201 research outputs found

    Featherweight VeriFast

    VeriFast is a leading research prototype tool for the sound modular verification of safety and correctness properties of single-threaded and multithreaded C and Java programs. It has been used as a vehicle for exploration and validation of novel program verification techniques and for industrial case studies; it has served well at a number of program verification competitions; and it has been used for teaching by multiple teachers independent of the authors. However, until now, while VeriFast's operation has been described informally in a number of publications, and specific verification techniques have been formalized, a clear and precise exposition of how VeriFast works has not yet appeared. In this article we present for the first time a formal definition and soundness proof of a core subset of the VeriFast program verification approach. The exposition aims to be both accessible and rigorous: the text is based on lecture notes for a graduate course on program verification, and it is backed by an executable machine-readable definition and machine-checked soundness proof in Coq

    The Belgian Electronic Identity Card: a Verification Case Study

    In the field of annotation-based source code level program verification for Java-like languages, separation-logic based verifiers offer a promising alternative to classic JML based verifiers such as ESC/Java2, the Mobius tool or Spec#. Researchers have demonstrated the advantages of separation logic based verification by showing that it is feasible to verify very challenging (though very small) sample code, such as design patterns, or highly concurrent code. However, there is little experience in using this new breed of verifiers on real code. In this paper we report on our experience of verifying several thousands of lines of Java Card code using VeriFast, one of the state-of-the-art separation logic based verifiers. We quantify annotation overhead, verification performance, and impact on code quality (number of bugs found). Finally, our experiments suggest a number of potential improvements to the VeriFast tool

    Bronchoalveolar lavage cytological alveolar damage in patients with severe pneumonia

    INTRODUCTION: Histological examination of lung specimens from patients with pneumonia shows the presence of desquamated pneumocytes and erythrophages. We hypothesized that these modifications should also be present in bronchoalveolar lavage fluid (BAL) from patients with hospital-acquired pneumonia. METHODS: We conducted a prospective study in mechanically ventilated patients with clinical suspicion of pneumonia. Patients were classified as having hospital-acquired pneumonia or not, in accordance with the quantitative microbiological cultures of respiratory tract specimens. A group of severe community-acquired pneumonias requiring mechanical ventilation during the same period was used for comparison. A specimen of BAL (20 ml) was taken for cytological analysis. A semiquantitative analysis of the dominant leukocyte population, the presence of erythrophages/siderophages and desquamated type II pneumocytes was performed. RESULTS: In patients with confirmed hospital-acquired pneumonia, we found that 13 out of 39 patients (33.3%) had erythrophages/siderophages in BAL, 18 (46.2%) had desquamated pneumocytes and 8 (20.5%) fulfilled both criteria. Among the patients with community-acquired pneumonia, 7 out of 15 (46.7%) had erythrophages/siderophages and 6 (40%) had desquamated pneumocytes on BAL cytology. Only four (26.7%) fulfilled both criteria. No patient without hospital-acquired pneumonia had erythrophages/siderophages and only 3 out of 18 (16.7%) had desquamated pneumocytes on BAL cytology. CONCLUSION: Cytological analysis of BAL from patients with pneumonia (either community-acquired or hospital-acquired) shows elements of cytological alveolar damage as hemorrhage and desquamated type II pneumocytes much more frequently than in BAL from patients without pneumonia. These elements had a high specificity for an infectious cause of pulmonary infiltrates but low specificity. 
    These lesions could serve as an adjunct to diagnosis in patients suspected of having ventilator-associated pneumonia.

    Recommended β-lactam regimens are inadequate in septic patients treated with continuous renal replacement therapy

    Introduction: Sepsis is responsible for important alterations in the pharmacokinetics of antibiotics. Continuous renal replacement therapy (CRRT), which is commonly used in septic patients, may further contribute to pharmacokinetic changes. Current recommendations for antibiotic doses during CRRT combine data obtained from heterogeneous patient populations in which different CRRT devices and techniques have been used. We studied whether these recommendations met optimal pharmacokinetic criteria for broad-spectrum antibiotic levels in septic shock patients undergoing CRRT. Methods: This open, prospective study enrolled consecutive patients treated with CRRT and receiving either meropenem (MEM), piperacillin-tazobactam (TZP), cefepime (FEP) or ceftazidime (CAZ). Serum concentrations of these antibiotics were determined by high-performance liquid chromatography from samples taken before (t = 0) and 1, 2, 5, and 6 or 12 hours (depending on the β-lactam regimen) after the administration of each antibiotic. Series of measurements were separated into those taken during the early phase ( 48 hours). Results: A total of 69 series of serum samples were obtained in 53 patients (MEM, n = 17; TZP, n = 16; FEP, n = 8; CAZ, n = 12). Serum concentrations remained above four times the minimal inhibitory concentration for Pseudomonas spp. for the recommended time in 81% of patients treated with MEM, in 71% with TZP, in 53% with CAZ and in 0% with FEP. Accumulation after 48 hours of treatment was significant only for MEM. Conclusions: In septic patients receiving CRRT, recommended doses of β-lactams for Pseudomonas aeruginosa are adequate for MEM but not for TZP, FEP and CAZ; for these latter drugs, higher doses and/or extended infusions should be used to optimise serum concentrations. © 2011 Seyler et al. licensee BioMed Central Ltd.

    Downregulation of CD94/NKG2A inhibitory receptors on CD8+ T cells in HIV infection is more pronounced in subjects with detected viral load than in their aviraemic counterparts

    The CD94/NKG2A heterodimer is a natural killer receptor (NKR), which inhibits cell-mediated cytotoxicity upon interaction with MHC class I gene products. It is expressed by NK cells and by a small fraction of activated CD8+ T lymphocytes. Abnormal upregulation of the CD94/NKG2A inhibitory NKR on cytotoxic T cells (CTLs) could be responsible for a failure of immunosurveillance in cancer or HIV infection. In this study, CD94/NKG2A receptor expression on CD8+ T lymphocytes and NK cells was assessed in 46 HIV-1-infected patients (24 viraemic, 22 aviraemic) and 10 healthy volunteers. The percentage of CD8+ T lymphocytes expressing the CD94/NKG2A inhibitory heterodimer was very significantly decreased in HIV-1-infected patients in comparison with non-infected controls. Within the HIV-infected patients, the proportion of CD8+ T lymphocytes and NK cells expressing CD94/NKG2A was higher in subjects with undetectable viral loads in comparison with their viraemic counterparts. No significant difference was detected in the proportion of CD8+ T lymphocytes expressing the activatory CD94/NKG2C heterodimer between the HIV-1-infected patients and the healthy donors, nor between the viraemic and aviraemic HIV-1-infected patients. In conclusion, chronic stimulation with HIV antigens in viraemic patients leads to a decreased rather than increased CD94/NKG2A expression on CD8+ T lymphocytes and NK cells.

    Evaluation of total body weight and body mass index cut-offs for increased cefazolin dose for surgical prophylaxis

    French and American guidelines recommend increased dosage regimens of cefazolin (CFZ) for surgical prophylaxis in patients with a body mass index (BMI) ≥ 35 kg/m2 or with a total body weight (TBW) ≥ 120 kg. The objective of this study was to evaluate the accuracy of these cut-offs in identifying patients who require CFZ dose adjustment. A pharmacokinetic study was conducted in patients of varying TBW and BMI who received 2 g of CFZ intravenously for prophylaxis prior to digestive surgery. Adequacy of therapy, defined as a serum concentration of unbound CFZ (fCFZ) ≥ 4 mg/L, was evaluated 180 min (T180) and 240 min (T240) after the start of CFZ infusion. Possible factors associated with insufficient fCFZ levels were also assessed. A P-value of <0.05 was considered statistically significant. A total of 63 patients were included in the study, categorised according to BMI (<35 kg/m2, 20 patients; and ≥35 kg/m2, 43 patients) and TBW (<120 kg, 41 patients; and ≥120 kg, 22 patients). All patients had adequate drug levels at T180 but only 40/63 patients (63%) had adequate levels at T240. At T240, therapy was adequate in 15/20 patients (75%) and 25/43 patients (58%) with BMI <35 kg/m2 and ≥35 kg/m2, respectively (P = 0.20), and in 28/41 patients (68%) and 12/22 patients (55%) with TBW <120 kg and ≥120 kg, respectively (P = 0.28). No factor associated with insufficient fCFZ was identified. In conclusion, current BMI and TBW cut-offs are poor indicators of which patients could benefit from increased CFZ dosage regimens.

    Logic against Ghosts: Comparison of Two Proof Approaches for a List Module

    Modern verification projects continue to offer new challenges for formal verification. One of them is the linked list module of Contiki, a popular open-source operating system for the Internet of Things. It has a rich API and uses a particular list representation that makes it different from the classical linked list implementations. Being widely used in the OS, the list module is critical for reliability and security. A recent work verified the list module using ghost arrays. This article reports on a new verification effort for this module. Realized in the Frama-C/Wp tool, the new approach relies on logic lists. A logic list provides a convenient high-level view of the linked list. The specifications of all functions are now proved faster and almost all automatically, only a small number of auxiliary lemmas and a couple of assertions being proved interactively in Coq. The proposed specifications are validated by proving a few client functions manipulating lists. During the verification, a more efficient implementation for one function was found and verified. We compare the new approach with the previous effort based on ghost arrays, and discuss the benefits and drawbacks of both techniques.