Data Flow Analysis for Verifying Properties of Concurrent Programs �

Matthew B� Dwyer

Lori A� Clarke

Department of Computer Science

University of Massachusetts

Amherst� MA �����

Abstract

In this paper we present an approach� based on data�ow analysis� that can provide cost�e�ective analysis ofconcurrent programs with respect to explicitly statedcorrectness properties� Using this approach� a developerspeci�es a property of a concurrent program as a patternof selected program events and asks the analysis to ver�ify that all or no program executions satisfy the givenproperty� We have developed a family of polynomial�time� conservative data �ow analysis algorithms thatsupport reasoning about these questions� To overcomethe traditional inaccuracies of static analysis� we havealso developed a range of techniques for improving theaccuracy of the analysis results� One strength of our ap�proach is the �exibility allowed in choosing and combin�ing these techniques so as to increase accuracy withoutmaking analysis time impractical�

We have implemented a prototype toolset that au�tomates the analysis for programs with explicit taskingand rendezvous style communication� We present pre�liminary experimental results using this toolset�

� Introduction

The application of distributed and concurrent pro�gramming technology has moved from special purposedatabase and operating systems into the programmingmainstream� Developers applying this technology tocomplex problems require cost�e�ective analysis tech�niques to gain con�dence in the quality of their concur�

��This work was sponsoredby the AdvancedResearchProjects

Agency under Grant � MDA�������J������

rent software� In this paper� we present an approach�based on data �ow analysis� that has the potential toprovide cost�e�ective analysis of concurrent programswith respect to explicitly stated correctness properties�

Although our approach is applicable to a wide rangeof concurrency and communication models� in this pa�per we restrict our discussion to programs with explicittasking and rendezvous communication and illustrateour approach using Ada tasking programs� Using ourapproach� developers de�ne a set of program events thatthey want to reason about and specify properties of con�current programs as patterns of those program events�They ask the analysis to verify that all or no programexecutions satisfy the given property� We have devel�oped a family of polynomial�time� conservative data �owanalysis algorithms whose results can be used to addresssuch questions�

To overcome the traditional inaccuracies of staticanalysis� we have developed a range of techniques forimproving the accuracy of the results� Prior to analy�sis� re�nements to the �ow graph representation of theprogram� based on program and property speci�c in�formation� increase the e�ciency and accuracy of thesubsequent analysis� During analysis� enforcement offeasibility constraints� which are based on the programbeing analyzed and the programming language in whichit is written� improves the accuracy of the results� Onestrength of our approach is the �exibility allowed inchoosing and combining these techniques� thus provid�ing a means of controlling the tradeo� between accu�racy of the analysis results and the execution time ofthe analysis� This results in an analysis approach thatcan provide high accuracy without making analysis timeimpractical�

Section � describes related work and discusses simi�larities and di�erences between prior research and ourapproach� We provide a high level overview of the ba�sic analysis approach and state some theoretical resultsin Section �� Following that� we describe techniques

for improving the accuracy and e�ciency of the basicapproach in Section � We discuss a prototype imple�mentation of our analysis approach and present initialexperimental results in Section �� We conclude in Sec�tion � with a discussion of what we have learned aboutour analysis approach and plans for future work�

� Related Work

There is a large body of research into automated tech�niques for reasoning about the behavior of concurrentprograms�

State reachability approaches have been success�fully applied to analyzing concurrent programs Hol���SMBT��� YTL����� Complexity results for reachabil�ity analysis Tay��� imply that� in general� the sizeof the program state space and consequently the costof analysis increases exponentially with program size�To address the need for scaling reachability analy�sis to large programs� researchers have investigatedthree techniques� reducing the state space based onthe property being analyzed DBDS��� GW�� Val����building and analyzing the state space compositionally CPS��� YY��� and using a symbolic representation ofthe state space BCM����� Although� in general� thecosts of these techniques exhibit exponential growth�each has been successful in verifying properties of ex�ample programs�

An alternate analysis approach is to reason using nec�essary or su�cient conditions about a speci�ed property�Necessary conditions of this form can be used to rea�son about whether all or no program executions satisfya property �� In contrast� su�cient conditions of thisform can be used to reason about whether some pro�gram execution satis�es a property� Researchers haveused linear programming techniques to encode necessary ABC��� and su�cient MSS��� conditions� Although�in the worst case� the cost of the linear programmingtechnique is exponential� it has been successfully ap�plied to a number of examples and allows for practicalanalysis of very large versions of those examples�

Data �ow analyses have traditionally been based onsimilar necessary or su�cient conditions� Conceptually�data �ow analysis involves a �x point computation overa �ow graph of a pre�de�ned relation� which encodesthe analysis question� In theory the class of relationsthat can be computed is very large� polynomial�timealgorithms exist for a smaller but very useful class ofrelations MR���� For data �ow analysis of sequentialprograms� the �ow graph is often reducible and special�ized algorithms can be applied that improve the execu�tion time of analysis�

Data �ow analysis of concurrent programs requires

�The question do all executions satisfy the property� is the

dual of is it false that no executions satisfy the negation of the

property��

that inter�task communication be represented� Earlymodel checking approaches CES��� are essentially data�ow analyses that use the program data and controlstate reachability graph as a �ow graph� performancesu�ered from the impractical size of this graph� how�ever� More typically� data �ow analyses either repre�sent potential communication with edges in the �owgraph CKS��� GS��� MR�� or label nodes representingcommunication statements so that they can be matchedduring analysis CK��� Mer���� The former approach isappropriate if we view the �ow graph as a repositoryof information about possible program executions thatis re�ned over time by a variety of analyses MR����although the resulting �ow graphs are invariably irre�ducible� Our approach also employs a �ow graph thatrepresents communication explicitly�

Masticola and Ryder MR�� describe an analysis ap�proach for checking deadlock freedom in Ada taskingprograms that uses data �ow analyses MR��� to im�prove the accuracy of the analysis results� These data�ow analyses are in the spirit of the re�nements de�scribed in Section �� Our approach di�ers from thatof Masticola and Ryder in that we advocate selective ap�plication of a more comprehensive set of re�nements� donot iteratively apply all re�nements until convergence�further improve accuracy through the use of feasibilityconstraints� and support analysis of a rich class of prop�erties as opposed to just deadlock�

Olender and Osterweil OO��� developed an analysisfor sequential programs� based on necessary conditions�that uses a simple version of the state propagation al�gorithm described in Section ���� In addition to theincrease in complexity associated with the analysis ofconcurrent programs� our approach incorporates a va�riety of mechanisms to increase the accuracy of statepropagation analysis� We note that our analysis is ap�plicable to sequential programs without modi�cation�

A number of analyses represent programs and prop�erties of interest as formal automata GW�� Kur���OO���� At a high level� the set of executable programpaths are represented as strings accepted by a programautomaton and the set of program paths that satisfy theproperty are strings accepted by a property automaton�One approach to verifying properties in this context isto test if the language of the program automata is con�tained in the language of the property automata� Thecomplexity of such a test varies with the power of the au�tomata used� The state propagation analysis describedin Section ��� is a polynomial�time� conservative testto determine language containment for �nite state au�tomata�

A number of formalisms have been developed to ex�press properties of programs� such as temporal log�ics Pnu��� and regular expression based formalisms

ABC��� Kur��� OO���� Unfortunately� reasoning us�ing the most general of these formalisms can be inef�

�

Figure � Architecture of Analysis Approach

�cient� Since a large� practical class of properties� in�cluding safety and bounded liveness� are captured bythe much simpler theory of regular expressions and ��nite automata� we will analyze properties in this lessgeneral but more practical setting�

� Overview

In this section� we describe our �ow graph represen�tation for concurrent programs� the formalism for ex�pressing program properties� and the basic analysis al�gorithm�

Figure provides a high level view of the compo�nents and information �ow in our analysis approach�For the basic version of our analysis the bold compo�nents and arrows in the �gure are relevant� the dashedcomponents and arrows can be ignored� The programtranslator constructs a trace �ow graph �TFG� from theAda source code for a program� or part of a program�After specifying the desired property as a quanti�ed reg�ular expression �QRE�� the QRE translator constructsa property automaton �PA� that represents the prop�erty� The generic state propagation data �ow analysisalgorithm is instantiated for the PA and applied to theTFG� The results of state propagation analysis indicatewhether the program satis�es the speci�ed property�

To reduce the cost of analysis or increase its accuracy�re�nements can be applied to the TFG or feasibility con�straints can be incorporated into the PA by the productbuilder� Such improvements are optional and are thusdepicted by dashed lines in Figure �

��� Program Representation

The trace �ow graph is a conservative representationof executable program event traces� which are stringsover the set of program events� A TFG can be thoughtof as an automaton that accepts event strings� Since it isconservative� it is guaranteed to accept all event strings

task body T� is

begin

x �� TRUE� �� EVENT �a�

T��E�� �� EVENT �b�

end T��

task body T� is

begin

accept E�� �� EVENT �b�

x �� FALSE� �� EVENT �c�

end T��

Figure �� Ada tasks for example

that correspond to program executions� As with most�ow graph representations� it may also accept eventstrings that do not correspond to program executions�

In this paper we describe TFGs in terms of Ada lan�guage constructs and illustrate with examples of Adaprograms� Figure � is a simple Ada tasking programthat consists of two tasks and a single task communica�tion� used to order the de�nitions of the boolean variablex�

Users describe an alphabet of program events� denotedby �� such that each symbol corresponds to the exe�cution of some program event� such as a reference toa variable or execution of an entry call� All programevent alphabets contain the � symbol that correspondsto the program executing an event that is not of inter�est� A number of mechanisms for de�ning this alphabetare possible� such as using a �xed set of events� speci�fying the set of program entities of interest � e�g�� vari�ables� functions� task entries� and generating the set ofevents related to those entities� or introducing programcomments that de�ne events� For expediency� we useprogram comments to de�ne events of interest as illus�trated by the �� EVENT �symbol� comments in Figure�� Note that for a calling event� say b� we represent a

corresponding accept statement with a b symbol�TFGs are constructed from a set of control �ow

graphs �CFG�s that represent the tasks of the program�Formally� a TFG is �N�E� S� T� L� P � where N is theset of nodes� E consists of � kinds of directed edgesrepresenting control �ow� communication and poten�

�

Figure �� Trace Flow Graph for example

tial program event ordering information� S � N is theunique start node� T � N is the unique terminal node�L � E � � maps an edge to an event symbol� andP � E � E maps communication and ordering edgesto an associated partner edge� The semantics of edgekinds and the edge partner mapping is discussed below�For the example in Figure � the CFGs for the tasks andthe initial� unre�ned TFG constructed from them areillustrated in Figure ��

Nodes TFG nodes represent control states of individ�ual tasks in the program� There is a TFG node for eachnode in the set of CFGs for the tasks in the program�In Figure � we number TFG nodes for identi�cationpurposes� Nodes f����g correspond to control states oftask T�� where node is the start and node � the ter�minal state� Nodes f����g correspond to control statesof task T�� where node is the start and node � theterminal state� We add two additional nodes start andend that represent the start and end states of the pro�gram� The outgoing TFG edges from a node representthe program events that can be executed when a task isin the state represented by the node�

Edges An edge is labeled by a symbol from the pro�gram event alphabet� For our example the alphabet is

fa� b� b� cg� Although not illustrated in Figure �� multi�ple TFG edges can be labeled with the same symbol�

We represent program events that are local to a taskas a TFG control �ow �CF� edge whose source and des�tination represent control states in the same task� Theseare analogous to CFG edges� In the unre�ned TFG ofFigure �� the solid edge ����� labeled by a� represents

the execution of x �� TRUE in task T�� and is derivedfrom edge ���� of the CFG for T�� We also add � labelededges from�to� the start�end� node to�from� the nodescorresponding to the enter�exit� nodes of each CFG�

Like some other �ow graphs for concurrent programs�TFGs represent task communication with explicit edges�We extract the set of potential communications from theCFGs by matching the labels on CFG edges� for exam�

ple b and b� We are interested in capturing the fact thatthe TFG nodes that follow a communication have twopredecessors� one in the same task as the node� whichis represented by a CFG edge� and the other in anothertask with a matching communication statement� Weintroduce a communication �COM� edge to capture thecommunication predecessor in the other task� To illus�trate� in the unre�ned TFG in Figure � the predecessorsof node � are node �� by way of the control �ow edge�and node � by way of the� dashed� communication edge�Similarly� node � has a pair of incoming control �ow andcommunication edges� Control �ow edges that representAda entry call and accept statements may have multipleassociated communication edges� Each communicationedge� however� has a single control �ow edge associatedwith it� we refer to that control �ow edge as the commu�nication partner� A communication edge is annotatedwith the identity of its partner� We note that acceptstatements with bodies are modeled as separate startand end communications�

Unlike other concurrent �ow graph representations�TFGs capture the potential interleaving of asyn�chronously executing program events� We representpairs of edges that may interleave execution order by

introducing additional edges into the TFG� For eachnon�� labeled control �ow or communication edge ex�iting a TFG node we add a may immediately precede�MIP� edge from that node to all nodes in other tasks�We refer to the control �ow or communication edge as�sociated with a MIP edge as a MIP partner and anno�tate the MIP edge with the identity of its partner� Thesemantics of a MIP edge are that the event labelingits partner may immediately precede execution of anyevent initiated from the destination node of the MIPedge� To illustrate� consider the unre�ned TFG in Fig�ure �� Nodes start� � and � have no exiting MIP edgesbecause all of their exiting edges are labeled � � Nodeend has no exiting edges of any kind� Node has asingle exiting control �ow edge ���� labeled by a� Weadd� bold� MIP edges ���� ����� ���� to represent thepossibility that event a may immediately precede events

b exiting node � c exiting node �� and � exiting node�� The MIP edges leaving node � are constructed anal�ogously� �

In constructing a TFG from a collection of CFGsfor an Ada program we make use of the fact that ren�dezvous communication requires that two tasks synchro�nize to communicate� Therefore� communication eventsbetween the tasks cannot execute asynchronously withrespect to any of the other events in the two tasks� Thus�if we have a communication edge we need not add anyMIP edges for that edge� In our example� all edges exit�ing node � represent communication with task T� so weneed not include MIP edges for them� node is treatedanalogously� We note that if we had non�communicationrelated control �ow edges exiting node �� then we wouldintroduce MIP edges for only those control �ow edges�

It is clear from this simple example that the TFGoverestimates the executable event orderings of the pro�gram� In Section � we discuss how to eliminate someunexecutable orderings� Finally� we note that there arepotentially many MIP edges in a TFG� this is not sur�prising since the number of pairs of asynchronously ex�ecuting program statements can be large�

We state two important results on the size and struc�ture of TFGs� they are irreducible graphs and jEj �

O�jN j��� There have been a number of data �ow algo�rithms developed that are applicable only to reduciblegraphs that are thus not applicable to TFGs� The com�plexity of data �ow algorithms is often expressed interms of the number of �ow graph nodes� under the as�sumption that the number of edges is at most the squareof the number of nodes� TFGs violate this assumptionand� therefore� we must evaluate the complexity of data�ow algorithms in this light�

�Although not illustrated by the example in this paper� to moreaccurately model a program� TFGs can be constructed that usemultiple CF edges to represent a single program statement and

that duplicate and specialize portions of the TFG that representAda accept bodies�

Figure � Property Automaton for Response Property

For simplicity� in the remainder of the paper we treatthe symbols representing call and accept statements for

the same entry as identical� That is� b and b will nowbe treated as b in our example�

��� Property Representation

To specify properties� we use a part of the Ce�cil formalism OO��� called quanti�ed regular expres�sions� QREs have three components� a property alpha�bet �property� a quanti�er Q� and a regular expressionR� Syntactically� QREs look like f�propertygQR� where�property � �� Q � f�� �g� and R is a regular expressionover �property� The alphabet is a set of symbols repre�senting distinct program events� The quanti�er deter�mines whether we test if the pattern described by R isexhibited on all program executions or on no programexecution� The regular expressions in this formalismare standard and include concatenation �a� b�� disjunc�tion �ajb�� Kleene closure �a�� and di�erence �fa� bg�b�of symbols and sets of symbols from �property �

We have been able to specify a number of useful prop�erties in a stylized form of QREs over two classes ofsub�expressions� intervals that exclude a set of events�of the form ��property � fa� bg��� and required events�of the form a� The idea of intervals that require andexclude events is derived from Corbett�s ��starless ex�pressions Cor���� Data races� mutual exclusion� generalforms of invariance� response and precedence propertieshave been speci�ed with this form of QRE�

As an example consider an event based formulationof a response property� If we have events a� b� and c�we can specify �after an a event occurs� eventually a c

event will occur� asfa� b� cg�

property � a��� a� property � c��� c� property � a����

Using standard techniques we can construct from theregular expression of a QRE a �nite automaton thatwe call a property automaton �PA�� A property automa�ton accepts all event strings over the property alphabetthat correspond to the property of interest� Formally� aPA is �TPA��� �� SPA� APA� where TPA is the set of au�tomaton states� � is the alphabet� � � TPA � � � TPAis the state transition function� SPA � TPA is the startstate� and APA � TPA are the accepting states� Fig�ure illustrates the PA for the response QRE describedabove� Many PAs contain a non�accepting state thathas no exiting� non self�loop transitions� Such statesrepresent the fact that a string leading to that state has

�

Input� TFG and a PA

Output� the States relation

Algorithm�

�� Statesstart node of TFG� SPAall other States values �

�� initialize worklist to exit edges of start node

� while worklist is not empty

�� dequeue next edge from worklist

�� compute current states for sources� of edge

� for each current state� s�

�� Statesdestination of edge�� �s� Ledge��

�� add edges whose source has new States

values to worklist

Figure �� State Propagation Algorithm

violated the property in such a way that no extensionof the string can possibly satisfy the property� we callthese states trap states�

��� State Propagation Analysis

One approach to analyzing properties speci�ed asQREs is to submit each TFG event trace to the PAand check if the PA accepts it� This is impractical be�cause the number of TFG event traces is� in general�in�nite� Our analysis collapses event traces that lead tothe same PA state into a single value and thus greatlyreduces the amount of work required to analyze QREs�This can be implemented by a data �ow analysis algo�rithm� We use a standard iterative worklist algorithm Hec��� with modi�cations to enforce conditions relatedto the semantics of TFG edges� The main data struc�tures are a worklist of TFG edges and States� the setof PA states for each TFG node� Figure � gives a highlevel description of the algorithm� In step � we con�sider separately communication edges and their part�ners� control �ow edges� MIP edges that have control�ow edges as partners� and MIP edges that have com�munication edges as partners� For communication edgeswe use the fact that two statements can successfully ren�dezvous only if they are reached simultaneously on thesame program execution� In our model this correspondsto having the same event trace lead to the source nodesof the communication edges for a given rendezvous� Thealgorithm enforces this condition by only propagatingPA states that are common to the source nodes of acommunication pair across a communication edge�

This simple version of the state propagation algo�rithm has a worst case bound on its running time of

O�jTPAj�jEj� or equivalently O�jTPAj

�jN j

��� We note

that the value of States for each TFG node moves mono�tonically up the PA state powerset lattice as the algo�rithm progresses� We have developed a slightly morecomplicated version of the algorithm that� for negligiblecost� keeps track of the state values considered for eachTFG edge� For this algorithm we can bound the num�

ber of calls to � by jEjjTPAj� The bound on the runningtime of this more complicated algorithm is O�jTPAjjEj�

or equivalently O�jTPAjjN j���

��� Results of State Propagation

Complete program executions correspond to eventtraces that start at the entering node of the TFG andend in states that correspond to a termination state foreach task in the program� We capture this informationby intersecting the States values for the TFG nodes thatcorrespond to termination states for each task� This isa conservative estimate of the PA states that can bereached by complete executions of the concurrent pro�gram�

Analysis of a QRE that speci�es the � quanti�er re�quires a test for language containment� If the intersec�tion of States values for task termination nodes is asubset of the accepting PA states� then all executableprogram traces satisfy the property� we say that the lan�guage containment test is true� If the result is false� how�ever� we say it is inconclusive because the TFG trace�s�that did not satisfy the property may or may not befeasible�

Analysis of a QRE that speci�es the � quanti�er re�quires a test for non�empty language intersection� Ifthe intersection of States values for task terminationnodes contains no accepting PA state� then there existsno executable program trace that satis�es the property�we say that the non�empty language intersection testis false� If the result is true� however� we say it is in�conclusive because the TFG trace�s� that satis�ed theproperty may or may not be feasible�

While inconclusive results are insu�cient for verify�ing properties of programs they can provide useful anal�ysis information� In particular� post�processing of theStates values may be able to determine the feasibilityof the traces in question�

� Increasing E�ciency and Accuracy

Cost�e�ective data �ow analysis requires that test�ing of necessary conditions encoded in the analysis ise�cient and that the conditions are strong enough toprovide conclusive results in most cases�

The worst case time complexity bounds of our statepropagation algorithms indicate that the e�ciency ofstate propagation analysis is strongly dependent on thenumber of edges and nodes in the TFG� We introduceTFG re�nements into the basic analysis illustrated inFigure to reduce the number of edges and nodes suchthat analysis of the resulting TFG is more e�cient with�out sacri�cing accuracy�

The structure of the TFG enforces some� but not all�event ordering constraints of the program� The statepropagation algorithm enforces constraints on task syn�chronization at communication and program termina�

�

tion states� There are three major sources of inaccuracyin the TFG representation� unexecutable control �owpaths� unexecutable communication between matchingstatements� and unexecutable orderings of asynchronousprogram events� We introduce TFG re�nements intothe basic analysis illustrated in Figure to eliminatesources of inaccuracy that are independent of particu�lar TFG paths� We introduce feasibility constraints anda mechanism for combining them with the property au�tomaton into the basic analysis illustrated in Figure to eliminate sources of inaccuracy that depend on par�ticular TFG paths�

��� Re�nements

There are two goals in re�ning the TFG� reducingits size and eliminating behaviors that are never exe�cuted� Reducing the size of the TFG will reduce thecost of performing state propagation� Eliminating unex�ecutable behaviors strengthens the conditions encodedin the TFG and consequently improves the accuracy ofstate propagation� We have developed re�nements thatreason about a variety of program information� Manyre�nements only consider a subset of the TFG edges�For example� in the description of communication inter�vals that follows we do not need to consider MIP edges�Therefore the cost of performing re�nements is only de�pendent on the size of the relevant parts of the TFG�We describe two of our re�nements�

Alphabet Re�nement For state propagation of agiven property to be correct� the TFG need only repre�sent the set of events in the property alphabet and theordering relationships between those events� We canperform alphabet re�nement of a TFG for a given prop�erty by relabeling with � the edges in the TFG that donot have labels in the property alphabet� The result�ing TFG can be further transformed to eliminate edgesand nodes that do not add to the set of traces overthe reduced event alphabet� These transformations areaccomplished through application of a partition re�ne�ment algorithm whose running time is bounded by alow�order polynomial in the number of TFG nodes� Wewill see in Section � that this simple re�nement can havea great e�ect on the size of the TFG and on the cost ofstate propagation analysis�

Communication Interval Re�nement Many pro�grams contain critical sections� transaction like struc�tures� regions of mutual exclusion� protocols for acquir�ing and releasing resources� etc� We have developedcommunication interval re�nement to eliminate behav�iors from the TFG that can never be executed basedon the semantics of these kinds of program structures�A communication interval consists of a pair of execu�tion regions in distinct tasks that are bounded by acommon pair of statically recognizable communication

events� called the start and end events of the interval�We consider the start and end of the program as implicitcommunication events� Intuitively� an interval consistsof regions of statements in two tasks such that if one taskis executing in the region associated with the interval�then the other task must be executing in its associatedregion� We can represent an interval as a set of TFGnodes such that each node lies between the start andend events in each of the tasks involved in the interval�For the unre�ned TFG in Figure � there are two com�munication intervals involving tasks T� and T�� Interval has the start of the program as its start event and b

as its end event� and consists of nodes and � in taskT� and node in task T�� Interval � has b as its startevent and the end of the program as its end event� andconsists of node � in task T� and nodes � and � in taskT��

Events in di�erent tasks that lie in disjoint intervalscan never be immediate predecessors of each other be�cause there is always an intervening event� the start orend event of the interval� We can� therefore� eliminateMIP edges that cross the boundaries of intervals� There�ned TFG in Figure � illustrates the results of ap�plying communication interval re�nement to the unre��ned TFG� The MIP edges ����� ����� ���� and �����

all cross interval boundaries �� The cost of perform�ing communication interval re�nement is dominated bythe cost of computing control �ow dominator and post�dominator relations for the control �ow graph of eachtask and considering each pair of communicating tasks�both of these are bounded by a low�order polynomial inthe number of TFG nodes� We will see in Section � thatthis re�nement can have a great e�ect on the size of theTFG and the cost and accuracy of state propagationanalysis� We note that communication interval re�ne�ment can be viewed as a generalization of Masticola andRyder�s critical section analysis MR����

Figure � illustrates the working of the state prop�agation algorithm in Figure �� with the communica�tion interval re�ned TFG from Figure � and the PAfrom Figure � The rows are presented in the orderthat they are taken o� of the worklist in line of thealgorithm� Note that the computation of the currentsource States value is dependent on the edge kind�For communication edges we intersect the States val�ues for the source COM edge and its partner� Notealso that when considering a MIP edge we use thelabel of its partner edge in evaluating �� Since theQRE for this property uses a � quanti�er we check thatStates��� � States��� � f�� �g� f�g � f� �g � APA toverify that the response property holds on all executionsof the example program�

�For this simple example� there are other ordering re�nementsthat can determine the unexecutability of these edges�

�

Edge from Edge Edge Current Current Line � of Stateworklist kind Partner Source States Dest States Propagation Algorithm

start��� CF � f�g � States�� � � ��� �� f�gstart��� CF � f�g � States�� � � ��� �� f�g���� CF � f�g � States�� � � ��� a� f�g���� MIP ���� f�g f�g States�� f�g � ��� a� f���g���� COM ���� f���g � f�g f�g � States�� � � ��� b� f�g���� COM ���� f�g � f���g f�g � States�� � � ��� b� f�g��end� CF � f�g � Statesend� � � ��� �� f�g���� CF � f�g � States�� � � ��� c� f�g���� MIP ���� f�g f�g States�� f�g � ��� c� f���g��end� CF � f�g f�g Statesend� f�g� ��� �� f���g

Figure �� Example Operation of State Propagation Algorithm

��� Feasibility Constraints

In contrast to re�nements� feasibility constraints�FC� attempt to improve the accuracy of state prop�agation with respect to particular TFG paths� Con�ceptually� a feasibility constraint represents a necessarycondition that must be satis�ed for a path through theTFG to correspond to a program execution� We havedeveloped feasibility constraints that encode necessaryconditions related to the ordering of events local to atask� the ordering of events that are global to the entireprogram� the relative number of occurrences of relatedprogram events in the entire program� and the values ofprogram variables� Each of these can be encoded as a�nite automaton� and a collection of these can be com�bined by the product builder� as described below� toenforce the conjunction of the necessary conditions ofthe constraints during state propagation analysis� Wewill see in Section � that this can have a great e�ecton the accuracy of state propagation analysis� We il�lustrate the approach by discussing the local task eventordering constraint�

Task Automata The presence of MIP edges in theTFG introduces paths that may violate event orderingsencoded as control �ow edges in the TFG� The re�ne�ments of the previous section help improve the precisionof the TFG by eliminating unnecessary MIP edges� Wehave developed a technique for enforcing the control �oworderings for a single task during state propagation byencoding the state and state transitions of an individ�ual task as a �nite automaton� called a task automaton�TA�� During state propagation� the TA restricts theanalysis to consider only TFG paths that correspond tothe set of legal event sequences for the modeled task�

A TA is constructed from the control �ow graph for atask� where the enter and exit nodes of the CFG deter�mines the start and accept states of the TA� In general�symbols in the TFG alphabet do not uniquely label TFGedges� Keeping track of task state in the TA requiresthat we know when relevant control �ow edges in the

Figure �� CFG and TA for task T of example

TFG are considered rather than the symbols that la�bel the edges� Thus� the alphabet of the TA is a set ofunique edge identi�ers for the control �ow edges of themodeled task� We add a non�accepting violation stateto represent that a path in the TFG violates the order�ing of events in this task� We add transitions from allTA states to the violation state for all symbols in theTA alphabet for which the state has no exiting transi�tion� Figure � illustrates the CFG and TA for task T�

of the example in Figure �� Each edge in the task CFGhas a corresponding transition in the TA� thus symbole� identi�es control �ow edge ���� and e� identi�es thecontrol �ow edge ������ There are four states� viola�tion v and one for each node of T��s control �ow graph�Finally� the state associated with the end node of thetask CFG� for this example state �� is the only acceptingstate�

We note that to enforce the conditions encoded in aTA during state propagation� the TFG alphabet mustinclude the symbols of the TA alphabet� This typicallyinvolves converting the TFG to use unique edge iden�ti�ers as edge labels and replacing PA transitions oneach symbol with a transition for each edge in the TFGthat is labeled by such a symbol� In the example� forinstance� we would replace transitions on a with transi�tions on e��

Product Builder Given a PA and feasibility con�straints encoded as �nite automata we can use standardautomata theory to construct a product automaton�which we call a constrained property automaton �CPA��As we introduce more feasibility constraints� the num�

�

ber of states and the size of the alphabet of this productautomaton grows rapidly� with a negative impact on theperformance of state propagation� To combat this wehave developed techniques reduce the number of statesand number of symbols in the alphabet of the CPA�

One such technique reduces the size of the CPA al�phabet by recognizing that rather than using the cross�product of the PA and FC alphabets� we can use uniqueidenti�ers for the control �ow and communication edgesof the TFG� Prior to state propagation� we can easilytransform the TFG labels� PA transition symbols� andFC transition symbols to this common edge alphabet�This can signi�cantly reduce the complexity of �� theCPA transition function�

We have developed a technique that collapses collec�tions of equivalent CPA states into a single state� Asmentioned above� the CPA enforces the conjunction ofthe necessary conditions encoded in the FCs� If any ofthe individual conditions of the FCs is violated then theconjunction is violated� Therefore� we can collapse allCPA states that represent a violation state in any of theFC automata into a single violation state without losingaccuracy�

CPA states that are unreachable do not contribute tothe time performance of state propagation but they dorequire unnecessary space to represent �� When tran�sitions in multiple FC automata or the PA share a la�bel� the CPA may contain states that are unreachable�These states are easily detected and removed from theCPA�

A �nal improvement to the CPA does not reduce itssize but it does improve the accuracy of analysis� Weapply re�nement information to increase the accuracy ofthe CPA that are built from one or more TA by directingtransitions on edges that are unexecutable at a given TAstate to the violation state�

These techniques resulted in a dramatic reduction inthe size of the CPAs used in state propagation for theexamples in Section ��

Interpreting the results of state propagation of aCPA� as opposed to a PA� has one slight di�erence fromthe description in Section ��� When comparing the ter�minal TFG States values to the CPA accept states� weignore the CPA violation state� This removes any con�tribution to state propagation of TFG paths that violateany of the conditions enforced by the FCs encoded inthe CPA�

� Empirical Evaluation

The two main goals of our empirical evaluation are todemonstrate the feasibility of the analysis approach andto provide feedback on the e�ectiveness of the analysiscomponents� As discussed in Section ��� in the worstcase the number of TFG edges is cubic in the numberof nodes� One goal is to assess whether this bound is

approached in practice� In addition� we want to validatethat accurate analysis results can be obtained withoutexcessive use of feasibility constraints� Note that if weuse a TA for each task in the program� then state prop�agation of the resulting CPA will be as accurate� and ascostly� as global reachability analysis�

Although detailed characterization of the executionperformance of our analysis was not an explicit goal ofthis evaluation� we are able to present some preliminarydata on the execution performance of state propagationanalysis�

Prototype Implementation

We have developed prototype implementations of anumber of components of the analysis architecture asdepicted in Figure � In particular� the program trans�lator and a simple version of the state propagation al�gorithm are fully automated� and detection of commu�nication intervals is partially automated� We have wellde�ned algorithms for all the other components� includ�ing an algorithm for constructing an automaton thatenforces constraints based on variable access called avariable automaton �VA�� The algorithms that are notautomated were applied manually for the experimentsdiscussed in this section�

Empirical Results

We consider three examples� the simple examplein Figure �� the controller task from a readers�writersproblem ABC���� and a simple protocol Cor���� Wemeasure the cost of executing the state propagation al�gorithm� described in Section ���� in terms of the num�ber of TFG edges taken o� of the worklist and the num�ber of calls to �� the CPA transition function� Figure� summarizes data for the experiments discussed below�� The experiments included communication intervalre�nement �CI�� alphabet re�nement �A�� variable au�tomata �VA�� task automata �TA� and re�nement ofthe CPA based on communication intervals �CPAR��The analysis results indicate that either all executionssatisfy the property� no executions satisfy the property�or the results are inconclusive�

Example Experiment We analyzed � � and � �properties on TFGs representing the simple example in�troduced in Section �� We attempted to verify the re�sponse property described in Section ��� and illustratedin Figure � For this simple example there is a sin�gle executable program trace over the alphabet fa� b� cg�namely abc� We attempted to verify that all the exe�cution traces represented in the TFG exhibit this loneexecutable trace� We also attempted to verify that twounexecutable traces were exhibited by no trace in the

�Some of the QREs are too large to �t in the table and areincluded in the text with reference numbers�

�

� Program Tasks Re�nements QRE Result TFG CPA State PropagationConstraints Nodes Edges States Edges � Evals

� example � fa�b�cg�ac inc � �� � �� ��� example � fa�b�cg�abac no � �� � �� ��� example � Figure � all � �� � �� ��� example � fa�b�cg�abc all � �� � �� ��� example � CI fa�b�cg�ac no � �� � �� ��� example � CI fa�b�cg�abac no � �� � �� ��� example � CI Figure � all � �� � �� ��� example � CI fa�b�cg�abc all � �� � �� ��� control � QRE � inc �� �� � �� ����� control � A QRE � inc � � � �� ���� control � A�VA QRE � all �� �� � �� ���� protocol � � CI QRE � inc �� �� � ��� ����� protocol � � CI�TA QRE � inc �� �� � ��� ����� protocol � � CI�TA�CPAR QRE � all �� �� � ��� ����� protocol � � CI�TA�CPAR QRE � all �� ��� � ��� ����� protocol � � CI�TA�CPAR QRE � all �� ��� � ��� ������ protocol � �� CI�TA�CPAR QRE � all �� ��� � ���� ������ protocol � �� CI�TA�CPAR QRE � with m � no �� ��� � ���� ������ protocol � �� CI�TA�CPAR QRE � with m � no �� ��� �� ���� ������� protocol � �� CI�TA�CPAR QRE � with m � no �� ��� �� ���� ������� protocol � �� CI�TA�CPAR QRE � with m � no �� ��� �� ���� �����

Figure �� Data for Experiments

TFG� We performed state propagation analysis on thetwo versions of the TFG illustrated in Figure ��

The data in Figure � for experiments through � in�dicates that in all cases analysis of the re�ned TFG wasconsiderably less costly than for the unre�ned TFG� Forthe property fa�b�cg�ac� analysis of the unre�ned TFGwas inconclusive� communication interval re�nement ofthe TFG improved the accuracy of the analysis resultsso that the property could be veri�ed�

Controller Experiment Many programs encodestate information in variables that is crucial to the suc�cess of static analysis� The controller task from thereaders�writers example enforces the order in which itaccepts entry calls on its entries by setting and testingthe state of two local variables� The code for this exam�ple is given in appendix A with communication eventsand variable access events indicated�

We speci�ed the property that every bW � represent�ing a communication over the Start Write entry� is fol�lowed by an eW � representing a communication overthe Stop Write entry� without an intervening bW asthe QRE��� fbW� eW� bR� eRg�

� bW ��bW � � fbW� eWg��� eW � � bW ����

The PA for this QRE has � states including a trap state�We analyzed this property for three TFGs for this task�an unre�ned TFG representing all communication state�ments and variable accesses� a TFG re�ned to have analphabet of just the communication events� and a TFGre�ned to have an alphabet of communication eventsand accesses to the WriterPresent boolean variable�

As mentioned in Section �� the alphabet re�nementhas no e�ect on the accuracy of analysis results� butit did have an appreciable impact on the cost of anal�ysis� Unfortunately� the results were still inconclusive�Increasing the TFG alphabet and incorporating a VAprovided su�cient accuracy to verify the property�

Experiments � through illustrate how the com�bination of TFG re�nement and feasibility constraintscan provide increased accuracy while decreasing the ex�ecution cost of the state propagation algorithm� Theseexperiments also illustrate how our analysis approachsupports reasoning about tasks and groups of tasks in�dependent of the rest of the program�

Protocol Experiment The code for the protocol ex�ample with � clients is given in appendix A� The prop�erty that every header from client � h� was followedby a packet from client � p� without any interveningheader sent was speci�ed as the QRE��� fh�� p�� � � � � hn� png�

� h���h�� � fp�� h�� h�� � � � � hng��� p�� � h�����

Where there are n clients� each with unique h and p

events� The PA for this QRE has � states including atrap state�

We analyzed this property for three TFGs represent�ing a � client version of the protocol program� The �rstTFG has an alphabet of communication events and wasre�ned by communication intervals� The second incor�porated a TA for Client� into the CPA� resulting in �additional states� This required converting the TFG tothe appropriate edge alphabet� The �nal version of the� client program applied the results of communication

�

interval re�nement to the CPA� This introduces no newCPA states� although it does change a number of tran�sitions� The TFG for all of these experiments was thesame size but only the communication interval re�nedCPA version provided su�cient accuracy to verify theproperty�

Experiments � through illustrate that accuracycan be gained by using feasibility constraints while de�creasing execution cost� In contrast to the the controllerexample� re�nements were not solely responsible for thedecrease in execution cost� The ability of the CPAproduct building algorithm to add constraints withoutgreatly increasing the number of states in the CPA wasan important factor in keeping analysis cost low�

We conducted experiments to get a sense of how anal�ysis cost scales with the size of the TFG and CPA� InFigure �� experiments through � are identical exceptfor increasing the number of clients� We note that theLockManager task scales in complexity with additionalclients� All of these experiments successfully veri�ed theproperty described above� In Figure �� experiments �through � are identical except for increasing the num�ber of CPA states� We attempted to show that the QRE�� fh�� p�� � � � � hn� png�

� h���h�� � fp�� h�� h�� � � � � hng���p�� � h����m�h�

was satis�ed by no program execution� where m is a pa�rameter used to increase the size of the CPA� All of theseexperiments successfully veri�ed the property describedabove�

Experimental Observations

Although the limited data presented here is insuf��cient for drawing statistically valid conclusions aboutthe rate of growth of state propagation analysis� we notea number of trends in the data� For all of the experi�ments in this section the number of TFG edges is consid�erably less than the square of the number of nodes� Forthe protocol example with increasing numbers of clients�the measures of execution cost for the state propagationalgorithm appears to grow as the square of the num�ber of nodes and linearly in the number of edges� Thenumber of edges taken o� the worklist appears to growlinearly with the number of CPA states and the � evalua�tions appears to be grow faster than linear but less thanquadratic in the number of CPA states� This last pointis due to the fact that the state propagation algorithmcurrently implemented in our prototype is the simpleversion described in Section ���� Using the more e��cient algorithm will reduce this cost� Thus� it appearsthat the bounds on the number of edges in the TFG andthe bound on execution time of the state propagation al�gorithm are not indicative of the practical performanceof the analysis�

� Conclusion

We have presented an analysis approach based onpolynomial�time data �ow analysis algorithms that ana�lyze whether a concurrent program satis�es an explicitlystated correctness property�

Our initial prototype implementation and algorithmshave provided valuable information on the contributionsof re�nements and feasibility constraints to the e��ciency and accuracy of state propagation analysis� Forexample� communication interval re�nements have beengeneralized from their initial incarnation based on feed�back from our experiments� The accuracy of the statepropagation algorithm was improved by enforcing tasksynchronization at communication points� In addition�the set of TFG edges that need to be considered dur�ing state propagation has been reduced without loss ofinformation� Also� we developed a faster version of thestate propagation algorithm� and the CPA constructionalgorithm has been improved from its initial incarna�tion by adding violation state collapsing and dead stateelimination�

In contrast to most of the methods described in Sec�tion �� our analysis approach is based on algorithmswith low�order polynomial bounds on the running time�Our preliminary empirical evaluations suggests that ac�curacy su�cient for verifying correctness properties ofconcurrent programs may be obtained in an analysiswhose cost is bounded by a low�order polynomial in thesize of the program� Although our results are prelim�inary� the accuracy and e�ciency of state propagationanalysis for the examples presented in this paper areencouraging�

A rich class of properties speci�ed as patterns of pro�gram events is supported� Speci�cation of some globalproperties however� such as deadlock� can require verylarge PAs and the cost of analysis may be impracticalfor these properties� One of our goals is to study a num�ber of properties of concurrent programs to understandhow the cost�e�ectiveness of our analysis varies with theproperty under analysis�

One of the strengths of our approach is its �exibility�Users have the ability to control the tradeo� between ac�curacy of the analysis results and the execution time ofthe analysis� The analysis architecture allows for a widevariety of TFG re�nements and feasibility constraints tobe incorporated into the analysis� One of our goals isto study the relative e�ectiveness of existing and newre�nement strategies with respect to increasing the ac�curacy of analysis results and decreasing analysis cost�While this paper describes FCs only as �nite automata�recent work has extended the analysis algorithms andarchitecture to allow a more general class of data �owproblems to be solved in conjunction with state prop�agation to eliminate unexecutable program traces fromconsideration� We intend to use this increased �exibility

to explore a wider range of tradeo�s between analysiscost and accuracy than was previously possible�

Programs can scale in a number of dimensions� suchas the number of tasks� complexity of control and datastructures� and communication structures� The exam�ples considered in this paper are relatively simple� Weare in the process of fully automating all of the analysiscomponents� Using these tools we plan on performinga number of case studies of large� complex concurrentprograms to investigate the extent to which our analysiscan be applied to realistic software analysis problems�

It has been suggested that no single analysis tech�nique is suitable for analysis of all properties of allconcurrent programs� We intend to compare the cost�e�ectiveness of our analysis approach with a number ofexisting analysis techniques� This comparison will becarried out by attempting to characterize the e�ective�ness of these analyses on programs and properties foundin the literature� In this way we hope to contribute to anunderstanding of the relative strengths and weaknessesof each analysis technique so that ultimately softwaredevelopers will be able to choose the most appropriatetechnique for the analysis problem at hand�

Acknowledgments� The authors would like to thank

Jay Corbett� Lee Osterweil� Michal Young and the anony�

mous reviewers for interesting observations and useful feed�

back�

References

ABC��� G�S� Avrunin� U�A� Buy� J�C� Corbett� L�K�Dillon� and J�C� Wileden� Automated anal�ysis of concurrent systems with the con�strained expression toolset� IEEE Transac�tions on Software Engineering� ����������� November ���

BCM���� J�R� Burch� E�M� Clarke� K�L� McMillan�D�L� Dill� and L�J� Hwang� Symbolic modelchecking � ��� states and beyond� In Pro�ceedings of the Fifth Annual IEEE Sympo�sium on Logic in Computer Science� pages������ ����

CES��� E�M� Clarke� E�A� Emerson� and A�P� Sistla�Automatic veri�cation of �nite�state con�current systems using temporal logic spec�i�cations� ACM Transactions on Program�ming Languages and Systems� �����������April ����

CK��� S�C� Cheung and J� Kramer� Tractable�ow analysis for anomaly detection in dis�tributed programs� In Proceedings of the �thEuropean Software Engineering Conference�pages �������� Germany� ���� published

in Lecture Notes in Computer Science ����Springer�Verlag�

CKS��� D� Callahan� K� Kennedy� and J� Subhlok�Analysis of event synchronization in a par�allel programming tool� In Proceedings ofthe Second ACM SIGPLAN Symposion onPrinciples and Practice of Parallel Program�ming� pages ����� March ����

Cor��� J�C� Corbett� Verifying general safety andliveness properties with integer program�ming� In Computer Aided Veri�cation��th International Workshop� pages ��������Canada� July ���� published in LectureNotes in Computer Science ���� Springer�Verlag�

CPS��� R� Cleaveland� J� Parrow� and B� Ste�en�The concurrency workbench� A semanticsbased tool for the veri�cation of concurrentsystems� ACM Transactions on Program�ming Languages and Systems� ����������January ����

DBDS��� S� Duri� U� Buy� R� Devarapalli� and S�M�Shatz� Using state space methods for dead�lock analysis in Ada tasking� In Proceed�ings of the �� International Symposiumon Software Testing and Analysis� pages ����� July ���� published in ACM SoftwareEngineering Notes� �����

GS��� D� Grunwald and H� Srinivasan� E�cientcomputation of precedence information inparallel programs� In Sixth Annual Work�shop on Languages and Compilers for Par�allel Computing� Portland� OR� aug ����

GW�� P� Godefroid and P� Wolper� Using partialorders for the e�cient veri�cation of dead�lock freedom and safety properties� In Pro�ceedings of the Third Workshop on Com�puter Aided Veri�cation� pages �����July ���

Hec��� M�S� Hecht� Flow Analysis of Com�puter Programs� The Computer Sci�ence Library Programming Language Series�North�Holland� ����

Hol��� G�J� Holzmann� An improved reachabilityanalysis technique� Software Practice andExperience� ���������� February ����

Kur��� R�P� Kurshan� Modeling concurrent pro�cesses� In Computers and Communications�volume � of Proceedings of Symposia in Ap�plied Mathematics� pages ����� ����

�

Mer��� N� Mercouro�� An algorithm for analyzingcommunicating processes� In Proceedings ofMathematical Foundation of ProgrammingSemantics ��� Pittsburgh� PA� March ����published in Lecture Notes in Computer Sci�ence � � Springer�Verlag�

MR��� T�J� Marlowe and B�G� Ryder� Propertiesof data �ow frameworks� Acta Informatica��������� ����

MR�� S�P� Masticola and B�G� Ryder� A modelof Ada programs for static deadlock detec�tion in polynomial time� In Proceedings ofthe ACM�ONR Workshop on Parallel andDistributed Debugging� pages ����� May��� published in ACM SIGPLAN Notices�������

MR��� S�P� Masticola and B�G� Ryder� Non�concurrency analysis� In Proceedings of the�th ACM SIGPLAN Symposium on Princi�ples and Practice of Parallel Programming�pages ������ May ���� published inACM SIGPLAN Notices� ������

MSS��� T� Murata� B� Schenker� and S�M� Shatz�Detection of Ada static deadlocks usingPetri net invariants� IEEE Transactionson Software Engineering� �����������March ����

OO��� K�M� Olender and L�J� Osterweil� Ce�cil� A sequencing constraint languagefor automatic static analysis generation�IEEE Transactions on Software Engineer�ing� ������������� March ����

OO��� K�M� Olender and L�J� Osterweil� Interpro�cedural static analysis of sequencing con�straints� ACM Transactions on SoftwareEngineering and Methodology� ��������January ����

Pnu��� A� Pnueli� Applications of temporal logic tothe speci�cation and veri�cation of reactivesystems� a survey of curent trends� In Cur�rent Trends in Concurrency� volume ���pages ������ ���� published in LectureNotes in Computer Science ���� Springer�Verlag�

SMBT��� S�M� Shatz� K� Mai� C� Black� and S� Tu�Design and implementation of a Petri netbased toolkit for Ada tasking analysis� IEEETransactions on Parallel and DistributedSystems� ������ October ����

Tay��� R�N� Taylor� Complexity of analyzing thesynchronization structure of concurrent pro�grams� Acta Informatica� ������� ����

Val��� A� Valmari� A stubborn attack on stateexplosion� In Computer Aided Veri�cation��� volume � of DIMACS Series in DiscreteMathematics and Theoretical Computer Sci�ence� pages ���� Providence� RI� ����American Mathematical Society�

YTL���� M� Young� R�N� Taylor� D�L� Levine�K� Forester� and D� Brodbeck� A concur�rency analysis tool suite� Rationale� design�and preliminary experience� SERC Tech�nical Report TR����P� Purdue University�October ����

YY�� W�J� Yeh and M� Young� Compositionalreachability analysis using process algebra�In Proceedings of the ACM SIGSOFT Sym�posium on Testing� Analysis and Veri�ca�tion� pages ����� Victoria� Canada� Octo�ber ��� ACM Press�

A Code for examples

The code for the version of the read�write control taskthat supports � active readers and where Done is aglobal variable is as follows�

task body Read Write Control is

ActiveReaders � Natural range �����

WriterPresent � BOOLEAN �� FALSE� �� EVENT �WP � F�

ErrorFlag � BOOLEAN �� FALSE�

begin

accept Start Write� �� EVENT �bW�

accept Stop Write� �� EVENT �eW�

loop

select when not WriterPresent ��

accept Start Read� �� EVENT �bR�

�� EVENT �not WP��ActiveReaders �� ActiveReaders���

or accept Stop Read� �� EVENT �eR�

if WriterPresent and ActiveReaders � � then

ErrorFlag �� TRUE�

end if�

ActiveReaders �� ActiveReaders���

or when ActiveReaders � � and not WriterPresent ��

accept Start Write� �� EVENT �bW�

�� EVENT �not WP��WriterPresent �� TRUE� �� EVENT �WP � T�

or accept Stop Write� �� EVENT �eW�

if WriterPresent and ActiveReaders � � then

ErrorFlag �� True�

end if�

WriterPresent �� FALSE� �� EVENT �WP � F�

end select�

�

if Done and not WriterPresent� and

ActiveReaders � �� then

�� EVENT �notWP��exit�

end if�

end loop�

end Read Write Control�

The code for the � client version of the protocol pro�gram where Done is a global variable is as follows�

task body LockManager is

begin

loop

exit when Done�

select

accept Acquire��

accept Release��

or

accept Acquire��

accept Release��

end select�

end loop�

end LockManager�

task body Channel is

begin

loop

exit when Done�

select

accept Headerh � in INTEGER��

or

accept Packetp � in INTEGER��

end select�

end loop�

end Channel�

task body Client� is

h� p � INTEGER �� ��

begin

loop

exit when Done�

LockManager�Acquire��

Channel�Headerh�� �� EVENT �h��Channel�Packetp�� �� EVENT �p��LockManager�Release��

end loop�

end Client��

task body Client� is

h� p � INTEGER �� ��

begin

loop

exit when Done�

LockManager�Acquire��

Channel�Headerh�� �� EVENT �h��Channel�Packetp�� �� EVENT �p��LockManager�Release��

end loop�

end Client��