## Combining theorem proving with static analysis for data structure consistency (2004)


Venue: In International Workshop on Software Verification and Validation (SVV 2004)

Citations: 22 (16 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Zee04combiningtheorem,
  author    = {Karen Zee and Patrick Lam and Viktor Kuncak and Martin Rinard},
  title     = {Combining theorem proving with static analysis for data structure consistency},
  booktitle = {In International Workshop on Software Verification and Validation (SVV 2004)},
  year      = {2004}
}
```


### Abstract

We describe an approach for combining theorem proving techniques with static analysis to analyze data structure consistency for programs that manipulate heterogeneous data structures. Our system uses interactive theorem proving and shape analysis to verify that data structure implementations conform to set interfaces. A simpler static analysis then uses the verified set interfaces to verify properties that characterize how shared objects participate in multiple data structures. We have successfully applied this technique to several programs and found that theorem proving within circumscribed regions of the program combined with static analysis enables the verification of large-scale program properties.

### Citations

Each entry lists the citation count, the cited work, its authors and year, and (where available) the context in which this paper cites it.

- 717 citations: Isabelle/HOL — A Proof Assistant for Higher-Order Logic, volume 2283 of LNCS. Nipkow, Paulson, et al., 2002.
  Citation context: ...em Provers. We use the Isabelle interactive theorem prover [31] to discharge the verification conditions generated by our analysis plugin. Other interactive theorem provers include Athena [1] and HOL [30]. The ACL2 [17] system can apply theorem-proving and term rewriting techniques to verify properties of large-scale systems, among them software systems [28]. Combinations of Decidable Theories. One po...

- 711 citations: Introduction to Algorithms, Second Edition. Cormen, Leiserson, et al., 2001.
  Citation context: ...powerful (and hence more scalable) analysis to verify scheduler properties. 2.1 Suspended Queue Module The priority queue module implements a priority queue of suspended processes using a binary heap [7]. Figure 1 presents the skeleton of the SuspendedQueue implementation module. This module introduces one field into the Process format, namely the p field indicating the priority of each process objec...

- 538 citations: Parametric shape analysis via 3-valued logic. Sagiv, Reps, et al.
  Citation context: ...y exhibit unacceptable behavior and may crash. Motivated by the importance of this problem, researchers have developed algorithms for verifying that programs preserve important consistency properties [2,10,12,27,33,35]. ∗ This research was supported in part by the SingaporeMIT Alliance, DARPA award FA8750-04-2-0254, and NSF grants CCR00-86154, CCR00-63513, CCR00-73513, CCR0209075, CCR-0341620, and CCR-0325283. Ensu...

- 518 citations: Extended Static Checking for Java. Flanagan, Leino, et al., 2002.
  Citation context: ...y exhibit unacceptable behavior and may crash. Motivated by the importance of this problem, researchers have developed algorithms for verifying that programs preserve important consistency properties [2,10,12,27,33,35]. ∗ This research was supported in part by the SingaporeMIT Alliance, DARPA award FA8750-04-2-0254, and NSF grants CCR00-86154, CCR00-63513, CCR00-73513, CCR0209075, CCR-0341620, and CCR-0325283. Ensu...

- 393 citations: Automatic predicate abstraction of C programs. Ball, Majumdar, et al., 2001.
  Citation context: ...y exhibit unacceptable behavior and may crash. Motivated by the importance of this problem, researchers have developed algorithms for verifying that programs preserve important consistency properties [2,10,12,27,33,35]. ∗ This research was supported in part by the SingaporeMIT Alliance, DARPA award FA8750-04-2-0254, and NSF grants CCR00-86154, CCR00-63513, CCR00-73513, CCR0209075, CCR-0341620, and CCR-0325283. Ensu...

- 352 citations: Simplify: A theorem prover for program checking. Detlefs, Nelson, et al., 2003.
  Citation context: ...and combine the decision procedures for different properties using NelsonOppen techniques [29,32] and their generalizations such as [36–38]. Theorem provers based on these principles include Simplify [9], Verifun [11], and CVC [34]. Our system can take advantage of combined decision procedures, but also allows specialized analyses that use customized internal representations of dataflow facts. 8 Conc...

- 292 citations: Extended static checking. Detlefs, Leino, et al., 1998.

- 287 citations: An overview of JML tools and applications. Burdy, Cheon, et al., 2003.
  Citation context: ... basis. Program Checking Tools. ESC/Java [12] is a program checking tool whose purpose is to identify common errors in programs using program specifications in a subset of the Java Modelling Language [4]. ESC/Java sacrifices soundness in that it does not model all details of the program heap, but can detect some common programming errors. Other tools focus on verifying properties of concurrent progra...

- 211 citations: Abstractions from proofs. Henzinger, Jhala, et al., 2004.
  Citation context: ...ess in that it does not model all details of the program heap, but can detect some common programming errors. Other tools focus on verifying properties of concurrent programs [3, 5] or device drivers [2, 15]. One important difference between this research and our 12 spec module Arrayset { format Node; } predvar setInit; sets Content : Node; proc init() requires true modifies Content, setInit ensures setI...

- 149 citations: Data refinement: model-oriented proof methods and their comparison. WP, Engelhardt, 1998.
  Citation context: ...onjunction with other plugins. We identified data structures that implement dynamically changing sets as good candidates upon which to focus theorem proving effort. Using the ideas of data refinement [8,16], we can naturally specify the preconditions and postconditions on such data structures using formulas in the boolean algebra of sets. We can verify once and for all that the data structure implementa...

- 144 citations: The pointer assertion logic engine. Møller, Schwartzbach, 2001.

- 136 citations: Isabelle: A Generic Theorem. Paulson, 1994.
  Citation context: ...On the other hand, theorem proving techniques can in principle verify arbitrarily complicated consistency properties; this statement especially applies to interactive theorem provers such as Isabelle [31] and Athena [1] that allow writing general mathematical statements about program state. The difficulty in using theorem proving tools is that their application may require manual effort and familiarit...

- 113 citations: CVC: A Cooperating Validity Checker. Stump, Barrett, et al., 2002.
  Citation context: ...ocedures for different properties using NelsonOppen techniques [29,32] and their generalizations such as [36–38]. Theorem provers based on these principles include Simplify [9], Verifun [11], and CVC [34]. Our system can take advantage of combined decision procedures, but also allows specialized analyses that use customized internal representations of dataflow facts. 8 Concluding Remarks In this paper...

- 106 citations: Techniques for program verification. Nelson, 1981.
  Citation context: ...ions of Decidable Theories. One possible alternative to combining analyses is to use a single analysis engine and combine the decision procedures for different properties using NelsonOppen techniques [29,32] and their generalizations such as [36–38]. Theorem provers based on these principles include Simplify [9], Verifun [11], and CVC [34]. Our system can take advantage of combined decision procedures, b...

- 99 citations: Avoiding exponential explosion: generating compact verification conditions. Flanagan, Saxe, 2001.
  Citation context: ...variants specified in the abstraction section. In our example we need a representation invariant 0 ≤ s. 8 3. Statement desugaring: translate statements into a loop-free guarded command language (e.g. [13]). 4. Verification condition generation: using weakest precondition semantics, create the formula whose validity implies the conformance of the procedure with respect to its specification. 5. Separati...

- 99 citations: Role analysis. Kuncak, Lam, et al., 2002.
  Citation context: ...e consistency properties of (potentially-recursive) linked data structures. Researchers have developed many shape analyses and the field remains one of the most active areas in program analysis today [20, 27, 33]. These analyses focus on extracting or verifying detailed consistency properties of individual data structures. These analyses are very precise on their domain of applicability, but are forced to mak...

- 82 citations: Types as models: Model checking message-passing programs. Pages 45–57 of. Chaki, Rajamani, et al., 2002.
  Citation context: ...SC/Java sacrifices soundness in that it does not model all details of the program heap, but can detect some common programming errors. Other tools focus on verifying properties of concurrent programs [3, 5] or device drivers [2, 15]. One important difference between this research and our 12 spec module Arrayset { format Node; } predvar setInit; sets Content : Node; proc init() requires true modifies Con...

- 74 citations: Shape types. Fradet, Métayer, 1997.
  Citation context: ...lysis techniques have proven to be successful in achieving high levels of automation for verifying the consistency of some important classes of data structures such as linked lists, trees, and graphs [12, 14, 27, 33]. Unfortunately, while effective for data structures within their targeted class, these tools are necessarily either incomplete or unsound for many other data structures. Data structure diversity pres...

- 63 citations: Data refinement refined. He, Hoare, et al., 1986.
  Citation context: ...onjunction with other plugins. We identified data structures that implement dynamically changing sets as good candidates upon which to focus theorem proving effort. Using the ideas of data refinement [8,16], we can naturally specify the preconditions and postconditions on such data structures using formulas in the boolean algebra of sets. We can verify once and for all that the data structure implementa...

- 60 citations: Theorem proving using lazy proof explication. Flanagan, Joshi, et al.
  Citation context: ...he decision procedures for different properties using NelsonOppen techniques [29,32] and their generalizations such as [36–38]. Theorem provers based on these principles include Simplify [9], Verifun [11], and CVC [34]. Our system can take advantage of combined decision procedures, but also allows specialized analyses that use customized internal representations of dataflow facts. 8 Concluding Remarks...

- 51 citations: STeP: Deductive-algorithmic verification of reactive and real-time systems. Bjørner, Browne, et al.
  Citation context: ...SC/Java sacrifices soundness in that it does not model all details of the program heap, but can detect some common programming errors. Other tools focus on verifying properties of concurrent programs [3, 5] or device drivers [2, 15]. One important difference between this research and our 12 spec module Arrayset { format Node; } predvar setInit; sets Content : Node; proc init() requires true modifies Con...

- 36 citations: Verifying a file system implementation. Arkoudas, Zee, et al., 2004.
  Citation context: ...d, theorem proving techniques can in principle verify arbitrarily complicated consistency properties; this statement especially applies to interactive theorem provers such as Isabelle [31] and Athena [1] that allow writing general mathematical statements about program state. The difficulty in using theorem proving tools is that their application may require manual effort and familiarity with their be...

- 35 citations: Deconstructing Shostak. Rueß, Shankar.
  Citation context: ...ions of Decidable Theories. One possible alternative to combining analyses is to use a single analysis engine and combine the decision procedures for different properties using NelsonOppen techniques [29,32] and their generalizations such as [36–38]. Theorem provers based on these principles include Simplify [9], Verifun [11], and CVC [34]. Our system can take advantage of combined decision procedures, b...

- 32 citations: Mona Version 1.4 User Manual. Klarlund, Møller, 2001.
  Citation context: ...n then carries out a dataflow analysis over boolean formulas for each procedure, updating set contents after procedure calls and flag field mutations. The flag plugin uses the MONA decision procedure [18] as well as a range of formula simplifications [23] to perform operations on these boolean formulas. The PALE analysis plugin [27] implements a shape analysis that can verify detailed properties of co...

- 30 citations: Logical characterizations of heap abstractions. Yorsh, 2003.

- 27 citations: Complexity of Boolean Algebras. Kozen, 1980.
  Citation context: ...dule. Free variables of these formulas denote abstract sets declared in specification sections. The expressive power of such formulas is the first-order theory of boolean algebras, which is decidable [19,26]. The decidability of the specification language ensures that analysis plugins can precisely propagate the specified relations between the abstract sets. 3.3 Analysis Overview The analysis of a module...

- 23 citations: Generalized typestate checking using set interfaces and pluggable analyses. Lam, Kuncak, et al., 2004.

- 19 citations: Proving theorems about Java and the JVM with ACL2. Moore, 2003.
  Citation context: ... theorem provers include Athena [1] and HOL [30]. The ACL2 [17] system can apply theorem-proving and term rewriting techniques to verify properties of large-scale systems, among them software systems [28]. Combinations of Decidable Theories. One possible alternative to combining analyses is to use a single analysis engine and combine the decision procedures for different properties using NelsonOppen t...

- 16 citations: On our experience with modular pluggable analyses. Lam, Kuncak, et al., 2004.
  Citation context: ...(p in InList) modifies InList ensures InList’ = InList + p; proc remove(p : Process) requires p in InList modifies InList ensures InList’ = InList - p; Figure 4: Running List Specification Module gin [23] to verify the conformance of the linked list to the set interface in Figure 4. 2.3 Scheduler Module Figure 5 presents the Scheduler implementation module. This module contributes a status field to Pr...

- 14 citations: Extensions for multi-module records in conventional programming languages. Cheriton, Wolf, 1987.
  Citation context: ...ng fields while allowing modules to share objects. When the program creates an object with format T, the newly-created object contains the fields contributed to format T by all modules in the program [6]. A simple type checker for the implementation language statically ensures that each module accesses only fields that it has contributed to an object. Note that no analysis plugin needs the full layou...

- 14 citations: Über mögligkeiten im relativkalkül. Loewenheim, 1915.
  Citation context: ...dule. Free variables of these formulas denote abstract sets declared in specification sections. The expressive power of such formulas is the first-order theory of boolean algebras, which is decidable [19,26]. The decidability of the specification language ensures that analysis plugins can precisely propagate the specified relations between the abstract sets. 3.3 Analysis Overview The analysis of a module...

- 14 citations: Combining sets with elements. Zarba, 2004.

- 13 citations: A quantifier elimination algorithm for a fragment of set theory involving the cardinality operator. Zarba, 2004.

- 10 citations: On modular pluggable analyses using set interfaces. Lam, Kuncak, et al., 2003.
  Citation context: ... means practical. The specification of a procedure is derived from the abstract requires, modifies, and ensures clauses using the definitions of abstract sets as well as the representation invariants [21]. We also require that a procedure never violate the preconditions of its callees. Figure 10 illustrates our analysis of the Scheduler module from our example: to ensure that Scheduler meets its speci...

- 7 citations: The hob project web page. http://catfish.csail.mit.edu/∼plam/mpa. Lam, Kuncak, et al., 2004.

- 5 citations: The Combination Problem in Automated Reasoning. Zarba, 2004.

- 3 citations: Über mögligkeiten im relativkalkül (second index record for the same work). Loewenheim, 1915.
  Citation context: ...dule. Free variables of these formulas denote abstract sets declared in specification sections. The expressive power of such formulas is the first-order theory of boolean algebras, which is decidable [19, 26]. The decidability of the specification language ensures that analysis plugins can precisely propagate the specified relations between the abstract sets. 3.3 Analysis Overview The analysis of a module...

- 1 citation: Verifying set interfaces based on object field values. Lam, Kuncak, et al., 2005.