Results 1  10
of
45
Data structure specifications via local equality axioms
 In CAV
, 2005
"... Abstract. We describe a program verification methodology for specifying global shape properties of data structures by means of axioms involving arbitrary predicates on scalar fields and pointer equalities in the neighborhood of a memory cell. We show that such local invariants are both natural and s ..."
Abstract

Cited by 79 (1 self)
 Add to MetaCart
Abstract. We describe a program verification methodology for specifying global shape properties of data structures by means of axioms involving arbitrary predicates on scalar fields and pointer equalities in the neighborhood of a memory cell. We show that such local invariants are both natural and sufficient for describing a large class of data structures. We describe a complete decision procedure for such a class of axioms. The decision procedure is not only simpler and faster than in other similar systems, but has the advantage that it can be extended easily with reasoning for any decidable theory of scalar fields.
Full functional verification of linked data structures
 In ACM Conf. Programming Language Design and Implementation (PLDI
, 2008
"... We present the first verification of full functional correctness for a range of linked data structure implementations, including mutable lists, trees, graphs, and hash tables. Specifically, we present the use of the Jahob verification system to verify formal specifications, written in classical high ..."
Abstract

Cited by 79 (17 self)
 Add to MetaCart
We present the first verification of full functional correctness for a range of linked data structure implementations, including mutable lists, trees, graphs, and hash tables. Specifically, we present the use of the Jahob verification system to verify formal specifications, written in classical higherorder logic, that completely capture the desired behavior of the Java data structure implementations (with the exception of properties involving execution time and/or memory consumption). Given that the desired correctness properties include intractable constructs such as quantifiers, transitive closure, and lambda abstraction, it is a challenge to successfully prove the generated verification conditions. Our Jahob verification system uses integrated reasoning to split each verification condition into a conjunction of simpler subformulas, then apply a diverse collection of specialized decision procedures,
Back to the Future  Revisiting Precise Program Verification using SMT Solvers
 POPL'08
, 2008
"... This paper takes a fresh look at the problem of precise verification of heapmanipulating programs using firstorder SatisfiabilityModuloTheories (SMT) solvers. We augment the specification logic of such solvers by introducing the Logic of Interpreted Sets and Bounded Quantification for specifying ..."
Abstract

Cited by 65 (14 self)
 Add to MetaCart
This paper takes a fresh look at the problem of precise verification of heapmanipulating programs using firstorder SatisfiabilityModuloTheories (SMT) solvers. We augment the specification logic of such solvers by introducing the Logic of Interpreted Sets and Bounded Quantification for specifying properties of heapmanipulating programs. Our logic is expressive, closed under weakest preconditions, and efficiently implementable on top of existing SMT solvers. We have created a prototype implementation of our logic over the solvers SIMPLIFY and Z3 and used our prototype to verify many programs. Our preliminary experience is encouraging; the completeness and the efficiency of the decision procedure is clearly evident in practice and has greatly improved the user experience of the verifier.
LightWeight Theorem Proving for Debugging and Verifying Units of Code
, 2003
"... Software bugs are very difficult to detect even in small units of code. Several techniques to debug or prove correct such units are based on the generation of a set of formulae whose unsatisfiability reveals the presence of an error. These techniques assume the availability of a theorem prover capab ..."
Abstract

Cited by 47 (25 self)
 Add to MetaCart
Software bugs are very difficult to detect even in small units of code. Several techniques to debug or prove correct such units are based on the generation of a set of formulae whose unsatisfiability reveals the presence of an error. These techniques assume the availability of a theorem prover capable of automatically discharging the resulting proof obligations. Building such a tool is a difficult, long, and errorprone activity. In this paper, we describe techniques to build provers which are highly automatic and flexible by combining stateoftheart superposition theorem provers and BDDs. We report experimental results on formulae extracted from the debugging of C functions manipulating pointers showing that an implementation of our techniques can discharge proof obligations which cannot be handled by Simplify (the theorem prover used in the ESC/Java tool) and performs much better on others. 1.
Verifying properties of wellfounded linked lists
, 2005
"... We describe a novel method for verifying programs that manipulate linked lists, based on two new predicates that characterize reachability of heap cells. These predicates allow reasoning about both acyclic and cyclic lists uniformly with equal ease. The crucial insight behind our approach is that a ..."
Abstract

Cited by 44 (5 self)
 Add to MetaCart
We describe a novel method for verifying programs that manipulate linked lists, based on two new predicates that characterize reachability of heap cells. These predicates allow reasoning about both acyclic and cyclic lists uniformly with equal ease. The crucial insight behind our approach is that a circular list invariably contains a distinguished head cell that provides a handle on the list. This observation suggests a programming methodology that requires the heap of the program at each step to be wellfounded, i.e., for any field f in the program, every sequence u.f,u.f.f,... contains at least one head cell. We believe that our methodology captures the most common idiom of programming with linked data structures. We enforce our methodology by automatically instrumenting the program with updates to two auxiliary variables representing these predicates and adding assertions in terms of these auxiliary variables. To prove program properties and the instrumented assertions, we provide a firstorder axiomatization of our two predicates. We also introduce a novel induction principle made possible by the wellfoundedness of the heap. We use our induction principle to derive from two basic axioms a small set of additional firstorder axioms that are useful for proving the correctness of several programs. We have implemented our method in a tool and used it to verify the correctness of a variety of nontrivial programs manipulating both acyclic and cyclic singlylinked lists and doublylinked lists. We also demonstrate the use of indexed predicate abstraction to automatically synthesize loop invariants for these examples.
Modular Data Structure Verification
 EECS DEPARTMENT, MASSACHUSETTS INSTITUTE OF TECHNOLOGY
, 2007
"... This dissertation describes an approach for automatically verifying data structures, focusing on techniques for automatically proving formulas that arise in such verification. I have implemented this approach with my colleagues in a verification system called Jahob. Jahob verifies properties of Java ..."
Abstract

Cited by 36 (21 self)
 Add to MetaCart
This dissertation describes an approach for automatically verifying data structures, focusing on techniques for automatically proving formulas that arise in such verification. I have implemented this approach with my colleagues in a verification system called Jahob. Jahob verifies properties of Java programs with dynamically allocated data structures. Developers write Jahob specifications in classical higherorder logic (HOL); Jahob reduces the verification problem to deciding the validity of HOL formulas. I present a new method for proving HOL formulas by combining automated reasoning techniques. My method consists of 1) splitting formulas into individual HOL conjuncts, 2) soundly approximating each HOL conjunct with a formula in a more tractable fragment and 3) proving the resulting approximation using a decision procedure or a theorem prover. I present three concrete logics; for each logic I show how to use it to approximate HOL formulas, and how to decide the validity of formulas in this logic. First, I present an approximation of HOL based on a translation to firstorder logic, which enables the use of existing resolutionbased theorem provers. Second, I present an approximation of HOL based on field constraint analysis, a new technique that enables
Simulating reachability using firstorder logic with applications to verification of linked data structures
 In CADE20
, 2005
"... This paper shows how to harness existing theorem provers for firstorder logic to automatically verify safety properties of imperative programs that perform dynamic storage allocation and destructive updating of pointervalued structure fields. One of the main obstacles is specifying and proving the ..."
Abstract

Cited by 35 (7 self)
 Add to MetaCart
This paper shows how to harness existing theorem provers for firstorder logic to automatically verify safety properties of imperative programs that perform dynamic storage allocation and destructive updating of pointervalued structure fields. One of the main obstacles is specifying and proving the (absence) of reachability properties among dynamically allocated cells. The main technical contributions are methods for simulating reachability in a conservative way using firstorder formulas—the formulas describe a superset of the set of program states that can actually arise. These methods are employed for semiautomatic program verification (i.e., using programmersupplied loop invariants) on programs such as markandsweep garbage collection and destructive reversal of a singly linked list. (The markandsweep example has been previously reported as being beyond the capabilities of ESC/Java.) 1
Finite differencing of logical formulas for static analysis
 IN PROC. 12TH ESOP
, 2003
"... This paper concerns mechanisms for maintaining the value of an instrumentationpredicate (a.k.a. derived predicate or view), defined via a logical formula over core predicates, in response to changes in the values of the core predicates. It presents an algorithm fortransforming the instrumentation p ..."
Abstract

Cited by 35 (18 self)
 Add to MetaCart
This paper concerns mechanisms for maintaining the value of an instrumentationpredicate (a.k.a. derived predicate or view), defined via a logical formula over core predicates, in response to changes in the values of the core predicates. It presents an algorithm fortransforming the instrumentation predicate's defining formula into a predicatemaintenance formula that captures what the instrumentation predicate's new value should be.This technique applies to programanalysis problems in which the semantics of statements is expressed using logical formulas that describe changes to corepredicate values,and provides a way to reflect those changes in the values of the instrumentation predicates.
Field constraint analysis
 In Proc. Int. Conf. Verification, Model Checking, and Abstract Interpratation
, 2006
"... ..."
Shape analysis through predicate abstraction and model checking
 In Proceedings of VMCAI
, 2003
"... Abstract. We propose a new framework, based on predicate abstraction and model checking, for shape analysis of programs. Shape analysis is used to statically collect information — such as possible reachability and sharing — about program stores. Rather than use a specialized abstract interpretation ..."
Abstract

Cited by 29 (1 self)
 Add to MetaCart
Abstract. We propose a new framework, based on predicate abstraction and model checking, for shape analysis of programs. Shape analysis is used to statically collect information — such as possible reachability and sharing — about program stores. Rather than use a specialized abstract interpretation based on shape graphs, we instantiate a generic and automated abstraction procedure with shape predicates from a correctness property. This results in a predicatediscovery procedure that identifies predicates relevant for correctness, using an analysis based on weakest preconditions, and creates a finite state abstract program. The correctness property is then checked on the abstraction with a model checking tool. To enable this process, we calculate weakest preconditions for common shape properties, and present heuristics for accelerating convergence. Exploring abstract state spaces with model checkers enables one to tap into a wealth of techniques and highly optimized implementations for state space exploration, and to analyze properties that go beyond invariances. We illustrate this simple and flexible framework with the analysis of some “classical ” list manipulation programs, using our implementation of the abstraction algorithm, and the SPIN and COSPAN model checkers for state space exploration. 1