This example is from a talk "Software Model Checking with SLAM" given at PLDI'03 by Sriram K. Rajamani of Microsoft Research (see http://research.microsoft.com/slam/).  The example involves the following code fragment from a Windows device driver:

  do {
    KeAcquireSpinLock();                /* lock taken at the top of every iteration */
    nPacketsOld = nPackets;
    if (request) {
      request = request->Next;
      KeReleaseSpinLock();              /* lock given up inside the branch ... */
      nPackets++;                       /* ... and the counters now differ, so the loop repeats */
    }
  } while (nPackets != nPacketsOld);    /* equal only when the if-branch was skipped ... */
  KeReleaseSpinLock();                  /* ... in which case the lock is still held here */

The driver will hang if it tries to release a lock it does not have or if it tries to acquire a lock it already has, so we must verify that this does not happen.  We must also assume that the driver does not have the lock initially.

Abbreviating the atomic actions and tests (kA and kR for the acquire and release calls, n for the assignment nPacketsOld = nPackets, u for request = request->Next, m for nPackets++, R for the test that request is non-null, and B for the test nPackets == nPacketsOld) as

  do {
    kA;
    n; 
    if (R) {
      u;
      kR;
      m;
    }
  } while (~B);
  kR;

and translating to KAT using

  do p while C  =  p;(C;p)*;~C
  if C then p  =  C;p + ~C,

we get

  kA;n;(R;u;kR;m + ~R);(~B;kA;n;(R;u;kR;m + ~R))*;B;kR

Let A be the assertion that the driver has the lock.  The assertion that the driver does not initially have the lock can be asserted as a precondition:

(1)   ~A;kA;n;(R;u;kR;m + ~R);(~B;kA;n;(R;u;kR;m + ~R))*;B;kR

The precondition for safe execution of kA is ~A, and the precondition for safe execution of kR is A.  Asserting these preconditions immediately before every occurrence of kA or kR, we get

(2)   ~A;~A;kA;n;(R;u;A;kR;m + ~R);(~B;~A;kA;n;(R;u;A;kR;m + ~R))*;B;A;kR

We must show that (1) and (2) are equivalent.  This says that the original program guarantees that the precondition for safe execution holds before every critical operation.  We may reason under the following premises:

  kA = kA;A       acquiring the lock acquires it
  kR = kR;~A      releasing the lock releases it
  B;m = B;m;~B    if two integer variables are equal and we increment one, then they are no longer equal
  n = n;B         setting one variable equal to another makes them equal
  A;n = n;A       commutativity conditions
  A;u = u;A
  A;m = m;A
  B;u = u;B
  B;kR = kR;B

A complete proof can be found in the file MSdriver.xml.  Type "load MSdriver" and "reset" at the KAT command prompt to try your hand at reproving this.
