Back to the future: revisiting precise program verification using SMT solvers

This paper takes a fresh look at the problem of precise verification of heap-manipulating programs using first-order Satisfiability-Modulo-Theories (SMT) solvers. We augment the specification logic of such solvers by introducing the Logic of Interpreted Sets and Bounded Quantification for specifying properties of heap-manipulating programs. Our logic is expressive, closed under weakest preconditions, and efficiently implementable on top of existing SMT solvers. We have created a prototype implementation of our logic over the solvers Simplify and Z3 and used our prototype to verify many programs. Our preliminary experience is encouraging: the completeness and the efficiency of the decision procedure are clearly evident in practice and have greatly improved the user experience of the verifier.
