Automated, Compositional and Iterative Deadlock Detection*

Sagar Chaki, Edmund Clarke, Joël Ouaknine, Natasha Sharygina
Carnegie Mellon University, Pittsburgh, USA
{chaki|emc|ouaknine|natalie}@cs.cmu.edu

Abstract

We present an algorithm to detect deadlocks in concurrent message-passing programs. Even though deadlock is inherently non-compositional and its absence is not preserved by standard abstractions, our framework employs both abstraction and compositional reasoning to alleviate the state space explosion problem. We iteratively construct increasingly precise abstractions on the basis of spurious counterexamples to either detect a deadlock or prove that no deadlock exists. Our approach is inspired by the counterexample-guided abstraction refinement paradigm. However, our notion of abstraction as well as our schemes for verification and abstraction refinement differ in key respects from existing abstraction refinement frameworks. Our algorithm is also compositional in that abstraction, counterexample validation, and refinement are all carried out component-wise and do not require the construction of the complete state space of the concrete system under consideration. Finally, our approach is completely automated and provides diagnostic feedback in case a deadlock is detected. We have implemented our technique in the MAGIC verification tool and present encouraging results (up to a 20-fold speed-up and a 4-fold reduction in memory consumption) with concurrent message-passing C programs. We also report a bug in the real-time operating system MicroC/OS version 2.70.

1. Introduction

Ensuring that standard software components are assembled in a way that guarantees the delivery of reliable services is an important task for system designers. Certifying the absence of deadlock in a composite system is an example of a stringent requirement that has to be satisfied before the system can be deployed in real life. This is especially true for safety-critical systems, such as embedded systems or plant controllers, that are expected to always service requests within a fixed time limit or be responsive to external stimuli. Moreover, in case a deadlock is detected, it is highly desirable to be able to provide system designers and implementers with appropriate diagnostic feedback.

However, despite significant efforts, validating the absence of deadlock in systems of realistic complexity remains a major challenge. The problem is especially acute in the context of concurrent programs that communicate via mechanisms with blocking semantics, e.g., synchronous message-passing and semaphores. The primary obstacle is the well-known state space explosion problem, whereby the size of the state space of a concurrent system increases exponentially with the number of components. Two paradigms are usually recognized as being the most effective against the state space explosion problem: abstraction and compositional reasoning. Even though these two approaches have been widely studied in the context of formal verification [17, 11, 27, 19], they find much less use in deadlock detection. This is possibly a consequence of the fact that deadlock is inherently non-compositional and its absence is not preserved by standard abstractions (see Example 3). Therefore, a compositional and abstraction-based deadlock detection scheme, such as the one we present in this article, is especially significant.

Counterexample-guided abstraction refinement [22] (CEGAR for short) is a methodology that uses abstraction in an automated manner and has been successful in verifying real-life hardware [10] and software [3] systems. A CEGAR-based scheme iteratively computes more and more precise abstractions (starting with a very coarse one) of a target system on the basis of spurious counterexamples until a real counterexample is obtained or the system is found to be correct. The approach presented in this article combines both abstraction and compositional reasoning within a CEGAR-based framework for verifying the ab-

* This research was sponsored by the Semiconductor Research Corporation (SRC) under contract no. 99-TJ-684, the National Science Foundation (NSF) under grants no. CCR-9803774 and CCR-0121547, the Office of Naval Research (ONR) and the Naval Research Laboratory (NRL) under contract no. N00014-01-1-0796, the Army Research Office (ARO) under contract no. DAAD19-01-1-0485, and was conducted as part of the PACC project at the Software Engineering Institute. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of SRC, NSF, ONR, NRL, ARO, the U.S. Government or any other entity.

0-7803-8509-8/04/$20.00 © 2004 IEEE.
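The notion of deadlock used in this introduction, a reachable global state of a synchronously composed system in which no component can make a move, as an added example that is not code from the paper or from the MAGIC tool: an explicit-state detector that builds the full product of a constructed toy system, i.e. the brute-force construction whose state space explosion the compositional, abstraction-based algorithm above is designed to avoid. The process definitions, action names and rendezvous semantics (CSP-style: a visible action is a joint step of every component whose alphabet contains it, while `tau` steps are local) are my assumptions, not the paper's model. The returned action sequence is the kind of diagnostic counterexample the abstract refers to.

```python
from collections import deque
from dataclasses import dataclass, field
from itertools import product

TAU = "tau"  # internal action: taken by one component alone, never synchronised


@dataclass
class Process:
    """A labelled transition system: state -> list of (action, successor)."""
    name: str
    initial: str
    transitions: dict
    finals: frozenset = field(default_factory=frozenset)  # legitimate end states

    @property
    def alphabet(self):
        return {a for succs in self.transitions.values() for a, _ in succs if a != TAU}

    def enabled(self, state, action):
        return [t for a, t in self.transitions.get(state, ()) if a == action]


def successors(procs, gstate):
    """Yield (action, next_gstate) for every move enabled in global state gstate.

    A tau move advances one component; a visible action is a rendezvous of every
    component that has it in its alphabet, so it is enabled only if all of them
    can take it from their current local state."""
    for i, p in enumerate(procs):
        for a, t in p.transitions.get(gstate[i], ()):
            if a == TAU:
                yield (f"{p.name}:{TAU}", gstate[:i] + (t,) + gstate[i + 1:])
    visible = set().union(*(p.alphabet for p in procs))
    for a in sorted(visible):
        participants = [i for i, p in enumerate(procs) if a in p.alphabet]
        choices = [procs[i].enabled(gstate[i], a) for i in participants]
        if any(not c for c in choices):
            continue  # some participant cannot offer a: no rendezvous
        for combo in product(*choices):
            nxt = list(gstate)
            for i, t in zip(participants, combo):
                nxt[i] = t
            yield (a, tuple(nxt))


def find_deadlock(procs):
    """Breadth-first search over the synchronous product.

    Returns None if no reachable global state is deadlocked, otherwise the list
    of actions leading from the initial global state to the first deadlocked
    state found (the diagnostic counterexample). A state in which every
    component sits in one of its final states is termination, not deadlock."""
    init = tuple(p.initial for p in procs)
    parent = {init: None}
    queue = deque([init])
    while queue:
        g = queue.popleft()
        moves = list(successors(procs, g))
        if not moves and not all(g[i] in p.finals for i, p in enumerate(procs)):
            trace = []
            while parent[g] is not None:
                g, a = parent[g]
                trace.append(a)
            return trace[::-1]
        for a, n in moves:
            if n not in parent:
                parent[n] = (g, a)
                queue.append(n)
    return None


# Constructed toy systems (not from the paper).
# P initialises locally, then repeatedly offers rendezvous a followed by b.
P = Process("P", "s0", {"s0": [(TAU, "s1")], "s1": [("a", "s2")], "s2": [("b", "s1")]})
# Q_bad offers the same actions in the opposite order: a crossed rendezvous.
Q_bad = Process("Q", "t0", {"t0": [("b", "t1")], "t1": [("a", "t0")]})
Q_good = Process("Q", "t0", {"t0": [("a", "t1")], "t1": [("b", "t0")]})

# A terminating pipeline: Src puts one item into a one-place Buf, Sink gets it.
Src = Process("Src", "x0", {"x0": [("put", "x1")]}, frozenset({"x1"}))
Buf = Process("Buf", "y0", {"y0": [("put", "y1")], "y1": [("get", "y0")]}, frozenset({"y0"}))
Sink_ok = Process("Sink", "z0", {"z0": [("get", "z1")]}, frozenset({"z1"}))
# Sink_bad expects two items but only one is ever produced.
Sink_bad = Process("Sink", "z0", {"z0": [("get", "z1")], "z1": [("get", "z2")]}, frozenset({"z2"}))

if __name__ == "__main__":
    for label, system in [("P || Q_bad", [P, Q_bad]), ("P || Q_good", [P, Q_good]),
                          ("pipeline ok", [Src, Buf, Sink_ok]),
                          ("pipeline bad", [Src, Buf, Sink_bad])]:
        print(f"{label}: deadlock trace = {find_deadlock(system)}")
```

Note that `find_deadlock` enumerates every reachable tuple of local states, so its work grows with the product of the component sizes; that is exactly the blow-up the paper's component-wise abstraction and refinement avoid. The crossed-rendezvous case also illustrates why deadlock is non-compositional: P and Q_bad are each deadlock-free in isolation, and the deadlock appears only in their composition.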