Pragmatic Nonblocking Synchronization for Real-Time Systems
Proceedings of the General Track: 2002 USENIX Annual Technical Conference
Formalising the L4 microkernel API
CATS '06 Proceedings of the 12th Computing: The Australasian Theroy Symposium - Volume 51
Verified Protection Model of the seL4 Microkernel
VSTTE '08 Proceedings of the 2nd international conference on Verified Software: Theories, Tools, Experiments
The Verisoft Approach to Systems Verification
VSTTE '08 Proceedings of the 2nd international conference on Verified Software: Theories, Tools, Experiments
Secure Microkernels, State Monads and Scalable Refinement
TPHOLs '08 Proceedings of the 21st International Conference on Theorem Proving in Higher Order Logics
Formal Memory Models for the Verification of Low-Level Operating-System Code
Journal of Automated Reasoning
On the architecture of system verification environments
HVC'07 Proceedings of the 3rd international Haifa verification conference on Hardware and software: verification and testing
A formal verification study on the Rotterdam storm surge barrier
ICFEM'10 Proceedings of the 12th international conference on Formal engineering methods and software engineering
Hi-index | 0.00 |
This paper presents the preemption abstraction , an abstraction technique for lightweight verification of one sequential component of a concurrent system. Thereby, different components of the system are permitted to interfere with each other. The preemption abstraction yields a sequential abstract system that can easily be described in the higher-order logic of a theorem prover. One can therefore avoid the cumbersome and costly reasoning about all possible interleavings of state changes of each system component. The preemption abstraction is best suited for components that use preemption points, that is, where the concurrently running environment can only interfere at a limited number of points. The preemption abstraction has been used to model the IPC subsystem of the Fiasco microkernel. We proved two practically relevant properties of the model. On the attempt to prove a third property, namely that the assertions in the code are always valid, we discovered a bug that could potentially crash the whole system.