Scheduling Constraint Based Abstraction Refinement for Multi-Threaded
  Program Verification by Yin, Liangze et al.
1Scheduling Constraint Based Abstraction Refinement for
Multi-Threaded Program Verification
LIANGZE YIN, School of Computer, National University of Defense Technology, China
WEI DONG, School of Computer, National University of Defense Technology, China
WANWEI LIU, School of Computer, National University of Defense Technology, China
JI WANG, School of Computer, National University of Defense Technology, China
Bounded model checking is among the most ecient techniques for the automatic verication of concurrent
programs. However, encoding all possible interleavings oen requires a huge and complex formula, which
signicantly limits the salability. is paper proposes a novel and ecient abstraction renement method
for multi-threaded program verication. Observing that the huge formula is usually dominated by the exact
encoding of the scheduling constraint, this paper proposes a scheduling constraint based abstraction renement
method, which avoids the huge and complex encoding of BMC. In addition, to obtain an eective renement,
we have devised two graph-based algorithms over event order graph for counterexample validation and
renement generation, which can always obtain a small yet eective renement constraint. Enhanced by
two constraint-based algorithms for counterexample validation and renement generation, we have proved
that our method is sound and complete w.r.t. the given loop unwinding depth. Experimental results on
SV-COMP 2017 benchmarks indicate that our method is promising and signicantly outperforms the existing
state-of-the-art tools.
CCS Concepts: •Soware and its engineering→ Soware verication and validation;
Additional Key Words and Phrases: Multi-readed Program, Bounded Model Checking, Scheduling Constraint,
Event Order Graph
ACM Reference format:
Liangze Yin, Wei Dong, Wanwei Liu, and Ji Wang. 2016. Scheduling Constraint Based Abstraction Renement
for Multi-readed Program Verication. 1, 1, Article 1 (January 2016), 26 pages.
DOI: 10.1145/nnnnnnn.nnnnnnn
1 INTRODUCTION
Facilitated by the popularization of multi-core architectures, concurrent programs are becoming
popular to take full advantage of the available computing resources. However, due to the nonde-
terministic thread interleavings, traditional approaches such as testing and simulation are hard
to guarantee the correctness of such programs. Automatic program verication has become an
important complementary to traditional approaches. Given that most of the errors can be detected
with small loop unwinding depths, bounded model checking (BMC) has been proven to be one
of the most ecient techniques for the automatic verication of concurrent programs [6, 33].
However, due to the complex inter-thread communication, a huge encoding is usually required to
oer an exact description of the concurrent behavior, which greatly limits the scalability of BMC
for concurrent programs.
is paper focuses on multi-threaded programs based on shared variables and sequential consis-
tency (SC) [2]. For these programs, we have observed that the scheduling constraint, which denes
is work has been submied to the IEEE for possible publication. Copyright may be transferred without notice, aer
which this version may no longer be accessible.
2016. XXXX-XXXX/2016/1-ART1 $15.00
DOI: 10.1145/nnnnnnn.nnnnnnn
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
ar
X
iv
:1
70
8.
08
32
3v
2 
 [c
s.P
L]
  3
 A
pr
 20
18
1:2 Liangze Yin, Wei Dong, Wanwei Liu, and Ji Wang
that “for any pair 〈w, r 〉 s.t. r reads the value of a variable v wrien by w , there should be no other
write of v between them,” signicantly contributes to the complexity of the behavior encoding. In
the existing work of BMC, to encode the scheduling constraint, each access of a shared variable is
associated with a “clock variable”. e scheduling constraint is then encoded into a complicated
logic formula over the state and clock variables, the size of which is cubic in the number of shared
memory accesses [3].
Inspired by this observation, this paper proposes a novel method for multi-threaded program
verication which performs abstraction renement by weakening and strengthening the scheduling
constraint. It initially ignores the scheduling constraint and then obtains an over-approximation
abstraction of the original program (w.r.t. the given loop unwinding depth). If the property is
safe on the abstraction, then it also holds on the original program. Otherwise, a counterexample
is obtained and the abstraction is rened if the counterexample is infeasible. N. Sinha and C.
Wang also performed abstraction renement to deal with the overhead of an exact encoding of
the concurrent behavior [35]. However, their abstraction model was performed by restricting the
sets of read events and read-write links, while we consider all read events and read-write links but
ignore the scheduling constraint.
e eciency of our method depends on the number of iterations required to verify the property
and the sizes of the constraints added during the renement process. Another innovation of this
paper is that, to verify the property with a small number of small problems, we have devised
two graph-based algorithms over event order graph (EOG) for counterexample validation and
renement generation, s.t. an eective renement constraint can be obtained in each renement
iteration. Whenever an abstraction counterexample is determined to be infeasible, we can always
obtain a set of “core kernel reasons” of the infeasibility, which can usually be encoded into simple
constraints and reduce a large amount of space. In our experiments, most of the programs can be
veried within dozens of renement iterations. Meanwhile, the increased size of the abstraction
during the renement process can usually be ignored compared with that of the initial abstraction.
Our graph-based EOG validation method is eective in practice. Given an infeasible EOG, it can
usually identify the infeasibility with rare exceptions. If it is not sure whether an EOG is feasible or
not, we explore a constraint-based EOG validation process to further validate its feasibility. If an
infeasibility is returned, we explore a constraint-based renement generation process to rene the
abstraction. Enhanced by these two constraint-based processes, we have proved that our method is
sound and complete w.r.t the given loop unwinding depth.
We have implemented the proposed method on top of CBMC and applied it to the benchmarks
in the concurrency track of SV-COMP 2017 [36]. e experimental results demonstrate that our
method drastically improves the verication performance. Without the scheduling constraint, the
formula size reduces to 1/8 on average, whereas the number of CNF clauses increased during the
renement process can usually be ignored compared with that of the abstraction. Moreover, our
tool has successfully veried all these examples within 1550 seconds and 43 GB of memory. By
contrast, Lazy-CSeq-Abs — a leading tool for concurrent program verication — spended 9820
seconds and 104 GB memory to achieve the same score. Our tool has won the gold medal in the
concurrency track of SV-COMP 2017 [36] (Warning: It will violate our anonymity).
e contributions of this paper are listed as follows.
(1) is paper presents a scheduling constraint based abstraction renement method for multi-
threaded program verication, which avoids the huge and complex constraint to encode
the concurrent behavior.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Scheduling Constraint Based Abstraction Refinement for Multi-Threaded Program Verification1:3
(2) is paper presents two graph-based algorithms over event order graph for counterexam-
ple validation and renement generation, which can always obtain a small yet eective
renement constraint in practice.
(3) To ensure the soundness, we have enhanced our method by two constraint-based algorithms
for counterexample validation and renement generation. In this manner, a both ecient
and sound method for multi-threaded program verication is obtained.
(4) We have implemented our method on top of CBMC. e evaluation on the SV-COMP
2017 benchmarks indicates that our method is promising and signicantly outperforms the
existing state-of-the-art tools.
e rest of this paper is organized as follows. Section 2 introduces the preliminaries. Section 3
outlines and illustrates our proposed method by presenting a running example. Sections 4 and 5
present our EOG-based counterexample validation and renement generation algorithms, respec-
tively. Section 6 discusses the soundness and eciency of our method. Section 7 provides the
experimental results. Section 8 reviews the related work, and Section 9 concludes the paper.
2 PRELIMINARIES
2.1 Multi-Threaded Program
A multi-threaded program P consists of N ≥ 1 concurrent threads Pi (1 ≤ i ≤ N ). It contains a
set of variables which are partitioned into shared variables and local variables. Each thread Pi can
read/write both the shared variables and its local variables. We focus on programs based on Preads,
one of the most popular libraries for multi-threaded programming. It uses pthread create(&t,
&attrib, &f, &args) to create a new thread t, and pthread join(t, & return) to suspend
the current thread until thread t terminates 1.
In this paper, we assume each variable access is atomic. We also assume that each statement t of a
multi-threaded program is either 1) a global statement that contains only one shared variable access
(it may further contain multiple local variable accesses) or 2) a local statement that only operates
on local variables. A statement with multiple shared variable accesses can always be translated to a
sequence of global statements. By dening the expressions suitably and using source-to-source
transformations, we can model all statements using global and local statements.
We also assume that all functions are inlined and all loops are unwound by a limited depth (it is
a basic proviso in BMC). We also omit the discussion on modeling the sophisticated C language
data elements, such as pointers, structures, arrays, and heaps, etc., because they are irrelative with
the concurrency and we deal with them in the same way as CBMC does. e discussion on Pread
primitives, such as pthread mutex lock and pthread mutex unlock, etc., are also omied in this
paper. In CBMC, they are implemented by shared variables and we deal with them in the same
way as CBMC does.
Given a multi-threaded program, we write V for the set of shared variables. An event e is a
read/write access to a shared variable. We use E to denote all of them. Each global statement
corresponds to an event, i.e., the event contained in the global statement. Each e ∈ E is associated
with an element var(e) ∈ V, a type type(e), and a literal guard(e), which represent the accessed
variable, the type of access, and the guard condition literal, respectively. type(e) can be either rr
(i.e., “read”) or ww (i.e., “write”). Any event e with var(e) = v and type(e) = rr (resp. type(e) = ww)
is called a read (resp. a write) of v . To express the execution orders of dierent events, we also
associate each event with an unique natural number clk(e). clk(e1) < clk(e2) represents that e1
executes before e2.
1More information about Preads can be found at hps://computing.llnl.gov/tutorials/pthreads/
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:4 Liangze Yin, Wei Dong, Wanwei Liu, and Ji Wang
e program P determines a partial order ≺0P⊂ E × E. Intuitively, e1 ≺0P e2 (or we write
(e1, e2) ∈≺0P ) indicates that “e1 should happen before e2 according to the program order of P”.
According to the program order, e1 ≺0P e2 holds in the following three cases.
• For any two events e1 and e2 of the same thread, if e1 must happen before e2 according to
the sequential semantics, then we have e1 ≺0P e2.• If pthread create() is used to create a new thread t at some point p of the current thread,
then for any event e1 of the current thread before p and e2 of the thread t, we have e1 ≺0P e2.• If pthread join(t) is used to suspend the current thread at some point p, then for any
event e1 of the thread t and e2 of the current thread aer p, we have e1 ≺0P e2.
A read-write link (e1, e2) represents that “e2 reads the value wrien by e1”. erefore, type(e1) =
ww, type(e2) = rr, var(e1) = var(e2), and the value of e2 is equal to that of e1. In addition, there
should be no other “write” of var(e1) happening between them. Given a read-write link λ := (e1, e2),
we denote by sel(λ) the read-write link literal (a boolean variable) that represents the link.
2.2 Bounded Model Checking
Bounded model checking [7] is one of the most applicable techniques to alleviate the state space
explosion problem in concurrent program verication. Given that most of the errors can be
detected with small loop unwinding depths, the unwinding depth for those loops and recursions is
limited [33]. Instead of explicitly enumerating all thread interleavings, BMC employs a symbolic
representation to encode the verication problem, which is then solved by a SAT/SMT solver. If a
positive answer is given, then a satisfying assignment corresponding to a feasible counterexample
is acquired. Otherwise, the program is proven safe w.r.t. the given loop unwinding depth.
In BMC, the monolithic encoding of a multi-threaded program is usually represented as α :=
ϕinit ∧ρ∧ζ ∧ξ , where ϕinit is the initial states, ρ encodes each thread in isolation, ζ formulates that
“each read of a variable v may read the result of any write of v”, and ξ formulates the scheduling
constraint, which denes that “for any pair 〈w, r 〉 s.t. r reads the value of a variable v wrien by w ,
there should be no other write of v between them” [3].
3 METHOD OVERVIEW AND ILLUSTRATION
3.1 Method Overview
e performance of BMC is usually decided by that of the constraint solving, the performance
of which depends signicantly on the size of the constraint problem. Hence, an important way
to improve the performance of BMC is to reduce the size of the constraint problem. In BMC of
multi-threaded programs, we have observed that the monolithic encoding α is usually dominated
by the scheduling constraint ξ . To reduce the constraint problem size, we propose to ignore the
scheduling constraint in the constraint solving process. An abstraction of the monolithic encoding
is then obtained, which is dened as follows.
Denition 3.1. Given a multi-threaded program, the abstraction ignoring the scheduling con-
straint can be formulated as φ0 := ϕinit ∧ ρ ∧ ζ , where ϕinit is the initial states, ρ encodes each
thread in isolation, and ζ formulates that “each read of a variable v may read the result of any write
of v”.
e scheduling constraint ξ denes a set of order requirements among the events. All of them
should be satised for any concrete execution of a multi-threaded program. Hence, whenever
a counterexample pi of the abstraction is obtained, further validation is required to determine
whether pi satises all the order requirements dened in ξ . If that is true, pi is feasible. Otherwise,
pi is infeasible. In other words, it may not correspond to a concrete execution. In this case, we
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Scheduling Constraint Based Abstraction Refinement for Multi-Threaded Program Verification1:5
Multi-Threaded 
C Program
Abstraction 
Model
Graph-based 
EOG Validation
Constraint-based 
EOG Validation
Constraint-based 
Refinement
Graph-based 
Refinement
[SAT]
[UNSAT]
[Infeasible] [Infeasible]
[Not Sure]
[Feasible]
Proof True Counterexample
Abstraction
Refinement Constraint i
0
Error states err
Fig. 1. An overview of our method
continually search the rest of the abstraction space for another new counterexample, until a feasible
counterexample is found or all counterexamples of the abstraction have been determined to be
infeasible.
Fig. 1 presents an overview of our method. Given a multi-threaded C program, we rst add the
abstraction φ0 and the error states ϕerr to the abstraction model. If it is unsatisable, then the
property is proven safe w.r.t. the given loop unwinding depth. Otherwise, a counterexample of
the abstraction is provided. Given that the scheduling constraint is ignored in the abstraction, this
counterexample may be infeasible and further validation is required. In our method, the feasibility
of an abstraction counterexample is determined via validating the feasibility of its corresponding
event order graph (EOG). An intuitive method for EOG validation is constraint solving. If the EOG is
infeasible, then the abstraction is rened by exploring the unsatisable core. However, this method
is not eective for renement generation (cf. Section 5). To obtain an eective renement, we
have devised two graph-based algorithms over EOG for EOG validation and renement generation,
in which a small yet eective renement can always be obtained if the EOG is determined to
be infeasible. However, this method is not complete. It can only give an infeasible answer (cf.
Section 4). To make our method both ecient and sound, we rst adopt the graph-based EOG
validation method. If the EOG is determined to be infeasible, the graph-based renement process is
performed to obtain an eective renement constraint. Otherwise, we employ the constraint-based
validation process to further validate the EOG. Our experiments demonstrate that our graph-based
EOG validation method is eective in practice. It can always identify the infeasibility of an infeasible
EOG with rare exceptions. Actually, the constraint-based renement generation process (the dashed
part of Fig. 1) has never been invoked on SV-COMP 2017 benchmarks.
3.2 Method Illustration
We provide a running example to illustrate our method. e program involves three threads,
namely, main, thr1, and thr2, as shown in Fig. 2(a). In this example, the set of shared variables
V := {x ,y,m,n}, which are initialized to {1, 1, 0, 0}, respectively. e main thread creates threads
thr1 and thr2, and then waits until these two threads terminate. We aempt to verify that it is
impossible for bothm and n to be 1 aer the exit of thr1 and thr2. is program oers a modular
proof to this property.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:6 Liangze Yin, Wei Dong, Wanwei Liu, and Ji Wang
int x = 1, y = 1, m = 0, n = 0;
void* thr1(void * arg) {
x = y + 1;
m = y;
x = 0;
}
void* thr2(void * arg) {
y = x + 1;
n = x;
y = 0;
}
void main() {
pthread_t t1, t2;
pthread_create(&t1, 0, thr1, 0);
pthread_create(&t2, 0, thr2, 0);
pthread_join(t1, 0);
pthread_join(t2, 0);
assert (!(m == 1 && n == 1));
}
int x1 = 1, y1 = 1, m1 = 0, n1 = 0;
void* thr1(void * arg) {
x2 = y2 + 1;
m2 = y3;
x3 = 0;
}
void* thr2(void * arg) {
y4 = x4 + 1;
n2 = x5;
y5 = 0;
}
void main() {
pthread_t t1, t2;
pthread_create(&t1, 0, thr1, 0);
pthread_create(&t2, 0, thr2, 0);
pthread_join(t1, 0);
pthread_join(t2, 0);
assert (!(m3 == 1 && n3 == 1));
}
(a) The original program (b) The SSA statements of the program
Fig. 2. A three-thread program
Initial abstraction. We use ϕinit and ϕerr to denote the initial and error states, respectively, while
ρmain , ρthr1, and ρthr2 denote the transition relationships of these three threads, respectively, and
ρ is the conjunction of those transition relationships of all threads.
To encode the program, as shown in Fig. 2(b), we convert the original program into a set of static
single assignment (SSA) statements, in which the program variables are renamed s.t. each variable
is assigned only once. Particularly, each “read” of any shared variable also has a unique name.
en ϕinit , ϕerr , and ρ are dened as follows. Note that the transition relationship of each thread
(such as ρmain , ρthr1, and ρthr2) encodes that thread in isolation, i.e., it doesn’t consider the thread
communications.
ϕinit := (x1 = 1) ∧ (y1 = 1) ∧ (m1 = 0) ∧ (n1 = 0)
ϕerr := (m3 = 1) ∧ (n3 = 1)
ρthr1 := (x2 = y2 + 1) ∧ (m2 = y3) ∧ (x3 = 0)
ρthr2 := (y4 = x4 + 1) ∧ (n2 = x5) ∧ (y5 = 0)
ρmain := true
ρ := ρthr1 ∧ ρthr2 ∧ ρmain
To encode ζ , we must identify the behavior of every “read” event. Consider the shared variable
x for example. ere are ve read/write accesses to the variable x . For each access, as shown in
Fig. 2(b), we rename x to a unique name in the SSA statements, i.e., x1, x2, · · · , x5. We denote by exi
(1 ≤ i ≤ 5) the event corresponding to xi . en {ex1 , ex2 , ex3 } and {ex4 , ex5 } are the sets of “writes”
and “reads” of x , respectively. We use a read-write link literal sv,i, j to indicate that evj reads the
value wrien by evi (v ∈ V). e encoding ψxi (i = 4, 5), dened below, indicates that the value
of xi can take any value of x1, x2, and x3. Given that the variable xi can not take several dierent
values simultaneously, the formula sx,4,1 ∨ sx,4,2 ∨ sx,4,3 represents that, among these three literals,
there is one and only one true literal. We denote by ζx the conjunction ofψx4 andψx5 . It formulates
the possible behaviors of all “reads” of x .
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Scheduling Constraint Based Abstraction Refinement for Multi-Threaded Program Verification1:7
ψx4 := (sx,4,1 ⇒ (x4 = x1))∧
(sx,4,2 ⇒ (x4 = x2))∧
(sx,4,3 ⇒ (x4 = x3))∧
(sx,4,1 ∨ sx,4,2 ∨ sx,4,3)
ψx5 := (sx,5,1 ⇒ (x5 = x1))∧
(sx,5,2 ⇒ (x5 = x2))∧
(sx,5,3 ⇒ (x5 = x3))∧
(sx,5,1 ∨ sx,5,2 ∨ sx,5,3)
ζx := ψx4 ∧ψx5
Similarly, we obtain the corresponding formulas of ζy , ζm , and ζn . Let ζ := ζx ∧ ζy ∧ ζm ∧ ζn .
e initial abstraction can then be formulated as follows.
φ0 := ϕinit ∧ ρ ∧ ζ (1)
Constraint solving of the rst round. Using φ0 ∧ ϕerr as input to a constraint solver will return
SAT and yield a counterexample pi0, which is a set of assignments to the variables in φ0 ∧ ϕerr .
Counterexample validation of the rst round. Given that the scheduling constraint is excluded
from the abstraction, such a counterexample may be infeasible. In our method, a counterexample
pi is validated via validating its corresponding EOG (cf. Section 4), which captures all the order
requirements among the events of pi . We rst employ the graph-based EOG validation method to
determine its feasibility.
Fig. 3 shows the EOG corresponding to pi0. In gures that describe EOGs, the white and gray
nodes denote “writes” and “reads” occurring in the corresponding counterexample, respectively. A
solid arrow with a triangular head from e1 to e2 represents a program order, which requires that
e1 should happen before e2. A dashed arrow from e1 to e2 represents a read-write link (e1, e2). It
requires that 1) e1 should happen before e2, and 2) no “write” of var(e1) can happen between them.
A solid arrow with a hollow head from e1 to e2 represents a derived order, which is derived from
existing order requirements. It also requires that e1 should happen before e2. For brevity, in these
gures, we use the subscripts of an event as labels, that is, we usevi to represent the event evi . Now
the question is: Is there any total order of all these nodes that satises all these order requirements?
is is not a trivial problem. However, if there exists some cycle in the graph, then the answer
must be “no”, and the counterexample is infeasible.
Given a counterexample pi and two events e1 and e2, we use e1 ≺pi e2 to represent that e1 should
happen before e2 in pi . By applying our graph-based EOG validation algorithm (cf. Section 4),
we can deduce two derived orders ey3 ≺pi0 ey4 and ex5 ≺pi0 ex2 , which are denoted by h1 and h2
respectively 2. Fig. 3 shows two cycles, including C1 : ex2 ≺pi0 ey3 ≺pi0 ey4 ≺pi0 ex5 ≺pi0 ex2 and
C2 : ex2 ≺pi0 ex4 ≺pi0 ey4 ≺pi0 ex5 ≺pi0 ex2 . erefore, pi0 is infeasible.
Renement of the rst time. To prune more search space rather than just one counterexample,
we should nd the “kernel reasons” that make the counterexample infeasible. According to our
graph-based kernel reason analysis algorithm (cf. Section 5), the derived orders h1 and h2 are caused
by r1 and r3, respectively (according to Rule 3). h1 is derived as follows. According to the order
requirements of r1, we have that y1 ≺pi0 y3, and no “write” of y can be executed between y1 and y3.
According to the program orders, we have y1 ≺pi0 y4. Hence, we can deduce that y3 ≺pi0 y4. Given
that the guard conditions for all these events are true, as long as r1 holds in the counterexample,
we may obtain the derived order h1. Hence, the reason of h1 is r1. Similarly, we can obtain that the
2We can deduce more orders from the EOG, but we only list h1 and h2, because they will be used later.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:8 Liangze Yin, Wei Dong, Wanwei Liu, and Ji Wang
1x
1y
1m
1n
2m
2n
2y
2x
3y
3m
3x
4y
5x
3n
4x
5y
1x
1y
1m
1n
3m
3n
2y
2x
3y
2m
3x
4y
5x
2n
4x
5y
1r
1h 2h
2r
3r
4r
5r 6r
1x
1y
1m
1n
3m
3n
2y
2x
3y
2m
3x
4y
5x
2n
4x
5y
1r
1h
2r
3r
4r
5r 6r
1x
1y
1m
1n
3m
3n
2y
2x
3y
2m
3x
4y
5x
2n
4x
5y
1r
1h2r
3r
4r
5r 6r
Fig. 3. EOG of counterexample pi0.
reason of h2 is r3. Given that the guard conditions for all these events are true, the reason for any
program order is TRUE. And according to Section 5, the reason for any read-write link is itself.
A kernel reason of a cycleC is a conjunction of those kernel reasons for those orders constructing
C . We can obtain that C1 is caused by r1 ∧ r3, and C2 is caused by r3 ∧ r4. Given that r1, r3, and
r4 are represented by read-write link literals sy,3,1, sx,5,1, and sx,4,2, respectively, we obtain that
the kernel reason of C1 is {sy,3,1, sx,5,1}, and the kernel reason of C2 is {sx,5,1, sx,4,2}. We hence use
κ0 := ¬(sy,3,1 ∧ sx,5,1) ∧ ¬(sx,5,1 ∧ sx,4,2) as the renement constraint, which contains only two
simple CNF clauses.
Second constraint solving. Let φ1 := φ0 ∧ κ0. When using φ1 ∧ ϕerr as input, the constraint solver
retur s SAT again, and produces a new counterexample pi1.
Second counterexample validation. By applying our graph-based EOG validation algorithm, the
EOG corresponding to pi1 has two cycles. Hence, pi1 is also infeasible.
Renement, the second time. Again, we apply our graph-based kernel reason analysis algorithm.
e renement constraint is formulated as κ1 := ¬(sx,4,3∧sx,5,1)∧¬(sy,2,4∧sx,4,3)∧¬(sy,4,3∧sx,4,3),
which contains three simple CNF clauses. Here, one of these two cycles has two dierent kernel
reasons.
ird constraint solving. Same as before, let φ2 := φ1 ∧ κ1. When using φ2 ∧ ϕerr as input to a
constraint solver, we get another counterexample pi2.
ird counterexample validation. By applying our graph-based EOG validation algorithm, the
EOG corresponding to pi2 also has two cycles. Hence, pi2 is also infeasible.
Renement, the third time. By applying our graph-based kernel reason analysis algorithm, we
obtain a new renement constraint κ2 := ¬(sy,3,1 ∧ sy,2,5) ∧ ¬(sx,5,2 ∧ sy,2,5), which contains two
simple CNF clauses.
Constraint solving, the fourth time. Letφ3 := φ2∧κ2. When usingφ3∧ϕerr as input, the constraint
solver returns UNSAT this time, which indicates that the property is safe.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Scheduling Constraint Based Abstraction Refinement for Multi-Threaded Program Verification1:9
Given that the serial of constraint solving queries are incremental, they can be solved in an
incremental manner. From this example, we can observe that:
(1) Without the scheduling constraint, the size of the abstraction is much smaller than that
of the monolithic encoding. In this example, excluding the 3049 CNF clauses encoding
the pthread create and pthread join function calls, the monolithic encoding contains
10214 CNF clauses, while the abstraction φ0 contains only 1018 CNF clauses.
(2) With our graph-based renement generation method, the verication problem can usu-
ally be solved with a small number of renement iterations. In this example, only three
renements are required to verify the property.
(3) With our graph-based renement generation method, the number of clauses increased
during the renement process can usually be ignored compared with that of the abstraction.
In this example, only 7 simple CNF clauses are added during the renement process, while
the initial abstraction contains 4067 CNF clauses.
(4) Our graph-based EOG validation method is eective to identify the infeasibility in practice.
In this example, all the four abstractions are infeasible. All of them can be detected by our
graph-based EOG validation process. e constraint-based EOG validation and renement
processes have never been invoked.
4 EOG-BASED COUNTEREXAMPLE VALIDATION
4.1 Counterexample and Event Order Graph
Denition 4.1. A counterexample pi of an abstraction φi , or a counterexample pi for short, is a set
of assignments to the variables in φi ∧ ϕerr , where ϕerr is the error states.
A counterexample pi is an execution of the abstraction that falsies the property. It denes a
trace for each thread and the read-write relationship among the “reads” and “writes” occurring in
pi . Given that the scheduling constraint is ignored in the abstraction, the counterexample may not
be feasible, i.e., it may not correspond to any concrete execution. Note that the execution order of
those statements from dierent threads is not dened. If the counterexample is feasible, it may
correspond to multiple concrete executions.
Given a counterexample pi , we use Epi ⊆ E to denote the set of events occurring in pi . We dene
a partial order ≺pi⊆ Epi ×Epi . Intuitively, e1 ≺pi e2 represents that “e1 should happen before e2 in pi ”,
i.e., clk(e1) < clk(e2). We also use ≺0pi to denote the restriction of ≺0P on pi . In this case, ≺0pi ⊆≺0P , and
we have ≺0pi ⊆≺pi . We also focus on the partial order pi , which is called the read-from relationship
of pi . e1pi e2 (or we write (e1, e2) ∈ pi ) represents that “(e1, e2) is a read-write link in pi ”. According
to this denition, we obtain pi ⊆≺pi . An element in ≺0pi (resp. in pi ) is called a program order
(resp. read-from order) of pi .
A counterexample pi denes a quadruple 〈s0,pi ,Tpi ,Epi ,pi 〉, where s0,pi is the initial states, Tpi is
the set of statements contained in pi , Epi is the set of events occurring in pi , and pi ⊆ Epi × Epi is
the read-from relationship that links each “read” r ∈ Epi to a “write” w ∈ Epi s.t. r reads the value
wrien by w . Note that ≺0pi is the restriction of ≺0P to Epi . Table 1 lists the set of notations we use
for a counterexample pi .
Denition 4.2. A counterexample pi is feasible if a concrete execution τ of the original program
can be constructed from pi .
To validate a counterexample pi , we dene a concrete execution of a multi-threaded program as
follows.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:10 Liangze Yin, Wei Dong, Wanwei Liu, and Ji Wang
Table 1. Notations for a counterexample pi
Notation Meaning
s0,pi e initial states of pi .
Tpi e set of statements contained in pi
Epi e set of events occurring in pi .
e1 ≺pi e2 e1 should happen before e2 in pi .
e1≺0pi e2 e1 ≺pi e2 according to the program order.
e1pi e2 e2 reads the value wrien by e1.
Denition 4.3. Let s0 be an initial state of P , Λ := t0 · · · tn be a statement sequence, and s t→ s ′
indicate that s ′ is the successor of s by t . e tuple (s0,Λ) denes a concrete execution of P i there
exists a state sequence s0 · · · sn+1 s.t. si ti→ si+1 for all 0 ≤ i ≤ n.
According to Denition 4.3, to validate a counterexample pi , one should nd a statement sequence
of Tpi that denes a concrete execution. Note that for a concrete execution τ , the events occurring
in τ must satisfy the following order requirements: 1) for each program order (e1, e2), we have e1
happens before e2; and 2) for each read-write link (e1, e2), we have e1 happens before e2, and no
write of var(e1) happens between e1 and e2. Given that those local statements do not aect other
threads, the crucial issue to construct a concrete execution is to nd a total order <pi over Epi s.t.
<pi obeys all the above order requirements. To address this problem, we introduce the event order
graph (EOG) notion to capture all order requirements of a counterexample.
Denition 4.4. Given a counterexample pi , the event order graph (EOG)Gpi is a triple 〈Epi ,≺0pi ,pi 〉,
where the nodes are the events in Epi , and the edges are the orders dened in ≺0pi and pi . Each
node corresponds to either a “read” or a “write” of pi , and each edge corresponds to either a program
order or a read-from order of pi . For each edge corresponding to a program order (e1, e2) ∈ ≺0pi , it
requires that clk(e1) < clk(e2); and for each edge corresponding to a read-from order (e1, e2) ∈ pi ,
it requires that clk(e1) < clk(e2) and ∀e3 ∈ Epi , ((var(e3) = var(e1)) ∧ (type(e3) = ww)) ⇒ (clk(e3) <
clk(e1) ∨ clk(e2) < clk(e3)).
Denition 4.5. An EOG Gpi is feasible i there exists a total order <pi over Epi s.t. <pi obeys all
the order requirements dened in Gpi .
Theorem 4.6. A counterexample pi is feasible i the corresponding EOG Gpi is feasible.
Proof. Suciency. If pi is feasible, then we can construct a concrete execution τ from pi .
Suppose that the statement sequence of τ is Λ. We order all the events in Epi as the execution
order of those corresponding global statements in Λ, and obtain a total order <pi over Epi , which is
consistent with ≺0pi and pi . erefore, Gpi is feasible.
Necessity. We try to construct a concrete execution τ from pi . If Gpi is feasible, then there must
exist a total order <pi over Epi that is consistent with ≺0pi and pi . To obtain a statement sequence
Λ of Tpi , we rst order all the global statements in Tpi as the order of those corresponding events in
<pi , and obtain a total order <д of all the global statements. en we “place” the local statements in
Tpi into <д . Specically, we rst give a total order t0 · · · tn of all local statements according to the
program order. Aerward, we insert the local statements into <д according to this order and obtain
a statement sequence Λ. For each local statement ti , suppose that among all its predecessors of
global statements (according to the program order), tдi is lastly scheduled in <д , then ti is scheduled
aer both ti−1 and tдi . For instance, if ti−1 is scheduled before t
д
i , then ti is scheduled aer t
д
i .
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Scheduling Constraint Based Abstraction Refinement for Multi-Threaded Program Verification1:11
(a) (b) (c)
(a) (b) (c)
Fig. 4. Three EOG examples
(a) (b) (c)
(a) (b) (c)
Fig. 5. Derived orders deduced by applying Rule 2 to the three EOGs shown in Fig. 4.
Otherwise, ti is scheduled aer ti−1. Given that <pi is both consistent with ≺0pi and pi , the tuple
(s0,pi ,Λ) is a concrete execution. erefore, pi is feasible. 
Now we ask, how can we validate the feasibility of an EOG? An intuitive way is to exactly encode
all the order requirements dened in Denition 4.4 into a constraint. e EOG is feasible i the
constraint is satisable. However, as we will justify later (cf. Section 5 and 7), constraint solving is
not eective enough for renement generation.
4.2 Graph-Based EOG Validation
According to Denition 4.5, any edge (e1, e2) of an EOG Gpi requires that e1 ≺pi e2. Hence, an
EOG must be infeasible if it contains some cycles. Note that a read-from order (e1, e2) ∈ pi
further requires that no other write of var(e1) could happen between e1 and e2. Some implicit order
requirements deducible from the EOG must exist. We call them derived orders of the EOG. For each
derived order (e1, e2), it also requires that clk(e1) < clk(e2), i.e., e1 ≺pi e2.
Consider the EOG shown in Fig. 4(a), where {ex0 , ex2 } and {ex1 } are the “writes” and “reads” of x ,
respectively. ex0≺0pi ex1 , and ex2pi ex1 . We deduce that ex0 ≺pi ex2 because ex0≺0pi ex1 and ex2pi ex1 ,
of which the laer implies that no “write” of x can happen between ex2 and ex1 .
Based on this observation, we can deduce as many derived orders as possible rst, and add them
to ≺pi . If some cycle exists in ≺pi , then the EOG must be infeasible. To this end, we propose the
following three rules to produce derived orders. We initially obtain ≺pi := ≺0pi ∪pi .
Rule 1. e1 ≺pi e2, e2 ≺pi e3
e1 ≺pi e3 .
Rule 1 only reects the transitivity of ≺pi .
Rule 2. e1pi e2, e3 ≺pi e2, type(e3) = ww, var(e3) = var(e1)
e3 ≺pi e1 .
Given that e1pi e2, type(e3) = ww, and var(e3) = var(e2), then either clk(e3) < clk(e1) or clk(e2) <
clk(e3). Given that e3 ≺pi e2 holds, then clk(e3) < clk(e2) can be obtained. erefore, we have
clk(e3) < clk(e1), which implies e3 ≺pi e1.
Similarly, we propose the following deductive rule:
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:12 Liangze Yin, Wei Dong, Wanwei Liu, and Ji Wang
m1
w1
x1
n3
w5
x2
w3
y3
n2
y2
w4
x3
m2
n1
w2
y1
m3
w6
P0 P1
P2 P3
P4 P5
Fig. 6. The “buerfly” example
Rule 3. e1pi e2, e1 ≺pi e3, type(e3) = ww, var(e3) = var(e1)
e2 ≺pi e3 .
According to these three rules, for the three EOGs presented in Fig. 4, we can deduce ex0 ≺pi ex2 ,
ex0 ≺pi ex3 , and ex0 ≺pi ex2 , respectively. We add these terms to the corresponding EOGs as shown
in Fig. 5.
When a derived order (e1, e2) is added to ≺pi , some new orders may be propagated via Rules 1 to
3. We repeat this process until we reach a xpoint, i.e., no derived order can be deduced any more.
If some cycle exists in ≺pi , then the EOG is infeasible.
Now a conjecture is that, an EOG is feasible if it contains no cycle. Such a conjecture holds for
almost all examples in our experiments. However, this conjecture may still be false for some special
examples. Consider the “buery” example in Fig. 6 that involves six threads {P0, P1, · · · , P5} and
ve shared variables {m,n,x ,y,w}. No derived order can be deduced, and no cycle exists in the
EOG. However, no total order of Epi can satisfy all the order requirements dened in the EOG, and
the EOG is infeasible.
Our graph-based EOG validation method is shown in Algorithm 1. It repeatedly applies Rules 1
to 3 to deduce new derived orders, until a xpoint is reached. If there exists some conict event e
s.t. e ≺pi e , then the EOG must be infeasible. Otherwise, it is not sure whether the EOG is feasible
or not.
We now prove the correctness of this algorithm.
Theorem 4.7. If Algorithm 1 concludes that Gpi is infeasible, then Gpi must be infeasible.
Proof. If Algorithm 1 concludes that Gpi is infeasible, then there must exist some conict event
e s.t. e ≺pi e . Suppose that Gpi is feasible. en according to Denition 4.5, there must exist a total
order <pi s.t. <pi obeys all order requirements dened in Gpi . According to Rules 1 to 3, we have
<pi also obeys all the derived orders deduced in Algorithm 1. Hence, clk(e) < clk(e) in <pi , which
is impossible for a total order.
erefore, the theorem is proved. 
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Scheduling Constraint Based Abstraction Refinement for Multi-Threaded Program Verification1:13
Input: An EOG Gpi = 〈Epi ,≺0pi ,pi 〉
Output: Infeasible: Gpi is infeasible; Not-Sure: not sure whether Gpi is feasible or not
repeat
if there exist (e1, e2), (e2, e3) ∈≺pi and (e1, e3) <≺pi then
≺pi=≺pi ∪(e1, e3);
end
if there exists (e1, e2) ∈ pi exists (e3, e2) ∈≺pi and (e3, e1) <≺pi then
if type(e3) = ww and var(e3) = var(e1) then
≺pi :=≺pi ∪(e3, e1);
end
end
if there exists (e1, e2) ∈ pi exists (e1, e3) ∈≺pi and (e2, e3) <≺pi then
if type(e3) = ww and var(e3) = var(e1) then
≺pi :=≺pi ∪(e2, e3);
end
end
until ≺pi reaches a xpoint;
if e ≺pi e for some e then
return Infeasible;
end
return Not-Sure;
Algorithm 1: Graph-based EOG validation
4.3 Constraint-Based EOG Validation
If the graph-based EOG validation method is not sure whether an EOG is feasible or not, we employ
a constraint solver to further determine feasibility of the EOG. e method is that, we exactly
encode all the order requirements dened in Denition 4.4 into a constraint. e EOG is feasible i
the constraint is satisable. If a SAT is returned, then it generates a total order of all the events
which satises all the order requirements of the EOG as a byproduct. Otherwise, both the EOG and
the counterexample are infeasible and an unsatisable core is generated as a byproduct.
5 KERNEL REASON BASED REFINEMENT GENERATION
If a counterexample is determined to be infeasible, one should add some constraints to the abstraction
to prevent this counterexample from appearing again in the future search. e most intuitive way
to address this problem is to add the negation of this counterexample to the abstraction. However,
such a manner excludes only one counterexample in each renement. To prune more search space,
a beer idea is to analyze the kernel reasons that make the counterexample infeasible, and then
adds the negation of these kernel reasons to the next abstraction. Given that a counterexample is
validated via validating its corresponding EOG, we analyze the kernel reasons that make an EOG
infeasible, s.t. a large amount of space can be pruned in each renement iteration.
5.1 Representation of Kernel Reasons
Given a counterexample pi , the corresponding EOGGpi := 〈Epi ,≺0pi ,pi 〉 is determined by the values
of the following two kinds of literals: 1) e values of those guard condition literals for the events
in E. ey determine both Epi and ≺0pi . Epi is the set of events appeared in pi . ≺0pi is the restriction of
≺0P to Epi . 2) e values of those read-write link literals which dene the read-from relationship pi .
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:14 Liangze Yin, Wei Dong, Wanwei Liu, and Ji Wang
Let Gpi and Spi denote the sets of true guard condition literals and true read-write link literals in
pi , respectively. If Gpi is infeasible, then the infeasibility could be deduced by the conjunction of
all literals in Gpi ∪ Spi . e infeasibility can oen be deduced by a subset of Gpi ∪ Spi . erefore,
the kernel reasons that make a counterexample pi infeasible could be represented by the minimal
subsets ofGpi ∪Spi that could deduce the infeasibility. Finding the minimal subsets not only reduces
the constraint size but also prunes more search space.
5.2 Constraint-Based Kernel Reason Analysis
If the infeasibility is identied by the constraint-based EOG validation process, the constraint solver
can return an unsatisable core as a byproduct. Modern constraint solvers, such as MiniSat2, allow
their users to take a set of literals as assumptions. When an UNSAT is returned, the constraint
solver generates a subset of the assumption literals as an unsatisable core. Based on this idea,
we take all literals in Gpi ∪ Spi as assumption literals. Whenever the EOG is determined to be
infeasible, the constraint solver generates a subset of Gpi ∪ Spi that can still deduce the infeasibility.
Suppose that it is {`1, `2, · · · , `n}. Let ϖ := `1 ∧ `2 ∧ · · · ∧ `n . e renement constraint can then
be formulated as follows.
κ := ¬ϖ (2)
If the constraint that exactly encodes all order requirements of an EOG is unsatisable, it may
have a large number of unsatisable cores. To prune as much search space as possible, one should
obtain all of them. However, generating all unsatisable cores is usually time consuming. Most
constraint solvers generate only one unsatisable core each time, and it may not be the shortest one,
which signicantly limits the pruned search space in each renement. Hence, constraint solving is
not a good choice for our renement generation.
5.3 Graph-Based Kernel Reason Analysis
is section presents our graph-based kernel reason analysis method. Compared with the constraint-
based method, it usually obtains a much more eective renement. It can eciently obtain all
kernel reasons that make an EOG infeasible. In addition, the obtained “core kernel reasons” are
always the shortest ones. Hence, it can usually prune much more search space in each iteration.
In Algorithm 1, if an infeasibility is determined, then there must exist some conict event e s.t.
e ≺pi e . A conict event can usually be aributed to several kernel reasons, and there are usually
many conict events. To prune more search space, one should nd all kernel reasons of all conict
events.
We dene “a kernel reason of an order λ ∈≺pi ” to be “the minimal subset of Gpi ∪ Spi that
can deduce λ”. When a derived order λ is deduced, if the kernel reasons of all existing orders
(including existing derived orders) are given, then we can obtain a set of kernel reasons of λ upon
its production. Note that a derived order λ may be deduced for multiple times. Whenever it is
deduced, we can obtain new kernel reasons of λ. Based on this observation, we initialize the kernel
reasons of every order λ to ∅. e kernel reasons of an order λ are then updated once λ is added
(we add the orders in ≺0pi and pi into the graph one by one) or deduced. In this manner, we obtain
the kernel reasons of each order λ ∈≺pi when Algorithm 1 terminates.
We then discuss how to update the kernel reasons of an order λ ∈≺pi when λ is added or deduced.
We hypothesize that the kernel reasons of all existing orders are given. We denote by o(λ) and O(λ)
a kernel reason and the set of kernel reasons of λ, respectively.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Scheduling Constraint Based Abstraction Refinement for Multi-Threaded Program Verification1:15
• If λ := (e1, e2) is added because λ ∈ ≺0pi , then e1 ≺pi e2 i both e1, e2 ∈ Epi , i.e., the guard con-
dition literals for both e1 and e2 are true. erefore,O(λ) := O(λ)∪{{guard(e1), guard(e2)}},
where guard(e) is the guard condition literal of e .
• If λ := (e1, e2) is added because λ ∈ pi , λ holds i e2 reads the value wrien by e1,
which already indicates that both guard(e1) and guard(e2) are true. erefore, O(λ) :=
O(λ) ∪ {{sel(λ)}}, where sel(λ) is the read-write link literal of λ.
• If λ is a derived order deduced from λ1 and λ2, then λ ∈≺pi i both λ1 and λ2 belong to ≺pi .
erefore, O(λ) := O(λ) ∪ {o1 ∪ o2 | oi ∈ O(λi )}. Note that λ may be deduced for multiple
times. We incrementally update O(λ) whenever λ is deduced.
A kernel reason o ∈ O(λ) is considered redundant if some kernel reason o′ ∈ O(λ) exists s.t.
o′ ⊆ o. Such kernel reasons are immediately eliminated from O(λ), and the remaining reasons are
called core kernel reasons of λ. Using this strategy, we maintain only the set of core kernel reasons
in our algorithm. is set is dynamically updated during the running of the algorithm.
In this manner, we obtain the set of core kernel reasons of any order λ ∈≺pi when Algorithm 1
terminates. Let A denote the set of conict events. e kernel reasons that make pi infeasible
(denoted by O(pi )) can be expressed as follows.
O(pi ) :=
⋃
e ∈A
O(e ≺pi e) (3)
Again, we eliminate those redundant kernel reasons from O(pi ), and maintain only those core
kernel reasons. In our experiments, hundreds or even thousands of kernel reasons may be observed,
but only several or dozens of them are considered core ones.
Suppose that o := {`1, `2, · · · , `m} where each `i is a literal, we dene the following:
ϖo := `1 ∧ `2 ∧ · · · ∧ `m (4)
Suppose that O(pi ) := {o1,o2, · · · ,on}, then the renement constraint is formulated as follows.
κ :=
n∧
i=1
¬ϖoi (5)
Algorithm 2 demonstrates our graph-based renement generation method. We rst add all the
program orders into ≺pi , and update their kernel reasons according to the kernel reason updating
method we have discussed. Adding a read-from order or a derived order to ≺pi may propagate a
large number of new orders. Whenever a read-from order λ ∈ pi is added to ≺pi , we denote by D
the set of orders that will be added to ≺pi before another read-from order is added. Adding each
order λ′ ∈ D to ≺pi may propagate a set of derived orders, which are denoted by B. Whenever an
order λ′′ ∈ B is deduced, we update its kernel reasons and add it to D if it is not contained in ≺pi .
In this manner, once all read-from orders have been added to ≺pi , we obtain all derived orders and
the kernel reasons of all orders in ≺pi . We then compute the renement constraint according to
equation (3), (4) and (5).
From the above discussion, the graph-based renement generation method has the following
advantages:
(1) It can detect all kernel reasons that make pi infeasible, leading to a large amount of search
space pruned in each iteration.
(2) It maintains a minimal subset of core kernel reasons, thereby making the renement
constraint small and manageable.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:16 Liangze Yin, Wei Dong, Wanwei Liu, and Ji Wang
Input: An EOG Gpi := 〈Epi ,≺0pi ,pi 〉.
Output: A renement constraint κ.
≺pi := ≺0pi , and update O(λ) for each λ ∈ ≺0pi ;
foreach λ ∈ pi do
Update O(λ), and let D := {λ};
foreach λ′ ∈ D do
≺pi :=≺pi ∪{λ′};
Let B be the set of propagated orders due to λ′;
foreach λ′′ ∈ B do
Update O(λ′′);
if λ′′ <≺pi then
D := D ∪ {λ′′};
end
end
end
end
Compute κ according to equation (3), (4) and (5);
return κ;
Algorithm 2: Graph-based renement generation.
5.4 Correctness of the Graph-Based Kernel Reason Analysis
We prove the correctness of our graph-based renement generation method, that is, the renement
constraint obtained in equation (5) should be true in any feasible counterexample, i.e., it will not
eliminate any feasible counterexample from the abstraction.
Theorem 5.1. Given a counterexample pi and a kernel reason o(λ) obtained according to our graph-
based kernel reason analysis method, we have o(λ) |= λ. at is, for any other counterexample pi ′, we
also have λ ∈≺pi ′ if pi ′ |= ϖo(λ).
Proof. We prove this theorem by induction.
Inductive Base: If o(λ) is obtained because λ ∈ ≺0pi or λ ∈ pi , then the conclusion can be
immediately inferred from the denition.
Inductive Step: If o(λ) is obtained via Rule 1, 2, or 3, then two orders λ1 and λ2 must exist, such
that o(λ) = o(λ1) ∪ o(λ2). Given that ϖo(λ) holds w.r.t. pi ′, ϖo(λ1) and ϖo(λ2) are also true w.r.t. pi ′. By
applying the induction hypothesis, we obtain λ1, λ2 ∈≺pi ′ . According to the same rule, we deduce
that λ ∈≺pi ′ . 
Theorem 5.2. Given a kernel reason o ∈ O(pi ) of an infeasible counterexample pi , for any feasible
counterexample pi ′, we have pi ′ |= ¬ϖo .
Proof. Given that o is a kernel reason that makes pi infeasible, according to equation (3), there
must exist a corresponding order λ := (e, e) ∈≺pi . Suppose that pi ′ |= ϖo . en according to
eorem 5.1, we have λ := (e, e) ∈≺pi ′ . It indicates that pi ′ is infeasible, which is contradict with
that pi ′ is feasible. Hence, we must have pi ′ |= ¬ϖo . 
Theorem 5.3. Given a renement constraint κ obtained in some iteration, for any feasible coun-
terexample pi ′, we have pi ′ |= κ.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Scheduling Constraint Based Abstraction Refinement for Multi-Threaded Program Verification1:17
Proof. Suppose that κ :=
∧n
i=1 ¬ϖoi , and the corresponding counterexample is pi . According to
eorem 5.2, for any i (1 ≤ i ≤ n), we have pi ′ |= ¬ϖoi . Hence, pi ′ |= κ. 
6 SOUNDNESS AND EFFICIENCY
6.1 Soundness and Completeness
We prove the soundness and completeness of our method (shown in Fig. 1) via three theorems.
Theorem 6.1. If our method concludes that the property is safe, then it must be safe w.r.t. the given
loop unwinding depth.
Proof. To prove this theorem, we prove that α ∧ ϕerr |= φ0 ∧ ∧ni=0κi ∧ ϕerr , where α is the
monolithic encoding, φ0 is the initial abstraction, κi is the i-th renement constraint, and ϕerr
is the error states. According to the denition of α and φ0 (cf. Denition 3.1), we can obtain
α ∧ ϕerr |= φ0 ∧ ϕerr . We prove that α ∧ ϕerr |= κi as follows.
If κi is obtained from the graph-based renement process, we prove that for each element
¬ϖ ∈ κi , α ∧ ϕerr |= ¬ϖ . Suppose that α ∧ ϕerr 2 ¬ϖ . en there must exist an assignment pi of
α ∧ ϕerr s.t. ϖ holds. Given that pi is a feasible counterexample, according to eorem 5.2, pi |= ¬ϖ ,
which is contradict with that ϖ holds in pi . Hence, we must have α ∧ ϕerr |= ¬ϖ and α ∧ ϕerr |= κi .
If κi is obtained from the constraint-based renement process, then κi = ¬ϖ where ϖ is an
unsatisable core of the formula which encodes all order requirements of an EOG. Suppose that
α ∧ ϕerr 2 ¬ϖ . en there must exist an assignment pi of α ∧ ϕerr s.t. ϖ holds, which is contradict
with that ϖ is an unsatisable core. Hence, we must have α ∧ ϕerr |= κi . 
Theorem 6.2. If our method concludes that the property is unsafe, then a true counterexample of
the property must exist.
Proof. In our method, the property is concluded unsafe only if the constraint-based EOG
validation process returns SAT. Given that the formula in the constraint-based EOG validation
process encodes all order requirements of the EOG exactly, according to Denition 4.4 and 4.5, the
EOG is feasible i the formula is satisable. Hence, the EOG is feasible. According to eorem 4.6,
the corresponding counterexample must be feasible. erefore, a true counterexample of the
property must exist. 
Theorem 6.3. Our method will terminate for any program with nite state space.
Proof. For a multi-threaded program with nite state space, the number of counterexamples of
the initial abstraction must be nite. Suppose that the counterexample obtained in the i-th iteration
is pii . According to Section 5, each kernel reason of the counterexample or the unsatisable core
obtained in the constraint-based renement process is just a subset of Gpii ∪ Spii . According to
equation (5) and (2), we have pii must be absent in the next abstraction. Hence, our method reduces
at least one counterexample in each iteration. It terminates when all counterexamples have been
reduced or a true counterexample is found. 
6.2 Eiciency
A both ecient and sound way for counterexample validation and renement generation will be
elegant. However, such procedure is usually dicult to devise. As an alternative, we integrate the
graph-analysis and constraint solving approaches together to obtain a both ecient and sound
method.
We have proved that enhanced by the constraint-based counterexample validation and renement
generation processes, our method is sound and complete. We now analyze the eectiveness of the
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:18 Liangze Yin, Wei Dong, Wanwei Liu, and Ji Wang
graph-based EOG validation method. If the EOG is infeasible, the infeasibility may be determined
by either the graph-based EOG validation process or the constraint-based EOG validation process.
Although both of these processes can rapidly determine such infeasibility, a much more eective
renement can be obtained if the infeasibility is determined from the graph-based EOG validation
process. Fortunately, cases similar to the “buery” example rarely occur in practice. In other
words, the graph-based EOG validation process can always identify the infeasibility with rare
exceptions.
Suppose that the verication problem is solved via n iterations. If the property is determined
to be unsafe, then all EOGs generated during the rst n − 1 rounds must be infeasible, which can
generally be identied by the graph-based EOG validation process. e constraint-based EOG
validation process is only invoked in the last iteration during which the property is violated. If the
property is proved safe w.r.t. the given loop unwinding depth, then the infeasibility of all the n
infeasible EOGs can generally be identied by the graph-based EOG validation process, and the
constraint-based EOG validation process will not be invoked.
In sum, advantages of our method include: 1) Without the scheduling constraint, the initial
abstractionφ0 is usually much smaller than the monolithic encoding. 2) e graph-based renement
process can usually obtain a small yet eective renement, which reduces a large amount of space in
each iteration whereas the size of all those renement constraints can usually be ignored compared
with that of the abstraction. 3) ough the graph-based validation process is not complete, it is
eective to identify the infeasibility in practice.
7 EXPERIMENTAL RESULTS
We have implemented our method on top of CBMC-4.9 3 and employed MiniSat2 as the back-end
constraint solver. Our tool is named Yogar-CBMC, and it is available at [36]. We use the 1047
multi-threaded programs of SV-COMP 2017 [36] as our benchmarks. In the experiments, our tool
supports nearly all features of C language and Preads.
7.1 Benchmark of SV-COMP 2017
e open-source, representative, and reproducible benchmarks of Competition on Soware Verica-
tion (SV-COMP) have been widely accepted for program verication. Given that these benchmarks
are devised for comparison of those state-of-the-art techniques and tools, a signicant number of
studies on concurrent program verication have performed their experiments on them.
e concurrency benchmarks of SV-COMP 2017 include 1047 examples and cover most of the
publicly available concurrent C programs that are used for verication. ough many of these
examples are small in size in previous years, dozens of complex examples have been added to
these benchmarks in recent years. For instance, the examples in the pthread-complex direc-
tory (collected by the CSeq team) are taken from the papers on PLDI15 [28], POPL15 [8], and
PPOPP14 [37], which are used for concurrent program debugging and testing; the examples in the
pthread-driver-races directory (collected by the SMACK+CORRAL team) are used for symbolic
analysis of the drivers from the Linux 4.0 kernel [13]; and the examples in the pthread-C-DAC
directory (collected by C-DAC) are from the industrial problems of Centre for Development of Ad-
vanced Computing, Pune, India. ese programs contain hundreds of lines, 4 to 8 threads, complex
structure variables with 2D pointers, and hundreds or even a thousand read/write accesses 4. Given
3Downloaded from hps://github.com/diblue/cbmc/releases on Nov 20, 2015
4A read/write access of a complex structure variable may contain hundreds of read/write accesses of boolean variables.
Here a read/write access of a complex structure variable is considered just one read/write access.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Scheduling Constraint Based Abstraction Refinement for Multi-Threaded Program Verification1:19
these complex features, these programs are challenging for existing state-of-the-art concurrency
verication techniques and tools.
7.2 Experimental Setup
We conduct all of our experiments using a computer with Intel(R) Core(TM) i5-4210M CPU 2.60
GHz and 12 GB memory. A 900-second time limit is observed.
We select and compare two classes of the state-of-the-art tools with our method. e rst class
is those top winners in recent competitions, including MU-CSeq5 [39] and Lazy-CSeq-Abs5 [30].
MU-CSeq is the gold medal winner of SV-COMP 2016, and Lazy-CSeq-Abs is the silver medal
winner of SV-COMP 2017. e second class comprises those tools which methods are closely related
to ours, including CBMC [3] and Threader6 [31]. CBMC is a highly popular verier for program
verication. Dierent from our method, it provides an exact encoding of the scheduling constraint
for multi-threaded program verication. For Threader, to the best of our knowledge, it is the
best CEGAR-based verier for multi-threaded C programs. It has received the gold medal of the
concurrency track of SV-COMP 2013.
Given that dierent tools employ dierent techniques, each of which has its own features, it
is dicult to make the comparison absolutely fair. For example, Threader performs unbounded
verication, while all the other tools perform BMC; and given a loop unwinding depth, both MU-
CSeq and Lazy-CSeq-Abs are incomplete whereas all the other tools are complete. To make the
comparison as fair as possible, we select the latest available version of them, and set the parameters
of them to be that of the competition. We believe that these tools should perform best under
these parameters. For the loop unwinding depth, we set that of CBMC and Yogar-CBMC the
same as that of MU-CSeq. Specically, it is dynamically determined through syntax analysis. e
bound is set to 2 for programs with arrays, and n if some of the program’s for-loops are upper
bounded by a constant n [39]. Given that our method is implemented on top of CBMC. e only
dierence between CBMC and Yogar-CBMC is that CBMC employs the monolithic encoding while
we perform our abstraction renement on the scheduling constraint.
7.3 Eectiveness and Eiciency
Yogar-CBMC solved7 all the 1047 concurrent programs and has received the highest score of 1293
points. It has won the gold medal in the concurrency track of SV-COMP 2017 [36] (Warning: It will
violate our anonymity).
Overall comparison with state-of-the-art tools. Fig. 7 compares our tool with the state-of-the-art
tools, including MU-CSeq, Lazy-CSeq-Abs, and CBMC. Similar to SV-COMP 2017, we perform our
experiments on BenchExec 8 to achieve a reliable and repeatable benchmarking.
e experimental results for Lazy-CSeq-Abs and MU-CSeq are consistent with those in SV-
COMP 2017. However, the results in our experiments for CBMC is beer than those in SV-COMP
2017. e reason is that we have improved CBMC in several aspects, and we have also realized
some concurrency-related improvements in CBMC-5.5 9.
Fig. 7(a) compares the overall performance of Lazy-CSeq-Abs, MU-CSeq, CBMC, and Yogar-
CBMC based on the SV-COMP rules. e x-axis represents the accumulated score, while the y-axis
5Downloaded from hp://sv-comp.sosy-lab.org/2017/systems.php on January 24, 2017
6Downloaded from hp://sv-comp.sosy-lab.org/2014/participants.php on January 24, 2017
7Solve means that the verier gives a correct answer (true/false) within the time limit. Refer to [36] for the rules of the
competition.
8hps://github.com/sosy-lab/benchexec
9Released on August 20, 2016 in hps://github.com/diblue/cbmc/releases
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:20 Liangze Yin, Wei Dong, Wanwei Liu, and Ji Wang
0.1
1
10
100
1000
0 200 400 600 800 1000 1200
Lazy‐CSeq‐Abs
MU‐CSeq
CBMC
Our tool
Accumulated score
T i
m
e  
i n
  s e
c o
n d
sec.
(a) Time comparison
10
100
1000
0 200 400 600 800 1000
Lazy‐CSeq‐Abs
MU‐CSeq
CBMC
Our tool
Accumulated solved examples
M
e m
o r
y  
i n
  M
B
MB
(b) Memory comparison
Fig. 7. Compare with state-of-the-art tools
represents the time needed to achieve a certain score 10. Both our tool and Lazy-CSeq-Abs have
successfully solved all examples and obtained 1293 points, while MU-CSeq and CBMC obtained
1243 and 1258 points, respectively. Lazy-CSeq-Abs, MU-CSeq, and CBMC spent 9820, 2540, and
12300 s to nish all examples, respectively, while our tool completed all examples within 1550 s.
Fig. 7(b) shows the overall memory consumption of the aforementioned tools. Lazy-CSeq-Abs,
MU-CSeq, CBMC, and Yogar-CBMC require 104, 103, 84 and 43 GB to solve all 1047 examples,
respectively. Given that the scheduling constraint is ignored in the abstraction, our tool always
solves small problems and consumes much less memory than the three other tools.
We further compare our tool with Lazy-CSeq-Abs, MU-CSeq, CBMC, and Threader to evaluate
its performance.
Yogar-CBMC versus Lazy-CSeq-Abs. Compared with Lazy-CSeq-Abs, our tool runs 6.34 times
faster on average, and consumes only 41% of the memory over all 1047 examples. As shown
in Fig. 8(a), Lazy-CSeq-Abs outperforms our tool in only 12 of the 1047 examples. With its
abstract interpretation technique, Lazy-CSeq-Abs outperforms our tool in those examples where
the numerical analysis dominates the complexity.
Yogar-CBMC versus MU-CSeq. MU-CSeq fails to solve 30 of the 1047 examples. Compared with
this tool, our tool runs 2.43 times faster on average and consumes only 36% of the memory for the
remaining 1017 examples. As shown in Fig. 8(b), MU-CSeq outperforms our tool in only 33 of the
1047 examples. By applying the memory unwinding technique to limit the number of writes, the
encoding size of MU-CSeq is insensitive to the scale of the data structures, thereby outperforming
our tool for some special examples.
Yogar-CBMC versus CBMC. Fig. 9(a) compares CBMC with our tool. CBMC fails to solve 23 of
the 1047 examples. Both CBMC and our tool can easily solve 92% of these examples. For these trivial
examples, the monolithic encoding may sometimes run faster. However, our tool outperforms
CBMC by 35.8 times on average in the 56 complex cases in which CBMC needs more than two
seconds to solve them.
10e rules to assign the score can be found in hp://sv-comp.sosy-lab.org/2017/rules.php
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Scheduling Constraint Based Abstraction Refinement for Multi-Threaded Program Verification1:21
0.1
1
10
100
1000
0.1 1 10 100 1000
Our tool
La
zy
‐CS
eq
‐Ab
s
sec.
sec.
(a) Our tool versus Lazy-CSeq-Abs
0.1
1
10
100
1000
0.1 1 10 100 1000
Our tool
M
U
‐CS
eq
sec.
sec.
(b) Our tool versus MU-CSeq
Fig. 8. Compare with Lazy-CSeq-Abs and MU-CSeq
0.1
1
10
100
1000
0.1 1 10 100 1000
Our tool
CB
M
C
sec.
sec.
(a) Our tool versus CBMC
0.1
1
10
100
1000
0.1 1 10 100 1000
Our tool
T h
r e
a d
e r
(b) Our tool versus Threader
Fig. 9. Compare with CBMC and Threader
Yogar-CBMC versus Threader. Threader only participated in SV-COMP 2013 and 2014. Given
that this tool cannot solve many of the examples in SV-COMP 2017, we compare it with our tool on
the benchmarks of SV-COMP 2014, which contain only 78 examples. Fig. 9(b) presents the results.
Our tool has completed all 78 examples within the time limit, while Threader completed only
59 examples. Moreover, our tool and Threader require 140 s and 6865 s to solve these examples
respectively, thereby showing that our tool is 49 times faster than Threader on average. However,
as we have declared before, Threader performs unbounded verication, while we perform BMC.
7.4 Essence Analysis
e performance of our tool is mainly aected by the number of renements, size of constraints
and cost of constraint solving, etc. We also justify the benets from the graph-based renement
generation method.
Number of renements. Fig. 10(a) presents the number of renements of our tool in the experi-
ments. e point (50, 644) indicates that 644 examples can be solved in less than 50 renements.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:22 Liangze Yin, Wei Dong, Wanwei Liu, and Ji Wang
0
200
400
600
800
1000
0 50 100 150 200 250
Number of refinements
N
u
m
b
er
 o
f 
ex
am
p
le
s
(a) Number of renements
0.1
1
10
100
1000
0.1 1 10 100 1000
Our tool
S A
T ‐
C E
G A
R
(b) Our tool versus SAT-CEGAR
Fig. 10. Number of refinements and benefits from EOG
Fig. 10(a) shows that most of the examples can be solved in less than 80 renements. In our method,
we successfully decomposed the complex verication problem into dozens of small problems.
Size of renements. Our experimental results reveal that without the scheduling constraint, the
formula size reduces to 1/8 on average and to 1/1200 in the extreme case, thereby allowing for the
abstractions to be solved quickly. However, the number of clauses increased during the renement
process can usually be ignored. Most of the examples in our experiments show hundreds or even
thousands of increase in the number of CNF clauses during the renements. However, the CNF
clause number of the abstraction may reach millions.
Cost of constraint solving. Without the scheduling constraint, the abstractions can usually be
solved instantly. Meanwhile, the graph-based EOG validation and renement generation processes
are not trivial. We have observed that in our experiments, our tool has spent most of its time
on graph analysis for those examples where the scheduling constraint dominates the encoding.
Meanwhile, for those examples where the complexity mainly stems from the complex data structures
and numerical calculation, our tool has spent most of its time on constraint solving.
Eciency benet from the graph-based renement generation. e eciency of our method mainly
benets from the graph-based renement generation. We have implemented another scheduling
constraint based abstraction renement method, SAT-CEGAR, which employs only constraint
solving for EOG validation and renement generation. SAT-CEGAR has solved only 265 of the 1047
examples in the experiments. Fig. 10(b) compares the performance of our tool with SAT-CEGAR in
solving these examples. Our tool outperforms SAT-CEGAR for most examples, and runs 58 times
faster on average. On average, our tool nds 9.3 core kernel reasons in each renement, with each
kernel reason having an average clause length of 3.06. Meanwhile, SAT-CEGAR only nds one
kernel reason in each renement, with each reason having an average clause length of 7.5.
Exceptions where the graph-based EOG validation method fails. In our method, if the constraint
solving based renement process is invoked and returns UNSAT, then we cannot achieve an
eective renement. How oen does this case occur in the experiments? Fortunately, we have not
observed cases similar to the “buery” example in our experiments, and the constraint solving
based renement process has never been invoked.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Scheduling Constraint Based Abstraction Refinement for Multi-Threaded Program Verification1:23
7.5 Threats to Validity
One threat to the validity is the limited benchmarks we have used. For those examples where the
scheduling constraint is not a major part of the encoding, our method may still need dozens of
renements. Given that those abstractions may have similar size with the monolithic encoding,
our method may perform worse than the monolithic method.
Another threat to the validity is the tools we have used. Given that dierent technologies have
dierent advantages, it is dicult to give an absolute fair comparison. In some other scenarios, one
may prefer Threader and other tools.
e third threat to the validity is the parameters we have used for each tool. Most tools have
some parameters related with their techniques, such as the loop unwinding depth. Given that
dierent tools may have dierent parameters, it is dicult to compare all the tools under the same
parameters.
8 RELATEDWORK
Addressing the control state explosion resulting from concurrency poses a signicant challenge to
concurrent program verication. Several techniques have recently been studied to overcome this
problem, including stateless model checking [1, 4, 9, 24], compositional reasoning [14, 22, 29, 32],
bounded model checking [3, 10, 20, 25, 38, 43], and abstraction renement [11, 12, 21, 29, 35], etc.
e general idea of stateless model checking is to employ partial order reduction (POR) or
dynamic partial order reduction (DPOR) [1, 4, 9, 41] to explore only non-redundant interleavings.
ere are also some work which reduces the search space by restricting the schedules of the
program [5, 40]. In compositional reasoning, rather than considering all possible interleavings
of a program, the property is decomposed into dierent components. Each component is then
considered in isolation, without any knowledge of the precise concurrent context. Recent work on
compositional reasoning includes assume-guarantee reasoning [15, 16], rely-guarantee reasoning
[19, 22, 27], thread-modular reasoning [29], and compositional reasoning [14, 32], etc.
Our scheduling constraint based abstraction renement method explores both bounded model
checking and abstraction renement. Aerward, we compare our study with the recent work on
these two methods.
On Bounded Model Checking. Bounded model checking has been considered an ecient technique
to address the interleaving problem. In SV-COMP 2017, 16 out of the 18 participants in the
concurrency track have adopted this technique [6]. However, pure BMC is still not ecient enough.
Many existing tools combine this method with other techniques. ESBMC combines symbolic model
checking with explicit state space exploration [10]. VVT employs a CTIGAR method, an SMT-based
IC3 algorithm that incorporates CEGAR [20]. e interleaving problem can also be addressed by
translating the concurrent programs into sequential programs. Tools implementing this technique
include MU-CSeq [38], Lazy-CSeq-Abs [25], and SMACK[34], etc.
However, all of these work gives an exact encoding of the scheduling constraint, while we ignore
this constraint and employ a scheduling constraint based abstraction renement method to obtain
a small yet eective abstraction w.r.t. the property.
On Abstraction Renement. Abstraction renement has been widely studied in concurrent pro-
gram verication. Most of these work employs predicate abstraction to address the data space
explosion problem [11, 12, 21–23, 42]. In predicate abstraction, it uses a nite number of predicates
to abstract the program. If an abstraction counterexample is spurious, it nds predicates that add
more details of the program to rene the abstraction, s.t. the spurious counterexample is absent in
the laer abstraction models. To nd the right set of predicates in less iterations, many heuristics
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:24 Liangze Yin, Wei Dong, Wanwei Liu, and Ji Wang
have been proposed. For example, Ashutosh Gupta and omas A. Henzinger et al. accelerated the
search for the right predicates by exploring the bad abstraction traces [21]. By contrast, we employ
abstraction renement to address the control space explosion problem resulting from the thread
interleavings. Our abstraction and renement methods are both dierent with that of predicate
abstraction.
e work most related to ours focuses on interference abstraction (IA) [35]. N. Sinha and C.
Wang also performed abstraction renement to deal with the overhead of the exact encoding of
the concurrent behavior. However, they abstracted the behavior by restricting the sets of read
events and read-write links, while we consider all read events and read-write links but relax the
scheduling constraint. Accordingly, their abstraction was rened by introducing new read events
and read-write links, while we perform the renement by exploring a graph-based method to
analyze core kernel reasons that make an counterexample infeasible. Moreover, they employ
a mixed framework of over- and under-approximations, while our method produces only over-
approximation abstractions. Given that their implementation was for Java program slices, an
empirical comparision between their and our method is dicult.
Another work closely related to ours is [26]. In this work, M. Kusano and C. Wang also presented
a set of deduction rules to help determine the infeasibility of an interference combination. However,
our task is to determine the feasibility of a counterexample which contains a large number of
read-write links, and our main innovation is to devise a graph-based renement generation method
to obtain an eective renement constraint. In addition, our deduction rules are much simpler yet
stronger than theirs.
To deal with the interleaving problem, A. Farzan and Z. Kincaid also divided the verication
into data and control modules, and incorporated them into an abstraction renement framework
[17, 18]. e dierence is that in their work, the verication is reasoned by data-ow analysis, while
we represent the program by SSA statements and employ graph and constraint based EOG analysis
approaches to do the renement. In addition, their work focuses on parameterized programs, while
we concentrate on multi-threaded programs based on Preads.
9 CONCLUSIONS
is paper proposed a scheduling constraint based abstraction renement method for multi-threaded
program verication. To obtain an eective renement, we also devised two graph-based algorithms
for counterexample validation and renement generation. Our experiment results on benchmarks
of SV-COMP 2017 show that our method is promising and signicantly outperforms the existing
state-of-the-art tools. We plan to extend this technique to weak memory models, such as TSO, PSO,
POWER, in the future.
REFERENCES
[1] Parosh Aziz Abdulla, Stavros Aronis, Bengt Jonsson, and Konstantinos F. Sagonas. 2014. Optimal dynamic partial
order reduction. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL. 373–384.
[2] Sarita V. Adve and Kourosh Gharachorloo. 1996. Shared Memory Consistency Models: A Tutorial. IEEE Computer 29,
12 (1996), 66–76.
[3] Jade Alglave, Daniel Kroening, and Michael Tautschnig. 2013. Partial Orders for Ecient Bounded Model Checking of
Concurrent Soware. In International Conference on Computer Aided Verication, CAV. 141–157.
[4] Jiri Barnat, Lubos Brim, Vojtech Havel, Jan Havlı´cek, Jan Kriho, Milan Lenco, Petr Rockai, Vladimı´r Still, and Jirı´
Weiser. 2013. DiVinE 3.0 - An Explicit-State Model Checker for Multithreaded C & C++ Programs. In International
Conference on Computer Aided Verication, CAV. 863–868.
[5] Tom Bergan, Luis Ceze, and Dan Grossman. 2013. Input-covering schedules for multithreaded programs. In ACM
SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications, OOPSLA.
677–692.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Scheduling Constraint Based Abstraction Refinement for Multi-Threaded Program Verification1:25
[6] Dirk Beyer. 2017. Reliable and Reproducible Competition Results with BenchExec and Witnesses (Report on SV-COMP
2017). In International Conference on Tools and Algorithms for Construction and Analysis of Systems, TACAS.
[7] Armin Biere, Alessandro Cimai, Edmund M. Clarke, and Yunshan Zhu. 1999. Symbolic Model Checking without
BDDs. In International Conference on Tools and Algorithms for Construction and Analysis of Systems, TACAS. 193–207.
[8] Ahmed Bouajjani, Michael Emmi, Constantin Enea, and Jad Hamza. 2015. Tractable Renement Checking for
Concurrent Objects. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL. 651–662.
[9] Katherine E. Coons, Madan Musuvathi, and Kathryn S. McKinley. 2013. Bounded partial-order reduction. In ACM
SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications, OOPSLA.
833–848.
[10] Lucas C. Cordeiro, Jeremy Morse, Denis Nicole, and Bernd Fischer. 2012. Context-Bounded Model Checking with
ESBMC 1.17 - (Competition Contribution). In International Conference on Tools and Algorithms for Construction and
Analysis of Systems, TACAS. 534–537.
[11] Andrei Marian Dan, Yuri Meshman, Martin T. Vechev, and Eran Yahav. 2013. Predicate Abstraction for Relaxed
Memory Models. In International Static Analysis Symposium, SAS. 84–104.
[12] Andrei Marian Dan, Yuri Meshman, Martin T. Vechev, and Eran Yahav. 2015. Eective Abstractions for Verication
under Relaxed Memory Models. In International Conference on Verication, Model Checking and Abstract Interpretation,
VMCAI. 449–466.
[13] Pantazis Deligiannis, Alastair F. Donaldson, and Zvonimir Rakamaric. 2015. Fast and Precise Symbolic Analysis of
Concurrency Bugs in Device Drivers (T). In 30th IEEE/ACM International Conference on Automated Soware Engineering,
ASE 2015, Lincoln, NE, USA. 166–177.
[14] omas Dinsdale-Young, Lars Birkedal, Philippa Gardner, Mahew J. Parkinson, and Hongseok Yang. 2013. Views:
compositional reasoning for concurrent programs. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming
Languages, POPL. 287–300.
[15] Karam Abd Elkader, Orna Grumberg, Corina S. Pasareanu, and Sharon Shoham. 2015. Automated Circular Assume-
Guarantee Reasoning. In International Symposium on Formal Methods, FM. 23–39.
[16] Karam Abd Elkader, Orna Grumberg, Corina S. Pasareanu, and Sharon Shoham. 2016. Automated Circular Assume-
Guarantee Reasoning with N-way Decomposition and Alphabet Renement. In International Conference on Computer
Aided Verication, CAV. 329–351.
[17] Azadeh Farzan and Zachary Kincaid. 2012. Verication of parameterized concurrent programs by modular reasoning
about data and control. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL. 297–308.
[18] Azadeh Farzan and Zachary Kincaid. 2013. Duet: Static Analysis for Unbounded Parallelism. In International Conference
on Computer Aided Verication, CAV. 191–196.
[19] Ivan Gavran, Filip Niksic, Aditya Kanade, Rupak Majumdar, and Viktor Vafeiadis. 2015. Rely/Guarantee Reasoning for
Asynchronous Programs. In International Conference on Concurrency eory, CONCUR. 483–496.
[20] Henning Gu¨nther, Alfons Laarman, and Georg Weissenbacher. 2016. Vienna Verication Tool: IC3 for Parallel Soware
- (Competition Contribution). In International Conference on Tools and Algorithms for Construction and Analysis of
Systems, TACAS. 954–957.
[21] Ashutosh Gupta, omas A. Henzinger, Arjun Radhakrishna, Roopsha Samanta, and orsten Tarrach. 2015. Succinct
Representation of Concurrent Trace Sets. InACMSIGPLAN-SIGACT Symposium on Principles of Programming Languages,
POPL. 433–444.
[22] Ashutosh Gupta, Corneliu Popeea, and Andrey Rybalchenko. 2011. Predicate abstraction and renement for verifying
multi-threaded programs. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL.
331–344.
[23] Ashutosh Gupta, Corneliu Popeea, and Andrey Rybalchenko. 2011. reader: A Constraint-Based Verier for Multi-
threaded Programs. In International Conference on Computer Aided Verication, CAV. 412–417.
[24] Je Huang. 2015. Stateless model checking concurrent programs with maximal causality reduction. In ACM SIGPLAN
Conference on Programming Language Design and Implementation, PLDI. 165–174.
[25] Omar Inverso, Ermenegildo Tomasco, Bernd Fischer, Salvatore La Torre, and Gennaro Parlato. 2014. Bounded Model
Checking of Multi-threaded C Programs via Lazy Sequentialization. In International Conference on Computer Aided
Verication, CAV. 585–602.
[26] Markus Kusano and Chao Wang. 2016. Flow-sensitive composition of thread-modular abstract interpretation. In
Proceedings of the 24th ACM SIGSOFT International Symposium on Foundations of Soware Engineering, FSE 2016, Seale,
WA, USA, November 13-18. 799–809.
[27] Ori Lahav and Viktor Vafeiadis. 2015. Owicki-Gries Reasoning for Weak Memory Models. In International Colloquium
on Automata, Languages and Programming, ICALP. 311–323.
[28] Nuno Machado, Brandon Lucia, and Luı´s E. T. Rodrigues. 2015. Concurrency debugging with dierential schedule
projections. In ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI. 586–595.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:26 Liangze Yin, Wei Dong, Wanwei Liu, and Ji Wang
[29] Alexander Malkis, Andreas Podelski, and Andrey Rybalchenko. 2010. read-Modular Counterexample-Guided
Abstraction Renement. In International Static Analysis Symposium, SAS. 356–372.
[30] Truc L. Nguyen, Omar Inverso, Bernd Fischer, Salvatore La Torre, and Gennaro Parlato. 2017. Lazy-CSeq 2.0: Combining
lazy sequentialization with abstract interpretation - (Competition Contribution). In International Conference on Tools
and Algorithms for Construction and Analysis of Systems, TACAS.
[31] Corneliu Popeea and Andrey Rybalchenko. 2013. reader: A Verier for Multi-threaded Programs - (Competition
Contribution). In International Conference on Tools and Algorithms for Construction and Analysis of Systems, TACAS.
633–636.
[32] Corneliu Popeea, Andrey Rybalchenko, and Andreas Wilhelm. 2014. Reduction for compositional verication of
multi-threaded programs. In Formal Methods in Computer-Aided Design, FMCAD. 187–194.
[33] Shaz Qadeer and Jakob Rehof. 2005. Context-Bounded Model Checking of Concurrent Soware. In International
Conference on Tools and Algorithms for Construction and Analysis of Systems, TACAS. 93–107.
[34] Zvonimir Rakamaric and Michael Emmi. 2014. SMACK: Decoupling Source Language Details from Verier Implemen-
tations. In Proceedings of the 26th International Conference on Computer Aided Verication, CAV 2014, Vienna, Austria,
July 18-22. 106–113.
[35] Nishant Sinha and Chao Wang. 2011. On interference abstractions. In ACM SIGPLAN-SIGACT Symposium on Principles
of Programming Languages, POPL. 423–434.
[36] SV-COMP. 2017. 2017 soware verication competition. (Warning: It will violate our anonymity). hp://sv-comp.
sosy-lab.org/2017/. (2017).
[37] Paul omson, Alastair F. Donaldson, and Adam Bes. 2014. Concurrency testing using schedule bounding: an
empirical study. In ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming, PPoPP. 15–28.
[38] Ermenegildo Tomasco, Omar Inverso, Bernd Fischer, Salvatore La Torre, and Gennaro Parlato. 2015. Verifying
Concurrent Programs by Memory Unwinding. In International Conference on Tools and Algorithms for Construction
and Analysis of Systems, TACAS. 551–565.
[39] Ermenegildo Tomasco, Truc L. Nguyen, Omar Inverso, Bernd Fischer, Salvatore La Torre, and Gennaro Parlato. 2016.
MU-CSeq 0.4: Individual Memory Location Unwindings - (Competition Contribution). In International Conference on
Tools and Algorithms for Construction and Analysis of Systems, TACAS. 938–941.
[40] Jingyue Wu, Yang Tang, Gang Hu, Heming Cui, and Junfeng Yang. 2012. Sound and precise analysis of parallel programs
through schedule specialization. In ACM SIGPLAN Conference on Programming Language Design and Implementation,
PLDI. 205–216.
[41] Naling Zhang, Markus Kusano, and Chao Wang. 2015. Dynamic partial order reduction for relaxed memory models.
In ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI. 250–259.
[42] Xin Zhang, Ravi Mangal, Radu Grigore, Mayur Naik, and Hongseok Yang. 2014. On abstraction renement for program
analyses in Datalog. In ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI. 27.
[43] Manchun Zheng, Michael S. Rogers, Ziqing Luo, Mahew B. Dwyer, and Stephen F. Siegel. 2015. CIVL: Formal
Verication of Parallel Programs. In International Conference on Automated Soware Engineering, ASE. 830–835.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
