Bounded Model Checking of Multi-threaded Software using SMT solvers

Bounded Model Chec king of Multi-threaded Software using SMT solver s Lucas Cordeiro Unive rsity of Southampton lcc08r@ecs.soton .ac.uk Bernd Fischer Unive rsity of Southampton b .fischer@e cs.soton.ac.uk ABSTRA CT The transition from single-core to m ulti-core processors has made m ulti-threaded soft w are an important sub ject in com- puter aided v erification. Here, we describe and ev aluate an extension of the ES BMC mod el c hec ker to supp ort the veri- fication of m ulti-threaded soft w are with shared v ariables and locks using b oun ded mo del c hecking (BMC) based on Sat- isfiabilit y Modu lo Theories (SMT). W e describ e three ap- proac hes to mod el chec k multi-threaded soft w are and our mod elling of the synchronization primitives of t h e Pthread library . In th e lazy approac h, we generate all possible in- terlea vings and call the BMC pro cedure on each of them individually , until we either find a bug, or hav e systemat- ically ex plored all interlea vings. In th e schedule recording approac h, w e encod e all p ossible interlea vings into one sin- gle formula and then exploit the high speed of the SMT solv ers. In the un derapproximatio n-widening approach, w e reduce the state space by abstracting the n umber of state v ariables and interlea vings from t he pro ofs of unsatisfiabil- it y generated b y the SMT solvers. In all three approac hes, w e u se partial-order reduction (POR) techniques to reduce the num b er of interle avings explored. Exp eriments show that our approac hes can analyze larger problems and sub- stanti ally reduce the v erification time compared to state-of- the-art techniques t hat combine classic POR metho ds with symbolic algorithms and others that implement the Counter- Example Guided A bstraction Refinement tec hnique. Categories and Subject Descriptors D.2.4 [ Soft w are/Program V erification ]: Mo del c heck- ing; F.3.1 [ Specifyi ng and V erifying and Re asoning about Prog rams ]: Mechanica l verification General T erms Computer-Aided V erification Permission to make dig ital or hard copies of all or part of this work for personal or cl assroom use is granted withou t fee provi ded tha t copies are not made or distribute d for profit or commercial advanta ge and that copies bear this notice and the full cita tion on the first page . T o cop y otherwise, to republi sh, to post on serv ers or t o redistr ibute to lists, requires prior spe cific permission and/or a fee. Copyri ght 200X A CM X-XXXXX-XX-X/XX/XX ...$10.00. Keyw ords F ormal S oft w are V erification, S A T Mo dulo Theories, Multi- core systems 1. INTR ODUCTION Em b edded compu ter systems are used in a wide range of sophisticated applicatio ns, such as mobile phones or set-top b o xes pro viding internet connectivity . The functionalit y de- manded in such app lications has increased significantly and an increasing number of functions are implemented in soft- w are rath er than hardware. Thus, multi-core pro cessors with scalable shared memory h ave become p opular in embedded systems. In turn, th e verification of the sof tw are desig n and the correctness of its multi-threaded implementations h as b ecome increasingly difficult. Bounded mod el chec king (BMC) has already b een su ccess- fully applied to verif y embedded soft wa re and discov er subtle errors in real d esigns [6]. BMC generates verification condi- tions (VCs) th at reflect t h e ex act path in which a statemen t is execu ted, the context in which a given fun ction is called, and the bit-accurate representatio n of t he expressions. Prov- ing the v alidit y of these VCs remains a ma jor p erformance b ottleneck in verifying embedded softw are, despite attempts to cop e with increasing system complexity by app lying SMT (Satisfiabilit y Mo dulo Theories) [5, 9, 13]. Recently , there ha ve b een attemp ts to ex tend BMC to the verificatio n of multi-threaded softw are [14, 17 , 18, 24]. The main challenge is th e state space ex plosion p roblem, as the num b er of interlea vings grows exponentially with the num ber of th reads and program statements. How ever, tw o imp ortant observ ations help us: (i) S MT-based BMC finds counter-examples very quickly [9] and (ii) SMT solver s pro- duce un satisfiable cores that all ow u s to remov e logic that is not relev ant to a given prop erty [20]. Gru mb erg et al. [16] realized that the un satisfiable cores generated by the solvers can also b e used to con trol th e number of allow ed interlea v- ings of th e given set of processes. They propose an alg orith- mic meth od based on Bo olean S atisfiabilit y (S A T) and BMC to mo d el chec k a multi-process system based on a series of under-approximated mo dels. How ev er, th is method do es not com bine classic partial-order reduction (POR ) metho ds with symbolic algorithms, whic h limits its u sefulness for analyz- ing and veri fying m ulti-threaded softw are. It has also not b een applied in con jun ction with SMT solvers. In our p rior work [9], we extended the enco dings from previous SMT-based b ounded mo del c heck ers [5, 13] to pro- vide more accurate supp ort for v ariables of finite bit width, bit-vector op erations, arrays, structures, unions and p oint- ers. Here, w e dev elop th ree approac hes to tackle comp lexity problems in model c hecking m ulti-threaded C soft w are. In the lazy approac h, w e extend the BMC pro cedure of single- threaded soft wa re to multi-threaded soft w are by wrapping it inside a straightforw ard generate-and-test loop, whic h gen- erates all p ossible interlea vings and calls the BMC pro ce- dure on each of th em individually . W e stop this lo op either when we find a bug, or hav e systematically ex plored all inter- lea vings. In the scheduling recording approach, we explore systematically the control-flow graph (CF G) of each thread and enco de all the p ossible execution paths in to one single form ula, which is then fed into th e bac k-end SMT solver. In our t h ird approac h, we extend th e under-approximation and widening (UW) algorithm prop osed in [16] with the pu r- p ose of add ressing the verification of real-world C co de using different bac kground theories and S MT solvers . W e also implemen t partial order reduction algorithms [3] in our t h ree approaches and prop ose a comprehensiv e SMT- based BMC procedu re to supp ort the chec king of multi- threaded programs that utilize the synchronization primi- tives of the POSI X Pthread Library [21]. T o ou r kn o wl- edge, this work marks th e first application of the UW algo- rithm com bined with POR techniques to mo del chec k non- trivial multi-threaded C soft w are. Exp eriments obtained with ESBMC sho w that ou r approac hes can analyze larger problems and substantiall y reduce the verification time com- pared to state-of-the-art techniques that com bine classic POR metho d s with symbolic algorithms and others th at imple- ment th e Coun ter-Example Guided Ab straction Refinement (CEGAR) technique. 2. BOUNDED MODEL CHECKING OF MUL TI-THREADED SOFTW ARE In BMC, the program to b e analyzed is mo delled as a state transition system, which is b u ilt by extracting its b ehaviour from the CF G. This graph is used as part of a tran slation process fro m program text to single static assignmen t (SS A) form. Eac h thread is mo delled as a CF G where n od es rep- resen t program statements and edges represent transitions. A state transition system M = ( S, R, S 0 ) is an abstract ma- chine that consists of a set of states S (where S 0 ⊆ S rep- resen ts the set of initial states) and transitions R b etw een states, i.e., for each γ ∈ R , γ ⊆ S × S . A state s ∈ S con- sists of the va lue of th e program counter p c and t he v alues of all program va riables. An initial state s 0 assigns the initial program location of the CF G to the p c . W e identify each transition γ = ( s i , s i +1 ) b etw een tw o states s i and s i +1 with a logical form ula γ ( s i , s i +1 ) that captures the constraints on the v alues of the program counter and the program va riables. As a ru nning example, we consider the C program in Fig- ure 1, whic h consists of tw o threads that are created using the Pthread library [21]. Note that our example contains a subtle bug (arra y low er boun d) in line 9, b ecause function nondet uint () might return n on-deterministically a negative integ er num b er and as a result the assert macro (line 10) fails. Figure 2 show s th e CF G representatio n of t he tw o threads T X and T Y . After creation, they are at the con- trol p oints T X 0 and T Y 0 respectively , and since x = = 2 (see line 3 of Figure 1), b oth tests x > 2 and x > 3 are false. If w e sc hedule T X first, it will not b e enabled, and we can transition to th e next state only b y switching t o T Y and ex- ecuting only the p rogram statement Y 1 (i.e., x = 3, see line 18) b efore terminating. If we contin ue exp loring the remain- ing interl eavings, we sc hedule T Y first, and the execution of Y 1 makes the test x > 2 in line 7 tru e, thus enabling T X to progress and transition through X 0 and X 1 , i.e., we ex- ecute program statemen ts x = 3, a [ i ] = ∗ (( int ∗ ) arg ), and asser t ( i > = 0 && i < N )). Note th at, as in [14] we do not model context switc hes inside the execution of ind ivid- ual statements, to av oid exp loring additional in terlea vings. This approach is safe as long as statements only read or write a single global vari able, bu t is an under-approximation to programs that contai n statemen ts invo lving multiple global v ariables. How ever, with the ben c hmarks that are pu blicly a v ailable, we h ave not encountered any problems in practice. 1 # i n c l u d e < p t h r e a d . h > 2 # d e f i n e N 1 0 3 i n t a [ N ] , i , j = 1 , x = 2 ; 4 i n t n o n d e t u i n t ( ) ; 5 v o i d ∗ Tx ( v o i d ∗ a r g ) 6 { 7 i f ( x > 2 ) 8 { 9 a [ i ] = ∗ ( ( i n t ∗ ) a r g ) ; / / X 0 10 a s s e r t ( i > = 0 & & i < N ) ; / / X 1 11 } 12 } 13 v o i d ∗ Ty ( v o i d ∗ a r g ) 14 { 15 i f ( x > 3 ) 16 a [ j ] = ∗ ( ( i n t ∗ ) a r g ) ; / / Y0 17 e l s e 18 x = 3 ; / / Y1 19 } 20 i n t m a i n ( ) 21 { 22 p t h r e a d t i d 1 , i d 2 ; 23 i n t a r g 1 = 1 0 , a r g 2 = 2 0 ; 24 i = n o n d e t u i n t ( ) ; 25 p t h r e a d c r e a t e (& i d 1 , N U L L , Tx , &a r g 1 ) ; 26 p t h r e a d c r e a t e (& i d 2 , N U L L , Ty , &a r g 2 ) ; 27 } Figure 1: A multi-threaded C program with violated property . Tx0: x>2 Tx1: a[i]=10; Tx2: assert(i>=0 && i3 Ty1: a[j]=20; Ty2: x=3; START_THREAD END_THREAD TRUE FALSE Figure 2: Contr ol-flow graph of tw o threads. F ormally , given a transition system M , a prop erty φ , and a b ound k , BMC unrolls the system k times and translates it into a v erification condition ψ suc h th at ψ is sa tisfiable iff φ has a counterexample of depth less than or equal to k . The mod el c hecking problem asso ciated with SMT-b ased BMC for c hecking linear-time temp oral logic (L TL) properties is then formulated by constructing the logical formula: ψ k = constr aints z }| { I ( s 0 ) ∧ n ^ j =1 k − 1 ^ i =0 γ j ( s i , s i +1 ) ∧ pr oper ty z }| { n ^ j =1 P j ( s k ) (1) where P j ( s k ) represents a L TL property φ in step k of thread j , I is the function for the set of initial states of M and γ j ( s i , s i +1 ) is the function of the t ransition relation of t hread j at time steps i and i + 1. Hen ce, the form ula V n j =1 V k − 1 i =0 γ j ( s i , s i +1 ) represents the set of all ex ecu tions of n threads up to the length k or less. P j ( s k ) is derived from th e prop erty b eing chec k ed and represents the condi- tion t hat it is violated by a b ounded execu tion of thread j of length k or less. Note that formula (1) enco des all allo w ed interl eavings of the given threads. 2.1 Lazy Appr oach Conceptually , t he simplest w a y to exten d a boun ded model chec k er for single-threaded softw are to the multi-threaded case is to wrap it inside a straigh tforw ard generate-and-test loop: we just need to generate all p ossible interlea vings and call the BMC pro cedure on eac h of them indiv idually , until w e either fin d an error, or hav e systematically explored all interl eavings. X0 X1 Y0 Y0 Y1 Y1 X0 X1 (b) (a) Y1 X0 X1 Y1 X0 X1 Figure 3: (a) A ll p ossi ble thread interleavings in Figure 2 (b) The actual thread interlea vings after using i nformation from the front -end. On the face of it, th is seems t o b e naive: the num ber of interl eavings can gro w very quickly (see Figure 3(a) for all p ossible in terlea vings in the running examp le), and w e need to invok e the model c hec ker several times, whic h might slo w dow n t h e verificatio n pro cess. How ever, there are several observ ations that make th is approac h worth while. First w e can obviously generate eac h interl eaving, mo del chec k it, and stop the generation when w e find th e first error. In p ractice, if the program contains any errors, they will be exhibited in a substantial fraction of the in terlea vings, if not all (exp erience of [23] for real appli- cations), so th at we on ly need to ex plore a small part of the searc h space. Second, w e ob viously do not need to gener- ate the source code of all p ossible in terlea vings. In stead, we keep in memory t he no des of all unexplored execution path s and exp and th em one p ath at a time. W e then construct t h e VCs for the chosen execution path according to form ula (1) and feed it into the SMT solv er to chec k for satisfiabilit y . Third, and most imp ortant, we can use information from the front-end to reduce both the num b er of in terlea vings to b e ex plored and t he size of the form ulas sent to t he SMT solv er. In particular, d uring the symbolic ex ecution w e ex- ploit which transitions are enabled in a giv en state to drive the exploration of t h e interle avings. In our running example, th e transitions from T X 0 to T X 1 and from T Y 0 to T Y 1 are disabled b ecause w e initially have x = 2. This rules out all interlea vings that start with ei- ther X 0 or Y 0 and only lea v es those that b ypass T X entirel y , or start with Y 1 . Assuming that we explore the thread T X first, in th e first iteration we thus build the VC s only for the program statement Y 1 . W e th en pass th e form ula (1) to the SMT solver and chec k its satisfiabilit y . If it is satis- fiable, we h a ve found a property violation and we can stop the pro cess. Here, how ev er, it is n ot satisfiable and we con- tinue to the next iteration by selecting an unexplored path. In t h e second iteration, we explore T Y first, and select p ro- gram statemen t Y 1 , and after that we explore T X and sele ct program statemen ts X 0 and X 1 . Again, w e pass the corre- sp on d ing version of form ula (1) to the SMT solver. Since this is now satisfiable, we can stop the exploration of the execution paths. In summary , we guide the symbolic execut ion b etw een the threads and systematically explore all th e p ossible execution paths in a lazy wa y . This app roac h can find bu gs fast, but as the fron t-end might inv ok e the SMT solver rep eatedly , once for each p ossi ble execut ion path , it can suffer p erfor- mance degradation, in particular for correct programs where w e need to explore all p ossible interlea vings. The inv ocation proced ure itself is slow and th e formula needs t o b e passed from front-end to back-end several times. Moreo ve r, ex e- cution paths that share the same p rogram statements will b e unnecessarily chec ked sev eral times. How ev er, as eac h form ula corresp onds t o one p ossible path only , its size is rel- ative ly small compared to t he schedule recording approach described in the next section and can thus b e han d led easily by the SMT solver without requiring too muc h memory . 2.2 Schedule Recording Appr oa ch State-of-the-art SMT solv ers are built on top of SA T solv ers to speed up the performance by exploiting the sup p ort for “conflict clauses” and non-chronologi cal bac ktracking [25]. In the sc hedule recording approac h we leverag e this and a void invoking th e SMT solver multiple times. W e use the symbolic execution engine as b efore to systematically ex- plore the interle avings, but n ow w e add schedule guards to record in which order th e scheduler has executed the pro- gram. W e th en en co de all execution paths in to one for- mula , which is finally fed into t he SMT solver. How ever, the num b er of t h reads and con text switches can grow very large q uickly , and easily “blo w-up” the solv er. Given this, there is a clea r trade-off b etw een usage of t ime and memory resources to mo del check m ulti-threaded soft w are. Figure 4 illustrates our schedule recording enco ding ap- plied to the example in Figure 2. Since con trol-flow tests cannot influence the state (as the front-end hoists side-effects out of the t ests), w e only n eed to add guards to effe ctive statement s , i.e., assignmen ts and assertions. Similarly , we only need to record effe ctive c ontex t switches (ECS), i.e., context switches to an effective statement. These are sho wn as dashed arrows in Figure 4. Finally , we define an ECS blo ck as a sequence of program statements that are executed with no intervening ECS, and giv e each b lo ck a num ber. Each effective program statement is then prefixed by a schedule guard ts i = j where i is the ECS b lock num b er and j is the th read identifier. Its in tuitive interpretation is that the guarded statement can only b e executed if thread j is sc hed- uled in the i -th ECS blo c k. The v alue of t s i is set by the SMT solver, and determines th e order in which the program statements are ex ecu ted. F or example, the guard at T Y 2 thus enco des that Y 1 can only b e executed if T Y runs in the first ECS blo ck. Note that schedule guards are only nec- essary but not sufficient conditions for the execution of a statement. F or example, T Y 1 has th e same guard as T Y 2 , but Y 0 cannot b e executed using any viable schedule. The guards can also b e combined conjunctively and disjunctively to enco de m ore inv olved sc hedules. F or ex amp le, the guard of both T X 1 and T X 2 corresponds to a sc hedule in whic h T Y ran b efore switching to T X . Tx0: x>2 Tx1: ts1==2 && ts2==1 -> a[i]=10; Tx2: ts1==2 && ts2==1 -> assert(i>=0 && i3 Ty1: ts1==2 -> a[j]=20; Ty2: ts1==2 -> x=3; START_THREAD END_THREAD TRUE FALSE ECS block 2 ECS block 1 control-flow effective context switch (ECS) Figure 4: Sc hedule enco di ng of the example in Fig- ure 2. The schedule guards are add ed by the front-end when pro- gram statements are executed symb olically and b ecome p art of the produced verification conditions. The thread selec- tion v aria ble is a free va riable t hat the SMT solver will try to in stantiate with all p ossible concrete va lues. The thread num ber v alue is a constant that correspon d s to the thread identifier. As an example, if the S MT solv er c hooses ts 1 = 2 and ts 2 = 1, then the program statement X 0 , X 1 , Y 0 , and Y 1 are all enabled in principle, but which ones are executed dep ends on the v alues of the con trol-flow tests x > 2 and x > 3. Note th at the ordering of statemen ts within a thread is of course still ensured b y the program order semantics, so that X 1 will not b e executed b efore X 0 . Consequently , all the combinations of the thread selection va riables will pro- duce only tw o differen t interle avings as follo ws: { Y 1 } and { Y 1 , X 0 , X 1 } (cf. Figure 3(b)). Give n this, w e can define a sc hedule S C H to determine whic h interlea vings will b e considered and enco d e the guards in formula (1) as: ψ k = constr aints z }| { I ( s 0 ) ∧ n ^ j =1 k − 1 ^ i =0 γ ′ j ( s i , s i +1 ) ∧ pr oper ty z }| { n ^ j =1 P j ( s k ) ∧ schedule z }| { k − 1 ^ i =0 S C H ( s i ) (2) where γ ′ j represents the mo dified t ransition relation incor- p orating the sc hedule guards added by the front-end and S C H ( s i ) represen ts a constraint on the schedule. If we d o not add any constraints , then V k − 1 i =0 S C H ( s i ) = tr ue and all p ossible interlea vings are considered. H o we ver, if we w ant to apply more aggressiv e POR techniques, w e can add con- strain ts to S C H in ord er to force t he remov al of interlea v ings that do n ot contribute to chec king a giv en prop erty . In our running example, we can add the constraint ts 1 = 2 and ts 2 = 1 to remov e the interlea v ing { Y 1 } (see Figure 3(b)), whic h does not contribute to chec k the assertion in line 10 of Figure 1. 2.3 UW Appr oa ch The core idea of the under-approximation and widening (UW) approac h is to consider a series of und er- approximatio ns of a giv en mo del by enco ding additional literals in to the verificatio n condition ψ and b y extracting the proof ob jects generated from an SMT solver [11]. W e d efine ψ ′ as an u n- derapproximated model of ψ , i.e., ψ ′ = ψ ∧ V i =0 n l i where l 1 , l 2 , . . . , l n are additional literals that guard the program statements of eac h thread. Similar to the sc hedule guards described in th e prev ious section, these literals also control the symbolic execution: a program statement is executed only if the literal and its correspondin g guard are enabled. Therefore, w e can see that if ψ is unsatisfiable, then ψ ′ is also unsatisfiable, i.e., t here is n o assignment to the literals l 1 , l 2 , . . . , l n that mak e ψ ′ satisfiable. Ho w ever, it is p ossible that ψ is satisfiable while ψ ′ is not, due to the add itional lit- erals. Th us, ψ ′ can b e th ought of as an underapproxima tion of ψ and each satisfying assignmen t of ψ ′ is also a satisfying assignmen t to ψ . These add itional literals then allow us t o guide the widening process according to the v ariables that participate in the pro of of u nsatisfiabilit y produ ced by the SMT solv er. In the formal d escription, w e rewrite form ula (1) as ψ k = constr aints z }| { I ( s 0 ) ∧ n ^ j =1 k − 1 ^ i =0 γ ′ j ( s i , s i +1 ) ∧ pr oper ty z }| { n ^ j =1 P j ( s k ) ∧ U W mo del z }| { ^ ∀ i ∈ T ^ ∀ j ∈ I l ij (3) where l ij ∈ L are literals that enco d e the program state- ments of each thread. W e denote the set of threads by T , the set of p rogram statements S , and the set of con trol lit- erals by L . In the example of Figure 2, T = { T X , T Y } , S = { X 0 , X 1 , Y 0 , Y 1 } , and L = { l X 0 , l Y 0 } . Note that t h e wa y that we enco de th e underapproximation differs from [16]. The authors in [16] enco de an un derapproximation using m × n control literals, where m is the number of control p oints that guard each program statement and n is the num- b er of pro cesses. In our enco ding, we use the same guards as in the sc hedule recording approac h as contro l literals, w e use l X 0 = ( ts 1 = 2) & & ( ts 2 = 1) and l Y 0 = ( ts 1 = 2). W e also u se information from the front-end (as describ ed in Sec- tion 2.1) to reduce substan tially the n umber of con trol liter- als required. If w e w ere to include a control literal for each statement as in [16], th en our solution might n ot scale in practice to large soft w are systems. The main d ifference b etw een th e schedule recording and the UW approaches is that schedule remains fixed and is b y default set t o true while th e UW model is up dated based on the information extracted from the pro of and is initially set to false. The widenin g pro cess then works as follo ws. Initially , eac h literal in L is set to b e false, b ecause w e aim to minimize the num b er of interlea vings. A t every state, w e only consider the th read with the smallest index that has enabled transitions and only expand those. In our running example, we first execute p rogram statement Y 1 b ecause th e tests x > 2 and x > 3 are false and consequently no other thread h as enabled transitions. As the global v ariable x is set initially to 2 ( line 3), at the first step we consider that only program statement Y 1 is expanded from th e ini- tial state and b uild form ula (3) by enco ding Y 1 statement as l Y 0 ⇒ ( x = 3). After that, we inv ok e the S MT solver to ex- tract th e unsatisfiable core and c heck t h at l Y 0 participated in the pro of of unsatisfiability . In the second iteration of our algorithm, w e remove l Y 0 from L in order to con tinue to t he next iteration so that l Y 0 can now b ecome either true or false (while the others must remain false ). Afterwards, we exe- cute symb olically program statemen ts X 0 ; X 1 ; Y 0 and build form ula ( 3). W e c heck that l X 0 participated in the pro of of unsatisfiabilit y . At the nex t iteration, we remov e l X 0 from L , execute sym b olically program statemen ts Y 0 ; X 0 ; X 1 and build formula (3). At this iteration, we hav e found a vio- lation of t h e prop erty and the UW p ro cedure terminates; otherwise th e pro cedure w ould contin ue until none of the additional literals in L p articipate in the pro of of unsatis- fiabilit y . It means th at th e pro cedure does not rely on the underapproximation itself and concludes that the prop erty holds. 2.4 Partial Order Reduction In the mo delling of multi-threaded soft w are, w e consider that any of the threads j ∈ T is able to m ake a transition and then w e have to comput e all states for which a th read j exists, (i.e., V n j =1 γ j ( s i , s i +1 )). The problem is that the num ber of states to be explored can gro w dramatically with the num b er of program statemen ts and threads. The pu r- p ose of the P artial-Order Reduction ( POR) technique [1, 8, 15, 22] is to reduce the num b er of states th at ha ve to b e explored. This is done in a w ay that if the prop erty holds on the red u ced mo del, it also h olds on the original mo del. In our SMT-based BMC framework, as threads communi- cate only through global va riables, w e apply partial order re- duction (POR) techniques at tw o levels in our algorithm. At the first level, we apply the v isible instruction analysis POR (VI-POR) [22], whic h remo ves the interl eavings of instruc- tions that do n ot affect the global v ariables, i.e., w e remov e transitions whic h are indep endent from transitions made by any other thread. An instruction is visi ble if it accesses a global v ariable, and it is invisible oth erwise. At the second leve l, w e app ly the read-write analysis POR (R W-POR ) [8] in which tw o (or more) indep endent interlea vings can b e Access Relations Read-read Read-write W rite-write Same v ariable Equiv alent Non-equiv alent Non-equiv alent Different v ariables Equiv alen t Equ iv alen t Equiv al ent T able 1: Read-write analysis of in terleavings equiv- alence b etw een v isible i nstructions. safely merged into one. In order to implement R W-POR , we compute th e sets of v ariables written ( W R j ) and read ( RD j ) by eac h of th e threads. If W R j ∩  S k 6 = t RD k ∪ W R k  = ∅ and RD j ∩ S k 6 = t W R k = ∅ , i.e., if the intersectio n b etw een the set of visible v ariables that are written and read by thread j and all other threads is empty , then w e only ex- plore the successors generated by executing j and all other transitions can b e safely ignored. There are six p ossible combinations of visible instructions of different threads, as sho wn in T able 1 . There are three particular situations t o consider when w e generate the inter- lea vings: (i) tw o read op erations will not mod ify the state, so t h ey will alwa ys generate equiv alent interlea vings, (ii) tw o program statemen ts access ing different v ariables are in- dep endent w.r.t. t h eir execution states, thus these t w o pro- gram statements alwa ys generate equiv alen t interlea vings with both ex ecution orders, (i i i) t w o instructions access- ing same v ariable (i.e., with read-write and write-write re- lations) will generate non-equiv alent interlea vings. In these cases, th e read-write relation actually causes read-write races and the write-write relation causes the write-write races. In summary , only t w o typ es of relations will generate n on- equiv alen t interlea vings, while all other four typ es of rela- tions generate equiv alen t interlea vings. Those redundant interl eavings are simply remov ed in our app roac h. Both PORs describ ed ab ov e wo rk b est in conjunction with an alias analysis. Ho w ever, at this p oint in our work, we do not hav e one implemented. W e thus assume t hat t h e actual thread parameters are not aliased to global v ariables or to eac h other. In addition, we do not remov e red u ndant interl eavings originating from p ointer aliasi ng. 3. MODELLING SYNCHR ONIZA TION PRIMITIVES IN PTHREAD This section presents our mo delling of the synchronization primitives of th e Pthread library [21]. W e assume that the library function implementations are correct and focus our effort only on verifying client programs that use them. W e thus provide an instrumented model of th e Pthread func- tions and use this to model c heck the clien t code. W e show, in our exp eriments, that our mo delling is able to detect in- correct use of the fun ctions and is also able to detect blo cking operations that can lead to global deadlo cks. 3.1 Modelling Mutex Locking Operations The Pthread library supp orts t w o functions to implement mutual exclusion b etw een th reads, pt hr ead mutex lock and pthr ead mutex unlock . The argument to these functions is a C data structure called mutex th at, in our mo d elling, has tw o states, “locked” and “unlo c ked” . The pthr e ad mutex l ock locks the mutex if it is unlo ck ed; otherwise it b lo cks t he current thread u ntil the mutex is released and can then b e lock ed successfully again. The pthr ead mutex unlock un- locks the mutex that was lo ck ed previously by th e same thread. Execution paths are considered to be blo ck ed on a m u- tex when the th read tries to lock a m utex that has already b een lo ck ed by other threads. Such blocking paths are also called non-wait-free paths. In order to model mutex oper- ations, we app ly the notion of w ait-free paths as prop osed initially in [24]. Ho w ever, in contrast to [24], our approach is able to mo del chec k multi-threaded p rograms t h at make use of mutexes, can h an d le more th an tw o threads, can detect deadlocks, and do es not require th e user to run the model chec k er twice in order t o det ect d ifferent typ es of bugs ( “reg- ular” and concurrency bu gs). T o explain ho w mutexes are en coded in our SMT-based BMC framew ork, we consider the example in Figure 5. In this example, b oth th reads T A and T B lock and u nlock th e same mutex m . The execution paths A 0 ; A 1 ; B 0 ; B 1 and B 0 ; B 1 ; A 0 ; A 1 are unblocked while the others are block ed paths. How ev er, instead of blocking th e execut ion paths starting with A 0 ; B 0 and B 0 ; A 0 , w e simple ignore the state of the mutex, so that we do not blo ck the remaining instru c- tions, and just lock it (agai n). In pthre ad mutex unl ock , w e simply c heck if the mutex is already lo ck ed and if so, we release the lo ck; otherwise, we ha ve detected an error. A0 A1 B0 B1 B0 A0 B0 A0 A1 B1 A1 B1 START_THREAD A0: lock(m) A1: unlock(m) END_THREAD START_THREAD B0: lock(m) B1: unlock(m) END_THREAD Figure 5: Execution paths blocking on a mut ex. This mod elling is su ffi cient to find bugs related to data races. Ho we ver, it is n ot able to detect deadlo cks. In order to d etect global d eadlock situations caused by the wrong use of the mutexes, w e need to lo ok in more detail at the p ossi ble states that a thread can b e in with our mo delling: (i) Join state: The thread is wa iting for th read termination; (ii) L o ck state: The thread is waiting for a mutex to b e unlo c ked; (iii ) Wait state: The thread is wai ting for a signal or broadcast to wak e up; (iv) Exit state: The thread has already ex ited ; (v) F r e e state : The t hread is n ot in any of the ab ov e four states and is free to execute its instructions. A th read is blocked if it is in one of the join , lo ck or wait states, and is supp osed to b e running if it is not in exit state. Global deadlock occu rs if there is no ru n ning thread in the free state, i.e., the num ber of blo ck ed th reads is equal to th e number of runn ing threads. In order to model deadlo ck, counts of b oth blocked threads and running threads are main tained with global v ariables. Figure 6 presents our mo delling of pthr ead mutex l ock to detect global deadlock with mutexes. W e defin e mutex lock f iel d and mutex count f ield as a C macro in lines 1 and 3 respectively . W e u se th e c ount field of th e pthr ea d m utex t data struc- ture to count the num b er of t hreads th at are in the lock state due to t h is mutex, and tr ds in r un to check th e global num ber of threads that are currently running. In itially , the mutex is u nlocked and we only lo ck it after the first call t o pthr ead mutex lock . In subsequent calls, we increase the 1 # d e f i n e m u t e x l o c k f i e l d ( a ) 2 ( ( a ) . d a t a . l o c k ) 3 # d e f i n e m u t e x c o u n t f i e l d ( a ) 4 ( ( a ) . d a t a . c o u n t ) 5 i n t p t h r e a d m u t e x l o c k ( p t h r e a d m u t e x t ∗ m u te x ) 6 { 7 s t a t i c B o o l u n l o c k e d = 1 ; 8 e x t e r n u ns i g n ed i n t t r d s i n r u n ; 9 i f ( ! d e a d l o c k ) 10 { 11 a t o m i c b e g i n ( ) ; 12 u n l o c k e d = ( m u t e x l o c k f i e l d ( ∗ m u t ex ) = = 0 ) ; 13 i f ( u n l o c k e d ) 14 m u t e x l o c k f i e l d ( ∗ m u t e x ) = 1 ; 15 e l s e 16 m u t e x c o u n t f i e l d ( ∗ m u t e x )+ + ; 17 a t o m i c e n d ( ) ; 18 19 a t o m i c b e g i n ( ) ; 20 i f ( ! u n l o c k e d ) 21 { 22 i f ( ! m u t e x l o c k f i e l d ( ∗ m ut ex ) ) 23 m u t e x c o u n t f i e l d ( ∗ m u te x ) − − ; 24 d e a d l o c k = ( m u t e x c o u n t f i e l d ( ∗ m u te x ) 25 < t r d s i n r u n ) ; 26 a s s e r t ( d e a d l o c k ) ; 27 } 28 a t o m i c e n d ( ) ; 29 } 30 r e t u r n 0 ; 31 } 32 i n t p t h r e a d m u t e x u n l o c k ( p t h r e a d m u t e x t ∗ m u t e x ) 33 { 34 a t o m i c b e g i n ( ) ; 35 a s s e r t ( m u t e x l o c k f i e l d ( ∗ mu te x ) ) ; 36 m u t e x l o c k f i e l d ( ∗ m ut ex ) = 0 ; 37 a t o m i c e n d ( ) ; 38 r e t u r n 0 ; 39 } Figure 6: Mo de lling mutex l o ck and unlo ck opera- tions to detect global deadlo ck. count field, allo w con text switches, c heck if the mutex was unlo c ked, and t h en assert count < tr ds in r un . If the as- sertion fails , a global deadlock w as detected (i.e., a thread is blo ck ed by a lock op eration on a mutex and the requ ired mutex never gets unlo ck ed by the thread that owns it, either b ecause the lo c king th read h as exited or b ecause it has been blocked by another op eration). If the assertion holds, we then eliminate this ex ecution as describ ed ab ov e. The mod- elling of the pt hre ad mutex unl ock , whic h is similar to [24], is shown at the b ottom of Figure 6. 3.2 Modelling Conditional W aiting In the Pthread library , we consider functions from con- ditional w aiting: pthr ead cond wa it , pthr ead cond sig nal , and pthr ead cond broa dcast . The arguments to the func- tion pthr e ad cond w ait are tw o data stru ctures called c ond and mutex where, in our mo delling, c ond has also tw o states, “lock ed” and “un lock ed” . The others functions hav e only the argument c ond . Our mo delling of the conditional w ait- ing operation also employs the notion of wait-free execution paths. The function pthr ea d cond w ait is used to blo ck the thread on a cond ition v ariable and the blo cked thread is a wa kened only if another t hread calls signal or broadcast. If t here are several th reads that are blocked on a condition v ariable, then t he pthr ead cond s ig nal call unblocks at least one of th em (bu t there is no guaran tee of which one will b e w oken up d ue to the sc heduling p olicy) while the function pthr ead cond broa dcast call unblocks all threads currently blocked on the sp ecified condition vari able. Figure 7 sho ws our mo delling for th e wait op eration prim- itive. W e consider that initially there is n o d eadlock ( see line 4) an d whenever a th read calls p thr ead cond wait , we atom- ically lock t h e condition v ariable c ond , assert t hat the mutex is currently locked, an d then rel ease the mutex so that other threads that access that mutex can make progress (i.e., wai t- free execution). A fterw ards, we allo w con text switches and w e then chec k whether t he number of threads in wait state (i.e., threads that are wai ting for a signal or broadcast t o w ake up) is less than the total num b er of t h e th reads that are currently running. 1 i n t p t h r e a d c o n d w a i t ( p t h r e a d c o n d t ∗ c o n d , 2 p t h r e a d m u t e x t ∗ m u te x ) 3 { 4 s t a t i c B o o l d e a d l o c k = 0 ; 5 e x t e r n u n s i g n e d i n t t r d s i n r u n ; 6 i f ( ! d e a d l o c k ) 7 { 8 a t o m i c b e g i n ( ) ; 9 c o n d l o c k f i e l d ( ∗ c o n d ) = 1 ; 10 a s s e r t ( m u t e x l o c k f i e l d ( ∗ mu t ex ) ) ; 11 m u t e x l o c k f i e l d ( ∗ m u t ex ) = 0 ; 12 c o n d n w a i t e r s f i e l d ( ∗ c o n d ) + + ; 13 a t o m i c e n d ( ) ; 14 a t o m i c b e g i n ( ) ; 15 i f ( c o n d l o c k f i e l d ( ∗ c o n d ) ) 16 { 17 d e a d l o c k = ( c o n d n w a i t e r s f i e l d ( ∗ c o n d ) < 18 t r d s i n r u n ) ; 19 a s s e r t ( d e a d l o c k ) ; 20 } 21 a s s u m e ( d e a d l o c k & & 22 c o n d l o c k f i e l d ( ∗ c o n d ) = = 0 ) ; 23 a t o m i c e n d ( ) ; 24 m u t e x l o c k f i e l d ( ∗ m u t ex ) = 1 ; 25 } 26 } 27 i n t p t h r e a d c o n d s i g n a l ( p t h r e a d c o n d t ∗ c o n d ) 28 { 29 a t o m i c b e g i n ( ) ; 30 c o n d l o c k f i e l d ( ∗ c o n d ) = 0 ; 31 c o n d n w a i t e r s f i e l d ( ∗ c o n d ) − − ; 32 a t o m i c e n d ( ) ; 33 r e t u r n 0 ; 34 } Figure 7: Mo dell ing conditional waiting and signal ope rations to detect global deadlo ck. In order to mo d el signal op erations, we simply release the condition v ariable and decrement the number of threads th at w ere lock ed d ue to the sp ecified condition vari able. The mod elling of the conditional signal op eration is shown in Figure 7 as w ell. In order to mo del broadcast op erations, we create an add i- tional gl obal v ariable called br oadcast id , whic h records the num ber of broadcast op erations that hav e execu ted and also gets incremented inside the function pthr ead cond broad cast . In the wait op eration th e thread firstly records the current br oadcast id and is then fo rced to mak e context switches to other threads. When the context is switc hed back to the current th read, an assertion chec ks if a broadcast operation has occurred by c hec king whether the current v alue of va ri- able br oad cast id is greater than the recorded br oadcas t id . The d eadlock is detected if there is no execution p ath with broadcast op erations. 4. EXPERIMENT AL EV ALU A TION W e ha ve implemented the lazy , sc hedule recording, and UW approac hes d escribed in Section 2 in our ESBMC 1 (Ef- ficient SMT-Based Bounded Model Chec ker) tool that sup- p orts the SMT logi cs QF AUFBV as w ell as QF AUFLIRA from the S MT-LIB [26]. In our ex p eriments, we hav e used ESBMC v1.3 t ogether with the SMT solv er Z3 [11]. The exp erimenta l eva luation of our work consists of tw o parts. In Section 4.1, we compare our approac hes against the Monotonic Pa rtial Ord er Red uction (MPOR) [18] and P eephole Partial O rd er Reduct ion (PPOR) [27] t h at are im- plemented in a SMT-based boun ded mod el c heck er u sing the Yices SMT solv er [12]. In S ection 4.2, we compare our approac hes against SA T ABS ve rsion 2.4 [7] connected to Ca- dence SMV [19], which is a state-of-the-art C model c hec ker and supp orts the verification of m ulti-threaded soft wa re with shared vari ables using the CEGAR tec hnique. All exp eri- ments were condu cted on an otherwise idle Intel Xeon 5160, 3GHz server with 4 GB of RAM running Linux OS. F or all b enchmarks, the time limit has b een set to 3600 seconds for eac h individual prop erty . All times given are wall clock time in seconds as measured by the unix time command through a single execution. 4.1 Comparison to MPOR and PPOR W e use the dining philosophers mo del to ev aluate our approac hes against MPOR and PPOR. S ince the b enc h- marks used in [18] are not av ailable, we re-implemented them as d escribed there. An implementation is a v ailable at users.ec s.soton.ac.u k/lcc08r/esb mc . Eac h philoso- pher has its own lo cal v ariables, and they communicate only through a global shared arra y of forks. This version guar- antees the absence of deadlocks. As in [18], we also c heck tw o prop erties: (i) wheth er all philosophers can eat simul- taneously (th is prop erty does not hold, i.e., the verification condition is un satisfiable) and (ii) whether all p hilosophers hav e eaten at least once (this prop erty holds, i.e., the verifi- cation condition is satisfiable). The authors in [18 ] run th eir exp eriments on a w orkstation with 2.8 GHz Xeon processor and 4GB of RAM memory running Linux OS. In order to make the results comparable, we scale th eir times in T able 2. W e give both original (in brack ets) and scaled t imings. T able 2 sho ws the d et ailed results of the comparison be- tw een MPOR, PPOR, and the three ESBMC approac hes. The fi rst column #L gives the number of lines of co de, while the second column #T rep orts the total number of th reads. The T ime column provides the time in seconds while the col- umn # I provides th e total num b er of generated interlea v ings and the column #IF the total number of failed interlea v ings. The column I ter gives the num b er of iterations t o p ro ve or dispro ve the prop erty in the UW approach. As w e can see in T able 2, our app roac hes perform equiv a- lentl y to MPOR to chec k the first prop erty of th e model until w e set the num b er of philosophers t o 5. If we contin ue in- creasing the num b er of p hilosophers, MPOR p erforms b etter 1 Av ailable at http://users.ecs .soton.ac.uk/lcc08r/e sbmc/ MPOR PPOR Lazy Sc hedule UW Mo dule # L #T Time Time Time #I/#IF Time Time Iter 1 din phil2 unsat 63 2 0.2 (0.2) 0.1 (0.1) 0.2 2/0 0.2 0.2 1 2 din phil3 unsat 63 3 0.8 (0.9) 1.0 (1.1) 0.5 6/0 0.4 0.5 1 3 din phil4 unsat 63 4 5.0 (5.3) 41.9 (44.9) 2 24/0 1.6 1.6 1 4 din phil5 unsat 63 5 21.4 (22 .9) 138.7 (148.6) 11.1 120/0 8.3 8.7 1 5 din phil6 unsat 63 6 48. 8 (52.3) 470.4 (504.4) 74 720/0 115.8 115.4 1 6 din phil7 unsat 63 7 150.8 (161.6) TO 574.1 5040/0 TO TO 0 7 din phil2 sat 63 2 0.1 (0.1) 0 .1 (0.1) 0.2 2/2 0.2 0.4 3 8 din phil3 sat 63 3 1.2 (1.3) 0 .3 (0.3) 0.2 6/6 0.5 1.6 4 9 din phil4 sat 63 4 8.9 (9.5) 3 .6 (3.8) 0.2 24/2 4 1.8 2 .6 5 10 din phil5 sat 63 5 88.4 (94.7) 57.6 (61 .7) 0.3 120/120 8.8 33 6 11 din phil6 sat 63 6 294.4 (315 .4) 2130.8 (2283) 0.3 720/720 105.6 105.2 1 12 din phil7 sat 63 7 1136 .8 (1218) TO 0.3 5040/504 0 TO TO 0 T able 2: Results of the comparison b etw een MPOR, PPOR, lazy , schedule, and UW ESBMC than our approaches. How ever, our three approaches p er- form b etter than PPOR to c heck the fi rst property . I n ad- dition, our lazy ESBMC scales significantly better than the other app roac hes t o chec k th e second property of the dining philosophers mo del, i.e., whether all philosophers hav e eaten at least once. W e also show in column #I/#IF that all inter- lea vings generated by our lazy ESBMC are satisfiable. Our UW and sc hedule ES BMC also p erforms b etter th an MPOR and PPOR unti l w e set the n umber of ph ilosophers to 6. In summary , our lazy app roac h outp erforms b oth MPOR and PPOR for t h ose b enchmarks th at generate satisfiable for- mula e and is still comparable to MPOR and PPOR when the generated formulae are un satisfiable. 4.2 Comparison to SA T ABS In order to eval uate our app roac hes against SA T ABS, we used a number of multi-threaded programs taken from stan- dard b enchmark suites (see T able 3). Programs 1-12 are an implementa tion of the dining philosophers as describ ed in Section 4.1. I n the d in ing p hilosophers implementation, we set the num b er of p hilosophers (threads) to 2 , 3 , . . . , 7 and compare the runtime p erformance of the th ree approaches against SA T ABS. The p rograms 13-22 are taken from t h e b enchmark suite of the INSPECT to ol [28]. This suite con- tains programs with tw o or more threads as well as mutex and condition syn chroniza tion primitives from the Pthread library . The programs 23 an d 24 are taken from the Helgrind b enchmark suite [2] and they conta in concurrency b ugs re- lated to lock and unlock operations. It is important to note that most of these benchmarks contain d ata depen d encies among the t hreads (i.e., t he threads access the global v ari- ables). T able 3 sho ws the detailed results of the comparison be- tw een UW, Lazy , and schedule ES BMC as w ell as SA T ABS. W e do not ru n the programs 19-22 with SA T ABS b ecause it d oes not supp ort th e condition sy nchronizati on primitiv e. It is also imp ortant to point out that the verificatio n t imes of the programs 1-12 in T able 3 differ from T able 2 b ecause instead of chec king a single p roperty , here we chec k prop- erties related to m utex op erations and array boun ds, whic h can b e automatically generated by b oth tools, SA T ABS and ESBMC. H ence, the column #P gives t h e number of prop- erties to b e verified for each multi-threaded C program. The Time column p ro vides th e t ime in seconds to chec k all prop- erties of a given program and F aile d indicates how many prop erties failed during the verification pro cess. Here, prop- erties can fail for tw o reasons: either due to a t ime out (TO) or due to memory out (MO). As we can see in T able 3, our lazy ESBMC approach p erforms significan tly b etter t han t he other approac hes on b enchmarks that contain bugs (i.e., the form ula sent to the SMT solver is sati sfiable). How ev er, if there is no bug in th e b enchmark, then our schedule ESBMC app roac h p erforms b etter than t he U W and lazy ESBMC, but not as goo d as SA T ABS for the d ining philosophers benchmark. This indi- cates that ou r S MT-based BMC pro cedures do not scale well for problems of increasing complexity , i.e., for a large num- b er of threads and data dep endencies among the threads. How ever, SA T ABS times out for programs 17 and 18, and provides false results for programs 7-12, 15, 23, an d 24, of whic h the last tw o contain d eadlocks d ue to the incorrect use of lo ck and unlo ck op erations. Based on that, we conclud e that SA T A BS do es not seem to explore all in terlea vings and also does not add additional c hec ks fo r detecting deadlocks, whic h explains th e b ett er scaling for th e d ining p hilosophers b enchmark. W e can see t hat our UW ESBMC algorithm outp erforms SA T ABS in most of the m ulti-threaded programs from T a- ble 3, except for the programs 5, 6, 10, 11, and 12. H o w- ever, in these p rograms SA T ABS provides false results as discussed ab ov e. In any case, it is imp ortant to note that when w e enabled the p roof generation feature of t h e SMT solv er to ex tract t he u nsatisfiable cores, we alwa ys observ ed memory o verhead and corresponding slo wdo wns, as also re- p orted p reviously in [10]. Add itionally , w e observed th at the p erformance of the UW ESBMC pro cedure can b e sig- nificantly improved if w e use heu ristics to up date the set of additional literals in L to b e used at the next iteration of the algorithm. How eve r, at this p oint in time, w e do not inv estigate further alternative wa y s of up dating the set L. W e set th e maximum size of t he unsatisfiable core to contai n 500 control litera ls since the SMT solver Z3 fai ls with a seg- mentatio n fault when th ere are th ousands of literals. This situation occurs only with the dining philosophers model when we set the num b er of ph ilosophers to 6 or more. W e rep orted this bu g to the Z3 d evelo p ers and t h ey were already a wa re of this problem. SA T ABS UW Sc hedule Lazy Time #P Time #P Time #P Time #P #I Mo dule #L #T T otal Pa ssed Violated F ailed T otal Pa ssed Violated F ailed Iter T otal Pa ssed Violated F ailed T otal Pa ssed Violated F ailed #I / #IF 1 din phil2 unsat 63 2 26 13 0 0 0. 3 28 0 0 1 0.2 28 0 0 0.3 28 0 0 2/0 2 din phil3 unsat 63 3 26 13 0 0 0. 6 28 0 0 1 0.5 28 0 0 0.7 28 0 0 6/0 3 din phil4 unsat 63 4 26 13 0 0 2. 3 28 0 0 1 1.7 28 0 0 2.7 28 0 0 24/0 4 din phil5 unsat 63 5 26.2 13 0 0 12.3 28 0 0 1 9.4 28 0 0 14 28 0 0 120/0 5 din phil6 unsat 63 6 26.4 13 0 0 14 2 28 0 0 1 123.8 28 0 0 91.7 28 0 0 720/0 6 di n phil7 unsat 63 7 27.1 13 0 0 TO 0 0 28 0 MO 0 0 28 719.2 28 0 0 5040/ 0 7 di n phil2 sat 63 2 30.1 18 0 0 0.5 28 1 0 3 0.3 28 1 0 0.2 28 1 0 2 /2 8 di n phil3 sat 63 3 28.4 18 0 0 2.2 28 1 0 4 0.7 28 1 0 0.2 28 1 0 6 /6 9 di n phil4 sat 63 4 28.4 18 0 0 3.05 28 1 0 5 2.4 28 1 0 0.2 28 1 0 24/24 10 din phil5 sat 63 5 28.6 18 0 0 4 2.5 28 1 0 6 1 4.4 28 1 0 0.3 28 1 0 120 /120 11 din phil6 sat 63 6 27.8 18 0 0 1 80 28 1 0 1 177.5 28 1 0 0.3 28 1 0 720/720 12 din phil7 sat 63 7 28.9 18 0 0 M O 28 1 0 0 MO 28 1 0 0.3 28 1 0 5040/5040 13 carter01 ok 58 2 25 2 0 0 0.3 4 0 0 1 0.3 4 0 0 0.3 4 0 0 2/0 14 lazy01 ok 48 3 3 1 0 0 0.2 4 0 0 1 0.2 4 0 0 0.3 4 0 0 6/0 15 phase01 ok 34 1 23 0 1 0 0.2 4 0 0 1 0.2 4 0 0 0.2 4 0 0 2/0 16 stateful01 ok 47 2 2 1 0 0 0.2 4 0 0 1 0.2 4 0 0 0.2 4 0 0 2/0 17 stateful06 ok 59 2 TO 0 0 2 0.2 5 0 0 1 0.2 5 0 0 0.2 5 0 0 2/0 18 stateful20 ok 61 3 TO 0 0 2 5.7 5 0 0 1 3.3 5 0 0 0.7 5 0 0 6 /6 19 sync01 ok 62 2 - - - - 0.2 4 0 0 1 0.3 4 0 0 0.3 4 0 0 2/0 20 sync01 bad 62 2 - - - - 0.3 3 1 0 1 0.3 3 1 0 0.3 3 1 0 2/1 21 sync02 ok 73 2 - - - - 0.3 4 0 0 1 0.3 4 0 0 0.3 4 0 0 2/0 22 sync02 bad 73 2 - - - - 0.3 3 1 0 1 0.3 3 1 0 0.3 3 1 0 2/1 23 tc10 rec lo ck bad 49 1 0.3 7 0 0 0.3 8 2 0 1 0.3 8 2 0 0.3 8 2 0 1/1 24 tc14 laog bad 45 5 20 17 0 0 T O 0 0 28 2 TO 0 0 28 0.8 10 18 0 120/1 20 T able 3: Results of the comparison b etw een SA T ABS, UW, schedule, and l azy ESB M C 5. RELA TED WORK SMT-based BMC is gaining p opu larit y in the formal veri- fication comm unity due to the adven t of sophisticated SMT solv ers built ov er efficient SA T solv ers [11]. Ganai and Gupta describe a verification framew ork for BMC whic h ex tracts high-level design information from an extended finite state mac hine (EFSM) and apply sev eral techniques to simplify the BMC problem [13]. How ever, the authors use only the theory of integ er and real arithmetic, which do es not re- flect precisely th e ANSI -C semantics. A rman d o et al. also prop ose a BMC app roac h u sing SMT solve rs for ANSI-C programs [5], but t hey only make use of linear arithmetic, arra ys, records and restricted bit-vectors arithmetic and, as a consequence, t heir SMT-CBMC prototype do es not ad- dress imp ortant constructs of the AN SI-C language. Qadeer and Rehof present a p ragmatic m eth od to discov er bugs in concurrent soft w are in which the program analysis is restricted to executions with a boun ded number of context switc hes [23]. How ev er, this metho d is incomplete since it considers the verification u p to a given fixed con text b oun d. In add ition, the authors d o not app ly it to realistic and large concurrent sof tw are b en chmarks and the integra tion of this context-bound ed mo d el c hec king algo rithm into the explicit state mod el chec k er ZING [4] is left for future w ork. R a- binovitz and Grumberg describ e an extension of CBMC to concurrent C progra ms [2 4], whic h translates C t h reads into SSA form and adds constraints for a b ound ed num b er of context-switc hes, as describ ed in [4]. This app roac h, how- ever, is limited to tw o threads and it requires additional constrain ts t o b ound the num b er of context switc hes and allo w ed interlea vings into the form ula to be sent to a SA T solv er. Ganai and Gupta describe a lazy metho d for mo delling multi-threaded concurren t systems using shared v ariables [14], but this metho d is restricted to tw o th reads. Gupta et al. [18] extend [14, 17] by sup p orting more t h an tw o threads and by combining dynamic partial order reduction with sym- b olic state space exploration. How ev er, this metho d is in- complete since it considers the concurrency seman tics up to the bound ed depth as in [4, 24]. Grumberg et al. p ropose an algorithmic metho d based on S A T and BMC to model chec k a multi-process system based on a series of under- approximated models [16]. This ap p roac h, how eve r, do es n ot integ rate partial order redu ction algorithms to reduce redun- dant interlea vings and it does not address the problem of mod el chec king real-w orld em b edded softw are in multi-core environmen ts. T o th e b est of our kn o wledge, there is no work that consid- ers a comprehensiv e SMT-based BMC form ulation to v erify multi-threaded soft w are using a set of under-app ro ximations and widening mo dels as well as the integration of partial order reduction algorithms into the UW framew ork. In con- trast to [14, 24], our method can h andle more th an tw o threads and can detect d eadlock caused b y the m utexes and conditions op erations. O ur main contribution is an algo- rithmic method an d corresp onding to ols to verify multi- threaded soft w are using SMT in order to combat the ver- ification complexity . 6. CONCLUSIONS AND FUTURE WORK Despite the large b od y of (theoretical) researc h in the ver- ification of concurrent systems, th ere are on ly few to ols t hat analyze multi-threaded programs with shared v ariables. In this w ork, we presented an extension of the ESBMC mo del chec k er to supp ort the verification of multi-threaded soft- w are with shared va riables, mutexes and conditions using an SMT-based BMC framew ork. W e also describ ed three approac hes UW, lazy and eager SMT-based BMC imple- mented with partial-order reduct ion meth o ds in which t h e final formula is well suited for using with th e SMT solvers. Our exp erimental results show that our UW ESBMC ap- proac h outp erforms the CEGAR approach implemented in the SA T ABS mo del chec ker. With the addition of deadlo ck detection in our modelling, w e can find bugs that other p re- vious app roac hes are not able to find. Moreo v er, our lazy ESBMC, which adds concurrency constrain ts lazily and in- crementa lly , is able to find bugs quickly in non- t rivial b ench- marks. In future, w e w ould like to explore in more dep t h the p artial-order reduction met h od s, confi gure ESBMC for compatibilit y with any given compiler to break statemen ts with multiple global v ariables, and inv estigate heuristics to up date th e set of additional literals in our UW ESBMC al- gorithm. Ac knowledgmen ts. W e thank D. Kr oening for the fruitful dis- cussions about the starting poi n t of this work and J. Rathk e for man y helpful discussions ab out multi-process systems. W e also thank S. Yiu for his w ork in his MSc Thesis [29] on model ch ec king concurren t programs with SA T. W e thank J. Colley , D. Nicole, R. Silv a, and R. Quigley for the ir commen ts on a draft v ersion. 7. REFERENCES [1] E. Clark e, O. Grumb erg, and D. Peled. Mo del Che cking . The MIT Press, Cam bridge, MA, 2000. [2] Helgrind: a thr e ad err or dete ctor . http://v algri nd.org/. [3] R . A lur et al. Partial-order reduction in sy mbolic state-space exploration. FMSD , 18(2):97–1 16, 2001. [4] T. A ndrews et al. Zing: Exploiting p rogram structure for mod el chec king concurrent soft w are. In CONC UR , pp. 1–15, 2004. [5] A . A rmando, J. Manto v ani, and L. Platania. Bounded mod el chec king of soft w are using SMT solvers instead of SA T solvers. Int. J. Softw. T o ols T e chnol. T r ansf. , pp. 69–83, 2009. [6] A . Biere. Bounded mo del checking. I n Handb o ok of Satisfiability , pp. 457–481. 2009. [7] E. Clark e, D. Kro ening, N. Sharygina, and K . Y ora v. SA T ABS: SA T-based predicate abstraction for ANSI- C. In T ACAS 2005 , LNCS 3440, pp . 570–574 , 2005. [8] B. Cook, D. Kro ening, and N . Sharygina. Symb olic mod el chec king for async hronous b oolean programs. In SPIN , pp. 75–90, 2005. [9] L. Cordeiro, B. Fischer, and J. Marques-S ilv a. SMT-based b ounded mo del chec king for em b edded ANSI- C softw are. In ASE , pp. 137–148 , 2009. [10] L. M. de Moura and N. Bjørner. Pro ofs and refutations, and z3. In LP AR , 2008. [11] L. M. de Moura and N. Bjørner. Z3: An efficient SMT solv er. In T A CAS , LNCS 4963, pp . 337–34 0, 2008. [12] B. Dutertre and M. L. d. The Yic es SMT solver . T ool pap er, http://yices .csl.sri.com/ do cumentation.sh tml . [13] M. K. Ganai and A. Gupta. Accelerating h igh-level b ounded mo del chec king. In ICCAD , p p. 794–801, 2006. [14] M. K. Ganai and A. Gupta. Efficient modeling of concurrent systems in BMC. In SPIN , LNCS 5156, pp. 114–133 , 2008. [15] P . Godefroid. Partial-or der Metho ds for the V erific ation of C oncurr ent Systems: An Appr o ach to the State- explosion Pr oblem . PhD thesis, 1995. [16] O. Grum b erg, F. Lerd a, O. Strichman, and M. Theobald. Pro of-guided underapproximation-widening fo r multi-process systems. In POPL , pp . 122–131 , 2005. [17] V. Kahlon, S. Sanka ranara yanan, and A. Gupta. Semantic red uction of thread interlea vings in concurrent programs. In T ACAS , LNCS 5505, pp. 124–138 , 2009. [18] V. Kahlon, C. W ang, and A. Gupta. Monotonic partial order redu ct ion: An optimal symbolic partial order reduction technique. In CA V , pp. 398–413, 2009. [19] K. McMilla n. The Cadenc e SMV Mo del C he cker . http://w ww.k enmcmil.com/sm v.html. [20] K. L. McMillan and N . Amla. A utomatic abstraction without counterexamples. In T A CAS , LNCS 2619, pp. 2–17, 2003. [21] F. Mueller. A library implemen tation of p osix threads under unix. In U SENI X , pp. 29–41, 1993. [22] D. P eled. All from one, one for all: on mo del c hecking using representati ves. In CA V , pp. 409–423, 1993. [23] S. Qadeer and J. Rehof. Context-bound ed model chec king of concurrent sof tw are. In T ACAS , LNCS 3440, pp. 93–107, 2005. [24] I. Rabinovitz and O. Grumberg. Bounded mo del chec king of concurrent programs. I n CA V , LNCS 3576, pp. 82–97, 2005. [25] J. P . Marques-Silv a and K. A. S ak alla h. Grasp - a new searc h algorithm for satisfiabilit y . In ICC AD , pp. 220–227 , 1996. [26] SMT-LIB. The Satisfiability Mo dulo The ories Libr ary . http://co mbination.cs. uiow a.edu/smtlib. [27] C. W ang, Z. Y ang, V. Kahlon, and A. Gupta. P eephole partial order redu ct ion. In T ACAS , pp. 382–396, 2008. [28] Y. Y ang. Insp e ct: A F r amework for Dynamic V erific ation of M ultithr e ade d C Pr o gr ams . http://w ww.cs.utah.edu/ ∼ yuyang/inspect/. [29] S. Yiu. Mo del Che cking Concurr ent Pr o gr am s with SA T . MSc thesis, S outhampton, 2009.