Temporal-Safety Proofs for Systems Code

  • Thomas A. Henzinger
  • George C. Necula
  • Ranjit Jhala
  • Grégoire Sutre
  • Rupak Majumdar
  • Westley Weimer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2404)


We present a methodology and tool for verifying and certifying systems code. The verification is based on the lazy-abstraction paradigm for intertwining the following three logical steps: construct a predicate abstraction from the code, model check the abstraction, and automatically refine the abstraction based on counterexample analysis. The certification is based on the proof-carrying code paradigm. Lazy abstraction enables the automatic construction of small proof certificates. The methodology is implemented in Blast, the Berkeley Lazy Abstraction Software verification Tool. We describe our experience applying Blast to Linux and Windows device drivers. Given the C code for a driver and for a temporal-safety monitor, Blast automatically generates an easily checkable correctness certificate if the driver satisfies the specification, and an error trace otherwise.
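To make the three steps of the abstract concrete (predicate abstraction, model checking the abstraction, refinement from a spurious counterexample), here is a toy version of that loop. It is an added illustration and not Blast's code: the "driver" is a constructed control-flow graph over two integers in the style of the classic locking example, the temporal-safety monitor is a two-state lock automaton, a hand-written transfer relation for the single candidate predicate `new==old` stands in for the theorem-prover calls a real tool makes, and path feasibility is decided by bounded concrete replay rather than by a decision procedure.

```python
"""Toy lazy-abstraction loop (abstract, model check, refine) with a lock
temporal-safety monitor.  Added illustration, not Blast's code: constructed
CFG, hand-written predicate transfer relation, bounded replay as the 'prover'."""
from collections import deque

ERROR = "ERROR"
PRED = "new==old"  # the only candidate predicate the refiner may add (constructed)

# Constructed CFG in the style of the classic locking example: (src, dst, op).
CORRECT_DRIVER = [
    (0, 1, "lock"), (1, 2, "old=new"),
    (2, 4, "skip"), (2, 3, "unlock"), (3, 4, "new=new+1"),  # nondeterministic if
    (4, 0, "assume new!=old"), (4, 5, "assume new==old"),   # loop while they differ
    (5, 6, "unlock"),
]
# Same driver with `old = new` forgotten (constructed bug: a second lock()).
BUGGY_DRIVER = [(s, d, "skip" if op == "old=new" else op) for s, d, op in CORRECT_DRIVER]

def monitor(lock, op):
    """Monitor automaton: lock state 'U'/'L'; double lock or unlock -> ERROR."""
    if op == "lock":
        return "L" if lock == "U" else ERROR
    if op == "unlock":
        return "U" if lock == "L" else ERROR
    return lock

def abstract_post(state, edge, preds):
    """Abstract successor of (pc, lock, pval), or None if the edge is blocked;
    pval is the three-valued truth of PRED and is tracked only if PRED in preds."""
    _, lock, pval = state
    _, dst, op = edge
    lock = monitor(lock, op)
    if lock == ERROR:
        return (ERROR, ERROR, pval)
    if PRED in preds:
        if op == "old=new":
            pval = True
        elif op == "new=new+1":
            pval = False
        elif op == "assume new!=old" and pval is True:
            return None
        elif op == "assume new==old":
            if pval is False:
                return None
            pval = True
    return (dst, lock, pval)

def model_check(cfg, preds):
    """BFS of the abstract state space; ops of the first path to ERROR, or None."""
    start = (0, "U", None)
    parent, queue = {start: None}, deque([start])
    while queue:
        state = queue.popleft()
        for edge in (e for e in cfg if e[0] == state[0]):
            nxt = abstract_post(state, edge, preds)
            if nxt is None or nxt in parent:
                continue
            parent[nxt] = (state, edge[2])
            if nxt[0] == ERROR:  # rebuild the abstract counterexample
                ops = []
                while parent[nxt] is not None:
                    nxt, op = parent[nxt]
                    ops.append(op)
                return ops[::-1]
            queue.append(nxt)
    return None

def replay(ops, new, old):
    """Execute ops concretely from (new, old); True iff ERROR is reached."""
    lock = "U"
    for op in ops:
        lock = monitor(lock, op)
        if lock == ERROR:
            return True
        if op == "old=new":
            old = new
        elif op == "new=new+1":
            new += 1
        elif op == "assume new!=old" and new == old:
            return False
        elif op == "assume new==old" and new != old:
            return False
    return False

def feasible(ops, bound=3):
    """Bounded stand-in for a prover: an initial (new, old) in [0, bound) on
    which the path reaches ERROR, or None when the path is spurious."""
    return next(((n, o) for n in range(bound) for o in range(bound)
                 if replay(ops, n, o)), None)

def verify(cfg):
    """Abstract, check, refine until proved safe or a real error trace is found."""
    preds = set()
    while True:
        ops = model_check(cfg, preds)
        if ops is None:
            return ("safe", frozenset(preds))  # abstract reachable region avoids ERROR
        if feasible(ops) is not None:
            return ("unsafe", ops)              # counterexample holds concretely
        if PRED in preds:
            raise RuntimeError("spurious path but no candidate predicate left")
        preds.add(PRED)                         # refine from the spurious path

if __name__ == "__main__":
    print(verify(CORRECT_DRIVER))  # ('safe', frozenset({'new==old'}))
    print(verify(BUGGY_DRIVER))    # ('unsafe', ['lock', 'skip', 'skip', 'assume new!=old', 'lock'])
```

On the correct driver the first abstraction (no predicates) reports a path that re-enters `lock()` without the loop guard ever being blocked; replay shows it is infeasible because `old = new` precedes `assume new!=old`, so the loop adds `new==old` and the second model-checking run finds no abstract error state. The set of reachable abstract states on that run is exactly the kind of small certificate the abstract refers to: a checker only has to confirm that each abstract state's successors are in the set and that none is the monitor's error state. On the buggy driver the same path is concretely feasible and is returned as the error trace.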





Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Thomas A. Henzinger (1)
  • George C. Necula (1)
  • Ranjit Jhala (1)
  • Grégoire Sutre (2)
  • Rupak Majumdar (1)
  • Westley Weimer (1)

  1. EECS Department, University of California, Berkeley
  2. LaBRI, Université de Bordeaux, France
