Thread Quantification for Concurrent Shape Analysis J. Berdine 1 , T. Lev-Ami 2,⋆ , R. Manevich 2,⋆⋆ , G. Ramalingam 3 , and M. Sagiv 2 1 Microsoft Research Cambridge, jjb@microsoft.com 2 Tel Aviv University, {tla,rumster,msagiv}@post.tau.ac.il 3 Microsoft Research India, grama@microsoft.com Abstract. In this paper we address the problem of shape analysis for concurrent programs. We present new algorithms, based on abstract interpretation, for auto- matically verifying properties of programs with an unbounded number of threads manipulating an unbounded shared heap. Our algorithms are based on a new abstract domain whose elements represent thread-quantified invariants: i.e., invariants satisfied by all threads. We exploit existing abstractions to represent the invariants. Thus, our technique lifts existing abstractions by wrapping universal quantification around elements of the base abstract domain. Such abstractions are effective because they are thread modular: e.g., they can capture correlations between the local variables of the same thread as well as correlations between the local variables of a thread and global variables, but forget correlations between the states of distinct threads. (The exact nature of the abstraction, of course, depends on the base abstraction lifted in this style.) We present techniques for computing sound transformers for the new abstraction by using transformers of the base abstract domain. We illustrate our technique in this paper by instantiating it to the Boolean Heap abstraction, producing a Quan- tified Boolean Heap abstraction. We have implemented an instantiation of our technique with Canonical Abstraction as the base abstraction and used it to suc- cessfully verify linearizability of data-structures in the presence of an unbounded number of threads. 1 Introduction This paper is concerned with verifying (basic safety and other functional correctness) properties of dynamically-allocated data structures in programs with an unbounded number of threads. For example, the techniques in this paper enable, for the first time, automatic verification of linearizability of various implementations of concurrent data structures even when an unbounded number of client threads manipulate these data structures concurrently. Our approach is based on abstract interpretation, which requires us to address the standard two principal challenges: – to define a finite representation of infinite sets of program states that can concisely and precisely express the properties of interest, and – to compute sound transformers, which over-approximate a program’s semantics using this representation. ⋆ Supported by an Adams Fellowship through the Israel Academy of Sciences and Humanities. ⋆⋆ This research was partially supported by the Clore Fellowship Programme.