Local Verification of Global Invariants in Concurrent Programs

  • Ernie Cohen
  • Michał Moskal
  • Wolfram Schulte
  • Stephan Tobies
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6174)


We describe a practical method for reasoning about realistic concurrent programs. Our method allows global two-state invariants that restrict update of shared state. We provide simple, sufficient conditions for checking those global invariants modularly. The method has been implemented in VCC, an automatic, sound, modular verifier for concurrent C programs. VCC has been used to verify functional correctness of tens of thousands of lines of Microsoft’s Hyper-V virtualization platform and of SYSGO’s embedded real-time operating system PikeOS.


Theorem Prover Legal Action Concurrent Program Proof Obligation Safe Action 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Barnett, M., Naumann, D.A.: Friends need a bit more: Maintaining invariants over shared state. In: Kozenand, D., Shankland, C. (eds.) MPC 2004. LNCS, vol. 3125, pp. 54–84. Springer, Heidelberg (2004)Google Scholar
  2. 2.
    Barnett, M., Chang, B.-Y.E., DeLine, R., Jacobs, B., Leino, K.R.M.: Boogie: A modular reusable verifier for object-oriented programs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 364–387. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Barnett, M., DeLine, R., Fähndrich, M., Leino, K.R.M., Schulte, W.: Verification of object-oriented programs with invariants. Journal of Object Technology 3(6), 27–56 (2004)Google Scholar
  4. 4.
    Baumann, C., Beckert, B., Blasum, H., Bormer, T.: Better avionics software reliability by code verification – A glance at code verification methodology in the Verisoft XT project. In: Embedded World 2009 Conference, Nuremberg, Germany, March 2009. Franzis Verlag (to appear, 2009)Google Scholar
  5. 5.
    Bornat, R., Calcagno, C., O’Hearn, P., Parkinson, M.: Permission accounting in separation logic. SIGPLAN Not. 40(1), 259–270 (2005)CrossRefGoogle Scholar
  6. 6.
    Calcagno, C., Yang, H., O’Hearn, P.W.: Computability and complexity results for a spatial assertion language for data structures. In: APLAS, pp. 289–300 (2001)Google Scholar
  7. 7.
    Cohen, E., Dahlweid, M., Hillebrand, M., Leinenbach, D., Moskal, M., Santen, T., Schulte, W., Tobies, S.: VCC: A practical system for verifying concurrent C. In: Urban, C. (ed.) TPHOLs 2009. LNCS, vol. 5674, pp. 23–42. Springer, Heidelberg (2009) (invited paper)Google Scholar
  8. 8.
    Cohen, E., Moskal, M., Schulte, W., Tobies, S.: A precise yet efficient memory model for C. In: Workshop on Systems Software Verification (SSV 2009). Electr. Notes Theor. Comput. Sci., vol. 254, pp. 85–103. Elsevier Science B.V., Amsterdam (2009)Google Scholar
  9. 9.
    de Moura, L., Bjorner, N.: Z3: An Efficient SMT Solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  10. 10.
    Feng, X.: Local rely-guarantee reasoning. In: Shao, Z., Pierce, B.C. (eds.) POPL, pp. 315–327. ACM, New York (2009)Google Scholar
  11. 11.
    Feng, X., Ferreira, R., Shao, Z.: On the relationship between concurrent separation logic and assume-guarantee reasoning. In: De Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 173–188. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  12. 12.
    Hillebrand, M.A., Leinenbach, D.C.: Formal verification of a reader-writer lock implementation in C. In: Workshop on Systems Software Verification (SSV 2009). Electr. Notes Theor. Comput. Sci., vol. 254, pp. 123–141. Elsevier Science B.V., Amsterdam (2009)Google Scholar
  13. 13.
    Jacobs, B., Smans, J., Piessens, F., Schulte, W.: A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs. Electr. Notes Theor. Comput. Sci. 174(9), 23–47 (2007)CrossRefGoogle Scholar
  14. 14.
    Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: Formal verification of an OS kernel. In: POPL, pp. 207–220. ACM, New York (2009)Google Scholar
  15. 15.
    Leino, K.R.M., Müller, P.: A basis for verifying multi-threaded programs. In: Castagna, G. (ed.) ESOP 2009. LNCS, vol. 5502, pp. 378–393. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  16. 16.
    Leino, K.R.M., Müller, P., Wallenburg, A.: Flexible immutability with frozen objects. In: Shankar, N., Woodcock, J. (eds.) VSTTE 2008. LNCS, vol. 5295, pp. 192–208. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  17. 17.
    O’Hearn, P.W.: Resources, concurrency, and local reasoning. Theor. Comput. Sci. 375(1-3), 271–307 (2007)zbMATHCrossRefMathSciNetGoogle Scholar
  18. 18.
    Reynolds, J.C.: Separation logic: A logic for shared mutable data structures. In: LICS, pp. 55–74. IEEE Computer Society, Los Alamitos (2002)Google Scholar
  19. 19.
    Vafeiadis, V., Parkinson, M. J.: A marriage of rely/Guarantee and separation logic. In: Caires, L., Vasconcelos, V.T. (eds.) CONCUR 2007. LNCS, vol. 4703, pp. 256–271. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Ernie Cohen
    • 1
  • Michał Moskal
    • 2
  • Wolfram Schulte
    • 2
  • Stephan Tobies
    • 1
  1. 1.European Microsoft Innovation CenterAachen
  2. 2.Microsoft ResearchRedmond

Personalised recommendations