Races in Extended Input/Output Automata, Their Compositions and

Related Reactive Systems

Evgenii Vinarskii

, Natalia Kushik

, Nina Yevtushenko

, Jorge L

opez

and Djamal Zeghlache

SAMOVAR, T

ecom SudParis, Institut Polytechnique de Paris, Palaiseau, France

Ivanikov Institute for System Programming, Russian Academy of Sciences, Moscow, Russia

Airbus, Issy-Les-Moulineaux, France

{vinarskii.evgenii, natalia.kushik, djamal.zeghlache}@telecom-sudparis.eu, evtushenko@ispras.ru,

Keywords:

Distributed Reactive Systems, Races, Extended Input/Output Automata, Software Deﬁned Networking.

Abstract:

Reactive systems can be highly distributed and races in channels can have a direct impact on their functioning.

In order to detect such races, model-based testing is used and in this paper, we deﬁne races in the Extended

Input Output Automata (EIOA) which are related to races in a corresponding distributed system. We de-

ﬁne various race conditions in an EIOA modeling them by Linear Temporal Logic (LTL) formulas. As race

conditions can be resolved in the corresponding EIOA implementations, we also discuss how a generated

counterexample (if any) can be used for provoking a race in a distributed system implementation with the

given level of conﬁdence. Software Deﬁned Networking (SDN) framework serves as a relevant case study

along the paper.

1 INTRODUCTION

Distributed reactive systems are actively developing

nowadays and are becoming more and more adopted

in industrial environments and various application ar-

eas, such as for example, mobile networking (Silva

et al., 2021). These systems are composed of vari-

ous interacting components and thus, a particular at-

tention should be paid to the interoperability of these

components. Even if two components have been care-

fully veriﬁed up to some extent, it is still possible

that their composition can contain inconsistencies. It

is also possible that two or more wrongly conﬁg-

ured/developed components implement the entire sys-

tem in a reliable way (bugs can mask one another,

for example). In this work, we focus on the interac-

tions between two (or more) components of a reactive

system. In particular, considering a reactive system

shown in Fig. 1, we are interested in the interactions

between components C and S of the reactive system

and between C and its external applications where S

is an embedded component.

The main goal of the paper is the analysis and de-

tection of races in distributed reactive systems. Such

races can take place in the channels between the

interacting system components, or even in a given

component between some of its inputs and outputs,

Figure 1: Reactive system with embedded EIOAs.

at a designated state. Finally, several actions pro-

duced/accepted by the environment, can also com-

pete when sending/getting requests to/from the reac-

tive system.

One of the widely spread approaches for detect-

ing concurrency issues in distributed systems is to

establish the causality relationship between requests

as seen in PCatch (Li et al., 2023), or to construct

a happens-before (HB) graph, as proposed by (Liu

et al., 2017) in DCatch. A request e2 causally de-

pends on another request e1, denoted as e1 → e2, if

the execution of e2 is directly inﬂuenced by the ap-

pearance of e1. Li et al. (Li et al., 2022) have ex-

tended the application of the HB model to SDNs, im-

plementing the detection of race conditions in SPI-

DER. (Vinarskii et al., 2019) and (Vinarskii et al.,

2023) have explored a complementary domain, fo-

cusing on model checking and model-based testing

techniques for proactive SDN race detection, and pro-

vided a study on concurrency issues within an SDN

Vinarskii, E., Kushik, N., Yevtushenko, N., López, J. and Zeghlache, D.

Races in Extended Input/Output Automata, Their Compositions and Related Reactive Systems.

DOI: 10.5220/0012737900003687

In Proceedings of the 19th International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE 2024), pages 727-734

ISBN: 978-989-758-696-5; ISSN: 2184-4895

727

implementation. Scheduling approach for races de-

tection has been studied in (Veeraraghavan et al.,

2011). However, these approaches do not guarantee

that races identiﬁed in the speciﬁcation will also ap-

pear in the implementation at hand. Moreover, to the

best of our knowledge, there remains a lack of studies

on developing a probabilistic model to predict race

occurrences in distributed reactive systems with the

given conﬁdence level. Such a model would bridge

the gap between concurrency issues in speciﬁcations

and those that actually occur in implementations.

To address these challenges, we employ EIOAs to

model the behavior of the system components and af-

terwards, their composition. We introduce the deﬁni-

tions of various types of races and use speciﬁc LTL

formulas (Baier and Katoen, 2008) to describe the

race-free system behavior. Various model checkers

such as Spin (Holzmann, 2003), Uppaal (Behrmann

et al., 2004), etc. can be utilized for verifying the

formulas against the EIOA composition, for which

counterexamples that violate LTL formulas present

potential races. However, identifying potential races

through model checking is only the ﬁrst step. We em-

phasize the importance of the second step of studying

the conditions for provoking races in an implementa-

tion at hand. The third step is to check whether the

above ﬁrst steps are helpful when testing races in real

reactive systems. Our work aims to reduce the gap be-

tween such speciﬁcation analysis and observable sys-

tem behavior, providing a more accurate study of race

conditions in reactive systems.

The main contributions of this work are: i) deﬁ-

nitions of input/output, input/input and output/output

races for EIOAs and their composition, ii) study of

the correlation between races in an EIOA and in a

corresponding distributed reactive system when the

probability message delay distribution in channels is

known, and iii) experimental evaluation of the corre-

lation between races in an SDN framework.

The structure of the paper is as follows. Section

2 presents the necessary background. Section 3 is

devoted to the description of our SDN case study.

Section 4 introduces the notions of input/output,

input/input and output/output races in EIOAs and

presents their modeling via LTL formulas. Section 5

contains a study of the probability to detect races for

an SDN framework, together with some experimental

results, while Section 6 concludes the paper.

2 BACKGROUND

In this paper, we consider races in Extended Finite

Input/Output Automata, EIOAs, for short. The def-

inition given below, is taken from (Vinarskii et al.,

2019). An EIOA A is a tuple (S,I,O,V,T, s

), where

S is a ﬁnite nonempty set of states with the desig-

nated initial state s

; I and O are ﬁnite input and

output alphabets, I ∩ O =

0; V is a ﬁnite, possibly

empty set of context variables with set D

of vec-

tors of context variables’ values if V ̸=

0; T is a set

of transitions. Inputs and outputs can be parameter-

ized, i.e., inputs and outputs of the EIOA are pairs

(input, vector of input parameters’ values) or (output,

vector of output parameters’ values) and D

) is

the set of vectors of input (output) parameters’ val-

ues if the set of parameters is not empty. A transi-

tion is a 6-tuple (s, a, P,v

′

) where s,s

′

∈ S are

initial and ﬁnal states of the transition; a ∈ I ∪ O;

P : D

× D

→ {True,False} is the transition pred-

icate; v

: D

× D

→ D

is the context update tran-

sition function; v

: D

× D

→ D

is the output up-

date function. Transition (s,a,P,v

′

) is executed

only when transition predicate P evaluates to true

and the vectors of context variables’ values and out-

put parameters’ values are updated according to func-

tions v

and v

after the transition execution. A trace

tr = a

.... .a

of EIOA A is a sequence of actions

generated by the sequence of transitions of A. The

set of traces generated by A is denoted as Traces(A).

Given a trace tr over an alphabet I ∪ O, subtrace tr|

(tr|

) of trace tr where only letters from I (O) are

retained is referred to as I-projection (O-projection)

of tr. We note that, the EIOA model can be more

complicated, for example, the set of states can have a

deﬁned subset of the ﬁnal states or non-observable ac-

tions can be considered, etc. Nevertheless, these cases

are not taken into account in this paper and we further

demonstrate that such simpliﬁcation is useful when

checking with respect to the race related properties.

As usual, we assume that when dealing with an

EIOA, no input is accepted and no output is produced

when a transition is executed. However, when both

an input and an output are deﬁned at a state, they

can ‘compete’ between themselves, i.e., what the ma-

chine does ﬁrst - accepts the input or produces the

output is nondeterministically decided. We hereafter

refer to such ‘competition’ as an input/output (or out-

put/input) race (a race between input and output ac-

tions). Likewise, at a given state of an EIOA two

(or more) inputs can be deﬁned, these inputs can also

compete to be accepted. In this case, we talk about

an input/input race. Similarly, if two (or more) out-

puts can be produced at the same state, then an out-

put/output race can take place.

As we mention in Section 1, usually, a reactive

system is organized as a collection of interacting com-

ponents. The composition operator is well deﬁned for

ENASE 2024 - 19th International Conference on Evaluation of Novel Approaches to Software Engineering

728

Figure 2: Topology of the SDN framework.

classical FSMs and automata, while there is no gen-

eral deﬁnition of the parallel dialogue-based compo-

sition operator for EIOAs. In this paper, we study a

special case of the binary composition operator when

one of the components is an embedded component

and has no context variables; moreover, there are no

inﬁnite external output sequences (oscillations) in the

composition. We also assume some limitations on

the context variables in another component: the set

of context vectors is ﬁnite. In this case, the compo-

sition can be derived based on a truncated successor

tree. The nodes of the tree are pairs of states of the

components, along with context vectors, while edges

are labeled with external and internal input and out-

put actions. The root of the tree is labeled by the

pair of initial states of the components and the initial

context vector. We then ‘hide’ internal actions cal-

culating parameters’ values by composing functions

via a corresponding path that is ﬁnite, as there are

no oscillations. In the same way, we collect func-

tions for context variables. Note that despite such

limitations for embedded components, this operator

allows to model the composition of controller-based

distributed systems, for example, the SDN controller

and switch composition.

For the race detection in EIOAs and their compo-

sitions, formal veriﬁcation can be used based on LTL

formulas. An LTL formula is a formula ϕ ::= a|ϕ

∧

|¬ϕ|Xϕ|ϕ

Uϕ

|Fϕ|Gϕ, where: a is an atomic

proposition, X denotes the ‘next’ operator, U denotes

the ‘until’ operator, F denotes the ‘eventually’ opera-

tor and G denotes the ‘globally’ operator. The condi-

tions when a path satisﬁes the LTL formula ϕ can be

found in (Baier and Katoen, 2008).

3 CASE STUDY

In this paper, we use an SDN framework as a relevant

case study (Fig. 2). Such framework allows to exper-

imentally evaluate the proposed methodology which

aims at detecting race conditions within the compo-

sition of EIOAs and provoking related concurrency

issues in reactive systems. Namely, as our case study,

we use the SDN framework that allows to dynami-

cally reconﬁgure the network by decoupling the con-

trol plane from the data plane and pushing ﬂow rules

by the controller to the switches’ ﬂow tables (forward-

ing devices) (McKeown et al., 2008). These ﬂow

rules are responsible for redirecting trafﬁc incoming

to switches on the data plane.

Since we are interested in detecting race condi-

tions affecting the data plane paths, we derive the

EIOAs to model the behavior of the SDN controller

(see Fig. 3), Open vSwitch (see Fig. 4), and their

composition (see Fig. 6). To construct these EIOAs,

we rely on the approach considered in (Vinarskii

et al., 2019) and refer to the ONOS project docu-

mentation (Berde et al., 2014), the OpenFlow spec-

iﬁcation (McKeown et al., 2008), and the REST API

guidelines (Koshibe et al., 2014). The inputs and out-

puts within these EIOAs are deﬁned with speciﬁc se-

mantics to accurately represent the interactions within

the SDN infrastructure.

• (?PF, id, τ): the controller receives from the en-

vironment a request for adding a ﬂow rule with the

identiﬁcation number id having the timeout equal

to τ seconds.

• (?GF, id): the controller receives from the envi-

ronment a request for retrieving information about

the ﬂow rule with the identiﬁcation number id.

• (?DF, id): the controller receives from the envi-

ronment a request for deleting the ﬂow rule with

the identiﬁcation number id.

• (!RF, id): the controller sends a message to the

environment with information about the ﬂow rule

with the identiﬁcation number id, i.e., (!RF, id) is

the response to (?GF, id).

• (!FD, id): the controller sends a message to the

environment of deleting a ﬂow rule with the iden-

tiﬁcation number id, i.e., (!FD, id) is the response

to (?DF, id).

• (!FE, id): the controller sends a message to the

environment of expiring a ﬂow rule with the iden-

tiﬁcation number id, i.e., (!FE, id) is the response

to (?PF, id, τ).

To distinguish the internal communication be-

tween the controller and the switch from the external

communication, we annotate these interactions with

the index

. The fragment of the EIOA C shown

in Fig. 3 models the behavior of the SDN controller.

Since we focus on the race detection related to the

conﬁgurations of a ﬂow table, EIOA C has the states

with the following semantics: c

is the initial state,

Races in Extended Input/Output Automata, Their Compositions and Related Reactive Systems

729

corresponds to the behavior of the controller after

receiving input (?PF, id, τ) (transition T1). At the

same time, EIOA C has the context variables ct, tt,

g f f lag and d f f lag with the following semantics:

ct is a Boolean array, which indicates the installed

ﬂow rules, tt is an integer array with the timeout val-

ues for the ﬂow rules. For every f low id the follow-

ing holds: if ct[ f low id] = T RUE and tt[ f low id] >

0, then after the execution of each transition the value

of tt[ f low id] is reduced by one unit.

T1: (?PF,id, τ)

ct[id] = 1

tt[id] = τ T2: (?GF,id)

T3: (!PF

,id, τ)

T4: (?F E

,id)

T5: (?PF,id, τ)

ct[id] = 1

tt[id] = τ

T6: (?GF,id)

T7:

i f ((ct[id] == 1)

&& (tt[id] == 0))

(!FE,id)

ct[id] = 0

T8: (!PF

,id, τ)

T9: (!GF

,id)

T10: (?PF,id, τ)

ct[id] = 1

tt[id] = τ

T11: (!GF

,id)

T12: (!PF

,id, τ)

Figure 3: EIOA C.

The fragment of EIOA S shown in Fig. 4 models

the behavior of the OpenVSwitch. Since the composi-

tion described in Section 2 requires that an embedded

EIOA does not have context variables, this EIOA has

only input/output parameters.

TS1: (!FE

,id)

TS2: (?PF

,id,τ)

TS3: (?GF,id)TS4: (?DF,id)

TS5: (!FE

,id)

TS6: (?PF

,id,τ)

TS7: (!RF

,id)

Figure 4: EIOA S.

The fragment of the composition is shown in

Fig. 5 where the controller communicates with the

environment that is represented by one or more ap-

plications via external actions (actions at the North-

bound interface) and with the switch via internal ac-

tions (actions at the Southbound interface); at the

same time, the switch communicates only with the

controller. These components communicate in the

following way:

• When the controller executes an external action,

the switch does not execute any actions. For ex-

ample, in Fig. 5, the controller moves from state

to state c

after receiving (?GF,id), while the

switch remains at state q

• When the controller and switch are ready to ex-

ecute the same internal action (possibly, with the

same parameter value), they both execute this ac-

tion and move to the next states. Here we notice

that if this internal action is an input (resp. output)

action in the controller, then this action is an out-

put (resp. input) action in the switch. For exam-

ple, in Fig. 5 when the controller sends (!GF

,id)

at state c

, it moves to state c

, while the switch

moves from state q

to state q

after receiving

(?GF

,id).

)

) (c

)

T1: (?PF,id, τ)

ct[id] = 1

tt[id] = τ T2: (?GF,id)

T3: (!PF

,id,τ)

T4: (?F E

,id)

T5: (?PF,id, τ)

ct[id] = 1

tt[id] = τ

T6: (?GF,id)

T7:

i f ((ct[id] == 1)&&

(tt[id] == 0))

(!FE,id)

ct[id] = 0

T8: (!PF

,id,τ)

T9: (!GF

,id)

T10:

(?PF,id,τ)

ct[id] = 1

tt[id] = τ

T11: (!GF

,id)

T12: (!PF

,id,τ)

Figure 5: EIOA C&S

ext

with internal actions.

After hiding internal actions (Barrett and Lafor-

tune, 1998), we obtain the composition of the con-

troller and the switch shown in Fig. 6. The pair of

states (c

) in Fig. 5 corresponds to the state s

Fig. 6, whereas the pair (c

) in Fig. 5 corresponds

to the state s

in Fig. 6.

Coming back to the topology shown in Fig. 2,

there are four hosts and four switches on the data

plane. The ﬂow table for switch s

has two dis-

T1: (?GF,id)

T2: (?PF,id, τ)

ct[id] = 1

tt[id] = τ

T3: (?GF,id)

T4: (?DF,id)

ct[id] == 0

T5: i f((ct[id] == 1) &&

(tt[id] == 0))

(!FE,id)

ct[id] = 0

T6: i f(gf f lag)

(!RF,id)

g f f l ag = 0

T7: i f(d f f lag)

(!FD,id)

d f f lag = 0

T8: (?PF,id, τ)

ct[id] = 1

tt[id] = τ

T9: i f(g f f lag) T10: i f(d f f lag) T11: (?PF, id, τ)

(!RF,id) (!FD,id) ct[id] = 1

g f f l ag = 0 d f f lag = 0 tt[id] = τ

T12: (?DF,id)

ct[id] == 0

T13: (?GF,id)

T14: i f((ct[id ] == 1)

&& (tt[id] == 0))

(!FE,id)

ct[id] = 0

T15: i f(g f f lag)

(!RF,id)

g f f l ag = 0

T16: (?PF,id, τ)

ct[id] = 1

tt[id] = τ

T17: (?GF,id)

T18: (?DF,id)

ct[id] == 0

T19: i f(d f f lag)

(!FD,id)

d f f lag = 0

T20: i f((ct[id ] == 1)&&(tt [id] == 0))

(!FE,id)

ct[id] = 0

Figure 6: EIOA C&S without internal actions.

ENASE 2024 - 19th International Conference on Evaluation of Novel Approaches to Software Engineering

730

tinct ﬂow rules: the ﬁrst rule redirects all the in-

coming trafﬁc from switch s

to s

with the time-

out of one second. The SDN controller pushes this

ﬂow rule to s

after getting an input (?PF

,1,1).

After one second the ﬁrst ﬂow rule expires and the

SDN controller will produce (!FE, 1). The second

rule has the timeout of two seconds redirecting all

the incoming trafﬁc from switch s

to s

. The SDN

controller pushes this ﬂow rule to s

after getting an

input (?PF

,2,2). The second ﬂow rule expires,

and (!FE,2) is produced. Due to unknown delays

in the internal input channel it can happen that even

if (?PF, 1, 1) arrives before (?PF,2,2) to the con-

troller, (?PF

,2,2) arrives before (?PF

,1,1) to the

switch. As a result, the second ﬂow rule can ex-

pire earlier than the ﬁrst one, i.e., output sequence

(!FE,2).(!FE,1) will be observed, instead of the ex-

pected (!FE, 1).(!FE,2). It is the output/output race

and some packets can be redirected to a longer path

→ s

→ h

instead of a shorter one

→ s

→ h

. Therefore, the concurrency be-

tween some inputs and outputs can inﬂuence the data

plane conﬁguration. The possibility of the above sit-

uation can be presented as a violation of the fol-

lowing LTL-formula: (?PF,1,1)&&X(?PF, 2,2) →

XX¬(¬(!FE,1)U(!FE,2))

, that means that if

(?PF, 1,1) precedes (?PF,2,2) then (!FE, 1) has to

be produced before (!FE,2).

4 RACES IN AN EIOA

In Section 2, we discussed the composition operator

for EIOAs, ensuring that the resulting compositions

remain within the class of EIOAs discussed in this

paper. The latter allows to deﬁne races for a single

EIOA and extend such races’ deﬁnitions for the com-

position of EIOAs.

Input/Output Races. These races can occur when

there exists a state of a corresponding EIOA where

both an input and an output are speciﬁed, i.e., at a

given state the decision of accepting an input or pro-

ducing an output is made nondeterministically by the

EIOA.

Deﬁnition 1. Given an EIOA A = (S, I,O,V, T,s

)

and a pair (i,o) ∈ I × O, A is i/o-race-sensitive if

there exists a trace β leading to a state s where input

i and output o are deﬁned, i.e., tr = β.o, tr

′

= β.i ∈

Traces(A). Otherwise, A is i/o-race-free.

As an example, we consider EIOA C&S shown

in Fig. 6 and input/output pair (?PF,0, 1)/(!FE, 0).

There can be more complex formulas which take into

account timeouts of the ﬂow rules.

EIOA C&S is (?PF, 0, 1)/(!FE,0)-race-sensitive

since (?PF,0,1) and (!FE,0) are deﬁned at state

, (?PF,0, 1).(?GF,0) brings C&S to state s

and traces tr

= (?PF,0, 1).(?GF,0).(?PF, 0,1)

and tr

= (?PF,0,1).(?GF,0).(!FE, 0) are both

in Traces(C&S). This race can occur if two si-

multaneous requests for adding rules are pushed

by both applications and a sudden expiration of

the ﬂow rule with id = 0 occurs before accept-

ing request (?PF,0, 1) for adding a ﬂow rule

from another application, i.e., (!FE,0) precedes

(?PF, 0,1). This situation can be presented as a

violation of LTL-formula Φ

in out

= G((?PF,0,1) →

X(¬(¬(?PF, 0, 1)U(!FE,0)))) (see Section 5).

Input/Input Races. We hereafter keep working with

the topology shown in Fig. 1, where two applications

submit their requests to the reactive system. These

requests can compete and thus, provoke input/input

races for the corresponding EIOA.

Deﬁnition 2. Given an EIOA A = (S, I,O,V, T,s

)

and two applications APP

, APP

, A is input/input

race-sensitive if there exist state s where inputs i

and

are deﬁned, β ∈ (I ∪ O)

∗

leading to state s, α, α

′

∈

(I ∪O)

∗

and traces tr = β.i

.α, tr

′

= β.i

.α

′

such

that tr,tr

′

∈ Traces(A) and tr|

̸= tr

′

Consider again EIOA C&S shown in Fig. 6,

inputs (?PF,0, 1) and (?DF,0) that are deﬁned at

state s

and sequence β = (?GF, 0) bringing C&S

to state s

. Suppose that (?PF, 0, 1) is pushed by

APP

, while (?DF,0) is pushed by APP

. Traces

tr = (?GF,0).(?PF,0,1).(?DF,0).(!FD, 0) and

′

= (?GF, 0).(?DF,0).(?PF, 0,1).(!FE, 0) are in

Traces(C&S). Since tr|

̸= tr

′

, C&S is input/input

race-sensitive. The following LTL-formula Φ

in in

((?DF, 0)&&X(?PF,0,1) || (?PF, 0, 1)&&X(?DF,0))

→ XX(¬(¬(!FD,0)U(!FE,0))) can be considered

for that matter, which means that if a trace starts

from (?PF,0,1).(?DF,0) or (?DF,0).(?PF,0, 1) then

(!FE,0) cannot appear before (!FD, 0).

Output/Output Races. Similarly to the input/input

races, output/output races for reactive systems can oc-

cur at a state of EIOA where both outputs are deﬁned

and can compete to be produced.

Deﬁnition 3. Given an EIOA A = (S,I, O,V,T, s

state s and outputs o

and o

deﬁned at state s, A

is output/output race-sensitive if there exist β ∈ (I ∪

∗

leading to state s and traces tr = β.o

, tr

′

β.o

such that tr,tr

′

∈ Traces(A).

Consider again EIOA C&S shown in Fig. 6 and

outputs (!FE,0) and (!FE, 1) deﬁned at state s

Trace (?PF,0,1).(?PF,1, 1) brings C&S to state s

and tr = (?PF,0,1).(?PF,1, 1).(!FE,0).(!FE,1) and

′

= (?PF,0, 1).(?PF,1,1).(!FE, 1).(!FE, 0) are in

Races in Extended Input/Output Automata, Their Compositions and Related Reactive Systems

731

Traces(C&S). The latter makes C&S output/output

race-sensitive (see (Vinarskii et al., 2019) for details).

This situation can be presented as a violation of LTL-

formula Φ

out out

= G(((?PF, 0, 1)&&X(?PF,1,1)) →

XX(¬(¬(!FE, 0)U(!FE,1)))).

In order to check that the EIOA (the composition

of EIOAs) satisﬁes LTL-formulas, various model-

checkers can be used. However, identifying a race

condition within an EIOA does not necessarily imply

its appearance in the related reactive system when a

counterexample is applied. This discrepancy can of-

ten be caused by the reactive system’s nondeterminis-

tic behavior, which may be inﬂuenced by the channel

timeouts. Consequently, we need to study the condi-

tions when a corresponding race can be provoked in

an implementation at hand, and we further show that

this can happen if we apply the corresponding coun-

terexample several times. In Section 5, we present an

estimation of the probability that a race condition oc-

curs in the reactive system when the counterexample

is applied an appropriate number of times.

5 FROM EIOA RACES TO RACES

IN REACTIVE SYSTEMS

In Section 4, we introduced the race deﬁnition for

an EIOA that in this paper, is considered as the for-

mal model (the speciﬁcation) of a reactive system (an

implementation at hand). As usual, the speciﬁcation

cannot describe all the aspects of the implementation

behavior, and thus, not all races in a reactive system

can be detected when using the composition of EIOAs

as its speciﬁcation. Moreover, the speciﬁcation de-

scribing the behavior of a reactive system does not

have timed variables, while for some implementation

an input/output race signiﬁcantly depends on message

delays in external and internal channels and the EIOA

model does not capture this issue. However, usually

the message delays in the channels are normally dis-

tributed (Sukhov et al., 2016) and therefore, for ini-

tiating a trace under interest it is needed to apply a

corresponding counterexample several times to the re-

active system at hand (if we want to observe the race

in the implementation). We calculate the number of

times to apply a counterexample by counting an in-

stant when the probability for observing every pos-

sible speciﬁcation trace for a given sequence of ap-

plied requests exceeds the given threshold. We further

show how this can be done for the SDN framework

from Section 3 in Fig. 7 and Fig. 8 when the message

delays in all channels have the normal distribution.

5.1 Estimating the Race Probability in

Distributed Reactive Systems

We consider the reactive system shown in Fig. 1,

there are four channels via which messages are

transmitted. Those are two external channels and

two internal channels. Let t

be random variables that specify the time that re-

quests from/to applications APP

and APP

spend

in the corresponding channel. We assume that

∈ N (µ, σ

), i.e., have the

normal distribution with the same parameters: the

mean µ and the variance σ.

Consider input/output pairs (i

) and (i

)

that can be executed at the same state s of the com-

position of EIOAs where input i

is pushed by APP

and i

is pushed by APP

. If i

and i

are pushed at the

same timestamp T then o

and i

and o

) start to

compete in the internal channel to/from the embedded

EIOA. Let inputs i

and i

be accepted by EIOA C at

time instances T

= T +t

and T

= T +t

corre-

spondingly while o

and o

are produced by C at time

instances T

= T

and T

= T

′

In the above formula, t

+ t

and t

′

+ t

′

are time

delays for messages to spend in internal channels. We

assume that the system behavior allows to accept in-

puts i

and i

in any order but the next input should be

applied later than the output to the previous input is

produced. The reason is as follows. Assume that be-

ing at state s EIOA C accepts i

earlier than i

, then C

moves to state s

′

. The expected behavior for C being

at state s

′

is to accept i

. However, due to (i

)-race

it can happen that output o

is produced earlier than

input i

arrives, denoted as o

≺ i

. In this case, after

producing o

the EIOA moves to state s

′′

that can dif-

fer from s

′

. Thus, (i

)-race affects the behavior of

the EIOA. Since o

≺ i

happens when T

< T

, the

probability Pr(o

≺ i

) = Pr(T

< T

). By deﬁni-

tion, T

= T

and T

= T +t

, and thus,

Pr(T

< T

) implies that Pr((T +t

) <

(T +t

)) = Pr((t

−t

) > 0). Since

random variables t

, t

and t

have the nor-

mal distribution with the same mean µ and variance

, (t

− t

) ∈ N (−2µ,4σ

). There-

fore, Pr((t

−t

) > 0) =

∞

−

(t+2µ)

2σ

and Pr(o

≺ i

) =

∞

−

(t+2µ)

2σ

dt.

ENASE 2024 - 19th International Conference on Evaluation of Novel Approaches to Software Engineering

732

5.2 Studying the Race Probability in the

SDN Framework

In order to conﬁrm that our approach can be applied

for studying real reactive systems, we performed ex-

perimental evaluation with the SDN framework. Sim-

ilar to (Vinarskii et al., 2019), experiments were per-

formed with the ONOS Controller and the Mininet

(de Oliveira et al., 2014) simulator, executed under a

virtual machine running on VirtualBox Version 5.1.34

for Ubuntu 16.04 LTS with 4GB of RAM, and a quad

AMD A6-7310 APU with AMD Radeon R4 Graph-

ics processor. Our experimental setup corresponds to

the topology in Fig. 2, i.e., the simulated network con-

tains the ONOS Controller and a single Open vSwitch

version v2.11.0 and two applications implemented as

Perl scripts. The goal of the experiments is (i) to de-

rive a distribution for the message delay in channels

and show that it can be approximated with the normal

distribution, and (ii) estimate the efﬁciency of the pro-

posed strategy for race detection in the composition of

the ONOS Controller and the Open vSwitch. All the

Perl and Python scripts utilized in the experimental

setup are accessible via (Vinarskii, 2024).

We ﬁrst evaluate the distribution of random vari-

able t = t

+ t

, assuming that t is

the continuous random variable deﬁned over inter-

val [0,∞). For this purpose, we consider the topol-

ogy with a single switch and two applications. At

the ﬁrst step we get the probability density func-

tion for installing a single message. For this rea-

son, one rule is pushed 1000 times in order to collect

the necessary statistical data; the results are shown in

Fig. 7. According to the distribution density function

shown in Fig. 7, the distribution can be approximated

with the normal distribution with mean µ

= 1.42

and variance σ

= 0.02, i.e., N (1.42,0.02). In or-

der to exclude the inﬂuence of the whole system in-

stallation on this distribution, we have got the evalu-

ation of the probability density function for installing

two messages. Similarly, according to the distribu-

tion density function shown in Fig. 8, this distribu-

tion can be also approximated with the normal distri-

bution N (1.67,0.04) with mean µ

= 1.67 and vari-

ance σ

= 0.04. The difference of these two dis-

tributions can be considered as the rough estimate

for the message delay in external and internal chan-

nels. This difference also is normal with parameters

µ = µ

− µ

= 0.25 and σ

= σ

+ σ

= 0.06, i.e.,

t ∈ N (µ,σ

) = N (0.25,0.06). Therefore, since t =

+ t

and t

are normally distributed, t

are also normally distributed with mean

and vari-

ance

, i.e., their distribution is approximated with

Figure 7: Time distribution for pushing one ﬂow rule.

Figure 8: Time distribution for pushing two ﬂow rules.

N (

), i.e., with mean

= 0.0625 and variance

= 0.0015.

Coming back to the SDN topology shown in

Fig. 2, consider the EIOA (see Fig. 6) which models

the SDN controller and switch s

composition. As-

sume that APP

deletes rules from the ﬂow table, i.e.,

it sends input ?DF to the composition. At the same

time, APP

inserts rules to the ﬂow table, i.e., it sends

input ?PF to the composition. Thus, the input/output

race occurs when output !FD is produced earlier than

input ?PF is obtained by the composition.

Consider sequences seq

=?DF

.!FD

(from

APP

) and seq

=?PF

.!FE

(from APP

) where j is

the index

of the ﬂow rule. The race condition in-

volves a conﬂict between output action !FD

of APP

and input action ?PF

of APP

. The race occurs if

input action ?PF

happens after output action !FD

The probability Pr(FD

≺ PF

) =

∞

−

(t+2µ)

2σ

dt =

{µ = 0.25,σ

= 0.06} ≈ 0.187. Thus, with the proba-

bility 1 −0.187 = 0.813 the race will not occur in the

experiment. Now we check how many times inputs

?DF

and ?PF

have to be applied in order to guaran-

tee that the race will be observed with the probability

of at least 0.99. Since 0.187

< 0.01, the race will

be detected with the probability of at least 0.99, if the

experiment is performed at least 23 times.

In order to provoke this race in the experimental

setup, we have run two applications simultaneously

In the experiments, as an index we use the priority of

the ﬂow rule.

Races in Extended Input/Output Automata, Their Compositions and Related Reactive Systems

733

23 times: seq

of APP

and seq

of APP

. In order to

distinguish between different runs, we have run ﬂow

rules with priority 40000 + i. If there are no races,

then as a result, we should get the empty ﬂow table of

the rules of switch s

. However, according to the per-

formed experiments, after observing sequences seq

and seq

23 times, the rule with the priority 40022 is

still in the table after the script execution. The results

clearly show that in this case, the probability thresh-

old 0.99 is sufﬁcient to observe the (?PF,!FD)-race.

6 CONCLUSIONS

In this paper, we considered concurrency issues in the

composition of EIOAs and reactive systems which

can be modeled by EIOAs. In particular, we in-

troduced the formal deﬁnitions of input/output, in-

put/input and output/output races that can occur in

the composition of EIOAs. We used a probabilistic

approach to establish the correlation between races in

the composition of EIOAs and their appearance in a

reactive system implementation. In order to check,

how practical is our approach, we performed an ex-

perimental evaluation with the SDN framework.

This paper opens a number of directions for future

work. Despite the fact that the proposed approach is

generic, experiments were only carried for the SDN

framework. The proposed approach relies on the LTL

based model checking solutions for describing and

detecting races in SDN; in the future, other formal

veriﬁcation techniques and their applicability to the

problem of interest can be investigated.

REFERENCES

Baier, C. and Katoen, J.-P. (2008). Principles of Model

Checking. The MIT Press.

Barrett, G. and Lafortune, S. (1998). Bisimulation, the su-

pervisory control problem and strong model matching

for ﬁnite state machines. Discrete Event Dynamic Sys-

tems: Theory & Applications, 8:377–429.

Behrmann, G., David, A., and Larsen, K. G. (2004). A

tutorial on uppaal. In International School on Formal

Methods for the Design of Computer, Communication,

and Software Systems, Bertinora, Italy, September 13-

18, 2004, pages 200–236.

Berde, P., Gerola, M., Hart, J., Higuchi, Y., Kobayashi, M.,

Koide, T., Lantz, B., O’Connor, B., Radoslavov, P.,

Snow, W., et al. (2014). Onos: towards an open, dis-

tributed sdn os. In Proceedings of the third workshop

on Hot topics in software deﬁned networking, pages

1–6.

de Oliveira, R. L. S., Schweitzer, C. M., Shinoda, A. A.,

and Prete, L. R. (2014). Using mininet for emulation

and prototyping software-deﬁned networks. In 2014

IEEE Colombian Conference on Communications and

Computing (COLCOM), pages 1–6.

Holzmann, G. (2003). The Spin model checker: primer and

reference manual. Addison-Wesley Professional.

Koshibe, A., O’Connor, B., Milkey, R., Vachuska, T.,

Hall, J., Gebert, S., Higuchi, Y., Li, J., Hart, J.,

Lantz, B., and Koti, S. P. (2014). ONOS - Appendix

B: REST API. https://wiki.onosproject.org/display/

ONOS/Appendix+B%3A+REST+API.

Li, A., Padhye, R., and Sekar, V. (2022). Spider: A prac-

tical fuzzing framework to uncover stateful perfor-

mance issues in sdn controllers. https://doi.org/10.

48550/arXiv.2209.04026.

Li, J., Zhang, Y., Lu, S., Gunawi, H. S., Gu, X., Huang, F.,

and Li, D. (2023). Performance bug analysis and de-

tection for distributed storage and computing systems.

ACM Trans. Storage, 19:1–33.

Liu, H., Li, G., Lukman, J. F., Li, J., Lu, S., Gunawi, H. S.,

and Tian, C. (2017). Dcatch: Automatically detecting

distributed concurrency bugs in cloud systems. In Pro-

ceedings of the Twenty-Second International Confer-

ence on Architectural Support for Programming Lan-

guages and Operating Systems, pages 677–691.

McKeown, N., Anderson, T., Balakrishnan, H., Parulkar,

G., Peterson, L., Rexford, J., Shenker, S., and Turner,

J. (2008). Openﬂow: enabling innovation in campus

networks. ACM SIGCOMM Computer Communica-

tion Review, 38:69–74.

Silva, R., Santos, D., Meneses, F., Corujo, D., and Aguiar,

R. L. (2021). A hybrid sdn solution for mobile net-

works. Computer Networks, 190:107958.

Sukhov, A. M., Astrakhantseva, M. A., Pervitsky, A. K.,

Boldyrev, S. S., and Bukatov, A. A. (2016). Generat-

ing a function for network delay. J. High Speed Net-

works, 22:321–333.

Veeraraghavan, K., Chen, P. M., Flinn, J., and

Narayanasamy, S. (2011). Detecting and surviving

data races using complementary schedules. In Pro-

ceedings of the 23rd ACM Symposium on Operating

Systems Principles 2011, pages 369–384.

Vinarskii, E. (2024). https://github.com/vinevg1996/races-

in-eioa-and-reactive-systems. https://github.com/

vinevg1996/Races-in-EIOA-and-reactive-systems.

Vinarskii, E. M., Kushik, N., Yevtushenko, N., L

opez, J.,

and Zeghlache, D. (2023). Timed transition tour for

race detection in distributed systems. In Proceedings

of the 18th International Conference on Evaluation of

Novel Approaches to Software Engineering, ENASE

2023, pages 613–620.

Vinarskii, E. M., L

opez, J., Kushik, N., Yevtushenko, N.,

and Zeghlache, D. (2019). A model checking based

approach for detecting SDN races. In Testing Soft-

ware and Systems - 31st IFIP WG 6.1 International

Conference, pages 194–211.

ENASE 2024 - 19th International Conference on Evaluation of Novel Approaches to Software Engineering

734