## Existential heap abstraction entailment is undecidable (2003)

Venue: 10th Annual International Static Analysis Symposium (SAS 2003)

Citations: 14 (7 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Kuncak03existentialheap,
  author    = {Viktor Kuncak and Martin Rinard},
  title     = {Existential heap abstraction entailment is undecidable},
  booktitle = {10th Annual International Static Analysis Symposium (SAS 2003)},
  year      = {2003},
  pages     = {11--13}
}
```

### Abstract

In this paper we study constraints for specifying properties of data structures consisting of linked objects allocated in the heap. Motivated by heap summary graphs in role analysis and shape analysis we introduce the notion of regular graph constraints. A regular graph constraint is a graph representing the heap summary; a heap satisfies a constraint if and only if the heap can be homomorphically mapped to the summary. Regular graph constraints form a very simple and natural fragment of the existential monadic second-order logic over graphs. One of the key problems in a compositional static analysis is proving that procedure preconditions are satisfied at every call site. For role analysis, precondition checking requires determining the validity of implication, i.e., entailment of regular graph constraints. The central result of this paper is the undecidability of regular graph constraint entailment. The undecidability of the entailment problem is surprising because of the simplicity of regular graph constraints: in particular, the satisfiability of regular graph constraints is decidable. Our undecidability result implies that there is no complete algorithm for statically checking procedure preconditions or postconditions, simplifying static analysis results, or checking that given analysis results are correct. While incomplete conservative algorithms for regular graph constraint entailment checking are possible, we argue that heap specification languages should avoid second-order existential quantification in favor of explicitly specifying a criterion for summarizing objects.
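The satisfaction relation the abstract defines (a heap satisfies a regular graph constraint iff it can be homomorphically mapped to the summary graph) can be checked directly for one concrete heap. The Python below is an added example, not code from the paper or its authors: it searches for a homomorphism from a small constructed heap (a head object pointing at a doubly-linked list) to a summary graph, and shows the same heap failing against a summary that permits no `prev` edge. The graph encoding (node labels plus field-labelled edges), the labels `Head`/`Node` and the field names `first`/`next`/`prev` are assumptions chosen for illustration. It decides only whether one given heap maps to one summary; the paper's undecidability result concerns entailment, i.e. whether every heap that maps to P also maps to Q, which no search over a single heap settles.

```python
from typing import Dict, List, Optional, Tuple

# Assumed encoding (illustration only, not the paper's formalism): a graph is
#   node labels  {node_id: label}          e.g. {"a": "Node"}
#   edges        [(src, field, dst), ...]  e.g. ("a", "next", "b")
# Heaps and summary graphs share the encoding. A homomorphism h maps heap
# nodes to summary nodes so that labels agree and every heap edge (s, f, d)
# has an image edge (h(s), f, h(d)) in the summary.
Graph = Tuple[Dict[str, str], List[Tuple[str, str, str]]]


def find_homomorphism(heap: Graph, summary: Graph) -> Optional[Dict[str, str]]:
    """Return a homomorphism heap -> summary as a dict, or None if none exists.

    Backtracking search: heap nodes are assigned one at a time, and every
    heap edge whose endpoints are both assigned is checked immediately, so
    inconsistent partial maps are pruned early.
    """
    heap_labels, heap_edges = heap
    sum_labels, sum_edges = summary
    sum_edge_set = set(sum_edges)
    nodes = list(heap_labels)

    # Candidate images of each heap node: summary nodes carrying the same label.
    candidates = {
        n: [m for m, lab in sum_labels.items() if lab == heap_labels[n]]
        for n in nodes
    }

    def edges_ok(assign: Dict[str, str]) -> bool:
        # Every heap edge with both endpoints mapped must have an image edge.
        for s, f, d in heap_edges:
            if s in assign and d in assign:
                if (assign[s], f, assign[d]) not in sum_edge_set:
                    return False
        return True

    def search(i: int, assign: Dict[str, str]) -> Optional[Dict[str, str]]:
        if i == len(nodes):
            return dict(assign)
        n = nodes[i]
        for m in candidates[n]:
            assign[n] = m
            if edges_ok(assign):
                found = search(i + 1, assign)
                if found is not None:
                    return found
            del assign[n]
        return None

    return search(0, {})


def satisfies(heap: Graph, summary: Graph) -> bool:
    """heap -> summary in the sense of the abstract: some homomorphism exists."""
    return find_homomorphism(heap, summary) is not None


# Constructed sample heap: a head object pointing at a three-element
# doubly-linked list. (Illustration only; not taken from the paper.)
DLL_HEAP: Graph = (
    {"h": "Head", "a": "Node", "b": "Node", "c": "Node"},
    [("h", "first", "a"),
     ("a", "next", "b"), ("b", "next", "c"),
     ("b", "prev", "a"), ("c", "prev", "b")],
)

# Summary for "a doubly-linked list hanging off a head": one summary node
# stands for every list node, with next/prev self-loops.
DLL_SUMMARY: Graph = (
    {"H": "Head", "N": "Node"},
    [("H", "first", "N"), ("N", "next", "N"), ("N", "prev", "N")],
)

# Summary for a singly-linked list: no prev edge is permitted, so the heap
# above has no image for its prev edges and does not satisfy it.
SLL_SUMMARY: Graph = (
    {"H": "Head", "N": "Node"},
    [("H", "first", "N"), ("N", "next", "N")],
)


if __name__ == "__main__":
    print(find_homomorphism(DLL_HEAP, DLL_SUMMARY))  # {'h': 'H', 'a': 'N', 'b': 'N', 'c': 'N'}
    print(satisfies(DLL_HEAP, SLL_SUMMARY))           # False
```

For one concrete, finite heap the search always terminates, which is the easy direction; what the paper shows is that the question "does every heap mapping to P also map to Q" cannot be decided in general, so a precondition checker built on constraints like these must be conservative, as the abstract says.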

### Citations

574 | Parametric shape analysis via 3-valued logic - Sagiv, Reps, et al. - 2002 |
Citation Context: ...8] to the case where all program statements are reachable. In contrast, our result shows that local analysis of a single statement is undecidable. Most shape analysis algorithms are non-compositional [5, 16, 23, 30, 31] and many of them were originally used for program optimization. In such an analysis, the imprecision in heap property entailment can cause the analysis to perform some extra fixpoint iterations but m...

570 | Principles of Program Analysis - Nielson, Nielson, et al. - 1999 |
Citation Context: ...traint on a graph G is a constraint stating that G can be homomorphically mapped to another graph G′. The constraint satisfaction relation → corresponds to the abstraction relation in program analyses [26]. Definition 4. We say that a graph G satisfies the constraints given by a graph G′, and write G → G′, iff there exists a homomorphism from G to G′. Homomorphism between directed graphs is a spe...

560 | Introduction to the Theory of Computation - Sipser - 2005 |
Citation Context: ...e main technical contribution of the paper (additional proof details are in [22]). A common way of showing the undecidability of problems over graphs is to encode Turing machine computation histories [32] as a special form of graphs called grids. The difficulty with showing the undecidability of entailment of regular graph constraints is that regular graph constraints cannot define the subclass of gri...

394 | Analysis of pointers and structures - Chase, Wegman, Zadeck - 1990 |
Citation Context: ...8] to the case where all program statements are reachable. In contrast, our result shows that local analysis of a single statement is undecidable. Most shape analysis algorithms are non-compositional [5, 16, 23, 30, 31] and many of them were originally used for program optimization. In such an analysis, the imprecision in heap property entailment can cause the analysis to perform some extra fixpoint iterations but m...

381 | A theory of type qualifiers - Foster, Fahndrich, et al. - 1999 |

371 | Enforcing high-level protocols in low-level software - DeLine, Fähndrich - 2001 |
Citation Context: ...quirements of the compositional analysis that motivate the study of the completeness of heap property entailment algorithms. Several recent systems support the analysis of tree-like data structures [3, 9, 15, 24, 33, 36]. The restriction to tree-like data structures is in contrast to our notion of a heap, which allows nodes with in-degree greater than one. The presence of non-tree data structures is one of the key fa...

368 | Alloy: A Lightweight Object Modelling Notation - Jackson |
Citation Context: ...implication of heap properties can then be approximated by combining sharpening with simple structural comparison of three-valued structures. Elements of the first-order logic with transitive closure [20, 31] or first-order logic with inductive definitions [25], [19, Page 57] seem to be necessary for naturally expressing reachability properties. Reachability properties are in turn useful as a criterion fo...

350 | Checking system rules using system-specific, programmer-written compiler extensions - Engler, Chelf, et al. - 2000 |

299 | Solving shape-analysis problems in languages with destructive updating - Sagiv, Reps, et al. - 1998 |
Citation Context: ...8] to the case where all program statements are reachable. In contrast, our result shows that local analysis of a single statement is undecidable. Most shape analysis algorithms are non-compositional [5, 16, 23, 30, 31] and many of them were originally used for program optimization. In such an analysis, the imprecision in heap property entailment can cause the analysis to perform some extra fixpoint iterations but m...

287 | Descriptive Complexity - Immerman - 1999 |

280 | The Classical Decision Problem - Börger, Grädel, et al. - 1996 |
Citation Context: ... the other hand, there are subclasses of H that have an undecidable satisfiability problem. One such subclass is the class of grids. For grids, regular graph constraints correspond to tiling problems [2, 17], which are undecidable because they can represent Turing machine computation histories [32]. A smaller class can have a more difficult regular graph constraint satisfiability problem if it is not def...

255 | Tree automata techniques and applications (http://www.grappa.univ-lille3.fr/tata) - Comon, Dauchet, et al. - 1997 |
Citation Context: ... homomorphism from H to G. Regular graph constraints allow specifying properties of graphs in some given class of graphs C. If C is the set of trees, regular graph constraints reduce to tree automata [6, 35]; if C is the set of grids, the constraints reduce to domino systems [17]. We therefore view regular graph constraints as a natural generalization of constraints on trees and grids, a generalization t...

255 | ESP: path-sensitive program verification in polynomial time - Das, Lerner, et al. - 2002 |

216 | Typestate: A programming language concept for enhancing software reliability - Strom, Yemini - 1986 |
Citation Context: ...erefore desirable to develop abstractions that change as the properties of objects change. A typestate is a system where types of objects change over time. A simple typestate system was introduced in [34]; more recent examples include [8–11, 14, 21, 33, 36]. Similarly to [13], these typestate systems are a step towards the highly automated static checking of complex properties of objects. One of the diffi...

178 | Extended static checking for Java - Flanagan, Leino, et al. - 2002 |
Citation Context: ...ies of objects change. A typestate is a system where types of objects change over time. A simple typestate system was introduced in [34]; more recent examples include [8–11, 14, 21, 33, 36]. Similarly to [13], these typestate systems are a step towards the highly automated static checking of complex properties of objects. One of the difficulties in specifying properties of objects in the presence of linke...

176 | Alias types - Smith, Walker, et al. - 2000 |
Citation Context: ...quirements of the compositional analysis that motivate the study of the completeness of heap property entailment algorithms. Several recent systems support the analysis of tree-like data structures [3, 9, 15, 24, 33, 36]. The restriction to tree-like data structures is in contrast to our notion of a heap, which allows nodes with in-degree greater than one. The presence of non-tree data structures is one of the key fa...

160 | Detecting conflicts between structure accesses - Larus, Hilfinger - 1988 |

150 | The pointer assertion logic engine - Møller, Schwartzbach - 2000 |
Citation Context: ...quirements of the compositional analysis that motivate the study of the completeness of heap property entailment algorithms. Several recent systems support the analysis of tree-like data structures [3, 9, 15, 24, 33, 36]. The restriction to tree-like data structures is in contrast to our notion of a heap, which allows nodes with in-degree greater than one. The presence of non-tree data structures is one of the key fa...

149 | The expression of graph properties and graph transformations in monadic second-order logic - Courcelle - 1997 |
Citation Context: ...a natural generalization of constraints on trees and grids, a generalization that is much weaker than the monadic second-order logic (for which undecidability over non-tree-like domains is well known [7]). In this paper we consider as the class C the set of heaps. Our notion of heap (Definition 2) is motivated by the garbage collected heap in programming languages such as Java or ML. Heaps contain a ...

139 | Alias types for recursive data structures - Walker, Morrisett |

112 | Techniques for Program Verification - Nelson - 1980 |
Citation Context: ...y combining sharpening with simple structural comparison of three-valued structures. Elements of the first-order logic with transitive closure [20, 31] or first-order logic with inductive definitions [25], [19, Page 57] seem to be necessary for naturally expressing reachability properties. Reachability properties are in turn useful as a criterion for summarizing sets of objects, leading to potentially...

100 | Role analysis - Kuncak, Lam, et al. - 2002 |
Citation Context: ...e objects y such that x references y. The idea that important properties of an object x depend on the number and properties of objects z such that z references x was introduced in the role system [21]. Existential Semantics of Roles. To allow definitions of cyclic structures, in [21, Section 3.3] we have adopted the following semantics: a heap satisfies a set of properties if there exists some ass...

88 | On monadic NP vs. monadic co-NP - Fagin, Stockmeyer, et al. - 1995 |
Citation Context: ...ing constraints are satisfied. We call constraints defined in this way role constraints. The existential quantification over predicate names can be expressed in existential monadic second-order logic [12]. Role constraints explicitly specify constraints on incoming and outgoing fields of objects as well as inverse reference and acyclicity constraints. Role constraints encode may-reachability propertie...

85 | The Undecidability of Aliasing - Ramalingam - 1994 |
Citation Context: ...ecking equivalence or subsumption of dataflow facts expressed as regular graph constraints; every conservative fixpoint algorithm must perform some unnecessary iterations in some cases. Related Work. [27] shows the undecidability of alias analysis for programs with general control-flow, strengthening the consequence of Rice's theorem [28] to the case where all program statements are reachable. In cont...

84 | Languages, automata, and logic - Thomas - 1997 |
Citation Context: ... homomorphism from H to G. Regular graph constraints allow specifying properties of graphs in some given class of graphs C. If C is the set of trees, regular graph constraints reduce to tree automata [6, 35]; if C is the set of grids, the constraints reduce to domino systems [17]. We therefore view regular graph constraints as a natural generalization of constraints on trees and grids, a generalization t...

75 | Shape types - Fradet, Le Métayer - 1997 |

71 | Classes of recursively enumerable sets and their decision problems - Rice - 1953 |
Citation Context: ...erform some unnecessary iterations in some cases. Related Work. [27] shows the undecidability of alias analysis for programs with general control-flow, strengthening the consequence of Rice's theorem [28] to the case where all program statements are reachable. In contrast, our result shows that local analysis of a single statement is undecidable. Most shape analysis algorithms are non-compositional [5...

70 | Model theory, Volume 42 of Encyclopedia of Mathematics and its Applications - Hodges - 1993 |

69 | Fickle: Dynamic object re-classification - Drossopoulou, Damiani, et al. - 2001 |

66 | Two-dimensional languages - Giammarresi, Restivo - 1997 |
Citation Context: ...rties of graphs in some given class of graphs C. If C is the set of trees, regular graph constraints reduce to tree automata [6, 35]; if C is the set of grids, the constraints reduce to domino systems [17]. We therefore view regular graph constraints as a natural generalization of constraints on trees and grids, a generalization that is much weaker than the monadic second-order logic (for which undecid...

56 | Graph minors: a survey - Robertson, Seymour - 1985 |
Citation Context: ...responder graphs using a finite set of allowed and disallowed homomorphic summaries (Section 3.4), a construction vaguely resembling the characterization of planar graphs in terms of forbidden minors [29]. Some Consequences. Regular graph constraints are closed under conjunction and, in certain cases, closed under disjunction (Section 2.3). Due to closure under conjunction, implication P ⇒ Q is reduci...

52 | Deciding Validity in a Spatial Logic for Trees - Calcagno, Cardelli, et al. - 2005 |

39 | Is it a tree, a DAG or a cyclic graph? - Ghiya, Hendren - 1996 |

9 | A decidable logic for linked data structures - Benedikt, Reps, Sagiv - 1999 |
Citation Context: ...n of a heap, which allows nodes with in-degree greater than one. The presence of non-tree data structures is one of the key factors that make the implication of regular graph constraints undecidable. [1] suggests an alternative way to gain decidability. The logic Lr in [1] allows specifying reachability properties between local variables. What Lr does not allow is defining a set of nodes A using some...

8 | Typestate checking and regular graph constraints - Kuncak, Rinard - 2002 |
Citation Context: ...the entailment problem for regular graph constraints is undecidable. We sketch this undecidability result in Section 3 as the main technical contribution of the paper (additional proof details are in [22]). A common way of showing the undecidability of problems over graphs is to encode Turing machine computation histories [32] as a special form of graphs called grids. The difficulty with showing the u...

5 | On the non-approximability of points-to analysis - Chakaravarthy, Horwitz - 2002 |