Dat3M: Memory Model Aware Verification

Dartagnan is a tool to check several correctness properties under weak memory models.

Requirements

• Maven 3.8 or above
• Java 17 or above
• GraalVM (only if you run in native mode; recommended!)
• Clang (only to verify C programs)
• Graphviz (only if option --witness=png is used)

Installation

Docker

The docker contains everything pre-installed to run the tool.

1. Build the container:

docker build . -t dartagnan

2. Run the container:

docker run -w /home/Dat3M -it dartagnan /bin/bash

From Sources

Set the following environment variables

export DAT3M_HOME=<Dat3M root>
export DAT3M_OUTPUT=$DAT3M_HOME/output
// The ones below are only required for native mode
export GRAALVM_HOME=<GraalVM distribution root>
export PATH=$DAT3M_HOME/dartagnan/target/:$PATH
// Use DYLD_LIBRARY_PATH for MacOS
export LD_LIBRARY_PATH=$DAT3M_HOME/dartagnan/target/libs/:$LD_LIBRARY_PATH

To build the tool in native mode (recommended!) run

mvn clean -Pnative install -DskipTests

Alternatively, to build the tool in JVM mode (faster compilation, but slower execution) run

mvn clean install -DskipTests

Usage

Dartagnan supports programs written in the .c, .ll, .litmus and spvasm formats. If you are verifying C code, be sure clang is in your PATH.

There are three possible results for the verification:

• FAIL: the property was violated.
• PASS: loops have been fully unrolled and the property satisfied.
• UNKNOWN: no violation was found, but loops have not been fully unrolled (you need to increase the unrolling bound).

To run Dartagnan from the console in native mode:

dartagnan <CAT file> [--target=<arch>] <program file> [options]

To run in JVM mode:

java -jar $DAT3M_HOME/dartagnan/target/dartagnan.jar <CAT file> [--target=<arch>] <program file> [options]

For programs written in .c, value <arch> specifies the programming language or architectures to which the program will be compiled. For programs written in .litmus format, if the --target option is not given, Dartagnan will automatically extract the <arch> from the litmus test header. <arch> must be one of the following:

• c11
• lkmm
• imm
• tso
• power
• arm8
• riscv
• ptx
• vulkan
• opencl

The target architecture is supposed to match (this is responsibility of the user) the intended weak memory model specified by the CAT file.

Further options can be specified using --<option>=<value>. Common options include:

• bound: unrolling bound for the BMC (default is 1).
• property: the properties to be checked. Possible values are program_spec (e.g, safety properties as program assertions), termination (i.e., all loops terminate), cat_spec (e.g., data races as specified in the cat file). Default is program_spec,cat_spec,termination.
• solver: specifies which SMT solver to use as a backend. Since we use JavaSMT, several SMT solvers are supported depending on the OS and the used SMT logic (default is Z3).
• method: specifies which solving method to use. Option lazy (the default one) uses a customized solver for memory consistency. Option eager solves a monolithic formula using SMT solving.

Dartagnan supports input non-determinism using the SVCOMP command __VERIFIER_nondet_X.

You can set up specific bounds for individual loops in the C code by annotating the loop with __VERIFIER_loop_bound(...). For example,

__VERIFIER_loop_bound(2);
while(1) {
    ...
}

will unroll this loop twice and use the bound passed to the --bound option for all other loops.

Dartagnan also comes with a user interface (not available from the docker container) where it is easy to import, export and modify both the program and the memory model and select the options for the verification engine (see below). You can start the user interface by running

java -jar $DAT3M_HOME/ui/target/ui.jar

Authors and Contact

Maintainer:

• Hernán Ponce de León

Developers:

• Natalia Gavrilenko
• Thomas Haas
• René Pascal Maseli
• Haining Tong

Former Developers:

• Florian Furbach

Please feel free to contact us in case of questions or to send feedback.

Awards

• Gold and Silver Medal @ SVCOMP 2025
• Gold Medal (x2) @ SVCOMP 2024
• Gold Medal @ SVCOMP 2023
• Distinguished Paper @ OOPSLA 2022

References

[1] Hernán Ponce de León, Florian Furbach, Keijo Heljanko, Roland Meyer: Portability Analysis for Weak Memory Models. PORTHOS: One Tool for all Models. SAS 2017.

[2] Hernán Ponce de León, Florian Furbach, Keijo Heljanko, Roland Meyer: BMC with Memory Models as Modules. FMCAD 2018.

[3] Natalia Gavrilenko, Hernán Ponce de León, Florian Furbach, Keijo Heljanko, Roland Meyer: BMC for Weak Memory Models: Relation Analysis for Compact SMT Encodings. CAV 2019.

[4] Hernán Ponce de León, Florian Furbach, Keijo Heljanko, Roland Meyer: Dartagnan: Bounded Model Checking for Weak Memory Models (Competition Contribution). TACAS 2020.

[5] Hernán Ponce de León, Thomas Haas, Roland Meyer: Dartagnan: Leveraging Compiler Optimizations and the Price of Precision (Competition Contribution). TACAS 2021.

[6] Hernán Ponce de León, Thomas Haas, Roland Meyer: Dartagnan: SMT-based Violation Witness Validation (Competition Contribution). TACAS 2022.

[7] Thomas Haas, Roland Meyer, Hernán Ponce de León: CAAT: Consistency as a Theory. OOPSLA 2022.

[8] Thomas Haas, René Maseli, Roland Meyer, Hernán Ponce de León: Static Analysis of Memory Models for SMT Encodings. OOPSLA 2023.

[9] Haining Tong, Natalia Gavrilenko, Hernán Ponce de León, Keijo Heljanko: Towards Unified Analysis of GPU Consistency. ASPLOS 2024.

[10] Thomas Haas, Roland Meyer, Hernán Ponce de León, Andrés Lomelí Garduño: Recurrence Sets for Proving Fair Non-termination under Axiomatic Memory Consistency Models. POPL 2026.