VCC: A Practical System for Verifying Concurrent C

  • Ernie Cohen
  • Markus Dahlweid
  • Mark Hillebrand
  • Dirk Leinenbach
  • Michał Moskal
  • Thomas Santen
  • Wolfram Schulte
  • Stephan Tobies
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5674)


VCC is an industrial-strength verification environment for low-level concurrent system code written in C. VCC takes a program (annotated with function contracts, state assertions, and type invariants) and attempts to prove the correctness of these annotations. It includes tools for monitoring proof attempts and constructing partial counterexample executions for failed proofs. This paper motivates VCC, describes our verification methodology, describes the architecture of VCC, and reports on our experience using VCC to verify the Microsoft Hyper-V hypervisor.


Concurrent Program Separation Logic Type Invariant Page Table Atomic Block 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Verisoft XT: The Verisoft XT project (2007),
  2. 2.
    Cohen, E., Moskal, M., Schulte, W., Tobies, S.: A precise yet efficient memory model for C. In: SSV 2009. ENTCS. Elsevier Science B.V., Amsterdam (2009)Google Scholar
  3. 3.
    Flanagan, C., Freund, S.N., Qadeer, S.: Thread-modular verification for shared-memory programs. In: Le Métayer, D. (ed.) ESOP 2002. LNCS, vol. 2305, pp. 262–277. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. 4.
    Jacobs, B., Piessens, F., Leino, K.R.M., Schulte, W.: Safe concurrency for aggregate objects with invariants. In: Aichernig, B.K., Beckert, B. (eds.) SEFM 2005, pp. 137–147. IEEE, Los Alamitos (2005)Google Scholar
  5. 5.
    Maus, S., Moskal, M., Schulte, W.: Vx86: x86 assembler simulated in C powered by automated theorem proving. In: Meseguer, J., Roşu, G. (eds.) AMAST 2008. LNCS, vol. 5140, pp. 284–298. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  6. 6.
    Advanced Micro Devices (AMD), Inc.: AMD64 Architecture Programmer’s Manual: Vol. 1-3 (2006)Google Scholar
  7. 7.
    Intel Corporation: Intel 64 and IA-32 Architectures Software Developer’s Manual: Vol. 1-3b (2006)Google Scholar
  8. 8.
    Flanagan, C., Leino, K.R.M., Lillibridge, M., Nelson, G., Saxe, J.B., Stata, R.: Extended static checking for Java. SIGPLAN Notices 37(5), 234–245 (2002)CrossRefGoogle Scholar
  9. 9.
    Barnett, M., Leino, K.R.M., Schulte, W.: The Spec# programming system: An overview. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) CASSIS 2004. LNCS, vol. 3362, pp. 49–69. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. 10.
    Microsoft Research: The HAVOC property checker,
  11. 11.
    Hillebrand, M.A., Leinenbach, D.C.: Formal verification of a reader-writer lock implementation in C. In: SSV 2009. ENTCS, Elsevier Science B.V., Amsterdam (2009); Source code, Google Scholar
  12. 12.
    Microsoft Research: Common compiler infrastructure,
  13. 13.
    Botinĉan, M., Parkinson, M., Schulte, W.: Separation logic verification of C programs with an SMT solver. In: SSV 2009. ENTCS. Elsevier Science B.V., Amsterdam (2009)Google Scholar
  14. 14.
    Barnett, M., Chang, B.Y.E., Deline, R., Jacobs, B., Leino, K.R.M.: Boogie: A modular reusable verifier for object-oriented programs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 364–387. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  15. 15.
    Böhme, S., Moskal, M., Schulte, W., Wolff, B.: HOL-Boogie: An interactive prover-backend for the Verifiying C Compiler. Journal of Automated Reasoning (to appear, 2009)Google Scholar
  16. 16.
    de Moura, L., Bjørner, N.: Z3: An efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  17. 17.
    Owicki, S., Gries, D.: Verifying properties of parallel programs: An axiomatic approach. Communications of the ACM 19(5), 279–285 (1976)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Ashcroft, E.A.: Proving assertions about parallel programs. Journal of Computer and System Sciences 10(1), 110–135 (1975)MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Jones, C.B.: Tentative steps toward a development method for interfering programs. ACM Transactions on Programming Languages and Systems 5(4), 596–619 (1983)CrossRefzbMATHGoogle Scholar
  20. 20.
    O’Hearn, P.W.: Resources, concurrency, and local reasoning. Theoretical Computer Science 375(1-3), 271–307 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Reynolds, J.C.: Separation logic: A logic for shared mutable data structures. In: LICS 2002, pp. 55–74. IEEE, Los Alamitos (2002)Google Scholar
  22. 22.
    Bornat, R., Calcagno, C., O’Hearn, P.W., Parkinson, M.J.: Permission accounting in separation logic. In: Palsberg, J., Abadi, M. (eds.) POPL 2005, pp. 259–270. ACM, New York (2005)Google Scholar
  23. 23.
    Vafeiadis, V., Parkinson, M.J.: A marriage of rely/guarantee and separation logic. In: Caires, L., Vasconcelos, V.T. (eds.) CONCUR 2007. LNCS, vol. 4703, pp. 256–271. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  24. 24.
    Leino, K.R.M., Müller, P.: A basis for verifying multi-threaded programs. In: Castagna, G. (ed.) ESOP 2009. LNCS, vol. 5502, pp. 378–393. Springer, Heidelberg (2009)Google Scholar
  25. 25.
    Leino, K.R.M., Schulte, W.: Using history invariants to verify observers. In: De Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 80–94. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  26. 26.
    Klein, G.: Operating system verification – An overview. Sādhanā: Academy Proceedings in Engineering Sciences 34(1), 27–69 (2009)MathSciNetzbMATHGoogle Scholar
  27. 27.
    Journal of Automated Reasoning: Operating System Verification 42(2–4) (2009)Google Scholar
  28. 28.
    Hohmuth, M., Tews, H.: The VFiasco approach for a verified operating system. In: 2nd ECOOP Workshop in Programming Languages and Operating Systems (2005)Google Scholar
  29. 29.
    Heiser, G., Elphinstone, K., Kuz, I., Klein, G., Petters, S.M.: Towards trustworthy computing systems: Taking microkernels to the next level. SIGOPS Oper. Syst. Rev. 41(4), 3–11 (2007)CrossRefGoogle Scholar
  30. 30.
    Ni, Z., Yu, D., Shao, Z.: Using XCAP to certify realistic systems code: Machine context management. In: Schneider, K., Brandt, J. (eds.) TPHOLs 2007. LNCS, vol. 4732, pp. 189–206. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  31. 31.
    Alkassar, E., Hillebrand, M.A., Leinenbach, D.C., Schirmer, N.W., Starostin, A., Tsyban, A.: Balancing the load: Leveraging a semantics stack for systems verification. Journal of Automated Reasoning: Operating System Verification 27, 389–454Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Ernie Cohen
    • 1
  • Markus Dahlweid
    • 2
  • Mark Hillebrand
    • 3
  • Dirk Leinenbach
    • 3
  • Michał Moskal
    • 2
  • Thomas Santen
    • 2
  • Wolfram Schulte
    • 4
  • Stephan Tobies
    • 2
  1. 1.Microsoft CorporationRedmondUSA
  2. 2.European Microsoft Innovation CenterAachenGermany
  3. 3.German Research Center for Artificial Intelligence (DFKI)SaarbrückenGermany
  4. 4.Microsoft ResearchRedmondUSA

Personalised recommendations