Results 1  10
of
34
Full functional verification of linked data structures
 In ACM Conf. Programming Language Design and Implementation (PLDI
, 2008
"... We present the first verification of full functional correctness for a range of linked data structure implementations, including mutable lists, trees, graphs, and hash tables. Specifically, we present the use of the Jahob verification system to verify formal specifications, written in classical high ..."
Abstract

Cited by 79 (17 self)
 Add to MetaCart
We present the first verification of full functional correctness for a range of linked data structure implementations, including mutable lists, trees, graphs, and hash tables. Specifically, we present the use of the Jahob verification system to verify formal specifications, written in classical higherorder logic, that completely capture the desired behavior of the Java data structure implementations (with the exception of properties involving execution time and/or memory consumption). Given that the desired correctness properties include intractable constructs such as quantifiers, transitive closure, and lambda abstraction, it is a challenge to successfully prove the generated verification conditions. Our Jahob verification system uses integrated reasoning to split each verification condition into a conjunction of simpler subformulas, then apply a diverse collection of specialized decision procedures,
Back to the Future  Revisiting Precise Program Verification using SMT Solvers
 POPL'08
, 2008
"... This paper takes a fresh look at the problem of precise verification of heapmanipulating programs using firstorder SatisfiabilityModuloTheories (SMT) solvers. We augment the specification logic of such solvers by introducing the Logic of Interpreted Sets and Bounded Quantification for specifying ..."
Abstract

Cited by 65 (14 self)
 Add to MetaCart
This paper takes a fresh look at the problem of precise verification of heapmanipulating programs using firstorder SatisfiabilityModuloTheories (SMT) solvers. We augment the specification logic of such solvers by introducing the Logic of Interpreted Sets and Bounded Quantification for specifying properties of heapmanipulating programs. Our logic is expressive, closed under weakest preconditions, and efficiently implementable on top of existing SMT solvers. We have created a prototype implementation of our logic over the solvers SIMPLIFY and Z3 and used our prototype to verify many programs. Our preliminary experience is encouraging; the completeness and the efficiency of the decision procedure is clearly evident in practice and has greatly improved the user experience of the verifier.
A reachability predicate for analyzing lowlevel software
 In Tools and Algorithms for the Construction and Analysis of Systems (TACAS
, 2007
"... Abstract. Reasoning about heapallocated data structures such as linked lists and arrays is challenging. The reachability predicate has proved to be useful for reasoning about the heap in typesafe languages where memory is manipulated by dereferencing object fields. Sound and precise analysis for s ..."
Abstract

Cited by 37 (12 self)
 Add to MetaCart
Abstract. Reasoning about heapallocated data structures such as linked lists and arrays is challenging. The reachability predicate has proved to be useful for reasoning about the heap in typesafe languages where memory is manipulated by dereferencing object fields. Sound and precise analysis for such data structures becomes significantly more challenging in the presence of lowlevel pointer manipulation that is prevalent in systems software. In this paper, we give a novel formalization of the reachability predicate in the presence of internal pointers and pointer arithmetic. We have designed an annotation language for C programs that makes use of the new predicate. This language enables us to specify properties of many interesting data structures present in the Windows kernel. We present preliminary experience with a prototype verifier on a set of illustrative C benchmarks. 1
Simulating reachability using firstorder logic with applications to verification of linked data structures
 In CADE20
, 2005
"... This paper shows how to harness existing theorem provers for firstorder logic to automatically verify safety properties of imperative programs that perform dynamic storage allocation and destructive updating of pointervalued structure fields. One of the main obstacles is specifying and proving the ..."
Abstract

Cited by 35 (7 self)
 Add to MetaCart
This paper shows how to harness existing theorem provers for firstorder logic to automatically verify safety properties of imperative programs that perform dynamic storage allocation and destructive updating of pointervalued structure fields. One of the main obstacles is specifying and proving the (absence) of reachability properties among dynamically allocated cells. The main technical contributions are methods for simulating reachability in a conservative way using firstorder formulas—the formulas describe a superset of the set of program states that can actually arise. These methods are employed for semiautomatic program verification (i.e., using programmersupplied loop invariants) on programs such as markandsweep garbage collection and destructive reversal of a singly linked list. (The markandsweep example has been previously reported as being beyond the capabilities of ESC/Java.) 1
Finite differencing of logical formulas for static analysis
 IN PROC. 12TH ESOP
, 2003
"... This paper concerns mechanisms for maintaining the value of an instrumentationpredicate (a.k.a. derived predicate or view), defined via a logical formula over core predicates, in response to changes in the values of the core predicates. It presents an algorithm fortransforming the instrumentation p ..."
Abstract

Cited by 35 (18 self)
 Add to MetaCart
This paper concerns mechanisms for maintaining the value of an instrumentationpredicate (a.k.a. derived predicate or view), defined via a logical formula over core predicates, in response to changes in the values of the core predicates. It presents an algorithm fortransforming the instrumentation predicate's defining formula into a predicatemaintenance formula that captures what the instrumentation predicate's new value should be.This technique applies to programanalysis problems in which the semantics of statements is expressed using logical formulas that describe changes to corepredicate values,and provides a way to reflect those changes in the values of the instrumentation predicates.
Field constraint analysis
 In Proc. Int. Conf. Verification, Model Checking, and Abstract Interpratation
, 2006
"... ..."
A Logic of Reachable Patterns in Linked DataStructures
, 2007
"... We define a new decidable logic for expressing and checking invariants of programs that manipulate dynamicallyallocated objects via pointers and destructive pointer updates. The main feature of this logic is the ability to limit the neighborhood of a node that is reachable via a regular expression ..."
Abstract

Cited by 25 (3 self)
 Add to MetaCart
We define a new decidable logic for expressing and checking invariants of programs that manipulate dynamicallyallocated objects via pointers and destructive pointer updates. The main feature of this logic is the ability to limit the neighborhood of a node that is reachable via a regular expression from a designated node. The logic is closed under boolean operations (entailment, negation) and has a finite model property. The key technical result is the proof of decidability. We show how to express preconditions, postconditions, and loop invariants for some interesting programs. It is also possible to express properties such as disjointness of datastructures, and lowlevel heap mutations. Moreover, our logic can express properties of arbitrary datastructures and of an arbitrary number of pointer fields. The latter provides a way to naturally specify postconditions that relate the fields on the entry of a procedure to the field on the exit of a procedure. Therefore, it is possible to use the logic to automatically prove partial correctness of programs performing lowlevel heap mutations.
Decision procedures for algebraic data types with abstractions
 IN 37TH ACM SIGACTSIGPLAN SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES (POPL), 2010. DECISION PROCEDURES FOR ORDERED COLLECTIONS 15 SHE75. SAHARON SHELAH. THE MONADIC THEORY OF ORDER. THA ANNALS OF MATHEMATICS OF MATHEMATICS
, 2010
"... We describe a family of decision procedures that extend the decision procedure for quantifierfree constraints on recursive algebraic data types (term algebras) to support recursive abstraction functions. Our abstraction functions are catamorphisms (term algebra homomorphisms) mapping algebraic data ..."
Abstract

Cited by 23 (11 self)
 Add to MetaCart
We describe a family of decision procedures that extend the decision procedure for quantifierfree constraints on recursive algebraic data types (term algebras) to support recursive abstraction functions. Our abstraction functions are catamorphisms (term algebra homomorphisms) mapping algebraic data type values into values in other decidable theories (e.g. sets, multisets, lists, integers, booleans). Each instance of our decision procedure family is sound; we identify a widely applicable manytoone condition on abstraction functions that implies the completeness. Complete instances of our decision procedure include the following correctness statements: 1) a functional data structure implementation satisfies a recursively specified invariant, 2) such data structure conforms to a contract given in terms of sets, multisets, lists, sizes, or heights, 3) a transformation of a formula (or lambda term) abstract syntax tree changes the set of free variables in the specified way.
Abstraction for shape analysis with fast and precise transfomers
 In CAV
, 2006
"... Abstract. This paper addresses the problem of proving safety properties of imperative programs manipulating dynamically allocated data structures using destructive pointer updates. We present a new abstraction for linked data structures whose underlying graphs do not contain cycles. The abstraction ..."
Abstract

Cited by 23 (2 self)
 Add to MetaCart
Abstract. This paper addresses the problem of proving safety properties of imperative programs manipulating dynamically allocated data structures using destructive pointer updates. We present a new abstraction for linked data structures whose underlying graphs do not contain cycles. The abstraction is simple and allows us to decide reachability between dynamically allocated heap cells. We present an efficient algorithm that computes the effect of low level heap mutations in the most precise way. The algorithm does not rely on the usage of a theorem prover. In particular, the worst case complexity of computing a single successor abstract state is O(V log V) states can be exponential in V. A prototype of the algorithm was implemented and is shown to be fast. Our method also handles programs with “simple cycles ” such as cyclic singlylinked lists, (cyclic) doublylinked lists, and trees with parent pointers. Moreover, we allow programs which temporarily violate these restrictions as long as they are restored in loop boundaries. 1
A logic and decision procedure for predicate abstraction of heapmanipulating programs
 UBC Dept. Comp. Sci
, 2005
"... Abstract. An important and ubiquitous class of programs are heapmanipulating programs (HMP), which manipulate unbounded linked data structures by following pointers and updating links. Predicate abstraction hasprovedtobeaninvaluable technique in the field of software model checking; this technique ..."
Abstract

Cited by 21 (4 self)
 Add to MetaCart
Abstract. An important and ubiquitous class of programs are heapmanipulating programs (HMP), which manipulate unbounded linked data structures by following pointers and updating links. Predicate abstraction hasprovedtobeaninvaluable technique in the field of software model checking; this technique relies on an efficient decision procedure for the underlying logic. The expression and proof of many interesting HMP safety properties require transitive closure predicates; such predicates express that some node can be reached from another node by following a sequence of (zero or more) links in the data structure. Unfortunately, adding support for transitive closure often yields undecidability, so one must be careful in defining such a logic. Our primary contributions are the definition of a simple transitive closure logic for use in predicate abstraction of HMPs, and a decision procedure for this logic. Through several experimental examples, we demonstrate that our logic is expressive enough to prove interesting properties with predicate abstraction, and that our decision procedure provides us with both a time and space advantage over previous approaches. 1