Extracting Safe Thread Schedules from Incomplete Model Checking Results

Model checkers frequently fail to completely verify a concurrent program, even if partial-order reduction is applied. The verication engineer is left in doubt whether the program is safe and the eort towards verifying the program is wasted. We present a technique that uses the results of such incomplete verication attempts to construct a (fair) scheduler that allows the safe execution of the partially veried concurrent program. This scheduler restricts the execution to schedules that have been proven safe (and prevents executions that were found to be erroneous). We evaluate the performance of our technique and show how it can be improved using partial-order reduction. While constraining the scheduler results in a considerable performance penalty in general, we show that in some cases our approach| somewhat surprisingly|even leads to faster executions.