Efficient Deadlock-Freedom Checking using Local Analysis and SAT Solving

Pedro Antonino, Thomas Gibson-Robinson, and A.W. Roscoe
Department of Computer Science, University of Oxford, UK
{pedro.antonino,thomas.gibson-robinson,bill.roscoe}@cs.ox.ac.uk

Abstract. We build upon established techniques of deadlock analysis by formulating a new sound but incomplete framework for deadlock-freedom analysis that tackles some sources of imprecision of current incomplete techniques. Our new deadlock candidate criterion is based on constraints derived from the analysis of the state space of pairs of components. This new characterisation represents an improvement in the accuracy of current incomplete techniques; in particular, the so-called non-hereditary deadlock-free systems (i.e. deadlock-free systems that have a deadlocking subsystem), which are neglected by most incomplete techniques, are tackled by our framework. Furthermore, we demonstrate how SAT checkers can be used to efficiently implement our framework in a way that, typically, scales better than current techniques for deadlock analysis. This is demonstrated by a series of practical experiments.

1 Introduction

Deadlock freedom is usually an important goal when developing and verifying a concurrent system. A system is deadlock free if and only if it cannot reach a state in which it can perform no further actions. Moreover, many safety properties can be reduced to verifying deadlock freedom of modified systems [12]. Unsurprisingly, even when restricted to deadlock analysis, existing automated verification techniques still suffer from the state explosion problem. Incomplete techniques for deadlock analysis [6, 15, 14] have been proposed in attempts to circumvent the state explosion problem. These frequently scale far better than the full state analysis required by model checking, and are sound in proving deadlock freedom, but (i) tend not to provide examples of deadlocks when they fail and (ii) can fail even for some deadlock-free systems; the latter is what is meant by “incomplete”. One can see this incompleteness as the price to pay for achieving scalability.

Current incomplete techniques are typically built around the principle that a deadlock state, under reasonable assumptions, always presents a cycle of ungranted requests between components of the system¹. An ungranted request arises from

¹ Depending on the properties of the underlying communicating system, one might be able to restrict such cycles to proper cycles, which have at least three nodes, and where all the nodes are distinct.