Traditionally, the full verification of a program's functional correctness has been obtained with pen and paper or with interactive proof assistants, whereas only reduced verification tasks, such as extended static checking, have enjoyed the automation offered by satisfiability-modulo-theories (SMT) solvers. More recently, powerful SMT solvers and well-designed program verifiers are starting to break that tradition, thus reducing the effort involved in doing full verification.

This paper gives a tour of the language and verifier Dafny, which has been used to verify the functional correctness of a number of challenging pointer-based programs. The paper describes the features incorporated in Dafny, illustrating their use by small examples and giving a taste of how they are coded for an SMT solver. As a larger case study, the paper shows the full functional specification of the Schorr-Waite algorithm in Dafny.

/pdf/dafny-an-automatic-program-verifier-for-functional-2trag0l49s.pdf

Dafny: an automatic program verifier for functional correctness

We present a new approach to partial-order reduction for model checking software. This approach is based on initially exploring an arbitrary interleaving of the various concurrent processes/threads, and dynamically tracking interactions between these to identify backtracking points where alternative paths in the state space need to be explored. We present examples of multi-threaded programs where our new dynamic partial-order reduction technique significantly reduces the search space, even though traditional partial-order algorithms are helpless.

/pdf/dynamic-partial-order-reduction-for-model-checking-software-1ioo5wzpfm.pdf

Dynamic partial-order reduction for model checking software

VCC is an industrial-strength verification environment for low-level concurrent system code written in C. VCC takes a program (annotated with function contracts, state assertions, and type invariants) and attempts to prove the correctness of these annotations. It includes tools for monitoring proof attempts and constructing partial counterexample executions for failed proofs. This paper motivates VCC, describes our verification methodology, describes the architecture of VCC, and reports on our experience using VCC to verify the Microsoft Hyper-V hypervisor.

/pdf/vcc-a-practical-system-for-verifying-concurrent-c-5015oi9z23.pdf

VCC: A Practical System for Verifying Concurrent C

Concurrency is pervasive in large systems. Unexpected interference among threads often results in "Heisenbugs" that are extremely difficult to reproduce and eliminate. We have implemented a tool called CHESS for finding and reproducing such bugs. When attached to a program, CHESS takes control of thread scheduling and uses efficient search techniques to drive the program through possible thread interleavings. This systematic exploration of program behavior enables CHESS to quickly uncover bugs that might otherwise have remained hidden for a long time. For each bug, CHESS consistently reproduces an erroneous execution manifesting the bug, thereby making it significantly easier to debug the problem. CHESS scales to large concurrent programs and has found numerous bugs in existing systems that had been tested extensively prior to being tested by CHESS. CHESS has been integrated into the test frameworks of many code bases inside Microsoft and is used by testers on a daily basis.

/pdf/finding-and-reproducing-heisenbugs-in-concurrent-programs-2zb765d6ea.pdf

Finding and reproducing Heisenbugs in concurrent programs

Checking the satisfiability of logical formulas, SMT solvers scale orders of magnitude beyond custom ad hoc solvers.

Satisfiability modulo theories: introduction and applications

The quest for modular concurrency reasoning has led to recent proposals that extend program assertions to include not just knowledge about the state, but rights to access the state. We argue that these rights are really just sugar for knowledge that certain updates preserve certain invariants.

/pdf/invariants-modularity-and-rights-1iqtkjupom.pdf

Invariants, modularity, and rights

We, the organizers and participants, report our experiences from the 1st Verified Software Competition, held in August 2010 in Edinburgh at the VSTTE 2010 conference.

/pdf/the-1st-verified-software-competition-experience-report-10oqkx306b.pdf

The 1st verified software competition: experience report

https://www.microsoft.com/en-us/research/wp-content/uploads/2009/05/ssv2009.pdf

A Precise Yet Efficient Memory Model For C

We describe a practical method for reasoning about realistic concurrent programs Our method allows global two-state invariants that restrict update of shared state We provide simple, sufficient conditions for checking those global invariants modularly The method has been implemented in VCC, an automatic, sound, modular verifier for concurrent C programs VCC has been used to verify functional correctness of tens of thousands of lines of Microsoft's Hyper-V virtualization platform and of SYSGO's embedded real-time operating system PikeOS.

/pdf/local-verification-of-global-invariants-in-concurrent-2b7p4cxjwc.pdf

Ernie Cohen

Papers

VCC: A Practical System for Verifying Concurrent C

Invariants, modularity, and rights

The 1st verified software competition: experience report

A Precise Yet Efficient Memory Model For C

Local verification of global invariants in concurrent programs