synchronous invari-ants are states that capture these kinds of global states, wheremessage-buffers are close to empty. Finding these almost-synchronous global states often suffices in capturing the dy-namics of the communication protocol and proving that itsatisfies its specification.

Our automated solution strategy is hence to find such a setof almost-synchronous invariants, prove that they are suffi-cient to cover all local states, and that they verify the local as-sertions. We discover almost-synchronous invariants in thispaper using state-space exploration and model-checking.

Natural proofs have been studied earlier in the entirelydifferent domain of logic-based verification of programsmanipulating dynamic data-structures [28, 33, 38]. In thatsetting, the logics have an undecidable validity problem,and natural proofs give sound (but incomplete) techniquesfor proving validity of verification conditions in many pro-grams.

Verifying asynchronous event-driven programs in P: Oneof our primary motivations is to verify real-world asyn-chronous event-driven device-driver programs written in Pagainst a property called responsiveness.

Asynchronous event-driven programs typically have lay-ers of design, where the higher layers reason with how thevarious components (or machines) interact and the proto-col they follow, and where lower layers manage more data-intensive computations, controlling local devices, etc. How-ever, the programs often get written in traditional languagesthat offer no mechanisms to capture these abstractions, andhence over time leads to code where the individual layers areno longer discernible. High level protocols, though often firstdesigned on paper using clean graphical state-machine ab-stractions, eventually get lost in code, and hence verificationtools for such programs face the daunting task of extractingthese models from the programs.

The natural solution to the above problem is to build aprogramming language for asynchronous event-driven pro-grams that preserves the protocol abstractions in code. Apartfrom the difficulty in designing such a language, this prob-lem is plagued by the reluctance of programmers to adopta new language of programming and the discipline that itbrings. However, this precise solution was pioneered in anew project at Microsoft Research recently, where, duringthe development of Windows 8, the team building the USBdriver stack decided to use a domain-specific language forasynchronous event-driven programs called P [9]. Programswritten in P capture the high-level protocol using a collec-tion of interacting state machines that communicate witheach other by exchanging messages. The machines, inter-nally, also have to do complex tasks such as process data

710

and perform low level control of devices, reading sensors orcontrolling devices, etc., and these are modeled using exter-nal foreign functions written in C.

The salient aspect of P is that it is a programmingparadigm where the protocol model and the lower level dataand control are simultaneously expressed in the same lan-guage. P programs can be compiled to native code for execu-tion, while the protocol model itself can be extracted cleanlyfrom the code in order to help perform analysis, especiallythose relevant to finding errors in the protocol. Writing codein P gives immediate access to designers to correct errorsfound by analysis tools during the design phase itself, andsignificantly contributed to building a more reliable USBstack [9]. Maintenance of the code in P automatically keepsthese models up to date, enabling verification mechanismsto keep up with evolving code.

The primary specification that P programs are required tosatisfy in [9] is responsiveness. Each state declares the pre-cise set of messages a machine can handle and the precise setof messages it will defer, implicitly asserting that all othermessages are not expected by the designer to arrive whenin this state. Receiving a message outside these sets hencesignals an error, and in device drivers, often leads drivers tocrash. The work reported in [9] includes a systematic testingtool for the models using model-checking, where the systemis explored for hundreds of thousands of states to check forerrors. However, such model-checking seldom succeeds inproving the program correct, since there are many sourcesof infinity, including message buffer sizes.

In this paper, we present the almost-synchronous invari-ant reduction using a model called event-driven automatathat closely resembles P programs, though our algorithm canbe easily adapted to other actor-based concurrency models aswell.

Implementation and Evaluation: We have implementedour reduction mechanism technique for discovering almost-synchronous invariants (ASI) of P programs. Our invariantsynthesis is built over the Zing model-checker [4], adaptingit to explore the state-space of P programs using our reduc-tion strategy. The existing systematic model-checker for Pprograms (also implemented in Zing) [9] almost never ter-minates, and can finish exhaustive state-space explorationonly when message buffers are bounded in some fashion.We show however that our reduction can handle such P pro-grams without bounding buffers. We show two classes ofresults over a set of P programs analyzed for the respon-siveness property. The first class of results show that ourreduction can prove P programs correct, for arbitrary mes-sage buffer sizes. Our reduction works faster, despite han-dling unbounded buffers, than the naive exploration doeson reasonably bounded buffers. The second class of resultsshow that our reductions also help in finding bugs in incor-rect P programs, exploring less states and performing fasterthan iterated depth-first search techniques. The high point

of our experiments is the complete verification of the USBWindows Phone Driver, which our tool can prove responsivewith no bound on message buffers, a proof that has hithertobeen impossible to achieve using current model-checkers.

2. MotivationThe key idea of this paper is that almost-synchronous invari-ants often suffice to find proofs of local assertions in event-driven asynchronous programs. Given an asynchronous pro-gram with local assertions, we would like to explore a set ofreachable global states that covers all reachable local states.However, this set of global states need not be the set of allreachable global states (partial-order reduction [12, 14] alsoworks this way; all global states are not explored, but all lo-cal states are covered).

Synchronous states, intuitively, is the set of global stateswhere message buffers are empty. From the perspective ofrely-guarantee reasoning [20], when a machine p sends amessage to machine q, p is not quite concerned with whatthe state of q is when the send-event happens, but rather isconcerned with the state of q when it receives the messageit sends, which is essentially what synchronous states cap-ture. However, synchronous invariants (invariants contain-ing synchronous states) may themselves not suffice to provea system correct for two reasons: (a) in order to ensure thatall synchronous states have been explored, we may need toexplore asynchronous states (where message buffers are notempty), and (b) certain local states may manifest themselvesonly in asynchronous states. Almost-synchronous invariantsare invariants of the system expressed using global stateswhere message buffers are close to empty, but for whichinductiveness of the invariant is provable and which cov-ers all local states. The primary thesis of this paper is thatalmost-synchronous invariants (ASI) often exist for event-driven asynchronous programs, and natural proofs that tar-get finding such invariants can prove their correctness effi-ciently.

We will present, in Section 4, a reduction scheme (calledalmost-synchronous reduction) that will explore a selectiveset of interleavings that leads to the discovery of ASIs andsimultaneously proves their inductiveness. The primary aimof the reduction is to explore interleavings that keep the mes-sage buffers to the minimal size needed, while still ensuringthat all local states are eventually explored. The reductionwill be sound and complete— all errors will be detected (ifthe search finishes) and all reported errors will be real errors.

The first rule of our almost-synchronous reduction (pre-sented in Section 4) is to schedule receive-events wheneverthey are enabled, suppressing send-events. This rule ensuresthat messages are removed from message queues (which areFIFO and one per process) as soon as possible, thus ensuringmessage buffers are contained, and as we show in practice,often bounded. Moreover, this prioritization is sound as re-

711

ceive events that are enabled do not conflict with other re-ceive or send events.

Figure 1:ProducerConsumerScenario

To appreciate this prioritization, con-sider the producer-consumer scenario onthe right, where process p sends an un-bounded number of messages to q, whichq receives (p could do this by having a re-curring state send out messages receivedby a recurring state of q).

The reduction that we propose willexplore this scenario (partial-order) us-ing the linearization consisting of an un-bounded number of rounds, where in eachround p sends to q followed by q immedi-ately receiving the message from p, thusexploring an essentially synchronous in-terleaving where the message buffer is bounded by 1. Fur-thermore, and very importantly, when exploring this inter-leaving, the search will discover that the global state repeats,which includes the local states of all machines and the con-tents of all message buffers. This is entirely because the mes-sage buffer gets constantly depleted causing the global stateto recur.

Similarities and differences with partial-order reduction:Note that techniques such as partial-order reduction [12, 14]do not necessarily help in this scenario. Even an optimalstatic or dynamic partial-order reduction that promises toexplore every partial-order using just one linearization, can-not assuredly help. In the above example, if the linearizationchosen is the one where the sends from p are all exploredfirst (or a large number of them are explored) before thecorresponding receives are explored, then each global statealong this execution would be different because the mes-sage buffer content is different in each step. This turns outto be true for both depth-first and breadth-first searches withpartial-order reduction. Note that this problem does not, ingeneral, arise when systems communicate through boundedshared memory only; it is message-passing that causes theproblem.

Partial-order reduction techniques are targeted to reduc-ing the number of interleavings of every partially orderedexecution explored, but are not aimed at choosing the inter-leavings explored carefully so as to reduce the global config-uration, in particular the size of message buffers. Our almost-asynchronous reduction, on the other hand, chooses inter-leavings that reduce message-buffer sizes. This itself can re-sult in a few linearizations of every partial order explored,but this is incidental. For instance, if linearizations of a par-tially ordered execution all have near zero buffer sizes, ourreduction could explore all of them. In fact, a more ideal re-duction would combine almost-asynchronous reductions andpartial-order reductions; this is left as an interesting futurework to explore.

Despite the above differences, our reduction has manysimilarities to partial-order reductions. In particular, theproof that our reduction is sound and complete in discov-ering all local states is similar to the corresponding proofsfor partial-order reduction— we show that for every exe-cution that reaches a local state, there is another executionwithin our reduced system that is equivalent (respects thesame partial order) and hence reaches the same local state.

Handling truly asynchronous behaviors: If a systemreadily always presents synchronous events (all sends en-abled always have the matching receive events immediatelyenabled in the receiving process), and one can solely ex-plore the executions with synchronous events only and keepthe sum of all message buffer sizes to 1. While this oftenhappens, it does not typically happen all the time in a sys-tem’s evolution, which is why we need almost-synchronousglobal states to be explored. Let us consider several scenar-ios where such asynchrony happens and explain how ourreduction technique mitigates this.

First, consider the scenario in Figure 2 where p wantsto send a message to q and q also is sending a messageto p. Clearly, we cannot explore synchronous messages atthis point, and we need to let these sends happen with-out their corresponding receive events. It turns out that inmany asynchronous message-passing programs, this sce-nario does occur (even the simple elevator example in [9]has such a scenario). However, it turns out that the system

Figure 2:

often quickly recovers where p aftersending the message, soon gets to a re-ceive mode where it accepts the mes-sage from q, and similarly q, after send-ing its message, soon receives the mes-sage from p. Hence a careful executionof these sends followed by prioritizingreceive-events over send-events often letsus recover a synchronous state. The re-duction that we propose will explore such an interleavingthat leads to recovery of a synchronous state after a mildasynchronous excursion.

Figure 3:

Let us now consideranother example, the oneshown in Figure 3— here pis sending a message to q,and q is sending a message tor, where r is able to receivemessages from either. As wehave argued before, note that scheduling only synchronousevents in this situation, which means only scheduling thesend of q and the receive of r, will lead to incompleteness(i.e., the exploration can miss local states). For instance, itmay be the case that p, after sending the message to q, sendsa message to r (denoted by the dotted arrow), and r receivesthis message before the send-event of q happens. This ex-ecution will be missed if we only scheduled synchronous

712

Figure 4: Rules for the construction of the destination setwhen q has an empty queue and is waiting to receive anevent. Note that the dotted arrow from p marked q denotesthat p is a potential sender of q.

events. Hence it is important to note that scheduling onlysynchronous events is complete only when in the currentstate all sends have matching receives enabled.

The simplest way to address the problem is to enableboth the sends of p and q. However, this could lead toflooding the message queues unnecessarily, for example ifp and q continue sending more messages. Our mechanismwill actually split this scenario into two cases. The firstcase is when p is a potential sender to r, i.e., in somestate of p, it could send a message to r. When that’s thecase, the above execution we outlined could happen, and ourreduction will enable both sends of p and q, which will leadto the execution being discovered.

However, in the case when p is not a potential sender tor (and assuming there are no other processes), we will dothe following. We will enable the send of q (followed by thereceive of this message in r). Also, we will allow a movethat blocks process q, which means that process q will notbe able to transition any longer and remains blocked forever.Once q is blocked, all processes that are sending messagesto q are essentially sending messages that will never getreceived, and hence they can send their messages to ether,i.e., we can lose these messages and not store them in theconfiguration at all. In the above scenario, we will enable amove that blocks q, and hence allow p to send its messageto q (which promptly gets lost), and in this way enable p toproceed while at the same time keep message buffers small.Note that blocking any process at any time is always sound.Completeness is harder to establish, and crucially dependson the topology of the system, including the communicationbehavior of the machines. In the above scenario, it does turnout that blocking q is complete as well. When there are moreprocesses in the system, the condition under which we willallow such a blocking is more complex, depending on the setof potential senders to r, etc.

All the above scenarios are treated uniformly in our re-duction using destination sets. A destination set is a subsetof processes that is defined for every system configuration.For configurations in which none of the receive events areenabled, we construct its destination set and explore onlythose events that send messages to a process in the destina-tion set. Figure 4 illustrates the rules for the construction ofthe destination set for the case when process q has an emptymessage buffer queue and is waiting to receive a message. Ifin that configuration a process p, which is a potential senderto q, is indeed sending a message to q, the destination set weconstruct is {q} and our reduction explores this send eventfrom p to q (Figure 4A). Otherwise, if p itself has an emptyqueue and is waiting to receive (as in case Figure 4B), pwhen enabled might evolve to reach a state that sends a mes-sage to q. Our reduction, in this case, needs to explore allinterleavings of send events that might enable p and hencethe destination set is {p, q}. Finally, if p is sending a messageto a different process r (Figure 4C), p might evolve after thissend to reach a state that sends a message to q. To accountfor this scenario, our reduction will need to explore the sendfrom p to r and hence the destination set is {r, q}.

From a given configuration, our reduction only selec-tively explores a subset of the enabled events, namely thosethat send a message to processes in the destination set. Suchselective exploration is unfair and can completely miss thebehavior of processes whose events were not explored [14,45]. To ensure that our search is not unfair with respectto some processes, our reduction also enables a transitionthat blocks processes whose events were chosen to be se-lectively explored. The use of blocked processes is anotherunique aspect of our reduction, and crucially relies on thesemantics of message passing. A generic reduction tech-nique, such as partial-order reduction, which works by han-dling shared memory and message passing uniformly cannotachieve such reductions, as what we do strays away from thenormal semantics of transitions on the global state. In otherwords, we are under-approximating the global state descrip-tion itself, while preserving soundness and completeness.

A simple P program: Figure 5 presents a toy example in P,that implements the distributed commit protocol. The systemconsists of a Client machine, a Coordinator and two Replicamachines. The client sends new transaction (newTran) re-quests to the coordinator machine. The coordinator machinedequeues these requests and processes them by coordinatingwith the replicas in the system. It does so by sending Commitrequests to the replica machines and waiting for a Vote fromthem. Once the coordinator has received votes from both thereplicas, it sends a nextTran message back to the client. Onlyafter receiving this message can the client send a new trans-action to the coordinator. In this way, the protocol ensuresthat the client machine sends a newTran request only afterthe coordinator has finished processing the previous transac-tion. Note that the set of messages deferred in any state of

713

SendRequest

Deferred:Action:

send(Coordinator ,newTran);

start nextTran

(a) Client Machine

WaitTranDeferred:Action:

skip

start

AskReplicas

Deferred:Action:

send(Replica 1 ,Commit);send(Replica 2 ,Commit);

CollectVoteDeferred:Action:

skip

AckToClientDeferred:Action:

send(Client ,nextTran);raise(unit);

newTran

voteunit

vote

(b) Coordinator Machine

InitDeferred:Action:

skip

start

SendVoteDeferred:Action:

send(Coordinator ,Vote);raise(unit);

Commit

unit

(c) Replica Machine

Figure 5: Distributed Commit Protocol in P

the above P program is empty; our reduction can also handleP programs with non-empty deferred sets.

Figure 6 shows the queuing architecture for the dis-tributed commit protocol indicating the communication pat-tern amongst the machines in the system. An edge from p toq represents that p is a potential sender of q. In this particularexample, the client can only send a message to the coordina-tor; the coordinator sends a message to the client and to boththe replicas, and the replicas in turn send messages back tothe coordinator. In section 4, we use this example to describeour reduction algorithm.

3. Event-driven automataIn this section we introduce an automaton model, calledevent-driven automata (EDA), for modeling event-drivenprograms, inspired by and very similar to P programs. Event-driven automata are however a lot simpler, allowing us to de-fine the reductions and prove precise theorems about them.We will then lift the reductions to general programs, includ-ing programs written in P (see Section 5).

In our automaton model, a program is a finite collectionof state machines communicating via messages. Each statemachine is a collection of states, has local variables and has

Figure 6: The queuing architecture for the Distributed Com-mit Protocol in Figure 5.

a set of actions. Each machine also has a single FIFO queueinto which other machines can enqueue messages. We willnot restrict any of the sets (states, domain of local variables,payload on messages, etc.) to be finite; all of them can be in-finite, and hence our automata can model event-driven soft-ware. For instance, P programs allow function calls in localmachines; these can be modeled in our automata using anappropriate encoding of the call-stack in the state. Also, forsimplicity, we will assume there is no process/machine cre-ation; our reduction does extend to this setting, but it is moreclear to explain our algorithms without these complications.Section 5 describes how we extend our algorithms to workon general P programs.

A message is modeled as a pair π = (m, l), consisting of amessage type m (from a finite set) and an associated payloadl belonging to some (finite or infinite) domain. Let M bea finite set of message types and let DomM be the payloaddomain. Then, a message π belongs to Π = M × DomM . Wefix M, DomM , and Π for the rest of the paper.

Let Dom be the domain for the local variables in the statemachines. Without loss in generality, we assume that eachmachine in the program has a single local variable, and fixDom for the rest of the paper. Also let us denote f T to be theclass of all (computable) functions of type T .

Event-driven automata (EDA): An event-driven automa-ton over Π = (M×DomM) and Dom is a tuple P = ({Pi}i∈N),where N = {1, · · · , n}, n ∈ N, and eachPi = (Qs

i ,Qri ,Q

inti , q

0i , val0i ,Ti,Defi, q

erri ), where

• Qi = Qsi ]Qr

i ]Qinti ]{q

erri } is the set of states, partitioned

into states that send a message Qsi , states that receive

messages Qri , internal states Qint

i , and an error state qerri .

• q0i ∈ Qs

i ∪ Qri is the initial state of Pi;

• val0i ∈ Dom is the initial valuation for the local variablein Pi;

• Ti is the set of transitions for Pi and is partitioned intosend transitions T s

i , receive transitions T ri and internal

transitions T inti .

Send transitions are of the form:

714

T si : Qs

i −→ (Qinti ∪ {q

erri })× (N\{i})×M × f Dom−→DomM ,

Receive transitions are of the form:T r

i : Qri × M −→ (Qint

i ∪ {qerri }) × f Dom×DomM−→Dom

Internal transitions are of the form:T int

i : Qinti −→ 2(Qs

i∪Qri∪{q

erri })× f Dom−→Dom

;

• Defi : Qri −→ 2M associates a deferred set of messages to

each receive state. �

When T si (q) = (q′, j,m, f ), this means that machine Pi,

when in state q and local variable valuation v can transitionto q′, sending the message of type m with a payload f (v)to machine P j. Note that a machine cannot send messagesto itself (we assume this mainly for technical convenience).Similarly, when T r

i (q,m) = (q′, f ), this means that Pi can re-ceive message (m, l) when in state q and valuation v, and up-date its state to q′ and local variable to f (v, l). When T int

i (q)contains (q′, f ), it means that Pi can (non-deterministically)transition from state q and local variable valuation v to stateq′ and local valuation f (v).

Note that, by definition, send transitions are determinis-tic, and receive transitions are deterministic for any receivedmessage; true local non-determinism is only present in in-ternal transitions. Also note that every send or receive tran-sition takes the control of the machine to an internal stateand is immediately followed by an internal transition whichnon-deterministically transitions the machine to a send or areceive state. From the way we have defined transitions, theautomaton can transition from any state to the error state qerr

iand from the error state, no further transitions are enabled.

As we noted above, in our automaton model, messagessent to a machine are stored in a FIFO queue. However, as inP programs, we allow the possibility to influence the orderin which the messages are received by deferring them. Ina given receive state q in machine Pi, some messages canbe deferred, which is captured by the set Defi(q). When amachine is in this state, it skips all the messages that are inits deferred set and dequeues the first message that is not inits deferred set.

The communication model we follow is that whenever amachine sends a message to another machine, the message isimmediately added to the receiver’s queue. This is the samecommunication model as in P, which was mainly designed tomodel event-driven programs running on a single machine,for example an operating system driver. Note that this com-munication model is, however, general enough and can beused to also model distributed systems where messages sentby a machine reach the receiving machine after arbitrarytime delay (but in FIFO order). One can model such a sys-tem by introducing a separate channel process between ev-ery pair of machines. This process dequeues messages fromits sender and immediately forwards it to the receiver. Sincethere are multiple channel processes forwarding messages toa given machine, interleavings between them has the sameeffect as having messages delivered with delay.

C[i] =(qi, vi, µi

)(q′i , f ) ∈ T int

i (qi)

Ci−→ C[i 7→ (q′i , f (vi), µi)]

internal

C[i] = (qi, vi, µi) C[ j] = (q j, v j, µ j)T s

i (qi) = (q′i , j,m, f )

Ci! j−−→ C

[i 7→ (q′i , vi, µi)

][j 7→

(q j, v j, µ j (m, f (vi))

)] send

C[i] =(qi, vi, µi (m, l) µ′i

)µi ∈ [Defi(qi) × DomM]∗ m < Defi(qi)

T ri (qi,m) = (q′i , f )

Ci?−→ C[i 7→ (q′i , f (vi, l), µi µ

′i)]

receive

→ =i−→ ]

i! j−−→ ]

i?−→

Figure 7: Semantics of EDA

3.1 Formal semantics of EDAA (global) configuration of an EDA consisting of n machinesis a tuple C = ({Ci}i∈N) , where N = {1, · · · , n}, and whereCi (denoted as C[i]) is the local configuration of the ith

machine. The configuration C[i] belongs to (Qi×Dom×Π∗).The first and the second component of C[i] refer to thecurrent state of the i’th machine and the value of its localvariable; the third component is the incoming message queueto machine Pi, modeled as a sequence of pairs of a messagetype and a payload. For a given configuration C and a localconfiguration of the i’th machine C′i , let C[i 7→ C′i ] bethe configuration which is the same as C except that its ith

configuration is C′i .The initial configuration of the EDA is Cinit where Cinit[i] =

(q0i , val0i , ε) for all i ∈ N. The rules for the operational se-

mantics of EDAs are presented in Figure 7. The rules forthe send and the internal transitions are straightforward; therule for a receive transition is slightly more complex. Froma receive state qi, machine Pi skips all the messages in itsqueue that are in its deferred set and dequeues the first mes-sage m from its queue that is not in its deferred set. The stateof the machine and the value of its local variable is updatedaccording to the semantics of the receive transition.

Let ReachG be the set of global configurations of the EDAthat can be reached from its initial configuration, and it canbe computed as lfp(λS .Cinit ∪ {C′ | C → C′,C ∈ S }). LetBadG = {C | C[i] = (qerr

i , vi, µi) for some vi, µi, and i ∈ N}be the set of error configurations of the EDA. Then we saythat the EDA is safe or correct if ReachG ∩ BadG = ∅.

Note that even when the states, Dom and DomM are finite,the problem of checking whether a given EDA is safe is anundecidable problem [8].

715

4. Almost-Synchronous Reductions forEvent-driven Automata

Given an event-driven automaton, we describe in this sectiona reduction that selectively explores a subset of the globalreachable configurations of the EDA, such that the explo-ration is sufficient to cover all the local states that can bereached by the EDA. Our reduction mechanism does so byconstructing almost-synchronous invariants, which are in-variants for proving local assertions in asynchronous pro-grams and are expressed as a set of global configurations ofthe system where the message buffers are close to empty 1.Finally, we argue in this section that our reduction is bothsound and complete and can be effectively used for verify-ing local assertions in asynchronous/distributed programs.

Given an automaton P, we present a construction of atransition system PR such that the set of reachable states ofPR correspond to a reduced set of global configurations ofP that form an almost-synchronous invariant of the system.Unlike standard reductions, the states as well as transitionswill be different than that of the automaton. States in PRare of the form (C, B) where C is a configuration of theautomaton P and is of the form ({Ci}i∈N), Ci ∈ (Qi × Dom ×Π∗), and B ⊆ N is a subset of blocked machines.

As briefly motivated in Section 2, transitions in PR prior-itize receive actions over send transitions, thereby ensuringthat the message queues remain small. From a configurationthat cannot receive any further messages from its queues,PRenables a subset of send transitions whose choice depends onthe communication pattern amongst the machines in the cur-rent configuration as well as the system-wide global com-munication pattern amongst machines that is statically de-termined. Naively enabling only a subset of send transitionswill miss out on exploring states that can be reached on tak-ing transitions that are never enabled. To circumvent thisproblem, PR allows at every step a move that blocks thosemachines whose send transitions were prioritized.

Blocked machines remain forever blocked and can takeno transitions. Furthermore, messages sent to blocked ma-chines do not end up in its queue, but are lost to ether, sincethe blocked machine will anyway not receive them. Conse-quently, these transitions deviate from the semantics of EDA,but we will show that nevertheless the reduced transition sys-tem is sound and complete in discovering all local states.

Before we give the construction of PR, let us first intro-duce certain concepts that are important for understandingthe construction.

Definition 4.1 (Senders). For a given machine j ∈ N anda configuration C of the EDA, senders(j, C) is the set ofmachines i ∈ N such that C[i] = (qi, vi, µi) and T s

i (qi) =

(q′i , j,m, f ), for some qi, q′i , vi, µi,m, f . �

1 Almost-synchronous invariants are not actually global invariants! They arein fact a subset of reachable configurations that cover all local states and thatcan be used to prove that no other local states are reachable.

Intuitively, senders( j,C) is the set of all machines i thatare sending a message to machine j in configuration C. Thisis used to capture the communication pattern amongst themachines in the current configuration.

Definition 4.2 (Potential-Senders). For a given machine j ∈N, potential-senders(j) is the set of machines i ∈ N suchthat there exists a send state qi ∈ Qs

i such that T si (qi) =

(q′i , j,m, f ) for some q′i ,m, f . �

Unlike senders, the notion of potential senders is inde-pendent of the current configuration. The potential sendersof a machine j is the set of all machines that can possiblysend a message to it. This depends on the system-wide globalcommunication pattern amongst the machines which can bestatically determined.

Definition 4.3 (Unblocked-Senders). For a given ma-chine j ∈ N and an extended configuration (C, B),unblocked-senders( j,C, B) is the set of machines i ∈ N suchthat i < B and i ∈ senders( j,C). �

For a state (C, B) of the transition system PR, unblocked-senders( j,C, B) = senders( j,C) \ B. Given that the ma-chines in B are blocked and not allowed to transition,unblocked-senders( j,C, B) captures the set of machines thatare allowed to send a message to j from the current state(C, B).

Definition 4.4 (isReceiving). Given a machine j ∈ N anda configuration C such that C[ j] = (q j, v j, µ j), the predicateisReceiving( j,C) is true iff q j ∈ Qr

j.

Example 1. Consider the producer-consumer scenario inFigure 1 and let C be its starting configuration. Then,senders(q,C) = {p}, senders(p,C) = ∅, and p ∈

potential-senders(q). Also, isReceiving(p,C) = false whileisReceiving(q,C) = true.

Secondly, consider the scenario in Figure 3 and let Cbe its starting configuration. Then, senders(r,C) = {q},senders(q,C) = {p}, and potential-senders(r) = {p, q}.Further, senders(p,C) = ∅, isReceiving(r,C) = true andisReceiving(q,C) = isReceiving(p,C) = false.

We now introduce an important concept, called destina-tion sets. From an extended configuration (C, B) of the tran-sition system PR, our reduction mechanism only explores asubset of the possible send transitions. From a state (C, B) ofPR, our algorithm enables only those transitions that send amessage to machines in a destination set, which is definedbelow.

Definition 4.5 (Destination sets). Given an extended config-uration (C, B), X ⊆ N, a subset of machines, is a destina-tion set if X contains at least one machine x ∈ N such thatunblocked-senders(x,C, B) , ∅ and for all machines y suchthat there is an x′ ∈ X with y ∈ potential-senders(x′) andy < B, the following conditions hold:

1. if isReceiving(y,C) is true, then y ∈ X,

716

2. if for some machine z ∈ N, y ∈ unblocked-senders(z,C, B),then z ∈ X. �

In other words, for an extended configuration (C, B), adestination set X is a set that includes a machine who has atleast one unblocked sender, and for every machine x ∈ X, ify is a potential sender of x, then (1) if y is in receive mode,then y ∈ X, and (2) if y is unblocked and in send mode, thenthe machine it is sending to is in X.

Note that there could be many destination sets for an ex-tended configuration. Also, note that the set of all machinesis always a destination set, provided there is at least one ma-chine with an unblocked sender.

Further, note that the two conditions on X are monotonic,and hence we can start with a single machine x that hasat least one unblocked sender, and close it with respect tothe two conditions to get the least set containing x that is adestination set.

We now fix a particular choice of destination set for everyextended configuration (C, B) that has a machine with at leastone unblocked sender. This could be the one obtained bychoosing a canonical machine with an unblocked sender andclosing it with respect to the two conditions, as describedabove.

In any case, let us fix a function destination-set that mapsevery extended configuration (C, B) to a destination set ifthere is at least one machine with an unblocked sender, andto the empty set otherwise.

Example 2. In the scenario in Figure 2, let C be the startingconfiguration and let the blocked set B be empty. Then wecan argue that one of the destination sets is {q}. This can becomputed by taking q, which has an unblocked sender, andclosing it with respect to the conditions, which doesn’t addany more machines. Note that {p} is also a destination set.

Thus, in the reduction, if we choose the destination set{q}, then we will enable the send from p to q. Now if p aftersending the message gets to a receive state, the destinationset constructed for this new state will be {p}, which will forceus to enable the other send, from q to p.

Example 3. In the scenario in Figure 3, let C be the startingconfiguration and let the blocked set B be empty. Then noticethat {r, q} is a destination set, with r having an unblockedsender. However, {r} is not a destination set, and in fact {r, q}is the smallest destination set including {r}. If we choose thisdestination set, then our reduction will enable all the sendtransitions to them, i.e., the sends from p to q and from q tor. Notice the fact that p being a potential sender to r forcesour reduction to also enable the send transition from p to q.

The ReductionWe are now ready to define the reduction. The informalalgorithm for the reduction is as follows.

Given that the system is in an extended configuration (C, B),we will explore the following transitions from it:

• If any machine is in receive mode and there is an un-deferred message on its incoming queue, then we willschedule all such receive events and disable all sendevents.• If no receives can happen, then we construct the set X =

destination-set(C, B). Then we schedule all sends thatsend to some machine in X, including sends emanatingfrom X. Furthermore, we also enable a transition thatblocks the unblocked senders to X.

The first rule prioritizes receives over sends. The secondone selects a subset of sends to enable, depending on the des-tination set computed. Furthermore, it also enables blockingthe unblocked senders to X, which results in a new configu-ration where senders to X will not be explored, while othersend events can be explored. Also, note that sends to blockedmachines will have their messages sent to ether.

Figure 8 describes the construction of the transition sys-tem PR with a transition relation −→⊆ (C × 2N) × (C × 2N).The initial state of PR is (Cinit, ∅) where Cinit is the initialconfiguration of the EDA P and the set of blocked machinesis empty. Let us define ReachR, in the natural way, as theset of states reachable by PR from its initial state. By defi-nition, ReachR is an almost-synchronous reduction of the setof configurations that can be reached by P.

If PR is in state (C, B) such that a receive transition isenabled from the configuration C of EDA P, PR priori-tizes the receive transition (rule Receive in Figure 8). Theother three rules in Figure 8– send-to-unblocked , send-to-blocked and block apply only when no receive transitionsare enabled from configuration C (captured by the conditionNoReceivesEnabled(C)). In this case, our reduction mecha-nism first constructs the destination set for the current state(C, B). Then, PR enables all send transitions that send a mes-sage to a machine j belonging to this set. This case is splitinto two rules: the rule send-to-unblocked handles the casewhere j is not blocked and the second rule send-to-blockedhandles the case where j is blocked and the message sentis not enqueued but is lost to ether. In the latter case, notethat the configuration of the sender machine i is only up-dated, and the receiver j’s configuration is unaffected. At thesame time, to ensure that our selective exploration does notmiss any behaviors, from the state (C, B), PR also blocks themachines i whose send transitions to machines j were se-lectively enabled (rule Block). Note that Figure 8 does notdepict the internal transitions. However, PR does include in-ternal transitions ((C, B) can transition to (C′, B) if any inter-nal transition takes C to C′), and in fact these internal transi-tions are prioritized so that they immediately happen. Since

717

receiveC

i?−→ C′

(C, B) −→ (C′, B)

send-to-unblocked

NoReceivesEnabled(C) Ci! j−−→ C′

j ∈ destination-set(C, B) i, j < B

(C, B) −→ (C′, B)

send-to-blocked

NoReceivesEnabled(C) Ci! j−−→ C′

j ∈ destination-set(C, B) i < B j ∈ B

(C, B) −→(C[i 7→ C′[i]

], B

)

block

NoReceivesEnabled(C)B′ =

{i | i ∈ unblocked-senders( j,C, B), j ∈ destination-set(C, B)

}B′ , ∅

(C, B) −→ (C, B ∪ B′)

whereNoReceivesEnabled(C) : for all k, if C[k] = (qk, vk, µk) and isReceiving(k,C)= true, then µk ∈ [Defk(qk) × DomM]∗

Figure 8: The reduced transition system PR whose reachable states ReachR is an almost-synchronous reduction that includesall local states reachable in P.

there is no shared state, we do not need to interleave inter-nal transitions in different machines, and hence they happenatomically with the earlier send/receive transition.

Observe that whenever a machine is added to the blockedset, it is in a send state (the rule block in Figure 8). It followsthat a machine, if blocked, remains forever blocked and cantake no further transitions.

Explaining the reduction through an example: Let usnow explain our reduction algorithm through the distributedcommit protocol presented in Figure 5. In the initial config-uration of the system, the client machine is in a state that issending a message to the coordinator; the coordinator andthe replicas are in a state waiting to receive a message (isRe-ceiving is true for both the coordinator and the replicas). Thedestination-set is {Coordinator} with the unblocked-sendersbeing the {Client}. Hence, our ASI scheduler will execute thesend event of the client machine followed immediately bythe event where the coordinator receives this sent message(as receives are prioritized) (in parallel, we will also enablea move that blocks the client machine in the initial config-uration; however there will be no further moves along thisbranch of exploration). The ASI exploration now reaches aconfiguration where the client is waiting for the nextTranmessage from the coordinator and coordinator is sendingthe Commit message to the first replica. The destination-setin this configuration is {Replica 1}, and the ASI scheduler

this time schedules the coordinator, which sends the Commitmessage, followed by the first replica receiving that message(in parallel, we will also enable a move that blocks the co-ordinator; but as before there will be no further moves alongthis branch). The exploration now reaches a configurationwhere the client is still waiting for the next transaction fromthe coordinator, as before; the coordinator is sending a Com-mit message to the second replica and the first replica issending the Vote message back to the coordinator. Similarto the case before, the destination-set in this configurationis {Replica 2} and the ASI scheduler schedules the event inwhich the coordinator sends the Commit message to the sec-ond replica (thereby moving to a state in which it is nowwaiting for Vote messages) and the second replica imme-diately receives it (in parallel, we will enable a move thatblocks the coordinator followed by the send of the Vote mes-sage from the first replica to the coordinator). From the re-sulting configuration, ASI explores the send of the Vote mes-sages from Replica 1 and Replica 2 to the coordinator andtheir corresponding receives (the branch where these repli-cas are blocked will end immediately), thereby moving thesystem to the configuration where both the replicas are intheir initial state and the coordinator is in the state AckTo-Client, ready to send a nextTran message to the client ma-chine. In this configuration, the destination-set is {Client}and the unblocked-senders is the {Coordinator}. The ASIscheduler, in this configuration, will thus schedule the send

718

of the nextTran message followed by scheduling its receiveby the client (in parallel, we also explore the branch wherethe coordinator is blocked; but this branch will have no fur-ther events). Executing this send-receive pair takes the sys-tem back to its initial configuration and our ASI schedulerwill stop having explored all the local states and havingfound no unresponsive configurations.

We now turn to the soundness and completeness argu-ment for our ASI reductions. Let BadR = {(C, B) | C ∈

BadG}. Also let −→∗⊆ (C × 2N) × (C × 2N) be the transi-tive closure of the single step transition relation −→ of PR.We next argue that only exploring states that are reachable inPR is both sound and complete with respect to proving thecorrectness of the automaton P. In other words, a local stateis reachable in the program iff it is reachable in the reducedtransition system.

Theorem 4.6 (Soundness). If some state (Ce, Be) ∈ ReachR∩

BadR, then there exists a configuration C′ ∈ ReachG∩BadG.

Proof sketch: Consider thePR-reachable, error trace (Cinit, ∅)−→ · · · (C, B) −→ · · · (Ce, Be) where (Ce, Be) ∈ BadR. Thenwe can show that essentially the same set of actions canbe mimicked in P as well, except that the configurationsmay contain a bit more information on certain messagebuffers. As we traverse the trace in PR, at any point, weconstruct a P-reachable configuration C′ which is same asC except for the queue contents of machines that have beenalready blocked along the error trace. For receive, send-to-unblocked and block transitions along the error trace, theupdate to C′ is straight forward. On a send-to-blocked tran-sition along the error trace, the update to C′ departs fromthe update to (C, B). The update to C′, in this case, followsthe semantics of EDA P and enqueues the message into thequeue of the blocked machine. As we know that machinesthat have been blocked cannot take any further transitions,this means that the message enqueued in the blocked ma-chine’s queue will be never received by it as we move for-ward along the error trace. Hence, though C′ differs from Cit never diverges away from it (i.e., a PR-transition enabledfrom (C, B) will be always enabled from configuration C′;also the states of machines in C′ are the same as the states ofmachines in C). Since Ce ∈ BadR, it follows that configura-tion C′e we end up with is such that C′e ∈ ReachG∩BadG. �

We next argue the completeness of our reduction mecha-nism. For that, let us introduce→B⊆ C × C for B ⊆ N suchthat C →B C′ if configuration C′ of automaton P is reach-able from C along a P-trace that involves no transition byany of the machines in the set B. Formally,

→B= (⋃

i<Bi−→) ∪ (

⋃i<B

i! j−−→) ∪ (

⋃i<B

i?−→)

and let →∗B be the transitive closure of →B. The complete-ness result, Theorem 4.8, follows essentially from the fol-lowing lemma. This lemma asserts that whenever we canreach an error configuration from a configuration C in the

original program without involving any transition of ma-chines in the set B, we can reach an error configuration inthe reduced transition system from the extended configura-tion (C, B).

Lemma 4.7. If for configurations C,Ce and set B ⊆ N suchthat C →∗B Ce where Ce ∈ BadG, then there exists C′, B′ suchthat (C, B) −→∗ (C′, B′) and (C′, B′) ∈ BadR.

Proof sketch: First, we will assume that C < BadG, for oth-erwise the lemma is obvious. The proof is by contradiction.Assume that there are configurations C,Ce and set B ⊆ Nsuch that C →∗B Ce where Ce ∈ BadG, and that there isno PR-state (C′, B′) ∈ BadR such that (C, B) −→∗ (C′, B′).Let us consider an ordering over the space of C,Ce and B.Let this ordering be the standard lexicographic ordering over(N × N × N), where the first component is the length of thetrace C →∗B Ce; the second component is the sum (over allmachines) of the messages pending in the queues in configu-ration C; and the third component is size of the complementof the blocked set B. This is a well-founded ordering. Letus pick configurations C,Ce and set B that satisfy all the as-sumptions and is smallest with respect to this lexicographicordering.

We show that we can always make “progress” along theC →∗B Ce trace via a PR-transition, thereby getting a smallercounter-example with respect to the lexicographic ordering,leading to a contradiction.

We split using two cases, the first when a receive isenabled in configuration C, and the second when no receiveis enabled.

Case 1: Let us first consider the case when machine i (i < B)in configuration C is ready to receive a message from itsqueue. Let the→∗B-trace be τ : C →B · · · →B Ce. Now, con-sider the case where there is a transition of machine i in thesequence τ. Then the first transition of machine i in τ must

be a receive event. Consider the trace τ′ = Ci?−→B C1 →B

· · · →B Ce obtained from τ by moving this receive transitionto the front; this is a valid→∗B-trace. Using rule receive in thereduced transition system, it follows that (C, B) −→ (C1, B)and also that there exists no state (C′, B′) ∈ BadR such that(C1, B) −→∗ (C′, B′). Note that τ′-suffix from C1 to Ce has ashorter length than τ. This means that the choice C1,Ce andB is a strictly smaller counter-example, which is a contradic-tion.

When no transition of i is present along τ, the trace τ1 :

C →B · · ·Cei?−→B C′e obtained from τ by augmenting it with

transition i? is a valid →∗B-trace such that C′e ∈ BadG. As

before, trace τ′1 = Ci?−→B C1 →B · · ·C′e is also a valid →∗B-

trace but one whose suffix from C1 to C′e has the same lengthas τ. However, note that C1 has one less message pending inits queues compared to C. Using the same argument as theone above, the choice C1,C′e and B is a counter-example andis strictly smaller than C,Ce and B, which is a contradiction.

719

Case 2: Now consider the second case when no re-ceive transitions are enabled in configuration C. Let X =

destination-set(C, B).Consider the subcase where the →∗B-trace τ : C →B

· · · →B Ce contains a transition that sends a message tox ∈ X. Let p!x be the first such transition occurring alongτ. We will argue that the transition p!x in this case can becommuted to the beginning and it is possible to construct

a valid →∗B-trace τ′ : Cp!x−−→B C1 · · · →B Ce. From the

rules send-to-unblocked or send-to-blocked, it follows that(C, B) −→ (C1, B). We can argue that C1,Ce and B is asmaller counter-example (since the suffix of τ′ from C1 isshorter), leading to a contradiction. Now let us argue thatthe first transition of p in τ is p!x (if this is so, it is easysee that p!x can be commuted to the front). By definition,p ∈ potential-senders(x) and p < B. We will show that inC, p is in a state sending to x. If p is in a receive state inC, then by the definition of destination sets, p ∈ X (sincex ∈ X, p ∈ potential-senders(x), and p is in a receive state).This implies that in τ, before the send event by p happens,there must be a send-event by some machine to p (since weare in the case where the buffers to enabled receivers areempty). Since p ∈ X, this send is a send event to X, whichcontradicts the assumption that p!x was the first transitionalong τ sending a message to a machine in X. If p is in a sendstate in C but it is sending a message to a machine y , x,then from the definition of destination sets, y ∈ X. Again,this implies that τ has a transition p!y for y ∈ X before thep!x event, which is again a contradiction. The only optionleft is that p!x is enabled in configuration C.

We still need to arrive at a contradiction when the →∗B-trace τ : C →B · · · →B Ce contains no transitionthat sends a message to a machine x ∈ X. Let B′ =⋃

x∈X unblocked-senders(x,C, B) for x ∈ X. Since τ has notransitions sending messages to X, τ involves no transi-tions by machines in B′. Now let us show that B′ is non-empty. Note that the machine involved in the first tran-sition along τ is an unblocked sender. This implies thatX = destination-set(C, B) is non-empty. Hence, there mustbe an unblocked sender to X (by definition of destinationsets). Hence B′ is non-empty. From the rule block, it fol-lows that (C, B) −→ (C, B ∪ B′) . Also, C →∗B∪B′ Ce is true.Since B ∪ B′ is strictly larger than B, the counter-exampleC,Ce and B ∪ B′ is smaller, which is a contradiction. �

Theorem 4.8 (Completeness). If some configuration C ∈ReachG ∩ BadG, then there exists C′, B′ such that (C′, B′) ∈ReachR ∩ BadR.

Proof: The theorem follows directly from the above lemmaby substituting B in the lemma to be the empty set and C tobe the initial state Cinit of the automaton P. �

5. Lifting ASI Reductions to PA P program [9] is a collection of state machines commu-nicating via asynchronous events or messages. Each statemachine in P is a collection of states; it has a set of localvariables whose values are retained across the states of themachine, has an entry method which is the state in whichthe control transfers to on the creation of a new machineand finally, has a FIFO incoming queue through which othermachines can send messages to it. Each state in a P state ma-chine has an entry function which is the sequence of state-ments that are first executed whenever the control reachesthat state. Additionally, each state has a set of transitionsassociated with incoming message types, has a set of ac-tion handlers associated with the incoming message types,as well as a classification of certain message types as be-ing deferred or ignored in the given state. After the entryfunction has been executed, the P machine continues to re-main in the same state till it receives a message in its queue.The machine dequeues the first message from its queue thatis not deferred and checks if the message is ignored in thecurrent state. If it is, the message is simply dropped fromthe queue, and the machine continues to remain in the samestate. If the message is not ignored, the machine dequeuesthe message; the next state to which the machine transitionsto along with the update to its local state on dequeuing themessage is determined by the state’s transitions and actionhandlers. P statements include function calls and calls to for-eign functions that are used to model interaction with the en-vironment. A P state machine can have call statements andcall transitions in it which are used to implement hierarchicalstate machines.

We will describe next the mapping between P featuresand the EDA we introduced in Section 3. EDAs do not sup-port dynamic creation and deletion of machines. We did notfind this to be a serious limitation as most driver programswritten in P and distributed protocols we modeled in P had astatically determined bounded number of machines. Hencethe global communication pattern, amongst the machines inthe EDA, required for our reductions could also be staticallydetermined.

Also note that we do not restrict the domain Dom for thelocal variables in the state machines to be finite. The entrystatement in each state can have multiple sends which can beencoded as a separate send state in EDA connected by localinternal transitions. The nondeterministic choice statementcan be encoded in the form of nondeterminism on internaltransitions. The set of out going transition in each P statecan be easily mapped on to transitions in EDA. Actions in Pcan be expanded as a state transition logic implementing theaction handler. Similarly, the call statements and call transi-tions can be handled by repeating the sub-state machines atall call points. By encoding a stack in the local state of themachines, we can model function calls in P programs, in ourautomaton.

720

Every machine Pi in an EDA has an error state qerri that

can be used to model local assertions in the P program.An important safety property in P programs is to check theresponsiveness of the system, i.e., for every receive state,if m is the first message in the queue that is not deferred,then there should be a receive action enabled from this statethat handles m. Checking if a P program is responsive canbe easily reduced to checking that the error state qerr

i is notreachable, for all i ∈ N.

The upshot of the above relationship is that the reductionalgorithms for EDAs described in the earlier sections can beeasily lifted to P programs. States in P can perform multipleactions within the state (such as internal actions and send-ing multiple messages), but these can be broken down intosmaller states to simulate our reduction.

6. ImplementationWe have implemented our ASI reductions by adapting theZing model-checker [4]. The P compiler translates P pro-grams into Zing models, preserving the input programs ex-ecution model. The explorer in Zing supports guided-searchbased on a scheduler that is external to the model checker.The ASI reduction in Zing is implemented in the form anexternal ASI scheduler that guides the explorer on which setof actions are enabled in the current state and the explorerthen iterates over these actions. The Zing program is instru-mented appropriately to communicate the current state con-figuration information to the ASI scheduler. This instrumen-tation is performed automatically by our modified P com-piler. The model is instrumented to pass information suchas (1) the current state of each state machine, whether itsin a send or a receive state (2) size of the message queues,etc. Based on the current state of each state machine, andthe communication pattern amongst the machines, the ASIscheduler calculates the destination set mentioned in Sec-tion 4. Using this destination set, the set of next actions to beperformed are prioritized by the ASI scheduler and executedby the Zing explorer.

The implementation of the reduction can be seen as acomposition of an almost synchronous ASI scheduler andthe asynchronous Zingmodel, exploring only the state spaceof the composite system. Most part of the ASI reductioncan be implemented as being external to the model checkerexcept for the case when a state machine is pushed into ablocked state. The blocking of a state machine is part of thestate of the system and is handled as a special case. A specialstate machine called blocking-state-machine is created withrespect to each state machine in the model. The job of theblocking-state-machine is to enqueue a special event blockin the associated state machine. Each state machine in P isextended to handle block event in all states, such that on de-queuing the block event it enters a new state where it keepsdropping all enqueued messages. Now the ASI schedulercan block a state machine by simply scheduling the corre-

sponding blocking-state-machine and atomically executingthe transitions enqueuing and dequeueing the block event.

7. EvaluationIn this section we present an empirical evaluation of theASI reduction approach for verifying P programs and alsoevaluate it for finding bugs in them. All the experimentsreported are performed on Intel Xeon E5-2440, 2.40GHz, 12cores (24 threads), 160GB machine running 64 bit WindowsServer OS. The Zing model checker can exploit multiplecores during exploration as its iterative depth-first searchalgorithm is highly parallel [44]. We report the timing resultsin this section for the configuration when Zing is run with24 threads and uses iterative depth bounding by default forexploring the state space.

In order to thoroughly evaluate our ASI technique, weevaluate it on models from various domains. We used Pfor writing all our benchmarks, and used the P compiler togenerate Zing models for verification. Our benchmark suiteincludes:

• the Elevator controller model described in [9],• the OSR driver used for testing USB devices,• the Truck Lifts distributed controller protocol,• Time Synchronization standards protocol used for syn-

chronization of nodes in distributed systems,• the German cache coherence protocol, and• the Windows Phone (WP) USB driver, which is the ac-

tual driver shipped with the Windows Phone operatingsystem.

Note that the lines of code reported in Table 1 are for themodels when written in P, which is a domain specific lan-guage in which protocols can be written very compactly. Wecould not evaluate our ASI reduction approach on the Win-dows 8 USB driver used in [9] as it was not available tous. We, however, evaluated our technique on the WindowsPhone USB driver under a license agreement.

7.1 Verifying P programs:Message buffers in P programs can become unbounded andtheir systematic exploration by Zing will fail to prove suchprograms correct in the presence of such behaviors [9]. Ingeneral, the queues can become unbounded when a statemachine pushes events into them at arbitrarily fast rates.For Zing to be able to explore such models, P users areallowed to provide a bound on the maximum number ofoccurrences of an event in a message queue. This indirectlybounds the queue size of each state machine during the statespace exploration.

Table 1 shows the results for the Zing Bounded ModelChecker [9] as well as our ASI based reduction technique.The Zing results are only for an under-approximation of thestate space, restricted by bounding the maximum number of

721

ModelsLines Zing Model Checker Almost-synchronous Invariants

of code (with buffer bounds) (with no buffer bounds)in P Bound on max Total Time State-space Total Time Program

occurrence of an number of (h:mm) exhaustively number of (h:mm) Provedevent in queue states Explored? states Correct?

Elevator 270 2 1.4 × 106 0:22 Yes 2.8 × 104 0:08 YesOSR 377 2 3.1 × 105 0:16 Yes 3.9 × 103 0:02 Yes

Truck Lifts 290 2 3.3 × 107 2:07 Yes 1.1 × 105 0:24 YesTime Sync (Linear Topology) 2200 4 7.4 × 1010 5:34 Yes 1.0 × 107 3:07 Yes

German 280 3 > 1 × 1012 * No 4.7 × 108 2:32 YesWindows Phone USB Driver 1440 3 > 1 × 1012 * No 2.4 × 109 3:48 Yes

* denotes timeout after 12 hours

Table 1: Results for proof based on almost-synchronous invariants for P.

BuggyZing Bounded Model Checker Almost-synchronous Invariants

Models(with buffer bounds) (with no buffer bounds)

Bound on max occurrence Total number Time Bug Total number Time Bugof an event in queue of states (h:mm) Found? of states (h:mm) Found?

Truck Lifts 2 950005 1:17 Yes 13453 0:14 YesTime Sync (Ring Topology) 4 * * No 129973 1:37 Yes

German 3 595723 0:44 Yes 2345 0:10 YesWindows Phone USB Driver 3 1616157 2:04 Yes 23452 0:38 Yes

* denotes timeout after 12 hours

Table 2: Results for bug finding using almost-synchronous invariants for P

occurrences of an event to a constant value that was pickedby the P developers on the basis of domain knowledge [9].On the other hand, our results for ASI reduction are for thecomplete verification of the models, where message buffersare unbounded. For ASI, we report the total number of statesexplored, the time taken by the tool, and whether it was ableto prove the programs correct or not.

Our ASI reduction was able to verify completely theWindows Phone (WP) driver and the German protocol, whilethe Zing bounded model checker failed to explore the statespace completely (even when message buffers we bounded)for these models. The P language is being mainly used inMicrosoft currently for the development of the WindowsPhone USB drivers. The most surprising result here is thatour reduction-based technique was able to verify that thisdriver is responsive (i.e., there is no reachable configurationwhere a machine receives a message that it cannot handle).

For comparatively smaller models, ASI was able to provethe models correct much faster than Zing because of thelarge state space reduction obtained. Zing is a state of the artexplicit-state model checker tuned for efficiently exploringP programs. It uses state caching to avoid re-explorations.However it does not implement partial-order reduction tech-niques as prior experience suggested they were not very use-ful in this domain. As described in Section 2, partial-orderreduction can easily fail to keep message buffers small (as

in the producer-consumer scenario) and hence often lead toinfinite state-spaces, which precludes exhaustive search.

We found in the ASI exploration that, for our benchmarkprograms, the size of message queues never exceeded four,thus indicating that the queues remain bound to a small sizeunder our reduction. On the other hand, even after bound-ing the queue sizes, Zing bounded model checker could notprove large P programs correct or took a very long time. Itis important to note that exploring the system with message-buffers bounded by four does not prove the system correctfor arbitrary buffer sizes. Our technique proves the systemcorrect, and in the end we get to know what buffer sizewould have been enough (it is not possible to compute mes-sage buffer bounds that ensure completeness without doingthe exploration). The experimental results illustrate that test-ing exhaustively even a highly under-approximated reach-able space takes more time. This highly under-approximatedsearch is the current testing strategy for P programs, wheredevelopers had chosen bounds on duplicate messages inqueues based on system knowledge, to explore using Zing.

7.2 Finding bugs in P programs:To demonstrate the soundness of our approach, we createdbuggy versions of the models in our benchmark suite byintroducing known safety errors in them. Table 2 showsresults in terms of the number of states explored and the

722

time taken before finding the bug, with and without ASI.The search terminates as soon as a bug is found. The ta-ble shows that our reduction technique explores orders ofmagnitude less states and also finds bugs faster for all themodels. For the Time Synchronization model with nodes ina ring topology, Zing bounded model checker failed to findthe bug while ASI was able to find it. The comparison ofASI with naive iterative DFS and the results we obtain sug-gest that almost-synchronous reductions may also be a goodreduction strategy for finding bugs faster. Note that severalbounding techniques have been studied earlier in the contextof finding concurrent bugs [10, 30, 43]. Finding better ex-ploration strategies that combine these bounding techniqueswith ASI is part of future work.

8. Related WorkThe reachability problem for finite state machines communi-cating via unbounded fifo queues is undecidable [8]. The un-decidability stems from the fact that the unbounded queuescan be used to simulate the tape of a Turing machine. Tocircumvent this undecidability barrier, there has been workin several directions. It has been shown that the problem be-comes decidable under certain restrictions like when the fi-nite state machines communicate via unbounded lossy fifoqueues that may drop messages in an arbitrary manner [2],when the communication is via a bag of messages and notvia fifo queues [19, 39], when only one kind of message ispresent in the message queues [35], when the language ofeach fifo queue is bounded [17], or when the communicationbetween the machines adheres to a forest architecture [22].For verification of these machines communicating via mes-sages, techniques that over-approximate the set of reachablestates have also been studied [8, 34].

Several under-approximate bounding techniques havebeen explored to find bugs, even when the machines haveshared memory, including depth-bounding [13], boundedcontext-switching reachability [22, 36, 37], bounded-phasereachability [7], preemption-bounding [31], delay-bounding [10],bounded-asynchrony [11], etc. These techniques systemat-ically explore a bounded space of reachable states of theconcurrent system and are used in practice for finding bugs.It has also been shown that several of these bounding tech-niques admit a decidable model-checking problem evenwhen the underlying machines have recursion [21, 27, 36]

Unlike the above bounding techniques which are notcomplete, partial order reduction (POR) methods retaincompleteness while trying to avoid exploring interleavingsthat have the same partial order [14, 29]. POR techniques usepersistent/stubborn sets [15, 45] or sleep sets [16] to selec-tively search the space of reachable states of the concurrentsystem in a provably complete manner. Dynamic POR [12]and its variants [23, 24, 32, 42] including the recently pro-posed optimal one [1] significantly improve upon the ear-lier works by constructing these sets dynamically. Dynamic

POR for restrictions of MPI programs where synchronousmoves are sufficient have also been explored in [32, 40, 41].

Message sequence charts (MSC), which provide a speci-fication language for specifying scenarios of different com-munication behaviors of the system, have a partial order se-mantics, and high-level message sequence charts can com-bine them with choice and recursion. While checking lin-ear time properties of scenarios of these graphs is undecid-able [3], surprisingly, checking MSO properties over MSCsdirectly was shown to be decidable in [25]. Furthermore,this kind of model-checking can be done using linearizationsthat keep the message buffers bounded [26], similar to thealmost-synchronous interleavings explored in this paper.

The work reported in [19] solves the problem of dataflow analysis for asynchronous programs using an under-approximation and over-approximation bounding the coun-ters representing the pending messages, where messages aredelivered without in non-fifo order. The authors in [5, 6]present a technique where choreography of asynchronousmachines can be checked when the asynchronous communi-cation can be replaced by synchronous communication. Theauthors use their analysis technique for verifying channelcontracts in the Singularity operating system [18]. Thoughour approach of almost-synchronous reduction has a simi-lar flavor, we do not restrict our analysis to systems whereasynchronous message passing can be entirely replaced bysynchronous communication.

Our present work builds on top of P [9], which is alanguage for writing asynchronous event-driven programs.While [9] uses a model checker to systematically test P pro-grams for responsiveness, our reduction technique providesa methodology for verifying P programs. In addition, our ex-periments strongly suggest that our reductions can be alsoused to find bugs much faster.

9. Conclusions and Future DirectionsWe have shown an sound and complete reduction for asyn-chronous event-driven programs that can effectively controlthe size of message buffers, leading to faster techniques toboth prove and find bugs in programs. Exploring almost-synchronous interleavings that grow the buffers only whenthey really need to grow seems to capture more interestinginterleavings as well as discover smaller adequate invariants.

Limitations of ASI: We would like to emphasize here thatour technique is incomplete and there are simple scenarioswhere the ASI reduction might not terminate and thus failto prove a program correct. Figure 9 shows such a scenariowhere p sends an unbounded number of messages to r fol-lowed by a message sent to q. The process q receives themessage from p, then sends a message to r. The process rreceives this message from q and then receives all the (un-bounded number of) messages that p has sent to it. In thisscenario, we would choose {q, r} as a destination set, and

723

hence p!r would be enabled continuously, leading to an un-bounded number of messages and the exploration will notterminate.

Figure 9:

There are several inter-esting questions worthy offuture study. First, we be-lieve that partial-order re-ductions can help furtherreduce the number of in-terleavings, once almost-synchronous reductions havecurtailed the blow-up due tounbounded message-buffers.Combining partial-order re-duction techniques withalmost-synchronous reduc-tions would be worthwhile.Secondly, though almost-synchronous invariants often suffice, there are instanceswhere environment machines can flood message buffers.We believe that in these cases, a simple over-approximationof these channel contents will be sufficient in proving pro-grams correct. Finding a tractable but adequate approxima-tion scheme would be useful. Third, in the framework ofevent-driven programs, it would be interesting to compareASI with other under-approximate bug-finding techniquesthat work by bounding scheduling metrics such as delaybounding [10] and context bounding [30]. Also, since ASIis an independent reduction technique, there is potential incombining it with these bounding techniques for findingbugs faster. Finally, there are several other message-passingdomains where we believe that our reductions could be use-ful; in particular, analysis of truly distributed programs (suchas protocols for replicated database systems in the cloud) andanalysis of MPI programs for verifying high-performancecomputing algorithms could benefit from our technique.

AcknowledgmentsThe second and third authors were partially funded by theNSF Expeditions in Computing ExCAPE Award #1138994.The first author was partially funded by the TerraSwarm Re-search Center, one of six centers supported by the STAR-net phase of the Focus Center Research Program (FCRP),a Semiconductor Research Corporation program sponsoredby MARCO and DARPA.

References[1] P. Abdulla, S. Aronis, B. Jonsson, and K. Sagonas. Optimal

dynamic partial order reduction. POPL ’14, pages 373–384,New York, NY, USA, 2014. ACM.

[2] P. A. Abdulla and B. Jonsson. Verifying programs with unre-liable channels. In LICS, pages 160–170, 1993.

[3] R. Alur and M. Yannakakis. Model checking of messagesequence charts. CONCUR ’99, pages 114–129, London, UK,

UK, 1999. Springer-Verlag.

[4] T. Andrews, S. Qadeer, S. K. Rajamani, J. Rehof, and Y. Xie.Zing: A model checker for concurrent software. In CAV, pages484–487, 2004.

[5] S. Basu and T. Bultan. Choreography conformance via syn-chronizability. WWW ’11, pages 795–804, New York, NY,USA, 2011. ACM.

[6] S. Basu, T. Bultan, and M. Ouederni. Synchronizability forverification of asynchronously communicating systems. InVMCAI, pages 56–71, 2012.

[7] A. Bouajjani and M. Emmi. Bounded phase analysis ofmessage-passing programs. TACAS’12, pages 451–465,Berlin, Heidelberg, 2012. Springer-Verlag.

[8] D. Brand and P. Zafiropulo. On communicating finite-statemachines. J. ACM, 30(2):323–342, Apr. 1983. ISSN 0004-5411.

[9] A. Desai, V. Gupta, E. K. Jackson, S. Qadeer, S. K. Rajamani,and D. Zufferey. P: safe asynchronous event-driven program-ming. In PLDI, pages 321–332, 2013.

[10] M. Emmi, S. Qadeer, and Z. Rakamaric. Delay-boundedscheduling. POPL ’11, pages 411–422, New York, NY, USA,2011. ACM.

[11] J. Fisher, T. A. Henzinger, M. Mateescu, and N. Piterman.Bounded asynchrony: Concurrency for modeling cell-cell in-teractions. In FMSB, pages 17–32, 2008.

[12] C. Flanagan and P. Godefroid. Dynamic partial-order reduc-tion for model checking software. POPL ’05, pages 110–121,New York, NY, USA, 2005. ACM.

[13] P. Godefroid. Model checking for programming languagesusing verisoft. POPL ’97, pages 174–186, New York, NY,USA, 1997. ACM.

[14] P. Godefroid. Partial-Order Methods for the Verification ofConcurrent Systems - An Approach to the State-ExplosionProblem. PhD thesis, University of Liege, 1995.

[15] P. Godefroid and D. Pirottin. Refining dependencies improvespartial-order verification methods (extended abstract). CAV’93, pages 438–449, London, UK, UK, 1993. Springer-Verlag.

[16] P. Godefroid and P. Wolper. Using partial orders for the effi-cient verification of deadlock freedom and safety properties.Formal Methods in System Design, 2(2):149–164, 1993.

[17] M. G. Gouda, E. M. Gurari, T. H. Lai, and L. E. Rosier. Ondeadlock detection in systems of communicating finite statemachines. Comput. Artif. Intell., 6(3):209–228, July 1987.ISSN 0232-0274.

[18] G. C. Hunt and J. R. Larus. Singularity: Rethinking thesoftware stack. SIGOPS Oper. Syst. Rev., 41(2):37–49, Apr.2007. ISSN 0163-5980.

[19] R. Jhala and R. Majumdar. Interprocedural analysis of asyn-chronous programs. POPL ’07, pages 339–350, New York,NY, USA, 2007. ACM.

[20] C. B. Jones. Tentative steps toward a development method forinterfering programs. ACM Trans. Program. Lang. Syst., 5(4):596–619, 1983.

[21] S. La Torre, P. Madhusudan, and G. Parlato. A robust class ofcontext-sensitive languages. In LICS, pages 161–170, 2007.

724

[22] S. La Torre, P. Madhusudan, and G. Parlato. Context-boundedanalysis of concurrent queue systems. In TACAS, pages 299–314, 2008.

[23] S. Lauterburg, M. Dotta, D. Marinov, and G. Agha. A frame-work for state-space exploration of java-based actor programs.ASE ’09, pages 468–479, Washington, DC, USA, 2009. IEEEComputer Society. ISBN 978-0-7695-3891-4.

[24] S. Lauterburg, R. K. Karmani, D. Marinov, and G. Agha. Eval-uating ordering heuristics for dynamic partial-order reductiontechniques. FASE’10, pages 308–322, Berlin, Heidelberg,2010. Springer-Verlag.

[25] P. Madhusudan. Reasoning about sequential and branchingbehaviours of message sequence graphs. ICALP ’01, pages809–820, London, UK, UK, 2001. Springer-Verlag.

[26] P. Madhusudan and B. Meenakshi. Beyond message sequencegraphs. In FSTTCS, pages 256–267, 2001.

[27] P. Madhusudan and G. Parlato. The tree width of auxiliarystorage. In POPL, pages 283–294, 2011.

[28] P. Madhusudan, X. Qiu, and A. Stefanescu. Recursive proofsfor inductive tree data-structures. In POPL, pages 123–136,2012.

[29] A. W. Mazurkiewicz. Trace theory. In Advances in Petri Nets,pages 279–324, 1986.

[30] M. Musuvathi and S. Qadeer. Iterative context bounding forsystematic testing of multithreaded programs. In Proceedingsof the 2007 ACM SIGPLAN Conference on ProgrammingLanguage Design and Implementation, PLDI ’07, pages 446–455, New York, NY, USA, 2007. ACM.

[31] M. Musuvathi and S. Qadeer. Iterative context boundingfor systematic testing of multithreaded programs. PLDI ’07,pages 446–455, New York, NY, USA, 2007. ACM.

[32] R. Palmer, G. Gopalakrishnan, and R. M. Kirby. Semanticsdriven dynamic partial-order reduction of mpi-based parallelprograms. PADTAD ’07, pages 43–53, New York, NY, USA,2007. ACM.

[33] E. Pek, X. Qiu, and P. Madhusudan. Natural proofs for datastructure manipulation in c using separation logic. In PLDI,page 46, 2014.

[34] W. Peng and S. Puroshothaman. Data flow analysis of com-municating finite state machines. ACM Trans. Program. Lang.Syst., 13(3):399–442, July 1991. ISSN 0164-0925.

[35] W. Peng and S. Purushothaman. Analysis of a class of com-municating finite state machines. Acta Inf., 29(6/7):499–522,1992.

[36] S. Qadeer and J. Rehof. Context-bounded model checkingof concurrent software. TACAS’05, pages 93–107, Berlin,Heidelberg, 2005. Springer-Verlag.

[37] S. Qadeer and D. Wu. Kiss: keep it simple and sequential. InPLDI, pages 14–24, 2004.

[38] X. Qiu, P. Garg, A. Stefanescu, and P. Madhusudan. Naturalproofs for structure, data, and separation. In PLDI, pages 231–242, 2013.

[39] K. Sen and M. Viswanathan. Model checking multithreadedprograms with asynchronous atomic methods. CAV’06, pages300–314, Berlin, Heidelberg, 2006. Springer-Verlag.

[40] S. F. Siegel. Efficient verification of halting properties for mpiprograms with wildcard receives. VMCAI’05, pages 413–429, Berlin, Heidelberg, 2005. Springer-Verlag.

[41] S. F. Siegel and G. S. Avrunin. Modeling wildcard-free mpiprograms for verification. In PPOPP, pages 95–106, 2005.

[42] S. Tasharofi, R. K. Karmani, S. Lauterburg, A. Legay,D. Marinov, and G. Agha. Transdpor: A novel dynamicpartial-order reduction technique for testing actor programs.FMOODS’12/FORTE’12, pages 219–234, Berlin, Heidel-berg, 2012. Springer-Verlag.

[43] P. Thomson, A. F. Donaldson, and A. Betts. Concurrency test-ing using schedule bounding: An empirical study. In Proceed-ings of the 19th ACM SIGPLAN Symposium on Principles andPractice of Parallel Programming, PPoPP ’14, pages 15–28,New York, NY, USA, 2014. ACM. .

[44] A. Udupa, A. Desai, and S. K. Rajamani. Depth boundedexplicit-state model checking. In SPIN, pages 57–74, 2011.

[45] A. Valmari. Stubborn sets for reduced state space generation.In Proceedings of the 10th International Conference on Appli-cations and Theory of Petri Nets: Advances in Petri Nets 1990,pages 491–515, London, UK, UK, 1991. Springer-Verlag.

725

natural proofs for asynchronous programs using almost-synchronous reductions - pranav...

Documents