## A logic and decision procedure for predicate abstraction of heap-manipulating programs (2005)

### Cached

### Download Links

- [www.cs.ubc.ca]
- [www.zvonimir.info]
- [soarlab.org]
- DBLP

### Other Repositories/Bibliography

Venue: | UBC Dept. Comp. Sci |

Citations: | 22 - 4 self |

### BibTeX

@TECHREPORT{Bingham05alogic,

author = {Jesse Bingham and Zvonimir Rakamarić},

title = {A logic and decision procedure for predicate abstraction of heap-manipulating programs},

institution = {UBC Dept. Comp. Sci},

year = {2005}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. An important and ubiquitous class of programs are heap-manipulating programs (HMP), which manipulate unbounded linked data structures by following pointers and updating links. Predicate abstraction hasprovedtobeaninvaluable technique in the field of software model checking; this technique relies on an efficient decision procedure for the underlying logic. The expression and proof of many interesting HMP safety properties require transitive closure predicates; such predicates express that some node can be reached from another node by following a sequence of (zero or more) links in the data structure. Unfortunately, adding support for transitive closure often yields undecidability, so one must be careful in defining such a logic. Our primary contributions are the definition of a simple transitive closure logic for use in predicate abstraction of HMPs, and a decision procedure for this logic. Through several experimental examples, we demonstrate that our logic is expressive enough to prove interesting properties with predicate abstraction, and that our decision procedure provides us with both a time and space advantage over previous approaches. 1

### Citations

3153 | Graph-based algorithms for Boolean function manipulation - Bryant - 1986 |

2004 |
Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints
- Cousot, Cousot
- 1977
(Show Context)
Citation Context ...n hints” to converge. 3 Verification Approach 3.1 Predicate Abstraction Our approach to verifying heap programs is based on predicate abstraction [16], which is an instance of abstract interpretation =-=[10]-=-. In the framework of abstract interpretation, a concrete system (in our case an HMP) is verified by constructing a finite-state overapproximation of the concrete system called the abstract system. Le... |

663 | Counterexampleguided abstraction refinement
- Clarke, Grumberg, et al.
- 2000
(Show Context)
Citation Context ...r verification to go through can be tricky business. Many works have addressed this issue of predicate discovery [13, 4, 18, 11], which falls under the more general umbrella of abstraction refinement =-=[9]-=-. As in recent papers on this topic [2, 23], in our current framework, predicates are added by manual inspection of counterexample behaviors; applying automatic predicate discovery techniques is an im... |

648 | Construction of abstract state graphs with PVS
- Graf, Säıdi
- 1997
(Show Context)
Citation Context ...checking has emerged as a vibrant area of formal verification research. Much of the success of applying model checking to software has come from the use of predicate abstraction on the program source =-=[16, 14, 3, 18]-=-. In predicate abstraction, sets of states of the program and program transitions are over-approximated using a finite set of predicates over the program variables. These predicates (or boolean combin... |

579 | Parametric shape analysis via 3-valued logic
- Sagiv, Reps, et al.
- 1999
(Show Context)
Citation Context ...procedure with non-elementary complexity, so, there are programs that cannot be verified in practice. Furthermore, loop invariants must be provided by the user. The Three Valued Logic Analyzer (TVLA) =-=[32, 25]-=- extends conventional abstract interpretation with a third “uncertain” logic value, and builds so-called 3-valued logical structures that abstract the reachable states at each program point (a.k.a. ca... |

498 |
The Science of Programming
- Gries
- 1981
(Show Context)
Citation Context ...) involves a call to the decision procedure to determine if the following formula is satisfiable: γ(ρ) ∧ wp(γ(a)) (1) where γ is the concretization function,andwp is the weakest precondition operator =-=[17]-=-. Intuitively, γ maps a cube to a logic formula that denotes the set of concrete states represented by the cube. Formally, for a cube µ let P(µ) (resp. N(µ)) denote the set {i | µ(bi)=true} (resp. {i ... |

486 | Lazy abstraction
- Henzinger, Jhala, et al.
- 2002
(Show Context)
Citation Context ...checking has emerged as a vibrant area of formal verification research. Much of the success of applying model checking to software has come from the use of predicate abstraction on the program source =-=[16, 14, 3, 18]-=-. In predicate abstraction, sets of states of the program and program transitions are over-approximated using a finite set of predicates over the program variables. These predicates (or boolean combin... |

425 | Automatic predicate abstraction of C programs - Ball, Majumdar, et al. - 2001 |

151 | Modeling and verifying systems using a logic of counter arithmetic with lambda expressions and uninterpreted functions
- Bryant, Lahiri, et al.
- 2002
(Show Context)
Citation Context ...le that is used to derive additional axioms when necessary. Because of the purely first-order axiomatization, they are able to harness the power of available automated theorem provers; they use UCLID =-=[8]-=- as the underlying inference engine. Dams and Namjoshi [11] propose an approach based on predicate abstraction and model checking. They abstract a program by iteratively calculating weakest preconditi... |

150 | The pointer assertion logic engine
- Møller, Schwartzbach
- 2001
(Show Context)
Citation Context ...of a program automatically (given an appropriate set of predicates), while they require a user to provide loop invariants, which can be a significant burden. The Pointer Assertion Logic Engine (PALE) =-=[29]-=- specifies heap structures using graph types [22], which are tree-shaped data structures augmented with extra pointers. The authors show that many common heap structures can be defined that way, some ... |

138 | Experience with Predicate Abstraction
- Das, Dill, et al.
- 1999
(Show Context)
Citation Context ...checking has emerged as a vibrant area of formal verification research. Much of the success of applying model checking to software has come from the use of predicate abstraction on the program source =-=[16, 14, 3, 18]-=-. In predicate abstraction, sets of states of the program and program transitions are over-approximated using a finite set of predicates over the program variables. These predicates (or boolean combin... |

126 | Graph types
- Klarlund, Schwartzbach
- 1993
(Show Context)
Citation Context ...set of predicates), while they require a user to provide loop invariants, which can be a significant burden. The Pointer Assertion Logic Engine (PALE) [29] specifies heap structures using graph types =-=[22]-=-, which are tree-shaped data structures augmented with extra pointers. The authors show that many common heap structures can be defined that way, some of which we cannot express. PALE relies on a deci... |

118 | TVLA: A system for implementing static analyses
- Lev-Ami, Sagiv
(Show Context)
Citation Context ...procedure with non-elementary complexity, so, there are programs that cannot be verified in practice. Furthermore, loop invariants must be provided by the user. The Three Valued Logic Analyzer (TVLA) =-=[32, 25]-=- extends conventional abstract interpretation with a third “uncertain” logic value, and builds so-called 3-valued logical structures that abstract the reachable states at each program point (a.k.a. ca... |

113 |
Techniques for program verification
- Nelson
- 1981
(Show Context)
Citation Context ...e name of the link function). For example, f ∗ ( f (x),x) expresses that x is a node in a circular linked list. Several papers have previously identified the importance of transitive closure for HMPs =-=[30, 31, 5, 19, 2, 23]-=-. Unfortunately, adding support for transitive closure to even relatively tame logics often yields undecidability [19]. Our first contribution is a fragment of the decidable logics that we show (throu... |

102 |
Predicate abstraction for software verification
- Flanagan, Qadeer
- 2002
(Show Context)
Citation Context ...oblem by computing a set R α ⊆ A such that α(R) ⊆ R α . Verification succeeds if one can prove that R α → ψ. A key difference in the various approaches to predicate abstraction is how R α is computed =-=[16, 14, 12, 15, 2, 11]-=-. This typically involves numerous queries to a decision procedure for the underlying logic and there are tradeoffs between how accurately R α approximates α(R) and the number and complexity of these ... |

81 | Putting static analysis to work for verification: A case study - Lev-Ami, Reps, et al. - 2000 |

79 | Data Structure Specifications via Local Equality Axioms
- McPeak, Necula
- 2005
(Show Context)
Citation Context ...nd memory, since these BDDs tend to blow-up. The technique of Kesten and Pnueli [21] for establishing termination employed by Balaban et al. is likely compatible with our work also. McPeak and Necula =-=[28]-=- specify heap data structures using local equality axioms, which constrain only a bounded fragment of the heap around some node. This enables them to describe a variety of shapes and reason about scal... |

70 |
Successive Approximation of Abstract Transition Relations
- Das, Dill
- 2001
(Show Context)
Citation Context ...oblem by computing a set R α ⊆ A such that α(R) ⊆ R α . Verification succeeds if one can prove that R α → ψ. A key difference in the various approaches to predicate abstraction is how R α is computed =-=[16, 14, 12, 15, 2, 11]-=-. This typically involves numerous queries to a decision procedure for the underlying logic and there are tradeoffs between how accurately R α approximates α(R) and the number and complexity of these ... |

61 | Relative completeness of abstraction refinement for software model checking
- Ball, Podelski, et al.
- 2002
(Show Context)
Citation Context ...ss of information inherent in the abstraction. Finding the “right” set of predicates for verification to go through can be tricky business. Many works have addressed this issue of predicate discovery =-=[13, 4, 18, 11]-=-, which falls under the more general umbrella of abstraction refinement [9]. As in recent papers on this topic [2, 23], in our current framework, predicates are added by manual inspection of counterex... |

59 |
Shape analysis by predicate abstraction
- Balaban, Pnueli, et al.
- 2005
(Show Context)
Citation Context ...e name of the link function). For example, f ∗ ( f (x),x) expresses that x is a node in a circular linked list. Several papers have previously identified the importance of transitive closure for HMPs =-=[30, 31, 5, 19, 2, 23]-=-. Unfortunately, adding support for transitive closure to even relatively tame logics often yields undecidability [19]. Our first contribution is a fragment of the decidable logics that we show (throu... |

59 | Automatic Verification of Pointer Programs Using Monadic Second-order Logic
- Jensen, Jørgensen, et al.
(Show Context)
Citation Context ...st. ZIP – zips two linked lists, shuffling the elements of both list into one. Then, the tail of the longer list is appended to the resulting list. This example is taken from a paper by Jensen et al. =-=[20]-=-. SORTED-ZIP – joins the elements of two sorted lists into one, also sorted. Here the data elements are simply booleans, so “sorted” means that all nodes with false fields come before nodes with true ... |

54 |
Verifying reachability invariants of linked structures
- Nelson
- 1983
(Show Context)
Citation Context ...e name of the link function). For example, f ∗ ( f (x),x) expresses that x is a node in a circular linked list. Several papers have previously identified the importance of transitive closure for HMPs =-=[30, 31, 5, 19, 2, 23]-=-. Unfortunately, adding support for transitive closure to even relatively tame logics often yields undecidability [19]. Our first contribution is a fragment of the decidable logics that we show (throu... |

53 | Counter-example based predicate discovery in predicate abstraction
- Das, Dill
(Show Context)
Citation Context ...ss of information inherent in the abstraction. Finding the “right” set of predicates for verification to go through can be tricky business. Many works have addressed this issue of predicate discovery =-=[13, 4, 18, 11]-=-, which falls under the more general umbrella of abstraction refinement [9]. As in recent papers on this topic [2, 23], in our current framework, predicates are added by manual inspection of counterex... |

53 | Predicate Abstraction and Canonical Abstraction for Singly-Linked Lists
- Manevich, Yahav, et al.
- 2005
(Show Context)
Citation Context ...ays the most precise w.r.t. the given set of predicates. TVLA does not make such a guarantee, although some work has been done to make TLVA more precise [33]. TVLA is also employed by Manevich et al. =-=[27]-=-, who observe that the number of shared nodes in linked lists is bounded and present a novel definition of “uninterrupted list segments”. This is used to define predicate and canonical abstractions of... |

52 | Symbolically computing most-precise abstract operations for shape analysis
- Yorsh, Reps, et al.
(Show Context)
Citation Context ...wever, the abstract invariant we compute is always the most precise w.r.t. the given set of predicates. TVLA does not make such a guarantee, although some work has been done to make TLVA more precise =-=[33]-=-. TVLA is also employed by Manevich et al. [27], who observe that the number of shared nodes in linked lists is bounded and present a novel definition of “uninterrupted list segments”. This is used to... |

46 | Verifying properties of well-founded linked lists
- Lahiri, Qadeer
- 2006
(Show Context)
Citation Context |

39 | A decidable logic for describing linked data structures
- Benedikt, Reps, et al.
- 1999
(Show Context)
Citation Context |

34 | Verification by augmented finitary abstraction
- Kesten, Pnueli
(Show Context)
Citation Context ...orem, and build BDDs representing all models up to the small model size. This is a bottleneck in both computation time and memory, since these BDDs tend to blow-up. The technique of Kesten and Pnueli =-=[21]-=- for establishing termination employed by Balaban et al. is likely compatible with our work also. McPeak and Necula [28] specify heap data structures using local equality axioms, which constrain only ... |

34 | Abstraction refinement via inductive learning
- Loginov, Reps, et al.
- 2005
(Show Context)
Citation Context ...hey only verify the simple property of no null dereferences (they also verify cyclicity for two examples). We are verifying more complicated properties, for instance SO. Very recently, Loginov et al. =-=[26]-=- have used TVLA to fully automatically verify the bubblesort example. For the two examples in common with Lahiri and Qadeer [23], 9 LIST-REVERSE and SORTED-INSERT, we are significantly faster at verif... |

32 | The boundary between decidability and undecidability for transitive-closure logics
- IMMERMAN, RABINOVICH, et al.
- 2004
(Show Context)
Citation Context |

31 | Shape analysis through predicate abstraction and model checking
- Dams, Namjoshi
- 2003
(Show Context)
Citation Context .... Because of the purely first-order axiomatization, they are able to harness the power of available automated theorem provers; they use UCLID [8] as the underlying inference engine. Dams and Namjoshi =-=[11]-=- propose an approach based on predicate abstraction and model checking. They abstract a program by iteratively calculating weakest preconditions of shape predicates, and are able to handle second-orde... |

2 | A tundra-steppe transition on - E, Armbruster - 1989 |

1 | nontrival maximal SCCs of (V,E) are basins - All |