Comments on: Happy new year and validation http://www.yodaiken.com/2007/12/happy-new-year-and-validation/ Systems software technology and business Fri, 22 Jul 2011 13:41:42 +0000 hourly 1 http://wordpress.org/?v=3.1 By: regehr http://www.yodaiken.com/2007/12/happy-new-year-and-validation/comment-page-1/#comment-46 regehr Wed, 02 Jan 2008 17:04:54 +0000 http://yodaiken.com/?p=127#comment-46 Thanks Victor. Just one more comment: I think we should make a distinction between a tool that can verify threaded code and a tool that can verify the code that implements threading. The latter is what you are looking for here and it is much more difficult. Furthermore it is arguably unnecessary -- a reasonable engineering solution is to get someone really good to write the dispatcher/scheduler and then focus verification effort on the mountains of code written by the rest of us that run on top of that core functionality. Thanks Victor. Just one more comment: I think we should make a distinction between a tool that can verify threaded code and a tool that can verify the code that implements threading. The latter is what you are looking for here and it is much more difficult. Furthermore it is arguably unnecessary — a reasonable engineering solution is to get someone really good to write the dispatcher/scheduler and then focus verification effort on the mountains of code written by the rest of us that run on top of that core functionality.

]]> By: yodaiken http://www.yodaiken.com/2007/12/happy-new-year-and-validation/comment-page-1/#comment-45 yodaiken Tue, 01 Jan 2008 02:23:51 +0000 http://yodaiken.com/?p=127#comment-45 See update to the post. See update to the post.

]]> By: John Regehr http://www.yodaiken.com/2007/12/happy-new-year-and-validation/comment-page-1/#comment-44 John Regehr Sat, 29 Dec 2007 21:02:47 +0000 http://yodaiken.com/?p=127#comment-44 Victor-- I feel bad that I do not understand this famous old code fragment. I'm guessing that save() and resume() are part of the process dispatcher and that save() returns true on a direct return and false on indirect return? What is the property to be verified -- that panic() is unreachable? How much more code than this needs to be entrained before verification becomes possible? One problem with verifying code like this is that it may require a model both of C code and its underlying machine. Very tricky! It may be better to find a way to separately verify the machine-dependent and machine-independent parts. Victor– I feel bad that I do not understand this famous old code fragment. I’m guessing that save() and resume() are part of the process dispatcher and that save() returns true on a direct return and false on indirect return?

What is the property to be verified — that panic() is unreachable? How much more code than this needs to be entrained before verification becomes possible? One problem with verifying code like this is that it may require a model both of C code and its underlying machine. Very tricky! It may be better to find a way to separately verify the machine-dependent and machine-independent parts.

]]>