On Sequentializing Concurrent Programs?

Ahmed Bouajjani1 , Michael Emmi1?? , and Gennaro Parlato2

1

LIAFA, Universite Paris Diderot, France

{abou,mje}@liafa.jussieu.fr
School of Electronics and Computer Science
University of Southampton, UK
[email protected]

Abstract. We propose a general framework for compositional underapproximate concurrent program analyses by reduction to sequential
program analysesso-called sequentializations. We notice the existing
sequentializationsbased on bounding the number of execution contexts,
execution rounds, or delays from a deterministic task-schedulerely on
three key features for scalable concurrent program analyses: (i) reduction
to the sequential program model, (ii) compositional reasoning to avoid
expensive task-product constructions, and (iii) parameterized exploration
bounds. To understand how those sequentializations can be unified and
generalized, we define a general framework which preserves their key
features, and in which those sequentializations are particular instances.
We also identify a most general instance which considers more executions,
by composing the rounds of different tasks in any order, restricted only
by the unavoidable program and task-creation causality orders. In fact,
we show this general instance is fundamentally more powerful by identifying an infinite family of state-reachability problems (to states g1 , g2 , . . .)
which can be answered precisely with a fixed exploration bound, whereas
the existing sequentializations require an increasing bound k to reach each
gk . Our framework applies to a general class of shared-memory concurrent
programs, with dynamic task-creation and arbitrary preemption.

Introduction

Concurrent program analysis is difficult due to the high computational complexity

that arises when considering every intricate task interleaving. To avoid such
high computational complexity, bounded (underapproximating) exploration is
emerging as a general technique. In general, one characterizes a subset of the
concurrent program semantics by a bounding parameter k. As k is increased we
explore more behaviors, at the expense of more computational resources; in the
limit we explore every behavior. A bounded exploration technique is effective
when useful information (e.g., the presence of bugs) is obtained by spending a
relatively small amount of computational resources (i.e., using low values of k).
?
??

Partially supported by the project ANR-09-SEGI-016 Veridyc.

Supported by a fellowship from the Fondation Sciences Mathematiques de Paris.

By characterizing a subset of the concurrent program semantics by a bounding

parameter (e.g., bounded context-switch [22]), it is often possible to reduce
concurrent program exploration to sequential program exploration [23, 20, 15, 17,
8, 14]essentially by constructing an equivalent program without concurrency
primitives (e.g., task creation, preemption). Such sequentializations are desirable,
both practically and theoretically, for several reasons. First, they reduce the
exploration problem of any concurrent program to the well-understood model
of sequential programs, and are not limited by finite-data programs, per se.
Here several practical verification algorithms exist by way of finite-data software
model checking [24, 5, 3, 16]), (infinite-state) fixed point computations [6, 25,
12], and (e.g., SMT-based) bounded software verification algorithms [7, 18].
Second, they compute the behavior of each concurrent task compositionally
i.e., without considering the local-state valuations of other tasks. Third, they
enable incremental analysis, trading-off computing resources for the amount of
explored behaviors, by varying a bounding parameter k N. (The parameter k
determines the (asymptotic) budget of the sequential program exploration. In
practice, the reductions add O(k) variables to the resulting sequential program,
resulting in an increasingly-expensive (in k) sequential program exploration.)
Indeed these sequentialization-based analyses have been applied to discover (in
some cases previously-unknown) bugs in device drivers [20, 15, 17, 19, 8].
Our principal aim in this work is to develop a theory of parameterized,
compositional, concurrent-to-sequential program analysis reductions. Specifically,
we make the following contributions:
To identify the fundamental mechanisms enabling compositional sequentializations, thus formulating a framework in which to define them (Section 3).
To formulate a most general sequentialization in our framework which expresses as many concurrent behaviors as possible (Section 4), while maintaining compositionality, and without extending the class of programs in which
tasks are originally writtene.g., by adding unbounded counters.
To classify the existing sequentializations in our framework, and compare
them w.r.t. the behaviors explored for their bounding parameters (Section 5).
Besides enlightening the mechanisms which enable sequential reduction, we
believe our gained insight can guide further advances, for instance by considering
other restrictions to our framework with efficient encodings.
Using the three features discussed above ((i) reduction to sequential programs,
(ii) compositionality, and (iii) parameterization), the existing sequentializations
work by characterizing each concurrent task by an interface of k global-state valuation pairs (where k is the bounding parameter). These k global-state valuation
pairs represent a computation of a task which is interrupted k 1 timesthe
valuations give the initial and final global-states per execution round. Each
tasks interface is then computedin isolation from other tasksby beginning
each round from the guessed global-state valuation, performing a sequence of
sequential program steps, then eventually moving to the next round, by updating
the current global-state to the next-guessed valuation. Contiguous interfaces
(i.e., where the final global-state valuations of one matches the initial valuations
2

of the other) are then glued together to form larger computations. Intuitively,
this interface composition builds executions according to a round-robin schedule
of k rounds; a complete execution is formed when each ith final global-state of
the last tasks interface matches the (i + 1)st initial global-state of the firsts.
When there are a fixed number of statically-created tasks, interfaces are simply
composed in task-identifier order. In the more general case, with dynamically
created tasks, interfaces are composed in a depth-first preorder over the ordered
task-creation tree. (Note by viewing the task-identifier order as the task-creation
order, the dynamic case subsumes the static.)
Thus, besides features/constraints (i), (ii), and (iii)which we feel are desirable, and important to maintain for efficiency and scalability of the resulting
program analysesthe existing sequentializations are constrained by: (iv) roundrobin executions (in depth-first order on the ordered task-creation tree). Though
other schedules can be simulated by increasing the (round) bounding parameter
k when the number of tasks is bounded, for a fixed value of k, only k-round
round-robin schedules are explored.
The most general instance of the framework we propose in Section 4 subsumes
and extends the existing round-robin based (i.e., context- and delay-bounded)
sequentializations. As in these previous approaches, we restrict ourselves to
explorations that are (i) sequential, (ii) compositional, and (iii) parameterized,
in order to compute task interfaces over k global-state valuation pairs. However,
for the same analysis budget3 (i.e., the bounding parameter k), the general
instance expresses many more concurrent behaviors, essentially by relaxing the
round-robin execution order, and decoupling each task from any global notion
of rounds. We consider that each tasks interface is constructed by composing
the rounds of tasks it has created in any order that respects program order,
and task-creation causality orderi.e., a task is not allowed to execute before a
subsequent preemption of the task that created it. Thus the simulated concurrent
execution need not follow a round-robin schedule, despite the prescribed task
traversal order; the possible inter-task interleavings are restricted only by the
constraint that at most k sub-task round summaries can be kept at any moment
indeed this constraint is necessary to encode the resulting sequentialization with
a bounded number of additional (finite-domain) program variables.
In fact, the most general instance of our framework is fundamentally more
expressive than the existing sequentializations, since there are infinite sequences
of states (e.g., g1 , g2 , . . .) which can be reached with a fixed exploration bound,
whereas the existing sequentializations require an increasing bound k to reach each
gk . This gain in expressiveness may or may not be accompanied by an analysis
overhead. For enumerative program analysis techniques (e.g., model checking,
systematic testing), one may argue that considering more interleavings will have a
negative impact on scalability. This argument is not so clear, however, for symbolic
techniques (e.g., SMT-based verification, infinite-state fixed-point computations),
which may be able to reduce reasoning over very many interleavings to very
few, in practice [20]. Although many device driver bugs have been discovered
3

See Section 4 for complexity considerations.

within few interleavings [21], reducing the number of interleavings could indeed
cause missed bugs in other settings. Furthermore, our hope is that enlightening
the mechanisms behind sequentialization will lead to the discovery of other
succinctly-encodable instances of compositional sequentialization.

Concurrent Programs

We consider a simple but general concurrent programming model in the style of

single-threaded event-driven programs. (The style is typically used as a lightweight
technique for adding reactivity to single-threaded applications by breaking up
long-running computations into a collection of tasks.4 ) In this model, control
begins with an initial task, which is essentially a sequential program that can
read from and write to global (i.e., shared) storage, and post additional tasks
(each post statement specifies a procedure name and argument) to an initially
empty task buffer of pending tasks. When control returns to the dispatcher, either
when a task yields controlin which case it is put back into the task bufferor
completes its execution, the dispatcher picks some task from the task buffer, and
transfers control to it; when there are no pending tasks to pick, the program
terminates. This programming model is powerful enough to model concurrent
programs with arbitrary preemption and synchronization, e.g., by inserting a
yield statement before every shared variable access.
Let Procs be a set of procedure names, Vals a set of values containing true
and false, and T the sole type of values. The grammar of Fig. 1 describes our
language of asynchronous programs, where p ranges over procedure names. We
intentionally leave the syntax of expressions e unspecified, though we do insist
the set of expressions Exprs contains Vals and the (nullary) choice operator ? .
The set of program statements s is denoted Stmts. A sequential program is an
asynchronous program which contains neither post nor yield statements.
A (procedure-stack) frame h`, si is a valuation ` Vals to the procedure-local
variable l, along with a statement s to be executed. (Here s describes the entire
body of a procedure p that remains to be executed, and is initially set to ps
top-level statement sp .) A task w is a sequence of frames representing a procedure
stack, and the set (Vals Stmts) of tasks is denoted Tasks. An (asynchronous)
configuration c = hg, w, mi is a global-variable valuation g Vals along with a
task w Tasks, and a task buffer multiset m M[Tasks].
To define the transition relation between configurations, we assume the
existence of an evaluation function JKe : Exprs (Vals) for expressions without
def
program variables, such that J?Ke = Vals. For convenience, we define e(g, `) =
Je[g/g, `/l]Ke since g and l are the only variables, the expression e[g/g, `/l] has
no free variables. To select the next-scheduled statement in a configuration, we
define a statement context S as a term derived from the grammar S ::=  | S; s,
and write S[s] for the statement obtained by substituting a statement s for the
unique occurrence of  in S.
4

As our development is independent from architectural particularities, tasks may

correspond to threads, processes, asynchronous methods, etc.

P ::=
H ::=
s ::=
|
|
|
x ::=

var g:T H
proc p (var l:T ) s
s; s | x := e | skip | assume e
if e then s else s | while e do s
call x := p e | return e
post p e | yield
g | l

Fig. 1. The grammar of asynchronous programs. Each program P declares a single

type-T global variable g, and a sequence of procedures named p1 . . . pn Procs . Each
procedure p has single type-T parameter l, and a top-level statement (i.e., the procedure
body) denoted sp . This program syntax is made simple only to simplify presentation;
various extensionse.g., to multiple global and local variablescan be encoded by
varying the type T ; see the full version of this paper [4].
Post

`0 e(g, `)


w0 = `0 , sp


hg, h`, S[post p e]i w, mi aP g, h`, S[skip]i w, m {w0 }

wm

hg, , mi aP hg, w, m \ {w}i

Yield

Complete
hg, h`, S[return e]i , mi

Dispatch

aP

hg, , mi

w0 = h`, S[skip]i w


hg, h`, S[yield]i w, mi aP g, , m {w0 }

Fig. 2. The transition relation aP for an asynchronous program P is given by combining

the transitions above with the sequential transition relation sP .

The transition relation aP of an asynchronous program P is defined in Fig. 2

as a set of operational steps on configurations. The transition relation sP for the
sequential program statements (see the full version of this paper [4]) is standard.
The Post rule gives a newly-created task to the task buffer, while the Yield
rule gives the currently-executing task to the task buffer. The Dispatch rule
chooses some task from the buffer to execute, and the Complete rule disposes a
completed task.
A configuration hg, h`, si , i is called initial, and is sequential when s does not
contain post (nor yield) statements. An (asynchronous) execution of a program
P (from c0 to cj ) is a configuration sequence h = c0 c1 . . . cj where
c0 is initial, and
ci aP ci+1 for 0 i < j.
We say a configuration c = hg, w, mi (alternatively, the global value g) is reachable
in P (from c0 ) when there exists an execution of P from c0 to c. The asynchronous
semantics of P , written {|P |}a , maps initial configurations to reachable global
values, i.e., {|P |}a (c0 ) = g if and only if g is reachable in P from c0 . When P is a
sequential program, the sequential semantics of P , written {|P |}s , maps initial
sequential configurations to reachable global values.
5

Compositional Semantics

Here we define a compositional semantics for asynchronous programs on which to

base our reduction to sequential programs. To do so, we characterize each posted
task by an interface exposing only global-state valuations to other tasks. Each
interface summarizes not only the computation of a single task, but also the
computations of all descendants of tasks it has posted. In particular, an interface
is a sequence hg1 , g10 i . . . hgk , gk0 i of global-state valuation pairs summarizing a
computation which is interrupted k 1 times; the computation begins with global
state g1 , is interrupted by an external task at global state g10 , is resumed at g2 ,
etc. We call the computation summarized by each pair hgi , gi0 i the ith round. A
larger computation is then formed from a collection of task interfaces, by gluing
together contiguous rounds (e.g., summarized by hg1 , g2 i and hg2 , g3 i), while
maintaining the order between rounds from the same interface.
We construct interfaces inside a data-structure called a summary bag. Besides
the sequence Bex of rounds which will be exported as the current tasks interface
(see Fig. 3a), the bag maintains a collection Bim of interfaces imported from
posted tasks (see Fig. 3c). At any yield-point, the current task can begin a new
round, by guessing 5 the global-state valuation that will begin the next round (see
Fig. 3b), or, if the current global-state valuation matches the start of the first
unconsumed round from some imported interface (as does ha, bi in Fig. 3d), the
current task can consume that round and update the current global state; this
amounts to interleaving the round of a posted task at the current control point.
With this view of recursive interface constructioninterfaces are constructed
from interfaces of sub-tasksthe reduction to sequential programs is nearly
straightforward. To compute the imported summary of a posted task, we translate
the post statement into a procedure call which returns the computed interface
for the posted task. At yield points, we will repeatedly, nondeterministically
choose to begin a new round, consume a round from an imported interface, or
step past the yield statement. For the moment the only obstacle is how to store
the unbounded summary bag; we address this issue in Section 4.
To define the compositional semantics we formalize the summary-bag operations. A summary bag B = hBex , Bim i pairs the round sequence Bex to be
exported from the current task, along with a collection Bim of round sequences
imported from sub-tasks. The empty bag B = h, i is an empty sequence paired
with an empty collection. The operations to add the current round (), import a
sub-task interface (), and consume a sub-task round ( ) are defined as
hBex , Bim i hg, g 0 i = hBex hg, g 0 i , Bim i ,

def

hBex , Bim i  Bex 0 = Bex , Bim Bex 0 ,


def

hBex , Bim i hg, g 0 i = Bex , Bim 0

def

add round
import interface
consume round,

where Bim 0 is obtained by removing hg, g 0 i from the head of a sequence in Bim ,
and hBex , Bim i hg, g 0 i is undefined if hg, g 0 i is not at the head of Bim .
5

An enumerative analysis algorithm can handle guessing by attempting every reached

global valuation; a symbolic algorithm just creates a new symbol.

Summary create

Summary export

d
c

a
c
f e

b
d
f

(a)

b
c

(b)

Summary
consume

Summary import

(c)

(d)
b
a
c
e

ba
d
f

d
c

b
a

Fig. 3. The summary bag operations. Circles represent global valuations (double circles
equivalences), and are paired together in rounded rectangle round summaries. Interfaces
are drawn as stacked round summaries, and shading is used only to easily identify
summaries. (a) Export a constructed interface, (b) begin a round by finalizing the
current round ha, bi, and guessing a valuation c to begin the next, (c) import sub-task
interface, (d) interleave the first unconsumed round ha, bi of a sub-task, updating the
current global state from a to b. The round-summaries Bex to be exported appear above
the dotted line, and the collection Bim of imported sub-task interfaces appears below.

We define the compositional transition relation of asynchronous programs by

augmenting the sequential transitions sP with a new set of transitions for the
asynchronous control statements, over a slightly different notion of configuration.
In order to build interfaces, each configuration carries the global-state valuation
at the beginning of the current round (denoted g0 below), as well as the current
valuation. A (compositional) configuration c = hg0 , g, w, Bi is an initial valuation
g0 Vals of the global variable g, along with a current valuation g Vals, a task
w Tasks, and a summary bag B.
Fig. 4 lists the transitions cP for the asynchronous control statements. The
NextRound rule begins a new round with a guessed global-state valuation, and
the SubTask rule collects the posted tasks interface. The task-summarization
relation p `0 ; Bex used in the SubTask rule holds when the task h`0 , sp i can
execute to a yield, or return, point having constructed the interface Bex i.e., when
there exists g, g0 , g1 Vals, w Tasks, and Bim such that hg, g, h`0 , sp i , B i c
P
hg0 , g1 , w, hBex , Bim ii, where w is of the form h`, S[yield]i w0 or h`, S[return e]i.
The Interleave rule executes a round imported from some posted task, and
finally, the Resume rule simply steps past the yield statement.
A configuration hg, g, h`, si , B i is called initial. A (compositional) execution
of a program P (from c0 to cj ) is a configuration sequence h = c0 c1 . . . cj where
7

NextRound
B0 = B hg0 , gi
hg0 , g, h`, S[yield]i w, Bi

cP

SubTask
`0 e(g, `)

g 0 Vals

g , g , h`, S[yield]i w, B

Interleave


B0 = B g, g 0

c

hg0 , g, h`, S[yield]i w, Bi P g0 , g 0 , h`, S[yield]i w, B0

p `0 ; Bex
B0 = B  Bex


hg0 , g, h`, S[post p e]i w, Bi cP g0 , g, h`, S[skip]i w, B0

Resume
hg0 , g, h`, S[yield]i w, Bi cP hg0 , g, h`, S[skip]i w, Bi

Fig. 4. The compositional transition relation cP for an asynchronous program P is

given by combining the transitions above with the sequential transition relation sP .

c0 is initial, and
ci cP ci+1 for 0 i < j.
A compositional execution describes the progression of one task only; progressions of sub-tasks are considered recursively as separate executions to compute
the task-summarization relation ;. We say a configuration c = hg0 , g, w, Bi
(alternatively, the global value g) is reachable in P (from c0 ) when there exists an
execution from c0 to c, without using the NextRound rule.6 The compositional
semantics of P , written {|P |}c , maps initial configurations to reachable global
values, i.e., {|P |}c (c0 ) = g if and only if g is reachable in P from c0 .
Although their definitions are wildly different, the compositional and asynchronous semantics are equivalent. To see that every asynchronous execution h
has a corresponding compositional execution, consider, inductively, how to build
the interface summarizing the projection of h a given tasks sub-task segments.
Consider the task A of Fig. 5 which posts B and C. To simulate the asynchronous
(sub-) execution of Fig. 5a, A builds an interface with two uninterruptible rounds
(see Fig. 5c): the first sequencing segments 1 and 2, and the second sequencing
3, 4, 5, and 6. To build this interface, A must import two-round interfaces from
B and C each; note that each round of B and C may recursively contain many
interleaved segments of sub-tasks.
Theorem 1. The compositional semantics and asynchronous semantics are
identical, i.e., for all programs P we have {|P |}c = {|P |}a .7
The proof to this theorem appears in the full version of this paper [4].

Bounded Semantics

As earlier sequentializations have done by constraining the number of rounds [20,

15], by constraining the size of the summary bag, we can encode the bag contents
with a fixed number of additional variables in the resulting sequential program.
Since we are interested in exploring as many behaviors as possible with a limitedsize bag, an obvious point of attention is bag compression. Thus we define an
6

Disallowing use of the NextRound rule in the top-level execution ensures that
unchecked guessed global-state valuations are not considered reachable.
We consider initial configurations hg, h`, si , i and hg, g, h`, si , B i as equal.

An asynchronous
(sub-)
execution
An asynchronous
(sub-)
execution
An asynchronous
(sub-) execution
simulated
by compositional
simulated
by compositional
execution
simulated
by compositional
executionexecution
A A BA B BA
AC A BC C C B B C C

(a)

A
1

(b)

2 3

b a b c b dc

b1 a d

A3

b
C

be 3d

ea

b
c B
e 2
f C 4
B
5
6 C c 4e
2 b
f b
g g c5e h
f6d

g g

g 6g

34

cde

fe

54

e g f

f
h

a1
4

d3

c1

b
f3

e4

1,2
3,4,5,6

b2
5

f h g g

a
d

A A

(c)

c
f

hh
1,2

c
h

1,2

a a 3,4,5,6 c c
d3,4,5,6 h
d
h

g4

6 6

Fig. 5. Simulating an asynchronous execution (a) as a compositional execution, where

task A posts B and C, then is interrupted by B, then is eventually re-dispatched, and
upon completion is followed directly by C, which is interrupted by B before completing.
(b) The bag used to reconstruct As interface, and (c) the constructed interface for A.

additional operation to free a space in the bag by merging two contiguous

(w.r.t. the global valuation) summaries, essentially removing the possibility for
future reordering between the selected segments. In doing so, we must maintain
causal order by ensuring the bag remains acyclic, and what was before a collection
Bim of summary sequences imported from sub-tasks now becomes a directed
acyclic graph (DAG) of summaries. To maintain program order in the presence
of merging, summaries are now consumed only from the roots of Bim .
def
The size |B| = |Bex | + |Bim | of B is the sum of the length of the sequence
Bex and the number
ofnodes of the DAG Bim . The bag simplification operation

hBex , Bim i  Bex , Bim 0 obtains Bim 0 from Bim by merging two nodes n and n0 ,
labelled, resp., by hg1 , g2 i and hg2 , g3 i, such that either
(a) there is no directed path from n to n0 in Bim , or
(b) there is an edge from n to n0 in Bim
(see Fig. 6); in either case the merged node is labelled hg1 , g3 i. Note that when
B  B 0 we have |B 0 | = |B| 1. Though we could simulate this merge operation in
the (unbounded) compositional semantics, by eventually consuming consecutively
n and n0 into the exported summary list, the merge operation allows to eagerly
express the interleavingthough disallows any subsequent interleaving between
n and n0 . Merging summaries eagerly fixes a sequence of inter-task execution
segments, trading the freedom for external interleaving (which may have uncovered
additional, potentially buggy, behaviors) for an extra space in the bag.
We define the k-bounded compositional semantics of P, written {|P |}kc , by
restricting the compositional semantics {|P |}c to executions containing only
configurations hg0 , g, w, Bi such that |B| k, and adding the additional transition
Compress

B  B0
.
hg0 , g, w, Bi cP hg0 , g, w, B 0 i
9

merge
disconnected

(a)

merge
consecutive

(b)

Fig. 6. The bag simplification operations: (a) merging two disconnected but contiguous
round summaries ha, bi and hb, ci (resulting in (b)), and (b) merging two consecutive
and contiguous summaries ha, ci and hc, di (resulting in the small adjacent bag).

As we increase k, the set of k-bounded semantics grows monotonically, and in the

limit, the k-bounded semantics is the compositional semantics. For two functions
f, g : A (B), we write f g when for all a A, f (a) g(a).
Theorem 2. The sequence of bounded compositional semantics forms a monotonically increasing chain whose
S limit is identical to the compositional semantics,
i.e., {|P |}0c {|P |}1c . . . kN {|P |}kc = {|P |}c .
Remark For simplicity, we present a compositional semantics in which information
(i.e., the summary bags) only flows up from each sub-task to the task that posted
it. However, an even more compact semanticsin the sense that more behaviors
are expressed with the same bag-size boundis possible when each task not only
returns summaries, but also receives summaries as a parameter. For example, to
interleave 2k summaries of two sub-tasks, one can pass the k summaries of the
first sub-task to the second, and merge them with the seconds summaries, as
they are created, keeping only k at a time. Otherwise, one must interleave the two
tasks summaries outside, which means keeping 2k summaries for the enclosing
task to interleave. Since the extension is purely technical, and not so insightful,
we omit its description here. However, the results stated in the remainder of this
paper are presented in terms of the bag-size bound w.r.t. this extension.
Note on Complexity For the case where variables have finite-data domains, determining whether a global valuation is reachable is NP-complete8 (in k) for
the bounded-task k-context bounded and unbounded-task k-delay bounded sequentializations [20, 8], and PSPACE-complete (in k) for the unbounded-task
k-context bounded sequentialization [17]. Since these cases are reducible to our
semantics (see Section 5), it follows that global-state reachability is PSPACE-hard
(in k) in the most general instance of our framework. Since the number of bag
8

Here the literature has assumed a fixed number of finite-state program variables in
order to ignore the effect of complexity resulting from data. Indeed the reachability
problem is EXPTIME-complete in the number of variables, due to the logarithmic
encoding of states in the corresponding pushdown system.

10

configurations is (singly) exponential in k, membership in EXPTIME is not hard

to obtain. The practical difference between the NP/PSPACE-complete complexities of other sequentialization-based analyses is unclear; as sub-exponential time
algorithms are not known for NP problems, exponential time is spent in the
worst case, either way. Note however, that these complexity considerations are of
limited significance, since we target an arbitrary class of sequential programsnot
only programs with finite-data.

Global-Round Explorations

To understand the relationship between our bounded compositional exploration

and the existing sequentializable analyses, we proceed in two steps. First we
describe a restriction of our bounded semantics in which every task agrees on a
global notion of execution rounds, i.e., where each task executes (at most) one
uninterrupted segment per global round. Second we show that this restriction
captures and unifies the existing sequentializable analyses based on bounded
context-switch and bounded delay.
A k global-round execution of a program P is an asynchronous execution
of P where (i) each task executes in (up to) k uninterrupted segments called
roundswith the restriction that sub-tasks can only execute in, or after, the
round in which it is createdand (ii) the ith round of every task is executed before
the (i + 1)st round of any task, in the depth-first order over the task-creation tree;
see Fig. 7a. Thus we can view each task as executing across a grid of k rounds,
being interrupted k 1 times by the other tasks. With this view, each task can
be characterized by an interface consisting of 2k global state valuations: the k
global-state valuations seen by the task at the beginning of each round, and the
k global-state valuations seen at the end (as in Fig. 7a). A tasks interfaces are
computed by guessing the initial global-state valuation of each round, following
some number of sequential transitions, then nondeterministically advancing to
the next round, keeping the computed local state, but updating the global-state
to the next-guessed valuation. Given the interfaces for each task, sequentialization
of the k global-round schedules is possible, by a reduction that executes each task
once, according to the linear task-order, over a k-length vector of global-state
valuations. The k global-round semantics of P , written {|P |}kgr is the set of global
valuations reachable in a k global-round execution of P .
Though we have defined the global-round semantics w.r.t. the asynchronous
semantics, in fact we can restrict the k-bounded compositional semantics to
compute only k global-round interfaces. During construction of the j th roundsummary of the current task t, the export-list contains j 1 summaries (of rounds
1 . . . j 1) for t and its current sub-tasks, i.e., all descendants of ts thus-far
posted tasks. At the same time, the bag maintains a (k j + 1)-length list of
summaries accumulating the rounds j . . . k of ts current sub-tasks. Just before t
begins round j + 1, the accumulated summary of round j for ts current sub-tasks
is consumed, so that the exported summary of round j captures the effect of one
round of t, followed by one round of ts current sub-tasks. When t posts another
11

Bounded round (sub-) execution

Delay-bounded (sub-) execution

A

B
(a)

(b)

Fig. 7. (a) 3 global-round exploration, and (b) 4-delay exploration, for a program in
which task A creates B and E, and task B creates C and D. Each tasks interface (drawn
with dashed-lines) summarizes 3 uninterrupted computations (drawn with squiggly
arrows) of the task and all of its sub-tasks. Bold arrows connect global-state valuations,
and dotted arrows connect local-state valuations. Note that the 3-round exploration
allows each task 2 interruptions, while the 4-delay exploration allows all tasks combined
only 4 interruptions.

task ti (in round j), the k j + 1 summaries exported by ti note ti and its
descendants can only execute after round j of tare combined with the k j + 1
accumulated summaries of ts current sub-tasks.9 Thus when t completes round
k, each round i summarizes round i of t followed by round i of each sub-task of
t, in depth-first order, over the ordered task-creation tree of t.
Theorem 3. The k global-round semantics is subsumed by the k-bounded compositional semantics, i.e., for all programs P we have {|P |}kgr ( {|P |}kc .
In fact, our compositional semantics captures many more behaviors than k
global-round analyses. For example, many behaviors cannot be expressed in k
(global) rounds, though can be expressed by decoupling the rounds of different
tasks. Intuitively, the additional power of our compositional semantics is in
the ability to reuse the given bounded resources locally, ensuring only that the
number of visible resources at any point is bounded. The full version of this
paper [4] illustrates an example demonstrating this added analysis power.
Theorem 4. There exists a program P , k0 N, and a sequence g1 , g2 , . . .
{|P |}kc 0 of global-state valuations such that for all k N, gk
/ {|P |}kgr .
5.1

Context-bounding

In its initial formulation, the so-called context-bounded (CB) analyses explored

the asynchronous executions of a program with a fixed number of statically
9

Using the extension described at the end of Section 4, this combination does not
require additional bag space.

12

allocated tasks, with at most two context-switches between tasks [23]. Shortly
thereafter, Qadeer and Rehof [22] extended CB to explore an arbitrary bound k
of context-switches.
Later, Lal and Reps [20] proposed a linear round-robin task-exploration
order, and instead of bounding the number of context-switches directly, bounded
the number of rounds in an explored round-robin schedule between n tasks.
(It is easy to see that every k-context bounded execution with an unrestricted
scheduler is also a k-round execution with a round-robin scheduler.) With this
scheduling restriction, it becomes possible to summarize each task is execution
by an interface of k global-state valuation pairs, describing a computation that
is interrupted by tasks (i + 1), (i + 2), . . . , n, 1, 2, . . . , (i 1), k 1 times. In fact,
this schedule is just a special case of the k global-round exploration, restricted
to programs with a fixed number of statically-created tasks. La Torre et al. [17]s
subsequent extension of this k-round round-robin exploration to programs with
a parameterized amount of statically-created tasks is also a special case of k
global-round exploration, restricted to programs with an arbitrary number of
statically-created tasks.
To formalize this connection, let a static-task program be an asynchronous
program P which does not contain post statements, and an initial configuration
hg, h`, si , i is (resp., parameterized) static-task initial when s is of the form
post p1 (); ...; post pn ()

(resp., while ? do post p ()).

A k-round (resp., parameterized) CB execution of a static-task program P is

an asynchronous execution of P from a (resp., parameterized) static-task initial
configuration c0 , where the initially posted tasks are dispatched in a round robin
fashion over k rounds. The k-round (resp., parameterized) CB semantics of P ,
written {|P |}kcb (resp., {|P |}kcb ) is defined, as before, as the set of global valuations
reachable from c0 in a k-round (resp., parameterized) CB execution of P .
Theorem 5. The k-round (parameterized) CB semantics is equal to the k globalround semantics, i.e., for all static-task programs P we have {|P |}kcb() = {|P |}kgr .
5.2

Delay-bounding

Emmi et al. [8]s recently introduced delay-bounded (DB) exploration10 expands

on the capabilities of Lal and Reps [20]s k-round CB exploration with its ability
to analyze programs with dynamic task-creation (i.e., with arbitrary use of the
post statement). Like CB, the DB exploration considers round-based executions
with a linear task-exploration order, though with dynamic task-creation the order
must be defined over the task-creation tree; DB traverses the tree depth-first.
In fact, Emmi et al. [8]s delay-bounded semantics is a variation of the k globalround semantics which, for the same bound k, expresses many fewer asynchronous
executions. In essence, instead of allowing each task k1 interruptions, the budget
10

Since we are interested here in analyses amenable to sequentialization, we consider

only the depth-first delay-bounded task-scheduler [8].

13

of interruptions is bounded globally, over the entire asynchronous execution; see

Fig. 7b. It follows immediately that each task executes across at most k rounds,
in the same sense as in the k global-round semantics. Since the mechanism behind
delay-bounding is not crucial to our presentation here, we refer the reader to
Emmi et al. [8]s original work for the precise definition of k-delay executions. The
k-delay semantics of P , written {|P |}kdb is the set of global valuations reachable
in a k-delay execution of P .
Theorem 6. The k-delay semantics is subsumed by the k global-round semantics,
i.e., for all programs P we have {|P |}kdb {|P |}kgr .
However, like the separation between k-global round semantics and k bounded
semantics, there are families of behaviors that can be expressed with a fixed
number of global rounds, though cannot be expressed with a fixed number of
delays: for instance, behaviors which requires an unbounded number of tasks be
interrupted (once) cannot be expressed with any finite number of delays.
Theorem 7. There exists a program P , k0 N, and a sequence g1 , g2 , . . .
{|P |}kgr0 of global-state valuations such that for all k N, gk
/ {|P |}kdb .
5.3

Context-bounding vs. Delay-bounding

It follows from Theorems 5 and 6 that context-bounding simulates delay-bounding

on static-task programs. In fact, we can also show that delay-bounding simulates
context-bounding, for programs with a fixed number of tasks, by combining
Theorem 5 with the following theorem.
Theorem 8. For a fixed number n of tasks, the k global-round semantics is
subsumed by the nk-delay semantics, i.e., for all static-task programs P with
n-tasks we have {|P |}kgr {|P |}nk
db .
However, by Theorems 5 and 7, delay-bounding cannot simulate k-round
parameterized context-bounded executions, since no fixed number of delays can
express the unbounded number of potential context-switches.

Related Work

The technique of reducing a concurrent program behaviors to sequential program behaviors has garnered much attention in recent years. Based on the
notion of context-bounding [23, 22, 21], Lal and Reps [20] showed how to encode the bounded-round round-robin schedules of a concurrent program with
statically-allocated tasks as a sequential program. La Torre et al. [15] gave a more
efficient encodingin the sense that unreachable global-state valuations are never
exploredand later extended the approach to programs with an unbounded
number of statically-allocated tasks [17]. Emmi et al. [8] have recently extended
the basic insight of round-based scheduling to sequentialize programs with an
14

unbounded number of dynamically-created tasks. Empirical evidence suggests

such techniques are indeed useful for bug-finding [21, 19, 11, 17]. For a more
thorough comparison of these sequentializations, see Section 5.
Recently Kidd et al. [14] have shown how to sequentialize priority preemptive
scheduled programs, and Garg and Madhusudan [10] have proposed an overapproximating sequentialization, albeit by exposing task-local state to other tasks.
Both reductions assume a finite number of statically-declared tasks.
More generally, sequentialization could be seen as any linear traversal of
the task-creation tree. The sequentializations we consider here are restricted
to depth-first traversal, since they target sequential recursive programs, whose
unbounded structure is, in general, contained to the procedure stack; the stackbased data-structure used for the depth-first traversal can be combined with the
programs procedure stack. However, if one is willing to target other program
models, one can consider other task-tree traversals, e.g., breadth-first using queues,
or a completely non-deterministic traversal respecting the task-creation order,
keeping, for instance, a multiset of horizon tasks. Atig et al. [1, 2]s bounded
explorations of programs with dynamic task-creation, by reduction to Petri-net
reachability, are sequentializable in this sense.
Our characterization of sequentializability could also be relaxed to allow
the exchange of local-state valuations (or alternatively, unbounded sequences
of global-state valuations) between tasks. For instance, explorations based on
bounded languages [13, 9] take this approach, essentially restricting concurrent
exploration to inter-task interactions conforming to a regular pattern; then each
task is executed in isolation by taking its product with the pattern-automaton.
We simply note that the existing sequentializations avoid the (possibly expensive)
computation of such a product.

Conclusion

We have proposed a framework for parameterized and compositional concurrent program analysis based on reduction to sequential program analysis. Our
framework applies to a general class of shared-memory concurrent programs,
with arbitrary preemption and dynamic task-creation, and strictly captures the
known (round-based) sequentializations. It is our hope that this understanding will lead to further advances in sequential reductions, e.g., by enlightening
efficiently-encodable instances of the general framework.
Though we have unified the existing sequentializations while maintaining
their desirable qualities (i.e., sequential program model, compositionality, parameterization) by relaxing the global round-robin schedule, we are aware of
one remaining restriction imposed by our framework. Besides the round-robin
restriction imposed by the existing sequentializations, there is an implicit restriction imposed by translating task-creation directly to procedure calls: the
tasks created by a single task are visited in the order they are created. Though
further generalization is possible (e.g., by adding unbounded counters to the
target program), such reductions will likely lead to much more complex analyses.
15

Bibliography

[1] M. F. Atig, A. Bouajjani, and T. Touili. Analyzing asynchronous programs

with preemption. In FSTTCS 08: Proc. IARCS Annual Conference on
Foundations of Software Technology and Theoretical Computer Science,
volume 2 of LIPIcs, pages 3748. Schloss Dagstuhl - Leibniz-Zentrum fuer
Informatik, 2008.
[2] M. F. Atig, A. Bouajjani, and S. Qadeer. Context-bounded analysis for
concurrent programs with dynamic creation of threads. In TACAS 09: Proc.
15th International Conference on Tools and Algorithms for the Construction
and Analysis of Systems, volume 5505 of LNCS, pages 107123. Springer,
2009.
[3] T. Ball and S. K. Rajamani. The slam project: debugging system software
via static analysis. In POPL 02: Proc. 29th ACM SIGPLAN-SIGACT
Symposium on Principles of Programming Languages, pages 13. ACM,
2002.
[4] A. Bouajjani, M. Emmi, and G. Parlato. On sequentializing concurrent
programs. 2011. http://hal.archives-ouvertes.fr/hal-00597415/en/.
[5] S. Chaudhuri. Subcubic algorithms for recursive state machines. In POPL
08: Proc. 35th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 159169. ACM, 2008.
[6] P. Cousot and R. Cousot. Abstract interpretation: A unified lattice model
for static analysis of programs by construction or approximation of fixpoints.
In POPL 77: Proc. 4th ACM SIGACT-SIGPLAN Symposium on Principles
of Programming Languages, pages 238252. ACM, 1977.
[7] R. DeLine and K. R. M. Leino. BoogiePL: A typed procedural language
for checking object-oriented programs. Technical Report MSR-TR-2005-70,
Microsoft Research, 2005.
[8] M. Emmi, S. Qadeer, and Z. Rakamaric. Delay-bounded scheduling. In
POPL 11: Proc. 38th ACM SIGPLAN-SIGACT Symposium on Principles
of Programming Languages, pages 411422. ACM, 2011.
[9] P. Ganty, R. Majumdar, and B. Monmege. Bounded underapproximations. In CAV 10: Proc. 22nd International Conference on Computer Aided
Verification, volume 6174 of LNCS, pages 600614. Springer, 2010.
[10] P. Garg and P. Madhusudan. Compositionality entails sequentializability. In
TACAS 11: Proc. 17th International Conference on Tools and Algorithms
for the Construction and Analysis of Systems, LNCS. Springer, 2011.
[11] N. Ghafari, A. J. Hu, and Z. Rakamaric. Context-bounded translations
for concurrent software: An empirical evaluation. In SPIN 10: Proc. 17th
International Workshop on Model Checking Software, volume 6349 of LNCS,
pages 227244. Springer, 2010.
[12] B. Jannet and A. Mine. The Interproc analyzer. http://pop-art.
inrialpes.fr/interproc/interprocweb.cgi.

[13] V. Kahlon. Tractable dataflow analysis for concurrent programs via bounded
languages, July 2009. Patent WO/2009/094439.
[14] N. Kidd, S. Jagannathan, and J. Vitek. One stack to run them all: Reducing
concurrent analysis to sequential analysis under priority scheduling. In SPIN
10: Proc. 17th International Workshop on Model Checking Software, volume
6349 of LNCS, pages 245261. Springer, 2010.
[15] S. La Torre, P. Madhusudan, and G. Parlato. Reducing context-bounded
concurrent reachability to sequential reachability. In CAV 09: Proc. 21st
International Conference on Computer Aided Verification, volume 5643 of
LNCS, pages 477492. Springer, 2009.
[16] S. La Torre, P. Madhusudan, and G. Parlato. Analyzing recursive programs
using a fixed-point calculus. In PLDI 09: Proc. ACM SIGPLAN Conference
on Programming Language Design and Implementation, pages 211222. ACM,
2009.
[17] S. La Torre, P. Madhusudan, and G. Parlato. Model-checking parameterized concurrent programs using linear interfaces. In CAV 10: Proc. 22nd
International Conference on Computer Aided Verification, volume 6174 of
LNCS, pages 629644. Springer, 2010.
[18] S. K. Lahiri and S. Qadeer. Back to the future: revisiting precise program
verification using smt solvers. In POPL 08: Proc. 35th ACM SIGPLANSIGACT Symposium on Principles of Programming Languages, pages 171
182. ACM, 2008.
[19] S. K. Lahiri, S. Qadeer, and Z. Rakamaric. Static and precise detection of
concurrency errors in systems code using SMT solvers. In CAV 09: Proc.
21st International Conference on Computer Aided Verification, volume 5643
of LNCS, pages 509524. Springer, 2009.
[20] A. Lal and T. W. Reps. Reducing concurrent analysis under a context bound
to sequential analysis. Formal Methods in System Design, 35(1):7397, 2009.
[21] M. Musuvathi and S. Qadeer. Iterative context bounding for systematic
testing of multithreaded programs. In PLDI 07: Proc. ACM SIGPLAN
Conference on Programming Language Design and Implementation, pages
446455. ACM, 2007.
[22] S. Qadeer and J. Rehof. Context-bounded model checking of concurrent
software. In TACAS 05: Proc. 11th International Conference on Tools and
Algorithms for the Construction and Analysis of Systems, volume 3440 of
LNCS, pages 93107. Springer, 2005.
[23] S. Qadeer and D. Wu. KISS: Keep it simple and sequential. In PLDI 04:
Proc. ACM SIGPLAN Conference on Programming Language Design and
Implementation, pages 1424. ACM, 2004.
[24] T. W. Reps, S. Horwitz, and S. Sagiv. Precise interprocedural dataflow
analysis via graph reachability. In POPL 95: Proc. 22th ACM SIGPLANSIGACT Symposium on Principles of Programming Languages, pages 4961.
ACM, 1995.
[25] T. W. Reps, S. Schwoon, S. Jha, and D. Melski. Weighted pushdown systems
and their application to interprocedural dataflow analysis. Sci. Comput.
Program., 58(1-2):206263, 2005.
17