Concurrent Software Fine-Coarse-Grained

Automatic Modeling Method for Algorithm

Error Detection

Tao Sun(&), Jing Zhang, and Wenjie Zhong

College of Computer Science, Inner Mongolia University,

Hohhot, Inner Mongolia, China
[email protected], [email protected],
[email protected]

Abstract. Concurrent software state space explodes, which makes algorithm

error detection difficult. This paper proposes a fine-coarse-grained automatic
modeling method. Based on the JAVA concurrent program, we generate the
HCPN (Hierarchical Coloured Petri Net) fine-coarse-grained model that in
accordance with the behavior of the source program automatically. The goal is
to detect the algorithm errors in the program through the model checking
technology. We complete the modeling of interactive, property-related and
specific structure statements through fine-grained method and complete the
modeling of other statements through coarse-grained method. Avoid the state
space explosion effectively under the premise of retaining the interaction
behavior and the property-related behavior execution path. This paper verifies
the effect of fine-coarse-grained automatic modeling method by comparing and
analyzing the experimental results.

Keywords: HCPN
Concurrent software
Coarse-grained modeling

Algorithm error detection

1 Introduction

Software defect detection is an indispensable part in software development. The con-

current behavior in concurrent software has led the execution of program become more
complicate, and increased the difficulty of algorithm error detection. Software model
checking [1] is a technology for detecting defects in a program. The main idea is to
convert the source program into a model, then search the counter-example that not
satisfied this property in the full state space of model. If a counter-example is found,
there is a defect in source program. Due to the model checking technology needs to be
performed in a finite state space, so the state space explosion problem has always been
an important part of the research in the field of model detection.
Currently, most software model checkers are implemented through the method of
Abstract-Verification-Abstract Refinement, such as SLAM [2], MAGIC [3], and
BLAST [4], etc. These tools are used to verify the safety properties of C/C++ program.
They convert the source program into a smaller abstract model by using the predicate
abstraction technique, and then search a counter-example by verify the abstract model.
© Springer Nature Switzerland AG 2020
S. Wen et al. (Eds.): ICA3PP 2019, LNCS 11945, pp. 615–623, 2020.
https://doi.org/10.1007/978-3-030-38961-1_52
616 T. Sun et al.

Abstract technique reduces the size of model and state space effectively, but the
abstract model lacks partial information relative to the source program, which may lead
to some invalid counterexamples. In this case, the abstract part of the model needs to be
refined to eliminate invalid counterexamples, and then verify the model whether sat-
isfies the properties again. The above three tools reduce the state space in different
degrees through abstraction technology, but the invalid counter-example caused by
abstraction still need to perform multiple abstraction and verification operations on the
program, which requires a lot of time and resources.
Literature [5] proposed the fine-grained automatic modeling method based on
HCPN (Hierarchical Coloured Petri Net). HCPN is a high-level Petri net. It realized
hierarchical model on the basis of CPN (Coloured Petri Net), which can describe the
complex systems with call relationships more efficiently. This method is different from
the above tools, it does not use the abstraction, and that is, the execution of each
statement in the program remains in the model. So the modeling and verification
process only needs to be done once and does not lead to invalid counter-examples.
However, this method lead to too many transitions in the model, and the state space is
too large that need to be simplified for carry out model checking.
Only the property-related parts in the HCPN model are concerned when performs
model checking. This paper proposes the fine-coarse-grained automatic modeling
method. Use the fine-grained modeling method retains the execution path of the
interactive statements and the property-related statements related to model checking;
use the coarse-grained modeling method reduces the generation of the information
about other unrelated statements. Thereby reducing the size of the model and state
space and ensuring that model checking results is not affected. Finally, the HCPN
model is verified to determine if there is a corresponding algorithm error in the pro-
gram. We divide the fine-coarse-grained automatic modeling method into two parts:
Source program labeling and storage and Construct model. They are detailed in
Sects. 2 and 3 respectively.

2 Source Program Labeling and Storage

The fine-coarse-grained modeling methods are based on HCPN, so the definitions of

CPN and HCPN are given here:
Definition
P 1. A non-hierarchical Coloured Petri Net is a nine-tuple CPN = (P, T, A,
, V, C, G, E, I) [6]. P
P: set of places; T: set of transitions; A: set of arcs; : set of colour sets; V: set of
variables; C: colour set function (assigns colour sets to places); G: guard function
(assigns guards to transitions); E: arc expression function (assigns arc expressions to
arcs); I: initialisation function (assigns initial markings to places).
Definition 2. A hierarchical Coloured Petri Net Module is a four-tuple HCPN = (CPN,
Tsub, Pport, PT) [7].P
CPN = (P, T, A, , V, C, G, E, I) is a non-hierarchical Coloured Petri Net.
 Concurrent Software Fine-Coarse-Grained Automatic Modeling Method 617

Tsub  T is a set of substitution transitions. Each substitution transition designates

a subpage that gives more precise and detailed description of the activity represented by
the substituted transition.
Ports are the interface at which the subpage is plugged into the upper level.
PT: Pport ! {IN, OUT, I/O} is a port type function that assigns a port type to each
port place. The surrounding places of a substitution transition are called socket places
represented by Psock (t).
The algorithm error in this paper means the property descriptions that can be
expressed by the ASK_CTL property formula. We assume that the program contains
the following statements: order statements (assignments, inputs, etc.), branch state-
ments, loop statements, object-oriented and multi-threading. Meanwhile, the JAVA
program has been passed the compiler, because compile-time errors are not included in
the algorithm errors defined in this article. We want to convert the source program to a
model that is as small as possible and does not affect model checking. Therefore, we
label the source program to find out the relevant statements that need to be retained, and
the remaining statements are coarse-grained modeling to reduce the useless informa-
tion. At the same time, it is necessary to ensure the logical relationship in the model as
same as the source program. So we use the class table and the statement binary tree to
store the logical relationship between the classes and the statements respectively. The
source program needs to be processed in the following three steps:
Label Program: In this article, we use the ASK_CTL formula to describe property,
ASK_CTL consist of the information of place or transition in HCPN model and the
temporal operators. In order to perform model checking successfully, the places and
transitions involved in ASK_CTL formula must exist in the model. These places and
transitions correspond to some statements (these statements are called property-related
statement, the rest of the statements are called property-unrelated statement) in the
program. We need to find these property-related statements in order to construct a small
model accurately without deleting the necessary places and transitions.
Construct Class Table: The information stored in the class table is divided into three
categories: member variable Var; member function Fun (function declaration) and
static variable Svar. Construct class tables have two advantages. Firstly, class table
record the corresponding model fragment after the conversion of functions or variables.
If the function or static variable is called multiple times, the model fragment generated
by the first time is recorded in the class table, and it can be read directly from the class
table without re-conversion when the next call. Secondly, class table can be used to
distinguish homonymous functions in different classes. Homonymous functions are
converted into different model fragments and recorded in different class tables. When
calling homonymous functions in different classes, reading the corresponding class
tables.
Construct Statement Binary Tree: In addition to using the class table to store the
member information of the class, we also use the statement binary tree to store the
statements in the function. Each function corresponds to a statement binary tree, and
the left and right children of the statement binary tree respectively representing the
nested relationship and the non-nested relationship between the statements, which can
618 T. Sun et al.

facilitate the conversion process. We need to set the Type and the conversion gran-
ularity of each node during construct the statement binary tree. Type is statement type,
for example, if, else, declarations, etc. Conversion granularity is divided into two
types: fine and coarse. The granularity setting principles are as follows:
(1) For property-related statement, it must be set to fine-grained.
(2) Nodes are set to fine-grained which corresponding the statements that include
inter-process interaction or object-oriented, such as shared variables, creating
objects, etc. Coarse-grained conversion converts multiple statements into a
complex arc expression, while HCPN only supports partial type statements, and
the rest of the statements need to be represented by model elements (fine-grained
conversion).
(3) Node n1 with coarse-grained, then the granularity of the node n2 in its left subtree
must be coarse-grained. If n2 is fine-grained, then the node n1 should be reset to
fine-grained.
(4) Node n1 with fine-grained and n1 corresponds to a branch statement, then the
node corresponding to a statement that matching this branch statement should be
set to fine-grained. The setting of rule (3), (4) is because the coarse-grained
modeling is converted in units of multiple lines of statement (code segments), that
is, all the statement in the code segment must be coarse-grained.

3 Construct Model

We consider the execution of the statement in program to be the ignition of the

transition in the model. That is to say, the value of the variable before/after the exe-
cution of a line of statement (or a statement segment) in the program corresponds to the
value of the variable before/after the ignition of a certain transition in the model, and
the statement (or a statement segment) can be converted into an model fragment (or an
arc expression of the arc that connecting the transition and place). The difference is
that, each variable is allocated a storage space in the program, but in HCPN model,
there is no memory for storing variables. So the value of a variable is stored by a token
in HCPN, and the circulation of token is treated as a transmission of a variable value.
The color set of the place is determined by the declared variable.
The construction process is: preorder traversal the statement binary tree and judge
the granularity of the node. If it is fine-grained, use the fine-grained modeling method,
the conversion unit is a single statement; if it is coarse-grained, the coarse-grained
modeling method is used, and the conversion unit is multiple statements (code seg-
ment). In general, there are four structures in the program: ① branch ② loop ③ order
(Ordinary) ④ order (Object-oriented). There are multiple types of statements in each
structure. Type ① ② ③ can use both coarse-grained and fine-grained modeling
methods, while type ④ can only use fine-grained modeling methods due to its par-
ticularity (Sect. 2).
Fine-Grained Conversion: Fine-grained modeling method have been described in
literature [5], and briefly introduced here. The conversion unit of fine-grained is a single
 Concurrent Software Fine-Coarse-Grained Automatic Modeling Method 619

statement; each statement is converted into different model fragments, and finally
connected according to the relationship between the statements to form a complete
structure. As shown in Fig. 1, (a) is a branch structure, output transitions (T1, …, Tn)
of place (P1) are used to represent N branches. For the loop structure, we can use the
ring structure in (b) to represent. The two output transitions T1, T3 after place P1
represent entering loop and exiting loop respectively. Other statements except branch
and loop statements are order statements. Such as multi-threading and function calls
statements, Fig. 1(c), (d) are the model fragments of them respectively.

Fig. 1. Model fragments

Coarse-Grained Conversion: Coarse-grained modeling converts in units of a code

segment. The code segment contains the combination of the above-mentioned struc-
tures (order (ordinary), branch and loop). When modeling, each structure is converted
into a function, the order in which the function is called is the order of execution in the
code segment. The result of the function call is consistent with the result of the code
segment execution. Finally, the code segment is converted into a function expression.
As shown in Fig. 1(e), Fun is the function expression, and the expression as an arc
expression for an arc connecting the transition T1 and the place P2 in the model. Since
the color set of the place must be indicated at each place, the color set of the place is
determined according to the arc expression of the arc that connected the place. If the arc
expression is a function, the color set at that place is the composition of the variable
returned by the function. If the arc expression only passes the variable, the color set of
the place is constructed by the variable in the arc expression.
To facilitate understanding, we present the definition of “NEXT” here. During
conversion, NEXT is used to construct the function. Whether the function will generate
the next calling function or generate a variable tuple that returns the current value is
determined by the NEXT of a statement:
Definition 3. NEXT: NEXT is used to describe the next step that needs to be per-
formed after a certain statement in the code segment is executed. It can be a tuple
consisting of multiple variables or a function. When it is a tuple, means that it needs to
return the current value of variables. When it is a function, means that the next step is to
executing the next structure.
620 T. Sun et al.

In coarse-grained conversion, multiple statements are converted into a complex arc

expression. The algorithm for building the complex arc expressions is given in Fig. 2.
In a statement binary tree, the left child of the node indicates nested, so we judges
whether the statement has a nested by judging whether the node has a left child or not.
If there is a nest, create a new function and call it. If there is no nested, research NEXT
as the next step of this statement. cfun represents the function currently being con-
verted, addExp adds the type and expression of the current statement to cfun, indicates
that the statement is recorded in the function being converted. Function order_con-
version (Fig. 2 right) is used to process order structure, use different conversion
methods depending on the type of statement. According to whether there are other
structures after an order structures, we divided into two types of the end flag of order
structures, indicating that the current function is processed. The algorithm handles the
two flags differently.

Fig. 2. Algorithm of arc expression construction

CPN Tools Standard Model File: The information such as place, transition and arc
generated during the conversion are recorded in the corresponding table. When con-
verted to an XML file, the information is read from the table and converted into
corresponding tags in the XML file. The XML file can be opened with the CPN Tools.
Model checker takes the HCPN model and the ASK_CTL formula as inputs. If the
output is true, the model satisfies the property, and the program does not have the
 Concurrent Software Fine-Coarse-Grained Automatic Modeling Method 621

algorithm error; If the output is false, the model does not satisfy the property, there is an
algorithm error in the program.

4 Application

In this section, we compare the fine-grained and the fine-coarse-grained modeling

method with an example of Producer & Consumer. The JAVA program is shown in
Fig. 3.

Fig. 3. Producer & Consumer

There are two threads (Producer, Consumer) in this program. The products pro-
duced are put into a buffer (variable count), and the Consumers take the products from
the buffer. The property to be verification is the number of products produced by
Producer is equal to the sum of the number of products consumed by Consumer and the
number of products remaining in the buffer (sum(Consumer) + count = sum(Pro-
ducer)). Firstly, we model the program using the fine-coarse-grained modeling method,
and we get a fine-coarse-grained model that including 32 places and 22 transitions. It
has 110444 states pace nodes. Then we using the fine-grained modeling method in
literature [5] to model the program, and obtain the fine-grained model that includes 40
places and 28 transitions. It has 154630 states pace nodes. The state space reduction
rate of fine-coarse-grained method is 28.58% compared with the fine-grained method.
Finally, we use CPN Tools own tool to verify the two models. The results are shown in
Fig. 4(a), (b) are the model checking result of fine-coarse-grained model and fine-
grained model respectively, and the results of are the same (both true), indicate that the
program satisfies the property.
622 T. Sun et al.

Fig. 4. Result of model checking.

5 Conclusion

Algorithm error detection of concurrent software is difficult. Convert the program to a

model and perform model checking in model can detect the algorithm error in program.
Base on the state space explosion problem in fine-grained modeling methods, this paper
proposes a fine-coarse-grained automatic modeling method for algorithm error detec-
tion. Reduce the scale of state space of the model without affecting the results of the
model test. The experiment shows that use fine-coarse-grained modeling method is
significantly reduced the size of model and state space than use fine-grained modeling
method, and improves the efficiency of model checking. We would like to research the
model checking method in the future. For example, generate state space on-the-fly and
search it by heuristic method, thereby improving the efficiency of model checking.

Acknowledgement. This work was supported by National Natural Science Foundation of China
under Grant No. 61562064 and No. 61661041.

References
1. Holzmann, G.J., Smith, M.H.: Software model checking. In: Wu, J., Chanson, S.T., Gao, Q.
(eds.) Formal Methods for Protocol Engineering and Distributed Systems. IAICT, vol. 28,
pp. 481–497. Springer, Boston, MA (1999). https://doi.org/10.1007/978-0-387-35578-8_28
2. Ball, T., Levin, V., Rajamani, S.K.: A decade of software model checking with SLAM.
Commun. ACM 54(7), 68–76 (2011)
3. Chaki, S., Clarke, E.M., Groce, A., Jha, S., Veith, H.: Modular verification of software
components in C. IEEE Trans. Softw. Eng. 30(6), 388–402 (2004)
4. Beyer, D., Henzinger, T.A., Jhala, R., Majumdar, R.: The software model checker BLAST:
applications to software engineering. Int. J. Softw. Tools Technol. Transf. 9(5), 505–525
(2007)
5. Sun, T., Liu, Y.Y.: A hierarchical CPN model automatically generating method aiming at
multithreading program algorithm error detection. In: 17th IEEE International Symposium
on Parallel and Distributed Processing with Applications. IEEE, Melbourne (2018)
6. Jensen, K., Kristensen, L.M.: Coloured Petri Nets: Modelling and Validation of Concurrent
Systems. Springer, Heidelberg (2009). https://doi.org/10.1007/b95112
 Concurrent Software Fine-Coarse-Grained Automatic Modeling Method 623

7. Jensen, K., Kristensen, L.M.: Formal definition of hierarchical coloured petri nets. In:
Jensen, K., Kristensen, L.M. (eds.) Coloured Petri Nets, pp. 127–149. Springer, Heidelberg
(2009). https://doi.org/10.1007/b95112_6
8. Huang, W., Hong, M., Yang, Q.H., et al.: C/C++ program memory leaked detection based
on bounded model checking. Appl. Res. Comput. 33(06), 1762–1766 (2016)
9. Wei, O., Shi, Y.F., Xu, B.F., Huang, Z.Q., Chen, Z.: Abstract modeling formalisms in
software model checking. J. Comp. Res. Dev. 52(7), 1580–1603 (2015)
10. Fehnker, A., Huuck, R.: Model checking driven static analysis for the real world: designing
and tuning large scale bug detection. Innov. Syst. Softw. Eng. 9(1), 45–56 (2013)
11. Wang, B., Wu, T.W., Hu, P.P.: Research on software defect classification and analysis.
Comput. Sci. 40(9), 16–20 (2013)