2009
DOI: 10.1007/978-3-642-03359-9_2

VCC: A Practical System for Verifying Concurrent C

Citations: cited by 424 publications (294 citation statements)
References: 19 publications
“…1 allows writing state on which θ set depends. 8 So interface specifications need to provide clients with sufficient information to reason about the boundary. For MM , it is not an invariant like R but rather the individual method specifications that facilitate such reasoning (see Sect.…”
Section: Dynamic Boundaries and Second Order Framing (mentioning)
Confidence: 99%
“…The use of ghost state to encode inductive properties without induction has been fruitful in verifications using SMT solvers (e.g., [8,16,40]). Our use of ghost state for frame conditions and separation reasoning was directly inspired by the state-dependent effects of Kassios [18] (who calls them dynamic frames, whence our term "dynamic boundary").…”
Section: Related Work (mentioning)
Confidence: 99%
“…We view the scheduler-related functionality of the kernel as an ADT, specify its intended behaviour in Z, and then verify that the implementation refines the high-level ADT. We used four levels of models (two in Z and one in VCC [10] ghost code, apart from the C implementation itself), and proved successive refinements between them. Barring a few manual steps, all our refinement conditions were phrased and proved in VCC, using its very useful ghost constructs.…”
Section: Introduction (mentioning)
Confidence: 99%
“…1 : 1+x.next.length(), in which another call to length occurs. [4,7,12,17,18,20], in which the problem of verifying a program is encoded as a logical formula, and then handled by automatic theorem provers (typically SMT solvers). Since SMT solvers reason at a purely logical level, many problem aspects such as the program's heap state, and (for permission logics) auxiliary state to track the permissions currently held by a thread, are encoded as mathematical maps (total functions).…”
Section: Introduction (mentioning)
Confidence: 99%