Published: 26th November 2012
DOI: 10.4204/EPTCS.102
ISSN: 2075-2180


Proceedings Seventh Conference on
Systems Software Verification
Sydney, Australia, 28-30 November 2012

Edited by: Franck Cassez, Ralf Huuck, Gerwin Klein and Bastian Schlich

Franck Cassez, Ralf Huuck, Gerwin Klein and Bastian Schlich
Invited Talk: Copilot: a Do-It-Yourself High-Assurance Compiler
Lee Pike
Invited Talk: Program Analysis and Verification based on the Construction and Checking of Automata
Andreas Podelski
Automatic Verification of Message-Based Device Drivers
Sidney Amani, Peter Chubb, Alastair F. Donaldson, Alexander Legg, Leonid Ryzhyk and Yanjin Zhu
Lessons Learned From Microkernel Verification — Specification is the New Bottleneck
Christoph Baumann, Bernhard Beckert, Holger Blasum and Thorsten Bormer
A Formal Model of a Virtual Filesystem Switch
Gidon Ernst, Gerhard Schellhorn, Dominik Haneberg, Jörg Pfähler and Wolfgang Reif
Automatic Function Annotations for Hoare Logic
Daniel Matichuk
Distributed Priority Synthesis
Chih-Hong Cheng, Rongjie Yan, Saddek Bensalem and Harald Ruess
On the Use of Underspecified Data-Type Semantics for Type Safety in Low-Level Code
Hendrik Tews, Marcus Völp and Tjark Weber
CTGEN - a Unit Test Generator for C
Tatiana Mangels and Jan Peleska
Static Analysis of Lockless Microcontroller C Programs
Eva Beckschulze, Sebastian Biallas and Stefan Kowalewski
Formal Semantics of Heterogeneous CUDA-C: A Modular Approach with Applications
Chris Hathhorn, Michela Becchi, William L. Harrison and Adam Procter
A Forward Reachability Algorithm for Bounded Timed-Arc Petri Nets
Alexandre David, Lasse Jacobsen, Morten Jacobsen and Jiří Srba
Time-Darts: A Data Structure for Verification of Closed Timed Automata
Kenneth Y. Jørgensen, Kim G. Larsen and Jiří Srba
Chiefly Symmetric: Results on the Scalability of Probabilistic Model Checking for Operating-System Code
Christel Baier, Marcus Daum, Benjamin Engel, Hermann Härtig, Joachim Klein, Sascha Klüppelholz, Steffen Märcker, Hendrik Tews and Marcus Völp
Verifying Probabilistic Correctness in Isabelle with pGCL
David Cock


This volume contains the papers accepted at the 7th Systems Software Verification Conference (SSV 2012), held in Sydney, November 28-30, 2012.

Industrial-strength software analysis and verification has advanced in recent years through the intro- duction of model checking, automated and interactive theorem proving, and static analysis techniques, as well as correctness by design, correctness by contract, and model-driven development. However, many techniques are working under restrictive assumptions that are invalidated by complex embedded systems software such as operating system kernels, low-level device drivers, or micro-controller code.

The aim of SSV workshops and conference series is to bring together researchers and developers from both academia and industry who are facing real software and real problems with the goal of finding real, applicable solutions.

This year we received 25 submissions and the Program Committee selected 13 submissions for pre- sentation at the conference. Each submission was reviewed by 3 Program Committee members. We wish to thank the Program Committee members and their sub-reviewers for their competent and timely reviews in the short allotted time-frame. We also thank the two invited speakers, Andreas Podelski (Uni- versity of Freiburg, Germany) and Lee Pike (Galois, Inc., USA) for accepting our invitation to give a presentation at SSV 2012.

SSV 2012 used the EasyChair conference system to manage the reviewing process. We are indebted to the EPTCS staff who provided flawless support in the preparation of this EPTCS volume. Finally, the SSV program chairs and organizers gratefully acknowledge the sponsorship of National ICT Australia Ltd (NICTA), Australia's Information and Communications Technology Research Centre of Excellence, and Red Lizard Software (

F. Cassez, R. Huuck, G. Klein and B. Schlich
November 2012, Sydney, Australia

Organizing Committee and Program Committee Chairs

Franck Cassez NICTA, Sydney, Australia
Ralf Huuck NICTA and UNSW, Sydney, Australia
Gerwin Klein NICTA and UNSW, Sydney, Australia
Bastian Schlich ABB Corporate Research, Ladenburg, Germany

Program Committee

Cyrille Artho AIST, RISEC, Japan
Stefan Berghofer Secunet, Germany
Frédéric Boniol ONERA, France
Alessandro Coglio Kestrel, USA
Joe Hurd Intel, USA
Stefan Kowalewski RWTH Aachen University, Germany
Thomas Kropf Robert Bosch GmbH and University of Tübingen, Germany
Kim G. Larsen CISS, Aalborg University, Denmark
Toby Murray NICTA, Sydney, Australia
Jan Peleska Verified Systems Int. GmbH and University of Bremen, Germany
John Regehr University of Utah, USA
Natarajan Shankar SRI, USA
Zhong Shao Yale, USA
Konrad Slind Rockwell Collins, USA
Jun Sun Singapore University of Technology and Design, Singapore

Additional Reviewers

Sidney Amani NICTA, Sydney, Australia
Sebastian Biallas RWTH Aachen University, Germany
Marc Förster RWTH Aachen University, Germany
Volker Kamin RWTH Aachen University, Germany
Guan Jun Liu Singapore University of Technology and Design, Singapore
Hongjin Liang Research Center for High-Confidence Software, USTC-Yale, China
Tahina Ramananandro Yale, USA

Copilot: a Do-It-Yourself High-Assurance Compiler

Lee Pike (Galois, Inc.)

The "do-it-yourself" (DIY) culture encourages individuals to design and craft objects on their own, without relying on outside experts. DIY construction should be inexpensive with easy-to-access ma- terials. Ranging from hobbyist electronics to urban farming to fashion, DIY is making somewhat of a resurgence across the United States. We see no reason why DIY culture should not also extend to compilers, and in particular, to high-assurance compilers.

From 2009-2011, NASA contracted Galois, Inc. to research the possibility of augmenting complex aerospace software systems with runtime verification. Our answer to the contract goals was Copilot, an embedded domain-specific language (EDSL) to generate embedded monitorsThe Copilot language itself, focusing on its RV uses for NASA, has been described [1, 2, 3].

Our assurance challenge in the project was phrased as, "Who watches the watchmen?" meaning that if the RV monitor is the last line of defense, then it must not fail or worse, introduce unintended faults itself. Nonetheless, because the primary goal of the project was to implement an RV system and to field- test it, few resources were available for assuring the correctness of the Copilot compiler. Our approach was born out of necessity. Specifically, we employ three not-so-secret weapons from the functional languages and formal meth- ods communities in our work including building EDSLs, building sub-Turing complete languages, and taking a verifying compiler approach to assurance. This talk summarizes our experiences on this work and provides recommendations for lightweight assurance methods for domain-specific compiler design.

Program Analysis and Verification based on the Construction and Checking of Automata

Andreas Podelski (University of Freiburg, Germany)

A recent approach to the verification of programs constructs a correctness proof in the form of a finite automaton. The automaton recognizes a set of traces. Here, a trace is any sequence of statements (not necessarily feasible and not necessarily on a path in the control flow graph of the program).

A trace can be formalized as a word over the alphabet of statements. A trace can also be viewed as as special case of a program. Applying static analysis or a symbolic method (e.g., SMT solving with interpolant generation) to a single trace, a correctness proof for the trace can be obtained in the form of a sequence of consecutive Hoare triples (or, phrased differently, an inductive sequence of assertions).

Given a program and n traces of the program, we can construct an automaton from the n different correctness proofs for the traces. The automaton recognizes a set of correct traces. We still need to check whether this set includes all the traces on a path in the control flow graph of the program. The check is an automata-theoretic operation (which is reducible to non-reachability in a finite graph). That is, the two steps of constructing and checking a proof neatly separate the two concerns of data and control in program verification. The construction of a proof in the form of an automaton accounts for the interpretation of statements in data domains. The automaton, however, has a meaning that is oblivious to the interpretation of statements: a set of words over a particular alphabet. The check of the proof uses this meaning of the automaton and accounts for the control flow of the program. The implementation of the check of the proof as an automata-theoretic inclusion check is reminiscent of model checking (the finite control flow graph defines the model, the automaton defines the property).

The resulting verification method is not compositional in the syntax of the program; it is compositional in a new, semantics-directed sense where modules are sets of traces; the sets of traces are constructed from mutually independent correctness proofs and intuitively correspond to different cases of program executions. Depending on the verification problem (the correctness property being safety or termination for sequential, recursive, or concurrent programs), the approach uses non-deterministic automata, nested-word automata, Büchi automata, or alternating automata as proofs.