Cartesian Partial-Order Reduction

Guy Gueta, Tel Aviv University
Cormac Flanagan, University of California, Santa Cruz
Eran Yahav, IBM Watson
Mooly Sagiv, Tel Aviv University
Motivation

State space explosion is a big problem for model checkers. One of the main causes is scheduling nondeterminism.

Example: n threads, each executing one assignment to its own variable
  Thread 1: x1 := 1
  Thread 2: x2 := 1
  . . .
  Thread n: xn := 1

State space: 2^n states (any subset of the threads may already have run). A naive model checker visits all 2^n of them.

Partial-order reduction algorithms perform model checking by considering only a subset of the state space.
Main Results

A new Dynamic POR algorithm
  - Identifies dependencies during state-space exploration
  - Does not require a preliminary static analysis to identify dependencies
  - Handles cyclic state spaces
  - Preliminary experiments show significant savings
  - Parallelizable: multiple processors often yield improved running times
Naive Exploration

Thread 1:  0: nop   1: x=1   2: y=1   3: …
Thread 2:  0: y=2   1: nop   2: x=2   3: …

Use the next atomic instruction of each thread:

  (x=0, y=0, PC1=0, PC2=0)
    --[nop]  (thread 1)-->  (x=0, y=0, PC1=1, PC2=0)
    --[y=2]  (thread 2)-->  (x=0, y=2, PC1=0, PC2=1)

Explores the entire state space.
Our approach

Thread 1:  0: nop   1: x=1   2: y=1   3: …
Thread 2:  0: y=2   1: nop   2: x=2   3: …

Try to use more than one atomic instruction of each thread (the block is not necessarily atomic):

  (x=0, y=0, PC1=0, PC2=0)
    --[nop ; x=1]        (thread 1)-->  (x=1, y=0, PC1=2, PC2=0)
    --[y=2 ; nop ; x=2]  (thread 2)-->  (x=2, y=2, PC1=0, PC2=3)

Explores a subset of the state space.
Independent Transitions

B and R are independent transitions if they commute: B ∘ R = R ∘ B
(from any state s, executing B then R reaches the same state as executing R then B)

Examples: x := 1 and y := 3 are independent; x++ and x++ are independent.

Not Independent = Dependent

[Figure: commuting diamond from state s with transitions B and R]
Cartesian Vector

(P1, P2) is a Cartesian Vector from a state S if:
  I.   P1 and P2 are sequences of states and transitions that begin from state S
  II.  P1 is executed by thread 1 and P2 is executed by thread 2
  III. If a transition from P1 is dependent with a transition from P2, then these transitions are the last transitions of P1 and P2

[Figure:
  p1 (Thread 1):  S --[t1]--> S1 --[t2]--> S2
  p2 (Thread 2):  S --[t'1]--> S'1 --[t'2]--> S'2 --[t'3]--> S'3 --[t'4]--> S'4 ]
Cartesian Vector - Example

  p1 (Thread 1):  S0 --[b++]--> S1 --[x:=1]--> S2 --[b++]--> S3
  p2 (Thread 2):  S0 --[c++]--> Q1 --[c++]--> Q2 --[c++]--> Q3 --[x:=2]--> Q4

A Cartesian Vector (p1 = b++ ; x:=1 and p2 = c++ ; c++ ; c++ ; x:=2): the last transitions are dependent; any other two transitions are independent.

Not a Cartesian Vector (p1 extended to b++ ; x:=1 ; b++): x := 1 is not the last transition and is dependent with x := 2.

A Cartesian Vector: no dependent transitions at all (e.g. if p2 stops at Q3, before x := 2).

Can be extended for n ≥ 2 threads.
Cartesian Function

A Cartesian function maps States → Cartesian Vectors: for every S ∈ States it returns a Cartesian Vector from S.

Our algorithm uses a Cartesian function to determine the progress from each state.
Example: exploring with a given Cartesian function

Thread 1:  0: nop   1: x=1   2: y=1   3: …
Thread 2:  0: y=2   1: nop   2: x=2   3: …

A Cartesian function is given to the algorithm.

  S0 = (x=0, y=0, PC1=0, PC2=0)
  Cartesian vector from S0 = ( nop ; x=1 ;  |  y=2 ; nop ; x=2 ; )
    thread 1:  S0 --[nop ; x=1]-->        S1 = (x=1, y=0, PC1=2, PC2=0)
    thread 2:  S0 --[y=2 ; nop ; x=2]-->  S2 = (x=2, y=2, PC1=0, PC2=3)

  Cartesian vector from S1 = ( y=1 ;  |  y=2 ; )
    thread 1:  S1 --[y=1]-->  S3 = (x=1, y=1, PC1=3, PC2=0)
    thread 2:  S1 --[y=2]-->  S4 = (x=1, y=2, PC1=2, PC2=1)

  Cartesian vector from S4 = ( y=1 ;  |  nop ; x=2 ; )
    thread 1:  S4 --[y=1]-->        S5 = (x=1, y=1, PC1=3, PC2=1)
    thread 2:  S4 --[nop ; x=2]-->  S6 = (x=2, y=2, PC1=2, PC2=3)
Asserts

The algorithm detects all the assert violations for any given Cartesian function.

Example
Thread 1:  0: nop   1: x=1   2: y=1   3: …
Thread 2:  0: y=2   1: nop   2: x=2   3: assert(y=2)   4: nop

The assert is violated in some executions (whenever thread 1's y=1 runs after thread 2's y=2 and before the assert).
Example (continued), states S0 … S6 as above:

Thread 1:  0: nop   1: x=1   2: y=1   3: …
Thread 2:  0: y=2   1: nop   2: x=2   3: assert(y=2)   4: nop

  S5 = (x=1, y=1, PC1=3, PC2=1), reached from S4 by thread 1's y=1
  Cartesian vector from S5 = ???
    thread 2:  S5 --[nop ; x=2 ; assert(y=2) ; nop]-->  Assert Violation (y=1 when the assert executes)
Calculating Cartesian Vectors

Input: a state S
Output: a Cartesian vector from S

Basic idea:
  Start with a single transition in each sequence.
  Extend the sequences as long as the vector is a Cartesian vector.

  P1: nop ; x = 1 ; y = 1 ;
  P2: y = 2 ; nop ;

  y = 1 is dependent with y = 2.
Identifying Dependencies

  P1: nop ; x = 1 ; y = 1 ;     Affected variables so far: x
  P2: y = 2 ; nop ;             Affected variables so far: y

y is already affected by P2, so y = 1 in P1 is dependent with P2.

Improvement: keep 2 sets for each sequence, one for read variables and one for write variables.
Infinite loops

Remember the states of each sequence and stop extending a sequence when a cycle is detected.

Thread 1:  0: x++   1: x--   2: goto 0
Thread 2:  0: y++   1: y--   2: goto 0

  P1:  S0 --[x++]--> S1 --[x--]--> S2 --[goto 0]--> S0   (cycle: stop extending P1)
  P2:  S0 --[y++]--> S'1 --[y--]--> S'2 --[goto 0]--> S0  (cycle: stop extending P2)
Concurrent Exploration

In a large portion of the execution time the algorithm calculates vectors.
Calculate n > 1 vectors in parallel, each vector on a different processor.
Example:

Thread 1:  0: nop   1: x=1   2: y=1   3: …
Thread 2:  0: y=2   1: nop   2: x=2   3: assert(y=2)   4: nop

  S0 = (x=0, y=0, PC1=0, PC2=0)
  S1 = (x=1, y=0, PC1=2, PC2=0)
  S2 = (x=2, y=2, PC1=0, PC2=3)
  S3 = (x=1, y=1, PC1=3, PC2=0)
  S4 = (x=1, y=2, PC1=2, PC2=1)
  S5 = (x=1, y=1, PC1=3, PC2=1)
  S6 = (x=2, y=2, PC1=2, PC2=3)

3 processors can calculate the Cartesian vectors from S2, S5 and S6 in parallel.
Evaluation

7 (small) benchmarks

Methods:
  - Naive Exploration (no POR)
  - SPIN's POR
  - Cartesian POR
  - DPOR05 [Flanagan-Godefroid POPL05], for 3 of the acyclic benchmarks
  - Combination of DPOR05 and Sleep-Sets
Cartesian vs. Naive (Transitions)
[Bar chart: percentage of saving per benchmark, y-axis -50% to 90%; benchmarks SharedPtr, SharedArray, Robots, FileSystem, Indexer, Philosophers, CMIS]

Cartesian vs. Naive (Stored States)
[Bar chart: percentage of saving per benchmark, y-axis -50% to 90%; same benchmarks]

Cartesian vs. Naive (Execution Time)
[Bar chart: percentage of saving per benchmark, y-axis -50% to 90%]
Indexer
[Chart]

SharedArray (2 threads)
[Chart: number of transitions, log scale from 1 to 10^7]
Concurrent Exploration with 4 processors (Execution time)
[Bar chart: percentage of time saving, y-axis -10% to 70%; benchmarks SharedPtr, SharedArray, Robots (3 threads), FileSystem (17 threads), Indexer (16 threads), Philosophers (9 threads), CMIS (N=128, 4 threads)]
Cartesian versus Persistent-Sets

Thread 1:  0: x++   1: x++   2: x++   3: assert(yC)   4: end
Thread 2:  0: y++   1: y++   2: y++   3: assert(xC)   4: end

State space, as pairs (PC1, PC2):
  (0,0) (1,0) (2,0) (3,0) (4,0)
  (0,1) (1,1) (2,1) (3,1) (4,1)
  (0,2) (1,2) (2,2) (3,2) (4,2)
  (0,3) (1,3) (2,3) (3,3) (4,3)
  (0,4) (1,4) (2,4) (3,4) (4,4)
The End