Thread-Modular Verification for Shared-Memory Programs

  • Cormac Flanagan
  • Stephen N. Freund
  • Shaz Qadeer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2305)


Ensuring the reliability of multithreaded software systems is difficult due to the interaction between threads. This paper describes the design and implementation of a static checker for such systems. To avoid considering all possible thread interleavings, the checker uses assume-guarantee reasoning, and relies on the programmer to specify an environment assumption that constrains the interaction between threads. Using this environment assumption, the checker reduces the verification of the original multithreaded program to the verification of several sequential programs, one for each thread. These sequential programs are subsequently analyzed using extended static checking techniques (based on verification conditions and automatic theorem proving). Experience indicates that the checker is capable of handling a range of synchronization disciplines. In addition, the required environment assumptions are simple and intuitive for common synchronization idioms.





Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Cormac Flanagan (1)
  • Stephen N. Freund (1)
  • Shaz Qadeer (1)

  1. Compaq Systems Research Center, Palo Alto
