## Full functional verification of linked data structures (2008)

### Cached

### Download Links

Venue: | In ACM Conf. Programming Language Design and Implementation (PLDI |

Citations: | 84 - 17 self |

### BibTeX

@INPROCEEDINGS{Zee08fullfunctional,

author = {Karen Zee and Viktor Kuncak and Martin C. Rinard},

title = {Full functional verification of linked data structures},

booktitle = {In ACM Conf. Programming Language Design and Implementation (PLDI},

year = {2008}

}

### OpenURL

### Abstract

We present the first verification of full functional correctness for a range of linked data structure implementations, including mutable lists, trees, graphs, and hash tables. Specifically, we present the use of the Jahob verification system to verify formal specifications, written in classical higher-order logic, that completely capture the desired behavior of the Java data structure implementations (with the exception of properties involving execution time and/or memory consumption). Given that the desired correctness properties include intractable constructs such as quantifiers, transitive closure, and lambda abstraction, it is a challenge to successfully prove the generated verification conditions. Our Jahob verification system uses integrated reasoning to split each verification condition into a conjunction of simpler subformulas, then apply a diverse collection of specialized decision procedures,

### Citations

802 |
Isabelle/HOL – A Proof Assistant for Higher-Order Logic. LNCS 2283
- Nipkow, Paulson, et al.
- 2002
(Show Context)
Citation Context ... E [76]), an interface to SMT provers (CVC3 [26] and Z3 [19]), an interface to MONA [67], an interface to the BAPA decision procedure [44, 46], and interfaces to interactive theorem provers (Isabelle =-=[63]-=- and Coq [11]). • Proof Decomposition: Jahob allows the developer to insert program-point-specific lemmas and proof hints into the imperative source code. Jahob proves these lemmas (using the full ran... |

588 | Parametric shape analysis via 3-valued logic
- SAGIV, REPS, et al.
(Show Context)
Citation Context ... that are known to be intractable for automated reasoning systems [36, 45]. Researchers have therefore focused on more tractable goals: verify some (but not all) of the desired correctness properties =-=[6, 18, 28, 42, 47, 49, 50, 74, 88, 89]-=-, work with programs that do not manipulate recursive linked data structures [29, 81], or use finitization to check correctness properties within a bounded analysis scope [15, 20, 38, 70, 77, 78]. Whi... |

571 | PVS: A Prototype Verification System
- Owre, Rushby, et al.
- 1992
(Show Context)
Citation Context ...fidence in the correctness of the implementation. • Integrated Reasoning Systems: In recent years researchers have developed a range of decision procedures, theorem provers, and other reasoning tools =-=[11,16,19,26,27,30,46,47,55,63,65, 76, 84]-=-. Techniques that enable these reasoning tools to seamlessly interoperate within a unified reasoning framework (such as Nelson-Oppen combination [60] and our formula approximation) greatly increase th... |

563 | Extended static checking for Java
- Flanagan, Leino, et al.
- 2002
(Show Context)
Citation Context ...es are perfectly adequate for this purpose. Software verification tools. Software verification tools that can prove properties of linked data structures include Spec# [8], ESC/Modula-3 [21], ESC/Java =-=[24]-=-, ESC/Java2 [17], Krakatoa [23, 53], KIV [7], KeY [3], and LOOP [82]. To the best of our knowledge, none of these systems have been used to verify the full functional correctness of a collection of li... |

545 |
Introduction to HOL: A Theorem Proving Environment for Higher Order Logic
- GORDON, MELHAM
- 1993
(Show Context)
Citation Context ...fidence in the correctness of the implementation. • Integrated Reasoning Systems: In recent years researchers have developed a range of decision procedures, theorem provers, and other reasoning tools =-=[11,16,19,26,27,30,46,47,55,63,65, 76, 84]-=-. Techniques that enable these reasoning tools to seamlessly interoperate within a unified reasoning framework (such as Nelson-Oppen combination [60] and our formula approximation) greatly increase th... |

525 |
Interactive Theorem Proving and Program Development - Coq’Art: The Calculus of Inductive Constructions
- Bertot, Castéran
- 2004
(Show Context)
Citation Context ...interface to SMT provers (CVC3 [26] and Z3 [19]), an interface to MONA [67], an interface to the BAPA decision procedure [44, 46], and interfaces to interactive theorem provers (Isabelle [63] and Coq =-=[11]-=-). • Proof Decomposition: Jahob allows the developer to insert program-point-specific lemmas and proof hints into the imperative source code. Jahob proves these lemmas (using the full range of its rea... |

431 | Automatic Predicate Abstraction of C Programs
- Ball, Majumdar, et al.
- 2001
(Show Context)
Citation Context ... that are known to be intractable for automated reasoning systems [36, 45]. Researchers have therefore focused on more tractable goals: verify some (but not all) of the desired correctness properties =-=[6, 18, 28, 42, 47, 49, 50, 74, 88, 89]-=-, work with programs that do not manipulate recursive linked data structures [29, 81], or use finitization to check correctness properties within a bounded analysis scope [15, 20, 38, 70, 77, 78]. Whi... |

339 | Cute: a concolic unit testing engine for c
- Sen, Marinov, et al.
- 2005
(Show Context)
Citation Context ..., 42, 47, 49, 50, 74, 88, 89], work with programs that do not manipulate recursive linked data structures [29, 81], or use finitization to check correctness properties within a bounded analysis scope =-=[15, 20, 38, 70, 77, 78]-=-. While systems exist that can specify, and in principle even potentially verify, the full range of desired data structure correctness properties [3,7,53,82], to the best of our knowledge no previous ... |

310 | Extended static checking
- Detlefs, Leino, et al.
- 1998
(Show Context)
Citation Context ...omated techniques are perfectly adequate for this purpose. Software verification tools. Software verification tools that can prove properties of linked data structures include Spec# [8], ESC/Modula-3 =-=[21]-=-, ESC/Java [24], ESC/Java2 [17], Krakatoa [23, 53], KIV [7], KeY [3], and LOOP [82]. To the best of our knowledge, none of these systems have been used to verify the full functional correctness of a c... |

299 | Korat: automated testing based on Java predicates
- Boyapati, Khurshid, et al.
(Show Context)
Citation Context ..., 42, 47, 49, 50, 74, 88, 89], work with programs that do not manipulate recursive linked data structures [29, 81], or use finitization to check correctness properties within a bounded analysis scope =-=[15, 20, 38, 70, 77, 78]-=-. While systems exist that can specify, and in principle even potentially verify, the full range of desired data structure correctness properties [3,7,53,82], to the best of our knowledge no previous ... |

244 | Compositional pointer and escape analysis for Java programs - Whaley, Rinard - 1999 |

231 | Abstractions from proofs - Henzinger, Jhala, et al. - 2004 |

205 | Verification of object-oriented programs with invariants
- Barnett, DeLine, et al.
(Show Context)
Citation Context ...does not support dynamic class loading, exceptions, or dynamic dispatch. Techniques exist, however, that should make it possible to extend our modular verification approach to support such constructs =-=[8,17,32]-=-. Two limitations could be eliminated by minor extensions. We currently model numbers as algebraic quantities with unbounded precision and assume that object allocation always successfully produces a ... |

150 | The pointer assertion logic engine
- Møller, Schwartzbach
- 2001
(Show Context)
Citation Context ...n verify programs that manipulate only linked lists [47]. In some cases, it is also possible to express reachability properties in first-order logic [14, 41, 48, 51, 55, 61]. Approaches based on MONA =-=[58, 87]-=- guarantee completeness for reachability properties. By themselves, these approaches are not sufficient for the verification of many important data structure properties. Our experience indicates, howe... |

138 |
The TPTP Problem Library: CNF Release v1.2.1
- Sutcliffe, Suttner
- 1998
(Show Context)
Citation Context ...ttempt fails. 6.2 First-order Provers Decades of research into first-order theorem proving by resolution have produced carefully engineered systems capable of proving non-trivial first-order formulas =-=[76, 80, 84]-=-. Jahob leverages this development by translating higher-order logic into first-order logic [14]. This translation is very effective for formulas without transitive closure and arithmetic. Such formul... |

137 | The E Equational Theorem Prover
- Schulz
(Show Context)
Citation Context ...pecialized reasoning systems to complex higher-order logic formulas. Our implemented Jahob system, for example, contains a simple syntactic prover, interfaces to first-order provers (SPASS [84] and E =-=[76]-=-), an interface to SMT provers (CVC3 [26] and Z3 [19]), an interface to MONA [67], an interface to the BAPA decision procedure [44, 46], and interfaces to interactive theorem provers (Isabelle [63] an... |

128 | Smallfoot: Modular automatic assertion checking with separation logic
- Berdine, Calcagno, et al.
(Show Context)
Citation Context ...and unverified rules for updating instrumentation predicates). Approaches to automating separation logic have similarly focused primarily on shape properties as opposed to full correctness properties =-=[10]-=-. These approaches have recently been extended to verify bag and size properties (although the system does not support arrays or loops) [62]. Advanced type systems similarly use recursive data structu... |

126 | Mona: Monadic second-order logic in practice
- Gulmann, Jensen, et al.
- 1995
(Show Context)
Citation Context ...ucts not directly supported by a given specialized reasoning system, typically by replacing problematic constructs with logically stronger and simpler approximations. Decision procedures such as MONA =-=[30]-=- perform reasoning under the assumption that the models of given formulas are trees. The Jahob interfaces to such decision procedures recognize subformulas that express the relevant structure (such as... |

120 | Symbolic Bounds Analysis of Pointers, Array Indices, and Accessed Memory Regions - RUGINA, RINARD - 2000 |

114 |
Techniques for program verification
- NELSON
- 1980
(Show Context)
Citation Context ...soning tools [11,16,19,26,27,30,46,47,55,63,65, 76, 84]. Techniques that enable these reasoning tools to seamlessly interoperate within a unified reasoning framework (such as Nelson-Oppen combination =-=[60]-=- and our formula approximation) greatly increase the value of each individual tool. One potential result is a proliferation of specialized reasoning tools, a corresponding increase in the combined cap... |

111 | Integrating decision procedures into heuristic theorem provers: A case study of linear arithmetic
- Boyer, Moore
- 1988
(Show Context)
Citation Context ...fidence in the correctness of the implementation. • Integrated Reasoning Systems: In recent years researchers have developed a range of decision procedures, theorem provers, and other reasoning tools =-=[11,16,19,26,27,30,46,47,55,63,65, 76, 84]-=-. Techniques that enable these reasoning tools to seamlessly interoperate within a unified reasoning framework (such as Nelson-Oppen combination [60] and our formula approximation) greatly increase th... |

104 | Avoiding exponential explosion: Generating compact verification conditions
- Flanagan, Saxe
- 2001
(Show Context)
Citation Context ...n-deterministic choice with assume statements, as in control-flow graph representations. The Jahob encoding of loops with loop invariants is analogous to the sound version of the encoding in ESC/Java =-=[25]-=-. Encoding and semantics of proof constructs. One of our observations is that proof constructs have natural translations into the guarded command language (as presented in Figure 12). This translation... |

100 | Role analysis
- Kuncak, Lam, et al.
- 2002
(Show Context)
Citation Context ...s.Shape analysis. The goal of shape analysis is typically to verify only data structure shape properties (and not full functional correctness properties such as the change of data structure content) =-=[18, 28, 28, 41, 50, 74]-=-. Parameterized shape analyses such as TVLA have been extended to prove properties beyond shape, such as ordering of list elements [52] and the correctness of a binary search tree with a set interface... |

93 | Combining superposition, sorts and splitting
- Weidenbach
(Show Context)
Citation Context ...ctions of specialized reasoning systems to complex higher-order logic formulas. Our implemented Jahob system, for example, contains a simple syntactic prover, interfaces to first-order provers (SPASS =-=[84]-=- and E [76]), an interface to SMT provers (CVC3 [26] and Z3 [19]), an interface to MONA [67], an interface to the BAPA decision procedure [44, 46], and interfaces to interactive theorem provers (Isabe... |

86 | Proof General: A generic tool for proof development
- Aspinall
(Show Context)
Citation Context ...thematical notation for concepts such as set union (∪) and universal quantification (∀). Developers can use the ProofGeneral editor mode to view these symbols in either ASCII or mathematical notation =-=[5]-=- class AssocList { //: public specvar content :: ”(obj ∗ obj) set” public Object put(Object k0, Object v0) /∗: requires ”k0 ̸= null ∧ v0 ̸= null” modifies content ensures ”content = old content − {(k0... |

81 | Putting static analysis to work for verification: A case study
- Lev-Ami, Reps, et al.
- 2000
(Show Context)
Citation Context ...uch as the change of data structure content) [18, 28, 28, 41, 50, 74]. Parameterized shape analyses such as TVLA have been extended to prove properties beyond shape, such as ordering of list elements =-=[52]-=- and the correctness of a binary search tree with a set interface [68] (using manually devised and unverified rules for updating instrumentation predicates). Approaches to automating separation logic ... |

79 | Data Structure Specifications via Local Equality Axioms
- McPeak, Necula
- 2005
(Show Context)
Citation Context |

74 | Isabelle/Isar — a versatile environment for human-readable formal proof documents
- Wenzel
(Show Context)
Citation Context ...ets with cardinality constraints. Proof methods based on natural deduction combined with automated provers have recently been shown to be effective for obtaining complex proofs in interactive provers =-=[4, 85]-=-. Although Jahob supports the use of interactive provers, its proof commands provide an alternative way of decomposing proof obligations without ever leaving the world of the original Java program. Th... |

73 | Proving pointer programs in higher-order logic
- Mehta, Nipkow
(Show Context)
Citation Context ...en used to verify the correctness of purely functional data structures such as a binary search tree with a map interface [39], an AVL tree with a set interface [64], and garbage collection algorithms =-=[56]-=-. In the Verisoft project researchers have developed Isabelle proofs of correctness for doubly-linked list implementations [2]. It is natural to consider combinations of automated techniques to increa... |

73 | Commutativity analysis: A new analysis technique for parallelizing compilers
- Rinard, Diniz
- 1997
(Show Context)
Citation Context ...dented combination of scalability and precision [42, 49]. • Commuting Operations: If all operations in a computation commute, it is possible to generate code that executes the computation in parallel =-=[69]-=-. Applying this principle to computations that manipulate linked data structures can be challenging because commuting operations on linked data structures often produce different but semantically equi... |

70 | The KRAKATOA Tool for Certification of JAVA/JAVACARD Programs annotated
- MARCHÉ, PAULIN-MOHRING, et al.
(Show Context)
Citation Context ...thin a bounded analysis scope [15, 20, 38, 70, 77, 78]. While systems exist that can specify, and in principle even potentially verify, the full range of desired data structure correctness properties =-=[3,7,53,82]-=-, to the best of our knowledge no previous system has actually done so (see Section 8). 1.2 The Result This paper presents our experience using integrated reasoning in the Jahob verification system to... |

68 | Back to the future: revisiting precise program verification using SMT solvers
- Lahiri, Qadeer
- 2008
(Show Context)
Citation Context ...properties of data structures but are not complete for reachability properties. However, decision procedures that support reachability exist that can verify programs that manipulate only linked lists =-=[47]-=-. In some cases, it is also possible to express reachability properties in first-order logic [14, 41, 48, 51, 55, 61]. Approaches based on MONA [58, 87] guarantee completeness for reachability propert... |

59 | Pointer and escape analysis for multithreaded programs - Salcianu, Rinard - 2001 |

58 | Verification of Non-Functional Programs using Interpretations in Type Theory, in "Journal of Functional Programming
- FILLIÂTRE
- 2003
(Show Context)
Citation Context ...his purpose. Software verification tools. Software verification tools that can prove properties of linked data structures include Spec# [8], ESC/Modula-3 [21], ESC/Java [24], ESC/Java2 [17], Krakatoa =-=[23, 53]-=-, KIV [7], KeY [3], and LOOP [82]. To the best of our knowledge, none of these systems have been used to verify the full functional correctness of a collection of linked data structures. For example, ... |

55 | Incrementalized pointer and escape analysis - Vivien, Rinard - 2001 |

54 | Formal system development with KIV
- Balser, Reif, et al.
- 2000
(Show Context)
Citation Context ...thin a bounded analysis scope [15, 20, 38, 70, 77, 78]. While systems exist that can specify, and in principle even potentially verify, the full range of desired data structure correctness properties =-=[3,7,53,82]-=-, to the best of our knowledge no previous system has actually done so (see Section 8). 1.2 The Result This paper presents our experience using integrated reasoning in the Jahob verification system to... |

54 |
Verifying reachability invariants of linked structures
- Nelson
- 1983
(Show Context)
Citation Context ... procedures that support reachability exist that can verify programs that manipulate only linked lists [47]. In some cases, it is also possible to express reachability properties in first-order logic =-=[14, 41, 48, 51, 55, 61]-=-. Approaches based on MONA [58, 87] guarantee completeness for reachability properties. By themselves, these approaches are not sufficient for the verification of many important data structure propert... |

49 |
Shape analysis with inductive recursion synthesis
- Guo, Vachharajani, et al.
- 2007
(Show Context)
Citation Context ... that are known to be intractable for automated reasoning systems [36, 45]. Researchers have therefore focused on more tractable goals: verify some (but not all) of the desired correctness properties =-=[6, 18, 28, 42, 47, 49, 50, 74, 88, 89]-=-, work with programs that do not manipulate recursive linked data structures [29, 81], or use finitization to check correctness properties within a bounded analysis scope [15, 20, 38, 70, 77, 78]. Whi... |

47 |
An electronic purse specification, refinement, and proof
- Stepney, Cooper, et al.
- 2000
(Show Context)
Citation Context ...s implementation [33, 34], which is not a recursive linked data structure. LOOP, KIV, Jive, and Krakatoa have been used to verify smartcard applications (an electronic purse and the Mondex case study =-=[29, 79, 81]-=-), which do not contain complex linked data structures. KeY has also been used to prove the correctness of an insertion operation into a TreeMap [71]. While these efforts suggest that the verification... |

46 | Verifying properties of well-founded linked lists
- Lahiri, Qadeer
- 2006
(Show Context)
Citation Context ... procedures that support reachability exist that can verify programs that manipulate only linked lists [47]. In some cases, it is also possible to express reachability properties in first-order logic =-=[14, 41, 48, 51, 55, 61]-=-. Approaches based on MONA [58, 87] guarantee completeness for reachability properties. By themselves, these approaches are not sufficient for the verification of many important data structure propert... |

44 | Efficient e-matching for smt solvers
- Moura, Bjørner
- 2007
(Show Context)
Citation Context ...logic formulas. Our implemented Jahob system, for example, contains a simple syntactic prover, interfaces to first-order provers (SPASS [84] and E [76]), an interface to SMT provers (CVC3 [26] and Z3 =-=[19]-=-), an interface to MONA [67], an interface to the BAPA decision procedure [44, 46], and interfaces to interactive theorem provers (Isabelle [63] and Coq [11]). • Proof Decomposition: Jahob allows the ... |

44 | The SMT-LIB Standard: Version 1.2
- Ranise, Tinelli
- 2006
(Show Context)
Citation Context ...ted Jahob system, for example, contains a simple syntactic prover, interfaces to first-order provers (SPASS [84] and E [76]), an interface to SMT provers (CVC3 [26] and Z3 [19]), an interface to MONA =-=[67]-=-, an interface to the BAPA decision procedure [44, 46], and interfaces to interactive theorem provers (Isabelle [63] and Coq [11]). • Proof Decomposition: Jahob allows the developer to insert program-... |

43 | Automatic verification of pointer programs using grammar-based shape analysis
- Lee, Yang, et al.
- 2005
(Show Context)
Citation Context |

41 | The integration Project for the JACK Environment
- Bouali, Gnesi, et al.
- 1994
(Show Context)
Citation Context ...testing. Jahob and other systems based on theorem proving verify that data structures are correct for all executions. In contrast, testing and software model checking approaches based on finitization =-=[13,15,20,38,70,77,78]-=- check the correctness of only finitely many executions (and not the correctness of the remaining infinitely many executions). Systems such as Bogor [70] and JACK [13] integrate several techniques for... |

41 | TestEra: Specification-based testing of Java programs using SAT
- Khurshid, Marinov
(Show Context)
Citation Context ..., 42, 47, 49, 50, 74, 88, 89], work with programs that do not manipulate recursive linked data structures [29, 81], or use finitization to check correctness properties within a bounded analysis scope =-=[15, 20, 38, 70, 77, 78]-=-. While systems exist that can specify, and in principle even potentially verify, the full range of desired data structure correctness properties [3,7,53,82], to the best of our knowledge no previous ... |

40 | Boolean heaps
- Podelski, Wies
- 2005
(Show Context)
Citation Context ...shape analysis can verify shape properties, yielding performance better than when using shape analysis alone [12]. Jahob contains an implementation of an alternative approach, symbolic shape analysis =-=[66,87,88]-=-, which generalizes the predicate abstraction domain to perform shape analysis. We have not used symbolic shape analysis for the examples in this paper. However, we have applied symbolic shape analysi... |

39 | Modular Data Structure Verification - KUNCAK - 2007 |

37 | Verifying a file system implementation
- Arkoudas, Zee, et al.
- 2004
(Show Context)
Citation Context ...ets with cardinality constraints. Proof methods based on natural deduction combined with automated provers have recently been shown to be effective for obtaining complex proofs in interactive provers =-=[4, 85]-=-. Although Jahob supports the use of interactive provers, its proof commands provide an alternative way of decomposing proof obligations without ever leaving the world of the original Java program. Th... |

37 | Simulating Reachability Using First-Order Logic with Applications to Verification of Linked Data Structures
- Lev-Ami, Immerman, et al.
- 2005
(Show Context)
Citation Context ... procedures that support reachability exist that can verify programs that manipulate only linked lists [47]. In some cases, it is also possible to express reachability properties in first-order logic =-=[14, 41, 48, 51, 55, 61]-=-. Approaches based on MONA [58, 87] guarantee completeness for reachability properties. By themselves, these approaches are not sufficient for the verification of many important data structure propert... |

37 | Field constraint analysis
- Wies, Kuncak, et al.
- 2006
(Show Context)
Citation Context ...rmulas that express the relevant structure (such as treeness or transitive closure). They then expose this structure to the decision procedure by applying techniques such as field constraint analysis =-=[87]-=- and encoding transitive closure using second-order quantifiers. Together, these techniques make it possible to productively apply arbitrary collections of specialized reasoning systems to complex hig... |