An Inference-Rule-Based Decision Procedure for Verification of Heap-Manipulating Programs with Mutable Data and Cyclic Data Structures

Research on the automatic verification of heap-manipulating programs (HMPs), programs that manipulate unbounded linked data structures via pointers, has blossomed recently, with many different approaches all showing leaps in performance and expressiveness. A year ago, we proposed a small logic for specifying predicates about HMPs and demonstrated that an inference-rule-based decision procedure could be performance-competitive with, and in many cases superior to, other methods known at the time. That work, however, was a proof of concept, with a logic fragment too small to verify most real programs. In this work, we generalize our previous results to be practically useful: we allow the data in heap nodes to be mutable, we allow more than a single pointer field, and we add new primitives needed to verify cyclic structures. Each of these extensions necessitates new or changed inference rules, with the concomitant changes to the proofs and decision procedure. Yet our new decision procedure, with the more general logic, actually runs as fast as our previous one. With these generalizations, we can automatically verify many more HMP examples, including three small container functions from the Linux kernel.