Bounded Model Checking of Multi-threaded Software using SMT solvers by Cordeiro, Lucas & Fischer, Bernd
Bounded Model Checking of
Multi-threaded Software 
using SMT solvers using SMT solvers
Lucas Cordeiro and  Bernd Fischer
lcc08r@ecs.soton.ac.ukBounded Model Checking of
Multi-threaded Software 
using SMT solvers using SMT solvers
Lucas Cordeiro and  Bernd Fischer
lcc08r@ecs.soton.ac.ukBounded Model Checking (BMC)
Basic Idea: check negation of given property up to given depth
. . .
M0 M1 M2 Mk-1 Mk
¬ϕ0 ¬ϕ1 ¬ϕ2 ¬ϕk-1 ¬ϕk
counterexample trace 





• transition system M unrolled k times
– for programs: unroll loops, unfold arrays, …
• translated into verification condition ψ such that
ψ ψ ψ ψ satisfiable iff ϕ ϕ ϕ ϕ has counterexample of max. depth k
• has been applied successfully to verify (embedded) software
counterexample trace • concurrency bugs are tricky to reproduce/debug because 
they usually occur under specific thread interleavings
– most common errors: 67% related to atomicity and order 
violations, 30% related to deadlock [Lu et al.’08]
• problem: the number of interleavings grows exponentially 
with the number of threads (n) and program statements (s) 
BMC of Multi-threaded Software
– number of executions: O(ns)
– context  switches among threads increase the number  of 
possible executions
• two important observations help us:
– concurrency bugs are shallow [Qadeer&Rehof’05]
– SAT/SMT solvers produce unsatisfiable cores that allow us to 
remove logic that is not relevant• exploit SMT solvers to:
– prune the property and data dependent search space (non-
chronological backtracking  and conflict clauses learning)
– remove interleavings that are not relevant by analyzing the 
Objective of this work
Exploit SMT to improve BMC of multi-threaded software
– remove interleavings that are not relevant by analyzing the 
proof of unsatisfiability [NOT Craig Interpolants yet]
• propose three approaches to SMT-based BMC:
– lazy exploration of the interleavings
– schedule guards to encode all interleavings
– underapproximation and widening (UW) [Grumberg&et al.’05]
• evaluate our approaches over multi-threaded applicationsLazy exploration of interleavings
C/C++
source verification  SMT 
Idea: iteratively generate all possible interleavings and 














reused/extended from the 




parse, and  
type-check
deadlock, atomicity and 
order violations, etc…Lazy exploration of interleavings
C/C++
source verification  SMT 








Idea: iteratively generate all possible interleavings and 














deadlock, atomicity and 
order violations, etc…
check satisfiability 
using an SMT solver
stop the generate-and-test 
loop if there is an error
scheduler
reused/extended from the 













• the scheduler allows one thread to execute at a given time 
(emulate the execution on a single core)
Step 1: expand 
thread with the 
smallest subscript















• allow preemptions only before visible statements (global 
variables and synchronization points)
Thread interleavings:
a1; a2; b1; b2
a1; b1; a2; b2
…Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Running Example
• the program has sequences of operations that need to be 
protected together to avoid atomicity violation
– requirement: the region of code (val1 and val2) should execute 
atomically
A state s ∈ S consists of 
the value of the program  2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=0; val2=0;
local variabes: t1= -1; t2= -1;
the value of the program 
counter pc and the values 
of all program variablesThread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {




2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=0; val2=0;
local variabes: t1= -1; t2= -1;Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {




2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=0; val2=0;
local variabes: t1= -1; t2= -1;Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {




write access to the shared 
variable val1 in statement 2
of the thread twoStage
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=0;
local variabes: t1= -1; t2= -1;Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {




2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=0;
local variabes: t1= -1; t2= -1;Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {





2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=0;
local variabes: t1= -1; t2= -1;Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving Is
statements: 1-2-3-7-8
val1-access: WtwoStage,2 - Rreader,8
val2-access:
read access to the shared 
variable val1 in statement 8
of the thread reader
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=0;
local variabes: t1= -1; t2= -1;Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving Is
statements: 1-2-3-7-8-11
val1-access: WtwoStage,2 - Rreader,8- Rreader,11
val2-access:
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=0;
local variabes: t1= 1; t2= -1;Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving Is
statements: 1-2-3-7-8-11-12
val1-access: WtwoStage,2 - Rreader,8- Rreader,11
val2-access:
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=0;
local variabes: t1= 1; t2= -1;Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving Is
statements: 1-2-3-7-8-11-12
val1-access: WtwoStage,2 - Rreader,8- Rreader,11
val2-access:
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=0;
local variabes: t1= 1; t2= -1;
CS2Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving Is
statements: 1-2-3-7-8-11-12-4
val1-access: WtwoStage,2 - Rreader,8- Rreader,11
val2-access:
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=0;
local variabes: t1= 1; t2= -1;
CS2Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving Is
statements: 1-2-3-7-8-11-12-4-5
val1-access: WtwoStage,2 - Rreader,8- Rreader,11 - RtwoStage,5
val2-access: WtwoStage,5
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=2;
local variabes: t1= 1; t2= -1;
CS2Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving Is
statements: 1-2-3-7-8-11-12-4-5-6
val1-access: WtwoStage,2 - Rreader,8- Rreader,11 - RtwoStage,5 
val2-access: WtwoStage,5
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=2;
local variabes: t1= 1; t2= -1;
CS2Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving Is
statements: 1-2-3-7-8-11-12-4-5-6
val1-access: WtwoStage,2 - Rreader,8- Rreader,11 - RtwoStage,5 
val2-access: WtwoStage,5
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);






global variables: val1=1; val2=2;
local variabes: t1= 1; t2= -1;
CS2Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving Is
statements: 1-2-3-7-8-11-12-4-5-6-13
val1-access: WtwoStage,2 - Rreader,8- Rreader,11 - RtwoStage,5 
val2-access: WtwoStage,5
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=2;




2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving Is
statements: 1-2-3-7-8-11-12-4-5-6-13-14
val1-access: WtwoStage,2 - Rreader,8- Rreader,11 - RtwoStage,5 
val2-access: WtwoStage,5 - Rreader,14
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=2;




2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving Is
statements: 1-2-3-7-8-11-12-4-5-6-13-14-15
val1-access: WtwoStage,2 - Rreader,8- Rreader,11 - RtwoStage,5 
val2-access: WtwoStage,5 - Rreader,14
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=2;




2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving Is
statements: 1-2-3-7-8-11-12-4-5-6-13-14-15-16
val1-access: WtwoStage,2 - Rreader,8- Rreader,11 - RtwoStage,5 
val2-access: WtwoStage,5 - Rreader,14
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=2;




2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving Is
statements: 1-2-3-7-8-11-12-4-5-6-13-14-15-16
val1-access: WtwoStage,2 - Rreader,8- Rreader,11 - RtwoStage,5 
val2-access: WtwoStage,5 - Rreader,14
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





QF formula is unsatisfiable,
i.e., assertion holdsThread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {




2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=0; val2=0;
local variabes: t1= -1; t2= -1;Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {




2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=0;
local variabes: t1= -1; t2= -1;Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {





2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=0;
local variabes: t1= -1; t2= -1;Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving If
statements: 1-2-3-7-8-11-12-13-14-15-16
val1-access: WtwoStage,2- Rreader,8- Rreader,11 
val2-access: Rreader,14
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=0;
local variabes: t1= 1; t2= 0;Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving If
statements: 1-2-3-7-8-11-12-13-14-15-16
val1-access: WtwoStage,2- Rreader,8- Rreader,11
val2-access: Rreader,14
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);






global variables: val1=1; val2=0;
local variabes: t1= 1; t2= 0;Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving If
statements: 1-2-3-7-8-11-12-13-14-15-16-4-5-6
val1-access: WtwoStage,2- Rreader,8- Rreader,11 - RtwoStage,5
val2-access: Rreader,14- WtwoStage,5
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





global variables: val1=1; val2=2;
local variabes: t1= 1; t2= 0;
CS2Thread twoStage
1:  lock(m1);
2:  val1 = 1;
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
Lazy exploration: interleaving If
statements: 1-2-3-7-8-11-12-13-14-15-16-4-5-6
val1-access: WtwoStage,2- Rreader,8- Rreader,11 - RtwoStage,5
val2-access: Rreader,14- WtwoStage,5
CS1
2:  val1 = 1;
3:  unlock(m1);
4:  lock(m2);
5:  val2 = val1 + 1;
6:  unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);




QF formula is satisfiable,










global and local variables
thread identifiers
CS1
Lazy Approach: State Transitions
execution paths














CS2• naïve but useful:
– bugs usually manifest with few context switches 
[Qadeer&Rehof’05]
– keep in memory the parent nodes of all unexplored paths only
– exploit which transitions are enabled in a given state
– bound the number of preemptions (C) allowed per threads
Observations about the lazy approach
– bound the number of preemptions (C) allowed per threads
>number of executions: O(nc)
– as each formula corresponds to one possible path only, its size 
is relatively small
• can suffer performance degradation:
− in particular for correct programs where we need to invoke the 
SMT solver once for each possible execution path• add a fresh variable (ts) for each context switch block (i) so 
that 0 < tsi ≤ number of threads
– record in which order the scheduler has executed the program 
(aka scheduler guards)
Schedule Recording
Idea: systematically encode all possible interleavings 
into one formula
(aka scheduler guards)
– SMT solver determines the order in which threads are simulated
• add scheduler guards only to effective statements 
(assignments and assertions)
– record effective context switches (ECS)
>context switches to an effective statement
– ECS block: sequence of program statements that are executed 











ts1==1 ∧ ts2==1 
→ val1=1
twoStage, reader
ts1==1 ∧ ts2==2 
→ lock(m1) 
twoStage, reader
ts1==2 ∧ ts2==1 
→ lock(m1)
twoStage, reader
ts1==2 ∧ ts2==2  
→ unlock(m1)
CS1















ts1==1 ∧ ts2==1 
→ val1=1
twoStage, reader
ts1==1 ∧ ts2==2 
→ lock(m1) 
twoStage, reader
ts1==2 ∧ ts2==1 
→ lock(m1)
twoStage, reader




If the guard of the parent node is 
false then the guard of the child 
node is false as wellSchedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);




ECS block: sequence of 
program statements that 
are executed with no  2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2==(t1+1)); 
are executed with no 
intervening ECSSchedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);





guarded statement can only be 
executed if statement 1 is 
scheduled in the ECS block 1
each program statement is  2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2==(t1+1)); 
each program statement is 
then prefixed by a schedule 
guard tsi = j, where:
• i is the ECS block number
• j is the thread identifierSchedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);





ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2==(t1+1)); 
ts2 == 1Schedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);





ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);




ts2 == 1Schedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);




CS ts1 == 1
ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);




ts2 == 1Schedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);




CS ts4 == 2 ts1 == 1
ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);




ts2 == 1Schedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);




CS ts4 == 2
ts5 == 2
ts1 == 1
ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);





ts2 == 1Schedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);




CS ts4 == 2
ts5 == 2
ts1 == 1
ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);






ts2 == 1Schedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);




CS ts4 == 2
ts5 == 2
ts1 == 1
ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);







ts6 == 2Schedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);




CS ts4 == 2
ts5 == 2
ts1 == 1
ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);








ts6 == 2Schedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);




CS ts4 == 2
ts5 == 2
ts1 == 1
ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);









ts6 == 2Schedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);




CS ts4 == 2
ts5 == 2
ts1 == 1
ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);










ts6 == 2Schedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);




CS ts4 == 2
ts5 == 2
ts1 == 1
ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);











ts6 == 2Schedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);




CS ts4 == 2
ts5 == 2
ts1 == 1
ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);









ts10== 1 ts7 == 2
ts6 == 2Schedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);




CS ts4 == 2
ts5 == 2
ts1 == 1
ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2==(t1+1)); 









CSSchedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);




CS ts4 == 2
ts5 == 2
ts1 == 1
ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);













ts6 == 2Schedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);




CS ts4 == 2
ts5 == 2
ts1 == 1
ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);













ts6 == 2Schedule Recording: Interleaving Is
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);




CS ts4 == 2
ts5 == 2
ts1 == 1
ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2==(t1+1)); ts14== 2











ts6 == 2Schedule Recording: Interleaving If
Thread twoStage
1: lock(m1);
2: val1 = 1;    
Thread reader
7:  lock(m1);
8:  if (val1 == 0) {
statements: 1-2-3-7-8-11-12-13-14-15-16-4-5-6
twoStage-ECS: ts1,1-ts2,3-ts3,4-ts4,12-ts5,13-ts6,14
reader-ECS: ts7,4 -ts8,5 -ts11,6-ts12,7-ts13,8-ts14,9-ts15,10-ts16,11
CS ts4 == 2
ts5 == 2
ts1 == 1
ts2 == 1 2: val1 = 1;    
3: unlock(m1);
4: lock(m2); 
5: val2 = val1 + 1;
6: unlock(m2);
8:  if (val1 == 0) {
9:    unlock(m1);
10:  return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);















ts8 == 2• we systematically explore the thread interleavings as before, 
but now:
– add schedule guards to record in which order the scheduler 
has executed the program
– encode all execution paths into one formula
Observations about the schedule 
recoding approach
– encode all execution paths into one formula
> bound the number of preemptions 
> exploit which transitions are enabled in a given state 
• the number of threads and context switches can grow very 
large quickly, and easily “blow-up” the solver:
− there is a clear trade-off between usage of time and memory 
resources• start from a single interleaving (under-approximation) and 
widen the model by adding more interleavings incrementally
• main steps of the algorithm:
ψ
Under-approximation and Widening
Idea: check models with an increased set of allowed 
interleavings [Grumberg&et al.’05]
1. encode control literals (cli,j) into the verification condition ψ
> cli,j where i is the ECS block number and j is the thread identifier
2. check the satisfiability of ψ (stop if ψ is satisfiable)
3. extract proof objects generated by the SMT solver
4. check whether the proof depends on the control literals (stop if the 
proof does not depend on the control literals)
5. remove literals that participated in the proof and go to step 2• use the same guards as in the schedule recording approach 
as control literals 
– but here the schedule is updated based on the information 
extracted from the proof
UW Approach: Running Example
Thread twoStage
1:  lock(m1); cl1,twoStage → ts1 == 1
cl → ts == 1
1:  lock(m1);
2:  val1 = 1;    
3:  unlock(m1);
4:  lock(m2); 
5:  val2 = val1 + 1;
6:  unlock(m2);
cl2,twoStage → ts2 == 1
cl3,twoStage → ts3 == 1
cl8,twoStage → ts8 == 1
cl9,twoStage → ts9 == 1
cl10,twoStage→ ts10== 1
• reduce the number of control points from m x n to e x n
– m is the number of program statements; n is the number of 
threads, and e is the number of ECS blocksEvaluation EvaluationComparison of the Approaches
• Goal: compare efficiency of the proposed approaches
– lazy exploration
– schedule recording
– under-approximation and widening
• Set-up:
– ESBMC v1.6 together with the SMT solver Z3 v2.7
– support the logics QF_AUFBV and QF_AUFLIRA
– standard desktop PC, time-out 3600 secondsAbout the benchmarks
Module #L #P k #T #C Description
1 fsbench_ok 81 47 27 26 2 Frangipani file system
2 fsbench_bad 80 48 28 27 2
Frangipani file system with array 
out of bounds
3 indexer_ok 77 21 129 13 4
insert messages into a hash table 
concurrently






the number of BMC 
unrolling steps





5 reorder_bad 84 16 11 20 3 contains a data race
6 twostage_bad 128 8 16 30 3 contains an atomicity violation
7 wronglock_bad 110 8 5 8 7
threads do not obtain the same 
lock instance
8 exStbHDMI_ok 1060 25 16 2 20
set various capabilities in the 
HDMI device
9 exStbLED_ok 425 45 10 2 - front panel LED display
10 exStbThumb_bad 1109 243 2 2 1
Demonstrate how thumbnail 
images can be displayed and layer 
blending can be used
unrolling stepsAbout the benchmarks
Module #L #P k #T #C Description
1 fsbench_ok 81 47 27 26 2 Frangipani file system
2 fsbench_bad 80 48 28 27 2
Frangipani file system with array 
out of bounds
3 indexer_ok 77 21 129 13 4
insert messages into a hash table 
concurrently







5 reorder_bad 84 16 11 20 3 contains a data race
6 twostage_bad 128 8 16 30 3 contains an atomicity violation
7 wronglock_bad 110 8 5 8 7
threads do not obtain the same 
lock instance
8 exStbHDMI_ok 1060 25 16 2 20
set various capabilities in the 
HDMI device
9 exStbLED_ok 425 45 10 2 - front panel LED display
10 exStbThumb_bad 1109 243 2 2 1
Demonstrate how thumbnail 
images can be displayed and layer 
blending can be usedAbout the benchmarks
Module #L #P k #T #C Description
1 fsbench_ok 81 47 27 26 2 Frangipani file system
2 fsbench_bad 80 48 28 27 2
Frangipani file system with array 
out of bounds
3 indexer_ok 77 21 129 13 4
insert messages into a hash table 
concurrently







5 reorder_bad 84 16 11 20 3 contains a data race
6 twostage_bad 128 8 16 30 3 contains an atomicity violation
7 wronglock_bad 110 8 5 8 7
threads do not obtain the same 
lock instance
8 exStbHDMI_ok 1060 25 16 2 20
set various capabilities in the 
HDMI device
9 exStbLED_ok 425 45 10 2 - front panel LED display
10 exStbThumb_bad 1109 243 2 2 1
Demonstrate how thumbnail 
images can be displayed and layer 
blending can be usedAbout the benchmarks
Module #L #P k #T #C Description
1 fsbench_ok 81 47 27 26 2 Frangipani file system
2 fsbench_bad 80 48 28 27 2
Frangipani file system with array 
out of bounds
3 indexer_ok 77 21 129 13 4
insert messages into a hash table 
concurrently
4 aget-0.4_bad 1233 170 257 3 2
Multi-threaded download 
accelerator Set-top box  accelerator
5 reorder_bad 84 16 11 20 3 contains a data race
6 twostage_bad 128 8 16 30 3 contains an atomicity violation
7 wronglock_bad 110 8 5 8 7
threads do not obtain the same 
lock instance
8 exStbHDMI_ok 1060 25 16 2 20
set various capabilities in the 
HDMI device
9 exStbLED_ok 425 45 10 2 - front panel LED display
10 exStbThumb_bad 1109 243 2 2 1
Demonstrate how thumbnail 
images can be displayed and layer 
blending can be used
Set-top box 
applications from NXP 
semiconductorsComparison of the approaches (1)
Lazy Schedule UW
Time #P #I Time #P Time #P
Module Total Fail Error
#I/
#IF
Total Fail Error Total Fail Error Iter
fsbench_bad 1 1 0
729/
729
452 1 0 1779 1 0 2
fsbench_ok 282 0 0 676/0 334 0 0 335 0 0 1














indexer_ok 575 0 0 17160/
0 238 0 0 234 0 0 1
aget-0.4_bad 248 1 0 2/1 254 1 0 245 1 0 1
reorder_bad <1 1 0 32/20 <1 1 0 2 1 0 3
twostage_bad 3 1 0 41/15 2 1 0 7 1 0 4
wronglock_bad 84 1 0
20507/
16
293 1 0 2089 1 0 3
exStbHDMI_ok 268 0 0 1/0 260 0 0 278 0 0 1
exStbLED_ok 900 0 0 11/0 MO 0 1 MO 0 1 1
exStbThumb_bad 14 1 0 3/1 MO 0 1 MO 0 1 1
GOOD THING BAD THINGComparison of the approaches (1)
Lazy Schedule UW
Time #P #I Time #P Time #P
Module Total Fail Error
#I/
#IF
Total Fail Error Total Fail Error Iter
fsbench_bad 1 1 0
729/
729
452 1 0 1779 1 0 2
fsbench_ok 282 0 0 676/0 334 0 0 335 0 0 1
indexer_ok 575 0 0 17160/ 238 0 0 234 0 0 1
lazy encoding often 
more efficient than 
schedule recording 
and UW
indexer_ok 575 0 0 17160/
0 238 0 0 234 0 0 1
aget-0.4_bad 248 1 0 2/1 254 1 0 245 1 0 1
reorder_bad <1 1 0 32/20 <1 1 0 2 1 0 3
twostage_bad 3 1 0 41/15 2 1 0 7 1 0 4
wronglock_bad 84 1 0
20507/
16
293 1 0 2089 1 0 3
exStbHDMI_ok 268 0 0 1/0 260 0 0 278 0 0 1
exStbLED_ok 900 0 0 11/0 MO 0 1 MO 0 1 1
exStbThumb_bad 14 1 0 3/1 MO 0 1 MO 0 1 1Comparison of the approaches (2)
Lazy Schedule UW
Time #P #I Time #P Time #P
Module Total Fail Error
#I/
#IF
Total Fail Error Total Fail Error Iter
fsbench_bad 1 1 0
729/
729
452 1 0 1779 1 0 2
fsbench_ok 282 0 0 676/0 334 0 0 335 0 0 1
indexer_ok 575 0 0 17160/ 238 0 0 234 0 0 1
lazy encoding often more 
efficient than schedule 
recording and UW, but 
not always
indexer_ok 575 0 0 17160/
0 238 0 0 234 0 0 1
aget-0.4_bad 248 1 0 2/1 254 1 0 245 1 0 1
reorder_bad <1 1 0 32/20 <1 1 0 2 1 0 3
twostage_bad 3 1 0 41/15 2 1 0 7 1 0 4
wronglock_bad 84 1 0
20507/
16
293 1 0 2089 1 0 3
exStbHDMI_ok 268 0 0 1/0 260 0 0 278 0 0 1
exStbLED_ok 900 0 0 11/0 MO 0 1 MO 0 1 1
exStbThumb_bad 14 1 0 3/1 MO 0 1 MO 0 1 1Comparison of the approaches (3)
Lazy Schedule UW
Time #P #I Time #P Time #P
Module Total Fail Error
#I/
#IF
Total Fail Error Total Fail Error Iter
fsbench_bad 1 1 0
729/
729
452 1 0 1779 1 0 2
fsbench_ok 282 0 0 676/0 334 0 0 335 0 0 1
indexer_ok 575 0 0 17160/ 238 0 0 234 0 0 1
lazy encoding is 
extremely fast for 
satisfiable instances
indexer_ok 575 0 0 17160/
0 238 0 0 234 0 0 1
aget-0.4_bad 248 1 0 2/1 254 1 0 245 1 0 1
reorder_bad <1 1 0 32/20 <1 1 0 2 1 0 3
twostage_bad 3 1 0 41/15 2 1 0 7 1 0 4
wronglock_bad 84 1 0
20507/
16
293 1 0 2089 1 0 3
exStbHDMI_ok 268 0 0 1/0 260 0 0 278 0 0 1
exStbLED_ok 900 0 0 11/0 MO 0 1 MO 0 1 1
exStbThumb_bad 14 1 0 3/1 MO 0 1 MO 0 1 1Results
• lazy, schedule recording, and UW algorithms
– lazy: check constraints lazily is fast for satisfiable instances
– schedule recording: the number of threads and context switches 
can grow quickly (and easily “blow-up” the model checker)
– UW: memory overhead and slowdowns to extract the unsat core
• handle more than two threads, detect concurrency bugs (e.g., 
atomicity and order violations, deadlocks) 
Future Work
• partial order reduction (static and dynamic)
• interpolants to prove no interference of context switches
• fault localization in multi-threaded C programs
atomicity and order violations, deadlocks) 
• users.ecs.soton.ac.uk/lcc08r/esbmc/