## On verifying complex properties using symbolic shape analysis (2006)

Venue: In Workshop on Heap Abstraction and Verification (collocated with ETAPS)

Citations: 11 (6 self)

### BibTeX

```bibtex
@TECHREPORT{Wies06onverifying,
  author      = {Thomas Wies and Viktor Kuncak and Karen Zee and Martin Rinard and Andreas Podelski},
  title       = {On verifying complex properties using symbolic shape analysis},
  institution = {In Workshop on Heap Abstraction and Verification (collocated with ETAPS},
  year        = {2006}
}
```

### Abstract

One of the main challenges in the verification of software systems is the analysis of statically unbounded data structures with dynamic memory allocation, such as linked data structures and arrays. We describe Bohne, a new analysis for verifying data structures. Bohne verifies data structure operations and shows that 1) the operations preserve data structure invariants and 2) the operations satisfy their specifications expressed in terms of changes to the set of objects stored in the data structure. During the analysis, Bohne infers loop invariants in the form of disjunctions of universally quantified Boolean combinations of formulas, represented as sets of binary decision diagrams. To synthesize loop invariants of this form, Bohne uses a combination of decision procedures for Monadic Second-Order Logic over trees, SMT-LIB decision procedures (currently CVC Lite), first-order provers such as SPASS and E, and the automated reasoner within the Isabelle interactive theorem prover. This architecture shows that synthesized loop invariants can serve as a useful communication mechanism between different decision procedures. In addition, Bohne uses field constraint analysis, a combination mechanism that enables the use of uninterpreted function symbols within formulas of Monadic Second-Order Logic over trees. Using Bohne, we have verified operations on data structures such as linked lists with iterators and back pointers, trees with and without parent pointers, two-level skip lists, array data structures, and sorted lists. We have deployed Bohne in the Hob and Jahob data structure analysis systems, enabling us to combine Bohne with analyses of data structure clients and apply it in the context of larger programs. This paper describes the Bohne algorithm and the techniques that Bohne uses to reduce the amount of annotations and the running time of the analysis.

### Citations

- Bryant (1986). Graph-based algorithms for Boolean function manipulation. 2939 citations.
  Cited in context: ...domain. These partial orders induce Boolean algebra structures. We denote by ⊓, ⊔ and · the meet, join and complement operations of these Boolean algebras. Bohne uses binary decision diagrams (BDDs) [9] to implement Boolean heaps, the abstract domain, and operations of the Boolean algebras. Context-sensitive Cartesian post. The abstract post operator implemented in Bohne is a refinement of the abstr...

- Cousot, Cousot (1977). Abstract interpretation: A unified lattice model for static analysis of programs by construction of approximation of fixed points. 1889 citations.
  Cited in context: ... properties of data structures and properties expressible using linear arithmetic and first-order logic. 1.1 Related Work We next put the Bohne algorithm in the context of two abstract interpretation [11] approaches that are closest to symbolic shape analysis: predicate abstraction and parametric shape analysis. We then discuss the work on decision procedures because Bohne uses a validity checker for ...

- Nipkow, Paulson, et al. (2002). Isabelle/HOL: a proof assistant for higher-order logic, volume 2283. 731 citations.
  Cited in context: ...provers for numerical and first-order properties, as opposed to using a Nelson-Oppen style theorem prover. This allowed us to easily combine several tools that were developed completely independently [25,4,42]. Shape analysis approaches have also been used to verify sortedness properties [38] relying on manually abstracting a sortedness relation. Decision procedures. Our symbolic shape analysis algorithm r...

- Graf, Saïdi (1997). Construction of abstract state graphs with PVS. 603 citations.
  Cited in context: ...rpretation [11], a static analysis is defined by lattice-theoretic domains and by fixpoint iteration over the domains. Symbolic shape analysis can be seen as a generalization of predicate abstraction [22]. For predicate abstraction the analysis computes an invariant; the fixpoint operator is an abstraction of the post operator; the concrete domain consists of sets of states (represented by closed form...

- Sagiv, Reps, et al. Parametric shape analysis via 3-valued logic. 540 citations.
  Cited in context: ...s. It is therefore not surprising that the most successful verification approaches for analysis of data structures use parameterized abstract domains; these analyses include parametric shape analysis [47] as well as predicate abstraction [3, 23] and its generalizations [14, 31]. This paper presents Bohne, an algorithm for inferring loop invariants of programs that manipulate heap-allocated data struct...

- Bertot, Castéran (2004). Interactive Theorem Proving and Program Development. Coq'Art: The Calculus of Inductive Constructions. 475 citations.
  Cited in context: ...e data structures, and linear arithmetic. These two decision procedures are most relevant for the present paper. In our system (Figure 1) we also use interactive theorem provers Isabelle [42] and Coq [5] to debug the proof obligations and translations into decision procedures, as well as to automatically discharge some proof obligations using simplification and proof search built into these provers. We...

- Henzinger, Jhala, et al. (2002). Lazy abstraction. 446 citations.
  Cited in context: ... the most successful verification approaches for analysis of data structures use parameterized abstract domains; these analyses include parametric shape analysis [47] as well as predicate abstraction [3, 23] and its generalizations [14, 31]. This paper presents Bohne, an algorithm for inferring loop invariants of programs that manipulate heap-allocated data structures. Like predicate abstraction, Bohne i...

- Ball, Majumdar, et al. (2001). Automatic predicate abstraction of C programs. 396 citations.
  Cited in context: ... the most successful verification approaches for analysis of data structures use parameterized abstract domains; these analyses include parametric shape analysis [47] as well as predicate abstraction [3, 23] and its generalizations [14, 31]. This paper presents Bohne, an algorithm for inferring loop invariants of programs that manipulate heap-allocated data structures. Like predicate abstraction, Bohne i...

- Barrett, Berezin (2004). CVC Lite: A new implementation of the cooperating validity checker. 204 citations.
  Cited in context: ...provers for numerical and first-order properties, as opposed to using a Nelson-Oppen style theorem prover. This allowed us to easily combine several tools that were developed completely independently [25,4,42]. Shape analysis approaches have also been used to verify sortedness properties [38] relying on manually abstracting a sortedness relation. Decision procedures. Our symbolic shape analysis algorithm r...

- Thatcher, Wright. Generalized finite automata theory with application to a decision problem of second-order logic. 161 citations.
  Cited in context: ...sis. The first source of complexity is the fact that the invariants contain reachability predicates. To address this problem, Bohne uses a decision procedure for monadic second-order logic over trees [50,25], and combines it with uninterpreted function symbols in a way that preserves completeness in important cases [54]. The second source of complexity is that the invariants contain universal quantifiers...

- Møller, Schwartzbach (2001). The Pointer Assertion Logic Engine. 145 citations.
  Cited in context: ...lysis originally used for compiler optimizations [24, 19, 18] and lacked the precision needed to establish invariants that Bohne is analyzing. Precise data structure analyses for verification include [29, 16, 26, 35, 41, 20, 47] and have recently also been applied to verify set implementations [45]. Unlike Bohne, most shape analyses that synthesize loop invariants are based on precomputed transfer functions and a fixed (thou...

- Distefano, O'Hearn, et al. (2006). A local shape analysis based on separation logic. 128 citations.
  Cited in context: ...to reason about the sizes of data structures, we used a new decision procedure [30, 28] with a reduction to Presburger arithmetic. Several recent decision procedures address specifically linked lists [1, 12, 39, 7, 44], where the emphasis is on the predictability (decision procedures for well-defined classes of properties of linked lists), the efficiency (membership in NP), the ability to interoperate with other re...

- Schulz. E – A Brainiac Theorem Prover. 128 citations.

- Sutcliffe, Suttner (1998). The TPTP Problem Library: CNF Release v1.2.1. 127 citations.
  Cited in context: ... discharge some proof obligations using simplification and proof search built into these provers. We have also had success using first-order theorem provers Vampire [51], E [48] (via the TPTP interface [49]) as well as SPASS [52]. We used first-order theorem provers in Jahob to verify implementations of data structures [8], avoiding the use of reachability using specification variables similarly to the ...

- Klarlund, Schwartzbach (1993). Graph types. 124 citations.
  Cited in context: ...lysis originally used for compiler optimizations [24, 19, 18] and lacked the precision needed to establish invariants that Bohne is analyzing. Precise data structure analyses for verification include [29, 16, 26, 35, 41, 20, 47] and have recently also been applied to verify set implementations [45]. Unlike Bohne, most shape analyses that synthesize loop invariants are based on precomputed transfer functions and a fixed (thou...

- Flanagan, Leino (2001). Houdini, an annotation assistant for ESC/Java. 120 citations.
  Cited in context: ...esugaring of loops [15]. In particular, the propagation is still applicable in the presence of heap manipulations that preserve the invariants in each loop-free code fragment. Unlike the Houdini tool [13], precondition conjunct propagation does not attempt to invent new predicates. 7 Experiments We applied Bohne to verify operations on various data structures. Our experiments cover data structures suc...

- Flanagan, Saxe (2001). Avoiding exponential explosion: generating compact verification conditions. 99 citations.
  Cited in context: ...cision procedure calls). The use of decision procedures makes this analysis more general than the syntactic approach for computing frame conditions for loops used in ESC/Java-like desugaring of loops [15]. In particular, the propagation is still applicable in the presence of heap manipulations that preserve the invariants in each loop-free code fragment. Unlike the Houdini tool [13], precondition conj...

- Kuncak, Lam, et al. (2002). Role analysis. 99 citations.
  Cited in context: ...lysis originally used for compiler optimizations [24, 19, 18] and lacked the precision needed to establish invariants that Bohne is analyzing. Precise data structure analyses for verification include [29, 16, 26, 35, 41, 20, 47] and have recently also been applied to verify set implementations [45]. Unlike Bohne, most shape analyses that synthesize loop invariants are based on precomputed transfer functions and a fixed (thou...

- Flanagan, Qadeer. Predicate abstraction for software verification. 94 citations.
  Cited in context: ...n approaches for analysis of data structures use parameterized abstract domains; these analyses include parametric shape analysis [47] as well as predicate abstraction [3, 23] and its generalizations [14, 31]. This paper presents Bohne, an algorithm for inferring loop invariants of programs that manipulate heap-allocated data structures. Like predicate abstraction, Bohne is parameterized by the properties...

- Weidenbach. Combining superposition, sorts and splitting. 90 citations.
  Cited in context: ...bligations using simplification and proof search built into these provers. We have also had success using first-order theorem provers Vampire [51], E [48] (via the TPTP interface [49]) as well as SPASS [52]. We used first-order theorem provers in Jahob to verify implementations of data structures [8], avoiding the use of reachability using specification variables similarly to the approaches taken in [29...

- Lev-Ami, Reps, et al. (2000). Putting static analysis to work for verification: A case study. 79 citations.
  Cited in context: ...e theorem prover. This allowed us to easily combine several tools that were developed completely independently [25,4,42]. Shape analysis approaches have also been used to verify sortedness properties [38] relying on manually abstracting a sortedness relation. Decision procedures. Our symbolic shape analysis algorithm relies on decision procedures for expressive logics to perform synthesis of loop inva...

- McPeak, Necula (2005). Data structure specifications via local equality axioms. 78 citations.
  Cited in context: ...52]. We used first-order theorem provers in Jahob to verify implementations of data structures [8], avoiding the use of reachability using specification variables similarly to the approaches taken in [29,40] and automated to some extent in [37]. Finally, to reason about the sizes of data structures, we used a new decision procedure [30, 28] with a reduction to Presburger arithmetic. Several recent decisi...

- Fradet, Le Métayer (1997). Shape types. 74 citations.

- Ghiya, Hendren (1996). Connection analysis: A practical interprocedural heap analysis for C. 73 citations.
  Cited in context: ...analysis. Shape analyses are precise analyses for linked data structures. They were originally used for compiler optimizations [24, 19, 18] and lacked the precision needed to establish invariants that Bohne is analyzing. Precise data structure analyses for verification include [29, 16, 26, 35, 41, 20, 47] and have recently also been appl...

- Klarlund, Møller, et al. MONA implementation secrets. 70 citations.
  Cited in context: ...sis. The first source of complexity is the fact that the invariants contain reachability predicates. To address this problem, Bohne uses a decision procedure for monadic second-order logic over trees [50,25], and combines it with uninterpreted function symbols in a way that preserves completeness in important cases [54]. The second source of complexity is that the invariants contain universal quantifiers...

- Jones, Muchnick (1983). Program Flow Analysis, Theory and Applications, chapter 4, Flow Analysis and Optimization of LISP-like Structures. 69 citations.
  Cited in context: ...te predicates is exponential in the number of properties [31, 42]. Shape analysis. Shape analyses are precise analyses for linked data structures. They were originally used for compiler optimizations [13,14,18] and lacked precision needed to establish invariants that Bohne is analyzing. Precise data structure analysis for the purpose of verification include [11,20,23,28,32,39] and have recently also been ap...

- Balaban, Pnueli, et al. Shape analysis by predicate abstraction. 57 citations.
  Cited in context: ...to reason about the sizes of data structures, we used a new decision procedure [30, 28] with a reduction to Presburger arithmetic. Several recent decision procedures address specifically linked lists [1, 12, 39, 7, 44], where the emphasis is on the predictability (decision procedures for well-defined classes of properties of linked lists), the efficiency (membership in NP), the ability to interoperate with other re...

- Calvanese, De Giacomo, et al. (1999). Reasoning in expressive description logics with fixpoints based on automata on infinite trees. 56 citations.
  Cited in context: ...so take advantage of logics for reasoning about reachability, such as the logic of reachable shapes [55]. Existing logics, such as guarded fixpoint logic [21] and description logics with reachability [10,17] are attractive because of their expressive power, but so far no decision procedures for these logics have been implemented. 1....

- Gotsman, Berdine, et al. (2006). Interprocedural shape analysis with separated heap abstractions. 54 citations.

- Nelson (1983). Verifying reachability invariants of linked structures. 53 citations.
  Cited in context: ...ted theorem provers such as Vampire [40] and SPASS [41] can be used to reason about properties of linked data structures, but axiomatizing reachability in first-order logic is non-trivial in practice [29, 33] and not possible in general. 1.1 Contributions We have previously described the general idea of symbolic shape analysis [35] as well as the field constraint analysis decision procedure for combining ...

- Manevich, Yahav, et al. (2005). Predicate abstraction and canonical abstraction for singly-linked lists. 51 citations.
  Cited in context: ...ion are properties of objects in a state, as opposed to global properties of a state, and the number of global predicates needed to emulate state predicates is exponential in the number of properties [39, 53]. The advantages of combining predicate abstraction with shape analysis are clearly demonstrated in lazy shape analysis [6]. Lazy shape analysis performs independent runs of a shape analysis algorithm...

- Yorsh, Reps, et al. (2004). Symbolically computing most-precise abstract operations for shape analysis. 51 citations.
  Cited in context: ...iants are based on precomputed transfer functions and a fixed (though parameterized) set of properties to be tracked; recent approaches enable automation of such computation using decision procedures [57, 56, 58, 43, 54] or finite differencing [46]. Our approach differs from [32] in using complete reasoning about reachability in both lists and trees, and using a different architecture of the reasoning procedure. Our ...

- Ball, Cook, et al. (2004). Zapato: Automatic theorem proving for predicate abstraction refinement. 48 citations.
  Cited in context: ...vious abstractions. We do this on the level of decision procedure calls by caching the queries and the results of the calls. Syntactic caching of decision procedure queries has been used before (e.g. [2] mentions its use in the SLAM system [3]). The problem with simple syntactic caching of formulas in shape analysis is that the context formulae are passed to the decision procedure as part of the quer...

- Lahiri, Bryant (2004). Indexed predicate discovery for unbounded system verification. 45 citations.
  Cited in context: ...n approaches for analysis of data structures use parameterized abstract domains; these analyses include parametric shape analysis [47] as well as predicate abstraction [3, 23] and its generalizations [14, 31]. This paper presents Bohne, an algorithm for inferring loop invariants of programs that manipulate heap-allocated data structures. Like predicate abstraction, Bohne is parameterized by the properties...

- Lahiri, Qadeer (2006). Verifying properties of well-founded linked lists. 43 citations.
  Cited in context: ...terized) set of properties to be tracked; recent approaches enable automation of such computation using decision procedures [57, 56, 58, 43, 54] or finite differencing [46]. Our approach differs from [32] in using complete reasoning about reachability in both lists and trees, and using a different architecture of the reasoning procedure. Our reasoning procedure uses a coarse-grain combination of reach...

- Lee, Yang, et al. (2005). Automatic verification of pointer programs using grammar-based shape analysis. 42 citations.

- Voronkov (1995). The anatomy of Vampire: implementing bottom-up procedures with code trees. 39 citations.
  Cited in context: ...ocedures, as well as to automatically discharge some proof obligations using simplification and proof search built into these provers. We have also had success using first-order theorem provers Vampire [51], E [48] (via the TPTP interface [49]) as well as SPASS [52]. We used first-order theorem provers in Jahob to verify implementations of data structures [8], avoiding the use of reachability using spec...

- Podelski, Wies (2005). Boolean heaps. 38 citations.
  Cited in context: ...for exploring this analysis domain using decision procedures. The algorithm was initially developed as a symbolic shape analysis [53, 43] for linked data structures and uses the key idea of many shape analyses, made explicit in the TVLA analyzer [47, 36]: the partitioning of objects according to certain unary predicates. One of the obs...

- Ghiya, Hendren (1996). Is it a tree, a DAG, or a cyclic graph? 37 citations.
  Cited in context: ...analysis. Shape analyses are precise analyses for linked data structures. They were originally used for compiler optimizations [24, 19, 18] and lacked the precision needed to establish invariants that Bohne is analyzing. Precise data structure analyses for verification include [29, 16, 26, 35, 41, 20, 47] and have recently also been appl...

- Kuncak (2007). Modular Data Structure Verification. 36 citations.
  Cited in context: ...sing specification variables similarly to the approaches taken in [29,40] and automated to some extent in [37]. Finally, to reason about the sizes of data structures, we used a new decision procedure [30, 28] with a reduction to Presburger arithmetic. Several recent decision procedures address specifically linked lists [1, 12, 39, 7, 44], where the emphasis is on the predictability (decision procedures fo...

- Lev-Ami, Immerman, et al. (2005). Simulating reachability using first-order logic with applications to verification of linked data structures. 35 citations.
  Cited in context: ... in Jahob to verify implementations of data structures [8], avoiding the use of reachability using specification variables similarly to the approaches taken in [29,40] and automated to some extent in [37]. Finally, to reason about the sizes of data structures, we used a new decision procedure [30, 28] with a reduction to Presburger arithmetic. Several recent decision procedures address specifically li...

- Reps, Sagiv, et al. (2004). Finite differencing of logical formulas for static analysis. Trans. on Prog. Lang. and Syst. 35 citations.
  Cited in context: ...tions and a fixed (though parameterized) set of properties to be tracked; recent approaches enable automation of such computation using decision procedures [57, 56, 58, 43, 54] or finite differencing [46]. Our approach differs from [32] in using complete reasoning about reachability in both lists and trees, and using a different architecture of the reasoning procedure. Our reasoning procedure uses a c...

- Wies, Kuncak, et al. (2006). Field constraint analysis. 34 citations.
  Cited in context: ...problem, Bohne uses a decision procedure for monadic second-order logic over trees [50,25], and combines it with uninterpreted function symbols in a way that preserves completeness in important cases [54]. The second source of complexity is that the invariants contain universal quantifiers in an essential way. Among the main approaches for dealing with quantified invariants in predicate abstraction is...

- Kuncak, Nguyen, et al. Deciding Boolean Algebra with Presburger Arithmetic. 31 citations.
  Cited in context: ...sing specification variables similarly to the approaches taken in [29,40] and automated to some extent in [37]. Finally, to reason about the sizes of data structures, we used a new decision procedure [30, 28] with a reduction to Presburger arithmetic. Several recent decision procedures address specifically linked lists [1, 12, 39, 7, 44], where the emphasis is on the predictability (decision procedures fo...

- Yorsh (2003). Logical characterizations of heap abstractions. 30 citations.
  Cited in context: ...iants are based on precomputed transfer functions and a fixed (though parameterized) set of properties to be tracked; recent approaches enable automation of such computation using decision procedures [57, 56, 58, 43, 54] or finite differencing [46]. Our approach differs from [32] in using complete reasoning about reachability in both lists and trees, and using a different architecture of the reasoning procedure. Our ...

- Yorsh, Rabinovich, et al. A logic of reachable patterns in linked data-structures. 25 citations.
  Cited in context: ...ision procedures when they are applicable and using more general reasoning otherwise. Bohne could also take advantage of logics for reasoning about reachability, such as the logic of reachable shapes [44]. Existing logics, such as guarded fixpoint logic [15] and description logics with reachability [6, 12] are attractive because of their expressive power, but so far no decision procedures for these lo...

- Beyer, Henzinger, et al. (2006). Lazy Shape Analysis. 24 citations.
  Cited in context: ... to emulate state predicates is exponential in the number of properties [39, 53]. The advantages of combining predicate abstraction with shape analysis are clearly demonstrated in lazy shape analysis [6]. Lazy shape analysis performs independent runs of a shape analysis algorithm, whose results are then used to improve the precision of predicate abstraction. In contrast, our symbolic shape analysis g...

- Grädel (1999). Decision procedures for guarded logics. 22 citations.
  Cited in context: ... both list and tree structures. Bohne could also take advantage of logics for reasoning about reachability, such as the logic of reachable shapes [55]. Existing logics, such as guarded fixpoint logic [21] and description logics with reachability [10,17] are attractive because of their expressive power, but so far no decision procedures for these logics have been implemented. ...

- Zee, Lam, et al. (2004). Combining theorem proving with static analysis for data structure consistency. 22 citations.
  Cited in context: ...escribed the general idea of symbolic shape analysis [35] as well as the field constraint analysis decision procedure for combining reachability reasoning with uninterpreted function symbols [43]. In [48] we have described splitting of proof obligations in the context of verifying proof obligations using the Isabelle interactive theorem prover. One of the insights in this paper is that such splitting ...

- Bingham, Rakamaric. A Logic and Decision Procedure for Predicate Abstraction of Heap-Manipulating Programs. 21 citations.
  Cited in context: ...to reason about the sizes of data structures, we used a new decision procedure [30, 28] with a reduction to Presburger arithmetic. Several recent decision procedures address specifically linked lists [1, 12, 39, 7, 44], where the emphasis is on the predictability (decision procedures for well-defined classes of properties of linked lists), the efficiency (membership in NP), the ability to interoperate with other re...