CS294-32: Dynamic Partial Order Reduction Koushik Sen UC Berkeley

CS294-32: Dynamic Partial Order Reduction

Koushik SenUC Berkeley

Exponential Blowupt1:

if (x==100)a = 1 else a = 2

t2:

if (y==9) a = 3

else a = 4

Scheduler choice: thread

switch

Conditional statement

Computation tree for a

single thread

Computation tree for two

threads

Solution All paths in the tree are not important

for statement reachability Many paths are equivalent to each other Prune equivalent paths => Partial Order

Reduction Generate inputs along with Partial

Order Reduction

Equivalent Paths

t1:

x = 3

t2:

y = 2

Initially x = 0 and y = 0

x=3

y=2

One partial order

x=3

y=2

Same partial order

Different linear order => Different Path =>

Equivalent Path

x=0, y=0 x=0, y=0

Independent transitions

B and R are independent transitions if1. they commute: B ∘ R = R ∘ B2. neither enables nor disables the other

BR

RB

s

Example: x = 3 and y = 2 are independent

Existing Approaches Static Partial Order Reduction

Valmari 91, Peled 93, Godefroid 96, SPIN model checkerby Holzmann, Verisoft

Limitation Results in a large dependent relation Pointers -> Whether two pointers point to the

same location is determined conservatively (May point-to)

Results in over-approximation of the dependency relation

Limited POR

Example: static partial-order reductionGlobal Vars

lock m int i1,i2 int x=0 int n=100 char[] a

Thread 2 lock(m) i2 := x++ unlock(m)

for( ;i2<n; i2+=2) a[i2] := ‘r’

Thread 1 lock(m) i1 := x++ unlock(m)

for( ;i1<n; i1+=2) a[i1] := ‘b’

Static analysis gives i1, i2 are thread-local x is protected by m but a[i1] and a[i2] may alias

Static POR gives O(n2) explored states and transitions but only two possible terminating states

may-alias (according to static analysis)never alias (in practice)

Dynamic partial-order reduction Static POR relies on static analysis

to yield approximate information about run-time behavior

pointers => coarse information => limited POR => path explosion

Dynamic POR while model checker executes the program,

it sees exactly which threads access which locations

use to simultaneously reduce the path space while model-checking

Focus on Race-Detection and Flipping Algorithm and Concolic Testing: jCUTE

Race-Detection and Flipping Algorithm is a simplified form of DPOR Proof of correctness in the presence of

inputs and conditionals

Event (t,l,a)

If thread t executes the statement labeled l and the access type is a

a 2 {w,r,l,u,?} An execution path is a sequence of

events

Sequential Relation e = (t,l,a) and e’ = (t’,l’,a’) e C e’

e = e', or t=t’ and e appears before e' in , or t t’, t created the thread t’, and e appears before

e'' in , where e'' is the fork event on t creating the thread t’, or

there exists an event e'' in such that e C e'' and e'' C e'.

2: fork(8)

e2

t1

t0

3: y=2

e3

4: lock(m)

e4

1: x=1

e1

5: x=3

e5

6: unlock(m)

e6

8: lock(m)

e9

9: x=4

e10

10: unlock(m)

e11

11: y=5

e12

7: halt

e7

12: halt

e13e8

Causal Relation (Happens-Before Relation) e = (t,l,a) and e’ = (t’,l’,a’) e ¹ e’

e C e’, or e appears before e' in and both access a shared

memory location m and one of the accesses is update (write, lock acquire, release), or

there exists an event e'' in such that e ¹ e'' and e'' ¹ e'.

¹ is a partial order relation

2: fork(8)

e2

t1

t0

3: y=2

e3

4: lock(m)

e4

1: x=1

e1

5: x=3

e5

6: unlock(m)

e6

8: lock(m)

e9

9: x=4

e10

10: unlock(m)

e11

11: y=5

e12

7: halt

e7

12: halt

e13e8

Equivalent Paths Definition: Two execution paths are

equivalent if they are linearizations of the same partial order

Proposition: Exploration of one linear order of each partial order is sufficient for statement reachability

Race Relation Not so strict

definition (see paper for the strict definition)

e = (t,l,a) and e’ = (t’,l’,a’)

e l e’ e ¹ e’ Not (e C e’ or e’ C e) There exists no e1 such

that e ¹ e1 and e1 ¹ e’ Where e1 is not equal

to e or e’

x := 1

y := 2

y := 3

x := 4

Partial Order

1. Events in race relation can be permuted by changing schedule

2. What happens if we have locks? (see paper)

DPOR (Race-detection and flipping) ExampleThread t1:

1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Execution 1


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ }

{ }

{ }

{ }

Execution 1

x := 1

y := 2

y := 3

x := 4

Partial Order


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ }

{ }

{ }

Race

Execution 1

x := 1

y := 2

y := 3

x := 4

Partial Order


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ }

Race

Execution 1

Backtrack Here

{ }

{ }

x := 1

y := 2

y := 3

x := 4

Partial Order


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ }

Race

Execution 1

Backtrack Here

x := 1

y := 2

y := 3

x := 4

Partial Order


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ }

{ }

{ }

Execution 2

x := 1

y := 2

y := 3

x := 4

Partial Order


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1 ,t2}

{ t1}

{ }

{ }

Execution 2

Race

Racex := 1

y := 2

y := 3

x := 4

Partial Order


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1 ,t2}

{ t1}

{ }

{ }

Execution 2

Race

Race

Cannot Backtrack Here

x := 1

y := 2

y := 3

x := 4

Partial Order


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1 ,t2}

{ t1}

{ }

{ }

Execution 2

Race

Race

Backtrack Here

x := 1

y := 2

y := 3

x := 4

Partial Order


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

Execution 2

Race

Race

Backtrack Here

x := 1

y := 2

y := 3

x := 4

Partial Order


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ }

{ }

{ }

Execution 3

x := 1

y := 2

y := 3

x := 4

Partial Order


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ t2}

{ }

{ }

Execution 3

Race

x := 1

y := 2

y := 3

x := 4

Partial Order


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ t2}

{ }

{ }

Execution 3

Race

Backtrack Here

x := 1

y := 2

y := 3

x := 4

Partial Order


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ t2}

Execution 3

Race

Backtrack Here

x := 1

y := 2

y := 3

x := 4

Partial Order


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ t2}

{ }

{ }

Execution 4

x := 1

y := 2

y := 3

x := 4

Partial Order


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1,t2}

{ t1,t2}

{ }

{ }

Execution 4

Race

Race



Done!

x := 1

y := 2

y := 3

x := 4

Partial Order

DPOR (POPL 05) ExampleThread t1:

1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ }

Race

Execution 1

{ }

{ }

x := 1

y := 2

y := 3

x := 4

Partial Order

Persistent

{ t2}

{ }

{ }

{ }


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1 ,t2}

{ t1}

{ }

{ }

Execution 2

x := 1

y := 2

y := 3

x := 4

Partial Order

Persistent

{ t1 ,t2}

{ t2}

{ }

{ }


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ t2}

{ }

{ }

Execution 3

x := 1

y := 2

y := 3

x := 4

Partial Order

Persistent

{ t2}

{ t1}

{ }

{ }


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Execution 4

x := 1

y := 2

y := 3

x := 4

Partial Order

Postponed

{ t1,t2}

{ t1,t2}

{ }

{ }

Persistent

{ t1,t2}

{ t1,t2}

{ }

{ }

DPOR ProblemThread t1:

1: x := 12: x := 2

Thread t2:

1: y := 12: x := 3

• DPOR (both approaches) explores all 6 execution paths => No reduction

• Example in the POPL 05 paper has error

• Think about it

• Need Sleep Set to obtain reduction

Sleep Set Example


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Execution 1


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ }

{ }

{ }

{ }

Execution 1

x := 1

y := 2

y := 3

x := 4

Partial Order

Delayed

{ }

{ }

{ }

{ }


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ }

{ }

{ }

Race

Execution 1

x := 1

y := 2

y := 3

x := 4

Partial Order

Delayed

{ }

{ }

{ }

{ }


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ }

Race

Execution 1

{ }

{ }

x := 1

y := 2

y := 3

x := 4

Partial Order

Delayed

{ }

{ }

{ }

{ }

Backtrack Here


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ }

Race

Execution 1

x := 1

y := 2

y := 3

x := 4

Partial Order

Delayed

{ }

{ }

{ }

{ }

Backtrack Here


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ }

{ }

{ }

Execution 2

x := 1

y := 2

y := 3

x := 4

Partial Order

Delayed

{ }

{ t1 }

{ t1 }

{ }


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ t1}

{ }

{ }

Execution 2

Race

Racex := 1

y := 2

y := 3

x := 4

Partial Order

Delayed

{ }

{ t1 }

{ t1 }

{ }

X


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ t1}

{ }

{ }

Execution 2

Race

Racex := 1

y := 2

y := 3

x := 4

Partial Order

{ }

{ t1 }

{ t1 }

{ }

Nothing to Backtrack Here

Delayed

X

Delayed


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ t1}

{ }

{ }

Execution 2

Race

Racex := 1

y := 2

y := 3

x := 4

Partial Order

{ }

{ t1 }

{ t1 }

{ }

Backtrack Here

X


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

Execution 2

Race

Racex := 1

y := 2

y := 3

x := 4

Partial Order

Delayed

{ }

{ t1 }

{ t1 }

{ }

Backtrack Here

X


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ }

{ }

{ }

Execution 3

x := 1

y := 2

y := 3

x := 4

Partial Order

Delayed

{ t1 }

{ }

{ }

{ t1 }


1: x := 12: y := 2

Thread t2:

1: y := 32: x := 4

x := 1

y := 2

y := 3

x := 4

Postponed

{ t1}

{ }

{ }

{ }

Execution 3

Race

x := 1

y := 2

y := 3

x := 4

Partial Order

X

Delayed

{ t1 }

{ }

{ }

{ t1 }

jCUTE Key Observation: Concolic execution is ideal

for testing concurrent programs with complex data inputs Use symbolic execution to generate new inputs Use concrete execution to perform partial order

reduction ?



reduction Explore “Interesting” thread schedules or total

orders Where to perform context switches?

How to perform context switches?

?



reduction Explore “Interesting” thread schedules or total

orders Where to perform context switches?

Detect data race and lock race How to perform context switches?

Hijack the scheduler using semaphores Insert semaphores through

instrumentation

?

jCUTE Examplez = input();

Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR;


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR;

Concrete State

x 0, z 17 x 0, z z0

Symbolic State

Path Constraint + Postponed

Set{ }


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR;

x :=3

Concrete State

x 0, z 17 x 0, z z0

Symbolic State


Set

x 3, z 17 x 3, z z0

{ }

{ }


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR;

x :=3

x :=2

Concrete State

x 0, z 17 x 0, z z0

Symbolic State


Set

x 3, z 17 x 3, z z0

x 2, z 17 x 2, z z0

{ t1 }

{ }

{ }


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR;

x :=3

x :=2

2*z+1 ==x

Concrete State

x 0, z 17 x 0, z z0

Symbolic State


Set

x 3, z 17 x 3, z z0

x 2, z 17 x 2, z z0

x 2, z 17 x 2, z z0

{ t1 }

{ }

{ }

2*z0+1!=2


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR;

x :=3

x :=2

2*z+1 ==x

Concrete State

x 0, z 17 x 0, z z0

Symbolic State


Set

x 3, z 17 x 3, z z0

x 2, z 17 x 2, z z0

x 2, z 17 x 2, z z0

{ t1 }

{ }

{ }

2*z0+1!=2

Backtrack Here

Solve: 2*z0+1=2

No Solution


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR;

x :=3

x :=2

2*z+1 ==x

Concrete State

x 0, z 17 x 0, z z0

Symbolic State


Set

x 3, z 17 x 3, z z0

x 2, z 17 x 2, z z0

x 2, z 17 x 2, z z0

{ t1 }

Backtrack Here


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR;

Concrete State

x 0, z 17 x 0, z z0

Symbolic State


Set{ t1 }


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR;

x :=2

Concrete State

x 0, z 17 x 0, z z0

Symbolic State


Set

x 2, z 17 x 2, z z0

{ t1 }

{ }


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR;

x :=2

2*z+1 ==x

Concrete State

x 0, z 17 x 0, z z0

Symbolic State


Set

x 2, z 17 x 2, z z0

x 2, z 17 x 2, z z0

{ t1 }

{ }

{ }

2*z0+1!=2


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR;

x :=3

x :=2

2*z+1 ==x

Concrete State

x 0, z 17 x 0, z z0

Symbolic State


Set

x 2, z 17 x 2, z z0

x 2, z 17 x 2, z z0

x 3, z 17 x 3, z z0

{ t1 }

{ t2}

{ }

2*z0+1!=2


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR;

x :=3

x :=2

2*z+1 ==x

Concrete State

x 0, z 17 x 0, z z0

Symbolic State


Set

x 2, z 17 x 2, z z0

x 2, z 17 x 2, z z0

x 3, z 17 x 3, z z0

{ t1 }

{ t2}

{ }

2*z0+1!=2

Backtrack Here

Solve: 2*z0+1=2

No Solution


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR;

x :=3

x :=2

2*z+1 ==x

Concrete State

x 0, z 17 x 0, z z0

Symbolic State


Set

x 2, z 17 x 2, z z0

x 2, z 17 x 2, z z0

x 3, z 17 x 3, z z0

{ t1 }

{ t2}

Backtrack Here


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR;

Concrete State

x 0, z 17 x 0, z z0

Symbolic State


Set{ t1 }

{ t2}


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR;

x :=2

Concrete State

x 0, z 17 x 0, z z0

Symbolic State


Set

x 2, z 17 x 2, z z0

{ t1 }

{ t2}


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR; x :=

3

x :=2

Concrete State

x 0, z 17 x 0, z z0

Symbolic State


Set

x 2, z 17 x 2, z z0

x 3, z 17 x 3, z z0

{ t1 ,t2}

{ t2}

{ }


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR; x :=

3

x :=2

2*z+1 ==x

Concrete State

x 0, z 17 x 0, z z0

Symbolic State


Set

x 2, z 17 x 2, z z0

x 3, z 17 x 3, z z0

x 3, z 17 x 3, z z0

{ }

2*z0+1!=3

{ t1 ,t2}

{ t1 ,t2}


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR; x :=

3

x :=2

2*z+1 ==x

Concrete State

x 0, z 17 x 0, z z0

Symbolic State


Set

x 2, z 17 x 2, z z0

x 3, z 17 x 3, z z0

x 3, z 17 x 3, z z0

{ }

2*z0+1!=3

Backtrack Here

Solve: 2*z0+1=3

Solution: z = 1

{ t1 ,t2}

{ t1 ,t2}


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR;

Concrete State

x 0, z 1 x 0, z z0

Symbolic State


Set

{ }

{ t1 ,t2}

{ t1 ,t2}


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR; x :=

3

x :=2

2*z+1 ==x

Concrete State

x 0, z 1 x 0, z z0

Symbolic State


Set

x 2, z 1 x 2, z z0

x 3, z 1 x 3, z z0

x 3, z 1 x 3, z z0

{ }

2*z0+1=3

{ t1 ,t2}

{ t1 ,t2}

ERROR

{ }


Thread t1:

1: x := 3

Thread t2:

1: x := 22: if (2*z + 1 == x)3: ERROR; x :=

3

x :=2

2*z+1 ==x

Concrete State

x 0, z 1 x 0, z z0

Symbolic State


Set

x 2, z 1 x 2, z z0

x 3, z 1 x 3, z z0

x 3, z 1 x 3, z z0

{ }

2*z0+1=3

{ t1 ,t2}

{ t1 ,t2}

ERROR

{ }

Nothing to Backtrack

Race DetectionDynamic Vector Clock Algorithm [FSE’03,TACAS’04] Vector clock V : Threads ! Nat Vi be vector clock for each thread ti. Vx

a and Vxw vector clocks for each shared variable x.

Algorithm:1. if ei

k is a shared memory access, then Vi[i] Ã Vi[i] + 1

2. if eik is a read of a variable x then

Vi Ã max{Vi,Vxw}

Vxa Ã max{Vx

a,Vi}

3. if eik is a write of a variable x then

Vxw Ã Vx

a Ã Vi Ã max{Vxa,Vi}

Lemma: For any two events e ¹ e’ iff Ve · Ve’

Race Flipping: Hijack Thread Scheduler Ensure that only one thread is

executing Create a tester thread (tsched) Associate a semaphore sem(t) with

each thread t Before any shared memory access by t

release control to the tester threadV(sem(tsched)); P(sem(t));

Tester thread schedules a thread t V(sem(t)); P(sem(tsched));

jCUTE jCUTE can test multi-threaded Java

programs URL:

http://osl.cs.uiuc.edu/~ksen/cute/ Next generation testing tools

Combines Testing and Model-Checking jCUTE supports generation of JUnit test

cases The tools also support replay of a buggy

execution

http://osl.cs.uiuc.edu/~ksen/cute/

Sun Microsystem’s JDK 1.4 Library java.util package provides thread-safe data-structure classes LinkedList, ArrayList,

HashSet, TeeMap, etc. Widely used Found previously

undocumented concurrency related problems Data race, Infinite Loop,

Uncaught Exceptions, and Deadlocks

List l1 = Collections.synchronizedList(new LinkedList());

List l2 = Collections.synchronizedList(new LinkedList());

l1.add(null); l2.add(null);// Create two threads // let thread 1 runl1.clear(); // let thread 2 runl2.containsAll(l1) ;

NameRuntime

in seconds# of

Paths# of

Threads% Branch Coverage

# of FunctionsTested

# of Bugs Found data races+

deadlocks+ infinite loops+

exceptions

Vector 5519 20000 5 76.38 16 1+9+0+2

ArrayList 6811 20000 5 75.00 16 3+9+0+3

LinkedList 4401 11523 5 82.05 15 3+3+1+1

LinkedHashSet

7303 20000 5 67.39 20 3+9+0+2

TreeSet 7333 20000 5 54.93 26 4+9+0+2

HashSet 7449 20000 5 69.56 20 19+9+0+2

Sun Microsystem’s JDK 1.4 Library

Honeywell’s DEOS real-time scheduling kernel Operating system developed for use in small

business aircraft jCUTE found the subtle time-partitioning error in

< 1 minute Java Pathfinder from NASA Ames ran out of

memory on the original program Had to test manually created abstraction Took 11 minutes to discover the same error in the

abstraction

Documents

CS294-32: Dynamic Partial Order Reduction Koushik Sen UC Berkeley