## Type-Based Data Structure Verification

### BibTeX

```bibtex
@MISC{_type-baseddata,
  author = {},
  title = {Type-Based Data Structure Verification},
  year = {}
}
```

### Abstract

Author information hidden for double-blind review.

We present a refinement type-based approach for the static verification of complex data structure invariants. Our approach is based on the observation that complex data structures are often fashioned from two elements: recursion (e.g., lists and trees) and maps (e.g., arrays and hash tables). We introduce two novel type-based mechanisms targeted towards these elements: recursive refinements and polymorphic refinements. These mechanisms automate the challenging work of generalizing and instantiating rich universal invariants by piggybacking simple refinement predicates on top of types, and by carefully dividing the labor of analysis between the type system and an SMT solver [6]. Further, the mechanisms permit the use of the abstract interpretation framework of liquid type inference [18] to automatically synthesize complex invariants from simple logical qualifiers, thereby almost completely automating the verification. We have implemented our approach in DSOLVE, which uses liquid types to verify OCAML programs. We present experiments that show that our type-based approach reduces the manual annotations required to verify complex properties like sortedness, balancedness, binary-search-ordering, and acyclicity by more than an order of magnitude.

### Citations

704 | Types and Programming Languages
- Pierce
- 2002
Citation context: ...types, and a system of iso-recursive types. We assume that appropriate fold and unfold annotations are automatically placed in the source at the standard construction and matching sites respectively [16]. We assume that different types use disjoint constructors, and that in pattern-match expressions there is exactly one match-binding for each constructor of the appropriate type. The run-time values a...

417 | Z3: An efficient SMT solver
- Moura, Bjørner
- 2008
Citation context: ...lizing and instantiating rich universal invariants by piggybacking simple refinement predicates on top of types, and carefully dividing the labor of analysis between the type system and an SMT solver [6]. Further, the mechanisms permit the use of the abstract interpretation framework of liquid type inference [18] to automatically synthesize complex invariants from simple logical qualifiers, thereby a...

289 | Dependent types in practical programming
- Xi, Pfenning
- 1999
Citation context: ...e graph satisfies an acyclicity invariant like DAG from (3), in Section 2.2. 7. Related Work. Indexed Type based approaches use types augmented with indices which capture invariants of recursive types [20, 4, 7]. Recursive refinements offer several significant advantages over indices. First, they are strictly more expressive. While any index can be directly encoded with measures, it is unclear if canonical i...

227 | Purely Functional Data Structures
- Okasaki
- 1998
Citation context: ...ier) annotations, and T(s) is the time in seconds DSOLVE requires to verify each property. • Heap: a binary heap library (due to Filliâtre [8]) • Splayheap: a splay tree based heap (due to Okasaki [15]) • Malloc: a resource management library • Bdd: a binary decision diagram library (due to Filliâtre [8]) • Unionfind: the textbook union-find data structure • Subvsolve: a DAG-based bit-level infer...

118 | Hybrid type checking
- Flanagan
- 2006
Citation context: ...ta structure invariants. Refinement Types. Our system is built on the idea of refining ML types with predicates over program values that specify additional constraints satisfied by values of the type [9]. Base values, for example, those of type integer (denoted int), can be described as {ν :int | e} where ν is a special value variable not appearing in the program, and e is a boolean-valued expression...

112 | TVLA: A system for implementing static analyses
- Lev-Ami, Sagiv
- 2000
Citation context: ...estructive heap updates. These techniques work by carefully controlling generalization (i.e., “blurring”) and instantiation (i.e., “focusing”) using a combination of user-defined recursive predicates [13, 21] and abstract domains tailored to the structure being analyzed [10, 3]. Our insight is that in high-level languages, shape invariants can be guaranteed using a rich type system. Furthermore, by piggyb...

85 | Scalable shape analysis for systems code
- Yang, Lee, et al.
- 2008
Citation context: ...estructive heap updates. These techniques work by carefully controlling generalization (i.e., “blurring”) and instantiation (i.e., “focusing”) using a combination of user-defined recursive predicates [13, 21] and abstract domains tailored to the structure being analyzed [10, 3]. Our insight is that in high-level languages, shape invariants can be guaranteed using a rich type system. Furthermore, by piggyb...

79 | Full functional verification of linked data structures
- Zee, Kuncak, et al.
- 2008
Citation context: ...ese and the code, verification conditions (VCs) are generated whose validity implies that the code meets the specification. The VCs are then proved using automatic [12] or interactive theorem proving [14, 22, 17]. These approaches allow for the specification of far more expressive properties than is possible in our system. However, they require significantly more manual effort in interacting with the prover. ...

64 | Back to the future: revisiting precise program verification using SMT solvers
- Lahiri, Qadeer
- 2008
Citation context: ...r-order specification logic. From these and the code, verification conditions (VCs) are generated whose validity implies that the code meets the specification. The VCs are then proved using automatic [12] or interactive theorem proving [14, 22, 17]. These approaches allow for the specification of far more expressive properties than is possible in our system. However, they require significantly more ma...

58 | SSA is functional programming
- Appel
- 1998
Citation context: ...s a map from integer keys i to integer values greater than 1 and i − 1. Memoization. Consider the memoized fibonacci function fib in Figure 3. The example is shown in the SSA-converted style of Appel [2], with t0 being the input name of the memo table, and t1, t2 the names after updates. To verify that fib always returns a value greater than 1 and greater than (the argument) i − 1, we require the uni...

51 | Relational inductive shape analysis
- Chang, Rival
- 2008
Citation context: ...generalization (i.e., “blurring”) and instantiation (i.e., “focusing”) using a combination of user-defined recursive predicates [13, 21] and abstract domains tailored to the structure being analyzed [10, 3]. Our insight is that in high-level languages, shape invariants can be guaranteed using a rich type system. Furthermore, by piggybacking refinements on top of the types, one can use abstract interpret...

39 | Lifting abstract interpreters to quantified logical domains
- Gulwani, McCloskey, et al.
- 2008
Citation context: ...generalization (i.e., “blurring”) and instantiation (i.e., “focusing”) using a combination of user-defined recursive predicates [13, 21] and abstract domains tailored to the structure being analyzed [10, 3]. Our insight is that in high-level languages, shape invariants can be guaranteed using a rich type system. Furthermore, by piggybacking refinements on top of the types, one can use abstract interpret...

32 | Liquid types
- Rondon, Kawaguchi, et al.
- 2008
Citation context: ...s, and carefully dividing the labor of analysis between the type system and an SMT solver [6]. Further, the mechanisms permit the use of the abstract interpretation framework of liquid type inference [18] to automatically synthesize complex invariants from simple logical qualifiers, thereby almost completely automating the verification. We have implemented our approach in DSOLVE, which uses liquid typ...

30 | A Unified System of Type Refinements
- Dunfield
- 2007
Citation context: ...rdered AVL-tree based implementation of finite maps (from the OCAML standard library) • Ralist: a random-access lists library (due to Xi [19]) • Redblack: a red-black tree library (due to Dunfield [7]) • Stablesort: a tail recursive mergesort (from the OCAML standard library) • Vec: a tree-based vector library (due to de Alfaro [5]) Program LOC Ann. T(s) Property List-sort 111 7 5 Sorted, Elts Ma...

16 | Ynot: Reasoning with the awkward squad
- Nanevski, Morrisett, et al.
Citation context: ...ese and the code, verification conditions (VCs) are generated whose validity implies that the code meets the specification. The VCs are then proved using automatic [12] or interactive theorem proving [14, 22, 17]. These approaches allow for the specification of far more expressive properties than is possible in our system. However, they require significantly more manual effort in interacting with the prover. ...

14 | A Hoare logic for call-by-value functional programs
- Régis-Gianas, Pottier
- 2008
Citation context: ...ese and the code, verification conditions (VCs) are generated whose validity implies that the code meets the specification. The VCs are then proved using automatic [12] or interactive theorem proving [14, 22, 17]. These approaches allow for the specification of far more expressive properties than is possible in our system. However, they require significantly more manual effort in interacting with the prover. ...

13 | ATS: A Language That Combines Programming with Theorem Proving
- Cui, Donnelly, et al.
- 2005
Citation context: ...e graph satisfies an acyclicity invariant like DAG from (3), in Section 2.2. 7. Related Work. Indexed Type based approaches use types augmented with indices which capture invariants of recursive types [20, 4, 7]. Recursive refinements offer several significant advantages over indices. First, they are strictly more expressive. While any index can be directly encoded with measures, it is unclear if canonical i...

4 | DML code examples. http://www.cs.bu.edu/fac/hwxi/DML
- Xi
Citation context: ...luding insertion-sort, merge-sort and quick-sort, • Map: an ordered AVL-tree based implementation of finite maps (from the OCAML standard library) • Ralist: a random-access lists library (due to Xi [19]) • Redblack: a red-black tree library (due to Dunfield [7]) • Stablesort: a tail recursive mergesort (from the OCAML standard library) • Vec: a tree-based vector library (due to de Alfaro [5]) Prog...

2 | Vec: Extensible, functional arrays for ocaml. http://www.dealfaro.com/vec.html
- Alfaro
Citation context: ...o Xi [19]) • Redblack: a red-black tree library (due to Dunfield [7]) • Stablesort: a tail recursive mergesort (from the OCAML standard library) • Vec: a tree-based vector library (due to de Alfaro [5]), followed by the beginning of the paper's results table, rebuilt here from the flattened snippet (the snippet cuts off inside the last row):

| Program | LOC | Ann. | T(s) | Property |
|---|---|---|---|---|
| List-sort | 111 | 7 | 5 | Sorted, Elts |
| Map | 98 | 14 | 25 | Balance, BST, Set |
| Ralist | 92 | 3 | 2 | Len |
| Redblack | 106 | 2 | 29 | Balance, Color, BST |
| Stablesort | 124 | 1 | 4 | Sorted |
| Vec | 343 | 9 | 87 | Balance, L... |

2 | Ocaml software. http://www.lri.fr/ filliatr/software.en.html
- Filliâtre
Citation context: ...e properties verified, Ann. is the number of manual (qualifier) annotations, and T(s) is the time in seconds DSOLVE requires to verify each property. • Heap: a binary heap library (due to Filliâtre [8]) • Splayheap: a splay tree based heap (due to Okasaki [15]) • Malloc: a resource management library • Bdd: a binary decision diagram library (due to Filliâtre [8]) • Unionfind: the textbook union-f...

2 | Bit-level types for high-level reasoning
- Jhala, Majumdar
- 2006
Citation context: ...esource management library, • Bdd: a binary decision diagram library (due to Filliâtre [8]) • Unionfind: the textbook union-find data structure, • Subvsolve: a DAG-based bit-level inference algorithm [11]. On the programs, we check the following properties: Sorted, the output list is sorted; Elts, the output list has the same elements as the input; Balance, the output trees are balanced; BST, the outpu...

1 | Please contact PC chair for details
- Anonymous
Citation context: ...Schemas T, S ::= T(E), S(E) Depend. Types, Schemas; T̂, Ŝ ::= T(Q), S(Q) Liquid Types, Schemas. Figure 5. MLref: Syntax. ...value semantics, formalized using a standard small-step operational semantics [1]. In Section 4 (resp. Section 5), we extend MLref with recursive refinements (resp. polymorphic refinements). Expressions. The expressions of MLref, summarized in Figure 5, include variables, primitiv...