Bounded Context Switch Analysis of Multithreaded Programs...

Bounded Context Switch Analysis of MultithreadedPrograms with Dynamic Linked Structures

Ahmed Bouajjani1, Severine Fratani1, and Shaz Qadeer2

1 LIAFA, CNRS & University of Paris 7, {abou,fratani}@liafa.jussieu.fr2 Microsoft Research, Redmond, [email protected]

Abstract. Bounded context switch reachability analysis is an adequate and effi-cient approach for bug detection in multithreaded programs. We address in thispaper the application of this approach to the analysis of multithreaded programswith procedure calls and dynamic linked structures. We define a program seman-tics based on concurrent pushdown systems with visible heaps as stack symbols.(Visible heaps are the heap parts reachable from global and local variables.) Then,based on pushdown analysis techniques, we define an algorithm allowing, givena bound on the number of context switches, and a bound on the size of visibleheaps, to explore the whole configuration space reachable under these bounds.

1 IntroductionAutomated analysis software systems is a highly challenging problem. The behaviors ofsoftware systems may be quite complex and hard to predict due to various aspects suchas multithreading, memory management, procedure calls, etc. Reasoning about thesebehaviors requires considering potentially infinite sets of configurations and verifica-tion problems are obviously undecidable in general. Therefore, approaches based onapproximate analysis are needed. While upper approximations allow to establish thata property holds, under approximations allow to find bugs. In this paper, we proposealgorithmic (automata-based) techniques for under approximate analysis of multithreadprograms with procedure calls which can manipulate dynamic linked structures.

A simple way to get an under approximate analysis is to bound the depth of the ex-plored state space and use finite-state model checking techniques. This approach is in-teresting if bugs appear after a small number of computation steps (like is some classesof systems [5]). This is however not the case in general for multithreaded programs. Insuch a system processes interact through shared memory and are executed in alterna-tion according to some scheduling. Concurrency bugs can only appear after a numberof context switches, i.e, points in the execution where the active thread is stopped andanother one is resumed. Between context switches, a thread may execute an unboundednumber of computation steps (depending on the considered scheduling). Therefore, anatural approach for under approximate analysis of multithreaded program is to per-form a (precise) analysis for a bounded number of context switches [8]. It has beendemonstrated that this is indeed efficient for detecting bugs in multithread programssince they appear in many cases after a small number of context switches [6].

However, bounding the number of context-switches does not allow in general touse finite-state model checkers since each thread may be infinite-state, and unboundedcomputations are possible between context switches. This is the case, e.g., for pro-grams with procedure calls since each thread may have an unbounded stack. In [8, 2],

automata-based techniques for symbolic analysis of pushdown systems have been usedin order to define bounded context switch analysis of programs with finite data domains.In this paper, we consider the more general case of concurrent programs (with procedurecalls) which can create shared objects and manipulate pointers between them. Again, away to deal with this case is to reduce it to finite data case [8, 2] by fixing a bound onthe heap size. An idea which allows a much better coverage of the configuration spaceis to consider a bound on the visible heap at each computation step, i.e., the part of theheap which is reachable from the global variables and the local variables of the runningprocedure (of the active process). Indeed, a heap may have a bounded depth (i.e., its vis-ible parts are always bounded) but have an unbounded size due to unbounded nesting ofprocedure calls. However, defining an algorithm for bounded heap depth analysis is nottrivial for concurrent programs. In [9, 10, 7], the idea of considering visible heaps hasbeen used for the (interprocedural) analysis of sequential programs. Techniques usedin these works are based on procedure summarization and cannot be used for (boundedcontext switch) multithreaded programs since the (infinite) sets of stack configurationsreached by processes must be stored at each context switch. (Moreover, [9, 10] considerabstract semantics, with some restrictions on the class of programs, whereas we mustconsider an exact - sound and complete - semantics.) Nevertheless, the idea of visibleheaps can be used to define a program semantics where the heap is manipulated im-plicitly and not as a shared global structure: each procedure executed by some processmanipulates a local heap structure which is a copy of its visible heap. Therefore, in-formations about heaps become local, which leads to program models based on stackmachines where locally visible heaps constitute the (potentially infinite) stack alphabet.To simulate correctly the “real” heap, local views of procedures and processes must beexchanged at each procedure call/return and context switch. The manipulation of theselocal informations is quite delicate. We prove that our new semantics is correct andwe use it to define an automata-based symbolic analysis algorithm for bounded contextswitch/bounded heap depth analysis. (Proofs are given in Appendix C.)

2 Multithreaded Programs with Dynamic MemoryWe consider programs with multiple threads and procedure calls, which can dynami-cally create objects and manipulate pointers on these objects. More precisely, a sequen-tial program is given as a collection of control flow graphs, one graph for each of itsprocedures, defined by a set of control nodes N, and a set of transitions between thesenodes labeled with actions and tests on the memory heap (representing a set of objectsand their addresses in the memory) defined below. We assume that the control flowgraph of each procedure p has a unique initial control location np

init and a unique termi-nation location np

end reachable after executing a return action. A multithread programconsists of a parallel composition of a fixed number of sequential programs sharing theheap.

Let A be a countable (infinite) domain of memory addresses, and assume thatA contains a special element ⊥ representing the null address and a special element> representing an undefined address. Then, consider a class of objects where eachobject contains n successor fields s1, . . . ,sn ranging over the pointer domain A. LetS = {s1, . . . ,sn}. (We omit aspects related to data manipulation. Data values over finitedata domains can of course be encoded in the successor fields.)

We assume that a program has a set of global pointer variables G ranging overthe memory address domain A. These variables are shared by all parallel threads, andall procedures. Moreover, we consider that each procedure has a set of local pointervariables (also ranging over A). We assume w.l.o.g. that all the procedures have thesame set of local variables L. Given a (global/local) pointer variable v and a successorfield s ∈ S, we denote by v.s the pointer stored in the field s of the object pointed by v.This notation can be extended to sequences of successor fields σ ∈ S∗ in the obviousmanner. When σ is the empty sequence, we consider that v.σ is identical to v.

Programs can perform the following operations on heaps: v.σ := v′.σ′ (pointer as-signment), v.σ := null (pointer annihilation), and v.σ := new (object creation), wherev,v′ are pointer variables, and σ ∈ S∪ {ε}, σ′ ∈ S∗. They can also perform the fol-lowing tests: v.σ#v′.σ′ with # ∈ {=, 6=} (equality/disequality test). In addition, theycan perform the following actions: call(p,v1.σ1, . . . ,vm.σm) (procedure call with pa-rameters), and return (termination of a procedure call), where p is a procedure name,v1, . . . ,vm are pointer variables, and σ1, . . . ,σm ∈ S∗. The effect of executing a state-ment call(p,v1.σ1, . . . ,vm.σm) is to call the procedure p after initialization of its localvariables `1, . . . , `m with the pointer values v1.σ1, . . . ,vm.σm respectively where the vari-ables v1, . . . ,vm are either global variables or local variables of the calling procedure.

3 Program semantics3.1 Heaps as labeled graphs

A global heap is a finite directed graph where vertices correspond to memory addresses,edges are labeled by elements of S, and each element of G appears as a label of somevertex. Formally, a global heap is a tuple GH = (A,∆,Γ) where (1) A is a finite subsetof A containing ⊥ and >, (2) ∆ : S→ (A→ A) associates with each s ∈ S a successormapping, and (3) Γ : G→ A associates with a global variable g an object address. Weassume that ∀s ∈ S. ∆(s)(⊥) => and ∆(s)(>) =>, and ∀a ∈ A, ∆(s)(a) is defined.

Given σ = si1 · · ·sim ∈ S∗, we denote by ∆(σ) the mapping ∆(sim)◦· · ·◦∆(si1). Whenσ is the empty sequence, we consider that ∆(σ) is the identity mapping over A. Then,we define the reachability mapping to be Reach∆ =

Sσ∈S∗ ∆(σ).

Then, we consider that a heap is a global heap augmented by a mapping associatingwith each local variable an address. Formally, a heap is a pair H = (GH,Λ), whereGH = (A,∆,Γ) is a global heap and Λ : L→ A.

3.2 Programs as concurrent heap pushdown systems

We associate with multithreaded programs concurrent stack machines which act on a(global) shared heap. Assume that a program has m parallel processes. The behaviorof such concurrent stack machines is as follows: at each moment, there is one processwhich is running and has access to the heap through the global variables (shared byall processes), and its own local variables (due to procedure calls, the heap may beaccessible from the local variables of the currently running procedure, and also fromthe local variables of the pending procedure executions which are stored in the stackof the process). While this process is running, all the other parallel processes are in anidle mode waiting to be resumed. When a context switch occurs, the active process isinterrupted and some other one is resumed, becoming the new active process.

Sequential programs as stack machines: We associate with each given sequentialprogram (given by its control flow graph) a stack machine. The (infinite) stack alphabetΣ of this machine is the set of pairs 〈n,Λ〉, where n ∈ N and Λ ∈ [L→ A].

We consider in the sequel a transition relation op−−→ between heaps defining thesemantics of basic operations and tests (the definition is given in Appendix A). Then,a heap pushdown system (H-PDS) is a stack machine whose control states are globalheaps, the stack alphabet is Σ, and the (infinite) set of transition rules RG is defined bythe following inference rules:

n1op−−→n2 (GH1,Λ1)

op−−→(GH2,Λ2)(GH1,〈n1,Λ1)〉 ↪→ (GH2,〈n2,Λ2〉) ∈ R

HeapOp

n1call(p,v1.σ1,...,vm.σm)−−−−−−−−−−−−−→n2 Λ2 = Pass(GH1,Λ1,v1.σ1, . . . ,vm.σm)

(GH1,〈n1,Λ1〉) ↪→ (GH1,〈npinit ,Λ2〉〈n2,Λ1〉) ∈ R

Call

n return−−−−→nend

(GH1,〈n,Λ2〉〈n′,Λ1〉) ↪→ (GH1,〈n′,Λ1〉) ∈ RReturn

where Pass(GH1,Λ1,v1.σ1, . . . ,vm.σm) is the mapping `1 7→∆1(σ1)((Γ1∪Λ1)(v1)), . . . , `m 7→∆1(σm)((Γm∪Λm)(vm)) and ` 7→ > for all the other variables ` ∈ L.

Multithreaded programs as concurrent stack machines: We associate with a multi-threaded program with m parallel threads an m-dim concurrent heap pushdown system(CH-PDS). Control states are pairs (i,GH), where i ∈ [1,m] is the index of the activeprocess, and GH is a global heap. The stack alphabet is the set of pairs 〈n,Λ〉 wheren ∈ N is a node of the control flow graph, and Λ is a function from L to A. For everyi∈ [1,m], let Ri

G be the set of transition rules (defined above) associated with the processi. Then, the set of transition rules RG is constructed using the following inference rules:

(GH,ui) ↪→ (GH ′,u′i) ∈ RiG ∀ j 6= i. w j ∈ Σ

((i,GH), [w1, . . . ,ui, . . . ,wm]) ↪→ ((i,GH ′), [w1, . . . ,u′i, . . . ,wm]) ∈ RGLocal

i,k∈{1,...,m} i 6=k((i,GH), [w1, . . . ,wm]) ↪→ ((k,GH), [w1, . . . ,wm]) ∈ RG

Switch

Configurations and computation steps: A configuration of a m-dim CH-PDS is atuple ((i,GH), [u1, . . . ,um]) where i ∈ {1, . . . ,m} is the index of the active (pushdown)process, and u1, . . . ,um ∈ Σ∗ are the local configurations of each of the parallel pro-cesses, i.e., the contents of their stacks. Computation steps of a CH-PDS correspond toprefix rewriting operations applied in parallel on each of the components of the config-urations using the transition rules defined above: given a rule r = (s1, [u1, . . . ,um]) ↪→(s2, [u′1, . . . ,u

′m])∈RG, we define a transition relation⇒r between configurations s.t. for

every two configurations α1 and α2, we have α1 ⇒r α2 iff α1 = (s1, [v1, . . . ,vm]), andfor every j ∈ [1,m], there exists v′j ∈ Σ∗ s.t. v j = u jv′j and α2 = (s2, [u′1v′1, . . . ,u

′mv′m]).

Let⇒ be the union of all the relations⇒r for r ∈ RG.

Bounded heap depth programs: Let k ≥ 1. Let c = ((i,GH), [u1, . . . ,um]) be a con-figuration, where GH = (A,∆,Γ). Then, c is k-bounded iff for every 〈n,Λ〉 appearingin any ui, for any i ∈ {1, . . . ,m}, we have |Reach∆(Γ(G)∪Λ(L))| ≤ k. A program isk-bounded for a set of initial configurations C iff every⇒-reachable configuration fromC is k-bounded. A program has bounded heap depth if it is k-bounded for some k ≥ 1.

Notice that a heap with a bounded depth may have an unbounded size. Indeed, dueto unbounded nesting of procedure calls, it is possible to have an unbounded stack ofenvironments each of them pointing to a different but bounded part of the heap.

4 A program semantics based on local heap representationsWe define in this section a program semantics in terms of concurrent pushdown sys-tems. The difference with the previous semantics is that the heap is not manipulated asan explicitly represented, shared structure. Instead, the heap is manipulated implicitly:each procedure executed by some process manipulates a local heap structure which is acopy of the reachable part of the heap from its local and global variables. Therefore, in-formation about heaps become local, and we can associate with programs a model basedon stack machines where locally visible heaps constitute the stack alphabet. However,in order to simulate correctly operations on the “real” heap, procedures and processesmust exchange (pass/update) their local informations about the heap at each procedurecall/return and context switch. These manipulations of the local heaps are quite delicate.Let us give an informal description of the main ideas behind them.

Consider first the case of a sequential program. At each procedure call, the callerpasses to the callee a copy of its local heap (or a part of it). At the return of the call, thecallee gives back its new local heap (the last one before termination) to the caller whichupdates accordingly its own local heap (corresponding to situation just before the call).To perform correctly these caller/callee communications, a relation between vertices indifferent copies of a same piece of the “real” heap must be maintained (relating verticeswhich are copies of each other, representing the same address in the heap). Moreover,since pointer manipulation may disconnect some vertices from the visible part of aprocedure during its execution, the deletion of these vertices from the local structurecan be problematic since these vertices may still be relevant for further executions ofcaller procedures (pending in the stack). To handle this situation, we introduce a notionof cut points: when a heap is passed from the caller to the callee, cut points represent thefirst vertices in the visible part by the callee which are reachable from the caller or fromother procedures in the stack. Then, during the execution of the procedure, a vertex canbe removed from the locally visible heap only if it becomes unreachable from the localvariables, the global variables, and the cut points.

In the case of parallel programs, an additional but similar mechanism has to beintroduced for passing/updating locally visible heaps at context switches. Intuitively,parallel processes synchronize their views of the heap at each context switch. The activeprocess passes its local heap to all of the other processes which can update their localheaps accordingly (taking into account the modifications on the heap performed by theactive process while they were idle). For that, the active process must maintain in itscontrol state (a global state for all its procedures) a relation between its current localheap and its initial local heap (at the context switch) allowing to determine for each

vertex in the old local heaps whether it has a copy in the local heap returned by theactive process. Also, to deal with vertex deletion, it is necessary to extend the use of cutpoints by considering the reachable vertices from the stacks of each process (in fact,each process needs to distinguish his own cut points from the others).

We prove that the new semantics is correct (sound and complete) w.r.t. the originalsemantics (in section 3) in the sense that they define bisimilar transition systems. Animportant property allowing to prove this fact is that isomorphism between locally vis-ible heaps preserves bisimilarity (i.e., substitution of isomorphic local heaps does notmodify behaviors). This holds because the performed operations and tests on the heapsdo not refer to the precise values of the addresses. (Notice that there is an infinite num-ber of isomorphic heaps of a same size since the address domain is infinite). Then, weconsider a normalization operation for visible heaps which associates to each of theman equivalent heap modulo isomorphism, and we prove that the semantics based onnormalized visible heaps is also correct w.r.t. the original semantics. Our normalizationoperation matches all the isomorphic visible heaps to a finite number of representatives(we do not have a unique representative due to the presence of cut points). Therefore,for sequential programs, our pushdown model construction terminates for bounded heapdepth programs. For concurrent programs, the construction terminates for a finite num-ber of a context switches (and a bounded heap depth).

We give hereafter our construction and state its correctness. Examples are given inAppendix B and correctness proofs are given in Appendix C.

4.1 Locally visible heaps

A cut heap is a tuple CH = (A,∆,Γ,Λ,−→C ) where (A,∆,Γ,Λ) is a heap and

−→C ∈ (2A)m

is a vector of sets of cut points. For each i ∈ {1, . . . ,m}, −→C (i) is the set of cut pointsreachable from the local environments (of the pending procedure executions) stored inthe stack of the process i. Then, a visible heap is a cut heap such that A = Reach∆(Γ(G)∪Λ(L)∪

Smi=1−→C (i)∪{⊥}), i.e., it is a cut heap without garbage. We define an operation

of garbage elimination allowing to obtain a visible heap from a cut heap: given a cutheap CH = (A,∆,Γ,Λ,

−→C ), the visible heap Clean(CH) is given by (A′,∆′,Γ,Λ,

−→C )

where A′ = A∩Reach∆(Γ(G)∪Λ(L)∪Sm

i=1−→C (i)∪{⊥}) and ∀s ∈ S. ∆′(s) = ∆(s)|A′ .

We define an equivalence relation ' between visible heaps which is essentiallygraph isomorphism modulo renaming of vertices. Let V H1 = (A1,∆1,Γ1,Λ1,

−→C1) and

V H2 = (A2,∆2,Γ2,Λ2,−→C2) be two visible heaps and let β : A1 → A2 be a bijection s.t.

β(>) = > and β(⊥) =⊥. Then, V H1 'β V H2 iff (i) ∀s ∈ S. ∀a ∈ A1. β(∆1(s)(a)) =∆2(s)(β(a)), (ii) ∀v ∈ G. Γ2(v) = β(Γ1(v)), and ∀v ∈ L. Λ2(v) = β(Λ1(v)), and (iii)∀i∈ [1,m],

−→C2(i) = {β(c) : c∈−→C1(i)}. Then, V H1'V H2 if there is a β s.t. V H1'β V H2.

4.2 Visible heap transformations

Basic operations and test: We extend the transition relation op−−→ defined previouslyon heaps to a relation between visible heaps which also informs about the correspon-dence between the vertices in the original and the final heaps. Let V H1 = (H1,

−→C1),

and V H2 = (H2,−→C2) be two visible heaps. Then, for every function π : A×A, we have

V H1op−−→π V H2 iff there exists a heap H ′2 s.t. H1

op−−→H ′2 and Clean(H ′2,−→C1)'π V H2.

Heap passing from the caller to the callee (at procedure calls): Let us consider thecase of a procedure call. Let i ∈ [1,m] be the index of the active sequential process, letV H = (A,∆,Γ,Λ,

−→C ) be the visible heap of the caller procedure, and let v1.σ1, . . . ,vk.σk

be the effective parameters which must be assigned respectively to the local variables`1, . . . , `k of the called procedure (considered as its formal parameters). The visible heappassed to the callee procedure (of the process i) is obtained as follows: (1) construct firstthe cut heap CutPassi(V H) which is a copy of V H, where local variables of the calleeprocedure are assigned with their new values, and local variables of the caller procedureare memorized as cut points, (2) then determine the new vector of sets of cut points:cut points of processes j 6= i stay unchanged, cut points of the process i are the firstaddresses reachable from cut points of CutPassi(V H) in the sub-heap correspondingto reachable addresses from the new local variables, the global variables, and the cutpoints of all processes, (3) finally remove the garbage of CutPassi(V H) according tothe new set of cut points.

Formally, let CutPassi(V H, [`1,v1.σ1], . . . , [`k,vk.σk]) be the cut heap (A,∆,Γ,Λ′,−→C′)

where (1) Λ′ is the mapping `1 7→∆(σ1)((Λ∪Γ)(v1)), . . . , `k 7→∆(σk)((Λ∪Γ)(vk)), and` 7→ > for all other variables ` ∈ L, (2) ∀ j ∈ {1, . . . ,m}, j 6= i, we have

−→C′( j) =

−→C ( j),

and (3)−→C′(i) =

−→C (i)∪Λ(L).

Let CH = (A,∆,Γ,Λ,−→C ) be any cut heap. Then, let A′ = Reach∆(Γ(G)∪Λ(L)∪S

j 6=i−→C ( j)), and let ∆′ be the restriction of ∆ to vertices in A′. We define Visiblei(CH)

to be the visible heap Clean(A,∆,Γ,Λ,−→C′) where for every j ∈ [1,m], j 6= i, we have

−→C′( j) =

−→C ( j), and

−→C′(i) = (A′∩Reach∆(

−→C (i)))\∆′(S)(Reach∆(

−→C (i))).

The set A′ is the visible part of the heap from local and global variables and fromcut points in

−→C ( j), for j 6= i. The set

−→C′(i) contains the first vertices in A′ which

are ∆-reachable from−→C (i). The cleaning operation removes all vertices which are ∆-

reachable only from−→C (i), i.e., the set of vertices in Visiblei(CH) is precisely A′.

Finally, let Passi(V H, p,v1.σ1, . . . ,vk.σk) be the set of pairs (V Hπ,π) such thatVisiblei(CutPassi(V H, [`1,v1.σ1], . . . , [`k,vk.σk]))'π V Hπ.

The injective relation π allows to relate addresses in the new visible heap with ad-dresses in the visible heap of the caller. It is used to update the heap of caller aftertermination of the callee procedure.

Heap passing from the callee to the caller (at procedure returns): We consider nowthe case of a procedure return in a process of index i. Given the current visible heap V H2of the terminating procedure and the visible heap V H1 of the caller procedure stored inthe stack, we define an operation updating V H1 according to the effect of the procedurecall on the heap.

Let π2 ⊆ A1×A2 be an injective relation giving the correspondence between thevertices of V H1 and V H2 (i.e., if (a1,a2)∈ π and (a′1,a2)∈ π, then a1 = a′1). We supposethat A1∩A2 = {>,⊥}. Then, let B1 = {a ∈ A1 : 6 ∃a′ ∈ A2. (a,a′) ∈ π2}, let B2 = {a ∈A1 : ∃a′ ∈ A2. (a,a′) ∈ π2}, and let B3 = {a′ ∈ A2 : 6 ∃a ∈ A1. (a,a′) ∈ π2}.

Intuitively, B1 is the set of vertices in A1 such that either they were not reachablein the initial visible heap passed to the called procedure, and therefore they should be

restored in the heap of the caller procedure after the call return, or they became invisibleduring the call execution due to garbage deletion and therefore they should not appear inthe heap after the call return since they were not reachable from cut points. (We explainbelow how to get rid of the vertices in this second category). Vertices in B2 are thosewhich were present before the call, and which are still present after termination of thecall. Finally, B3 is the set of the created vertices during the call.

It can be easily seen that these three sets are disjoint. Moreover, we have B3 ∪π2(B2) = A2. Let us consider the bijection β : A2 → B2 ∪ B3 defined in the obviousway (for every a ∈ A2, if a ∈ B3 then β(a) = a, otherwise β(a) = π2

−1(a)).Let A′1 = B1 ∪B2 ∪B3, and Returni(V H1,V H2,π2) = (A′1,∆

′1,Γ′1,Λ

′1,−→C′1) be a cut

heap such that (1) ∀g ∈ G. Γ′1(g) = β(Γ2(g)), (2) for all ` ∈ L, Λ′1(`) = Λ1(`), (3)−→C1′(i) =

−→C1(i) and ∀ j 6= i,

−→C′1( j) = β(

−→C2( j)), and (4) for every s ∈ S, we have: (i)

∀a ∈ B1. ∆′1(s)(a) = ∆1(s)(a), (ii) ∀a ∈ B2. ∆′1(s)(a) = β(∆2(s)(π2(a))), and (iii) ∀a ∈B3. ∆′1(s)(a) = β(∆2(s)(a)).

We can now define the updating operation. Let V H1 and V H2 be two visible heapsand π2 ⊆ A1×A2 be an injective relation giving the correspondence between the ver-tices of V H1 and V H2. We suppose that A1 ∩A2 = {>,⊥} (otherwise, instead of V H2and π2, consider a new visible heap V H ′2 and π2 ◦ β for some β such that V H2 'β

V H ′2). Then, we define Update-seqi(V H1,V H2,π2) to be the set of pairs (V Hπ,π) whereClean(Returni(V H1,V H2,π2))'π V Hπ.

Notice that (1) the cleaning operation removes the vertices of A1 which were garbagecollected during the procedure call, and (2) for every V H ′2, and every β s.t. V H2'β V H ′2,Update-seqi(V H1,V H2,π2) = Update-seqi(V H1,V H ′2,π2 ◦β).

Proposition 1. For every pair (V H2,π2) ∈ Passi(V H1, p,v1.σ1, . . . ,vm.σm)), and forevery (V H ′1,π

′) ∈ Update-seqi(V H1,V H2,π2), we have V H ′1 'V H1.

Heap updating at context switch: Finally, consider the case of a context switch. As-sume that process i was the last active process and let V Hi = (Ai,∆i,Γi,Λi,

−→Ci ) be its

last visible heap. At the context switch, process i communicates to all the other ones(which were idle) informations about the new heap configuration. For that, the partwhich is shared by all processes is extracted from V Hi and passed to them. Then, eachprocess j 6= i updates accordingly its old visible heap (which corresponds to the heapconfiguration at the previous context switch) before the next active process starts itscomputation. Roughly speaking, this operation is similar to a composition of the twoprevious operations.

Formally, we define Sharedi(V Hi) to be the visible heap V H ′i = (A′i,∆′i,Γ′i,Λ′i,−→C′i ) =

Visiblei(CutPassi(V Hi,∀` ∈ L. [`,>])).Notice that we remove from Ai only vertices that are reachable from local variables

in L or from cut points in−→Ci (i), but which are not reachable from global variables, nor

from cut points. These vertices are not visible from other threads and therefore they donot belong to the shared part of the heap. The cut points in

−→C′i (i) allow to know which

vertices in the shared part are reachable from local variables in the stack of the currentthread. The removed vertices will be added to the heap when the current process willresume later. This is done by an updating operation described below.

Let j ∈ [1,m], let V H j = (A j,∆ j,Γ j,Λ j,−→C j) be the visible heap of the process j, and

suppose Π ⊆ A j×A′i is an injective relation connecting vertices in V H j with verticesin Sharedi(V Hi). We suppose that Ai∩A j = {>,⊥} (otherwise, instead of V H j and Π,consider V H ′j and Π ◦β for some β such that V H j 'β V H ′j). Then, let B2 = {a ∈ A j :∃a′ ∈ A′i. (a,a′) ∈ Π}, and let B3 = {a′ ∈ A′i : 6 ∃a ∈ A j. (a,a′) ∈ Π}. These sets aredisjoint and we have B3 ∪Π(B2) = A′i. Then, consider the bijection β j : A′i → B2 ∪B3defined in the obvious way (for every a∈A′i, if a∈B3 then β j(a) = a, otherwise β j(a) =Π−1(a)).

Let j 6= i, let (A′j,∆′j,Γ′j,Λ′j,−→C′j) = Return j(V H j,V H ′i ,Π), and let

−→C be the vector

fulfilling−→C (k)=

−→C j(k) for k 6= i and

−→C (i)= β j(

−→C′i (i)). Then, Update-par j(V H j,V Hi,Π)

is defined to be the set of all (V H ′j,π,Π j) such that (1) Clean(A′j,∆′j,Γ′j,Λ′j,−→C )'π V H ′j,

and (2) Π j = π−1 ◦β−1j . Moreover, for every mapping Πi : A→ A, we define Update-

pari(V Hi,V Hi,Πi) to be the set of all (V H ′i ,π,π−1) such that V Hi 'π V H ′i .

4.3 Programs as concurrent pushdown systems

Pushdown systems for sequential processes: We define an environment to be a tuplee = 〈n,V H,π〉where n∈N, V H is a visible heap, and π⊆A×A is an injective function(π relates vertices in the current visible heap V H with vertices in the heap of the callerprocedure). Let V be the set of all environments.

Then, we associate with each sequential process a visible heap pushdown system(VH-PDS) which is a stack machine whose stack alphabet is V and whose control statesare injective functions from A to A. These functions are used to maintain a link betweenthe current visible heap of the running sequential process and its initial visible heapsince its last activation (at the initial configuration of the system or at the last contextswitch). This information is needed at the next context switch for updating the visibleheaps of the idle processes. (Informations in control states can be omitted in the case ofa purely sequential program.) Let i be an index of process, the (infinite) set Ri of localtransition rules of the system is defined by the following inference rules:

n1op−−→n2 V H1

op−−→π V H2

(Π,〈n1,V H1,π1〉) ↪→ (Π◦π,〈n2,V H2,π1 ◦π〉) ∈ RHeapOp

n1call(p,v1.σ1,...,vm.σm)−−−−−−−−−−−→n2

(V H2,π2) ∈ Passi(V H1, p,v1.σ1, . . . ,vm.σm)

(Π,〈n1,V H1,π1,〉) ↪→ (Π◦π2,〈npinit ,V H2,π2〉〈n2,V H1,π1〉) ∈ R

Call

n return−−−−→nend (V H ′1,π′) ∈ Update-seqi(V H1,V H2,π2)

(Π,〈n,V H2,π2〉〈n′,V H1,π1〉) ↪→ (Π◦π′,〈n′,V H ′1,π1 ◦π′〉) ∈ RReturn

Concurrent pushdown systems for multithreaded programs: We associate with amultithreaded program with m parallel threads an m-dim concurrent visible heap push-down system (CVH-PDS). The stack alphabet is V, and the (infinite) set of control statesis S = {(i,−→Π) | i∈ [1,m],

−→Π = (

−→Π(1), . . . ,

−→Π(m)),

−→Π( j) : A−→A}. For every i∈ [1,m],

let Ri be the set of local transition rules associated with the process of index i (definedabove). Then, the set of transition rules R of the whole system is given by:

(−→Π(i),γi)↪→(Π′i,γ

′i)∈Ri ∀ j 6=i. w j∈V

−→Π′=(

−→Π(1),...,Π′i,...,

−→Π(m))

((i,−→Π), [w1, . . . ,ui, . . . ,wm]) ↪→ ((i,

−→Π′), [w1, . . . ,u′i, . . . ,wm]) ∈ R

Local

i,k∈{1,...,m} i 6=k ∀ j∈{1,...,m}. w j=〈n j,V H j,π j〉

∀ j∈{1,...,m}. (V H ′j,π′j,Π j)∈Update-par j(V H j,V Hi,

−→Π( j)◦−→Π(i))

∀ j∈{1,...,m}. w′j=〈n j,V H ′j,π j◦π′j〉

((i,−→Π), [w1, . . . ,wm]) ↪→ ((k,(Π1, . . . ,Πm)◦Πk

−1), [w′1, . . . ,w′m]) ∈ R

Switch

with the convention−→Π ◦π = (

−→Π(1)◦π, . . . ,

−→Π(m)◦π).

Configurations and computation steps: A configuration of a CVH-PDS is a tuple((i,−→Π), [v1, . . . ,vm]) ∈ S× [V∗]m where i ∈ {1, . . . ,m} is the index of the active process,

and v1, . . . ,vm ∈ V∗ are the local configurations of all the processes. Let C be the set ofall configurations.

Given r = ((i1,−→Π1), [u1, . . . ,um]) ↪→ ((i2,

−→Π2), [u′1, . . . ,u

′m]) ∈ R , let 7→r⊆ C×C be

the relation s.t. a 7→r a′ iff (1) a = ((i1,−→Π1), [v1, . . . ,vm]) and (2) ∀k ∈ [1,m], ∃v′k ∈ V∗.

Let 7→ be the union of the relations 7→r, for all r ∈ R .Let 7→loc (resp. 7→sw) be the union of all relations 7→r where r is a Local rule (resp.

Switch rule), and let 7→ be the union of all the relations 7→r, for r∈R . Then, we considerthe relation ; = 7→∗loc ◦ 7→sw. For each K ≥ 1, the relation ;K (Kth power of ;)corresponds to 7→-reachability with K−1 context switches (or K consecutive contexts).

Configuration isomorphism and correctness: We extend the equivalence relation' defined on visible heaps to environments in V: we consider that 〈n1,V H1,π1〉 'β

〈n2,V H2,π2〉 iff (1) n1 = n2, and (2) β is a bijection from A1 to A2 such that V H1'β V H2and π2 = π1 ◦β. Given two environments e1, e2, we write e1 ' e2 iff there exists β suchthat e1 'β e2. We extend this equivalence relation to sequences of environments in theobvious manner (e1 · · ·e j ' e′1 · · ·e′k iff j = k and for every i ∈ [1, j], ei ' e′i).

Finally, we extend ' to configurations: let b = ((i,−→Π), [e1ζ1, . . .emζm]) and b′ =

(( j,−→Π′), [e′1ζ′1, . . . ,e

′mζ′m]) be two configurations. Then, b ' b′ iff i = j, for every k ∈

[1,m], ζk ' ζ′k, and there exists πk : A→ A s.t. e′k 'πk ek and−→Π′(k)◦πk =

−→Π(k).

Proposition 2. For every configurations b0,b,b′, if b0 7→∗ b and b′ ' b, then b0 7→∗ b′.

We prove that given a multithreaded program, its associated CH-PDS and CVH-PDS are bisimilar. For that, we exhibit a bisimulation relation between configurationsof the two systems. Intuitively, this relation maps a configuration of the CVH-PDS to a

configuration of the CH-PDS by applying the updating operations through the configu-ration. (Indeed, visible heaps stored in the stacks of the CVH-PDS model are not up todate since they correspond to views of the heap at the moment of their memorization.)

Theorem 1. The relations⇒ and 7→ define bisimilar transition systems.

4.4 A program semantics based on normalized visible heaps

Normalized visible heaps: Visible heaps in normal form are obtained by numberingnodes according to a depth-first traversal of the heap, for a given ordering of global andlocal variables, and the fixed order on the successor fields {s1, . . . ,sn}.

Let us consider a bijection η : L∪G→ [1, |L∪G|]. Then, given an environment〈n,V H,π〉 with V H = (A,∆,Γ,Λ), we define the class [[〈n,V H,π〉]]

ηto be the set of all

environments 〈n,V H ′,π ◦β〉 with V H ′ = (A′,∆′,Γ′,Λ′) such that (1) V H 'β V H ′, (2)A′ = [1, |A|], (3) in the graph (V,∆′∩V 2), where V = Reach∆′(Λ′(L)∪Γ′(G)), verticescorrespond to the depth-first-traversal induced by the order η on root nodes (and thefixed order on successor fields labeling the edges of the graph).

Notice that, if all vertices in V H are reachable from L∪G, then [[〈n,V H,π〉]]η

con-tains a single element. Otherwise, there must be cut points (and may be other verticesreachable from them) which are not reachable from L∪G. Then, [[〈n,V H,π〉]]

ηcontains

in that case environments (with identical reachable parts from L∪G) corresponding todifferent permutations of the vertices reachable from cut points but not from L∪G.

Proposition 3. For every η, if V H is finite, then [[〈n,V H,π〉]]η

is finite.

Concurrent pushdown systems on normalized visible heaps: Let us fix η. We definea program semantics where visible heaps are considered modulo the η-equivalence.Let Vη be the set of all [[e]]

η, for e ∈ V. We consider the set of transition rules Rη

corresponding to the restriction of the set R to the alphabet Vη:

Rη = {((i,−→Π), [α1, . . . ,αm]) ↪→ (( j,−→Π′), [α′1, . . . ,α

′m]) ∈ R | ∀ j, α j,α

′j ∈ Vη

∗}.

Let Cη be the set of all configurations ((i,−→Π), [α1, . . . ,αm]) such that ∀ j, α j ∈Vη

∗.Then, let 7→r,η be the restriction of the transition relation 7→r to configurations in Cη

Let 7→η be the union of the relations 7→r,η for all transition rules r. The relations 7→loc,η,7→sw,η, and ;η are also defined as previously in terms of the restricted relations 7→r,η.

Theorem 2. The relations 7→ and 7→η define bisimilar transition systems.

5 Bounded context switch/heap depth reachability analysis5.1 Bounded visible heap depth programs

Let k be a positive integer. A visible heap V H = (A,∆,Γ,Λ,C) is k-bounded if (1)|Reach∆(Λ(L)∪Γ(G))| ≤ k, and (2) ∀i ∈ {1, . . . ,m}. |Reach∆(C(i))| ≤ k. Notice thatk-boundedness does not imply that |A| ≤ k since there may exist vertices which arereachable from cut points but not from local/global variables. Then, a sequence of en-vironments 〈n1,V H1,π1〉 . . .〈n j,V H j,π j〉 is k-bounded iff ∀i ∈ [1, j], V Hi is k-bounded.A configuration ((i,

−→Π), [α1, . . . ,αm]) is k-bounded iff ∀ j ∈ [1,m], α j is k-bounded.

Theorem 3. Given k ≥ 1, for every k-bounded⇒-computation in the CH-PDS modelof a program there is a bisimilar k-bounded 7→-computation in its CVH-PDS model.

5.2 Bounded heap depth reachability analysis of sequential programs

We extend to VH-PDS the automata-based construction of post∗/pre∗ images for push-down systems (see, e.g., [1, 4, 3]). We assume in the sequel that visible heaps are innormal form according to some fixed ordering η on local and global variables. Sets ofconfigurations are recognized by finite-state automata over the alphabet of normalizedenvironments called Conf-automata. More precisely, initial states in these automatacorrespond to mappings Π, and edges are labeled by elements of Vη. Then, a configu-ration (Π,α) is accepted by the automaton if starting from the initial state Π there is anaccepting run for the sequence α ∈ V∗η.

Given k ≥ 1, and a regular set of k-bounded (local) configurations recognized by aConf-automaton A , we apply a saturation based algorithm Closureη(A ,k) which con-structs a sequence of Conf-automata with increasing languages, each of them beingobtained from the previous one using one of the transition rules of the pushdown sys-tem. The difference here with the existing constructions for pushdown systems is thatthe stack alphabet of the built automata may increase at each step. Therefore, we restrictthe construction to the k-bounded environments. Then, by Proposition 3 the algorithmterminates and produces a finite Conf-automaton representing all reachable configu-ration by k-bounded 7→η-computations, which is a subset of the set of all reachableconfigurations from L(A) (by Theorems 1 and 2), and which contains the set of allreachable configurations by k-bounded⇒-computations (by Theorem 3).

5.3 Reachability analysis of concurrent programs

In order to present our reachability analysis algorithm, we need to introduce some def-initions and notations: A special Conf-automaton is a Conf-automaton for which thereexists a pair (Π,e) such that, for every local configuration (Π′,α) ∈ L(A), Π′ = Π andthere exists α′ ∈ V∗η such that α = eα′, i.e., all words accepted by A start with (Π,e).The pair (Π,e) is then denoted A . An aggregate is a tuple (A1, . . . ,Am) of special Conf-automata. Such an aggregate defines the set of global configurations L(A1, . . . ,Am) ={((i,−→Π), [α1, . . . ,αm]) : i ∈ [1,m],∀ j ∈ [1,m]. (

−→Π( j),α j) ∈ L(A j)}. A finite set of ag-

gregates defines the union of the languages defined by all its elements.Given a Conf-automaton A and (Π,e) with e ∈ Vη, let A(Π,e) be an automaton

recognizing the language L(A)∩ (Π× eVη∗). Clearly, A(Π,e) is a special automaton.

Given (Π,e) and a special automaton A , we denote by (Π,e)�A the special automatonrecognizing the language {(Π,eα) | (Π′,e′α) ∈ L(A)}, i.e., the language of A wherethe first symbol of every word is replaced by e and the initial state is replaced by Π.

Without loss of generality, we consider that the reachability analysis starts from asingle initial configuration where the heap is empty and all pointer variables are equalto null. To define this configuration, for every i∈ [1,m], let A i

/0be the special automaton

recognizing the (singleton) language {(Id{>,⊥},〈niinit ,V H/0, Id{>,⊥}〉)}, where ni

init is

the entry node of the main procedure of process i, and V H/0 = ({>,⊥},∆>,Γ⊥,Λ⊥,−→/0 )

with ∆> being the function mapping> to each address for all successor fields, Γ⊥ (resp.

Input: An m-dim CVH-PDS, and two integers K,k ≥ 1Output: The set of reachable configurations by k-bounded ;K

η -computations.

1 Reach← /0;2 for all i ∈ {1, . . . ,m}3 todo←{(0, i,A1

/0, . . . ,Am

/0)};

4 while todo 6= /0 do5 pop (level, i,A1, . . . ,Am) from todo with minimal level;6 if level = K then7 Reach← Reach∪{(A1, . . . ,Am)};8 else9 let Bi = Closureη(Ai,k) in

10 for all (Π,e′i) such that L(B(Π,e′i)i ) 6= /0

11 for all j ∈ {1, . . . ,m} such that j 6= i12 for all (v1, . . . ,vm) ∈ Updatei, j(A1, . . . ,(Π,e′i), . . . , Am)

13 todo← (level +1, j,v1 �A1, . . . ,vi �B(Π,e′i)i , . . . ,vn �Am);

14 return Reach

Fig. 1. Algorithm for bounded context-switch/heap depth reachability on CVH-PDS.

Λ⊥) being the functions mapping ⊥ to each global (resp. local) variable, and−→/0 being

the vector of functions mapping an empty set of cut points to each process.Finally, given v1, . . . ,vm such that for every ` ∈ [1,m], v` = (

−→Π(`),e`), and given

i, j ∈ [1,m], i 6= j, we denote by Updatei, j(v1, . . . ,vm) the set of tuples (v′1, . . . ,v′m)

such that: (1) for every ` ∈ [1,m], v′` = (−→Π′(`),e′`), and (2) ((i,

−→Π), [e1, . . . ,em]) ↪→sw

(( j,−→Π′), [e′1, . . . ,e

′m]), where ↪→sw refers to the Switch inference rule.

We are now ready to present our bounded reachability analysis algorithm given inFigure 1. The input is a CVH-PDS, the bound on context switches K, and the bound onthe size of visible heaps k. The algorithm computes (in Reach) the set of all reachableconfigurations by k-bounded ;η

K-computations: A set of tasks is maintained in a struc-ture todo. A task is a triple (`, i,A) where ` is the number of context switches done sofar, i is the index of the process chosen to be active, and A is an aggregate. Initially, todocontains the initial configuration of the program with all possible starting active process(lines 2-3). Then, the treatment of a task is as follows: if ` has already reached K then Ais added to Reach (lines 6-7). Otherwise, the set of reachable k-bounded configurationsfrom A by process i is computed (line 9), and then new tasks are produced correspond-ing to all possible context switches from i to some other process j (lines 10-13). Forthat, a case splitting is performed according to all possible visible heaps reached byprocess i (line 10), corresponding to head environments of its possible stacks. Then, thelocal heaps of all processes are updated, and tasks (where ` is incremented) are definedfor all possible next active processes j 6= i (lines 11-12) and added to todo (line 13).

References

1. A. Bouajjani, J. Esparza, and O. Maler. Reachability analysis of pushdown automata: Appli-cation to model-checking. In CONCUR’97. LNCS 1243, 1997.

2. A. Bouajjani, J. Esparza, S. Schwoon, and J. Strejcek. Reachability analysis of multithreadedsoftware with asynchronous communication. In FSTTCS’05. LNCS 3821, 2005.

3. J. Esparza, D. Hansel, P. Rossmanith, and S. Schwoon. Efficient algorithms for model check-ing pushdown systems. In CAV’00. LNCS 1855, 2000.

4. A. Finkel, B. Willems, and P. Wolper. A direct symbolic approach to model checking push-down systems. Electr. Notes Theor. Comput. Sci., 9, 1997.

5. P. Godefroid. Model checking for programming languages using Verisoft. In POPL’97.ACM, 1997.

6. M. Musuvathi and S. Qadeer. Iterative context bounding for systematic testing of multi-threaded programs. In PLDI’07. ACM, 2007.

7. S. Qadeer and S. Rajamani. Deciding assertions in programs with references. TechnicalReport MSR-TR-2005-08, Microsoft Research, September 2005.

8. S. Qadeer and J. Rehof. Context-bounded model checking of concurrent software. InTACAS’05. LNCS 3440, 2005.

9. N. Rinetzky, J. Bauer, T. Reps, M. Sagiv, and R. Wilhelm. A semantics for procedure localheaps and its abstractions. In POPL’05. ACM, 2005.

10. N. Rinetzky, M. Sagiv, and E. Yahav. Interprocedural shape analysis for cutpoint-free pro-grams. In SAS’05. LNCS 3672, 2005.

A Basic operations and tests

We give here a formal definition of the transition relation defining the semantics of basicoperations and tests on heaps. Let H1 = (A1,∆1,Γ1,Λ1) and H2 = (A2,∆2,Γ2,Λ2) betwo heaps, and let op be a heap operation. Suppose G∩L = /0, and let Θi : G∪L→ Ai,(i ∈ {1,2}) be the function that coincides with Γi on G, and coincides with Λi on L.Then,

– op = v := v′.σ′ and A1 = A2, and ∆2 = ∆1 and Γ2 and Λ2 coincide respectively withΓ1 and Λ1 except that Θ2(v) = ∆1(σ′)(Θ1(v′)),

– op = v.s := v′.σ′ and Θ1(v) /∈ {>,⊥} and A1 = A2, and Θ1 = Θ2 and ∆2 coincideswith ∆1, except that ∆2(s)(Θ2(v)) = ∆1(σ′)(Θ1(v′)),

– op = v := null and, A1 = A2, ∆1 = ∆2 and Γ2 and Λ2 coincide respectively with Γ1and Λ1 except that Θ2(v) =⊥,

– op = v.s := null and Θ1(v) /∈ {>,⊥}, A1 = A2, and Θ1 = Θ2, and ∆2 coincides with∆1, except that ∆2(s)(Θ2(v)) =⊥,

– op = v := new and (1) A2 = A1 ∪{a} for some new vertex a 6∈ A1, (2) Γ2 and Λ2coincides respectively with Γ1 and Λ1 except that Θ2(v) = a and, (3) for every s∈ S,∆2(s)(a) =⊥ and ∆2(s) coincides with ∆1(s) on A1.

– op = v.s := new and (1) A2 = A1 ∪{a} for some new vertex a 6∈ A1, (2) Γ2 = Γ1and Λ2 = Λ1, and (3) for every s′ ∈ S, ∆2(s′)(a) = ⊥ and ∆2 coincides with ∆1 onA1 except that ∆2(s)(Θ2(v)) = a.

– op = v.σ#v′.σ′ for # ∈ {=, 6=}, and ∆1(σ)(Θ1(v)) 6=>, ∆1(σ′)(Θ1(v′)) 6=>, H1 =H2, and ∆1(σ)(Θ1(v))#∆1(σ′)(Θ1(v′)).

B Examples

Let us illustrate the comportment of a VH-PDS with some examples. First, we considerthe case of a sequential program. We suppose that there is only one selector S = {s}, thatL contains the variables y, z and G contains the variable g. We consider an environmente1 = 〈n1,V H1,π1〉 (the visible heap V H1 = (H1,C1) is represented figure 2).

1 2

3 4 5 6g

y

C1 = /0

π1

Fig. 2. The pair (V H1,π1)

1 2 3 4g

π2 = {(3,1),(4,2),(5,3),(6,4)}

C2 = {3}

Fig. 3. Result of a call(p) statement

Figure 3 depicts the result of the call of a procedure p without parameters (in-struction call(p)). The result is configuration e1e2 with e2 = 〈n2,V H2,π2〉 such that, if

1 2 3

4

gz

π2 = {(4,3),(3,2),(2,1)}

C2 = {1}

Fig. 4. Result of the application of z :=new, z.s := g.s.s and g := g.s.s.s

1 2

3 4 5

gy

π′1 = π1 ◦π

C1 = /0

Fig. 5. Result of a return statement. π ={(1,1),(2,2),(4,3),(5,4),(6,5)}

V H2 = (H2,C2), then H2 corresponds (modulo π2) to the restriction of H1 to vertices ac-cessible from the global variable g, and C2 consists of the first vertex of H2 which wherereachable in V H1 (i.e., the vertex 4 in V H1 which corresponds in V H2 to π2(4) = 2).

We apply now successively to e2 the heap operations z := new, z.s := g.s.s, g :=g.s.s.s. A result is e3 = 〈n3,V H3,π3〉e1. The pair (V H3,π3) is described Figure 4. Re-mark that the clean operation has removed the vertex called 1 in V H2 which is notaccessible any more from variables and cut points, while the vertex 2 (i.e., 1 in V H3)was preserved because it is accessible from C3. Finally, we apply a return statement andobtain the configuration 〈n4,V H4,π〉 depicted Figure 5. The new heap V H4 is obtainedin the following way. First, the part of V H1 whose nodes do not belong to the domain ofπ3 are added to V H3 and glued according to π4 (the node 2 connected in V H1 with 4, isnow connected to π4(4) = 3), then local variables of V H3 are deleted and missing localvariables of V H1 are replaced (according to π4) and the set of cut point is now C4 = C1.Finally, apply the clean operation with removed the vertex 4 which is became uselesssince unreachable from cut points or variables.

Let us now give an example of program with 2 process working in parallel. We sup-pose the current configuration is ((1,

−→Π), [〈n1,V H1,π〉β,〈nmain2

entry ,V H/0, Id⊥,>〉]), whereV H/0 is the empty visible heap (then, the process of index 2 was not active yet).

2 3 41 2 3 41

6 5g g

y

π1

−→Π = (Id{1,2,3,4}, Id{1,2,3,4})

π2

C1 = ({5}, /0) C1 = ({2,3}, /0)

Fig. 6. Switch to the process 2

Now, the process of index 2 becomes active. The result is represented by a 2-dimconfiguration ((2,

−→Π), [〈n1,V H1,π1〉β,〈n2,V H2,π2〉]) whose top stack is pictured Fig-

ure 6. The active process is marked by a thick edging. Variables x and y are local, and gis global.

Remark that since the heap of the second process was empty, V H2 correspondsexactly to Shared1(V H1). Let us suppose that after the process worked, the config-uration of the automaton is ((2,

−→Π 1), [〈n1,V H1,π1〉β,〈n2,V H ′2,π

′2〉β′]) Now, the pro-

cess of index 1 becomes active. The result is represented by a 2-dim configuration((1,−→Π′), [〈n1,V H ′1,π

′1〉β,〈n2,V H2,π2〉β′]) whose top stack is pictured Figure 7.

3

7

5

2 8 96

3

1

2 8 9

g

x

g

π′1 π′2

C1 = ({5},{2,8}) C1 = ({2,3},{7})

−→Π = (Id{2,3,8,9}, Id{(2,3,8,9)})


The new heap V H ′1 is obtained in the following way. First, compute Shared2(V H2)(see Figure 8) which is V H2 restricted to nodes accessible from global variables andC1(2) (i.e., nodes 2 and 3), and whose new vector of cut points is

−→C = (C2(1),C(2)),

where C(2) is composed by the first vertices of the restricted graph, which are reachablefrom C2(2) and local variables: C(2) = {2,8}.

3

2 8 9

g

C1 = ({2,3},{2,8})


Then, the part of V H1 whose nodes do not belong to the domain of Π(2) are added(without labels in G) to Shared2(V H2), then missing local variables of V H2 are replacedand the set of cut point is now

−→C′1 computed in the following way:

−→C′1(1) = C1(1) and

−→C′2(1) corresponds to C(2). Finally, apply the clean operation is applied, which deletesvertices which are not accessible yet: the nodes 1 and 4 are deleted.

C Correctness of the visible heap based semantics

Let us prove the correctness of our model (Theorem 1). We consider a program withm concurrent threads and prove that the two models of automata (H-PDS and VH-PDS) describing this program are bisimilar. We proceed in two main steps: first, wefocus on H-PDS and VH-PDS associated with a fixed process of index i. We definefor the two models, the notion of valid configurations, and a relation ≡i between validconfigurations of the H-PDS and valid configuration of VH-PDS. We prove that validconfigurations capture reachable configurations (from an empty stack), and that ≡i isa bisimulation between the two local systems. In the second part, we generalize thisapproach to global systems.

C.1 Bisimulation between local systems

Given a program with m concurrent threads, and i index of a process fixed for the restof the subsection. We denote by �i (resp. �i) the transition relation of the associatedH-PDS (resp. VH-PDS). We define a relation ≡i between H-PDS configurations andVH-PDS configurations and prove that ≡i is a bisimulation. For sake of simplicity, weomit the states of the visibly heap automaton and consider that a VH-PDS configurationis a finite sequence of symbols in V.

Definition C1 (Valid VH-PDS configuration) Let β = e1 · · ·e` be a VH-PDS configu-ration with for all j in [1, `], e j = 〈n j,(A j,∆ j,Γ,Λ j,

−→C j),π j〉. We say that β is valid if the

following properties are fulfilled:(1) for all j in [1, `−1], π j ⊆ A j+1×A j and is an injective function,(2) for all j in [1, `−1], for all a j in

−→C j(i), there exists a j+1 such that (a j+1,a j)∈ π j

and a j+1 ∈ Reach∆ j+1(−−→C j+1(i)∪Λ j+1(L)).

Remark 1. If β is valid, then all β′ ' β is valid.

Every VH-PDS configuration 7→-reachable from the initial configuration of theprogram is valid. The initial configuration is β /0 = 〈nmain

entry,V H/0, Id{⊥,>}〉 and V H/0 =

({>,⊥},∆>,⊥,⊥,−→/0 ) with ∆> being the successor function which maps > to each

address, for all successor fields.

Proposition C1 Let β be a VH-PDS configuration, if β /0�i∗β, then β is valid.

Proof: Clearly, the configuration β /0 is valid. Let us prove that for all local configura-tions β and β, if β �i β′ and β is valid, then β′ is valid.

Heap operation If we apply a heap operation op and β = 〈n1,(H1,−→C1),π1〉β1, then

there exists H ′2 such that H1op−−→π H ′2 and β′= 〈n2,V H2,π1◦π〉β1, where Clean(H ′2,

−→C1)'

V H2. Clearly, if β is valid then β′ is valid.

Call statement If we apply a call instruction, β = 〈n1,(H1,−→C1),π1〉β1, and β′ =

〈n2,(H2,−→C2),π1 ◦π〉〈n1,(H1,

−→C1),π1〉β1. Then π is a bijective map from the set of nodes

of Clean(H1,−→C1) to A2, (set of nodes of H2), in addition,

−→C2(i)∈ π(Reach∆1(Λ1(L),

−→C1(i))).

Then β′ is valid.Return statement If we apply a return instruction, and β = 〈n2,(H2,

−→C2),π2〉〈n1,(H1,−→

C1),π1〉β1 and β′ = 〈n1,(H ′1,−→C′1),π1 ◦π〉β1. Then π is bijective map from the set of ad-

dresses of Clean(Returni((H1,−→C1),(H2,

−→C2),π2)) to A′1, (set of nodes of H ′1), in addition,

−→C′1(i) = (π1 ◦π)(

−→C1(i)). Then β′ is valid. 2

Valid VH-PDS configurations will be related with valid H-PDS configurations.

Definition C2 A H-PDS configuration α = (GH,〈n1,Λ1〉 · · · 〈nk,Λk〉) is called valid iffor all `∈ [1,k], Λ` is an application from L to A, where A is the set of addresses of GH.

Definition C3 Let α be a valid H-PDS configuration and β be a valid VH-PDS config-uration. We write α≡i β iff

– α = (GH,〈n1,Λ1〉c2 · · ·ck),– β = 〈n1,V H1,π1〉〈n2,V H2,π2〉e3 · · ·ek,– there exists a visible heap (H1,

−→C1) such that Clean(GH,Λ1,

−→C1) = (H1,

−→C1),

– if k > 1, for all (V H,π) ∈ Update-seqi(V H2,V H1,π1), if β′ = 〈n2,V H,π2 ◦ π〉 ·e3 · · ·ek then c2 · · ·ck ≡i β′. .

Remark C1

1. For all valid VH-PDS configuration β, there exists a valid H-PDS configuration α

such that α ≡ β. Let us explain how find α when β = 〈n1,V H1,π1〉〈n2,V H2,π2〉.Let (GH,Λ2,

−→C′2) = Returni(V H2,V H1,π1), then there exists Λ1 and

−→C1 such that

V H1 'Clean(GH,Λ1,−→C1). Then (GH,〈n1,Λ1〉〈n2,Λ2〉)≡i β.

2. Let α be a valid H-PDS configuration and β be a valid VH-PDS configuration suchthat α ≡i β. Then, for all VH-PDS configuration β′, if β′ ' β then β′ is valid andα≡i β′.

Theorem C1 The relation ≡i is a bisimulation between �i and �i.

Proof: We have to prove the following property: for all α, α′ local H-PDS configura-tions, and all β VH-PDS configuration, with α≡i β,

α �i α′ iff there exists β′ valid such that α

′ ≡i β′ and β �i β

′.

This is proved by Propositions C2, C3 and C4. 2

Let instr be a sequential program instruction (a heap operation, a return statementor a call statement), we denote by �i,instr (resp. �i,instr) the union of all �i,r (resp.�i,r) were r belongs to the set of local rules RGi (resp. in Ri) associated with an edge

n1instr−−−−→n2 of the control flow graph of the process i.Let us consider the case of calling procedure. Let call be a call statement, we prove

that ≡i is a bisimulation between �i,call and �i,call.

Proposition C2 (Call operation) Let call be a call statement, α1 and α2 be valid H-PDS configurations and β1 be a valid VH-PDS configuration such that α1 ≡i β1:

α1 �i,call α2 iff there exists β2 valid such that α2 ≡i β2 and β1 �i,call β2.

Proof: Suppose that α1 = (GH1,〈n,Λ1〉u1) and β1 = 〈n,V H1,π1〉β. From definition of�i,call and �i,call, we have to prove that for a procedure p and parameters v1.σ1, . . . ,vk.σk,

(1) V H2 ' Clean(GH1,Λ2,−→C2) for Λ2 = Pass(GH1,Λ1, p,v1.σ1, . . . ,vk.σk), some

−→C2

and some (V H2,π2) ∈ Passi(V H1, p,v1.σ1, . . . ,vk.σk)(2) α1 ≡i 〈n,V H2,π1 ◦π2 ◦π′2〉β, for (V H ′2,π

′2) ∈ Update-seqi(V H1,V H2,π2),

Since α1 ≡i β1, there exists−→C1 such that

(a) V H1 'Clean(GH1,Λ1,−→C1).

Let ∆ be the successor function of GH1, then from definition of Λ2, we have clearly,Reach∆(Λ1(L)∪Λ2(L)) = Reach∆(Λ1(L)). Let

−→C′1 be the vector defined by

−→C′1(i) =

−→C1(i)∪Λ1(L), and

−→C′1( j) =

−→C1( j), for j 6= i, and `1, . . . `k be the formal parameter of p,

and CH2 = CutPassi((V H1), [`1,v1.σ1], . . . , [`k,vk.σk]), then from (a), we obtain(b) CH2 'Clean(GH1,Λ2,

−→C′1).

Let (H ′,−→C′1) = Clean(GH1,Λ2,

−→C′1), then for all vector of sets of cut points

−→C such

that Clean(GH1,Λ2,−→C ) is a sub-heap of Clean(GH1,Λ2,

−→C′1), we have Clean(H ′,

−→C ) =

Clean(GH1,Λ2,−→C ). In particular, if

−→C′2 is the vector of cut points of Visiblei(H,

−→C′) then

(c) Visiblei(CH2) ' Clean(GH1,Λ2,−→C2) (since from definition, Visiblei(CH2) '

Clean(H ′,−→C2)).

Since V H2 'Visiblei(CH2), (c) implies (1).Finally, from Proposition 1, V H1 'π2◦π′2 V H1, and then from Remark C1(2), condi-

tion (2) is satisfied. 2

Let us prove that if ret is a return statement, then≡i is a bisimulation between �retand �ret.

Proposition C3 (Return operation) Let ret be a return statement, α1 and α2 be validH-PDS configurations and β1 be a valid VH-PDS configuration such that α1 ≡i β1:

α1 �i,ret α2 iff there exists β2 valid such that α2 ≡i β2 and β1 �i,ret β2.

Proof: Straightforward by induction on the length of β1. 2

Finally, let us show that for all heap operation op, the relation ≡i is a bisimulationbetween �i,op and �i,op. We need the following Lemma.

Lemma C1 (Heap operation rule) Let op be a heap operation, α and α′ be local H-PDS configurations, and β ∈ V such that β≡i α:

α↪→i,opα′ iff there exists β′ valid such that α

′ ≡i β′ and β↪→i,opβ

′.

Proof: Suppose α = (GH,〈n1,Λ〉), α′ = (GH ′,〈n′,Λ′〉) and β = 〈n,V H,π〉. The con-dition α≡i β implies ∃−→C such that V H 'Clean(GH,Λ,

−→C ). We can remark that

(1) (GH,Λ) op−−→(GH ′,Λ′) iff ∀−→C′ ⊆ Am, Clean(GH,Λ,

−→C′) op−−→π Clean(GH ′,Λ′,

−→C′).

Indeed, nodes used in op are always reachable from local and global variables, and thusthe clean operation does not remove these vertices. In the same way, we have(2) [∃

−→C′ ⊆ Am. Clean(GH,Λ,

−→C′) op−−→π Clean(GH ′,Λ′,

−→C′)] iff (GH,Λ) op−−→(GH ′,Λ′).

Then, from definition of ≡i, (1) and (2), the following equivalences hold:α↪→i,opα iffn op−−→n′ and (GH,Λ) op−−→(GH ′,Λ′), iffn op−−→n′ and Clean(GH,Λ,

−→C ) op−−→π Clean(GH ′,Λ′,

−→C ) iff

∃β′ = Clean(GH ′,Λ′,−→C ) such that β ↪→i,op β′. 2

Proposition C4 (Heap operation) Let op be a heap operation, α1 and α2 be valid H-PDS configurations, and β1 be a valid VH-PDS configuration such that β1 ≡i α1:

α1 �i,op α2 iff there exists β2 valid such that α2 ≡i β2 and β1 �i,op β2.

Proof: Let us prove this result by induction on k ≥ 1, where k is the length of β1. Thebasis case k = 1 is treated Lemma C1. Let us prove the induction step. Suppose theproposition is true for k ≥ 1, and thatβ1 = 〈n1,V H1,π1〉〈n2,V H2,π2〉β, with |β|= k−1, and k ≥ 1, andα1 = (GH,〈n1,Λ1〉〈n2,Λ2〉u〉).

Suppose in addition that (GH,〈n1,Λ1〉) �i,op (GH ′,〈n′1,Λ′1〉). From Lemma C1,there exists 〈n′1,V H ′1,π

′1〉, such that

– 〈n1,V H1,π1〉�i,op 〈n′1,V H ′1,π′1〉 and

– (GH ′,〈n′1,Λ′1〉)≡i 〈n′1,V H ′1,π′1〉.

In addition, from hypothesis α1 ≡ β1, we have

(1) (GH,〈n2,Λ2〉u〉)≡i 〈n2,V H ′2,π2 ◦π′〉β, where(2) (V H ′2,π

′) ∈ Update-seqi(V H2,V H1,π1).

Let α′1 =(GH ′,〈n2,Λ2〉 · · · 〈nk+1,Λk+1〉), and β′1 = 〈n2,V H ′′2 ,π2◦π′′〉β, where (V H ′′2 ,π′)∈Update-seqi(V H2,V H ′1,π

′′1), the induction step is true iff

(*) α′1 ≡i β′1.

Let us prove (*). Let V H ′2 = (A′2,∆′2,Γ′2,Λ

′2,−→C ′2) and V H ′′2 = (A′′2 ,∆

′′2 ,Γ′′2 ,Λ

′′2 ,−→C ′′2).

We can easily define a new visible heap V H ′2 = (A′2,∆′2,Γ′2,Λ

′2 ∪ Λ′2,

−→C ′2) defined over

the extended set of local variable L∪{v1,v2} and a new heap operation op′ such that:

(3) V H ′2 �i,op’ V H ′′2 , where V H ′′2 = (A′′2 ,∆′′2 ,Γ′′2 ,Λ

′′2∪Λ′′2 ,

−→C ′′2) for some Λ′′2 : {v1,v2}→

A′′2 , and(4) (GH,〈n2,Λ2 ∪Λ〉) �i,op’ (GH ′,〈n2,Λ2 ∪Λ′〉), for some Λ, Λ′ assignment of the

variables {v1,v2}.

We have then,

(1’) (GH,〈n2,Λ2∪Λ〉u)≡i 〈n2,V H ′2,π2 ◦π′〉β, for some Λ assignment of the variables{v1,v2}, (from (3)).

Let us define Λ′2 and op′ for some cases. Suppose that V H1 = (A1,∆1,Γ1,Λ1,−→C1).

– if op = x := x′.σ, and x ∈ G, then let a = ∆1(σ)((Γ1∪Λ1)(x′)), if (π1 ◦π)−1(a) isdefined then Λ′2(v1) = (π1 ◦π)−1(a), Λ′2(v2) => and op′ = x := v1

– if op = x := x′.σ, and x ∈ L, then Λ′2(v1) =⊥, Λ′2(v2) =⊥ and op′ = (v1 = v2)– if op = x.s := x′.σ, then let a = (Γ1 ∪Λ1)(x) and a′ = ∆1(σ)((Γ1 ∪Λ1)(x′)), if

(π1 ◦π)−1(a) and (π1 ◦π)−1(a′) are defined then Λ′2(v1) = (π1 ◦π)−1(a), Λ′2(v2) =(π1◦π)−1(a) and op′= v1.s := v2, else Λ′2(v1) =⊥, Λ′2(v2) =⊥ and op′= (v1 = v2).

Then, by induction hypothesis applied to (4) and (1’), we obtain (GH ′,〈n2,Λ2 ∪Λ〉 · · · 〈n1,Λ1〉) ≡i 〈n2,V H ′′2 ,π2 ◦ π′′〉β, and by deleting the additional variables v1,v2,we prove (*). 2

Bisimulation between global systems

We define now a relation≡ between CH-PDS configurations and CVH-PDS configura-tions. As previously, the relation is defined for valid configurations. A CH-PDS configu-ration ((i,GH), [u1, . . . ,um]) is valid if for all j ∈ [1,m], the local configuration (GH,u j)is valid.

Definition C4 A CVH-PDS configuration ((i,Π), [β1, . . . ,βm]) is valid if the followingproperties are satisfied. Suppose that ∀ j ∈ [1,m], β j = 〈n j,V H j,π j〉β′j, with V H j =

(A j,∆ j,Γ j,Λ j,−→C j), then

(1) for all j ∈ [1,m], β j is a valid (local) configuration, and(2) for all j ∈ [1,m], let A′i be the set of vertices of Sharedi(V Hi), then Π( j)◦Π(i) :

A j→ A′i and is an injective function,

(3) for all j ∈ [1,m], j 6= i, for all a ∈ −→Ci ( j), there exists a′ ∈ A j such that (a′,a) ∈Π( j)◦Π(i), and a′ ∈ Reach∆ j(

−→C j( j)∪Λ j(L)).

(4) for all j ∈ [1,m], j 6= i, for all k 6= j,−→Ci ( j) = Π( j)◦Π(i)(

−→Ck( j)).

Every CVH-PDS configuration 7→-reachable from an initial configuration of theprogram is valid. Initial configurations are all b /0 = ((i,

−−−−→Id{⊥,>}), [β /0,1, . . . ,β /0,m]), for

i ∈ [1,m], and each β /0, j is the initial local configuration of the process of index j (seeSection C.1).

Proposition C5 Let b be a CVH-PDS configuration, if b /0 7→i∗b, then b is valid.

Definition C5 Let a be a valid CH-PDS configuration and b be a valid CVH-PDSconfiguration. We denote a≡ b iff

(1) a =((i,GH), [u1, . . . ,um]), and b =((i,−→Π), [e1β1, . . . ,emβm]), with e j = 〈n j,V H j,π j〉,

(2) for all j∈ [1,m], there exists (V H ′j,π′j,Π′j)∈Update-par(V H j,V Hi,

−→Π( j)◦−→Π(i))

such that (GH,u j)≡ j 〈n j,V H ′j,π j ◦π′j〉β j.

Remark C2

1. Point (2) of the definition of ≡ can equivalently be written:for all j∈ [1,m], ∀(V H ′j,π

′j,Π′j)∈Update-par(V H j,V Hi,

−→Π( j)◦−→Π(i)). (GH,u j)≡ j

〈n j,V H ′j,π j ◦π′j〉β j.

2. Since for all V Hi, (V Hi, IdAi , IdAi) ∈ Update-par(V Hi,V Hi,−→Π( j)◦−→Π(i)), point (2)

of the definition of ≡ can equivalently be written:for all j ∈ [1,m], j 6= i, there exists (V H ′j,π

′j,Π′j) ∈ Update-par(V H j,V Hi,

−→Π( j) ◦

−→Π(i)) such that (GH,u j)≡ j 〈n j,V H ′j,π j ◦π′j〉β j, and (GH,ui)≡i eiβi.

Theorem C2 The relation ≡ is a bisimulation between⇒ and 7→.

Proof: We have to prove that for all valid CVH-PDS configuration b, and all validCH-PDS configurations a and a′ such that a≡ b,

a⇒ a′ iff there exists b′ valid such that a′ ≡ b′ and b 7→ b′.

This is a straightforward consequence of Propositions C6, C7, C8 and C9. 2

Let instr be a program instruction (a heap operation, a return, call or switch state-ment), we denote by ⇒instr (resp. 7→instr) the union of all ⇒r (resp. 7→r) were r be-

longs to the set of local rules RG (resp. in R ) associated with an edge n1instr−−−−→n2 of

the control flow graph of the program.We start by define a relation between visible heaps, and give some lemmas which

will simplify the proofs.

Definition C6 Let V H1 = (H1,−→C1) and V H2 = (H2,

−→C2) be two visible heaps, π : A2→

A1, and i ∈ [1,m]. We denote V H1 �iπ V H2 if there exists V H such that V H1 'V H, with

V H = (H,−→C ) such that

V H =Clean(H2,−→C ),−→C (i)=

−→C2(i), and for all j∈ [1,m], i 6= j,

−→C ( j)∈Reach∆2(

−→C2( j)).

We denote V H1 �i V H2 if V H1 �iπ V H2 for some bijection π.

In other words, if V H1 � V H2, then V H1 is equivalent to V H2 restricted by a cleaningaccording to a new vector of cut points, and these new cut points are reachable from theold ones.

Lemma 1. Let α be a valid local CH-PDS configuration, and β be a valid local CVH-PDS configuration such that α≡i β. Suppose that β = 〈n1,V H1,π1〉β′ and let V H ′1 be avisible heap such that V H ′1 �i

π V H1 for some bijection π. Then α≡i 〈n1,V H ′1,π1 ◦π〉β′.

Proof: Let us prove the lemma by induction on the length of β. If β is reduced to aunique element, the definition of � implies obviously the validity of the lemma. Sup-pose the lemma verified for configurations of length n ≥ 1. Let β′ = 〈n2,V H2,π2〉β′′,with |β′′| = n− 1 and suppose that α = (GH,〈n1,Λ1〉u). From definition, there exists−→C such that Clean(GH,Λ1,

−→C ) ' V H ′1. Let (V H ′2,π

′2) ∈ Update-seqi(V H2,V H1,π1),

and (V H ′′2 ,π′′2) ∈ Update-seqi(V H2,V H ′1,π1 ◦π), we can easily see that V H ′′2 �i V H ′2.Then, applying induction hypothesis, the lemma is fulfilled. 2

Lemma 2. Let b = ((i,−→Π), [e1β1, . . . ,emβm]) and b′ = ((`,

−→Π ′), [e′1β1, . . . ,e′mβm]) be

two valid configurations, and suppose that b 7→sw b′. Then for all j ∈ [1,m], let e′j =〈n j,V H ′j,π j ◦π′j〉, we have:

∀ j ∈ [1,m], Shared j(V H ′j)�i Sharedi(V H ′i ).

Proof: Suppose that e j = 〈n j,V H j,π j〉, with V H j = (H j,−→C j). We have (V H ′j,π

′j,Π j) ∈

Update-par(V H j,V Hi,−→Π( j)◦−→Π(i)). Let us construct Shared j(V H ′j) by using the defi-

nition of Update-par. Consider

(A,∆,Γ,Λ,−→C ) = Return j(V H ′j,Sharedi(V Hi),

−→Π( j)◦−→Π(i)),

where Sharedi(V Hi) = (H ′i ,−→C′i ) and let

−→C′ be the vector of cut points defined by

−→C′(k) =

−→C j(k) for k 6= i and

−→C′(i) = β j(

−→C′i (i)) (β j is given in the definition of Update-par).

From Definition C4(4), for every k 6= j,−→C′(k) = β j(

−→C′i (k)), and from Definition C4(3),

−→C′i ( j) ∈ Reach∆(

−→C ( j)∪Λ(L)).

We have then Sharedi(V Hi) �i Clean(CutPass j((A,∆,Γ,Λ,−→C′), [∀` ∈ L.>]), and

then Shared j(V H ′j)�i Sharedi(V Hi). 2

Proposition C6 (Switch) Let a and a′ be two valid CH-PDS configurations, and b bea valid CVH-PDS configuration such that a≡ b:

a⇒sw a′ iff there exists b′ valid such that a′ ≡ b′ and b 7→sw b′.

Proof: Let a = ((1,GH), [〈n1,Λ1〉u1, . . . ,〈nm,Λm〉um]),b = ((1,

−→Π), [〈n1,V H1,π1〉β1, . . . ,〈nm,V Hm,πm〉βm]),

b′ = ((2,−→Π′), [〈n1,V H1,π

′1〉β1, . . . ,〈nm,V H ′m,π′m〉βm]), and suppose that a ≡ b, and

b 7→sw b′.We have then

(a) (GH,〈n1,Λ1〉u1)≡1 〈n1,V H1,π1〉β1(b) for all j ∈ [2,m], (GH,〈n j,Λ j〉u j)≡ j 〈n j,V H ′j,π

′j〉β j

(c) for all j ∈ [2,m], Shared j(V H ′j)�1 Shared1(V H1) (from Lemma 2).

Suppose in addition that for all j ∈ [1,m], V H ′j = (H ′j,−→C j′), Shared2(V H ′j) = (H j,

−→C j),

and(V H ′′j ,π

′′j ,Π

′′j ) ∈ Update-par2(V H ′j,V H ′2,

−→Π′(1)◦

−→Π′(2)).

We have for all k 6= 2, V H ′′j 'Clean(V H ′j,−→C j), then V H ′′j � j V H ′j and from Lemma 1

(GH,〈n j,Λ j〉u j)≡ j 〈n j,V H ′′j ,π′j ◦π′′j 〉β j. In other words, a′ ≡ b′. 2

Proposition C7 (Heap operation) Let op be a heap operation, a and a′ be two CH-PDS configurations, and b be a CVH-PDS configuration such that a≡ b:

a⇒op a′ iff there exists b′ valid such that a′ ≡ b′ and b 7→op b′.

Proof: We restrict the proof to the case m = 2 (i.e., there were only two processes work-ing in parallel), the general case is similar. Let a =((1,GH), [u1,u2]), a′=((1,GH ′), [u′1,u2]),b = ((1,

−→Π), [〈n1,V H1,π1〉β1,〈n2,V H2,π2〉β2]) and suppose that a≡ b.

From Remark C2(2), Theorem C1 can be applied to (GH,u1) and 〈n1,V H1,π1〉β1.We have then a⇒op a′ iff there exists b′ such that b 7→op b′ with b′=((1,

−→Π′), [〈n′1,V H ′1,π1◦

π′1〉β1,〈n2,V H2,π2〉β2]), and(a) β′1 = 〈n′1,V H ′1,π1 ◦π′1〉β1 is valid,(b) (GH ′,u′1)≡1 β′,(c) V H1

op−−→π′1V H ′1.

In addition, from hypothesis a ≡ b, if we suppose that (V H ′2,π′2,Π

′2) ∈ Update-par1

(V H2,V H1,−→Π(2)◦−→Π(1)), then

(d) (GH,u2)≡2 〈n2,V H ′2,π2 ◦π′2〉β2.

Let us show that a′ ≡ b′ and b′ is valid. Suppose that (V H ′′2 ,π′′2 ,Π′′2) ∈ Update-par1

(V H2,V H ′1,−→Π′(2)◦

−→Π′(1)), then from (b) and Remark C2(2), we just have to prove that

(*) (GH ′,u2)≡2 〈n2,V H ′′2 ,π2 ◦π′′2〉β2.

Suppose that V H ′2 = (H ′2,−→C′2) and V H ′′2 = (H ′′2 ,

−→C′′2 ). From definition of Update-par1,

−→C′′2 =

−→C′2. We use the same method employed in the proof of Proposition C4. Suppose

that u2 = 〈n2,Λ2〉u′2. We can construct a new visible heap V H ′2 (resp. V H ′′2 ) defined overan extended set of local variables L∪L′ and such that by deleting labels in L′ we obtainV H ′2 (resp. V H ′′2 ), and a heap operation op′ such that

(3) V H ′2op−−→π V H ′′2 , with π = π′2

−1 ◦π′′2 and(4) (GH,〈n2,Λ2 ∪Λ〉) �i,op’ (GH ′,〈n2,Λ2 ∪Λ′〉), for some Λ, Λ′ assignment of the

variables {v1,v2} in L′.(5) (GH,〈n2,Λ2∪Λ〉u′2)≡2 〈n2,V H ′2,π2 ◦π′2〉β2

From Theorem C1, (GH ′,〈n2,Λ2 ∪Λ′〉u′2) ≡2 〈n2,V H ′′2 ,π2 ◦π′′2〉β2, and then by delet-ing labels in L′ we obtain that (*). 2

Let us consider the case of calling procedure. Let call be a call statement, we provethat ≡ is a bisimulation between⇒call and 7→call.

Proposition C8 (Call) Let call be a call statement, a and a′ be two CH-PDS configu-rations, and b be a valid CVH-PDS configuration such that a≡ b:

a⇒call a′ iff there exists b′ valid such that a′ ≡ b′ and b 7→call b′.

Proof: We restrict the proof to the case m = 2 (i.e., there were only two processesworking in parallel), the general case is similar. Let a = ((1,GH), [〈n1,Λ1〉u1,u2]), a′ =((1,GH), [〈n′1,Λ′1〉〈n1,Λ1〉u′1,u2]), b = ((1,

−→Π), [〈n1,V H1,π1〉β1,〈n2,V H2,π2〉β2]), and

suppose that a≡ b.From Remark C2(2), Theorem C1 can be applied and we have then a⇒op a′ iff

there exists b′ such that b 7→op b′ with b′ = ((1,−→Π′), [β′1,〈n2,V H2,π2〉β2]), and

(a) β′1 = 〈npinit ,V H ′1,π

′1〉〈n1,V H1,π1〉β1 is valid,

(b) (GH,u′1)≡1 β′1,(c) (V H ′1,π

′1) ∈ Pass1(V H1, p,v1.σ1, . . . ,vk.σk).

In addition, from hypothesis a ≡ b, if we suppose that (V H ′2,π′2,Π


(V H2,V H1,−→Π(2)◦−→Π(1)), then

(d) (GH,u2)≡2 〈n2,V H ′2,π2 ◦π′2〉β2.

Let us show that a′≡ b′. Suppose that (V H ′′2 ,π′′2 ,Π′′2)∈Update-par1 (V H2,V H ′1,

−→Π′(2)◦


(*) (GH,u2)≡2 〈n2,V H ′′2 ,π2 ◦π′′2〉β2.From definition of Pass1, let A = Reach∆(Γ(G)∪Λ′1(L)∪−→C1(2)), then

V H ′1 'Clean(GH,Λ′1,(−→C′1(1),

−→C1(2))), where

−→C′1(1) = (A∩Reach∆(

−→C1(1)∪Λ1(L)))\∆(S)(Reach∆(

−→C1(1)∪Λ1(L))).

Then let A′ = Reach∆(Γ(G)∪−→C1(2)), Shared1(V H ′1)'Clean(GH,>,(−→C′′1 (1),

−→C1(2))),

where−→C′′1 (1) = A′∩Reach∆(

−→C′1(1)∪Λ′1(L))\Reach∆(

−→C′1(1)∪Λ′1(L)).

We have A′ ⊆ A, and since Λ′1(L) ∈ Reach∆(Λ1(L)∪Γ(G)), it appears clearly that−→C′′1 (1)⊆ Reach∆(

−→C′1(1)). Then Shared1(V H ′1)�2 Shared1(V H1).

Then V H ′′2 �2 V H ′2 and then from Lemma 1, the property (*) is fulfilled. 2

Proposition C9 (Return) Let ref be a return statement a and a′ be two CH-PDS con-figurations, and b be a CVH-PDS configuration such that a≡ b:

a⇒ret a′ iff there exists b′ valid such that a′ ≡ b′ and b 7→ret b′.

Proof: We restrict the proof to the case m = 2 (i.e., there were only two processes work-ing in parallel), the general case is similar. Let a =((1,GH), [u1,u2]), a′=((1,GH), [u′1,u2]),b = ((1,

−→Π), [〈n1,V H1,π1〉〈n′1,V H ′1,π

′1〉β1,〈n2,V H2,π2〉β2]), and suppose that a≡ b.

From Remark C2(2), Theorem C1 can be applied and we have then a⇒op a′ iff

there exists b′ such that b 7→op b′ with b′ = ((1,−→Π′), [β′1,〈n2,V H2,π2〉β2], and

(a) β′1 = 〈n′1,V H ′′1 ,π′1 ◦π〉β1 is valid,(b) (GH,u′1)≡1 β′1,

(c) (V H ′′1 ,π′′1) ∈ Update-seq1(V H ′1,V H1,π1).In addition, from hypothesis a ≡ b, if we suppose that (V H ′2,π

′2,Π


(V H2,V H1,−→Π(2)◦−→Π(1)), then

(d) (GH,u2)≡2 〈n2,V H ′2,π2 ◦π′2〉β2.

Let us show that a′≡ b′. Suppose that (V H ′′2 ,π′′2 ,Π′′2)∈Update-par1 (V H2,V H ′′1 ,

−→Π′(2)◦


(*) (GH,u2)≡2 〈n2,V H ′′2 ,π2 ◦π′′2〉β2.

From hypothesis a≡ b and (b), there exists−→C1 and

−→C′′1 such that V H1 =Clean(GH,Λ1,

−→C1)

and V H ′′1 = Clean(GH,Λ′1,−→C′1). Let A = Reach∆(Γ(G)∪

−−−→C1(2)). We have

Shared1(V H1)=Clean(GH,>,(C(1),−→C1(2)), with C = A∩Reach∆(

−→C1(1)∪Λ1(L))\

Reach∆(−→C1(1)∪Λ1(L)), and

Shared1(V H ′′1 )=Clean(GH,>,(C′′(1),−→C1(2)), with C = A∩Reach∆(

−→C′1(1)∪Λ′1(L))\

Reach∆(−→C′1(1)∪Λ′1(L)).

From hypothesis β1 is valid,−→C1(1)⊆Reach∆(

−→C′1∪Λ′1(L)). Then Then Shared1(V H ′1)�2

Shared1(V H1).Then V H ′′2 �2 V H ′2 and then from Lemma 1, the property (*) is fulfilled. 2

Bounded Context Switch Analysis of Multithreaded Programs...

Documents

Transcript of Bounded Context Switch Analysis of Multithreaded Programs...