Results 1  10
of
11
Natural Proofs for Data Structure Manipulation in C using Separation Logic
"... The natural proof technique for heap verification developed by Qiu et al. [32] provides a platform for powerful sound reasoning for specifications written in a dialect of separation logic called Dryad. Natural proofs are proof tactics that enable automated reasoning exploiting recursion, mimicking c ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
(Show Context)
The natural proof technique for heap verification developed by Qiu et al. [32] provides a platform for powerful sound reasoning for specifications written in a dialect of separation logic called Dryad. Natural proofs are proof tactics that enable automated reasoning exploiting recursion, mimicking common patterns found in human proofs. However, these proofs are known to work only for a simple toy language [32]. In this work, we develop a framework called VCDRYAD that extends the VCC framework [9] to provide an automated deductive framework against separation logic specifications for C programs based on natural proofs. We develop several new techniques to build this framework, including (a) a novel tool architecture that allows encoding natural proofs at a higher level in order to use the existing VCC framework (including its intricate memory model, the underlying typechecker, and the SMTbased verification infrastructure), and (b) a synthesis of ghostcode annotations that captures natural proof tactics, in essence forcing VCC to find natural proofs using primarily decidable theories. We evaluate our tool extensively, on more than 150 programs, ranging from code manipulating standard data structures, wellknown open source library routines (Glib, OpenBSD), Linux kernel routines, customized OS data structures, etc. We show that all these C programs can be fully automatically verified using natural proofs (given pre/post conditions and loop invariants) without any userprovided proof tactics. VCDRYAD is perhaps the first deductive verification framework for heapmanipulating programs in a real language that can prove such a wide variety of programs automatically.
Natural Proofs for Asynchronous Programs using AlmostSynchronous Reductions
"... We consider the problem of provably verifying that an asynchronous messagepassing system satisfies its local assertions. We present a novel reduction scheme for asynchronous eventdriven programs that finds almostsynchronous invariants — invariants consisting of global states where message buf ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
We consider the problem of provably verifying that an asynchronous messagepassing system satisfies its local assertions. We present a novel reduction scheme for asynchronous eventdriven programs that finds almostsynchronous invariants — invariants consisting of global states where message buffers are close to empty. The reduction finds almostsynchronous invariants and simultaneously argues that they cover all local states. We show that asynchronous programs often have almostsynchronous invariants and that we can exploit this to build natural proofs that they are correct. We implement our reduction strategy, which is sound and complete, and show that it is more effective in proving programs correct as well as more efficient in finding bugs in several programs, compared to current search strategies which almost always diverge. The high point of our experiments is that our technique can prove the Windows Phone USB Driver written in P [9] correct for the responsiveness property, which was hitherto not provable using stateoftheart modelcheckers.
On automating separation logic with trees and data.
, 2014
"... Abstract. Separation logic (SL) is a widely used formalism for verifying heap manipulating programs. Existing SL solvers focus on decidable fragments for listlike structures. More complex data structures such as trees are typically unsupported in implementations, or handled by incomplete heuristic ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Abstract. Separation logic (SL) is a widely used formalism for verifying heap manipulating programs. Existing SL solvers focus on decidable fragments for listlike structures. More complex data structures such as trees are typically unsupported in implementations, or handled by incomplete heuristics. While complete decision procedures for reasoning about trees have been proposed, these procedures suffer from high complexity, or make global assumptions about the heap that contradict the separation logic philosophy of local reasoning. In this paper, we present a fragment of classical firstorder logic for local reasoning about treelike data structures. The logic is decidable in NP and the decision procedure allows for combinations with other decidable firstorder theories for reasoning about data. Such extensions are essential for proving functional correctness properties. We have implemented our decision procedure and, building on earlier work on translating SL proof obligations into classical logic, integrated it into an SLbased verification tool. We successfully used the tool to verify functional correctness of treebased data structure implementations.
Automating proofs of datastructure properties in imperative programs
 CoRR
"... We consider the problem of automated reasoning about dynamically manipulated data structures. The stateoftheart methods are limited to the unfoldandmatch (U+M) paradigm, where predicates are transformed via (un)folding operations induced from their definitions before being treated as uninterp ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
We consider the problem of automated reasoning about dynamically manipulated data structures. The stateoftheart methods are limited to the unfoldandmatch (U+M) paradigm, where predicates are transformed via (un)folding operations induced from their definitions before being treated as uninterpreted. However, proof obligations from verifying programs with iterative loops and multiple function calls often do not succumb to this paradigm. Our contribution is a proof method which – beyond U+M – performs automatic formula rewriting by treating previously encountered obligations in each proof path as possible induction hypotheses. This enables us, for the first time, to systematically reason about a wide range of obligations, arising from practical program verification. We demonstrate the power of our proof rules on commonly used lemmas, thereby close the remaining gaps in existing stateoftheart systems. Another impact, probably more important, is that our method regains the power of compositional reasoning, and shows that the usage of userprovided lemmas is no longer needed for the existing set of benchmarks. This not only removes the burden of coming up with the appropriate lemmas, but also significantly boosts up the verification process, since lemma applications, coupled with unfolding, often induce very large search space. 1.
A Framework for Inductive Proofs of Data Structures
"... We consider the problem of automated program verification with emphasis on reasoning about dynamically manipulated data structures. We begin with an existing specification language which has two key features: (a) the use of explicit heap variables, and (b) user defined recursive properties in a wrap ..."
Abstract
 Add to MetaCart
(Show Context)
We consider the problem of automated program verification with emphasis on reasoning about dynamically manipulated data structures. We begin with an existing specification language which has two key features: (a) the use of explicit heap variables, and (b) user defined recursive properties in a wrapper logic language. The language provides a newlevel of expressiveness for specifying properties of heap manipulations. The main contribution, however, is an algorithm to automatically prove verification conditions when formulas in the specification language are used as assertions in programs. More precisely, we consider verification of heap manipulating programs that combines user written modular contracts and loop invariants with completely automated theorem proving of the resulting verification conditions. The key feature of the algorithm is the ability to automatically employ induction proof steps with respect to dynamically generated induction hypotheses. Though necessarily still incomplete, the algorithm provides a new level of automation. 1.
On Automated Lemma Generation for Separation Logic with Inductive Definitions?
"... Abstract. Separation Logic with inductive definitions is a wellknown approach for deductive verification of programs that manipulate dynamic data structures. Deciding verification conditions in this context is usually based on userprovided lemmas relating the inductive definitions. We propose a n ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. Separation Logic with inductive definitions is a wellknown approach for deductive verification of programs that manipulate dynamic data structures. Deciding verification conditions in this context is usually based on userprovided lemmas relating the inductive definitions. We propose a novel approach for generating these lemmas automatically which is based on simple syntactic criteria and deterministic strategies for applying them. Our approach focuses on iterative programs, although it can be applied to recursive programs as well, and specifications that describe not only the shape of the data structures, but also their content or their size. Empirically, we find that our approach is powerful enough to deal with sophisticated benchmarks, e.g., iterative procedures for searching, inserting, or deleting elements in sorted lists, binary search tress, redblack trees, and AVL trees, in a very efficient way. 1
Abstractionguided Runtime Checking of Assertions on Lists
"... Abstract. We investigate ways to specify and check, at runtime, assertions that express properties of dynamically manipulated linkedlist data structures. Checking an assertion involving whether pointers point to a valid linked list and separation properties of these lists typically requires linea ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. We investigate ways to specify and check, at runtime, assertions that express properties of dynamically manipulated linkedlist data structures. Checking an assertion involving whether pointers point to a valid linked list and separation properties of these lists typically requires linear or even quadratic time on the size of the heap. Our main contribution is a way to scale this checking by orders of magnitude, using a novel idea called abstractionguided runtime checking, whereby we maintain an accurate abstraction of the dynamic heap by utilizing the evolving runtime state, and where the abstraction helps in checking the runtime assertions much faster. We develop this synergistic combination of abstractions and runtime checking for lists, listsegments, and their separation, implement it, and show the tremendous performance gains it yields. In particular, when lists are manipulated using library functions, maintenance of the abstraction is within the libraries and yields constant runtime checking of assertions in the client code. We show that, as the number of assertions get frequent and the data structures get large, abstractionguided runtime checking, which includes maintenance of the abstraction and the runtime checks, gives close to constanttime per assertion overhead in practice. 1
On TemplateBased Inference of Rich Invariants in Leon
"... We present an approach for inferring rich invariants involving userdefined recursive functions over numerical and algebraic data types. In our approach, the developer provides the desired shape of the invariant using a set of templates. The templates are quantifierfree affine predicates with un ..."
Abstract
 Add to MetaCart
(Show Context)
We present an approach for inferring rich invariants involving userdefined recursive functions over numerical and algebraic data types. In our approach, the developer provides the desired shape of the invariant using a set of templates. The templates are quantifierfree affine predicates with unknown coefficients. We also provide an enumeration based strategy for automatically inferring some of the templates. We present a scalable counterexample driven algorithm that finds the unknown coefficients in templates and thus computes expressive inductive invariants. Our algorithm incrementally solves a set of quantified constraints involving recursive functions and data structures. We discuss several optimizations that make the approach scale to complex programs and present an empirical evaluation. Our implementation proves correctness properties as well as symbolic bounds on running times of recursive programs. For example, the implementation establishes that the time taken to insert into a redblack tree is bounded by the logarithm of its size. 1.
Poling: SMT Aided Linearizability Proofs
"... ns iste nt * Complete * W ell D ocumented*Easyto ..."
(Show Context)
Spatial Interpolants
"... Abstract. We propose SplInter, a new technique for proving properties of heapmanipulating programs that marries (1) a new separation logic–based analysis for heap reasoning with (2) an interpolationbased technique for refining heapshape invariants with data invariants. SplInter is property dire ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. We propose SplInter, a new technique for proving properties of heapmanipulating programs that marries (1) a new separation logic–based analysis for heap reasoning with (2) an interpolationbased technique for refining heapshape invariants with data invariants. SplInter is property directed, precise, and produces counterexample traces when a property does not hold. Using the novel notion of spatial interpolants modulo theories, SplInter can infer complex invariants over general recursive predicates, e.g., of the form all elements in a linked list are even or a binary tree is sorted. Furthermore, we treat interpolation as a black box, which gives us the freedom to encode data manipulation in any suitable theory for a given program (e.g., bit vectors, arrays, or linear arithmetic), so that our technique immediately benefits from any future advances in SMT solving and interpolation. 1