Graph models for reachability analysis of concurrent...
Transcript of Graph models for reachability analysis of concurrent...
Graph Modelsof Concurrent
MAUF{O PEZZE
Politecnico di Milano
RICHARD N. TAYLOR
for Reachability AnalysisPrograms
University of California — Irvine
and
MICHAL YOUNG
Purdue University
The problem of analyzing concurrent systems has been investigated by many researchers, and
several solutions have been proposed. Among the proposed techniques, reachability
analysis—systematic enumeration of reachable states in a finite-state model—is attractive
because it is conceptually simple and relatively straightforward to automate and can be used m
conjunction with model-checking procedures to check for application-specific as well as general
properties. This article shows that the nature of the translation from source code to a modeling
formalism is of greater practical importance than the underlying formalism. Features ldentitled
as pragmatically important are the representation of internal choice, selection of a dynamic or
static matching rule, and the ease of applying reductions. Since combinatorial explosion is the
primary impediment to application of reachability analysls, a particular concern in choosing a
model is facilitating divide-and-conquer analysis of large programs. Recently, much interest in
finite-state verification systems has centered on algebraic theories of concurrency. Algebraic
structure can be used to decompose reachability analysis based on a flowgraph model. The
semantic equivalence of graph and Petri net-based models suggests that one ought to be able to
apply a similar strategy for decomposing Petri nets. We describe how category-theoretic treat-ments of Petri nets provide a basis for decomposition of Petri net reachability analysis.
Material in this article and the work of M. Pezz> was sponsored by the Air Force Materiel
Command, Rome Laboratory, and the Advanced Research Projects Agency under contract
number F30602-94-C-0218.
The work of R. N. Taylor was sponsored by the Defense Advanced Research Projects Agency
under grant MDA972-91-J-1O 10.
The ccmtent of the information does not necessarily reflect the position or the policy of the U.S.
Government, and no official endorsement should be inferred. The work of M. Young was
sponsored by the National Science Foundation under grants CCR-9157629 and INT-9217432.
Authors’ addresses: M. Pezze, Dipartimento di Elettronica e Informazione, Politecnico di Milano,
Piazza Leonardo da Vinci 32, Milano, Italia; email: [email protected]. it; R. N. Taylor, Depart-
ment of Information and Computer Science, University of California, Irvine, CA 92717-3425;
email: taylor~ics.uci. edu; M. Young, Software Engineering Research Center, Department of
Computer Sciences, Purdue University, West Lafayette, IN 47907-1398; email: young(~
cs.purdue.edu.
Permission to make digital/hard copy of all or part of this material without fee is granted
providled that the copies are not made or distributed for profit or commercial advantage, the
ACM ,copyright/server notice, the title of the publication, and its date appear, and notice is given
that copying is by permission of the Association for Computing Machinery, Inc. (ACM). To copy
otherwise, to republish, to post on servers, or to redistribute to lists requires prior specific
permission and/or a fee.
019915 ACM 1049-331X/95/0400-0171 $03.50
.4CM Transactions on Software Engmeermg and Methodology, Vol. 4, No 2. April 1995. Paws 171-213
172 . Mauro Pezze et al.
Categories and Subject Descriptors: D. 1,3 [Programming Techniques]: Concurrent Program-
ming; D.2.2 [Software Engineering]: Tools and Techniques—Petri nets; D.2.5 [Software
Engineering]: Testing and Debugging-debuggtng cuds; D.3.3 [Programming Languages]:
Language Constructs and Features—concurrent programming structures; F.3 1 [Logics and
Meanings of Programs]: Specifying and Verifying and Reasoning about ProWams—snechcmz-
cal verification
General Terms: Reliability, Verification
Additional Key Words and Phrases: Ada tasking. process algebra, static analysis
1. INTRODUCTION
The problem of analyzing concurrent 1 systems has been investigated by
many researchers. Several approaches have been proposed, ranging from
formal verification to testing and debugging, Between these poles lie special-
purpose, before-run-time analyses that fall short of fully general program
verification but provide strong assurance of critical program properties such
as freedom from deadlock. The inherent complexity of concurrent computa-
tion makes it unlikely that any single contemporary or future analysis
technique will provide an acceptable combination of expense and assurance
for all circumstances.
Among the proposed techniques, reachability analysis—systematic enu-
meration of reachable states in a finite-state model—is attractive because it
is conceptually simple and relatively straightforward to automate and can be
used in conjunction with model-checking procedures (e.g., Clarke et al. [ 1986]
and Wolper [1986]) to check for application-specific as well as general proper-
ties. Reachability analysis has been used successfully for some time in limited
domains like simple communication protocols [Holzmann 1987; Sunshine
198 1]. Combinatorial explosion has largely stymied application of reachabil-
ity analysis to general concurrent programs, although recent work in compo-
sitional analysis holds promise for scalable application.
One thread of research related to reachability analysis involves extracting
models from program texts. Since Taylor [ 1983] proposed a reduced flow-
graph model for reachability analysis of programs expressed in Ada and
related languages, a variety of alternative representations have been pro-
posed. Long and Clarke [1989] proposed a “task interaction graph” represen-
tation that captures synchronization structure more succinctly than Taylor’s
original model (an important attribute since it slows the combinatorial
explosion that is the primary limiting factor in applying reachability analy-
sis). Shatz et al. have proposed extracting Petri nets from Ada programs in
order to use existing Petri net analysis tools [ Shatz and Cheng 1988] and net
reduction techniques [Shatz et al. 1990].
1We use the term concurrent in a general sense for systems with multiple threads of control,
without regard to whether those threads of control are physically distributed or share physical or
lo~cal memory space, Although different organizations present them own problems (e.g., unreli-
able communication in physically distributed systems), basic problems of coordination are
common to all of them.
ACM TransactIons on Software Engineering and Methodology, Vol 4, No 2, April 1995
Reachability Analysis . 173
Thi,s article shows that the nature of the translation from source code to a
model ing formalism is of greater practical importance than the underlying
formalism. The choice of model does not depend on expressive power, since
finite-state models are formally equivalent in this regard. The main contribu-
tion of this article is identification of the following differences among models
and charact erization of their impact on practical choice of models for
reachability analys is, particularly as regards sizes of the composite state-
space representations produced:
—Matching rule: Petri nets and other net-like models use a static matching
rule, while flowgraph models use a dynamic matching rule. The choice of
matching time has no impact on the final reachability graph but may
impact model translation and consequently tool structure and efficiency
when reanalyzing portions of an evolving program.
—Reductions: Enumerative approaches generally depend on local graph
transformations to reduce the number of states explored. While a reduction
in one model generally has an analogue in another, the ease of identifying
and applying rewrites may be quite different, The more-specialized flow-
gra,ph models have an advantage in preserving structural information, but
the more-established general models such as nets have more well devel-
oped theory and tools to depend on.
—Representation of internal choice: We contend that a “refusals” model is
preferable to a “silent-move” model for reachability analysis because it
permits a more-compact representation. This appears to be an advantage
of ~lowgraph models over net models.
—Compositionality: A practical analysis technique for large, realistic applica-
tions must permit analysis of subsystems in isolation; preferably it should
support composition of analysis results in a manner that avoids or limits
combinatorial explosion. The complexity of concurrent computation~ pre-
vents inherently global analysis techniques from scaling up. For flowgraph
models, the rapidly developing theory of process algebras [Hennessy 1988;
Hoare 1985; Milner 1989] provides a foundation for hierarchical analysis.
Yeh and Young have exploited algebraic structure to decompose reacha-
bility analysis of a graph model which is close to Taylor’s reduced flow-
graph model [Yeh 1993; Yeh and Young 1991]. The correspondence be-
tw,een flovvgraph rnoclels and Petri net models of Ada tasking suggests that
the same approach should be applicable to hierarchical analysis with Petri
2The complexity is manifested as the “state explosion problem” for reachability analysis.
However, as with other intractable problems, the complexity is inherent to the problem rather
than the solution technique. (We can take deadlock detection as a representative problem for
which NP-completeness and PSPACE-completeness results abound [Apt 1983; Ladner 1979;
Smolka 1984: Taylor 1983]: race detection and a number of other problems in concurrency
analysis have identical lower bounds. ) The complexity may be manifested in other forms fm-
other analysis techniques, e.g., an analysis algorithm requiring time polynomial in the number of
processes must either be less accurate than reachability analysis or apply to a more-restricted
class of programs or properties.
ACM Transactions on Software Engineering and Methodology, Vol. 4, No 2, Aprd 1995
174 . Mauro Pezze et al.
nets. We recall the essentials of a cate gory-theoretical treatment of nets to
show how compositional analysis may be ap plied with nets.
1.1 Outline of the Article
Section 2 reviews representative graph-based models that have been used for
reachability analysis of programs in Ada-like languages: task flowgraphs3
and concurrency graphs, as they are introduced in Taylor [1983], task inter-
action graphs (TIGs) and task interaction concurrency graphs as introduced
in Long and Clarke [1989], and Petri nets and reachability graphs as intro-
duced in Murata [ 1989], Peterson [1989], and Reisig [1985], This material is
provided to make the article self-contained; readers familiar with these
models may wish to skim or skip Section 2.
Section 3 describes the correspondence between flowgraph models through
reference to a general model, which allows their significant differences to be
isolated. We show that a primary difference is in the treatment of internal
choice and assess the impact of this difference on performance. In Section 4
we show that the main difference between Petri nets and Taylor’s reduced
flowgraph model is the point in analysis at which communicating actions are
matched (static versus dynamic matching). Pragmatic reasons for choosing a
Petri net representation or a more-specialized flowgraph representation,
including the applicability of reduction techniques, are also discussed. Section
5 considers the suitability of graph models for hierarchical analysis with
reductions based on algebra, a necessary condition for reachability analysis
that scales to systems with many tasks. Adapting flowgraph models to permit
application of algebraic theories of concurrency to reachability analysis is
outlined first, followed by a similar application of category theory to nets.
Section 6 summarizes the main factors that affect a choice among the models.
Details of task flowgraphs, task interaction graphs, and Petri nets are
relegated to Appendix A.
2. RELATED WORK
This section recalls the models used for reachability analysis of concurrent
programs and outlines alternative analysis techniques. Detailed definitions of
concurrency graphs, as defined in Taylor [ 1983], task interaction concurrency
graphs, as described in Long and Clarke [ 1989], and Petri nets are provided
in Appendix A.
2.1 Reachability Analysis of Concurrent Programs
Two broad classes of models have been used for supporting reachability
analysis of programs: flowgraph-based models [Apt 1983; Clarke et al. 1986;
3In Taylor [1983] task flowgraphs are called simply flowgraphs; the name task flowgrapks has
been introduced here to avoid confusion with definitions that appear later in the article and will
be used consistently through the article to refer to flowgraphs as defined in Taylor [ 1983].
ACM Transactions on Software Engmeermg and Methodology, Vol, 4, No, 2, April 1995.
ReachabilRy Analysis . 175
Long and Clarke 1989; McDowell 1989; Smolka 1!384; Taylor 1983] and Petri
nets [Morgan and Razouk 1987; Shatz and Cheng 1988; Shenker et al. 1986].
The use of flowgraph-based models for analyzing concurrent programs was
first presented in Taylor [1983], which defined task flowWaphs and concur-
rency flowgraphs. An improved model is described in Long and Clarke [1989]
that defined task interaction graphs (TIGs) and task interaction concurrency
graphs (TICGS). An algorithm for reachability analysis of Petri nets was first
presented in Karp and Miller [1.969]. Reachability analysis of Petri nets has
been used for anal yzing concurrent programs by several authors [Beaven et
al. 1991; Morgan and Razouk 1987’; Shatz and Cheng 1988; Shatz et al. 19901.
Task flowgraphs and TIGs have been defined as models of the Ada task
systelm. In this article, Ada represents only a common concrete point of
reference; similar techniques can be defined for other concurrent languages
with rendezvous synchronization. In this article, we consider only a subset of
Ada. The considered subset of Ada is described in Appendix A.
Tad. Flowgraphs and Concurrency Graphs. A task flowgraph represents
the structure of a single Ada task, abstracting all the aspects that are
unnecessary for determining possible sequences of synchronization activities.
For present purposes a synchronization activity is an entry call, an acceptstatement, select, select-else, task-begin, or task-end.4 A task flowgraph can
be obtained from an annotated flowgraph produced by a compilation system
by ignoring all the nodes representing statements not involved in determin-
ing synchronization activities. As an example, the task flowgraphs corre-
sponding to the Ada tasks of Figure 1 are presented in Figure 2. Notice that
the loop of task T 1 is explicitly represented, because it contains a syn chro-
nization statement (a selective wait).
Nodes of task flowgraphs representing synchronization activities are called
state-nodes; a state-node n‘ is called a successor of a state-node n, n‘ E
SZLCC( n), if there is a path from n to n‘ such that there is no state-node
between the first and last node on the path. (Informally, this means that a
single step of a task in a modeled execution may involve several “internal”
steps through control branches and other nontasking activity.)
An Ada program can be represented by the set of task flowgraphs corre-
sponding to the tasks in the program. The execution space of an Ada program
can be described by a concurrency graph, a flowgraph where nodes, also
callecl concurrency-nodes, are k-tuples of state-nodes, one node for each task
i%wgraph, and edges represent actions (state transitions) in the program.
A concurrency graph is a kind of reachability graph, where nodes represent
states of executions, and arcs represent possible transitions in the system.
dTo be precise, Ada rmdczvous must be modeled by two steps (engage and finish) for the generalcase mc]udmg synchronization activities within accept bodies Each of the models di scussed in
this article provides a special-case optimization for rendezvous without nested synchronization.
Since this consideration is essentially independent of tbe graph model used, wc present only the
“optimi zeal” form to keep the examples as simple as possible.
ACM Transactions on Software Fmgneermg and Methodology, Vol. 4. No. 2. April 1995
176 . Mauro Pezze et al
with text io;
procedure main istask TO;task T1 is
entry P;entry Q;
end Tl;task T2;
task body TO isbegin --(1)
T1 .P; --(2)end TO; --(3)
task body T 1 ispackage boolean_io is new text_ io.enumeration_ io(boolean):
done: boolean;begin --(4)
loop --(5)select --(6)
accept P; --(7)or
accept Q; --(8)end select;boolean_ io.get(done);
exit when done;end loop; --(9)
end Tl; --(lo)
task body T2 isbegin --(11)
T1.Q; --(12)end T2; --(13)
beginNULL;
end main;
Fig. 1, A simple Ada program,
Task TO Task T1 Task T2
10 begin
12-TIP
{30 end
40 begin lB begin
Ilz~ T1. Q
1130 end
I
+10. end
Fig, 2. Task flowgraphs corresponding to the Ada program of Figure 1.
ACM Transactlcms on Software Engineering and Methodology, VO1 4, No 2. April 1995
Reachability Analysis . 177
<1,6,
<2,6,
13>
:1,4,12>
<3,6,13> <3,10,13>
Fig.3. Theconcurrency graph corresponding tothe Adaprogram of Figurel.
As an example, the concurrency graph corresponding to the Ada program of
Figure 1 is shown in Figure 3. Nodes in Figure 3 are labeled with triples
describing the state of the three tasks. Note that the transitions in the
concurrency graph correspond to the successor function rather than the task
flowgraphs per se. For instance, the execution of the begin statement of Task
T1 corresponds to the flow from the initial node (1, 4, 11) to node (1, 6, 11)
in one step; node 5 in the flowgraph of Task T1 is not considered.
Task Interaction Graphs and Task Interaction Concurrency Graphs. Task
interaction graphs (TIGs) and task interaction concurrency graphs (TICGS)
were introduced for reducing the size of task flowgraphs and concurrency
graphs. TIGs are defined starting from a division of the statements of a single
task into regions called task regions. A task region is a portion of code that
starts from the task-beg in, or from a statement that can immediately follow
the execution of an accept or an entry call, and ends with an accept or an
entry call or with the end statement of the task. As an example, the task
regions for the Ada program of Figure 1 are shown in Figure 4.
A task interaction graph (TIG) is a flowgraph whose nodes correspond to
the task regions and whose edges represent task interactions, i.e., flow of
control between task regions; edges are labeled with the type of represented
interaction. The initial node is the task region corresponding to the begin
statement, and the final nodes are those regions in which the task-end
statement appears. The nodes of TIGs will be also called TIG-nodes. TheTIG-node corresponding to the initial region of the task is called the initial
TIG-node of the TIG. The TIG-nodes corresponding to regions of the task
where the execution may end are called final TIG-n odes of the TIG. The TIGs
ACM Transactions on Software Engmeerlng and Methodology, Vol 4, No 2, April 1995
178 . Mauro Pezz& et al
E3y”n5
l—f!rlulrf’f,{,,l
mk body T 1M
1
lII,lW[packaged... bmiwn
KJgmn
1
mlllul
m.tdhk body T2 I, “K’[]n
3 IU(>pKk’1 6 begin
.’,.spt P,
––––J––- ‘ E
T Q,,),
L.C.P1Q,ml <elect
7end T2,
hoolm.,c Ea(dmeJ 4 boolean_w get(do”ej
e>,! when dune, CM when don.end loop md loop,
end T I end Tlft”ul
Imp kn>p re~,<,tl
,.1,,1 select.x.qlt P d“ep! P,
,,r <,,
&L~LI[Q _ W+ Q,
end ,,l.. !, end \eleLt
Fig. 4 Task regions in the Task Interaction Graph (TIG) model of the Ada program of Figure 1.
Regions are single entry, which causes duplication of the loop body.
Task TO Task T1 Task T2
11
T1. P
2e
Fig, 5. Task
w3A
AA!!?
accept P accept Q
accept p
5 4
accept Qaccept P
accept Q
interaction graphs (TIGs ) for the Ada program
T6
1
T1. Q
70
of Figure 1.
corresponding to the Ada program of Figure 1 are shown in Figure 5. Final
TIG-nodes are indicated by a double circle.5
An Ada program can be represented by means of the set of TIGs corre-
sponding to the tasks of the program. The execution space of an Ada program
represented as a set of TIGs can be represented by means of a TICG, a
flowgraph whose nodes are tuples of TIG-nodes, one for each TIG in the
program, and edges corresponding to the possible interactions between tasks
in the program. As an example, the TICG corresponding to the Ada program
of Figure 1 is shown in Figure 6. TICG-nodes are labeled with triples that
describe the state of the three tasks that comprise the Ada program. Note
that state (2, 5, 6) is a potential deadlock (the loop could be executed exactly
once), but the node representing this state has out-edges. Additional inform a-
51n the full TIG model, including task initiation and termination, final TIG-nodes would have no
out-edges Even m the full model, though, the control branch to the end statement is not
represented by an edge; only the actual termination, which is a kind of task interaction, is
represented.
ACM Transactions on Software Engineering and Methodology, Vol 4, No. 2, Aprd 1995
Reachability Analysls . 179
<1,3,6>
/“@\<2,5,6- 0 <1,4,7>
1<2,4,7@ L● <2,5,7>
Fig. 6. The task interaction concurrency graph (TICG) corresponding to the Ada program ofFigure 1.
Fig.7. APetrinet corresponding tothe Adaprogram of Figurel
tion that must be associated with TIG edges to determine potential deadlocks
is describedin Section 3.2,
Petri Nets, Petri nets were originally proposed as a model for representing
and analyzing concurrent systems (not necessarily software). They have also
been used for representing and analyzing Ada programs [Mandrioli et al.1985; Morasca and Pezz& 1989; Shatz et al. 1990]. A Petri net is a bipartite
graph; the two set of nodes are called places and transitions. Tokens are usedto mark places to indicate the current state of the net. As an example, one
possible representation of the Ada program of Figure 1 is presented in Figure
7. In ~Figure 7 transitions represent actions; places represent conditions; and
arcs give the relations between conditions and actions. Transitions are la-
beled for the reader’s convenience according to their correspondence to the
statements of Figure 1.
Different algorithms for obtaining a Petri net from Ada programs can be
defined, resulting in different representations. The translation chosen in the
ACM Transactions on Software Engmeermg and Methodology, Vol 4, No. 2, Aprd 1995
180 . Mauro Pezze et al,
example of Figure 7 models only control flow and synchronization and is
similar to that used by Shatz et al. in the TOTXL system.G The net models of
Mandrioli et al. [1985] and Beaven et al. [1991; 1992] are also similar in their
essentials; the latter is a colored net model but can in principle be unfolded
into a conventional Petri net,
The set of places connected to a transition t by an arc entering t is called
the preset of transition t and is indicated as “t.Similarly, the set of places
connected to a transition t by an arc exiting t is called the postset of
transition t and is indicated as t‘.
The dynamic behavior of a system modeled by means of a Petri net can be
represented by a firing rule, which describes the effect of actions on the
marking of the net. A transition is enabled in a marking if there is at least
one token in each place of its preset. The firing of a transition t enabled in a
marking m removes a token from each place of “ t and adds a new token in
each place of t”.The set of markings reachable from the initial marking by
means of a finite number of firings is called the reachability graph of the
Petri net.
The reachability graph of the Petri net of Figure 7 is presented in Figure 8.
The labels associated with the nodes of the reachability graph of Figure 8
represent the places that are marked in the corresponding Petri net.
A Petri net is safe if for each reachable marking the number of tokens in
each place is at most one. From the reachability graph of Figure 8 it is easy to
verify that the Petri net of Figure 7 is safe. It is always possible to represent
an Ada program composed of a fixed number of tasks by means of a safe net.
Intuitively, if the number of tasks in the program is bounded, it is possible to
represent the tasks by disjoint sets of places and the state of each task by a
single token. In the net of Figure 7 places p., p ~, and p ~ represent the set of
possible states for task TO; places p~, pb, p~, p~, and p ~ represent the set of
possible states for task T 1; places p8, pg, and p lo represent the set of set of
possible states for task T2. Since each place represents the state of exactly
one task, only the token corresponding to such a task can mark that place.
The resulting net is thus safe.
2,2 Other Models of Ada Tasking
The models discussed above are representative of those used for reachability
analysis and will serve to illustrate important design decisions to be faced in
extracting such models from concurrent programs. Other analysis techniques,
also based on graph models, can be applied for some of the same problems,
but the important tradeoffs may be different. Although the remainder of this
GThe Petri net model produced by T’OT’fi has inconsequential differences owing to a construc-
tion mechanism based on merging places from templates instantiated for each statement.
TOTAL also inserts auxiliary places to help with bookkeepmg (e.g., a place that remams marked
while a rendezvous is engaged, so that queries can refer to this one place rather than several).
The consequence of this difference is that TOTAL’s nets are safe but not conservative, while the
net models we will produce are conservative (the total number of tokens is preserved by every
transition firing); this is an unimportant difference in the context of this article.
ACM TransactIons m Software Engineering and Methodology, Vol 4, No 2. April 1995
Reachability Analysis . 181
<Po
<PI
<PO, P6, P1O> <Pi, P4, P9>
,P4, P1O>O
I
<Pi, P7, P1O><P2, P4, P
t<P2, P5’, P1O*
<P2, P6, P1
<P2, P7, PI
Fig. 8. The reachability graph of the Petri net of Figure 7,
article is focused exclusively on models for reachability analysis, we briefly
review some alternative approaches and models here.
Invariant Analysis. Petri nets have an extensive theory, from which has
grown multiple analysis techniques. One of these is analysis using net
invariants, which involves finding integer solutions to a set of equations
representing a net [Peterson 1989]. In the worst case the analysis is still
exponential, but some nets with very large state-spaces can be analyzed in
reasonable time. For detection of circular waits, invariant analysis is pes-
simistic (may report potential waits that do not occur), but the solutions
generated may be used to guide and prune a reachability analysis. Such
potential synergism between techniques favors models like Petri nets for
which multiple analysis approaches have been developed.
Constrained Expressions. The analysis of constrained expressions
[Avrunin et al. 19861 represents possible interactions among tasks by a set ofinequalities relating counts of event occurrences. System descriptions for
constrained-expression analysis are customarily written as extended regular
expressions but are equivalent to automata that may be considered as analternative graph model for analysis. Additional inequalities represent unde-
sirable behaviors, e.g., deadlock, and a minimum (shortest trace) solution is
sought to the complete system of linear inequalities. Absence of a solution
ACM TransactIons on Software Engineering and Methodology, Vol. 4, No, 2, Aprd 1995,
182 . Mauro Pezze et al.
implies absence of the undesirable system behavior, Algorithms used in the
linear programming part of constrained-expression analysis could in principle
be exponential, but acceptable performance has been obtained for systems
well beyond what would be possible using exhaustive state enumeration
[Avrunin et al. 1991], particularly in systems with many identical tasks. The
analysis is pessimistic, but a solution to the equations can be used in a
heuristic search for an erroneous behavior in the program state-space.
BDD-Based Symbolic Model Checking. Binary decision diagrams (BDDs)
[Bryant 1986], which are (usually) extremely dense encodings of boolean
functions, can be used to encode a transition relation symbolically. A proposi-
tional temporal logic formula may likewise be encoded in a BDD, and the two
may be combined to verify the formula [Burch et al. 1990]. The worst-case
complexity of BDD-based symbolic checking is exponential, and practical
examples with (provably) no polynomial-space BDD encoding are known; but
very promising results have been obtained for sequential circuits and other
parallel systems with regular structure.
The usual approach in representing a system of several tasks in a BDD is
to represent each individual task essentially by enumerating states and
transitions, but to represent their parallel evolution by encoding the next-state
rule rather than enumerating states [Enders et al. 1991]. Individual transi-
tion sequences may be implicitly explored when the system representation is
combined with a specification formula, but it may also happen that the
combination of a very regular system with a specification implicitly explores
large classes of possible sequences together, without exploring each individu-
ally,
The limited empirical evidence on efficacy of BDD-based symbolic model
checking for analyzing programs suggests that it can be more or less efficient
depending on the structure of the program under analysis [Corbett 1994;
Ratel et al. 1991], In principle one could encode any of the graph models
considered here using BDDs, by encoding their transition rules. In practice
the tradeoffs may be quite different: in the discussion which follows we will
consider the number of distinct states and transitions that must be explored
as a critical property of graph models for reachability analysis; for BDD-based
analysis the absolute size of a state-space may be less important than its
regularity.
Conservative Flow Analysis. A quite different approach, but with some of
the flavor of constrained expressions and Petri net invariants, is conservative
polynomial-time approximation of concurrent behavior using flow analysis.
Masticola and Ryder [ 1990; 1991] have developed a hypergraph model of Ada
programs together with a set of necessary conditions for deadlock. Only
specific deadlock conditions that can be analyzed using polynomial-time flow
analysis algorithms are detected in the analysis. Dwyer and Clarke [ 1994]
have generalized these techniques to a more-general class of safety proper-
ties. Conservative flow analysis is the only approach considered in this
section with guaranteed polynomial time and space requirements; the price of
course is pessimism, e.g., reports of deadlocks when none can occur.
ACM Transactions on Software Engineering and Methodology, Vol 4, No 2. Aprd 1995
Reachablllty Analysis . 183
Summary of Alternative Models. We do not expect any of the alternative
models to displace reachability analysis completely, although each is clearly
more effective for some problems. We do expect a reasonable toolkit for
analy,is to provide several analysis capabilities and that more-conservative
nonenumerative approaches may be attempted before one resorts to state-
space exploration. Except for symbolic model checking, each of the alternative
analyses is more pessimistic than reachability analysis. Except for conserva-
tive flow analysis, each approach is based on an underly ing graph model
that, in principle at least, might be used also for reachability y analysis. One
might therefore consider suitability for nonenumerative analyse s as a crite-
rion in choosing a graph model for reachability analysis. However, as we have
noted,, the performance considerations in choosing a graph model for reacha-
bility analysis may be quite different from those for nonenumerative tech
niques, since the latter are less sensitive to the size of a state-space and mo
re sensitive to its regularity.
Modular, hierarchical analysis, addressed in Section 5 with regard to
reachability analyses, will be important to other analyses, including even
polynomial time analyses, for systems of sufficient size.
3. LA13ELED FLOVVGRAPH MODELS
Both task flowgraphs and task interaction graphs are annotated graphs
whose! definition refers to the Ada task semantics. However the two models
are difficult to compare, since their definitions are based on different aspects
of the Ada task semantics (synchronization activities for task flowgraphs,
task regions for task interaction graphs). To compare the two models, we
refer to a common model—labeled flowgraphs-that expresses the essential
semantics of the two approaches. Besides providing a basis for comparison,
labeled flowgraphs replace the informal semantics of task flowgraphs as
described in Taylor [1983] by a simple and precise operational semantics.
Labeled flowgraphs are used later in this article as a basis for comparing
these models with Petri nets.
The translation highlights a key difference between the two models consid-
ered, as well as other models of rendezvous concurrency. Task flowgraphs
represent internal choice using internal moves (similar to the ~ action of CCS
[Milner 19801), while task interaction graphs represent internal choice as aproperty of task states (similar to acceptance sets [Hennessy 1988] or refusals
[Brookes et al. 19841). We show that the latter choice is chiefly responsible forthe performance advantages claimed for task interaction graphs and that this
advantage is bought at the expense of a considerably more complex check for
potential deadlock at each state in the reachability graph.
3.1 Labeled Flowgraplw and Concurrency Flowgraphs
To give a general rule for building reachability graphs from sets of labeledflowgraphs derived in different ways from Ada programs, we introduce a set
of labels, similar to the labels used in process algebras for modeling elemen-
tary alctions [Baeten and van Glabeek 1987; Bergstra and Klop 1984; Milner
ACM Transactions on Software Engmeermg and Methodology, Vol 4, No. 2, April 1995
184 . Mauro Pezze et al,
1989]. The correspondence with process algebras is discussed in greater detail
in Section 5.1.
Definition 3.1.1 ( Actions). Let L = 2 u z u H be a finite set of elements
called actions. 2, called the set of names, and ~, called the set of conames,
are subsets of L such that names o = Z are in one-to-one correspondence
with conames 6 E z. G is called the complementary action of u. By a small
abuse of notation, we denote the union of this bijection and its inverse as a
function “bar” of one argument, so that ~ = a. H is the set of noncommuni-
cating actions, and the distinguished element q = H is called the silent
action.
We write 2, ~, or H where no confusion arises about which set L they are
taken from,
Definition 3.1.2 (Flowgraph ). A flowgraph is a 4-tuple G = (N, A, s, T)
where
—N is a finite set of elements called nodes,
—A c N x N, called the edges,
—s = ~, the distinguished start node,
—T c N, the set of terminal nodes.
Definition 3.1.3 ( Labeled Flowgraph). A labeled flowgraph is a 6-tuple
G=(N, A, L,s, T,l) where
—N is a finite set of elements called nodes;
—L = Z u % u H is a set of actions;
—A c N X N X L is a set of labeled edges. We write n ~ n’ to indicate that
there is an edge from n to n‘ whose label is x.
—s e N, the distinguished start node;
—T ~ N, the set of terminal nodes.
The presence of complementary actions in different labeled flowgraphs
allows the identification of corresponding synchronization actions in different
processes,
Definition 3.1.4 ( Reachability Graph). Given a domain N, a distinguished
start node nO = M, and a successor relation r L N X N, the reachabilitygraph is the smallest flowgraph G = ( ill, A, n ~, T ) such that (1) A/f G N, (2)
ifn, =iWand(nl, nJ) ~rthen(nl, nj) ●A,and(3)ifn J~lW and ~nj~ill
such that (n,, ~z~) ● r, then n, = T.
For reachability graphs built from flowgraph models, the domain of nodes
will be the cross product of nodes from individual flowgraphs, while for safe
Petri nets the domain of nodes will be the powerset of Petri net places. The
relation r may connect some unreachable nodes to other unreachable nodes,
hence the definition of a reachability graph as the smallest graph meeting
the conditions described above.
ACM TransactIons on Software Engmeermg and Methodology, Vol. 4, No. 2, Aprd 1995
Reachability Analysls . 185
Task T1
begi7
. . . . . . . . . . . . Fig. 9. The labeled flowgraph corre-. . . . ...”
,.. . spending to task T1 of the Ada pro-...
Pgram of Figure 1 for task flowgraphs.
Bold arcs indicate labeled flowgraphs
c
for task T1 of Figure 1, while dotted
... 0“1, accept (P) ,.oaccept (Q) arcs recall the task flowgraph of task. . . ,.... . . . ..,, 7’1 in Figure 2,. . ..’”
. ...,P
end
De&inition 3.1.5 (Program). A program is a finite set of labeled flowgraphs
sharing the same set of labels.
Definition 3.1.6 (Concurrency State). Given a program P = {( N,, Ai, L, s,,
T,, Li) I 1 s i s k}, a concurrency state is a k-tuple (nl, . . . , n~ ) of nodes, one
for each labeled flowgraph in the program; a concurrency state N’ =
( n~, . . . . n~ ) is a successor of a concurrency state N = ( nl,..., nk ) if and only
if either q i ,j such that
or 3 i such that
(1) ‘dp # i(nj = nP)
(2) 3X G H(n, ~ n;).
The initial concurrency state is the k-tuple ( SI, . . . . sk ).
Informally a concurrency state represents a global program state as a tuple
of local process states. The successor relation moves a pair of processes
through edges labeled with an action and a matching coaction or moves a
single task through a noncommunicating action. The concurrency flowgraph
is the reachability graph with the domain of nodes being concurrency states,
the initial node being the initial concurrency state, and with the successor
relation of Definition 3.1.6.
Task Flowgraphs as Labeled Flowgraphs. A syntax-directed construction
of labeled flowgraphs from structured Ada programs is straightforward. We
illustrate the key aspects through a simple example: the labeled flowgraph of
task Tl of Figure 1 (see Figure 9).The labeled flowgraph models obtained from an Ada program do not
correspond directly to task flowgraphs but to the successor relation in the
task flowgraph model. The concurrency graph for the labeled flowgraph
ACM Transactions on Software Engineering and Methodology, Vol 4, No. 2, Aprd 199.5.
186 . Mauro Pezze et al,
Fig 10. The labeled flowgraph corresponding to task T 1 of the Ada F()
Tprogram of Figure 1 for the TIG model, The TIG shown in Figure 5
can be easily obtained from
splitting the TIG-nodes.
the TIG shown m this figure by suitably
FM / -6
model corresponds to the reachability graph for the task flowgraph model of
the same Ada program.
In Figure 9, arcs represent synchronization actions (accept statements and
task-begin). A select statement is represented with arcs with different labels
leaving the same node. For example arcs ~ and @ from node select to node
select represent the two choices of the select statement of task T 1 of the Ada
program of Figure 1. A conditional statement is represented by arcs with the
same label, leaving the same node. For example the two arcs labeled ~ both
leaving node select represent the loop-exit statement of the Ada program of
Fig-are 1, After accepting a call on P the task can either terminate, if it exits
the loop, or wait for accepting a further call within the same loop. The
representation of conditional statements is the key characteristic of task
flowgraphs. Its implications are discussed later in this section.
TIGs as Labeled Flowgraphs. The TIG model can similarly be represented
by labeled flowgraphs. A syntax-directed construction of labeled flowgraphs
from structured Ada programs is straightforward. We illustrate the key
aspects through the same example used in the paragraphs above: the labeled
flowgraph of task T1 of Figure 1 is shown in Figure 10.
In Figure 10, conditional statements are not represented with the layout of
the graph: the possible termination of task T 1 after each iteration of the loop
due to the exit statement is implicitly coded in “edge groups” associated withnodes. The use and implications of “edge groups” are described next.
3.2 Internal Choice and Potential Deadlock
Potential deadlock is among the most-important program properties that
reachability analysis techniques are used to detect. One may intuitively
expect that deadlock is manifested by a terminal node in a reachability
graph, but this is not always so. In particular, the deadlocks that result when
task T 1 of Figure 1 executes its loop body exactly once are represented by a
terminal node in the reachability graph constructed from the task flowgraph
model (nodes (3-10-1 2) and (2-10-13) in Figure 3), but are represented by
nonterminal nodes in the reachability graph (TICG) constructed from the TIG
model of the same program (nodes (2-5-6) and ( 1-4-7) in Figure 6). The TICG
folds together deadlocked states and nondeadlocked states, resulting in a
smaller state-space but a nontrivial procedure for checking for possible
deadlock at each reachability graph node. The difference is a direct conse-
ACM TransactIons on Software Engineering and Methodology, Vol. 4, No 2, Aprd 1995,
Reachablllty Analysm . 187
Task TA
if C then
accept X;
else
accept Y;
end if;
Task TA’
select
accept X;
or
accept Y;
end select;
Task TB
TA.X;
Fig. 11.. Potential deadlock: Ifversus Select, Tasks TA and TB candeadlock, butreplacmg TA
by TA’removes thepossibility of deadlock.
quence of the treatment of so-called’’internal choice,’’ i.e., arbitrary schedul-
ing and control-flow choices.
Silent Moues. ‘I’he most-common treatment of the internal branching
structure of a process is to model “silent moves” explicitly (e.g., the 7 action in
CCS or the q action in our general flowgraph model). The task flowgraph
model takes this approach, producing different graphs for Ada select and if
statements. Although the successor relation “skips over” these internal moves,
the commitment to particular control-flow paths is preserved in the model in
the form of multiple edges with identical labels leaving a node.
Edlge Groups or Acceptance Sets. The task interaction graph model pro-
duces flowgraphs with no silent moves (q actions in our flowgraph model).
However, the distinction between select and if is essential and must be
maintained (see Figure 11). In fact, the flowgraph model as described so far
does not preserve enough information about the branching structure of
programs to detect potentially deadlocked states. Additional information
must be associated with flowgraph nodes to preserve this information.
NO ndeterministic choices in TIGs are modeled by edge groups, associated
with flowgraph nodes. Edge groups carry essentially the same information as
refusals [Brookes et al. 1984] or acceptance sets [Hennessy 1988] in process
algebras. Each out-edge from a TIG node belongs to a single group. (For
purposes of deadlock checking in the simplified TIG model used in this article
we treat termination as an out-edge leading to the final region. In the full
TIG model, termination is actually represented by an edge to a TIG-node.) An
edg e that is not part of a select statement will form a singleton group. A
select statement with no delay or else alternative will be rep resented by an
edge group containing one TIG edge for each select alterna tive. As an
example, Figure 12 shows the TIGs for the task fragments of Figure 11. The
structure of the TIGs corresponding to tasks TA (if statement) and TA’ (selectstate ment) is the same. The difference between the representation of the two
tasks is in the edge-groups associated with the node n 1. For task TA (if
state ment) node nl is associated with two edge groups, e.g., El and E2,
ACM Transactions on Software Engineering and Methodology, Vol 4, No 2, April 1995
188 . Mauro Pezze et al
TA(TA’ ) TB
Fig. 12. The TIGs for tasks TA, TA’, and 273 of Figure 11.
each containing one edge, e.g., X = El, ~ = E2. For task TA’ (select state-
ment) node n 1 is associated with one edge group, e.g., E3 containing both
edges ~ and ~. Node n4 is associated with one edge group E containing edge
X; nodes n 2, n 3, n5 are associated with empty sets of edge groups.
There are two kinds of edge groups: blocking and non blocking.7 Any task
interaction that is not a select alternative is a blocking edge group. Edges
corresponding to alternatives of a select statement without an else or delay
alternative form a blocking edge group. In a select statement with a delay or
else alternative, all select alternatives with the exception of the delay or elsemake up a nonblocking edge group. The else or delay alternative produces
one or more blocking edge groups, depending on subsequent control-flow. In
Figure 12 all groups are blocking, since the corresponding Ada tasks do not
contain select statements with delay or else alternative.
An infinite wait cannot occur in a program execution state in which a select
delay or else alternative is possible. However, it is a consequence of the way
TIGs (and our corresponding labeled flowgraphs) are constructed from Ada
programs that a TIG node cannot have only out-edges belonging to nonblock-
ing edge groups. Only blocking edge groups need be considered for purposes
of checking individual TICG-nodes for potential deadlock, Since nonblocking
edge groups are irrelevant for this check, in the sequel “edge group” or
“group” will mean a blocking edge group.This leads to a straightforward characterization of potential deadlock
which can be detected by inspecting individual TICG-nodes. To keep the
discussion short, we omit consideration of task termination (which requires a
special case only because we have omitted an explicit TIG edge for termina-
tion in this presentation).
Let Q be a TICG-node, composed of TIG-nodes {ql, qk }. Each q, has one or
more blocking edge groups. A selection of edge groups k a tupk (g], . . . , gk )
where each g, is a blocking edge group in q,. Q represents a potential deadlockiff there is a selection of edge groups such that there is no edge in any g, with alabel from G (the set of noncommunicating actions) and no pair of edges in
groups g,, g~, i # j with matching labels q, : qj and q~ ~ qj.
7In Long and Clarke [1989], blocking edge groups are called one-edge groups, and nonblockmg
edge groups are called zero-edge groups. We have modified the terminology to make the
discussion clearer
ACM Transactions on Software Engineering and Methodology, Vol. 4, No 2. April 1995
Reachablllty Analysls . 189
This leads immediately to a simple algorithm for determining whether a
TICG-node represents a potential deadlock:
Pc]tential deadlock := true;Fc)r each possible selectlon of edge groups,
If any action IS possible with that choice,potential deadlock = false.
In the example of Figure 12 tasks TA and TB can deadlock. The TICG-node
( nl, n4) for tasks TA and TB is a deadlock node; in fact the group selection
{E2, E} does not contain any pair of edges with matching labels (edge ~, the
only edge in E2, does not match edge X, the only edge in E). On the
contrary, the TICG-node ( n 1, n4) for tasks TA’ and TB is not a deadlock
node; in fact the only possible group selection ({E3, E}) contains a pair of
edges with matching labels (edge ~ E E3, edge X = E).The simple enumeration of edge group combinations is exponential in the
numlber of tasks, since if each of n tasks has two edge groups, 2” combina-
tions will be enumerated. In the worst case, assuming P # NP, we cannot do
much better than the brute force enumeration above for determining whether
an individual TICG-node represents a potential deadlock. A proof is available
in Pezz& and Young [1995].
3,3 F>ractical Consequences of Representing Internal Choice
While determining whether a TICG-node represents a potential deadlock is
more complex than the 0(1) check for outgoing edges in the concurrency
graplh model, in practice the problem size is small. In our experience with a
reachability analysis tool using the TIG model [Young et al. 1995], the
execution time expended in this cheek has varied from insignificant (in the
case of examples with no external choice) to approximately 2/3 of total time
for reachability graph construction and analysis.
It is easy to see that this additional complexity in checking each node is
compensated by reduction in the number of nodes to be checked. The worst
case, brute force enumeration of all combinations of edge groups explores
exactly the number of combinations that would be represented as distinct
nodes in the task flowgraph model, so the lower bound on checking for
deadlock at a TICG-node is also a demonstration that the concurrency graph
constructed from task flowgraphs may be larger than a TICG by a factor
exponential in the size of the program being analyzed. (The typical difference
is much smaller but still significant.) The worst-case time complexity of
constructing and checking the reachability graph is unchanged. Since space
rather than time is usually the limiting factor in reachability analysis
[Corbett 1994; Holzmann 1991; Young et al. 1995], the advantage goes to the
TICG model.
Mcwe generally, this suggests a performance advantage for models in which
deadlocked program execution states may not be mapped onto “dea@ states
in the intuitive manner. For example, if we model the Ada tasking system
ACM TransactIons on Software En~neerlng and Methodoloeq, Vol. 4, No 2, Aprd 1995
190 . Mauro Pezze et al
with Petri nets, we may not wish all deadlocked execution states to be
represented by dead markings of a net. This somewhat counterintuitive
conclusion is explored further in the next section.
Treatment of nondeterminism also impinges on other aspects of a graph
model. We have so far modeled task initiation explicitly (albeit in a simplified
form) in the task flowgraph model, while omitting it from the TIG model. This
is not an arbitrary convention: the closure operation that removes q edges
from the labeled flowgraph, corresponding to the successor function for task
flowgraphs, cannot be applied to graphs with internal nondeterminism pre-
ceding the first visible action unless we consider the resulting labeled flow-
graph to have multiple initial nodes.
Experience. The cost of representing internal choice with silent moves is
high in the worst case, but how often and under what circumstances does the
representation of internal choice have a significant impact on the cost of
analyzing real concurrent programs? If a task has only external choice (an
Ada task acting as a monitor to protect a data structure, for example) then
there is no difference at all. There is a small difference in the case of only
internal choice. We should expect the impact to be greatest where internal
and external choice are combined, causing a multiplicative effect in represen-
tation of states. Experience applying analysis tools to the Chiron user inter-
face development system is consistent with this expectation.
The Chiron user interface development system [Keller et al. 1991; Taylor
and Johnson 1993] comprises roughly 105 source lines of code and required
approximately 10 labor-years of effort. Version 1.4 of Chiron is widely dis-
tributed and used and is supported by a professional staff, i.e., Chiron is not a
toy example and was not designed to demonstrate analysis techniques.
Concurrency is pervasive in the Chiron architecture. The major run-time
components of Chiron are divided into a server and multiple clients in
separate Unix processes, and both server and client are made up of several
lightweight processes, most of which are Ada tasks.
Portions of the run-time environment of Chiron have been analyzed with
two prototype tools from the Concurrency Analysis Tool Suite, or CATS. The
first of these analyses of version 1.0 of Chiron is reported in more detail in
Young et al. [19951; a second analysis of the same system was undertaken
with another prototype tool primarily to evaluate and refine a hierarchical
(compositional) approach to analysis. We will refer to the first prototype as
CATS/A and the second as CATS/P, Among the differences between the twotechniques is the representation of internal choice: CATS/A uses the TIG
model, and CATS/P uses a model with silent moves. Although other differ-
ences between CATS/A and CATS/l? make it impossible to compare directly
the impact of representation on overall performance, we can fairly compare
the sizes of the graph models produced for each individual task.
The client side of a run-time Chiron environment, as it exists with a single
client “artist,” consists of 8 Ada tasks. Of these, 5 tasks are either determinis-
tic or have only internal nondeterminism; the flowgraph models constructed
ACM TransactIons on Software Engmeermg and Methodology, Vol. 4, No 2, Aprd 1995
Reachability Analysis . 191
using the two tools differ by at most a few nodes and edges for these tasks.
The remaining 3 tasks contain select statements with guards: an Ada con-
struct that inherently mixes internal nondeterminism for evaluation of guards
with external nondeterminism in waiting on the open entries. Large differ-
ences in graph sizes occur in representing these tasks. In fact, if a syntax-
directed tran slation of guarded entries were applied straightforwardly,
elaboration of all possible combinations of 12 guarded entries would have
added 212 = 4096 nodes to the representation of one of the tasks, which
would have made analysis impossible. It was actually modeled using a
different approachg which cause d only a factor-of-four difference between the
two representations (26 nodes in the TIG model and 106 in the model with
silent moves). The remaining 2 tasks with guarded accepts are much smaller;
each is represented by 3 nodes in the TIG model and 6 nodes in the model
with silent moves.
3.4 Detecting Race Conditions
Parallel or unordered data accesses can be detected by determining which
regions of program code execute concurrently in the program execution states
corresponding to reachability graph nodes. In the original TIG model as
presented in Long and Clarke [1989], the TIG model has a small advantage
over the task flowgraph model, in that each TIG node corresponds to a region
of program source code with a single entry point. Race analysis can therefore
be performed at each TICG-node by examining the program regions repre-
sented by the constituent TIG-nodes. In the task flowgraph model, source
code regions must be identified with task flowgraph edges rather than nodes,
and race analysis therefore involves consideration of the flowgraph edges
traversed in reaching a concurrency flowgraph node. The cost of assuring
unique entry points for code regions in the TIG model is high [Young et al.
1995]; if the final duplication step in the TIG construction is omitted, then as
in the task flowgraph model code regions must be associated with TIG edges
rather than nodes. Data access operations can be summarized for program
regions (in either the task flowgraph model or the TIG model without
duplication) using dataflow analysis. An analysis similar to auail is per-
formed first on the flowgraph model to determine which edges introduce
regions in which accesses to shared variables occur and then on the reacha-
bility graph to determine which processes may perform accesses in each node.
The ILatter analysis may be performed “on-the-fly” during graph construction.
For sequences of actions that are intended to appear atomic with respect to
other sequences, a similar approach can be used to mark all nodes that occur
8The approach we typically take in modeling such tasks is to model some data values, whichexpands the graph model but reduces the degree of internal nondeterminism. The tool we appliedperforms this conversion automaticall~ for details the interested reader is referred to Yeh [ 1993]and Yeh and Young [1993].
ACM Transactions on Software Engineering and Methodology, Vol 4, No 2, April 1995.
192 . Mauro Pezze et al.
within the sequence, provided the beginning and end of each such sequence
can be unambiguously determined in source code. Consider the case of a
variable which is protected by a lock only for individual read and write
accesses; we may wish to detect any overlap between a read-modify-write
sequence in one task with reads or writes of the same variable in another
task. A slightly modified liue analysis suffices to determine the flowgraph
regions between a read access and an update. This generalizes to groups of
variables in the obvious way. It does not suffice for recognizing all potential
nondeterministic execution, but concurrent programs are typically intended
to exhibit some nondeterminism.
4. MATCHING RULES, LABELED FLOWGRAPHS, AND PETRI NETS
In this section, we relate the flowgraph models considered so far to Petri net
models, highlighting the difference in when communicating actions are
matched. It is well known that Petri nets are strictly more powerful than
finite-state machines, while safe nets are identical in power to finite-state
machines. Recall that the Petri nets used for analysis of Ada tasking pro-
grams, as for instance in the models of Shatz and Cheng [19881, Beaven et al.
[1991; 1992], and Mandrioli et al. [1985] (when restricted to a bounded
number of tasks) are safe nets. Safe nets and labeled flow graphs are
identical in power from a purely formal viewpoint, both being forms of
finite-state machines. A more-interesting question is how safe nets and
flowgraph models differ with respect to practical aspects such as the difficulty
of deriving a model from a program, the size of the model derived, and (most
critically) the size of the reachability graph obtained and the complexity of
analyzing it.
4.1 Label Matching and Separate Compllatlon
Synchronizing pairs of actions (call/accept) must be matched at some point
in either model. Petri net models match actions during construction of the net
model, which we can call a static matching rule, while flowgraph models
match labels (conceptually at least) during construction of the reachability
graph (a dynamic matching rule). Petri nets are generally larger than
corresponding flowgraph models, because each potential synchronization
(call\ accept or sendireceive pair) is represented by a separate transition.
However, this does not impact the size of the reachability graph, so its impact
on overall performance is small.
Label matching at model construction can have another impact in analysis
of programs: it essentially requires that the model be constructed in a single
step from a whole program text, whereas flowgraph models can be con-
structed individually for each task. One way to provide separate translation
to a net model is to derive flowgraph models and then to use the construction
given here to derive net models. Another approach based on considering nets
as terms in an algebra will be presented in the following section.
ACM Transactions on Software En~neermq and Methodology, VO1 4, NO 2, April 1995
Reachability Analysis . 193
4,2 l-ranslating Labeled Flowgraphs to Petri Nets
The IIabeled flowgraph model can be easily translated into a Petri net. Given a
set of labeled flowgraphs representing a program, we obtain a (safe) Petri net
by applying the following rules:g
Construction 4.2.1 (Labeled Flow Graph. to Petri Net)
(1) For each node of each labeled flowgraph, add a place to the Petri net.
(iSince places will be in bijection with flowgraph nodes, we will use thesame names for both in the sequel).
(2) For each edge nl S nz in the set of labeled flowgraphs such that x ● H (a
noncommunicating action), add a transition t to the Petri net such that
“f = {nl} and t“= {nz}.
(3) For each pair of edges in the set of labeled flowgraphs, nl ~ nz and
n~ 3 n, (a matching pair of communicating actions), add a transition t to
the net such that “t= {nl, n~} and t-= {rzz,n4}.
(4) If node n is an initial node then the corresponding place is marked with
one token in the initial marking. If node n is not an initial node then the
corresponding place is not marked in the initial marking.
The Petri net produced by this construction will have exactly the same
number of places as there are nodes in the flowgraph model, but since each
labeled flowgraph edge may participate in many matches, the number of net
transitions may be larger (possibly quadratic). This has no impact on the size
of the reachability graph; essentially some of the label matching that is done
in the labeled flowgraph model while building the reachability graph is just
moved into an earlier phase of the analysis, i.e., label matching is performed
while creating Petri net transitions for each possible communication.
The construction ensures that the resulting Petri net reachability graph is
isomorphic to the reachability graph of the flowgraph model. (The initial
marking corresponds to the initial node of the flowgraph reachability graph,
and at each step the set of enabled actions corresponds and produces corre-
sponding states.) The size of the reachability graph therefore has little to do
with the choice of modeling formalism; the nature of the translation from
program texts is more important.
We have seen earlier that treatment of internal choice can have a dramatic
effect on reachability graph size. Although in principle Petri net models can
mimic either flowgraph model, nearly all proposed Petri net models of Ada
tasking (to our knowledge) use conflicting transitions to represent internal
choice in a manner similar to v edges in labeled flowgraphs corresponding to
—‘A similar construction for translating TIGs to Petri nets has been independently developed and
analyzed by Dwyer et al, [1995] and Forester [1991].
ACM Transactions on Software Engineering and Methodology, Vol 4, No. 2, April 1995
194 . Mauro Pezze et al.
the task flowgraph model. 10 For instance, in the TOTAL toolset [Shatz et al.
1990] an unevaluated if construct is modeled as follows:
+ ;,
/o\i
-....$.,.I else
fhen .-”-”-’..,. ,,,”;, “--...part
part ~’ ‘-..... $.,,..,. ....-..”-.s........--””.. ‘>,,.,,., -....”......’
\/ o
This is even less efficient than the task flowgraph model, since the individ-
ual transition firings will be recorded in the reachability graph. On the other
hand, many extraneous transitions that occur in the translation may be
removed by net reductions.
If a net were constructed corresponding to the TIG model, a program
deadlock would not necessarily correspond to a dead state of the net. This is
not only counterintuitive but would also limit one of the primary advantages
of using nets, namely, the existence of a mature body of theory and tools for
analyzing nets. For instance, the theory of deadlock-preserving reductions of
Petri nets WOU1 d no longer be applicable. Nevertheless, given the possible
savings in reachabi ity graph size, such a model is not completely out of the
question. Consider for instance an analysis with the sole aim of determining
whether an unsafe state or sequence of events can occur (dangerous parallel
access to a resource, for instance). A net based on the TIG model (or a similar
transformation of a net model, perhaps after applying other reductions)
sacrifices no modeling accuracy for improved performance in such an analysis(see Figure 13 for an example).
4.3 Advantages and Disadvantages of Nets
We can summarize the advantages and disadvantages of net models with
regard to flowgraph models of tasking behavior as follows:
Mature Theory and Tools. Petri nets were among the first general models
of concurrency, and both a body of theory and a set of mature off-the-shelf
analysis tools have grown up around nets, No comparable set of general tools
ACM Transactions on Software Engineering and Methodology, Vol. 4, No. 2, April 1995.
Reachability Analysis . 195
Fig. 13, The Petri net for the TIG model
corresponding to the Ada program of Figure
1. Places are numbered according to the
numbers of the TIG-nodes of Figure 5. For
tbe sake of simplicity we used the labeled
flowgraph illustrated in Figure 10 corre-
sponding to the TIG of task T1. Transitions
are labeled with the corresponding synchro-
nization action. This net is simpler than the
1“net of Figure 7 that represents the same
program. The reachability graph obtained for
this net applying the “classical” Petri net
reachability algorithm is also smaller than
the graph for the Petri net of Figure 7 (it
comprises 4 states instead of 24 as the
reachability graph of Figure 8). Unfortu-
nately we cannot deduce deadlock properties
of the Ada program from the reachability
graph for this Petri net, but we can check for
safeness.
yet exists for flowgraph models, although many tools for particular flowgraph
models have been constructed. A body of theory for labeled flowgraph models,
based on algebraic theories of concurrency, is growing rapidly but is less
mature than net theory.
Internal Choice and Reachability Graph Size. Net theory and net-based
tools detect or preserve properties of Petri nets. If properties of the Petri net
do not reflect corresponding properties of the program under analysis, then
net reductions and analysis may be meaningless with respect to the original
program. Thus if one wishes to retain the advantages of net theory and tools,
a representation of internal choice with extra transitions (corresponding to a
silent-move model) is forced. This results in larger reachability graphs than
are obtained from flowgraph models that associate additional choice informa-
tion with nodes, like edge groups in the task interaction graph model.
Hierarchical Analysis. Reachability analysis of either net models or the
flowgraph models considered so far is limited to analysis of a small number of
tasks, due to explosive growth in the size of state-space. For practical
analysis of real programs, one must at least be able to isolate and indepen-
dently analyze small subsystems. Preferably one should be able to compose
analysis results in a way that avoids combinatorial explosion. The next
secticm considers hierarchical analysis, first in the case of flowgraph models
(which are already very close to an algebraic model of concurrency) and then
in the case of Petri nets.
5. COMPOSITIONALITY AND ALGEBRAIC REDUCTIONS
5.1 Compositionality and Flowgraph Models
The primary limitation of reachability analysis techniques is an exponential
growth of the state-space (reachability graph size) as the number of tasks
ACM Transactions on Software Engineering and Methodology, Vol 4, No, 2, Aprd 1995.
196 . Mauro Pezze et al.
Table I. Com~ositlonal Versus Global Reachability Analysis Dimng Philosophers
States Enumerated
Phdosouhers Global Compositional
3
4
5
6
7
8
9
102040
6080
100
12
33
98
302
941
2945
9237
29010
24
3852
66
8094
108
122262542
82211021382
increases. Theoretical results imply that the exponential complexity cannot
be avoided in the worst case [Apt 1983; Ladner 1979; Smolka 1984; Taylor
1983], regardless of the analysis technique applied. Although even a naive
implementation of reachability analysis can find synchronization flaws in
systems beyond the capacity of designers to understand fully, in its conven-
tional form reachability analysis is limited to systems or subsystems consist-
ing of a few tasks (typically less than 10).
Since a global reachability analysis of a large, complex system is practically
impossible, it is essential to analyze portions of the system independently.
A compositional approach that combines results hierarchically from individ-
ual portions is required for scaling up reachability analysis to practical
systems. Reductions to equivalent (in the algebra) graphs must be applied to
intermediate results to avoid or limit state-space explosion.
The importance of compositional analysis to scalability is illustrated inTable I by the number of states explored in a global reachability analysis of
the classical dining philosophers problem and a compositional analysis of the
same problem. The compositional analysis includes reduction after each
combination step. The tool used for this comparison is capable of modeling
only 10 philosophers in a global analysis, but by alternating composition with
reductions in a hierarchical analysis it easily completes an exhaustive analy-
sis of 100 philosophers in a few minutes.
Hierarchical analysis of real programs is more difficult than analyzing
simple, regular examples like the dining philosophers. Organization of sys-
tems to facilitate hierarchical analysis is discussed in Yeh and Young [1994]
where it is illustrated by application to Sanden’s remote-furnace example. In
that case, attempts to analyze the original design failed due to an explosion
in the state-space. Several iterations of attempted analysis and redesign were
required, in the course of which several errors in the original design were
uncovered. The original design consisted of 8 Ada tasks for a version with 2
furnaces; the revised d ecomposes the design further into 19 tasks, with a
ACM TransactIons on Software Engineering and Methodology, Vol 4, No 2, April 1995
Reachability Analysis .
global state-space of approximately 2 X 1016 states, but the largest
constructed in the hierarchical analysis has just 444 states.
A compositional approach is necessary but not sufficient for scalable
197
graph
analy-
sis. It would be a critical advantage if one model were more suitable than
another for decomposing large systems into subsystems for analysis or for
hierarchically and incrementally composing analysis results.
The labeled flowgraph model introduced in Section 3 is already very close
to a labeled transition system that can be interpreted as a term in a process
algebra. We describe the small modifications necessary to achieve an alge-
braic structure for hierarchical composition, including simplification of inter-
mediate results when analyzing larger systems. Petri nets require somewhat
more modification for hierarchical analysis, but category theory provides the
necessary formal tools. The underlying theory is developed elsewhere and
repeated here only insofar as it is necessary background for the reader. The
contribution of the current article is not in adding to this body of theory but
in showing the relation between nets and flowgraph models with respect to
how algebraic theory may be applied to achieve scalable analysis.
5.2 Algebraic Treatment of Labeled Flowgraphs
For hierarchical analysis, it is essential that the product of analysis be in a
form that can be used in a further step in the analysis. For instance, in
formal verification of programs, we require the specification of a subroutine
to be in a form that can be used as an assumption when verifflng higher-level
routines. For reachability analysis from a labeled flowgraph model, it is
desirable to be able to treat the reachability graph as a labeled flowgraph. In
other words, we require reachability graph construction to be an operation
that maps pairs or sets of labeled flowgraphs to labeled flowgraphs.
We can easily interpret a reachability graph as a labeled flowgraph by
labeling reachability graph edges. For instance we can consider the label for
an edge representing rendezvous on actions a and ti as [a], where [a] E Hsince the rendezvous cannot participate in further synchronization. However,
the reachability graph construction considered so far is inherently global.
Consider again the simple example program, and imagine that for some
reason we wish to analyze first tasks TO and T 1 before adding task T2; a
reachability graph constructed from TO and T 1 alone is shown in Figure
14.11 The result of composing this intermediate result with T2 is not the
same as analyzing TO, T 1, and T2 together in a single step. Further
composing the flowgraph of Figure 14 with the task flowgraph for task T 2
does not correctly model the possibility of rendezvous on entry Q. In fact, the
communication labels of the edges of the task flowgraph of task T 2 do not
match any label of the flowgraph of Figure 14. Although we can syntactically
“In Figure 14, nodes are labeled referring to the labels of state-nodes of the task flowgraphs of
Figure 2. Edges are labeled with silent actions i (corresponding to the initialization of a task)
and [ ~D] (corresponding to the rendezvous between the two tasks). In the sequel we omit labels on
nodes if the understandability of the figure is not compromised.
ACM Transactions on Software Engineering and Methodology, Vol. 4, No. 2, April 1995.
198 . Mauro Pezz~ et al.
<1,4> i <1,6>
Fig. 14. Nonassociative composition of o~m
tasks ‘2’0 and 2’1. Progress of task 2’0 is
shown in the horizontal direction and
progress of task T 1 in the vertical direc- 11i i
tlon. This graph results when the usual
reachability analysis construction is ap-
plied to the task flowgraph models of a <2, 6>[P] <3,6>
portion of the system; it is of no use in ,~e~ e
analyzing the global behavior of tasks 2’0, <2/4>
T 1, and T2 together.
‘k
interpret reachability graph construction as a binary operator, it is not
associative or commutative.
In algebraic models of concurrency, associativity and commutativity are
achieved by defining a parallel composition operator (corresponding to reach-
ability graph construction) in a manner that preserves not only the possible
communications of the tasks being combined but also their remaining poten-
tial for independent interactions with additional tasks (e.g., the remaining
potential for task T 1 to communicate with task T2). These additional labeled
edges are maintained until they are removed by an algebraic operation of
restriction. In terms of our labeled flowgraph model, elements of H (the
noncommunicating actions) are no longer treated specially.
Figure 15 shows the composition of the labeled flowgraphs TO and T 1
using an associative composition operation. Both possible synchronization
actions and nonsynchronization actions are explicitly modeled in the reacha-
bility graph.
The price paid for associativity is an additional growth in the size of
reachability graphs to represent the individual evolution of processes as well
as their cooperation. Fortunately, the algebraic approach also provides mech-
anisms for simplifying intermediate products without affecting the final
results. For instance, in the example of Figure 15 only the arcs labeled with
actions ~ can potentially interact with task T2. Arcs labeled with ~ can be
removed (corresponding to a restriction operation in the algebra), and arcs
labeled with noncommunicating actions (including the rendezvous [ P]) can
be relabeled with the silent action q (corresponding to an abstraction opera-
tion in the algebra). Restriction is illustrated in Figure 16. The resulting
graph can be reduced as shown in Figure 17 before composing the simplified
result with T2. Details of composition and reduction differ depending on the
particular algebraic system used; these steps correspond to an interpretation
of labeled flowgraphs as terms in the algebra ACPV [Baeten and van Glabeek
1987; Bergstra and Klop 1984] as implemented in the CATS/P analysis tool
[Yeh and Young 1991]. If one were to begin with the TIG model, CSP
[Brookes et al. 1984] rather than ACP would be an appropriate underlying
algebra, because edge groups carry the same information as refusals.
ACM Transactions on Software Engineering and Methodology, Vol. 4, No, 2, Aprd 1995
Reachability Analysis . 199
Fig. 15. Associative composition of 7’() and T1. In this reachability graph construction, the
potential for 2’0 and 7’1 to interact independently with their environment (i.e., to synchronizewith T2) has been preserved, at the cost of a larger reachability graph.
Fig. 1.6. Restriction. The actions P and ~ are not used by task T2
environment), so edges labeled with those actions can be removed.
(or by the program
Key features of process algebras that provide compositionality and incre-
mentality to flowgraph models are
(1) An equivalence relation or preorder: The equivalence relation provides
mathematical support for transformation and simplification of processes.
l[somorphism is a trivial equivalence that certainly preserves all proper-
ACM Transactions on Software Engmeermg and Methodology, Vol. 4, No. 2, April 1995.
200 . Mauro Pezze et al,
Fig. 17. Reduction. After restriction and abstraction, the reacha-
bdlty graph of TO together with T 1 can be reduced before
combining it with T 2. The graph shown here was produced
automatically by the CATS\P tool [Yeh 1993; Yeh and Young
199 I] using ACP~ as the underlying algebra and observation
equivalence as the basis for reduction. If CATS\P is directed to
reduce the graph using a refusals model (testing equivalence),
these three nodes are collapsed to one.
ties of interest but provides no opportunity for simplification. A coarser
equivalence relation is preferable but must be chosen carefully to pre-
serve properties of interest (e.g., language equivalence preserves safety
properties but not potential deadlock). The equivalence chosen must at
least be a congruence with respect to parallel composition. An equiva-
lence based on a preorder (one-to-many relation between specifications
and conforming implementations) provides the greatest opportunity for
automatic and user-guided simplification.
The equivalence relation depends on the representation program fea-
tures in the flowgraph model and particularly on the representation of
internal choice, For instance, in Figure 17 we used observation equiva-
lence to simplify reachability graphs obtained from a model with silent
moves. The same equivalence would not have preserved potential dead-
lock if it were applied to a reachability graph obtained from a model with
edge groups (in the TIG model) or acceptance sets.
(2) A composition operator associative with respect to the equivalence rela-
tion: The associativity of the composition operator ensures that the order
of compositions of subsystems does not affect the final result.
(3) Restriction and abstraction operations for removing unnecessary detail:
In analysis of programs, restriction and abstraction are closely related to
encapsulation. For instance, the CATS/P analysis tool automatically
applies restriction at each scope wall to remove potential actions thatbecome inaccessible outside a scope.
Several tools have been constructed for experimenting with process alge-
bras and verification of finite-state systems [Cleveland et al. 1990; 1991;
Fernandez 1988; Malhotra et al. 1990]. Although these typically provide a
variety of algebraic manipulations, they can be used to perform reachabilityanalysis as a series of composition and reduction steps.
A full discussion of methodologies for hierarchical design and analysis of
concurrent programs is beyond the scope of this article, but we will describe
briefly some of the pragmatic issues in composing and simplifying subsystem
representations. Hierarchical and incremental analysis depends heavily on
program design and user guidance. Abstraction, restriction, and simplifica-
tion can be applied not only at scope walls but also at other points where it
can be determined that all potential communications involving a particular
ACM TransactIons on Software Engineering and Methodology, VO1 4, No 2, April 1995
Reachability Analysis . 201
event have been accounted for (so that, for instance, we did not need a scope
wall to determine that action ~ could be restricted before composition with
task T2, which does not contain P actions). Even so, the choice of an order to
compose modules is critical. Composing ‘TO with T2, and then composing the
result with T 1, provides hardly any opportunity for simplification. Likewise,
a program with insufficient encapsulation of the synchronization structure of
subsystems is unlikely to gain much from a compositional analysis, while a
carefi~lly layered design with available service specifications at each layer or
module boundary stands to gain most [Yeh and Young 1994].
5.3 Compositlonality and Petri Nets
If a hierarchical, incremental analysis were possible with labeled flowgraph
models but not with Petri nets, it would be a strong factor weighing against
Petri net models for reachability analysis of concurrent programs. Labeled
flowgraphs can be interpreted as models of terms in a process algebra, which
means we have a sound semantic basis for decomposing programs into
manageable chunks and composing analysis results. With careful encapsula-
tion we may also analyze properties of larger systems than can be accommo-
dated in a global analysis. We desire similar mechanisms for decomposing net
models of concurrent programs and composing analysis results.
In this section we will show that safe Petri nets may be composed in a
manner similar to the associative composition of labeled flowgraphs. The
formal basis for this manipulation relies on category theory. It is documented
in Meseguer and Montanari [1990] and Winskel [1984; 1987] but is not
wide] y known outside the community of category theorists, We present the
basic concepts informally and with an emphasis on its potential practical
application for analysis of concurrent programs. Related issues that (to our
knowledge) have not yet been worked out satisfactorily in categorical Petri
net theory are also discussed.
5.4 Algebraic Treatment of Petri Nets
In Section 5.2 we identified three main features needed to control the
complexity of reachability analysis: an associative composition operator, an
equivalence relation that is a congruence with respect to composition (or a
preorder that permits substitution in one direction), and restriction and
abstraction operat ions for eliding internal details of encapsulated subsys-
tems. A composition ope rator, restriction, and a congruence (albeit overly
fine) are provided for safe nets in the framework of category theory by
Wins,kel [1984]. Recall that safe nets are sufficiently powerful to represent
the class of systems for which reachability analysis is useful, so an algebraic
treatment of a more-general class of nets is not required.
Net Product. We begin with a product operation on safe nets (Figure 18).
Informally, the product of two nets contains all the transitions of the original
nets with the same preset and postset and a new transition for each pair of
ACM Transactions on Software Engineering and Methodology, Vol 4, No 2, April 1995.
202 . Mauro Pezze et al
.( O-’)p*‘n- ‘
I
+
i + “&tl,t,> ,,&t2, _JTtl
[
I “ ‘“L.J ‘“””
PI \P3 *1 ‘<
(. ) (, _,) ( )P3
.— —
(a) (b)
Fig. 18, Net product of two simple nets. (a) the pair of nets to be composed, (b) the product net
with a new transition for every pam of transitions from the two nets.
transitions in the original nets with the union of the presets and the postsets
of the original transitions. The transitions of the original nets represent the
actions of the original nets that can take place independently, while the new
transitions represent all the possible synchronizations among the actions of
the original nets. The set of places of the product of two nets is the union of
the sets of places of the two component nets.
It is possible to verify that the net product operation preserves the reacha-
bility sets of the components—i.e., a marking M is reachable in NI OIVz if
and only if PI(M) is reachable in IVl and P2( M) is reachable in IVz ( PI and
P2 are projections of markings onto the set of places corresponding to theselected component).
The net product constitutes a mechanism for composing nets, but it is not
useful in this form: subsystems communicate only on matching actions and
not on every pair of actions as represented by the net product. We need a way
of defining the set of communication actions. In Winskel [ 1984] this is
accomplished with a net restriction operation that deletes a subset of transi-
tions from a net, written N \ S’ to indicate that the set S c T is deleted. In
particular, we can delete from the product of two nets the set of transitions
representing mismatched communication (e.g., rendezvous of a call to entry A
with an accept of entry B). The net composition operator can be obtained
from the net product by deleting all the actions resulting from composition of
noncommunicating actions.
More generally, net restriction can be used to delete transitions represent-
ing potential for further communication when it can be determined that no
such communication can take place, just as the restriction operator for
labeled flowgraphs (illustrated in Figure 16) deletes arcs representing com-
municating actions that will not be matched with any external program
component. The use of the net restriction operator for encapsulation is
illustrated in Figure 19.
In Section 4, in Construction 4.2.1, we formed transitions for pairs of
matching labels in the translation from labeled flowgraphs to Petri nets in
rule (3). ‘I’he net composition operation performs the same static matching on
ACM Transactions on Software Engineering and Methodology, Vol 4, No 2, Aprd 1995
Reachability Analysis . 203
(* )
(a)
, k--- ______ + )+,, . --
(b)
Fig. 19. Net composition of individual Petri net
models of tasks in the example Ada program ofFigure 1. The nets of (a) represent tasks TO and
T1 of the example program, with transition
labels taken directly from the correspondinglabeled flowgraph model. The net of (b) is thecomposition TO IIT 1 of the two nets in (a), with
the convention that labels on transitions repre-senting synchronization (x, ~ ) are written as[ x]. Extraneous transitions produced by the netproduct are not produced by the net composition
operation, The net is restricted in (c) to remove
actions P and F, which are not needed forcomposition with task 2“2.
~[Pl ‘C+”
(’-” ‘&.- ...____..#! -*–.—.-
(c)
nets with labeled transitions, so it is now possible to form a labeled net
representation of each individual Ada task, independently, and then to
combine them with the net composition operation. We modify the translation
from sets of labeled flowgraphs to Petri nets (Construction 4.2.1) to apply to
individual labeled flowgraphs as follows: rule (2) is now applied to every
labeled edge, regardless of whether the label is in H, and the net transition is
given the label of the flowgraph edge.
(2’) For each edge nl ~ nz in the labeled flowg-raph, add a transition t tothe Petri net such that “t = {nl} and t“= {n2}.
Rule (3) will not produce any transitions when the translation is applied to
a single labeled flowgraph. In Figure 19 we illustrate the composition of
labelled net representations of tasks TO and T 1 from the simple Ada programof Figure L
This removes one of the problems of Petri net models of programs, i.e., that
they do not support separate translation. However, we have not yet given an
effective mechanism for simplifying intermediate results in a hierarchical
ACM Transactions on Software Engmeermg and Methodology, Vol. 4, No. 2, April 1995.
204 . Mauro Pezzb et al.
analysis based on Petri nets, as illustrated in Figure 17 for an algebraic
interpretation of labeled flowgraphs. In the category theory treatments of
nets [Mesegaer and Montanari 1990; Winskel 1984; 1987], the equivalence
relation used is isomorphism of reachability graphs. Isomorphism is far too
fine an equivalence relation if one wishes to reduce intermediate analysis
results to combat state-space explosion effectively. Observation equivalence
and testing equivalence, which are appropriate for the labeled flowgraph
models considered in Section 3, treat the silent action q as not directly
observable and thereby produce smaller quotient graphs.
Other notions of equivalence between Petri nets have been proposed in
recent years, for instance, Autant [1991], Olderog [1989], and Stansifer
[1992], but these as yet do not provide a practical foundation for incremental
analysis (e.g., the bisimulation relation described in Autant et al. [1991] does
not address congruence with respect to composition of nets).
Suitable equivalences can be induced from the labeled flowgraph model.
Our translation of sets of labeled flowgraphs to nets preserves the reachabil-
ity graph of the labeled flowgraph model, as does the translation from
individual labeled flowgraphs to labeled nets with static matching performed
using a net composition operation. It is common to label each edge of a Petri
net reachability graph with the label of the transition that fired to produce
that edge, which gives us again a labeled flowgraph model that is identical to
the labeled flowgraph produced by reachability analysis of the original la-
beled flowgraph models of the same tasks. Equivalences used to reduce
labeled flowgraph models (e.g., taking the quotient with respect to observa-
tion equivalence) will have the same semantic properties as in the labeled
flowgraph model.
6. SUMMARY AND CONCLUSIONS
Software applied in critical applications requires high degrees of assurance of
various functional properties. Many critical applications involve task-level
concurrency; for such applications guarantees of freedom from deadlock and
race conditions are essential. Reachability analysis is no panacea, but it can
be a useful, practical technique for assessing such properties. Reachability
analysis techniques have been applied to problems ranging from communica-
tion protocols [Holzmann 1991] to SPMD parallel Fortran programs [Appelbe
1989] to user interface management systems [Taylor et al. 1992].
Reachability analysis can augment (but not replace) other formal and
informal techniques including program testing, Like other so-called “static”
analysis techniques, it provides strong assurance when successful but is
pessimistic in the sense of sometimes failing to accept a correct program.
Also, like other static analysis techniques, successful application depends
critically on program organization and often on maintaining a property
somewhat stronger than the property one actually seeks to ensure. One
advantage that it enjoys over program verification is the degree to which the
entire analysis process can be practically automated. On the other hand
complete verification addresses all functional properties, not just concur-
ACM Transactloms on Software Engmeenng and Methodology, Vol. 4, NcJ. 2, Apr]l 1995
Reachability Analysis . 205
rency. Program testing is not pessimistic and addresses a wide variety of
program properties but cannot provide as strong an assurance as reachability
analysis for critical properties of concurrent systems.
Unlike most common static analyses, reachability analysis can be spectacu-
larly expensive if applied without discipline. Issues of efficiency and scalabil-
ity have thus been a focus of this article. One thread of research in reachabil-
ity analysis, critical to practical application, concerns extracting models from
program source code.
We have considered representative graph models for reachability analysis
of concurrent programs. We have used models of Ada tasking from the
literature for reference, although for the most part the same principles should
hold for other classes of multithreaded, parallel, and distributed programs
with some form of two-party rendezvous synchronization. While the models
considered here by no means exhaust the possibilities, they do cover some
important dimensions of the design space, including representations of inter-
nal and external choice and static versus dynamic matching of synchronizing
events. In the interest of brevity and focus we have omitted important
variations and refinements, such as exploiting symmetry in systems with
many identical tasks [Helmbold and McDowell 1991; McDowell 1989].
The tradeoffs we have identified in choosing among various graph models
for leachability analysis have mostly to do with the size of reachability
graphs, since this is almost always the limiting factor in reachability analy-
sis. Different considerations may come to the fore when considering graph
models for other forms of concurrency analysis, such as those briefly reviewed
in Section 2.2. We do not expect one kind of analysis algorithm to dominate
others; basic theoretical results on the inherent complexity of concurrent
computation make that unlikely. Elucidation of design tradeoffs for particular
kinds of analysis may lead also to a better understanding of relations
between models used for different classes of techniques.
The power of the formal models considered in this article for analysis is less
important than the way critical features are treated in extracting a model
from source code. We have identified the representation of internal choice,
static versus dynamic matching, and encapsulation (modular or composi-
tional analysis) as important basic differences among models.
The representation of internal choice and its consequences are illustrated
by a comparison of Taylor’s reduced flowgraph model [Taylor 1983] to the
TIG model of Long and Clarke [1989]. We showed that associating extra
information with nodes to represent possible internal choice is the primary
source of the performance advantage of the TIG model.The primary advantage of Petri nets as a modeling formalism is a mature
body of theory and off-the-shelf tools. For instance, the PNut tools for Petri
net reachability analysis [Morgan and Razouk 1987] have been used as a
back-end analysis engine in the TOTAL tools for analyzing Ada programs
[Shatz et al. 1990], and the Caesar tools have been similarly applied for
analyzing LOTOS designs [Fernandez 1992]. The most-apparent difference
between a net and a flowgraph model is matching communicating actions
“statically” as transitions representing potential rendezvous. We have shown
ACM TransactIons on Software Engineering and Methodology, Vol. 4, No. 2, Aprd 1995
206 . Mauro Pezze et al,
that the choice of static or dynamic matching is independent of other,
more-essential features of an analysis model and that either flowgraph model
of Ada programs can be easily translated into ordinary safe Petri nets in a
manner that preserves the structure of their reachability graphs. A less-ap-
parent but more-fundamental characteristic is the representation of internal
choice in nets. If internal choice is treated as in the TIG model, then a
deadlocked program state need not correspond to a dead marking of the net
representation, rendering much of Petri net theory useless. So, although
either model could in principle be translated directly into nets, in practice all
extant Petri net models of Ada tasking represent internal choice essentially
as in Taylor’s reduced flowgraph model, because to do otherwise sacrifices the
above-mentioned advantages of Petri net models.
Reachability analysis of real concurrent programs depends critically on
modular structure to permit analysis of small groups of tasks in isolation.
The successful analysis of the user interface management system cited above
was due in part to its good modularization, in which the analysis could be
12 A model used for reachabilitysplit into two pieces for separate examination.
analysis should likewise support modularity and preferably in a manner that
permits incremental hierarchical composition of analysis results with reduc-
tions of intermediate results to battle combinatorial explosion. The burgeon-
ing field of process algebras provides a framework for composition and
reduction of flowgraph models, as we have illustrated in Section 5.1; experi-
ence in applying algebraic structure to analysis of Ada programs is reported
in Yeh [1993] and Yeh and Young [1991]. Category theory is beginning to lay
the groundwork for similar approaches to Petri net analysis; we have shown
in principle how nets can be used in an incremental analysis.
APPENDIX
A, MODELS FOR REACHABILITY ANALYSIS OF ADA PROGRAMS
In this appendix we describe models for reachability analysis of Ada pro-
grams: task flowgraphs, TIGs, and Petri nets. Here we refer only to a limited
set of the Ada task system. Some limitations are intrinsic to reachability
analysis; some others are introduced in this article to simplify the presenta-
tion.
If program objects can be indexed by variable expressions or referenced
through a chain of pointers, a static tool is usually incapable of determining
the particular identity of an object; thus, for instance, static-analysis algo-rithms cannot deal satisfactorily with arrays of records that include tasks as
members or tasks that are objects of access types (although a small number
of dynamically identified objects can be accommodated by parameterized
duplication of parts of the model). Additionally, static analysis requires some
12The “semer” side of the split, conslstmg of 8 tasks, and a “client” configuration, consisting of 12
tasks, were each analyzed in under 30 seconds CPU time on a Spare 2/470. A client configura-
tion with two concurrently active artists, although having only one more task, required shout 40
minutes (2426 seconds).
ACM TransactIons on Software En~neering and Methodology, Vol 4, No. 2, Aprd 1995
Reachability Analysls . 207
restrictions on dynamic task creation: since static analysis consists of build-
ing a finite representation of the state-space of the analyzed program, the
number of tasks comprising the program must have an upper bound.
Entry queues (FIFO service order) are not explicitly represented, to our
knowledge, in any of the models used for reachability analysis of Ada
programs. It can be shown that except for real-time properties, FIFO entry
queues are adequately (and much more cheaply) represented by a simple
fairness assumption [Shatz and Cheng 1988; Young 1988]. We also do not
discuss veriffing correct ordering of sequences of values communicated among
tasks. This can be accomplished in each of the models discussed here using a
methcjd described by Wolper [1986], but it is orthogonal to the issues consid-
ered here.
The other restrictions introduced in this article are only for simplifying the
presentation. They concern shared variables, task activation and termination,
and subprograms. None of these features are considered in this article,
although dealing with them does not increase the complexity of the problem.
Morecwer, decisions of whether and how to represent these aspects are
essentially independent of the graph model used for analysis.
A.1 Ti~sk Flowgraphs and Concurrency Graphs
Task flowgraphs were introduced by Taylor [1983]. The definitions below
follow those in Taylor [1983] but are stated in terms of a basic flowgraph
model to facilitate comparisons.
Definition A.1.l (Task Flowgraph). Given an Ada task A, a task flow-
graph is a flowgraph where each node corresponds to either a synchronizationactivity in A or a compound statement,13 and each edge corresponds to the
flow of control among the considered statements in task A. The starting node
is the node corresponding to the task-begin; the final nodes are the nodes
corresponding to possible terminations of task A.
Definition A.L2 (Concurrency Graph). Let p be a set of k task flow-graphs; a concurrency-node is a k-tuple of state-nodes, one state-node for
each task flowgraph in P. A concurrency graph is a reachability graph with
initial~ node ( nzo, ..., mh ) where m, is the initial node of flowgraph i and the
following successor function: the concurrency-node IV’ = ( ni,..., nj ) is a
successor of the concurrency-node ~ = ( nl, ..., ‘k) if and onlY ifi
(1) Vi, 1< i s k, either
(a) nj G succ(nl)
(b) nj = ni;
(2) there exists at least one nj, 1 s j s k, which represents application of
case la;
13Compound statements, like concZitZonal statements and loops, are explicitly modeled in the
task flowgraph only if their body contains statements that correspond to synchronization
activities.
ACM TransactIons on Software En~neenng and Methodology, Vol 4, No. 2, April 1995
208 . Mauro Pezze et al.
(3) adherence to the semantics of Ada is reflected in the selection of the
successors of concurrency-nodes; and
(4) the changes between the concurrency-state N’ and the concurrency-state
N are the minimum number required to satisfy conditions 2 and 3—i.e., if
the concurrency-state N’ is a successor of the concurrency-state N, then
there does not exist a successor S of N such that the set of components
for which S differs from N is a proper subset of the set of components for
which N‘ differs from N.
Condition (3) requires that the flow of control on the task flowgraphs
considered in building the concurrency graph follows the Ada semantics. The
definition is taken from Taylor [ 1983]; a more-formal definition that does not
refer to the Ada semantics is presented in Section 3. Condition (4) limits the
set of successors to the set of nodes reachable with at most one action:
concurrency states reachable from the concurrency node N with more than
one action performed concurrently do not belong to the set of immediate
successors of N; they can be reached from N through intermediate nodes.
(Such models are commonly called interleaving, versus step semantics, true
concurrency, and partial order models.)
A.2 Task Interact[on Graphs and Task Interaction Concurrency Graphs
Task interaction graphs (TIGs) and task interaction concurrency graphs
(TICGS) were introduced for reducing the size of task flowgraphs and concur-
rency graphs. TIGs are defined starting from a division of the statements of a
single task into regions called task regions.
Definition A.2. 1 (Task Region). Given an Ada task A, a task region is a
portion of code starting from the task-begin or from a statement that can
immediately follow the execution of an accept or an entry call, and it ends
with accept or entry calls or with the end statement of the task.
Task regions end and start with beginning or ending of synchronization
activities (entry call, accept, select, select-else, task-begin, task-end). (As with
the task flowgraph model, we consider only the case of rendezvous without
accept bodies to keep the examples as small as possible.)
Definition A.2.2 (Task Interaction Graph). Given an Ada task A, a task
interaction graph (TIG) is a flowgraph whose nodes correspond to the task
regions in A and whose edges represent task interactions, i.e., flow of controlbetween task regions; edges are labeled with the type of represented interac-
tion. The initial node is the task region corresponding to the begin statement,
and the final nodes are those regions in which the task-end statement
appears.
The TIG model as defined by Long and Clarke requires that each task
region begin with a single synchronization action—i.e., edges incident to a
TIG-node correspond to the same synchronization action. This simplifies
bookkeeping and improves the accuracy of analyses other than reachability
analysis (e.g., the dataflow analysis reported in Long and Clarke [1991]).
ACM TransactIons on Software Engineering and Methodology, Vol. 4, No, 2, Aprd 1995
Reachability Analysls . 209
Definition A.2.3 (Task Interaction Concurrency Graph (TICG)). Given a
set of k TIGs, a TICG-node is a k-tuple of TIG-nodes, one for each TIG. A
TICG is the reachability graph where the domain is TICG-nodes; the initial
node is (sl, ..., sk ) where s, is the initial node of TIG i and with the
following successor relation: a node N’ = ( nj,... , n~ ) is a successor of a node
N=(nl,... j nh ) iff there exists i and j such that for all 1 # i, j, nj = nl and
(1) (xL,, n}) is an edge in TIG,;
(2) (n), n;) is an edge in TIGJ;
(3) the labels associated with edges (( n,, nj )) and (( n~, n\ )) match—e.g., the
edge ((n,, n:)) belongs to task T. and is labeled with accept P and the
edge (( nj, nj )) belongs to task T~ and is labeled with T..P.
A.3 Petri Nets
Definition A.3. 1 (Petri Net). A Petri net is a 4-tuple (P, T, F, no) where,
P is a set of elements called places;
T is a set of elements, called transitions; P u T is nonempty, and P n 1’ kempty;
F c (P X T) U (T X P) is a flow relation between places and transitions;
an element of F is called an arc;~0: P -+ N is an assignment of natural numbers to places, called the
initiall marking. The number associated with a place p by the marking m o is
referred to as the number of tokens in place p.
Definition A.3.2 (Preset, Postset ). The set of places for which there exists
an arc leading to a transition t is called the preset of transition t and is
indicaltedby “t:“t= {x G PI (x, t) ~ F}.
The set of places to which there exists an arc from transition t is called the
postset of transition t and is indicated by t”:
t“={x~Pl(t, x) GF}.
The dynamic behavior of a system modeled by means of a Petri net can be
represented by the firing rule, which describes the effect of actions on the
marking of the net.
Definition A.3.3 (Firing Rule). Given a net N with marking m, a transi-
tion t is enabled if and only if V places p ● “t, m(p) > 1. The firing of a
transition t enabled in a marking m produces a new marking m‘ defined as
follow s:
(1) m’(p) = m(p) – 1, Vp =-t – t“,
(2) m’(p) = m(p) + 1, Vp = t“–“t,
(3) m’(p) = m(p), otherwise.
Definition A.3.4 (Petri Net Reachability Graph). A Petri net reachability
graph is the reachability graph where nodes are markings; the initial node is
the initial marking; and the successor relation is the Petri net firing rule.
ACM Transactions on Software Engineering and Methodology, Vol 4, No 2, Apr,l 1995.
210 . Mauro Pezzb et al
Definition A.3.5 (Safeness). A Petri net N = (P, T, F, mO ) is safe if and
only if for all reachable markings the number of tokens in each place is less
than or equal to 1.
ACKNOWLEDGMENTS
We are grateful to Wei Jen Yeh and David Levine for their work on analysis
tools and experiments discussed in this article. We also thank the anonymous
referees for their careful reading and many suggestions that improved the
article.
REFERENCES
APPELBE, B., SMITH, K., AND MCDOWELL, C. 1989, Start/pat: A parallel-programming toolkit.
IEEE Softw. 6, 4 (July), 29-38.
APT, K. R. 1983 A static analysis of CSP programs. In Proceedings of the Workshop on
Program Logic (Pittsburgh, Pa., June). Lecture Notes in Computer Science, vol. 164. Springer-
Verlag, New York. Published in 1984.
AUTANT, C., BELMESZi, Z., AND SCHNOEBELEN, P. 1991. Strong bisimilarity on nets revisited. In
PARLE ’91, Parallel Architectures and Languages Europe (Emdhoven, The Netherlands,
June). Lecture Notes in Computer Science, vol. 506. Springer-Verlag. Berlin, 295-312.
AVRUNIN, G. S., BUY, U. A., CORBETT, J. C., DILLON, L. K., AND WILEDEN, J. C. 1991. Automated
analysis of concurrent systems with the constrained expression toolset. IEEE Trans. SoftuJ.
Eng. 17, 11 (Nov.), 1204-1222.
A~TWJNIN, G, S., DILLON, L. K., WILEDEN, J. C., AND RIDDLE, W. E. 1986. Constrained expres-
sions: Adding analysis capabdlties to design methods for concurrent software systems. IEEE
Trans Softw. Eng. SE-12, 2 (F’eb ), 278-292.BAETZZN,J C. M, AND VAN GLABEEK, R. J, 1987, Another look at abstraction in process algebra.
In Proceedings of the 14th International Colloquz urn on Automata, Languages, and Program-
ming ( ICMLP) (Karlsruhe, Germany, July). Lecture Notes in Computer Science, vol. 267.
Springer-Verlag, Berlin, 84-94.
B~AVEN, M,, ELMORE, B., MARINESCU, D. C., AND STANSIFER, R. 1991 VERT-verification of
real-time programs. In Proceedings of the 15th Annual International Computer Software and
Applwation.s Conference (Sept.). IEEE Computer Society Press, Los Alamitos, Calif., 618-625.
BEAVEN, M., MARINESCU, D. C., AND STANSIFER, R. 1992 Modeling concurrent programs with
colored Petri nets. Tech. Rep. CRPDC-92-4, Center for Research in Parallel and Distributed
Computing, Dept of Computer Sciences, Univ of North Texas, Denton, Tex. Feb.
BERZXTRA, J. A. AND KLUP, J, W. 1984, Process algebra for synchronous communication. Infi
Contr. 60, 109-137.BROOKES, S. D., HOARE, C. A. R., AND ROSCOE, A. W. 1984. A theory of communicating
sequential processes. J ACM 31, 3 (July), 560–599.
BRMNT, R. E. Graph-based algorithms for boolean function manipulations. IEEE Trans. Com-
put. C-35, 8, 677–691.
BURC!H, ,J. R,, CLARKR, E. M., MGMILLAN, K. L., DILL, D. L., AND HWAN~, L. J. 1990. Symbolic
model checking: 10 20 states and beyond In proceedings of the 5th Annual SYmPosl urn on Log~c
in Computer Sctence (June). IEEE Computer Society Press, Los Alamitos, Calif.
CLARKE, E. M., EMERSON, E, A., .AND SISTLA, A. P 1986. Automatic verification of finite-state
concurrent systems using temporal logic. ACM Trans. Program. Lang. Syst. 8, 2 (Apr.),
244-263.
CL~AVELAND, R , PARROW, J., AND STEFFEN, B. 1990 A semantics-based verification tool for
finite-state systems. In Protocol Specification, Testing, and Verification, IX. North-Holland,
Amsterdam. 287-302.
CJ,E~VELAND, R., PARROW, J., AND STEFFEN, B. 1991. The concurrency workbench: A semantics
based tool for the verification of concurrent systems, In Proceedings of the Workshop on
ACM Transactions on Software Engmeermg and Methodology, Vol. 4, No, 2, April 1995
Reachability Analysis . 211
Automatic Ver@katLon Methods for Finite Sfute Machines (Feb.). Lecture Notes in Computer
Science, vol. 407, Springer-Verlag, New York, 24-37.
CORIMWT, J. C, 1994. An empirical evaluation ofthree methods fordeadlock analysis of Ada
tasking programs. In Proceedings of the 19941nternational Symposium on Software Testing
and .4nalysw ( ZSSTA) (Seattle, Wash., Aug.). ACM, New York, 204–215.
DWYER, M. AND CLARKE, L. 1994. Data flow analysis for verifying properties of concurrent
programs. In Proceedings of the 2nd ACM SIGSOFT Symposium on Foundations of Software
Engineering (New Orleans, La., Dec.). ACM, New York, 62–75.
DWYER, M., CLARRR, L., AND NIES, K. 1995. A compact Petri net representation for concurrent
programs. In Proceedings of the 17th International Conference on Softu,are Engineering (ICSE
17) (Seattle, Wash., Apr.) IEEE Computer Society Press, Los Alamitos, Calif. To be published,
ENDERS, R., FILKORN, T,, AND TAUBNER, D. 1991. Generating BDDs for symbolic model check-
ing in CCS. In Proceedings of the 3rd Workshop on Computer Azded VerLf6catLon. Lecture Notes
in Computer Science, vol. 531. Springer-Verlag, New York, 263–278.
FERNANDEZ, J.-C. 1988, Ald6baran: Un syst6me de v&-ification par ieduction de processus
communicants. Ph.D. thesis, Univ. de Grenoble, Grenoble, France.
FERNANDEZ, J.-C., GARAVEL, H., MOURNIER, L., RASSE, A., RODRIGUEZ, C., AND SIFAKIS, J. 1992,
A toolbox for the verification of LOTOS programs. In Proceedings of the 14th International
Con@-ence on Software Engineering (Melbourne, Australia). IEEE Computer Society Press,
Los Alamitos, Calif., 246-259.
FORESTER, K. 1991. TIG-based Petri nets for modeling Ada tasking. Master’s thesis, Dept. of
Computer and Information Science, Univ. of Massachusetts, Amherst, Mass. June, Available
as C(DINS Tech. Rep. 91–69.
HELMBOLD, D. P. AND MCDOWELL, C. E, 1991. Computing reachable states of parallel pro-
grams. In proceedings of the ACM\ONR Workshop OTLParallel and Distributed Debugging, B.
P. Miller and C. McDowell, Eds. ACM SZGPLAN Not. 26, 12, 76–84.
HENNESSY, M. 1988. Algebralc Theory of Processes MIT Press, Cambridge, Mass.
HOARE,, C. A. R. 1985. Communicating Sequential Processes. Prentice-Hall International, Lon-
don.
HOLZMANN, G. J. 1987. Automated protocol validation in Argos: Assertion proving and scatter
searching. IEEE Trans. SoftuI. Eng. SE-13, 6 (June), 683–696.
HOLZMANN, G, J. 1991. DesLgn and Valldatfon of Computer Protocols. Prentice-Hall, Engle-
woodl Cliffs, N.J.
KARP, R. M. AND MILLER, R. E. 1969. Parallel program schemata, J. Comput, Syst. SCZ. 3,
(May).
KELLEFL J. K., CAMERON, M., T.AYLOR, R. N., AND TROLTP, D. B. 1991. User interface develop-
ment and software environments: The Chiron- 1 system, In Proceedings of the 13th Interna-
tional Conference on Software Engineering (Austin, Tex., May). IEEE Computer Society Press,
Los Alamitos, Calif., 208-218.
LADNER, R. E. 1979. The complexity of problems in systems of communicating sequential
processes. In Proceechngs of the llth Annual ACM Symposium on Theory of Computing
(Atlanta, Ga., Apr.). ACM, New York, 214-223.
LONG, D. L. AND CL,ARKE, L. A. 1989. Task interaction graphs for concurrency analysis. In
Proceedings of the llth International Conference on Software Englneermg (Pittsburgh, Pa.,
May). 44-52.
LONG, D. L. AND CLARKE, L. A. 1991. Data flow analysis of concurrent systems that use the
rendezvous model of synchronization. In proceedings of the Symposium on Softu,are Testzng,
Analysis, and Verification (TAV4) (Victoria, British Columbia, Oct.). ACM Press, New York,
21-35.
MALHOR’rA, J., SMOLKA, S. A., GIACALONE, A., AND SHAPIRO, R. 1990, Winston—a tool for
hierarchical design and simulation of concurrent systems. In Spec@cat~on and Verification of
Concurrent S.vstems, C. Rattray, Ed. Sprmger-Verlag, New York, 140-152.
MANDRIOL1, D., ZICARI, R., GHEZZL, C., AND TLSATO, F. 1985. Modeling the Ada task system by
Petr] nets. Comput, Lang. 10, 1, 43-61.
ACM Transactions on Software Engineering and Methodology, Vol. 4, No. 2. April 1995
212 . Mauro Pezze et al,
lMASTICOL& S P, AND RYDER, B. G. 1990 Static infinite wait anomaly detection in polynomial
time. Tech Rep. LCSR-TR-141, Dept of Computer Science, Rutgers Univ., Piscataway, N.J.
Jan,
MMTICOLA, S. P. AND RYDER, B. G. 1991. A model of Ada programs for static deadlock
detection m polynomial time. In Proceedings of the ACM1ONR Workshop on Parallel and
Dlstrlbuted Debugging, B, P. Miller and C. McDowell, Eds. SIGPLAN Not. 26, 12, 97-107.
MCDOWELL, C. E. 1989. A practical algorithm for static analysis of parallel programs, J.
Parallel Dlstrib. Comput. 6, 515-536.
MESEGUER, J, AND MONrAN~RI, U. 1990, Petri nets are monoids, ln~. ContpzLt. 88, 105-155,
MILNER, R. 1980, A Calculus of Communzcchng Systems, Lecture Notes in Computer Science,
vol 92. Springer-Verlag, New York
M[LNM?, R. 1989 Communlcatmn and Concurrency. Prentice-Hall International, London.
MORASC’A. S, AND PEZZilj M, 1989, Vahdation of concurrent Ada programs using symbolic
execution. In ESEC ’89 2nd European Software Engineering Conference. Lecture Notes m
Computer Science, vol 387. Springer-Verlag, Berlin, 469-486,
MORGAN, E. T. AND RAZOUK, R, R. 1987. Interactive state-space analysls of concurrent systems.
IEEE Trans. Softu,. Eng. SE-13, 10 (Ott ), 1080-1091.
MURATA, T. 1989 Petri nets: Properties, analysis, and applications Proc IEEE 77, 4 (Apr.),
541-580.
OLDEROG, E.-R. 1989 Strong blsimilarity on nets: A new concept for comparing net semantics.
In Lecture Notes in Computer Science Vol. 222. Springer-Verlag, New York, 549-573.
P~T~RSON, J. 1989. Petri Net Theory and the Modellng of Systems. Prentice-Hall, Englewood
Chffs, N.J.
PIzzzk, M. AND YOUNG, M. 1995. Complexity of recognizing deadlocked states in the TIC model
of Ada tasking Tech Rep., Software Engineering Research Center, Dept. of Computer Science.
Purdue Umv,, West Lafayette, Ind. Also avadable as http:/\www,cs.purdue. edu/
people ]young,lpapers.
R~TEL, C , HALBWACHS, N , AND RAY~O~D, P 1991. Programming and verifying critical systems
by means of the synchronous data-flow language LUSTRE, In Proceedings of the ACM
SIGSOFT ’91 Conference on Software for CrLtLcal Systems (New Orleans, La., Dec ) ACM, New
York, 112-119.
REISIG, W. 1985 Petri Nets. EATCS Monographs on Theoretical Computer Science. Sprmger-
Verlag, New York,
SHATZ, S M AND CHEN~, W K. 1988 A Petri net framework for automated static analysis of
Ada tasking behavior J. Syst. Softw. 8, (Dec.), 343-359,
SHATZ, S. M., MAI, K., BLACK, C., ANI) Tu, S. 1990. Design and implementation of a Petri net
based toolkit for Ada tasking analysls. IEEE Trans. Parallel Distrib Syst. 1, 4 (Oct.), 424-441.
SHENKER, B., MURATA, T., AND SH.ATz, S. M. 1986. Use of Petri net mvariants to detect static
deadlocks in Ada programs. In Proceedings of the Fall Joint Computer Conference (Nov ) IEEE
Computer Society Press, Los Alamitos, Cahf., 1072–1081. See also IEEE Trans. Softw Eng
15, 3 (Mar), 314-326.
SNIOMW, S. A 1984. Analysls of commumcatmg finite state processes, Ph.D. thesis, Computer
Sclcnce Tech. Rep. CS-84-05., Dept of Computer Science, Brown Univ , Providence, R.I.
STANSIFER, R. 1992. Critical paths and bisimulation for colored Petri nets, Tech. Rep., Dept. of
Computer Sciences, Center for Research in Parallel and Distributed Computmg, Univ. of
North Texas, Denton, Tex.
SUNSHINE, C. A., Ed. 1986. CommunLcatmn Protocol Modeling. Artech House, Dedham, Mass
TAYLOR, R. N. 1983a. Complexity of analyzing the synchromzation structure of concurrent
programs, Acts In fornlatLca 19, 57-84,
TAYLOR, R. N. 1983b. A general-purpose algorlthm for analyzing concurrent programs, C’om-
mun. ACM 26, 5 (May), 362-376.
TAYLOR, R N. AND JOHNSON, G. F. 1993 Separations of concerns in the Chiron-1 user interface
development and management system. In Proceedings of the Conference on Human Factors m
Computer Systems (Amsterdam, Apr.). ACM, New York, 367-374
T~~LoR, R, N,, LEVINE, D, L., AND KELLY, C D 1992. Structural testing of concurrent pro-
grams. IEEE Trans. Softa,. Eng. 18, 3 (lMar.), 206–215,
ACM Transactions on Software Engineering and Methodolo.~, Vol 4, No 2, April 1995
Reachability Analysis . 213
WINSKKL, G. 1984. Anew definition ofmorphism on Petri nets, In STACS 84, Sy?nposwm of
Theoretical Aspects of Computer Science (Paris, Apr.). Lecture Notes in Computer Science, vol.
166. Spnnger-Verlag, Berlin, 140-150.
WINSKEL, G. 1987. Petri nets, algebras, morphism, and compositionality. Infi Comput. 72,
197-238.
WOLPEIR, P. 1986. Specifying interesting properties of programs in propositional temporal
logics. In Proceedings of the 13th ACM Symposium on Principles of Programming Languages
(St. Petersburg, Fla., Jan.). ACM, New York, 184-193.
YEH, W. J. 1993. Controlling state explosion in reachability analysis. Ph.D. thesis, Dept. of
Computer Science, Purdue Univ., West Lafayette, Ind. Dec.
YEH, W. J. AND YOUNG, M. 1991. Compositional reachability analysis using process algebra. In
proc,?edmgs of the Symposium on Software Testing, Analysts, and Verification (TAV4]
(Victoria, British Columbia, Oct.). ACM Press, New York, 49-59.YEH, W. J. AND YOUNG, M. 1993. Compositional reachability analysis of Ada programs using
process algebra. Tech. Rep., Dept. of Computer Science, Software Engineering ResearchCenter, Purdue Univ., West Lafayette, Ind. July.
YEH, W. J. AND YOUNG, M. 1994. Redesigning tasking structures of Ada programs for analysis:
A case study. Softw. Test. Veri~ Rel. 4, (Dec.), 223-253.
YOUNG,, M. 1988. How to leave out details: Error-preserving abstractions of state-space mod-
els. [n Proceedings of the 2nd Workshop on Software Testing, Verification, and Analy.ws
(Banff, Canada, July). IEEE Computer Society Press, Los Alamitos, Calif., 63-70YOUNG, M., TAYLOR, R. N., LEVINE, D. L., FORESTER,K., AND BRODBECK,D. 1995. A concurrency
analysis tool suite for Ada programs: Rationale, design, and preliminary experience. ACM
Trans. Soflw. Eng. Meth. 4, 1 (Jan.), 65-106.
Received November 1994; revised March 1995; accepted May 1995
ACM Transactions on Software Engineering and Methodology, Vol 4, No. 2, April 1995.