A Modular Checker for Multithreaded Programs

  • Cormac Flanagan
  • Shaz Qadeer
  • Sanjit A. Seshia
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2404)


Designing multithreaded software systems is prone to errors due to the difficulty of reasoning about multiple interleaved threads of control operating on shared data. Static checking, with the potential to analyze the program’s behavior over all execution paths and for all thread interleavings, is a powerful debugging tool. We have built a scalable and expressive static checker called Calvin for multithreaded programs. To handle realistic programs, Calvin performs modular checking of each procedure called by a thread using specifications of other procedures and other threads. The checker leverages off existing sequential program verification techniques based on automatic theorem proving. To evaluate the checker, we have applied it to several real-world programs. Our experience indicates that Calvin has a moderate annotation overhead and can catch defects in multithreaded programs, including synchronization errors and violation of data invariants.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    M. Abadi and L. Lamport. Conjoining specifications. ACM TOPLAS, 17(3):507–534, 1995.CrossRefGoogle Scholar
  2. 2.
    A. Aiken and D. Gay. Barrier inference. In Proc. 25th POPL, pages 243–354, 1998.Google Scholar
  3. 3.
    K. Arnold and J. Gosling. The Java Programming Language. Addison-Wesley, 1996.Google Scholar
  4. 4.
    T. Ball, S. Chaki, and S. Rajamani. Parameterized verification of multithreaded software libraries. In TACAS, pages 158–173, 2001.Google Scholar
  5. 5.
    A. Birrell, J. Guttag, J. Horning, and R. Levin. Synchronization primitives for a multiprocessor: A formal specification. In Proc. 11th SOSP, pages 94–102, 1987.Google Scholar
  6. 6.
    C. Boyapati and M. Rinard. A parameterized type system for race-free Java programs. In Proc. OOPSLA, pages 56–69, 2001.Google Scholar
  7. 7.
    M. Dwyer, J. Hatcliff, R. Joehanes, S. Laubach, C. Pasareanu, Robby, W. Visser, and H. Zheng. Tool-supported program abstraction for finite-state verification. In Proc. 23rd ICSE, pages 177–187, 2001.Google Scholar
  8. 8.
    C. Flanagan and S. N. Freund. Type-based race detection for Java. In Proc. PLDI, pages 219–232, 2000.Google Scholar
  9. 9.
    C. Flanagan, S. N. Freund, and S. Qadeer. Thread-modular verification for shared-memory programs. In Proc. 11th ESOP, pages 262–277, 2002.Google Scholar
  10. 10.
    C. Flanagan, K. R. M. Leino, M. Lillibridge, C. Nelson, J. Saxe, and R. Stata. Extended static checking for Java. In Proc. PLDI, 2002.Google Scholar
  11. 11.
    C. Flanagan, S. Qadeer, and S. A. Seshia. A modular checker for multithreaded programs. Technical Note 2002-001, Compaq Systems Research Center, 2002.Google Scholar
  12. 12.
    C. Flanagan and J. B. Saxe. Avoiding exponential explosion: Generating compact verification conditions. In Proc. 28th POPL, pages 193–205, 2001.Google Scholar
  13. 13.
    A. Heydon and M. Najork. Mercator: A scalable, extensible web crawler. In Proc. 8th WWW Conf., pages 219–229, December 1999.Google Scholar
  14. 14.
    C. B. Jones. Tentative steps toward a development method for interfering programs. A CM TOPLAS, 5(4):596–619, 1983.MATHCrossRefGoogle Scholar
  15. 15.
    L. Lamport. Specifying concurrent program modules. ACM TOPLAS, 5(2):190–222, 1983.MATHCrossRefGoogle Scholar
  16. 16.
    K. R. M. Leino, J. B. Saxe, and R. Stata. Checking Java programs via guarded commands. Technical Note 1999-002, Compaq Systems Research Center, 1999.Google Scholar
  17. 17.
    B. Liskov and J. Guttag. Abstraction and Specification in Program Development. MIT Press, 1986.Google Scholar
  18. 18.
    C. G. Nelson. Techniques for program verification. Technical Report CSL-81-10, Xerox Palo Alto Research Center, 1981.Google Scholar
  19. 19.
    M. Sagiv, T. Reps, and R. Wilhelm. Parametric shape analysis via 3-valued logic. In Proc. 26th POPL, pages 105–118, 1999.Google Scholar
  20. 20.
    N. Sterling. WARLOCK — a static data race analysis tool. In USENIX Tech. Conf. Proc., pages 97–106, Winter 1993.Google Scholar
  21. 21.
    E. Yahav. Verifying safety properties of concurrent Java programs using 3-valued logic. In Proc. 28th POPL, pages 27–40, 2001.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Cormac Flanagan
    • 1
  • Shaz Qadeer
    • 1
  • Sanjit A. Seshia
    • 2
  1. 1.Compaq Systems Research CenterPalo Alto
  2. 2.School of Computer ScienceCarnegie Mellon UniversityPittsburgh

Personalised recommendations