Peephole Partial Order Reduction.

Page 1

Peephole Partial Order Reduction
Chao Wang1, Zijiang Yang2, Vineet Kahlon1, and Aarti Gupta1
1NEC Laboratories America, Princeton, NJ
{chaowang,kahlon,agupta}@nec-labs.com
2Western Michigan University, Kalamazoo, MI
zijiang.yang@wmich.edu
Abstract. We present a symbolic dynamic partial order reduction (POR) method
for model checking concurrent software. We introduce the notion of guarded in-
dependent transitions, i.e., transitions that can be considered as independent in
certain (but not necessarily all) execution paths. These can be exploited by using
a new peephole reduction method. A symbolic formulation of the proposed peep-
hole reduction adds concise constraints to allow automatic pruning of redundant
interleavings in an SMT/SAT solver based search. Our new method does not di-
rectly correspond to any explicit-statealgorithm in the literature, e.g., those based
on persistent sets. For two threads, our symbolic method guarantees the removal
of all redundant interleavings (better than the smallest persistent-set based meth-
ods). To our knowledge, this type of reduction has not been achieved by other
symbolic methods.
1Introduction
Verifying concurrent programs is hard due to the large number of interleavings of tran-
sitions from different threads. In explicit-state model checking, partial order reduction
(POR) techniques [7, 17, 20] have been be used to exploit the equivalence of interleav-
ings of independent transitions to reduce the search state space. Since computing the
precise dependencerelation may be as hard as verification itself, existing POR methods
often use a conservative static analysis to compute an approximation. Dynamic partial
order reduction [6] and Cartesian partial order reduction [11] lift the need of apply-
ing static analysis a priori by detecting collision (data dependency) on-the-fly. These
methods in general can achieve more reduction due to the more accurate collision de-
tection. However, applying these POR methods (which were designed for explicit-state
algorithms) to symbolic model checking is not an easy task.
A major strength of SAT-based symbolic methods [2] is that property dependent and
data dependent search space reduction is automatically exploited inside modern SAT
or SMT (Satisfiability Modulo Theory) solvers, through the addition of conflict clauses
and non-chronologicalbacktracking.Symbolic methods are often more efficient in rea-
soning about variables with large domains. However, combining classic POR methods
(e.g.,thosebasedonpersistent-sets[8])with symbolicalgorithmshasprovento bediffi-
cult [1, 15, 10, 3, 13]. Thedifficultyarises fromthefact that symbolicmethodstypically
manipulate a large set of states implicitly as opposed to manipulating states individu-
ally. Capturing and exploitingtransitions that are dynamicallyindependentwith respect
to a set of states is much harder than it is for individual states.
C.R. Ramakrishnan and J. Rehof (Eds.): TACAS 2008, LNCS 4963, pp. 382–396, 2008.
c ? Springer-Verlag Berlin Heidelberg 2008

Page 2

Peephole Partial Order Reduction383
T1
i = foo() ;
...
a[i] = 10 ;
a[i] = a[i]+20;
*p = a[j] ;
A
B
C
T2
j = bar() ;
...
a[j] = 50 ;
a[j] = a[j]+100;
*q = a[i] ;
α
β
γ
Fig.1. tA,tB are independent with tα,tβ when i =
j; tC is independent with tγ when (p = q).
A
A
A
A
B
B
B
C
C
B
C
C
{ }
βγ
β
α
α
α
α
β
β
γ
γ
γ
{A,B,C,α,β,γ}
Fig.2. The lattice of interleavings
For example, in Fig. 1 there are two concurrent threads accessing a global array
a[ ]. The two pointers p and q may be aliased. Statically, transitions tA,tBin thread
T1are dependent with tα,tβin T2. Therefore, POR methods relying on a static anal-
ysis may be ineffective. Note that when i ?= j holds in some executions, tA,tBand
tα,tβbecome independent, meaning that the two sequences tA;tB;tα;tβ;tC;tγ; and
tα;tβ;tA;tB;tC;tγ; are equivalent. However, none of the existing symbolic partial or-
der reduction methods [1, 15, 10, 3, 13] takes advantage of such information1. Among
explicit-state POR methods, dynamic partial order reduction [6] and Cartesian partial
orderreduction[11]areabletoachievesomereductionbydetectingconflictson-the-fly;
in any individual state s, the values of i and j (as well as p and q) are fully determined,
making it much easier to detect conflicts. However, it is not clear how to directly apply
these techniques to symbolic model checking, where conflict detection is performed
with respect to a set of states.
Missing out these kind of partial-order reductions can be costly, since the symbolic
model checker needs to exhaustively search among the reduced set of execution se-
quences. The number of valid interleavings (sequences) can be large even for moderate
sized programs. For the running example, we can capture all possible interleavings us-
ing a lattice structure (Fig. 2). Let Q = {tA,tB,tC,tα,tβ,tγ} be the set of transitions
from both threads. Each vertex in the figure represents a distinct subset of Q, consisting
of the executed transitions up to that point. The top vertex is { } and the bottom ver-
tex is {tA,tB,tC,tα,tβ,tγ}. A path from top to bottom denotes a unique interleaving.
For example, the left-most path corresponds to tA;tB;tC;tα;tβ;tγ. The set of vertices
forms a powerset 2Q.
In this paper, we present a new peephole partial order reduction method to exploit
the dynamic independence of transitions. To this end, we introduce a new notion of in-
dependence relation called guarded independence relation (GIR). It is an extension of
1Themethod in[13] can reduce equivalent interleavings if wereplace i=foo()and j=bar()
with i=1 and j=2, but not in the general case.

Page 3

384C. Wang et al.
theclassic(conditional)independencerelation[14,8]:insteadofdefiningindependence
withrespecttoeitherasinglestate orforallglobalstates, wedefinetheGIR relationRG
withrespecttoa predicateoverprogramsvariables.Each?t1,t2,cG? ∈ RGcorresponds
toapairoftransitionst1,t2thatareindependentiffcGholds.A majoradvantageofGIR
is that it can be accurately computed by a simple traversal of the program structure. We
furtherproposea peepholereductionwhich conciselycapturesthe guardedindependent
transitions as constraints over a fixed numberof adjacent transitions to restrict the satis-
fiability formula during symbolic search (e.g., in bounded model checking). The added
constraints allow the underlying SAT/SMT solver to prune search space automatically.
Adding these GIR constraints requires identification of a pattern in a fixed sized time
window only.
The basic observation exploited by various POR methods is that different execution
sequencesmay correspondto the same equivalenceclass. Accordingto Mazurkiewicz’s
trace theory [16], two sequences are equivalent if they can be obtained from each other
by successively permuting adjacent independent transitions. In this sense, our peephole
POR method has the same goal as the classic POR methods[7, 17, 20, 6, 11]; however,
it does not directly correspondto any existing method.In particular,it is not a symbolic
implementation of any of these explicit-state methods. For a system with two threads,
our method can guarantee optimality in reduction; that is, all redundant interleavings
are removed (proof is in Section 3.2). To our knowledge, there has not been such guar-
antee among existing POR methods. We also show an example on which our method
achieves strictly more reduction than any persistent-set based method. Finally, the pro-
posed encoding scheme is well suited for symbolic search using SAT/SMT solvers.
To summarize, our main contributions are: (1) the notion of guarded independence
relation, which accurately captures independence between a pair of transitions in terms
of predicates on states; (2) a peephole partial order reduction that adds local constraints
based on the guardedindependencerelation, along with a symbolic formulation;(3) the
guarantee of removing all redundant interleavings for systems with two threads. This
kindofreductionhasnotbeenachievedbyprevioussymbolicmethods[1,15,10,3,13].
2Guarded Independence Relation
In this section, we review the classic notion [14, 8] of independenttransitions, and then
present the new notion of guarded independence relation.
Let Ti(1 ≤ i ≤ N) be a thread with the set transiof transitions. Let trans =
?N
index by tidt1, and denote the enabling condition by ent1. If t1is a transition in Ti
from control location loc1 to loc2 and is guarded by cond, then ent1is defined as
(pci= loc1)∧cond. Herepci∈ Viis a special variablerepresentingthe threadprogram
counter. Let S be the set of global states of the system. A state s ∈ S is a valuation of
all local and global variables. For two states s,s?∈ S, s
by applying t1, and s
⇒ s?denotes a sequence of state transitions.
i=1transibe the set of all transitions. Let Vibe the set of local variables in thread
Ti, and Vglobalbe the set of global variables. For t1 ∈ transi, we denote the thread
t1
→ s?denotes a state transition
ti...tj

Page 4

Peephole Partial Order Reduction385
2.1 Independence Relation
Definition 1 (Independence Relation[14,8]).R ⊆ trans×trans is anindependence
relation iff for each ?t1,t2? ∈ R the following two properties hold for all s ∈ S:
1. if t1is enabled in s and s
→ s?, then t2is enabled in s iff t2is enabled in s?; and
2. if t1,t2are enabled in s, there is a unique state s?such that s
t1
t1t2
⇒ s?and s
t2t1
⇒ s?.
In other words, independent transitions can neither disable nor enable each other, and
enabled independenttransitions commute. As pointed out in [7], the definition has been
mainly of semantic use since it is not practical to check the above two properties for all
states todeterminewhichtransitionsareindependent.Instead,traditionallycollisionde-
tection often uses conservativebut easy-to-checksufficient conditions.For instance, the
following properties [7] have been used in practice to compute independent transitions:
1. the set of threads that are active for t1is disjoint from the set of threads that are
active for t2, and
2. the set of objects that are accessed by t1is disjoint from the set of objects that are
accessed by t2.
Note that some independent transitions may be conservatively classified as dependent,
like t1:a[i] = e1and t2:a[j] = e2when i ?= j, since it is not clear statically if a[i] and
a[j] refer to the same element. This can in turn lead to a coarser persistent set.
In the conditional dependence relation [14, 8], two transitions are defined as inde-
pendent with respect to a state s ∈ S (as opposed to for all s ∈ S). This extension
is geared towards explicit-state model checking, in which persistent sets are computed
for individual states. A persistent set at state s is a subset of the enabled transitions
that need to be traversed in adaptive search. A transition is added to the persistent set
if it has any conflict with a future operation of another thread. The main difficulty in
persistent set computation lies in detecting future collision with enough precision. Al-
though it is not practical to compute the conditional dependence relation for each state
in S for collision detection purposes, there are explicit-state methods (e.g., [6, 11]) to
exploit such dynamically independent transitions. However, these classic definitions of
independence are not well suited for symbolic search.
2.2Guarded Independence Relation
Definition 2. Twotransitionst1,t2areguardedindependentwithrespecttoacondition
cGiff cGimplies that the following properties hold:
1. if t1is enabled in s and s
2. if t1,t2are enabled in s, there is a unique state s?such that s
t1
→ s?, then t2is enabled in s iff t2is enabled in s?; and
t1t2
⇒ s?and s
t2t1
⇒ s?.
This can be considered as an extension of the conditional dependence relation; instead
of defining ?t1,t2,s? with respect to a state s ∈ S, we define ?t1,t2,cG? with respect to
a predicate over local and global program variables. The independence relation is valid
for all states in which cGholds, i.e., it is valid with respect to a (potentially large) set of

Page 5

386 C. Wang et al.
states. Unlike the previous definitions, when computing GIR, we are able to apply the
two properties in Definition 2 precisely.
The guard cGcan be efficiently computed by a traversal of the structure of the pro-
gram. For a transition t, we use VRD(t) to denote the set of variables read by t, and
VWR(t) to denote the set of variables written by t. We define the potential conflict set
between t1and t2from different threads to be
Ct1,t2= VRD(t1) ∩ VWR(t2) ∪ VRD(t2) ∩ VWR(t1) ∪ VWR(t1) ∩ VWR(t2) .
Inourrunningexample,CtA,tα= {a[i],a[j]}.ForaC-likeprogram,welistthedifferent
scenarios under which we compute the guarded independence relation RG:
1. when Ct1,t2= ∅, add ?t1,t2,true? to RG;
2. when Ct1,t2= {a[i],a[j]}, add ?t1,t2,i ?= j? to RG;
3. when Ct1,t2= {∗pi,∗pj}, add ?t1,t2,pi?= pj? to RG;
4. when Ct1,t2= {x}, consider the following cases:
a. RD-WR: if x ∈ VRD(t1) and the assignment x := e appears in t2, add
?t1,t2,x = e? to RG;
b. WR-WR: if x := e1appears in t1and x := e2appears in t2, add ?t1,t2,e1=
e2? to RG;
c. WR-C: if x appears in the condition cond of a branchingstatement t1, such as
if(cond), and x := e appears in t2, add ?t1,t2,cond = cond[x → e]? to RG,
in which cond[x → e] denotes the replacement of x with e.
Overall the computational complexity is O(|trans|2), where |trans| is the number of
transitions. If desired, the set of rules can be easily extended to handle a richer set of
language constructs.
Rules 1,2, and 3 correspond to standard semantics of a program. Pattern 4(a) states
that two read/write operations to the same variable are guarded independentif the write
operation does not change its value. Pattern 4(b) states that two write operations to the
same variable are guarded independent if their newly assigned values are the same. In
these two cases, cGmay evaluate to true more frequently than one may think, espe-
cially when these variables have small ranges and when they are used for branching
purposes. If b is a Boolean variable, then b := e1and b := e2independent in two of
the four possible cases. Pattern 4(c) is a special case of 4(a): clearly x = e implies
cond = cond[x → e]; however, there are cases when x ?= e but cond = cond[x → e].
For example, let if(x < 10) be a transition in thread 1 and x := e be in thread
2. They are guarded independent if (x < 10) = (e < 10), even if x changes af-
ter the assignment. Multiple patterns can appear in the same pair of transitions. In such
cases, cGis a conjunctionor disjunctionofindividualconditions.For example,consider
t1:if(a[i]>5)andt2:a[j]:=x.HerecGis definedas i ?= j∨((a[i] > 5) = (x > 5)).
In symbolic search based on SMT/SAT solvers, the guarded independence relation
can be compactly encoded as symbolic constraints in the problem formulation, as de-
scribed in the next section. These constraints facilitate automatic pruning of the search
space.