VCC: A Practical System for Verifying Concurrent C

VCC is an industrial-strength verification environment for low-level concurrent system code written in C. VCC takes a program annotated with function contracts, state assertions, and type invariants, and attempts to prove that the program satisfies these annotations. It includes tools for monitoring proof attempts and for constructing partial counterexample executions for failed proofs. This paper motivates VCC, describes our verification methodology and the architecture of VCC, and reports on our experience using VCC to verify the Microsoft Hyper-V hypervisor.
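To make the three annotation kinds named above concrete, here is an added illustrative example that is not taken from the paper or from the Hyper-V code base. It uses VCC's later `_( ... )` annotation syntax (the version described in the paper spelled the same things as `requires(...)`, `ensures(...)`, `invariant(...)` macros); the function and data are invented for this page, and the `_(...)` stand-in macro below is an assumption that mirrors what VCC's own `vcc.h` does when the file is built with an ordinary C compiler rather than with VCC.

```c
#include <stddef.h>
#include <limits.h>

/* Outside VCC the annotations must compile away so an ordinary C compiler
   sees plain C; VCC's own vcc.h header does the equivalent of this macro.
   This stand-in is an assumption for the example: under VCC include vcc.h. */
#ifndef VERIFY
#define _(...)
#endif

/* Function contract: the caller must supply n readable bytes that no other
   thread can write concurrently (\thread_local_array), and must bound n so
   the running sum cannot overflow. VCC checks unsigned arithmetic for
   overflow by default, so this precondition is what makes s += a[i]
   provable. The postcondition gives callers a bound on the result. */
unsigned sum_bytes(const unsigned char *a, size_t n)
    _(requires \thread_local_array(a, n))
    _(requires n <= UINT_MAX / 255)
    _(ensures \result <= n * 255)
{
    unsigned s = 0;
    /* Loop invariants are state assertions VCC must prove on loop entry and
       after every iteration; the second one carries the no-overflow
       argument into the loop body (s + a[i] <= (i + 1) * 255 <= n * 255). */
    for (size_t i = 0; i < n; i++)
        _(invariant i <= n)
        _(invariant s <= i * 255)
    {
        s += a[i];
    }
    /* A state assertion: VCC proves it from the invariant and the loop exit
       condition; a normal compiler ignores it. */
    _(assert s <= n * 255)
    return s;
}

/* Constructed sample input so the example runs stand-alone. */
unsigned demo(void)
{
    const unsigned char sample[4] = { 1, 2, 3, 4 };
    return sum_bytes(sample, sizeof sample);   /* 10 */
}
```

Compiled without VCC the annotations vanish and the function behaves as ordinary C; under VCC the prover discharges the loop invariants, the overflow side condition on `s += a[i]`, and the postcondition, and a failed obligation is reported at the annotation that could not be proved.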
