Analysis of Concurrent Software Models Using Partial Order Views

Presentation slides (PowerPoint), 22-Aug-14.

Analysis of Concurrent Software Models Using Partial Order Views

Qiang Sun, sun-qiang@sjtu.edu.cn
Yuting Chen, chenyt@cs.sjtu.edu.cn
Jianjun Zhao, zhao-jj@cs.sjtu.edu.cn

Shanghai Jiaotong University, 22 Aug 2014

Outline

• Motivation

• An approach to analysis of concurrent software models using partial order views

• Some simple examples

Motivation

• Checking and analyzing software design models has become crucial

• Analysis of concurrent software behavioural models still faces challenges
  – Data races, atomicity violations, other bugs

• Many analyses are based on state models
  – A process is modeled as a state machine whose transitions are atomic (indivisible) actions executed by the process
  – LTS: Labeled Transition Systems
  – FSP (Finite State Processes), CCS, CSP

• Analyzing a state model usually runs into difficulties
  – Composing state models leads to state space explosion

Solution?

• Modeling concurrency using partial orders
  – Partial order view

• Extraction of partial orders of the events of interest from state machines
  – Partial orders can also be extracted from partial behavioral models

• BiG (bidirectional graph transformation) provides the mechanism for model transformation and synchronization
  – State machine ↔ Pomset model

Labeled Partial Order (LPO)

– A partial order is a pair (E, <), where < is an irreflexive transitive binary relation on the vertex set E.

– A labeled partial order (lpo) is a structure (E, ∑, μ, <), where (E, <) is a partial order and μ : E → ∑ labels the vertices of E with elements of the set ∑.

– Two lpos (E, ∑, μ, <) and (E', ∑, μ', <') over the same set of labels ∑ are isomorphic if there exists a bijection τ : E → E' such that for all u, v ∈ E, μ(u) = μ'(τ(u)), and u < v iff τ(u) <' τ(v).

Partial Order Multi-Set (Pomset)

• A pomset [E, ∑, μ, <] is the isomorphism class of an lpo (E, ∑, μ, <).
  – A pomset [E, ∑, μ, <] is finite if E is finite.
  – Two pomsets [E, ∑, μ, <] and [E', ∑', μ', <'] are isomorphic if there exist bijections τ : E → E' and ν : ∑ → ∑' such that for all u, v ∈ E and for all a ∈ ∑, μ(u) = a iff μ'(τ(u)) = ν(a), and u < v iff τ(u) <' τ(v).

Two Operations

• Let
  – p = [E, ∑, <, μ]
  – p' = [E', ∑, <', μ']
  – E ∩ E' = ∅

• Series operation
  – p;p' = [E ∪ E', ∑, < ∪ <' ∪ (E × E'), μ ∪ μ']

• Parallel operation
  – p||p' = [E ∪ E', ∑, < ∪ <', μ ∪ μ']

• Pomset Model
  – Actions & events
    • An action (an element of ∑) may occur more than once
    • An occurrence of an action is an event (an element of E)

• The pomset model helps analyze and understand the behaviors of concurrent software
  – Happens-before relationship between the events of interest
  – Calculating the possible traces
  – The pomset model can avoid state space explosion; the number of events grows only linearly


Analysis of Concurrent Software Models Using Partial Order Views

• To extract the pomset model
  – Compute the partial order of events within one process
  – Merge the partial orders of different processes through the parallel operation

• To analyze the pomset model and check event traces

• To revisit the state model when abnormal event traces are detected

• The bidirectional graph transformation technique supports transforming the state model into the pomset model and keeping the two models synchronized
  – The result can easily be mapped back to the original LTS

Small Examples

Semaphore

• Semaphore LTS

• Loop

[Figure: the semaphore LTS (states -1, 0, 1 with up and down transitions), the LTSs of two client processes (states 0, 1, 2; actions up, down and critical 1 / critical 2), and the extracted pomset running from Begin through the two up events, critical 1 followed by down and critical 2 followed by down, to End.]

Elevator System

• Outer request
  – FLOOR × {UP, DOWN}

• Inner request
  – FLOOR TO GO TO

• Controller of elevators
  – Outer requests: accessing the request queue
  – Inner requests: message passing

• 5 floors and 2 elevators

[Figure: LTSs for the outer request queue (states -1, 0, 1, 2, 3; actions send, receive), the user in the elevator, the inner request buffer (states 0 to 5; actions getREQ, receive, response) and the elevator (states 0 to 5 plus 1'; actions getREQ, receive, response, get, remove), with the extracted single-elevator pomsets running from Begin through the send/receive exchanges to response and End, and get followed by remove on the outer request queue.]

Two elevators

[Figure: the outer request queue, Elevator 1 and Elevator 2 LTSs (states 0 to 5 and 1'; actions receive, response, get, remove) and the pomset of the two elevators' queue accesses: Begin, then get1 and get2 in parallel, each followed by its own remove1 / remove2.]

• One possible trace: get1 → get2 → remove1 → remove2

Lock & Unlock

[Figure: the two-elevator pomset with lock before get and unlock after remove for each elevator (Begin; lock, lock; get1, get2; remove1, remove2; unlock, unlock), and the Elevator 1 / Elevator 2 LTSs extended with states 1'' and 1''' for the lock and unlock transitions.]

• The partial order event model provides engineers with
  – A different view of the events occurring in the concurrent software system and their order
  – A bidirectional model transformation technique that turns a state model into a partial order event model

• Potential errors can be detected from the information in the partial order event model
  – Data races: associate events with accesses to shared memory
  – Atomicity violations: associate actions with accesses to resources
  – Deciding which of these are real bugs usually relies on human judgement
  – The bidirectional model transformation helps locate the bugs in the state model when abnormal event traces are found
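The following Python is an added example written for this page; it is not code from the authors, from the slides or from the BiG tool. It implements the pomset definitions and the series/parallel operations from the earlier slides, enumerates the possible traces (linear extensions) of a pomset, and applies that to the two-elevator get/remove model above: the trace get1 → get2 → remove1 → remove2 from the "Two elevators" slide is reported as an atomicity violation on the shared outer request queue, and the lock/unlock variant, once traces are restricted to those respecting mutual exclusion, has none. The event naming convention (get1, remove1, lock1, ...) and the rule that an elevator's get..remove pair must not be interleaved with another elevator's queue access are assumptions of the example, not something the slides state.

```python
"""Pomset toolkit (added example): series/parallel composition, happens-before,
trace enumeration, and a trace-level atomicity check for the elevator queue."""


class Pomset:
    """A labelled partial order (E, Sigma, mu, <): E is a set of event names,
    mu maps each event to an action label, and < is stored as its transitive
    closure so that happens_before() is a single set lookup."""

    def __init__(self, labels, order=()):
        self.labels = dict(labels)            # mu: event -> action label
        self.order = self._closure(set(order))
        if any(u == v for u, v in self.order):
            raise ValueError("order must be irreflexive (no cycles)")

    @staticmethod
    def _closure(rel):
        # Naive transitive closure; the models here are tiny.
        changed = True
        while changed:
            changed = False
            for (a, b) in list(rel):
                for (c, d) in list(rel):
                    if b == c and (a, d) not in rel:
                        rel.add((a, d))
                        changed = True
        return rel

    @classmethod
    def action(cls, event, label=None):
        """Single-event pomset; the label defaults to the event name."""
        return cls({event: label or event})

    def _disjoint(self, other):
        shared = self.labels.keys() & other.labels.keys()
        if shared:  # both operations require E ∩ E' = ∅
            raise ValueError(f"event sets must be disjoint: {sorted(shared)}")

    def series(self, other):
        """p;p' : < ∪ <' ∪ (E × E'), every event of p precedes every event of p'."""
        self._disjoint(other)
        cross = {(u, v) for u in self.labels for v in other.labels}
        return Pomset({**self.labels, **other.labels}, self.order | other.order | cross)

    def parallel(self, other):
        """p||p' : < ∪ <', the two orders merged with no cross constraints."""
        self._disjoint(other)
        return Pomset({**self.labels, **other.labels}, self.order | other.order)

    def happens_before(self, u, v):
        return (u, v) in self.order

    def traces(self):
        """All linear extensions of <: the event traces the model allows."""
        def extend(prefix, remaining):
            if not remaining:
                yield tuple(prefix)
                return
            for e in sorted(remaining):
                # e can go next only if no still-pending event precedes it
                if not any((p, e) in self.order for p in remaining):
                    yield from extend(prefix + [e], remaining - {e})
        return list(extend([], set(self.labels)))


# Assumed event naming convention for this example: "<action><elevator number>".
QUEUE_ACTIONS = {"get", "remove"}   # accesses to the shared outer request queue


def elevator(i, locked=False):
    """Elevator i fetches an outer request (get) and then deletes it (remove);
    with locked=True the pair is bracketed by lock/unlock as on the slide."""
    body = Pomset.action(f"get{i}", "get").series(Pomset.action(f"remove{i}", "remove"))
    if locked:
        body = (Pomset.action(f"lock{i}", "lock").series(body)
                .series(Pomset.action(f"unlock{i}", "unlock")))
    return body


def atomicity_violations(trace):
    """Assumed rule: between elevator i's get and its remove no other elevator may
    touch the queue, otherwise two elevators can pick up the same request."""
    found = []
    for pos, ev in enumerate(trace):
        if ev[:-1] != "get":
            continue
        owner = ev[-1]
        end = trace.index(f"remove{owner}")
        intruders = [e for e in trace[pos + 1:end]
                     if e[:-1] in QUEUE_ACTIONS and e[-1] != owner]
        if intruders:
            found.append((ev, tuple(intruders)))
    return found


def respects_mutex(trace):
    """Mutual exclusion is a constraint on traces, not something parallel
    composition expresses: reject traces where a lock is taken while held."""
    holder = None
    for ev in trace:
        kind, owner = ev[:-1], ev[-1]
        if kind == "lock":
            if holder is not None:
                return False
            holder = owner
        elif kind == "unlock":
            holder = None
    return True


def analyse(n_elevators=2, locked=False):
    """Compose the elevators in parallel, enumerate traces, return the violating ones."""
    model = elevator(1, locked)
    for i in range(2, n_elevators + 1):
        model = model.parallel(elevator(i, locked))
    traces = model.traces()
    if locked:
        traces = [t for t in traces if respects_mutex(t)]
    return model, traces, [t for t in traces if atomicity_violations(t)]


if __name__ == "__main__":
    for locked in (False, True):
        model, traces, bad = analyse(2, locked)
        print(f"locked={locked}: {len(model.labels)} events, "
              f"{len(traces)} traces, {len(bad)} violating")
```

With two unlocked elevators the model has four events and six traces, four of which interleave one elevator's get..remove with the other's queue access; the slide's trace get1 → get2 → remove1 → remove2 is one of them. With lock/unlock the model has eight events, and of the seventy linear extensions only the two in which one critical section completes before the other begins respect mutual exclusion, neither of which violates the rule. The event count grows linearly with the number of elevators while the trace count grows combinatorially, which is the point of analysing the pomset rather than the product state machine.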

Conclusions

• State model is widely used in practice

• Pomset model can avoid state space explosion

• An approach to checking and analyzing state model using pomset model

• BiG provides the mechanism for model transformation and for eliminating the bugs found

Future Work

• A systematic approach

• Correctness of the approach
  – Case studies and experiments

• Tool Support