Debugging Concurrent Programs

CHARLES E. MCDOWELL and DAVID P. HELMBOLD

Board of Studies in Computer and Information Sciences, University of California at Santa Cruz, Santa Cruz,
California 95064

The main problems associated with debugging concurrent programs are increased
complexity, the “probe effect,” nonrepeatability, and the lack of a synchronized global
clock. The probe effect refers to the fact that any attempt to observe the behavior of a
distributed system may change the behavior of that system. For some parallel programs,
different executions with the same data will result in different results even without any
attempt to observe the behavior. Even when the behavior can be observed, in many
systems the lack of a synchronized global clock makes the results of the observation
difficult to interpret. This paper discusses these and other problems related to debugging
concurrent programs and presents a survey of current techniques used in debugging
concurrent programs. Systems using three general techniques are described: traditional or
breakpoint style debuggers, event monitoring systems, and static analysis systems. In
addition, techniques for limiting, organizing, and displaying a large amount of data
produced by the debugging systems are discussed.

Categories and Subject Descriptors: A.1 [General Literature]: Introductory and Survey;
D.1.3 [Programming Techniques]: Concurrent Programming; D.2.4 [Software
Engineering]: Program Verification-assertion checkers; D.2.5 [Software
Engineering]: Testing and Debugging-debugging aids; diagnostics; monitors; symbolic
execution; tracing
Additional Key Words and Phrases: Distributed computing, event history,
nondeterminism, parallel processing, probe-effect, program replay, program visualization,
static analysis

INTRODUCTION programs even harder than debugging se-

quential programs. In the remainder of this
The interest in parallel programming has
section we will justify this claim and outline
grown dramatically in recent years. New
the basic approaches currently used for de-
languages, such as Ada’ and Modula II,
bugging parallel programs. In Sections l-4
have built-in features for concurrency.
we discuss each of these approaches in de-
Older languages, such as C and FORTRAN,
tail. We conclude with Section 5 and an
have been extended in a variety of ways in
appendix with tables that summarize the
order to support parallel programming
features of 35 systems designed for debug-
[Gehani and Roome 1985; Karp 19871.
ging parallel programs.
The added complexity of expressing
concurrency has made debugging parallel
Difficulty Debugging Concurrent Programs

‘Ada is a registered trademark of the U.S. Govern- The classic approach to debugging sequen-
ment (Ada Joint Program Office). tial programs involves repeatedly stopping

This work was supported in part by IBM grants SL87033 and SL88096.
Permission to copy without fee all or part of this material is granted provided that the copies are not made or
distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its
date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To
copy otherwise, or to republish, requires a fee and/or specific permission.
0 1989 ACM 0360-0300/89/1200-0593 $01.50

ACM Computing Surveys, Vol. 21, No. 4, December 1989

594 l C. E. McDowell and D. P. Helmbold
the program during execution, examining
the state, and then either continuing or
reexecuting in order to stop at an earlier
point in the execution. This style of debug-
ging is called cyclical debugging. Unfortu-
nately, parallel programs do not always
have reproducible behavior. Even when
they are run with the same inputs, their
results can be radically different. These
differences are caused by races, which occur
whenever two activities are allowed to pro-
gress in parallel. For example, one process
may attempt to write a memory location
while a second process is reading from that
memory cell. The second process’s behavior
may differ radically, depending on whether
its reads the new or old value.
The cyclical debugging approach often
fails for parallel programs because the un-
desirable behavior may not appear when
the program is reexecuted. If the undesira-
ble behavior occurs with very low probabil-
ity, the programmer may never be able to
recreate the error situation. In fact, any
attempt to gain more information about the
program may contribute to the difficulty of
reproducing the erroneous behavior. This
has been referred to as the “Heisenberg
Uncertainty” principle applied to software
[LeDoux and Parker 19851 or the “Probe
Effect” [Gait 19851. For programs that con-
tain races, any additional print or debug-
ging statements may modify a crucial race,
lowering the probability that the interest-
ing behavior occurs. This interference can
be disastrous when attempting to diagnose
an error in a parallel program.
The nondeterminism arising from races
is particularly difficult to deal with because
the programmer often has little or no con-
trol over it. The resolution of a race may
depend on each CPU’s load, the amount of
network traffic, and nondeterminism in the
communication medium (e.g., exponential
backoff protocols [Tannenbaum 1981, pp.
292-2951). It is this nondeterministic
behavior that tends to make understand-
ing, writing, and debugging parallel pro-
grams more difficult than their sequential
counterparts.
An additional problem found in distrib-
uted systems is that the concept of “global
state” can be misleading or even non-
ACM Computing Surveys, Vol. 21, No. 4, December 1989
existent [Lamport 19781. Without a syn-
chronized global clock, it may be difficult
to determine the precise order of events
occurring in distinct, concurrently execut-
ing processors.
Basic Approaches
Some researchers distinguish between
monitoring and traditional debugging
[Joyce et al. 19871. Monitoring is the pro-
cess of gathering information about a pro-
gram’s execution. Debugging, as defined in
the current ANSI/IEEE standard glossary
of software engineering terms, is “the pro-
cess of locating, analyzing, and correcting
suspected faults,” where a fault is defined
to be an accidental condition that causes a
program to fail to perform its required func-
tion. Since monitoring is often an effective
procedure for locating incorrect behavior,
it should be considered a debugging tool.
For the purposes of this survey, tech-
niques for debugging concurrent systems
have been organized into four groups:
(1) Traditional debugging techniques can
be applied with some success to parallel
programs. These are discussed in Sec-
tion 1.
(2) Event-based debuggers view the exe-
cution of a parallel program as a se-
quence (or several parallel sequences)
of events. The generation and analysis
of these sequences or event histories is
the subject of Section 2.
(3) Techniques for displaying the flow of
control and distributed data associated
with parallel programs are presented in
Section 3.
Static analysis techniques based on
(4)
dataflow analysis of parallel programs
are presented in Section 4. These tech-
niques allow some program errors to
be detected without executing the
program.
This survey covers a large number of
research and commercial projects designed
to help produce error-free concurrent soft-
ware. It focuses primarily on systems that
are directed toward isolating program er-
rors. A large body of work in formal pro-
gram verification and in program testing
 Debugging Concurrent Program
has been explicitly excluded from this sur-
vey. Most of the systems surveyed fall into
one of two general categories, traditional
parallel debuggers (or what are sometimes
called “breakpoint” debuggers) and event-
based debuggers. Of course, some systems
contain aspects of both classes. All of the
systems (or in some cases proposed sys-
tems) in these two general categories are
listed in the tables in Appendix A.
In addition to traditional parallel debug-
gers and event-based debuggers, some static
analysis systems are included. The static
analysis systems surveyed fall somewhere
between debugging and testing. The static
analysis systems are distinguished from
testing by not requiring program execution
and by generally checking for structural
faults instead of functional faults. That is,
the analysis tools have no knowledge of the
intended function of the program and sim-
ply identify program structures that are
generally indicative of an error. These
systems do not appear in the comparison
table in Appendix A but are discussed in
Section 4.
Each of the three types of systems sur-
veyed takes a different approach to the
debugging problem. The traditional parallel
debuggers are the easiest to build and there-
fore provide an immediate partial solution.
They provide some control over program
execution and provide state examination.
They are also severely limited by the probe
effect.
Event-based debuggers provide better
abstraction than that provided by tradi-
tional style debuggers. They also address
the probe effect by permitting deterministic
replay of nondeterministic programs. If it
is not possible to record event histories
continuously, however, the probe effect will
still be a problem. Also, event-based debug-
gers are generally research prototypes, ap-
plicable only to systems without shared
memory. A notable exception is instant
replay [LeBlanc and Mellor-Crummey
19871, which supports event tracing and
replay on the shared memory BBN Butter-
fly provided OS protocol routines are used
for all shared memory accesses.
Static analysis tools avoid the probe ef-
fect entirely by not executing the programs.
595
They have the potential of identifying a
large class of program errors that are par-
ticularly difficult to find using current dy-
namic techniques. These techniques have
been applied mostly to parallel versions of
FORTRAN that do not support recursion.
As with the event-based debuggers, static
analysis systems are still in the prototype
stage. The primary problem with most
static analysis algorithms is that their
worst-case computational complexity is
often exponential.
All three types of debugging systems have
made some progress in presenting the com-
plex concurrent program state and the ac-
companying massive amounts of data to
the user. Multiple windows is a useful
mechanism for interfacing with traditional
style debuggers for parallel systems. The
abstraction capabilities of event-based de-
buggers (see Section 2) have been used to
present interesting and potentially useful
views of system states graphically [Hough
and Cuny 19871.
1. EXTENDING TRADITIONAL DEBUGGING
TO PARALLEL PROGRAMS
The simplest type of debugger to imple-
ment for parallel systems is (or behaves
like) a collection of sequential debuggers,
one per parallel process. To date, all com-
mercially available debuggers for parallel
programs fit this description. The primary
differences lie in how the output from the
several sequential debuggers is displayed
and how the separate sequential debuggers
are controlled. We will call these collections
of sequential debuggers traditional parallel
debuggers.
The probe effect, discussed in the Intro-
duction, has gone mostly unaddressed by
traditional parallel debuggers. This makes
traditional parallel debuggers ineffective
against timing dependent errors. The probe
effect, however, does not always rear its
ugly head, allowing many program errors
to be isolated using traditional cyclic de-
bugging techniques. This can be attributed
to two factors. First, those errors in parallel
programs that are not timing dependent
would never be masked by the probe effect.
Second, even for timing related errors, the
ACM Computing Surveys, Vol. 21, No. 4, December 1989
596 . C. E. McDowell and D. P. Helmbold
effect of the probe may not disturb the
outcome of the critical races.
Another criticism of traditional parallel
debuggers is that they operate at too low a
level. For programs consisting of many con-
currently executing processes, the major
difficulty may be in understanding what is
happening at the interprocess level. Tradi-
tional debugging techniques work well for
viewing the behavior at the instruction
level or at the procedure level. In Section
2.4 some recent developments for viewing
program behavior at a more abstract level
are presented.
1.1 Coordinating Several Sequential
Debuggers
In addition to the sequential capabilities of
standard sequential debuggers, traditional
parallel debuggers should be able to do the
following:
1. direct any sequential debugger com-
mand to a specific task,
2. direct any sequential debugger com-
mand to an arbitrary set of tasks,
3. differentiate the terminal output from
the different tasks.
The most primitive debugger for parallel
programs would be nothing more than a
sequential debugger capable of attaching to
any single process in a parallel program.
All that would then be necessary is to pro-
vide the user with multiple real or virtual
terminals from which to execute the mul-
tiple copies of the debugger. Today’s mul-
tiple window workstations make this more
practical than it might have been a few
years ago. With a window manager [Schei-
fler and Gettys 1986; Sun Microsystems
19861 points 1 and 3 could be satisfied by
selecting the desired window. Satisfying
point 2 could be achieved simply by repeat-
ing the desired command in each of the
desired windows. This approach, however,
would become fairly unwieldy for more
than a few processes. Furthermore, the time
lapse between sending the command to the
first and last processes in the set could
aggravate the probe effect. This is particu-
larly true for commands such as “stop” and
“continue.”
ACM Computing Surveys, Vol. 21, No. 4, December 1989
The Sun Microsystems’ dbxtool is an ex-
ample of applying a set of sequential de-
buggers to concurrent programs without
any explicit coordination. It is capable of
attaching to an existing UNIX’ process,
making it possible to debug a system of
communicating UNIX processes by attach-
ing a separate copy of dbxtool to each pro-
cess. (The UNIX process may not contain
process creation calls such as “fork,” and
the executable image being debugged can-
not be shared.)
An alternative to relying on a window
manager to direct commands to the proper
sequential debugger is to control all of the
debuggers from a single terminal or window
[Sequent Corp. 19861. Commands are then
directed at a specific process using a com-
mand parameter or by defaulting to a
specific “current” process. For example,
“continue Pl” would continue process Pl,
and “continue” without a parameter would
continue the “current” process. The “cur-
rent” process can be changed at any time.
The use of a single control window also
permits the commands to be sent to all
processes. For example, “continue all”
would continue all currently suspended
processes. In general, all processes will not
receive the command at the same instant.
The commands will, however, arrive at
times that differ by an amount approxi-
mating the communication delay in the
system. If all processes could be instanta-
neously stopped (and started) then, in the
absence of timeouts, “stop all” breakpoints
would not cause any probe effect. This is,
of course, impossible, but anything that can
be done to minimize the time difference
for receipt of stop signals should reduce
the probe effect. In addition to reducing
the probe effect, broadcasting a single
command to a set of processes is a useful
feature.
The “current” task notion is generalized
in Griffin [1987] and Intel Corp. [1987] to
a current set of processes that all receive
any process-related commands. In Griffin
[ 19871, processes can be added to or re-
moved from the set simply by pointing to a
symbol for the process in a special window.
* UNIX is a trademark of AT&T Bell Laboratories.
 Debugging Concurrent Programs
This could be generalized to permit arbi-
trary groupings of processes. For instance,
it might be desirable to alternate com-
mands between two disjoint sets of pro-
cesses. With only a single “current” set and
no overlap between the desired sets, this
would require as many commands from the
user as would be required with no support
for process grouping. It would, however,
still reduce the probe effect. It appears that
the macro capability of Intel Corp. [1987]
combined with their “context” command
for specifying the current set of pro-
cesses would support this toggling back and
forth between disjoint sets of processes.
1.2 Breakpoints
The ability to set breakpoints is possibly
the most important feature of a sequential
debugger. (Since tracing is equivalent to
setting a breakpoint that, when encoun-
tered, prints some information and auto-
matically continues, the discussion in this
section will refer only to breakpoints.) Tra-
ditional parallel debuggers generally sup-
port the same types of breakpoints as those
found in sequential debuggers. These
breakpoints include stop at a source state-
ment, stop on the occurrence of an excep-
tion or some user detectable event, stop
when a specific variable is accessed, and
stop when some conditional expression is
satisfied [Seidner and Tindall 19831. Un-
like sequential debuggers, there are two
possible actions to take when a breakpoint
is encountered. Either all of the processes
in the parallel program can be stopped im-
mediately or only the process encountering
the breakpoint can be stopped. The former
can be difficult to achieve within a suffi-
ciently small interval of time, and the latter
can have a serious impact on systems that
contain such things as timeouts. Assuming
message passing is the communication
mechanism, an algorithm to stop all pro-
cesses in a consistent state is presented in
Miller and Choi [1988a].
Using breakpoints to debug systems with
explicit time-dependent operations (such as
timeouts) can be especially difficult. Some
systems have attempted to deal with such
explicit race conditions by supporting a
l 597
notion of logical time that stops when any
process reaches a breakpoint [Cooper 1987;
DiMaio et al. 19851. In systems that sus-
pend only the selected process, other pro-
cesses will continue to execute until they
encounter some explicitly time-dependent
operation. In that case, the logical clock is
the one used for time in the time-dependent
operation. For example, if a breakpoint is
encountered, no timeouts will expire until
the suspended process is continued. In sys-
tems that stop all processes upon encoun-
tering a breakpoint, logical time is stopped
so that all of the suspended processes can
be continued with minimal impact. This
will certainly not eliminate the probe effect,
but it can permit some traditional style
debugging in the presence of such explicitly
time-dependent operations.
The domain of expressions or predicates
used to describe a breakpoint is larger for
parallel programs than for sequential pro-
grams. These predicate expressions may
involve both process state and events. An
event can be loosely defined as any atomic
action visible beyond the scope of a single
process.
Predicates involving global state in an
executing parallel program can be a prob-
lem. This results from the lack of global
clock in most systems. For example, an
expression such as “process A never modi-
fies variable X while process B is modifying
variable X” may appear to be true due to
the delay in communicating this informa-
tion to the debugger, when in fact concur-
rent modification has occurred. The use of
events and some notion of consistent global
time can be used to address this (see Sec-
tion 2). Possibly more important is that it
may not be possible to stop the desired
processes after detecting that the predicate
is satisfied yet before the state has changed.
The distinction between events and
global states is admittedly vague in general
but is usually well defined for any particular
system. For example, an event-based pred-
icate might be “process A sends a message,”
and a global state-based predicate might be
“the message buffer contains a message
from process A.” This could even be repre-
sented as a collection of program counter-
based breakpoints, one immediately follow-
ing each send statement in process A. In
ACM Computing Surveys, Vol. 21, No. 4, December 1989
 598 l C. E. McDowell and D. P. Helmbold
systems that deal with event-based predi-
cates, there must be some language for de-
scribing events. The language may be as
simple as naming one of a finite set of
events such as “taskstart” or “sendmes-
sage”; or it may support relatively powerful
abstractions such as those described in Sec-
tion 2. Table A.4 summarizes the break-
point capabilities of the systems surveyed.
1.3 OS Support for Parallel Debuggers
Parallel debuggers that support global
state-based breakpoints and event-based
breakpoints place greater demands on the
operating system than sequential debug-
gers. This is just one more step in the
evolution of debuggers. Early debuggers
only needed the ability to examine core
memory and the saved values of CPU reg-
isters after the program terminated. Next
was added the ability to set breakpoints.
The operating system provided a means of
modifying the executable image and of
passing control to the debugger when the
breakpoint instruction was encountered.
Most operating systems also pass control
to the debugger for most program excep-
tions. Some hardware architectures now
also include a special trace mode to facili-
tate single stepping. The final feature that
is provided is a mechanism for passing con-
trol to the debugger when a specific memory
location is accessed. To summarize, a state-
of-the-art sequential debugger may need
the following capabilities to be provided by
the operating system or hardware:
l the ability to read or write a register or
memory location,
l the ability to set and trap breakpoints,
l the ability to trap program exceptions,
l the ability to single step a program,
l the ability to trap memory accesses.
Traditional parallel debuggers that go
beyond being simply a collection of sequen-
tial debuggers acting together may require
more of the underlying operating system.
Debuggers that fit the traditional cyclic
debugging paradigm, using breakpoints and
tracing, require one or more of the following
ACM Computing Surveys, Vol. 21, No. 4, December 1989
facilities:
l the ability to trap on any interprocess
communication (IPC),
l the ability to modify/insert/delete IPC
messages,
l the ability to control the clock used for
timeouts.
Several approaches have been taken to
provide these capabilities. Some debugging
systems modify the program source in order
to provide the necessary hooks for the de-
bugger at run time. This avoids the need
for modifying the operating system at the
expense of slower performance and re-
stricted capability. A second approach is to
provide an alternative set of system rou-
tines. This permits the debugger to inter-
vene in any interaction between the user
and system. The final approach is actually
to modify the operating system to provide
the necessary hooks. At some point it may
become cost effective to implement more of
the debugging hooks directly in the ma-
chine architecture. The interface entry in
Table A.2 summarizes where the hooks
were placed for the systems surveyed.
2. EVENT HISTORIES
Since the various debuggers surveyed were
designed for different environments, it is
only natural that they do not agree on the
definition of “event.” For example, in the
DISDEB system events are memory ac-
cesses, in Radar each message send or re-
ceive is an event, in Instant Replay an
event is the access of an object, and in
YODA events represent Ada tasking activ-
ity. In some systems, such as TSL and
EDL, events can be defined by the pro-
grammer. In systems with explicit inter-
process communication, events can be
divided into two classes: those representing
inter-process communication activity and
those representing activity internal to a
single process. This distinction does not
seem to hold for shared memory systems,
since each memory access is a potential
interprocess communication.
Some systems merely display the events
as they occur (see Appendix A). A more
 Debugging Concurrent Programs 599

powerful approach is to record an event any single process. This permits the
history containing all of the events gener- use of a sequential debugger on a pro-
ated by the program. The history can then cess without reexecuting the entire
be examined by the user after the program program.
has completed. Since the event history is
often very large, some debuggers provide Browsing requires only minimal infor-
facilities to browse or query the history. mation about each event. Simply recording
Event histories can also be used to guide the kinds of events executed by a process
the program’s execution, allowing the re- can help isolate an error. Of course, if more
production of erroneous computations. If information is recorded, then more infor-
the history is complete enough, a single mation will be available to the programmer.
process can be debugged in isolation with One problem with browsing event histo-
the history providing the needed commu- ries is that the histories frequently contain
nication. Finally, some systems can auto- enormous numbers of events, making it
matically check the history for suspicious difficult to locate the events of interest.
behavior or transform the lower level his- Some systems allow selective recording of
tory of events into more meaningful high- information, and others include powerful
level events. mechanisms for examining the event his-
tory (see Section 2.2).
2.1 Recording Event Histories To replay an execution requires enough
information so that the next event in which
A common approach is for the debugger to
do as little as possible, mainly recording each process participates can be deter-
mined. LeBlanc and Mellor-Crummey
information, at run time. By limiting the
debugger’s activity, the probe effect should [1987] describe a method that reduces the
be reduced. The recorded information can amount of information needed for replay
then be analyzed following the program’s compared with previous methods that re-
execution. corded the complete contents of all mes-
sages. Their ideas work because the
program generates the contents of the mes-
2.1.1 Which Information to Record
sages during the reexecution.
The amount of information that must be Simulating the rest of the program so
recorded for each event depends upon how that a single process can be debugged in
the event history is going to be used. Three isolation requires that all events visible to
general levels of use that require increasing the process be recorded. This includes both
amounts of detail to be recorded for each the contents of messages and the values
event are the following: written to shared memory. Note that reex-
ecuting a single process requires more in-
(1) Browsing-The event history is exam- formation than reexecuting the entire
ined possibly through the use of spe- system.
cialized tools. Examination methods If the interesting portion of the execution
range from text editors to “movies” can be identified, then the amount of infor-
showing the state changes caused by mation required for replay can be consid-
events [Hough and Cuny 1987; erably reduced. Instead of recording the
Le Blanc and Robbins 19851. entire history, the debugger can take a
(2) Replay-The debugger uses the event snapshot of the program’s state and keep
history to control a reexecution of the only that part of the history that follows
program. This permits the use of con- the snapshot. It may, however, be difficult
ventional debugging techniques, such to obtain accurate snapshots in distributed
as breakpoints, state examination, and systems efficiently (see Chandy and
single stepping, without changing the Lamport [1985] for one method). This tech-
behavior of the program. nique may work best for simulating a single
(3) Simulation-The event history can be process, since only that process’s state
used to simulate the environment of needs to be recorded.

ACM Computing Surveys, Vol. 21, No. 4, December 1989

600 . C. E. McDowell and D. P. Helmbold
2.1.2 How the History Gets Recorded
In addition to the amount of information
recorded in an event history, some atten-
tion must be given to how the recording is
done and the resulting impact on perfor-
mance and the probe effect. In the systems
surveyed, the methods used to generate the
event history varied from inserting appro-
priate statements in the original source
program to monitoring the buses passively.
An intermediate method of recording event
histories is to provide modified system rou-
tines. These modified routines record the
history in addition to performing their nor-
mal system functions. In some cases such
as LeBlanc and Mellor-Crummey [1987] it
is the user’s responsibility to insert system
calls that record the event information. In
others it is only necessary to link the pro-
gram using special monitoring versions (see
the interface entry in Table A.2).
With the exception of the bus monitor-
ing, all other recording methods resulted in
possible changes in timing and hence are
potentially susceptible to the probe effect.
In some papers (see the probe effect in
Table A-2) it was argued that the perfor-
mance impact of monitoring was suffi-
ciently small to justify leaving the recording
permanently enabled. In other papers it
was argued that the perturbations caused
by the monitoring software were suffi-
ciently small to avoid the probe effect in
most cases.
2.1.3 Linear Versus Partially Ordered Event
Histories
An issue that arises in distributed systems
is whether the event history should be par-
tially or linearly (i.e., totally) ordered. On
the one hand, a linearly ordered history is
simpler to understand and can be easier to
work with. On the other hand, a linear
stream is often misleading since it implies
an ordering between every pair of events-
even when the events are completely unre-
lated. A partial ordering on the events is
necessary to reflect the behavior of a dis-
tributed system accurately.
One way to represent the partial order
(used by Instant Replay [LeBlanc and
Mellor-Crummey 19871) is to record a sep-
ACM Computing Surveys, Vol. 21, No. 4, December 1989
arate history tape for each process. Al-
though each history tape is a linear stream,
together they (with the program) represent
the partial ordering of the events in
the computation. The Traveler debugger
[Manning 19871 for Acore (a LISP-like lan-
guage) keeps a history tape (“lifeline” in
their terminology) for each object in the
program. In addition, the Traveler system
records the partial order by explicitly link-
ing each action to the child actions it causes
(or parent action it allows to continue).
A general technique for obtaining the
partial order involves associating each
event with a vector of “logical timestamps”
[Fidge 1988; Haban and Weisel19881. The
order (or absence thereof) between two
events can be easily determined by com-
paring the vectors of timestamps associated
with the events.
2.2 Browsing Event Histories
Many systems recognize the need for facil-
ities that help interpret massive event his-
tories. Graphical techniques such as time-
process diagrams and animation are dis-
cussed in Section 3. A simple feature found
in many systems is filtering, whereby the
events that the programmer feels are un-
important are automatically discarded,
usually based on process or kind of event
(see Table A.@. Two systems go further,
storing the event history in a database for
easy examination.
The YODA system for Ada tasking pro-
grams [LeDoux and Parker 19851 stores the
event history as Prolog facts. Prolog pred-
icates define the common temporal rela-
tionships such as during, before, and after.
The user is able to define and store addi-
tional predicates (either temporal or non-
temporal). Existential queries, such as
“which tasks updated variable X before
task T,” are used to retrieve information
from the history. Note that the YODA
system stores when (using a global event
counter) and to what values variables are
updated, as well as the explicit intertask
communications.
In [Snodgrass 19841, the events are
captured in a relational database. In addi-
tion to the event relations, the database
 Debugging Concurrent Programs
contains interval relations indicating be-
havior with duration. Time is kept in mi-
croseconds, presumably using a global
clock. TQuel, a version of Quel augmented
with temporal constructs, is used to build
new relations from those in the event his-
tory. The user queries the history by build-
ing and printing the appropriate relation.
2.3 Replaying Event Histories
Several of the debugging systems allow a
program to be reexecuted under the control
of an event history (see Table A.5). We call
this capability replay. If the history cor-
rectly reflects the interprocess communi-
cation of the original execution, then the
replay produces the same results. Although
replay helps solve the reproducibility prob-
lems, it is useful only if additional infor-
mation is gained.
One way to gain information is to replay
the program in “debug mode,” with a tra-
ditional sequential debugger attached to
each process. This allows the internal state
of the processes to be examined, giving the
programmer significantly more informa-
tion than a stream of IPC events. Some
systems allow a single suspect process to be
replayed in isolation, with the remainder of
the program simulated by the event history.
This approach reduces the parallel debug-
ging problem to that of debugging a single
sequential process, once the faulty process
is identified.
Another way of gaining information is to
execute a modified program under the con-
trol of an event history. The event history
can control the new program as long as
its behavior is compatible with the old
[Curtis and Wittie 1982; LeBlanc and
Mellor-Crummey 19871. This facility al-
lows the programmer to add additional
debugging statements or experiment with
modified algorithms. Another advantage of
this feature is that corrected programs can
be tested against the same input and his-
tory that caused the previous version to
fail.
The added synchronization involved dur-
ing replay can dramatically slow down a
parallel program. The Instant Replay sys-
tem [LeBlanc and Mellor-Crummey 19871
reported some of the best results in this
l 601
regard. On one example (gaussian elimina-
tion of a 400 X 400 matrix on up to 64
processors) they report that (with tuned
monitoring) the overhead involved in col-
lecting the event history amounts to less
than 1 percent. Furthermore, there was no
additional decrease in performance when
the execution was replayed.
Replaying real-time systems has several
additional problems. The external I/O and
interrupts must be recorded in addition to
the communications between the processes.
Since real-time systems generally have a
strong time dependency, it may be impor-
tant to simulate time during the replay. If
behavior due to the absence of communi-
cation, such as timeouts, takes place, then
faithfully reproducing such behavior re-
quires that additional events appear in the
history.
2.4 Checking and Transforming
the Event History
Several debugging systems compare the
event history generated by the program
with a set of predicates. These systems are
more than browsers since the analysis is
done at run time. In addition, the violation
of a predicate can trigger additional debug-
ging action. Because the analysis is done at
run time, all of the predicates to be tested
must be written before the program starts
executing. This disadvantage can be re-
duced if the event history is recorded so
that the execution can be replayed.
The DISDEB system [Lazzerini and
Prete 19861relies on programmable debug-
ging aids that eavesdrop on bus traffic,
avoiding the probe effect. Although this
system contains several interesting fea-
tures, it has a very low-level interface. An
event definition is of the form “process P
with certain permissions accessesmemory
location X reading/writing value V.” The
memory location is mandatory, and the
value may be a range. If part of the event
definition is omitted, then that part is
treated as “don’t care.” DISDEB allows
state to be stored in two ways. First,
counters and timers can be defined and
used; second, event definitions can be en-
abled and disabled. Once a suitable set of
events has been defined, it can be used to
ACM Computing Surveys, Vol. 21, No. 4, December 1989
602 l C. E. McDowell and D. P. Helmbold
trigger debugging actions; for example,
“when El occurs, display counter C and
stop process N.” Other potential actions
include starting and stopping traces
of memory locations and manipulating
timers.
A similar approach is taken by the
HARD system for Ada tasking programs
[Di Maio et al. 19851. There the predicates
and debugging actions are encoded in spe-
cial Ada tasks called D tasks. Manually
inserted calls to the D tasks enable them
to obtain information about the program’s
execution. Based on this information, they
can call routines that display or modify the
program state. All of the Ada facilities can
be used inside of a D task, so the program-
mer can use a familiar high-level language
to control the debugging process.
Rather than using the stream of events
to control debugging activity, the following
systems automatically check specifications
for the program. Although this requires
that the programmer learn an additional
language, it can complement a formal spec-
ification/verification approach to program
development. Most of these systems have
their own way of specifying complex event
formulas, usually based on the sequential
and parallel composition of events.
The IDD system [Harter et al. 19851 uses
an interval logic specification of the pro-
gram. This specification is checked against
the program’s behavior. When a specifica-
tion is violated, the program is stopped for
inspection. Temporal logic views the com-
putation as a sequence of states. The main
operators are “always” and “eventually,”
meaning that the following predicate on the
state is either always true or eventually
becomes true. Interval logic adds expressi-
bility by restricting the temporal operators
to portions of the computation.
The ECSP debugger [Baiardi et al. 19861
can check behavior specifications that
completely describe the allowable commu-
nication behavior of the processes. The
specifications can refer to various commu-
nication activity and can contain assertions
on the process’s state. One of the constructs
in their language causes control to be re-
turned to the user (presumably so that the
process can be examined). The ordering of
events and checking of specifications in
ACM Computing Surveys, Vol. 21, No. 4, December 1989
this system is simplified by the restriction
that each specification can only refer to
events from a single process.
The TSL system [Helmbold and Luck-
ham 1985a] automatically checks specifi-
cations against the events generated by an
Ada tasking program. Each TSL specifica-
tion is of the form “when this occurs then
that occurs before something else,” where
each of the three parts is an event formula.
TSL contains placeholders allowing a sin-
gle specification to constrain multiple
tasks. Additional abstraction is gained by
using macros for event subformulas. An
important contribution of the TSL system
is its use of Ada semantics to guarantee
that, even in distributed systems, certain
pairs of events appear in the history in the
correct order.
The Event Description Language (EDL)
takes a slightly different approach [Bates
and Wileden 19831. Instead of checking
specifications against the event history, it
provides a method for defining multiple
levels of abstract events from the primitive
events generated by the program. Each
high-level event is defined by an event for-
mula over lower level events. There is one
clause that constrains the values associated
with the lower level events and another that
determines the values associated with the
higher level event. The Belvedere system
uses EDL to help control its display (see
Section 3.3).
All of these specification methods have
simplifying restrictions. In EDL, an accu-
rate global clock is assumed, the event
recognizer is a potential bottleneck, and
some ambiguity arises when a low-level
event can be used in multiple higher level
events (see, however, Bates [1988]). The
TSL specification checker requires a lin-
early ordered stream of events and is also
a bottleneck in the current application. In
the IDD system, events are restricted to
broadcasts on a shared medium (such as an
Ethernet). A tree structure method for eval-
uating the IDD interval logic expressions is
briefly described. The ECSP assertion
checker is for a hierarchical fork-join
method of parallelism. Its main disadvan-
tages are that each specification deals only
with the activity of one process and all
processes must be completely specified.

3. GRAPHICS
Sequential programs lend themselves rea-
sonably well to being debugged with a single
sequential output device. There is only one
thread of execution that can accurately be
displayed as sequential text. Also, the data
are logically stored in one place and can be
displayed when desired. Parallel programs
are different in these two areas. In parallel
programs, there are multiple threads of
control and the data may be logically as
well as physically distributed. An impor-
tant goal of research into parallel debugging
systems is to find ways of presenting the
distributed data and control of parallel pro-
grams to users in a manner that aids in
comprehension.
Four basic techniques for displaying de-
bugging information are as follows:
(1) Textual presentation of the data, which
may involve color, highlighting, or a
display of control flow information.
Time may not progress monotonically
from the top of the screen to the
bottom.
(2) Time-process diagrams that present the
execution of the program in a two-
dimensional display with time on one
axis and individual processes on the
other axis. The points in the display
are labeled to indicate the activity of
the specified process at the specified
time.
(3) Animation of the program execution,
whereby both dimensions of the display
are spatial dimensions. The display
corresponds to a single instant in time,
or snapshot of the program state. These
snapshots can be displayed one after
another, animating the program’s exe-
cution. The actual format of a single
frame can take many forms as dis-
cussed below.
(4) Multiple windows, whose use permits
several simultaneous views of the pro-
gram being debugged. This frequently
involves using one window per process.
Each of these approaches will be discussed
below with examples taken from the sur-
veyed papers.
Debugging Concurrent Programs 603
proc Simple = reply(request(A) + request(B)
+ request(C));
proc A = reply(request(X) + request(Y));
proc B = reply(b);
proc C = reply(c);
proc X = reply(r);
proc Y = reply(y);
Figure 1. A stylized transaction program.
3.1 Text Windows
A simple text presentation of the debugging
information is the most common type of
display. All of the systems make use of
some simple text displays. For a traditional
parallel debugger, this may be the only type
of data display (see Section 1.1). In an
event-based system, a sequential display of
the events as seen by a particular process
can be useful. The Traveler [Manning
19871, which is an object-based system, can
display a “lifeline” that is a sequential list
of processes in the order that they accessed
a particular shared object.
It is not always necessary for time to
progress monotonically from the top of a
sequential text display to the bottom. In
Traveler events are displayed in their
causal order instead of in their temporal
order. Traveler is used to debug message
passing programs. In their model, all mes-
sages come in pairs, with a request and a
reply. All requests block until a reply is
received, and the programming model is
such that making one request may result in
many more nested requests before a reply
is sent. Also, one process may send several
requests concurrently. The Traveler dis-
play presents these nested request-reply
pairs, which they call transactions, in such
a way as to emphasize the nested structure.
Requests sent concurrently will be dis-
played paired with their responses and
nested within the send-receive pair that
caused them to occur. Figure 1 gives a styl-
ized example program using requests and
replies. “Request(A)” sends a message to
request a response from process A. “Re-
ply(x)” sends the reply “x”. Figure 2 gives
a possible sequential ordering of the events
for a partial execution of the request “re-
quest(Simple)“. Figure 3 gives the nested
transaction display for the same partial
execution.
ACM Computing Surveys, Vol. 21, No. 4, December 1989
604 . C. E. McDowell and D. P. Helmbold
request(Simple)
request(A )
reauest(B)
re&estiXj
Figure 2. A sequential display. request(C)
request(Y)
reply(y) Figure 4. A simple time-process diagram.
reply(c)

In Griffin [ 19871 time-process diagrams

request(Simple)
are used without enhancement to display
request(A)
request(X) the activity of this shared memory-based
[no response] system. It has the advantage that it can be
request(Y) presented on a simple text screen (see Fig-
Figure 3. A nested display. reply(y) ure 5). This system is actually a uniproces-
[no response]
Iequest(B) sor simulation of a multiprocessor, and this
[no response] is evident in the display. The unit of time
request(C) is the occurrence of an event. A single char-
reply(c) acter is used to represent each of the pos-
[no response]
sible events in which a process may engage.
Because this is a uniprocessor, each column
will have one event character and all other
For large programs, all transactions and active processors will have a “.” in that
their subtransactions might not fit on the column. The last character other than “.”
display simultaneously. To handle this, the in a row corresponds to the last event in
user may selectively open and close trans- which the process engaged. This can be
actions. When a transaction is closed, all thought of as the process’s current state.
of its subtransactions are hidden. For The display can be scrolled forward or
example, in Figure 3, if the transaction backward in time. The last non “.” in each
for “request(A)” were closed, then “re- row that was scrolled off to the left is
quest(X)“, “request(Y)“, and their corre- maintained in the leftmost column. The
sponding response lines would not be display contains additional text that pro-
shown. As the computation advances, vides additional information about the
the various “ [no response] ” entries will current (rightmost column) state. This in-
be filled in. cludes such things as which signal a process
is waiting for and which signals have been
3.2 Time-Process Diagrams posted. (To avoid confusion with our
broader use of the word event, we use signal
A time-process diagram is a two-dimen- here where the mtdbx system [Griffin
sional representation of the state of a par- 19871 uses event.)
allel system over time. One axis represents In [Harter et al. 19851 the message-pass-
time, and the other axis represents the ing system, Idd, there is heavier use of
processes. Each point in the display gives graphics. Instead of placing one character
some information regarding the state of the at each point in the display, two points
corresponding process at the corresponding in the display are connected by a line to
time. For example, a simple time-process indicate the transmission and receipt of
diagram for a hypothetical system is shown a message (see Figure 6). To aid in compre-
in Figure 4. Each row describes the events hension of a potentially very cluttered dis-
in which a process engages, and each col- play, the user can magnijl or scroll to see
umn describes the state of the system at a only a selected portion of the display. The
particular instant in time. At time 1, pro- display option allows the user to rearrange
cess 1 engages in event A; at time 2, process the rows so that related processes can be
2 engages in event B and process 3 engages placed close together. The user may also
in event C; and so on. select various filters to be used in displaying

ACM Computing Surveys, Vol. 21, No. 4, December 1989

 Debugging Concurrent Programs l 605

1 STRRT] 1 STOP 11 CONT 11 QUIT 1 Display Rate Chm~l: tOI O-10

MRIN -...............................
TRSK 1 i? : : : . SC- . . . . I...(-)(-..I.( . . . .
TRSK2 . R. . . : : : : : : . SP. UJ.. . . . . . . . . . . . . . . . .
TRSK3 . . R.. SI . . . I. : : . . 1 -I(. . . . . -1. (. -I(-
TRSK4.. . R.. -SPUl.. . . . . . ::. . . . . . . . . . . . . . . . .

TASK ID STATUS TASK IO STATUS LOCK STRTUS OWNER

0 MAIN running 3 3 running 1 off
1 lockwait on 2 4 4 eventwait on 4 2 on 3
t 2 eventwait on 3

Figure 5. The mtdbx time-process diagram.

Display Filter

w Time in MS (Freers) Time in MS

< <oo

Figure 6. The Idd time-process diagram. Used with permission [Harter 198510 1985 IEEE.

subsets of the messages that fall within the message. Figure 7 shows process histories
time-process space currently being dis- for three processes and the corresponding
played. Similar displays are included in concurrency map. The horizontal lines
PPUTT [Fowler et al. 19881 in which the (partially obscured by the boxes) corre-
emphasis is on the programmer noticing spond to logical time divisions. An event
irregularities in the patterns of communi- may have occurred during any time division
cation. touched by the box containing the event.
For many of the variations on time- Time-process displays appear to have a
process diagrams a global clock is required. definite place in viewing the activity of
At least one system [Stone 19881, however, parallel systems. They do have their limi-
uses a type of time-process display without tations. As the number of processes be-
needing a global clock. This display is called comes large, the display may become too
a concurrency map. Instead of displaying cluttered with information to be useful.
exactly when events occurred based on a This can be addressed to a degree with
global clock, events are arranged to show filtering and such features as the display
only the order in which they occurred. This and magnify options described above for
order is derived from the time dependencies Idd. In the next section, we present an
in the program. For example, the receipt of alternative display that gives a much dif-
a message must follow the sending of a ferent view of the system.

ACM Computing Surveys, Vol. 21, No. 4, December 1989

 PROCESSA PROCEiS B PROCEiS C
I II: Compute Cl: Compute

Compute Compute Computo “I

Send Ml Rocelve Ml Receive Mz
Compute Compute Compute
Send I42 Send MI Receive MI
COJllpUtO Computa Compute
Send I43 Roaivo M3 Send M!5
Compute Computa Compute
Recoivo H5 ... ...

...
Compute

I
Process Histories

/ /+fc;I: Compute t

Figure 7. Process histories and a concurrency map.

 Debugging Concurrent Programs
3.3 Animation
An alternative to time-process displays is
to place each process (or selected portions
of distributed data) at a different point in
a two-dimensional display and have the
entire display represent the system at a
single instant in time. As time advances,
the display changes and these changes can
be played in sequence to give a type of
animated movie. This movie displays the
evolution of the state of the system. The
placement of the processes (or data) in the
two-dimensional display could be arbitrary,
be under user control, or correspond to the
underlying structure of the program (or
data) being represented.
In Belvedere [Hough and Cuny 19871,
the placement of processes is very impor-
tant and is specified by the user. The basic
animation elements are depicted in Fig-
ure 8. This system animates primitive
events and user defined events specified
using EDL. To further help organize the
display, the user may request that events
be displayed from different perspectives:
that of a processor, a channel or a data
item. For example, when viewed from the
perspective of a single processor, the events
will be displayed in the order that they
appeared to that processor. Examples of
this can be found in Hough and Cuny
[1987] and in Figure 8. Figure 8 is a snap-
shot of message traffic animation during a
traveling salesman program. Activity is de-
picted by highlighting the appropriate ports
(small boxes) and channels (lines). A port
is highlighted during a receive and a chan-
nel during a send. Arrowheads indicate di-
rection for sends, with multiple arrowheads
indicating more than one message in the
buffer.
The Radar [LeBlanc and Robbins 19851
system also uses animation of messages.In
Radar, the user can control how long each
time frame is displayed. Also, at any time,
the user can have the contents of any mes-
sage displayed.
Voyeur [Socha 19881 is a prototype sys-
tem for the construction of application spe-
cific “views” of parallel programs. Its input
is a sequence of events generated from user-
inserted instrumentation code. The user
l 607
Figure 8. Animation using Belvedere. Used with per-
mission of Hough and Cuny [1988].
can use existing views or build new ones.
Four views have been constructed and are
described in Socha et al. [1988]: icon view,
vector view, trace view, and linked-list
view.
In the icon view, the events indicate
where in a two-dimensional picture a par-
ticular icon should be drawn and when to
start a new animation frame. By observing
the position of the icons within a single
frame and their change in position from
frame to frame, several errors have been
detected. The vector view is a variation of
this where instead of drawing icons, vectors
are drawn.
The trace view provides a small box (win-
dow) for each process. Connections to other
processors are shown as lines to other
boxes. Values local to the process are then
displayed inside the box. The linked-list
view is a variation of the trace view that
displays a linked-list data structure from
the program. The nodes are drawn as boxes,
with the actual data values displayed. The
boxes are then connected to show the actual
link structure.
The emphasis in Voyeur is the ability to
provide an easy method for programmers
to animate their parallel programs for the
purpose of uncovering errors.
ACM Computing Surveys, Vol. 21, No. 4, December 1989
608 . C. E. McDowell and D. P. Helmbold
3.4 Animation Versus Time Process
It should come as no surprise that neither
animation nor time-process diagrams alone
is sufficient to detect all of the errors in
parallel programs easily. Animation is good
for observing the instantaneous state of the
system. By only displaying a single instant
of time, more state information can be dis-
played simultaneously. This may mean
more information per process or more pro-
cesses. Patterns of concurrent behavior can
also be viewed (e.g., all processes except one
are sending messages to their neighbor).
Animation, however, does not clearly show
patterns of behavior that occur across time.
This is addressed to some degree in Belve-
dere by the use of high-level abstract events
that may encompass an interval of time.
Time-process diagrams can display pat-
terns of behavior over time. This can be
especially helpful in finding performance
bugs. The trade-off is that only a very small
amount of information can be displayed for
each process at any point in time. In mtdbx
[Griffin 19871 only a single character is
displayed for the entire state of a process.
In PPUTT a process is either waiting, run-
ning, sending, or receiving.
It appears that the ideal debugger for
complex concurrent systems would support
both animation and time-process displays.
Two pieces of evidence to support this
claim are the following:
The animation systems find some errors
by noticing changes from one frame to
the next (the passage of time), and
The time-process displays generally pro-
vide some mechanism for displaying de-
tailed system state for a particular
instant in time.
One
._. approach to combining the two
would be simultaneously to present a time-
process diagram in one window of a graphic
workstation and an animation in another.
The time-process display would guide the
programmer to the important point in time,
and the animation display would present
detailed information about the state of the
program in a comprehensible way. An al-
ternative method of displaying both time
and the detail found in animation frames
ACM Computing Surveys, Vol. 21, No. 4, December 1989
would be to display several animation
frames simultaneously. Using the abstrac-
tion of Belvedere, it might even be useful
to display several different perspectives in
different windows simultaneously. It may
be that the flexibility of a system like
Voyeur will be necessary because no single
view is sufficient for the many different
types of errors that must be addressed.
4. STATIC ANALYSIS FOR DEBUGGING
PARALLEL PROGRAMS
When the probe effect renders the tech-
niques in Sections 1 and 2 useless, what
options are left to a programmer to debug
a parallel program? Some researchers are
pursuing static analysis techniques for de-
tecting certain classes of anomalies in par-
allel programs. This is distinct from formal
proof of correctness, because no attempt is
made to prove conformance with a written
specification. Instead, an attempt is made
to give assurance that the program can-
not enter certain predefined states that
generally indicate errors.
Static analysis is being used to detect two
classes of errors in parallel programs: syn-
chronization errors and data-usage errors.
Synchronization errors include such things
as deadlock and wait forever. Data-usage
errors include the usual sequential data-
usage errors, such as reading an uninitial-
ized variable, and parallel data-usage errors
typified by two processes simultaneously
updating a shared variable.
There appear to be two related but dis-
tinct areas being investigated. One is apply-
ing dataflow analysis techniques, similar to
those used by optimizing and vectorizing
compilers, to determine data-usage prop-
erties in parallel programs. The other is
answering the question,
Is it possible for two statements Sl and S2
in a parallel program to execute in parallel?
These two areas are discussed in the re-
mainder of this section. Some closely re-
lated work on combining static analysis
with dynamic debugging and a system de-
signed to aid in the development of parallel
algorithms are presented at the end of
Section 4.
 Debugging Concurrent Programs
4.1 Dataflow Analysis of Parallel Programs
Probably the most frequently referenced
work on dataflow analysis of parallel pro-
grams is that of Taylor and Osterweil
[ 19801. Their algorithms generate four
data-usage sets for each node of a program
flow graph: gen, kill, live, and avail. These
correspond to the sets by the same names
used in the global dataflow analysis of op-
timizing compilers [Fosdick and Osterweil
1976; Hecht and Ullman 19751. The origi-
nal algorithms used to compute live and
avail have been extended to pass data-usage
information across edges in the flow graph
corresponding to synchronization opera-
tions. By reinterpreting the meaning of gen
and kill, it is possible to use the modified
data-usage sets to arrive at algorithms to
detect anomalies in parallel programs.
The algorithms in Taylor and Osterweil
[1980] assume a simple process synchroni-
zation model. One process may cause an-
other process to begin execution with the
statement “schedule X” and wait for the
completion of another process with “wait
X”. Their model does not permit a process
to execute (be scheduled) in parallel with
itself. This would correspond to a recursive
process invocation. Recursion is also not
allowed within any single process. They
present algorithms based on their modified
data-usage sets that operate on a represen-
tation of the program called a Process
Augmented Flowgraph (PAF). This is con-
structed by taking the flowgraphs of the
individual processes and connecting them
with edges to indicate process synchroni-
zation constraints. For example, there
would be an edge connecting the “schedule
X” statement in one process with the initial
statement in process X. Their algorithms
can detect the following:
(1) a reference to an uninitialized variable,
(2) a variable that is referenced while being
defined in parallel,
(3) a definition of a variable that is never
referenced,
(4) a variable that may have an indeter-
minate value,
(5) a process waiting for the completion of
an unscheduled process,
l 609
(6) a process waiting for the completion of
another process that is guaranteed to
have already completed, and
(7) a process that is scheduled to execute
in parallel with itself.
In addition to not permitting recursion,
the algorithm for item (2) assumes the exis-
tence of an algorithm for determining if
two statements can execute in parallel.
This is the subject of Section 4.2. Also, it
is recognized that it is impossible to “create
a fixed static procedure capable of con-
structing the PAF of any program written
in a language which allows run-time deter-
mination of tasks to be scheduled and
waited for.”
The difficulty of using dataflow to ana-
lyze parallel programs is clearly shown in
Callahan and Subhlok [1988]. They present
an algorithm for determining which data
dependencies present in a sequential exe-
cution of a program are preserved in a
parallel execution of the program. They
then show that determining if all data de-
pendencies are maintained is Co-NP-hard
using only the information found in their
verison of the PAF which they call the
synchronized control flow graph. They also
present approximations that execute in
polynomial time on programs written using
a simple programming model. Two notable
limitations of the model are that no syn-
chronization operations are permitted
within loops and all synchronization is
done with event variables that cannot be
cleared.
4.2 Parallel (i, j)
A Boolean function parallel (i, j), which
returns true if it is possible for program
points “i” and “j ” to execute in parallel,
can be used to detect parallel access errors.
These occur when a variable is being read
and written in parallel or when two pro-
cesses can simultaneously write to the same
variable. If the program can be represented
as a Petri net [Peterson 19771, then this
function can be implemented by examining
the reachable states for the net. Unfortu-
nately, the number of reachable states in a
bounded Petri net grows exponentially with
the number of places (nodes) in the net.
ACM Computing Surveys, Vol. 21, No. 4, December 1989
610 l C. E. McDowell and D. P. Helmbold
An algorithm similar to computing the
reachable states in a Petri net applied to
Ada programs is presented by Taylor
[1983]. Like the Petri net algorithm, the
number of states generated by Taylor’s al-
gorithm can increase exponentially with
the number of parallel tasks in the Ada
program.
An algorithm presented in McDowell
[ 19891 computes parallel (i, j ) for programs
written in FORTRAN with extensions to
support explicit parallelism. Whereas the
simple language in Taylor and Osterweil
[1980] explicitly prohibits the execution of
a process with itself, the algorithm in
McDowell [1989] uses the fact that many
parallel numerical applications are ex-
pressed as collections of identical tasks ex-
ecuting in parallel on shared data. The
result is that many fewer states are gener-
ated. This algorithm is being used in a
prototype debugging tool [Appelbe and
McDowell 19851.
A somewhat different approach to com-
puting parallel (i, j ) was taken in Bristow
et al. [1979a]. Their algorithms operate on
the same PAF representation of a program
described in Section 4.1. They can build
PAFs for the real language HAL/S. Al-
though more powerful than the simple lan-
guage used in Taylor and Osterweil [ 19801,
HAL/S is still nonrecursive and con-
tains relatively simple synchronization
operators.
Instead of computing a single function,
parallel (i, j), they compute eleven func-
tions which they call execution sequence
sets. Included are three execution sequence
sets: concurrent, always-concurrent, and
possibly-concurrent. The sets are computed
for each node in the PAF. The set concur-
rent for node N contains all nodes M such
that on all execution paths on which both
M and N occur, they occur with no forced
ordering. The set always-concurrent is a
subset of concurrent that satisfies the ad-
ditional restriction that all program exe-
cution paths containing N also contain M.
Node M is in the set possibly-concurrent
for node N if there is some execution path
in which both M and N occur with no forced
ordering between the two. For use in the
anomaly detection algorithms of Taylor
ACM Computing Surveys, Vol. 21, No. 4, December 1989
and Osterweil [ 19801, if a node M is in any
of the above three execution sets at node
N, then the nodes N and M would be as-
sumed to execute in parallel. The result of
this could be a potentially large number of
extraneous anomaly reports corresponding
to infeasible paths.
The three functions are actually repre-
sented as execution sequence sets attached
to each node of the PAF. The algorithms
for computing the execution sequence sets
are very similar to the dataflow analysis
algorithms mentioned in Section 4.1. The
details of the algorithms can be found in
Bristow et al. [ 1979131.For the nonrecursive
language HAL/S, the execution sequence
sets can all be computed in polynomial
time.
The result of applying the analysis men-
tioned above is an anomaly report. It should
be possible to provide the user with suffi-
cient information to determine what source
statements are involved in the anomaly.
There are, however, two problems related
to presenting the anomaly report. One
problem is that the anomaly report may
contain many anomalies that are the result
of infeasible paths and do not correspond
to a real error in the program. Some prog-
ress in removing infeasible paths from
static analysis of sequential programs has
been reported [Werner 19881. There is,
however, nothing in the literature concern-
ing the removal of infeasible paths from
static analysis of concurrent programs.
The second problem with presenting the
anomaly report is presenting the informa-
tion in such a way that the user under-
stands how the erroneous concurrent state
could arise. It may not be sufficient to
report that variable X is modified concur-
rently by a process executing line 100 and
another process executing line 200. If the
user cannot understand how lines 100 and
200 can execute in parallel, then it may be
difficult to determine how to resolve the
problem. Furthermore, the user may simply
decide (erroneously) that this situation
could never arise and that the anomaly
report should be ignored.
The approach taken in Applebe and
McDowell [1988] allows the user to exam-
ine not only the concurrency state causing
 Debugging Concurrent
the anomaly report but also the concur-
rency states that led up to that state. A
multiwindow user interface is provided that
displays an anomalous concurrency state
along with a description of the anomaly
[McDowell 19881. The concurrency state is
represented by displaying a small portion
of the source for each concurrent task in a
separate window. The user may then dis-
play any previous or successor concurrency
state to determine how the situation arose.
This is somewhat like performing a coarse
forward or backward simulation.
4.3 Combining Static Analysis with
Dynamic Debugging
Taylor [1984] describes several ways in
which static analysis could be productively
combined with dynamic analysis. One ap-
proach would be to use the information
from static analysis to help develop test
data for use in conjunction with a dynamic
debugger. Conversely, information from dy-
namic monitoring could be used to guide
partial static analysis when complete static
analysis would generate too many states. If
subparts of a program could be shown to be
free of errors using static analysis, then
those portions of the program would not
need monitoring. This could reduce the
overhead associated with monitoring. If
run-time assertion testing is included in the
program, then the static analyzer could as-
sume that the assertions are true, reducing
the number of states that must be exam-
ined. A related technique is the use of sym-
bolic execution to reduce the state space of
a static analysis tool by eliminating infeas-
ible paths [Young and Taylor 19861.
A somewhat different combined use of
static and dynamic techniques is described
in Allen and Padua [ 19871, Miller and Choi
[1988b], and Stone [1989]. Each of these
systems applies static analysis to a dynam-
ically generated trace in order to identify
parallel access anomalies that they call
races. If a particular trace can be shown to
be free of races, then the program is free of
races for the given input. This does not
mean that the program is free of races in
general. For example, a race condition
could be present in a conditionally executed
Programs l 611
block that is not executed with the given
input. The analysis performed to identify
races can also be used to help with break-
point debugging. If the critical point in each
process involved in a race can be identified,
then a breakpoint can be placed just before
that point in each process. This will stop
the system in the state necessary to induce
the race and permit close examination. In
addition, by selectively continuing the
processes, alternative race outcomes can be
explored.
4.4 Static Analysis in the Development
Process
In addition to analyzing parallel programs
statically, and debugging them with run
time debuggers and monitors, there is the
possibility of eliminating the errors in pro-
grams before they occur. Here we would
like to present some current work that
seeks to aid in the development of parallel
programs that are free of the kinds of errors
outlined at the beginning of Section 4.
Automatic vectorizing compilers are the
predecessors of the work presented here.
They represent a very restricted form of
parallel programs that are free of parallel
bugs, assuming, of course, that the compi-
lers are correct. This work has been ex-
tended most notably by Banerjee et al.
[ 19791 to permit parallel execution of a wide
range of loops. Again, assuming that both
the sequential programs and the compilers
are correct, the parallel programs that re-
sult will also be correct.
In addition to the fully automatic tech-
niques of Banerjee et al., researchers at
Rice University are working on a system
called PTOOL [Allen et al. 19861. PTOOL
performs interprocess dataflow analysis to
determine when a loop can be parallelized.
It does this only for loops selected by the
programmer. It interacts with the program-
mer for three reasons. First, the amount of
time to perform the analysis for all loops
and all combinations of loops is prohibitive.
It is assumed that the programmer under-
stands the overall structure of the program
and knows which sections are most suitable
for parallelization. Second, the programmer
can make a judgment about the typical
ACM Computing Surveys, Vol. 21, No. 4, December 1989
612 l C. E. McDowell and D. P. Helmbold
values of certain variables at run time that
affect the decision of whether to parallelize
a particular loop. This is particularly im-
portant when the overhead for parallel ex-
ecution is relatively high. Finally, by
interacting with the programmer, PTOOL
can provide information that might permit
the programmer to change the program
slightly, thereby allowing an important
loop to be parallelized. In a fully automatic
system the compiler would have to reject
the loop as a candidate, possibly missing
an important opportunity for parallel
speedup.
By using automatic or semiautomatic
techniques based on correctness preserving
transformations, it is possible to debug a
sequential version of a program using con-
ventional debugging tools and then trans-
form it into an equivalent parallel version.
5. CONCLUSION
Having completed the survey, the question
remains, What progress has been made and
where is more work needed? Because of the
diversity of applications, languages, and
systems, no single approach can satisfy all
parallel debugging needs. The following
paragraphs summarize what has been
achieved and speculate on possible research
directions.
The deficiencies of both static and dy-
namic techniques have been discussed in
this paper. One promising approach that
alleviates some of these deficiencies is the
creation of a toolkit that integrates both
approaches (see Section 4.3).
As the saying goes, “A picture is worth a
thousand words.” With program activities
distributed across both space and time,
simple sequential displays of program ac-
tivity are inadequate. The time-process dia-
grams (see Section 3.2) give a compact view
of the event history, whereas the animation
diagrams (see Section 3.3) give a more
detailed view of a single instant in time.
Both representations are valuable, and the
use of multiwindow workstations makes it
possible to have both.
The appropriateness of each of these dia-
grams needs further research. For example,
ACM Computing Surveys, Vol. 21, No. 4, December 1989
a major problem with the animation dia-
grams is the placement of the symbols rep-
resenting the processes. Hough and Cuny
[1987] make it clear that proper placement
can be very important in comprehension of
the display (see Figure 8).
In addition to the problem of placement
is the problem of too much information-
even for a picture. A possible solution is a
language for abstracting low-level events
into higher level events for display. Event
description languages can also be used
to filter out irrelevant events, reducing
the amount of information that must be
displayed.
One prominent feature of several systems
is modularity [Joyce et al. 1987; Victor
19771. By carefully designing a modular
system, the addition or modification of var-
ious features can be managed easily. An
event-based system might have modules for
low-level event monitoring, filtering, and
recording of events (from the low-level
event modules), display of recorded events,
analysis of recorded events, and controlled
reexecution of the program. In traditional
parallel debuggers as described in Section
1, there may be separate modules for inter-
acting with the low-level machine and for
interacting with the user. “Plug compati-
ble” modules are advantageous because
they allow experimentation with different
debugger functions.
A well-defined interface (or hierarchy of
interfaces) between the user and the low-
level machine isolates most components
from changes in any one part of the system.
The user modules become machine inde-
pendent; the low-level machine modules
become user interface and language
independent; and possibly some user in-
terface modules may become language
independent.
The probe effect is possibly the most
significant difference between debugging
parallel programs and sequential programs.
The most obvious solution to the problem
of the probe effect is to have the probes
permanently in place. This does not help
with breakpoint debugging, but it solves
the problem for event-based debugging
using monitoring and event histories. The
 Debugging Concurrent
problem with this solution is the perfor-
mance penalty for having software probes
permanently enabled. The use of hardware
assistance for high-level debugging was
proposed in Gentleman and Hoeksma
[ 19831, and systems using hardware moni-
toring for multiprocessors are described in
Lazzerini and Prete [ 19861and Rubin et al.
[1988].
Before hardware designers will dedicate
precious silicon to “hooks” for parallel de-
buggers, it will be necessary to identify just
what hooks are useful. Having specified the
hooks, a cost-benefit analysis could deter-
mine which low-level debugging elements
should be implemented in hardware. Most
uniprocessors today have hardware hooks
for breakpointing and single stepping. It
seems only natural that hooks for parallel
debugging be added to parallel systems.
Event histories may be the most natural
abstraction of distributed systems. A vari-
ety of tools and methods for examining
them have been developed. For small and
simple parallel programs, it may suffice to
print the events as they occur. In larger
systems, it may be preferable to save the
event history for later examination. An
alternative to examining the event history
manually is to check the event history
against a set of specifications as it is gen-
erated. Although this approach incurs a
large overhead, it may be the only effective
way to monitor large continually executing
systems. Ideally, specifications from the
program’s design phase would be used to
detect errors. In current systems, the pro-
grammer must write the specifications
for checking the event history. This is
usually done as part of a testing phase and
is not directly connected to any design
specification.
The event specification languages we
have seen [Baiardi et al. 1986; Harter et al.
1985; Helmbold and Luckham 1985b] can
all express simple constraints on the event
stream. It is unreasonable, however, to ex-
pect the programmer to specify completely
the intended behavior of a program with
these languages. Much work needs to be
done before we know what kinds of asser-
tions are most useful and the best languages
Programs 613
for expressing them. Furthermore, the issue
of integrating design specifications with
run-time checking has not been addressed.
A variation of the specification approach
is taken by EDL [Bates and Wileden 19831.
They do not check the event history against
specifications but instead transform it into
a higher level history. This approach may
help bridge the gap between low-level com-
munication primitives and the more ab-
stract communication mechanisms used in
the program. EDL has been successfully
used to control the presentation of graphic
data in the Belvedere system [Hough and
Cuny 19871.
We have seen some attempts at software
solutions to the probe effect. These involve
some mechanism for the debugger to ma-
nipulate the logical passage of time. In none
of the systems surveyed was this completely
successful; real-time events do not lend
themselves well to manipulations of logical
time. Although appearing unsolvable in
general, software solutions might be attain-
able for some systems such as message-
passing systems without timeouts. It
certainly appears that designers of new
parallel languages and synchronization
constructs should keep the probe effect in
mind.
Perhaps the best way to avoid the bugs
associated with current parallel constructs
is to design languages for parallel machines
that make such errors impossible. Dataflow
and functional languages are one example
of systems that attempt to “define away the
problem.” Still other examples can be found
in declarative languages such as Prolog
or higher level languages as described in
Goldberg [ 19861. A somewhat less radical
approach is the use of tools for automati-
cally detecting parallelism. These may be
fully automatic or require some user inter-
action. In either case, such systems would
ensure that the parallel program produces
exactly the same results as the sequential
version.
ACKNOWLEDGMENTS
We would like to thank Anil Sahai who contributed
to an early version of this survey. We would also like
to thank the referees for their comments.
ACM Computing Surveys, Vol. 21, No. 4, December 1989
 614 l C. E. McDowell and D. P. Helmbold
APPENDIX A. SUMMARY TABLES Hardware Hardware configuration
debugger uses or re-
The tables in this appendix present brief quires
descriptions of the systems surveyed in a
form that permits quick comparisons. To Status Completeness of debugger
make it possible to place as much infor- implementation
mation as possible in each summary table, partial Prototype missing major
we use one- or two-word descriptors in features
the tables. Informal explanations of the
descriptors are given before the tables. production Production version avail-
able
A.1 General Characteristics Part 1 prototype Complete in-house system
O.S. Operating system debug-
ger runs under n/s Not specified

Table A.l. General Characteristics Part 1

System OS. Hardware Status
Agora [For881 Agora LAN prototype
Amoeba [Els88] Amoeba n/s prototype
belvedere [HC87] simple sim emulator partial
BUGNET [CW82] MICROS MICRONET partial
CBUG [Gai85] UNIX any UNIX prototype
cdbg [Int87] iPSC iPSC prototype
dbxtool [AM861 UNIX(Sun) Sun production
defence n/s uniprocessor partial
DISDEB yiE; Mara Mara prototype
EDL [BW83] VMT UMass VMT UMass partial
HARD [ MCR85] UNIX any UNIX prototype
IDD [HHK85] UNIX network(Sun) partial
Instant [LM87] Chrysalis BBN butterfly prototype
Jade [ JLSU87] Jipc vax/Sun prototype
MAD [RRZ88] n/s mimd sh. bus prototype
Meglos [GK86] UNIX MC68000 production
mtdbx [Gri87] UNIX/COS Sun/Gray prototype
Multibug [CP86] n/s multi-macro-proc prototype
Parasight [AG88] Mach/Umax Multimax prototype
pdbx [Se@61 Dynix Sequent production
Pilgram [Coo871 Mayflower Cambridge DCS partial
PPD [MC88b] n/s n/s partial
RADAR [LR85] n/s PERQ prototype
Recap PLW n/s n/s proposed
Traveler [Man871 Apiary emulator prototype
TSL [HL85b] any any prototype
Voyeur [SBN88] n/s n/s prototype
YODA [LP85] n/s n/s prototype
[AP87] Cedar n/s partial
[BDV86] MuTEAM MuTEAM partial
[GB85] PathPascal n/s partial
[GGKSI] n/s n/s prototype
[GKY88] any any prototype
UNIX any UNIX prototype
Medusa/StarOS Cm* prototype

ACM Computing Surveys, Vol. 21, No. 4, December 1989

 Debugging Concurrent Programs l 615

A.2 General Characteristics Part 2 Global Clock Whether debugger re-

quires a global clock
Interface How the debugger hooks assumed Debugger assumes the
into the program existence of an accurate
hardware Additional hardware is global clock
used instead of a soft- self-timed Debugger simulates its
ware interface own global time
manual Calls to the debugger are uniprocessor Debugger is for a single
manually inserted by the processor system or
programmer simulation
object Compiler modifies the ob- Languages Languages the debugger
ject code supports
oper sys Debugger interacts with Model The model of communica-
the normal operating tion
system block-send Message passing with
source Automatic insertion of blocking sends
source code statements gmem A bank of global memory
calling the debugger equidistant from all
Probe Effect How the debugger ad- processors
dresses the Probe Effect hybrid Has both shared memory
fast calls Fast monitoring opera- and message passing
tions minimize the effect lmem The shared memory is lo-
on program timing cated at the processors
leave in Leave the debugger in the messages Message passing
system rndzv Ada rendezvous
logical time Logical time hides the WC Remote procedure call
effects of debugging
operations n/s Not specified

Table A.2. General Characteristics Part 2

System Interface Probe Effect Global Clock Languages Model
Agora [For881 oper sys leave in self-timed n/s lmem
Amoeba [Els88] object n/s none n/s messages
belvedere [HC87] object logical time uniprocessor Simple Simon messages
BUGNET [CWSZ] object n/s self-timed Modula2 messages
CBUG [Gai85] source fast calls none C 23-m
cdbg [I&37] oper sys n/s none C, Ftn messages
dbxtool [AM861 oper sys n/s none C, Pscl, Ftn messages
defence [~;UJ object n/s uniprocessor Cont. Euclid monitors
DISDEB hardware none’ none any gmem + lmem
EDL [BW83] n/s n/s assumed n/s n/s
HARD [MCR85] source logical time assumed Ada rndzv + gmem
IDD [HHK85] object n/s none C, ModulaQ messages
Instant [LM87] object leave in none several gmem
Jade [ JLSU87] object n/s none several block-send
MAD [RRZ88] man + hard leave in assumed PARC(C) gmem
Meglos GK861 y-c; n/s none C messages
mtdbx [Gri87] logical time uniprocessor f77 + Cray gmem
Multibug [CP86] oper sys n/s none low level messages
Parasight [AGW oper sys fast calls none C gmem

’ DISDEB uses additional hardware to eavesdrop on the network traffic. This allows the DISDEB debuggers
to run transparently, without disturbing the program’s timing.
(continued)

ACM Computing Surveys, Vol. 21, No. 4, December 1989

616 l C. E. McDowell and D. P. Helmbold
Table A.2. (Continued)
System Interface Probe Effect Global Clock Languages Model
pdbx Bw861 oper sys n/s none C, P, F + dynix gmem
Pilgram [Coo871 object logical time none Cont. Clu WC
PPD [MC88b] object n/s none C gmem
RADAR [LR85] object n/s none Pronet messages
Recap [PL88] object n/s none n/s hybrid
Traveler [Man871 oper sys n/s uniprocessor Acore(lisp) messages
TSL [HL85b] source n/s none Ada rndzv
Voyeur [SBN88] manual n/s assumed several hybrid
YODA [LP85] source n/s assumed Ada rndzv + gmem
[AP87] oper sys n/s none FORTRAN gmem
[BDV86] object logical time none ECSP messages
[GB85] oper sys n/s none Path Pascal gmem
[GGK84] oper sys none none n/s messages
[GKY88] source fast calls none Occam, NIL messages
[MMSSG] oper sys fast calls none C messages
[Sno84] object n/s assumed n/s hybrid

A.3 User Interface windows, win Processes are dis-

played in separate
Exam/Mod State Capabilities for ex- windows
amining/modifying
the program’s state Exam Event
global, glb Global state can be History How user examines
examined a recorded event
ipc Communication state history
can be examined browser Using an
local Local states can be editor/browser
examined ( law-we > Using queries in the
+ Modification of state indicated language
is also possible replay Only examination
sequent (Plans to) interface is to replay the
with a sequential history
debugger scroll tp Scrollable time-
Rename Objects Whether program process diagrams
objects are given Event Lang What language (if
special names dur- any) is used to
ing debugging express patterns
no No objects can be of events
given names
procs Only processes can Control Sched Whether user can
be given names control scheduling
Most objects can be of the program
yes
given names hist History guides to
Graphics Whether debugger scheduling
uses graphics select, se1 Can select which
commun Animated view of process to run next
interprocess sus/cont, SC Can suspend or con-
communications tinue individual
Time-process processes
diagrams can
be displayed n/s Not specified

ACM Computing Surveys, Vol. 21, No. 4, December 1989

 Debugging Concurrent Programs l 617
Table A.3. User Interface
Examine
Exam/Mod Rename Event Event Control
System State Objects Graphics History Lang Sched
Agora [For881 local no windows replay none sus/cont
Amoeba [El9881 local+ no none replay reg. exp. sus/cont
belvedere [HC87] ipc no commun replay EDL hist
BUGNET [CWSZ] local, ipc no none replay none sus/cont
CBUG [Gai85] local, ipc no windows none none sus/cont
cdbg [Int87] local+ yes none none none sus/cont
dbxtool [AM861 local+ no windows none none sus/cont
defence [Web831 local+ no none none none sus/cont
DISDEB [LP86] global+ no none none sus/cont
EDL [BW83] n/s no none replay ;DL none
HARD [MCR85] glb+, ipc+ no none none Adad sus/cont
IDD [HHK85] local, ipc no tP scroll tp int. log. SC,hist
Instant [LM87] sequent no tP” replay none hist
Jade [ JLSU87] sequent yes tp, commun browser none sel, hist
MAD [RRZ88] global no tP browser path rules n/s
Meglos [GK86] local+ no none none none sus/cont
mtdbx [Gri87] global+ no tp, win scroll tp none SC,sel, hist
Multibug [CP86] local+ yes none none none sus/cont
Parasight [AG88] local+ no none none none sus/cont
pdbx L%W local+ no windows none none sus/cont
Pilgram [Coo871 global+ no none none none sus/cont
PPD [MC88b] local, ipc no b replay none sus/cont
RADAR [ LR85] ipc no commun replay none none
Recap [PL88] sequent no none replay none hist
Traveler [Man871 n/s no windows browser none select
TSL [HL85b] sequent yes none browser TSL select
Voyeur [SBN88] global yes programmable browser none none
YODA [LP85] ipc no none prolog none none
[AP87] n/s no none none none none
[BDV86] sequent no none none BS none
[GB85] global+ no win, commun replay yes, n/s sus/cont
[GGK84] local+ no none scroll tp yes, n/s sus/cont
[GKY88] glb+, ipc+ no windows browser temp. logic SC, select
[MMS86] n/s no none browser none none
[Sno84] local no none TQuel TQuel none
“In Fowler et al. [1988] a toolkit by the same authors includes process time diagrams that require a global
clock. The process time diagrams are not presented in the 1987 paper.
b PPD generates and displays dynamic dependence graphs.
’ DISDEB allows complex events to be built out of very low-level machine code like events using a low-level
language. For example, the language can only refer to physical addresses rather than using identifiers from the
source code.
d There is a facility for calling the debugger from special tasks. These tasks can be used to implement arbitrarily
complex breakpoints.

A.4 Breakpoints local Breakpoints can

be set on local
State Breakpoints Types of state
state-based stmt Breakpoints
breakpoints can be set at
supported a source
global Breakpoints can statement
be set on global Event Breakpoints Types of
(and local) event-based
state breakpoints

ACM Computing Surveys, Vol. 21, No. 4, December 1989

618 . C. E. McDowell and D. P. Helmbold

mult. ( language) Breakpoints on during program

conjunction, execution
disjunction, or Breakpoint Effect What is halted
repetition of when a break-
events point is reached
seq. ( language ) Breakpoints on either Either one pro-
complex cess or the
sequence entire program
of events may be halted
process One process is
single Breakpoints on halted
the occurrence program The entire pro-
of single events gram is halted
Modify Breakpoints Whether break-
points can be n/a Not applicable
added/disabled n/s Not specified

Table A.4. Breakpoints

State Event Modify Breakpoint
System Breakpoints Breakpoints Breakpoints Effect
Agora [For881 local single yes -.
Amoeba [El&] local + stmt seq(reg. expr.) yes either
belvedere [HC87] no none no n/a
BUGNET n/s single yes either
CBUG ME; stmt none yes process
cdbg [I&37] local + stmt single yes process
dbxtool [AM861 local + stmt none yes process
defence [Web831 local + stmt none yes program
DISDEB [LP86] no multiple no either
EDL [BW83] no none n/a n/a
HARD [MCR85] local + stmt multiple remove process
IDD [HHK85] global seq n/s program
Instant [LM87] local + stmt none yes program
Jade [JLSU87] no single yes
MAD [ RRZ88] n/s n/s n/a n/a
Meglos [GK86] local single yes either
mtdbx [Gri87] local + stmt none yes either
Multibug [CP86] local + stmt single yes process
Parasight [AG88] stmt none yes process
pdbx Pw861 local + stmt none yes process
Pilgram [Coo871 stmt none 3-s process
PPD [MC88b] stmt + local none yes program
RADAR none n/a n/a
Recap EEli; gal + stmt n/s yes process
Traveler [Man871 no no (planned) n/a n/a
TSL [HLSW] no seq(TSL) no process
Voyeur [SBN88] n/s n/s n/s n/s
YODA [LP85] no none n/a n/a
[AP87] n/a n/a n/a n/a
[BDV86] local seq(BS) no process
[GB85] -2 yes process
[GGKM] $a1 + global seq yes either
[GKY88] stmt + global single no program
[MMS86] no none n/a n/a
[ Sno84] no none n/a n/a

ACM Computing Surveys, Vol. 21, No. 4, December 1989

 Debugging Concurrent Programs l 619
A.5 Event Monitoring history Using predicates on the
history of events
Event Type What is an event (language > Specified language
ipc Every (explicit) interpro- describes “interesting”
cess communication events
sh mem Shared memory references local Local state
stmt Each statement execution process Specifying important
History Kind of event history process(es)
recorded Replay How complete are the
buffer Last n events are stored in replay facilities
a buffer commun Communication state can
chk pt All events since the last be deduced
checkpoint are saved complete Entire state (including
complete All events are recorded and local vars) is available
preserved Ordering How are event histories
sparse Some events are kept; ordered
others are not linear All events are forced into a
Filtering How the information linear history
recorded (or replayed) partial “Concurrent” events are
can be reduced not ordered
event Using predicates on single
events n/a Not applicable
global Global state n/s Not specified

Table AS. Event Monitoring

System Event Type History Filtering Replay Ordering
Agora [For881 sh mem chk. pt. n/s complete partial
Amoeba [Els88] ipc chk. pt. history complete partial
belvedere [HC87] ipc complete none commun partial
BUGNET [CW82] ipc chk. pt. proc, event complete linear
CBUG [Gai85] ipc none none none n/a
cdbg [Int87] ipc none n/a n/a n/a
dbxtool [AM861 stmt none none none n/a
defence [Web831 stmt none n/a n/a n/a
DISDEB [LP86] ipc, sh mem none a none linear
EDL [BW83] n/s complete EDL commun linear
HARD [MCR85] stmt none none none partial
IDD [HHK85] ipc buffer proc, event none linear
Instant [LM87] sh mem complete none complete partial
Jade [JLSU87] ipc complete proc, event complete linear
MAD stmt sparse history none linear
Meglos [gEEi; sh mem none none none partial
mtdbx [Gri87] ipc complete none complete linear
Multibug [CP86] ipc none n/a n/a n/a
Parasight [AG88] stmt none none none n/a
pdbx [SeqW stmt none none none n/a
Pilgram [Coo871 stmt none none none n/a
PPD [MC88b] sh mem complete none none partial
RADAR [ LR85] ipc complete none complete partial
Recap [PL88] ipc, sh mem chk. pt. process complete partial

’ DISDEB allows complex events to be built out of very low-level machine code like events using a low-level
language. For example, the language can only refer to physical addresses rather than using identifiers from the
source code.
’ Filtering is done by transactions. The nested function calls can be hidden, giving a clearer picture of the high-
level activity (see Section 3.1).
(continued)

ACM Computing Surveys, Vol. 21, No. 4, December 1989

620 . C. E. McDowell and D. P. Helmbold
Tadle AS. (Continued)
System Event Type History Filtering Replay Ordering
Traveler [Man871 ipc complete b none partial
TSL [HL85b] ipc complete TSL (planned) linear
Voyeur [SBN88] stmt complete n/s none linear
YODA [LP85] ipc, sh mem complete none none linear
[AP87] ipc, sh mem sparse none none partial
[BDV86] ipc none n/a n/a n/a
[GB85] ipc complete n/s commun partial
[GGK84] n/s complete suggested complete partial
[GKY88] ipc, stmt complete history complete linear
[MMS86] ipc complete event none linear
[Sno84] stmt sparse event none linear

REFERENCES anomaly detection in HAL/S programs. Tech.

[ABKP86] ALLEN, R., BAUMGARTNER, D., KEN-
NEDY, K., AND PORTERFIELD, A. 1986. Ptool: A
semiautomatic parallel programming assistant.
In Proceedings of the International Conference on
Parallel Processing. IEEE, pp. 164-170.
[AG88] ARAL, Z., AND GERTNER, I. 1988. High-level
debugging in parasight. In Proceedings of Work-
shop on Parallel and Distributed Debugging.
ACM, pp. 151-162.
[AM851 APPELBE, W. F., AND MCDOWELL, C. E. 1985.
Anomaly reporting: A tool for debugging and
developing parallel numerical algorithms. In Pro-
ceedings of the 1st International Conference on
Supercomputing Systems. IEEE, pp. 386-391.
[AM861 ADAMS, E., AND MUCHNICK, S. S. 1986.
Dbxtook A window-based symbolic debugger for
sun workstations. Softw. Pratt. Exper. 16,7,653-
669.
[AM881 APPELBE, W. F., AND MCDOWELL, C. E. 1988.
Developing multitasking applications programs.
In Proceedings of Hawaii International Confer-
ence on System Sciences. IEEE, pp. 94-101.
[AP87] ALLEN, T. R., AND PADUA, D. A. 1987.
Debugging FORTRAN on a shared memory
machine. In Proceedings of the International Con-
ference on Parallel Processing. Penn State
University, pp. 721-727.
[Bat881 BATES, P. 1988. Debugging heterogeneous
distributed systems using event-based models of
behavior. In Proceedings of Workshop on Parallel
and Distributed Debugging. ACM, pp. 11-22.
[BCKT79] BANERJEE, U., CHEN, S., KUCK, D. J.,
AND TOWLE, R. A. 1979. Time and parallel pro-
cessor bounds for fortran-like loops. IEEE Trans.
Comput. 28,9 (Sept.), 660-670.
[BDER79a] BRISTOW, G., DRAY, C., EDWARDS, B.,
AND RIDDLE, W. 1979. Anomaly detection in
concurrent programs. In Proceedings of the 4th
International Conference on Software Engineer-
ing. IEEE.
[BDER79b] BRISTOW, G., DREY, C., EDWARDS, B.,
AND RIDDLE, W. 1979. Design of a system for
Rep. CU-CS-151-79. Univ. of Colorado at Boul-
der.
BDV86] BAIARDI, F., DEFRANCESCO, N., AND
VAGLINI, G. 1986. Development of a debugger
for a concurrent language. IEEE Trans. Softw.
Eng. SE-12,4 (Apr.), 547-553.
BW83] BATES, P. C., AND WILEDEN, J. C. 1983.
High-level debugging of distributed systems: The
behavioral abstraction approach. J. Syst. Softw.
3, 255-264. Also COINS Tech. Rep. #83-29.
[CL851 CHANDY, K. M., AND LAMPORT, L. 1985.
Distributed snapshots: Determining global states
of distributed systems. ACM Trans. Comput.
Syst. 3, 1 (Feb.), 63-75.
[Coo871 COOPER, R. 1987. Pilgram: A debugger for
distributed systems. In Proceedings of the 7th
International Conference on Distributed Comput-
ing Systems. IEEE, pp. 458-465.
[CP86] CORSINI, P., AND PRETE, C. A. 1986.
Multibug: Interactive debugging in distributed
systems. IEEE Micro 6, 3, 26-33.
[CS881 CALLAHAN, D., AND SUBHLOK, J. 1988.
Static analysis of low-level synchronization. In
Proceedings of Workshop on Parallel and Distrib-
uted Debugging. ACM, pp. 100-111.
[CW82] CURTIS, R. S., AND WITTIE, L. D. 1982.
BugNet: A debugging system for parallel pro-
gramming environments. In Proceedings of the
3rd International Conference on Distributed Com-
puting Systems. ACM, pp. 394-399.
[Els88] ELSHOFF, I. J. P. 1988. A distributed debug-
ger for amoeba. In Proceedings of Workshop on
Parallel and Distributed Debugging. ACM, pp.
l-10.
[Fid88] FIDGE, C. J. 1988. Partial orders for parallel
debugging. In Proceedings of Workshop on
Parallel and Distributed Debugging. ACM, pp.
183-194.
[FLM88] FOWLER, R. J., LEBLANC, T. J., AND
MELLOR-CRUMMEY, J. M. 1988. An integrated
approach to parallel program debugging and per-
formance analysis on large-scale multiprocessors.
In Proceedings of Workshop on Parallel and Dis-
tributed Debugging. ACM, pp. 163-173.

ACM Computing Surveys, Vol. 21, No. 4, December 1989

 Debugging Concurrent Programs
[F076] FOSDICK,L. D., AND OSTERWEIL,L. J. 1976.
Data flow analysis in software reliability. ACM
Comput. Surv. 8 (Sept.), 305-330.
[For881 FORIN, A. 1988. Debugging of heteroge-
neous parallel systems. In Proceedings of Work-
shop on Parallel and Distributed Debucminp.
-- -
AC-M, pp. 130-140.
[Gai85] GAIT, J. 1985. A debugger for concurrent
programs. Softw. Pratt. Exper. 15,6, 539-554.
[GB85] GARCIA, M. E., AND BERMAN, W. J. 1985.
An approach to concurrent systems debugging. In
Proceedings of the 5th International Conference
on Distributed Computing Systems. IEEE, pp.
507-514.
[GGK84] GARCIA-M• LINA, H., GERMANO, F., JR.,
AND KOHLER, W. H. 1984. Debugging a distrib-
uted computing system. IEEE Trans. Softw. Eng.
SE-IO, 2 (Mar.), 210-219.
[GH83] GENTLEMAN, W. M., AND HOEKSMA, H.
1983. Hardware assisted high level debugging.
SZGPLAN Notices 18,8 (August), 140-144.
[GK86] GAGLIANELLO, R. D., AND KATSEFF, H. P.
1986. The meglos user interface. In Proceedings
of Full Joint Computer Conference. ACM, pp.
169-177.
[GKY88] GOLDSZMIDT, G., KATZ, S., AND YEMINI,
S. 1988. Interactive blackbox debugging for con-
current languages. In Proceedings >? %‘ork.shop
on Parallel and Distributed Debu,&ng. ACM,
pp. 271-282.
[Go1861 GOLDBERG,A. T. 1986. Knowledge-based
programming: A survey of program design and
construction techniques. IEEE Trans. Softw.
Eng. SE-12,4 (Apr.), 752-768.
[GR85] GEHANI, N. H., AND ROOME, W. D. 1985.
Concurrent C. Tech. Rep., AT&T Bell Labora-
tories.
[Gri87] GRIFFIN,J. 1987. Parallel debugging system
user’s guide. Tech. Rep., Los Alamos National
Laboratory.
[HC87] HOUGH, A. A., AND CUNY, J. 1987.
Belvedere: Prototype of a pattern-oriented debug-
ger for highly parallel computation. In Proceed-
ings of the International Conference on Parallel
Processing. Penn State University, pp. 735-738.
[HHK85] HARTER, P. K., JR., HEIMBIGNER, D. M.,
AND KING, R. 1985. IDD: An interactive distrib-
uted debugger. In Proceedings of the 5th Znter-
national Conference on Distributed Computing
Systems. IEEE, pp. 498-506.
[HL85a] HELMBOLD, D., AND LUCKHAM, D. 1985.
Debugging ada tasking programs. IEEE Softw. 2,
2, 47-57.
[HL85b] HELMBOLD, D., AND LUCKHAM, D. 1985.
TSL: Task Sequencing Language. In Ada In Use,
Proceedings of the Ada International Conference.
ACM, Cambridge University Press.
[HU75] HECHT, M. S., AND ULLMAN, J. D. 1975. A
simple algorithm for global data flow analysis
problems. SIAM J. Comput. 4,519-532.
621
[HW88] HABAN, D., AND WEIGEL, W. 1988. Global
events and global breakpoints in distributed sys-
tems. In Proceedings of Hawaii Znternational Con-
ference on System Sciences. IEEE, pp. 166-175.
[Int87] INTEL CORP.1987. iPSC Concurrent Debug-
ger Manual.
[JLSU87] JOYCE, J., LOMOW, G., SLIND, K., AND
UNGER, B. 1987. Monitoring distributed sys-
tems. ACM Trans. Comput. Syst. 5, 2 (May),
121-150.
[Kar87] KARP, A. H. 1987. Programming for paral-
lelism. Computer 20, 5, 43-57.
[Lam781 LAMPORT, L. 1978. Time, clocks, and the
ordering of events in a distributed system.
Commun. ACM 21,7,558-565.
[LM87] LEBLANC, T. J., AND MELLOR-CRUMMEY,
J. M. 1987. Debugging parallel programs with
instant replay. IEEE Trans. Comput. C-36, 4
(Apr.), 471-482.
[LP85] LEDOUX, C. H., AND PARKER,D. S., JR. 1985.
Saving traces for ada debugging. In Ada In Use,
Proceedings of the Ada International Conference.
ACM, Cambridge University Press, pp. 97-108.
[LP86] LAZZERINI, B., AND PRETE, C. A. 1986.
Disdeb: An interactive high-level debugging sys-
tem for a multi-microprocessor system. Micropro-
cess. Microprogram. 18, 401-408.
[LR85] LEBLANC, R. J., AND ROBBINS, A. D. 1985.
Event-driven monitoring of distributed programs.
In Proceedings of the 5th International Conference
on Distributed Computing Systems. IEEE, pp.
515-522.
[Man871 MANNING, C. R. 1987. Traveler: The api-
ary observatory. In Proceedings of European
Conference on Object Oriented Programming.
pp. 97-105.
[MC88a] MILLER, B. P., AND CHOI, J.-D. 1988a.
Breakpoints and halting in distributed systems.
In Proceedings of International Conference on
Distributed Computing Systems. IEEE.
[MC88b] MILLER, B. P., AND CHOI, J.-D. 1988. A
mechanism for efficient debugging of parallel pro-
grams. In Proceedings of Workshop on Parallel
and Distributed Debugging. ACM, pp. 141-150.
[McD88] MCDOWELL, C. E. 1988. Viewing anoma-
lous states in parallel programs. In Proceedings
of the Znternutionul Conference on Parallel Pro-
cessing. Penn State University, pp. 54-57.
[McD89] MCDOWELL, C. E. 1989. A practical algo-
rithm for static analysis of parallel programs.
Journal of Parallel and Distributed Computing 6,
3 (June), 515-536.
[MCR85] DI MAIO, A., CERI, S., AND REGHIZZI, S.
C. 1985. Execution monitoring and debugging
tool for ada using relational algebra. In Ada In
Use, Proceedings of the Ada International Confer-
ence. ACM, Cambridge University Press.
[MMS86] MILLER, B. D., MACRANDER, C., AND
SECHREST, S. 1986. A distributed programs
monitor for Berkeley UNIX. Softw. Pruct. Exper.
16,2,183-200.
ACM ComputingSurveys,Vol. 21,No. 4, December1989
622 l C. E. McDowell and D. P. Helmbold
[Pet771 PETERSON, J. L. 1977. Petri nets. ACM
Comput. Surv. 9, 3 (Sept.), 223-252.
[PL88] PAN, D. Z., AND LINTON, M. A. 1988.
Supporting reverse execution of parallel pro-
[Sto88] STONE, J. M. 1988. A graphical represen-
tation of concurrent processes. In Proceedings of
Workshop on Paralleiand Distributed Debugging.
ACM. Published as SZGPLAN Notices 24.1 (Jan- I

arams. In Proceedings of Workshop on Parallel uary 1989). pp. 226-235.

and Distributed Debugging. ACM. Published [Sun861 SUN MICROSYSTEMS. 1986. NeWS Prelim-
as SZGPLAN Notices 24, 1 (January 1989). pp. inary Technical Overview.
124-129. [Tan811 TANENBAUM, A. S. 1981. Computer Net-
lRRZ881 RUBIN, R. V., RUDOLPH, L., AND ZERNIK, works. Prentice-Hall, Englewood Cliffs, N.J.
D. i988. Debugging parallel programs in paral- [Tay83] TAYLOR, R. N. 1983. A general-purpose
lel. In Proceedings of Workshop on Parallel and algorithm for analyzing concurrent programs.
Distributed Debugging. ACM. Published as SZG- CACM 26,5,362-376.
PLAN Notices 24, 1 (January 1989). pp. 216-225. [Tay84] TAYLOR, R. N. 1984. Debugging real-time
lSBN881 SOCHA, D., BAILEY, M. L., AND NOTKIN, D. software in a host-target environment. Tech. Rep.
1988. Voyeur: Graphical views of parallel pro- 212, Univ. of California at Irvine.
mams. In Proceedings of Workshop on Parallel [TO801 TAYLOR, R. N., AND OSTERWEIL, L. J. 1980.
and Distributed Deb&g&. ACM. -Published as Anomaly detection in concurrent software by
SZGPLAN Notices 24, 1 (January 1989). pp. static data flow analysis. IEEE Trans. Softw.
206-215. Eng. SE-6,3 (May), 265-278.
[Seq86] SEQUENT CORP. 1986. Dynix Pdbx Parallel [Vic77] VICTOR, K. E. 1977. The design and imple-
Debugger User’s Manual. mentation of DAD, a multiprocess, multima-
chine, multilanguage interactive debugger. In
[SG86] SCHEIFLER, R. W., AND GETTYS, J. 1986. Proceedings of Hawaii International Conference
The X window system. ACM Trans. Graph. 5, 2 on System Sciences. IEEE, pp. 196-199.
(Apr.). [Web831 WEBER, J. C. 1983. Interactive debugging
[Sno84] SNODGRASS, R. 1984. Monitoring in a soft- of concurrent programs. SZGPLAN Notices 18,8,
ware development environment: a relational 112-113.
approach. In Proceedings of the Software [Wer88] WERNER, L. L. 1988. Fault detection in
Engineering Symposium on Practical Software production programs by means of data usage
Development Environments. SIGPLAN, ACM analysis. Ph.D. dissertation UCSD.
SIGSOFT. [YT86] YOUNG, M., AND TAYLOR, R. N. 1986.
[ST831 SEIDNER, R., AND TINDALL, N. 1983. Combining static concurrency analysis with sym-
Interactive debug requirements. SZGPLAN No- bolic execution. In Proceedings of Workshop on
tices 9-22. Software Testing. pp. 10-178.

Received July 1988; final revision accepted January 1989.

ACM Computing Surveys, Vol. 21, No. 4, December 1989