Results 1  10
of
22
Symbolic optimization with SMT solvers
 In Proc. of the 41st ACM SIGPLANSIGACT Symposium on Principles of Programming Languages. ACM
, 2014
"... Abstract The rise in efficiency of Satisfiability Modulo Theories (SMT) solvers has created numerous uses for them in software verification, program synthesis, functional programming, refinement types, etc. In all of these applications, SMT solvers are used for generating satisfying assignments (e. ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
(Show Context)
Abstract The rise in efficiency of Satisfiability Modulo Theories (SMT) solvers has created numerous uses for them in software verification, program synthesis, functional programming, refinement types, etc. In all of these applications, SMT solvers are used for generating satisfying assignments (e.g., a witness for a bug) or proving unsatisfiability/validity (e.g., proving that a subtyping relation holds). We are often interested in finding not just an arbitrary satisfying assignment, but one that optimizes (minimizes/maximizes) certain criteria. For example, we might be interested in detecting program executions that maximize energy usage (performance bugs), or synthesizing short programs that do not make expensive API calls. Unfortunately, none of the available SMT solvers offer such optimization capabilities. In this paper, we present SYMBA, an efficient SMTbased optimization algorithm for objective functions in the theory of linear real arithmetic (LRA). Given a formula ' and an objective function t, SYMBA finds a satisfying assignment of ' that maximizes the value of t. SYMBA utilizes efficient SMT solvers as black boxes. As a result, it is easy to implement and it directly benefits from future advances in SMT solvers. Moreover, SYMBA can optimize a set of objective functions, reusing information between them to speed up the analysis. We have implemented SYMBA and evaluated it on a large number of optimization benchmarks drawn from program analysis tasks. Our results indicate the power and efficiency of SYMBA in comparison with competing approaches, and highlight the importance of its multiobjectivefunction feature.
A decision procedure for satisfiability in separation logic with inductive predicates, in: LICS’14
, 2014
"... We show that the satisfiability problem for the “symbolic heap” fragment of separation logic with general inductively defined predicates — which includes most fragments employed in program verification — is decidable. Our decision procedure is based on the computation of a certain fixed point from ..."
Abstract

Cited by 11 (5 self)
 Add to MetaCart
(Show Context)
We show that the satisfiability problem for the “symbolic heap” fragment of separation logic with general inductively defined predicates — which includes most fragments employed in program verification — is decidable. Our decision procedure is based on the computation of a certain fixed point from the definition of an inductive predicate, called its “base”, that exactly characterises its satisfiability. A complexity analysis of our decision procedure shows that it runs, in the worst case, in exponential time. In fact, we show that the satisfiability problem for our inductive predicates is EXPTIMEcomplete, and becomes NPcomplete when the maximum arity over all predicates is bounded by a constant. Finally, we provide an implementation of our decision procedure, and analyse its performance both on a synthetically generated set of test formulas, and on a second test set harvested from the separation logic literature. For the large majority of these test cases, our tool reports times in the low milliseconds. Categories and Subject Descriptors F.3.1 [Logics and Mean
Natural Proofs for Data Structure Manipulation in C using Separation Logic
"... The natural proof technique for heap verification developed by Qiu et al. [32] provides a platform for powerful sound reasoning for specifications written in a dialect of separation logic called Dryad. Natural proofs are proof tactics that enable automated reasoning exploiting recursion, mimicking c ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
(Show Context)
The natural proof technique for heap verification developed by Qiu et al. [32] provides a platform for powerful sound reasoning for specifications written in a dialect of separation logic called Dryad. Natural proofs are proof tactics that enable automated reasoning exploiting recursion, mimicking common patterns found in human proofs. However, these proofs are known to work only for a simple toy language [32]. In this work, we develop a framework called VCDRYAD that extends the VCC framework [9] to provide an automated deductive framework against separation logic specifications for C programs based on natural proofs. We develop several new techniques to build this framework, including (a) a novel tool architecture that allows encoding natural proofs at a higher level in order to use the existing VCC framework (including its intricate memory model, the underlying typechecker, and the SMTbased verification infrastructure), and (b) a synthesis of ghostcode annotations that captures natural proof tactics, in essence forcing VCC to find natural proofs using primarily decidable theories. We evaluate our tool extensively, on more than 150 programs, ranging from code manipulating standard data structures, wellknown open source library routines (Glib, OpenBSD), Linux kernel routines, customized OS data structures, etc. We show that all these C programs can be fully automatically verified using natural proofs (given pre/post conditions and loop invariants) without any userprovided proof tactics. VCDRYAD is perhaps the first deductive verification framework for heapmanipulating programs in a real language that can prove such a wide variety of programs automatically.
Expressive Completeness of Separation Logic With Two Variables and No Separating Conjunction ∗
"... We show that firstorder separation logic with one record field restricted to two variables and the separating implication (no separating conjunction) is as expressive as weak secondorder logic, substantially sharpening a previous result. Capturing weak secondorder logic with such a restricted form ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
(Show Context)
We show that firstorder separation logic with one record field restricted to two variables and the separating implication (no separating conjunction) is as expressive as weak secondorder logic, substantially sharpening a previous result. Capturing weak secondorder logic with such a restricted form of separation logic requires substantial updates to known proof techniques. We develop these, and as a byproduct identify the smallest fragment of separation logic known to be undecidable: firstorder separation logic with one record field, two variables, and no separating conjunction.
Separation logic with one quantified variable. arXiv
, 2014
"... Abstract. We investigate firstorder separation logic with one record field restricted to a unique quantified variable (1SL1). Undecidability is known when the number of quantified variables is unbounded and the satisfiability problem is PSPACEcomplete for the propositional fragment. We show that ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We investigate firstorder separation logic with one record field restricted to a unique quantified variable (1SL1). Undecidability is known when the number of quantified variables is unbounded and the satisfiability problem is PSPACEcomplete for the propositional fragment. We show that the satisfiability problem for 1SL1 is PSPACEcomplete and we characterize its expressive power by showing that every formula is equivalent to a Boolean combination of atomic properties. This contributes to our understanding of fragments of firstorder separation logic that can specify properties about the memory heap of programs with singlylinked lists. When the number of program variables is fixed, the complexity drops to polynomial time. All the fragments we consider contain the magic wand operator and firstorder quantification over a single variable. 1
Compositional entailment checking for a fragment of separation logic
 In APLAS
"... Abstract. We present a (semi)decision procedure for checking entailment between separation logic formulas with inductive predicates specifying complex data structures corresponding to finite nesting of various kinds of linked lists: acyclic or cyclic, singly or doubly linked, skip lists, etc. The ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
Abstract. We present a (semi)decision procedure for checking entailment between separation logic formulas with inductive predicates specifying complex data structures corresponding to finite nesting of various kinds of linked lists: acyclic or cyclic, singly or doubly linked, skip lists, etc. The decision procedure is compositional in the sense that it reduces the problem of checking entailment between two arbitrary formulas to the problem of checking entailment between a formula and an atom. Subsequently, in case the atom is a predicate, we reduce the entailment to testing membership of a tree derived from the formula in the language of a tree automaton derived from the predicate. We implemented this decision procedure and tested it successfully on verification conditions obtained from programs using singly and doubly linked nested lists as well as skip lists. 1
On automating separation logic with trees and data.
, 2014
"... Abstract. Separation logic (SL) is a widely used formalism for verifying heap manipulating programs. Existing SL solvers focus on decidable fragments for listlike structures. More complex data structures such as trees are typically unsupported in implementations, or handled by incomplete heuristic ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Abstract. Separation logic (SL) is a widely used formalism for verifying heap manipulating programs. Existing SL solvers focus on decidable fragments for listlike structures. More complex data structures such as trees are typically unsupported in implementations, or handled by incomplete heuristics. While complete decision procedures for reasoning about trees have been proposed, these procedures suffer from high complexity, or make global assumptions about the heap that contradict the separation logic philosophy of local reasoning. In this paper, we present a fragment of classical firstorder logic for local reasoning about treelike data structures. The logic is decidable in NP and the decision procedure allows for combinations with other decidable firstorder theories for reasoning about data. Such extensions are essential for proving functional correctness properties. We have implemented our decision procedure and, building on earlier work on translating SL proof obligations into classical logic, integrated it into an SLbased verification tool. We successfully used the tool to verify functional correctness of treebased data structure implementations.
Modular Reasoning about Heap Paths via Effectively Propositional Formulas
"... First order logic with transitive closure, and separation logic enable elegant interactive verification of heapmanipulating programs. However, undecidabilty results and high asymptotic complexity of checking validity preclude complete automatic verification of such programs, even when loop invarian ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
(Show Context)
First order logic with transitive closure, and separation logic enable elegant interactive verification of heapmanipulating programs. However, undecidabilty results and high asymptotic complexity of checking validity preclude complete automatic verification of such programs, even when loop invariants and procedure contracts are specified as formulas in these logics. This paper tackles the problem of proceduremodular verification of reachability properties of heapmanipulating programs using efficient decision procedures that are complete: that is, a SAT solver must generate a counterexample whenever a program does not satisfy its specification. By (a) requiring each procedure modifies a fixed set of heap partitions and creates a bounded amount of heap sharing, and (b) restricting program contracts and loop invariants to use only deterministic paths in the heap, we show that heap reachability updates can be described in a simple manner. The restrictions force program specifications and verification conditions to lie within a fragment of firstorder logic with transitive closure that is reducible to effectively propositional logic, and hence facilitate sound, complete and efficient verification. We implemented a tool atop Z3 and report on preliminary experiments that establish the correctness of several programs that manipulate linked data structures.
Automating proofs of datastructure properties in imperative programs
 CoRR
"... We consider the problem of automated reasoning about dynamically manipulated data structures. The stateoftheart methods are limited to the unfoldandmatch (U+M) paradigm, where predicates are transformed via (un)folding operations induced from their definitions before being treated as uninterp ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
We consider the problem of automated reasoning about dynamically manipulated data structures. The stateoftheart methods are limited to the unfoldandmatch (U+M) paradigm, where predicates are transformed via (un)folding operations induced from their definitions before being treated as uninterpreted. However, proof obligations from verifying programs with iterative loops and multiple function calls often do not succumb to this paradigm. Our contribution is a proof method which – beyond U+M – performs automatic formula rewriting by treating previously encountered obligations in each proof path as possible induction hypotheses. This enables us, for the first time, to systematically reason about a wide range of obligations, arising from practical program verification. We demonstrate the power of our proof rules on commonly used lemmas, thereby close the remaining gaps in existing stateoftheart systems. Another impact, probably more important, is that our method regains the power of compositional reasoning, and shows that the usage of userprovided lemmas is no longer needed for the existing set of benchmarks. This not only removes the burden of coming up with the appropriate lemmas, but also significantly boosts up the verification process, since lemma applications, coupled with unfolding, often induce very large search space. 1.