Symbolic shape analysis

The goal of program verification is to ensure software reliability by establishing a mathematical proof which guarantees that the software behaves correctly. Program analysis tools assist the developer in the verification process. Ideally a program analysis should be applicable to a wide range of verification problems without imposing a high burden on its users, i.e., without requiring deep mathematical knowledge and experience in program verification. A big step forward towards this ideal has been achieved by combining abstract interpretation with techniques for automated reasoning. In abstract interpretation one transforms the concrete program into an abstract program. The abstract program enables the analysis to statically collect information over all possible executions of the concrete program. This information is used to automatically verify the correctness of the concrete program. Abstract interpretation increases the degree of automation in verification by shifting the burden of formally reasoning about programs from the developer to the designer of the program analysis. Automated reasoning pushes the degree of automation even further. It enables the automatic construction of the abstraction for a specific program and a specific correctness property and (if necessary) the automatic refinement of this abstraction. We refer to program analyses that combine abstract interpretation with automated reasoning as symbolic program analysis. A problem that has recently seen much attention in program verification is the question of how to effectively deal with linked heap-allocated data structures. Program analyses that target properties of these data structures are commonly referred to as shape analyses. A symbolic shape analysis promises to handle a spectrum of different linked heap-allocated data structures, and a spectrum of properties to verify, without requiring the user to manually adjust the analysis to the specific problem instance. It was open what a symbolic shape analysis would look like. In this thesis we are concerned with this question. We present domain predicate abstraction, which generalizes predicate abstraction to the point where it becomes effectively applicable for shape analysis. Domain predicate abstraction incorporates the key idea of three-valued shape analysis into predicate abstraction by replacing predicates on program states by predicates on objects in the heap of program states. We show how to automate the transformation of a heap-manipulating program into an abstract program using automated reasoning procedures. We further develop an abstraction refinement technique that complements domain predicate abstraction to a fully automated symbolic shape analysis. Finally, we present field constraint analysis, a new technique for reasoning about heap programs. Field constraint analysis enables the application of decision procedures for reasoning about specific data structures (such as trees) to arbitrary data structures. This technique makes our symbolic shape analysis applicable to the diverse data structures that occur in practice. All the techniques presented in this thesis have been implemented and evaluated in the Bohne Verifier. We used Bohne to verify complex user-specified properties of data structure implementations. For instance, we were able to verify preservation of data structure invariants for operations on threaded binary trees (including sortedness and the in-order traversal invariant) without manually adjusting the analysis to this specific problem or providing user assistance beyond stating the properties to verify. We are not aware of any other shape analysis that can verify such properties with a comparable degree of automation.

[1]  Sriram K. Rajamani,et al.  Refining Approximations in Software Predicate Abstraction , 2004, TACAS.

[2]  Andreas Podelski,et al.  Boolean Heaps , 2005, SAS.

[3]  Thomas A. Henzinger,et al.  Lazy abstraction , 2002, POPL '02.

[4]  William Pugh,et al.  Skip Lists: A Probabilistic Alternative to Balanced Trees , 1989, WADS.

[5]  Ahmed Bouajjani,et al.  Abstract regular (tree) model checking , 2012, International Journal on Software Tools for Technology Transfer.

[6]  Bernd Finkbeiner,et al.  Language Containment Checking with Nondeterministic BDDs , 2001, TACAS.

[7]  Alex Groce,et al.  Modular verification of software components in C , 2003, 25th International Conference on Software Engineering, 2003. Proceedings..

[8]  David I. August,et al.  Shape analysis with inductive recursion synthesis , 2007, PLDI '07.

[9]  Amir Pnueli,et al.  Shape Analysis of Single-Parent Heaps , 2007, VMCAI.

[10]  Andreas Podelski,et al.  Boolean and Cartesian abstraction for model checking C programs , 2001, International Journal on Software Tools for Technology Transfer.

[11]  Peter W. O'Hearn,et al.  The Logic of Bunched Implications , 1999, Bulletin of Symbolic Logic.

[12]  Nils Klarlund,et al.  Graph types , 1993, POPL '93.

[13]  Bor-Yuh Evan Chang,et al.  Boogie: A Modular Reusable Verifier for Object-Oriented Programs , 2005, FMCO.

[14]  Peter W. O'Hearn,et al.  Shape Analysis for Composite Data Structures , 2007, CAV.

[15]  Roman Manevich,et al.  Partially Disjunctive Heap Abstraction , 2004, SAS.

[16]  A. Tarski A LATTICE-THEORETICAL FIXPOINT THEOREM AND ITS APPLICATIONS , 1955 .

[17]  Andreas Podelski,et al.  Transition invariants , 2004, Proceedings of the 19th Annual IEEE Symposium on Logic in Computer Science, 2004..

[18]  Viktor Kuncak,et al.  Full functional verification of linked data structures , 2008, PLDI '08.

[19]  Andreas Podelski,et al.  Abstraction Refinement for Termination , 2005, SAS.

[20]  Kedar S. Namjoshi,et al.  Shape Analysis through Predicate Abstraction and Model Checking , 2003, VMCAI.

[21]  Antoine Meyer,et al.  A logic of reachable patterns in linked data-structures , 2006, J. Log. Algebraic Methods Program..

[22]  Shuvendu K. Lahiri,et al.  Back to the future: revisiting precise program verification using SMT solvers , 2008, POPL '08.

[23]  Viktor Kuncak,et al.  Deciding Boolean Algebra with Presburger Arithmetic , 2006, Journal of Automated Reasoning.

[24]  Viktor Kuncak,et al.  Generalized Typestate Checking for Data Structure Consistency , 2005, VMCAI.

[25]  Shuvendu K. Lahiri,et al.  Verifying properties of well-founded linked lists , 2006, POPL '06.

[26]  Patrick Cousot,et al.  A static analyzer for large safety-critical software , 2003, PLDI.

[27]  Andrei Voronkov,et al.  The Anatomy of Vampire Implementing Bottom-up Procedures with Code Trees , 1995, J. Autom. Reason..

[28]  Thomas A. Henzinger,et al.  Lazy Shape Analysis , 2006, CAV.

[29]  Neil Immerman,et al.  Simulating Reachability Using First-Order Logic with Applications to Verification of Linked Data Structures , 2005, CADE.

[30]  Nissim Francez,et al.  Basic simple type theory , 1998 .

[31]  Ahmed Bouajjani,et al.  Abstract Regular Tree Model Checking of Complex Dynamic Data Structures , 2006, SAS.

[32]  Mark N. Wegman,et al.  Analysis of pointers and structures , 1990, SIGP.

[33]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[34]  Van Wyk,et al.  Data structures and C programs , 1988 .

[35]  Amir Pnueli,et al.  Shape Analysis by Predicate Abstraction , 2005, VMCAI.

[36]  Nils Klarlund,et al.  MONA Implementation Secrets , 2000, Int. J. Found. Comput. Sci..

[37]  Ahmed Bouajjani,et al.  Programs with lists are counter automata , 2011, Formal Methods Syst. Des..

[38]  Robert W. Floyd,et al.  Assigning meaning to programs , 1967 .

[39]  Neil Immerman,et al.  Descriptive Complexity , 1999, Graduate Texts in Computer Science.

[40]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 1999, POPL '99.

[41]  Thomas A. Henzinger,et al.  Abstractions from proofs , 2004, POPL.

[42]  Shuvendu K. Lahiri,et al.  Indexed Predicate Discovery for Unbounded System Verification , 2004, CAV.

[43]  George C. Necula,et al.  Data Structure Specifications via Local Equality Axioms , 2005, CAV.

[44]  Viktor Kuncak,et al.  Field Constraint Analysis , 2005, VMCAI.

[45]  Paul N. Hilfinger,et al.  Analysis of recursive types in an imperative language , 1994 .

[46]  Ranjit Jhala,et al.  Array Abstractions from Proofs , 2007, CAV.

[47]  Edmund M. Clarke,et al.  Counterexample-guided abstraction refinement , 2003, 10th International Symposium on Temporal Representation and Reasoning, 2003 and Fourth International Conference on Temporal Logic. Proceedings..

[48]  Amir Pnueli,et al.  Ranking Abstraction as Companion to Predicate Abstraction , 2005, FORTE.

[49]  Kenneth L. McMillan,et al.  Quantified Invariant Generation Using an Interpolating Saturation Prover , 2008, TACAS.

[50]  Viktor Kuncak,et al.  Generalized Records and Spatial Conjunction in Role Logic , 2004, SAS.

[51]  Viktor Kuncak,et al.  Hob: A Tool for Verifying Data Structure Consistency , 2005, CC.

[52]  Peter W. O'Hearn,et al.  Symbolic Execution with Separation Logic , 2005, APLAS.

[53]  Andreas Podelski,et al.  Transition predicate abstraction and fair termination , 2005, POPL '05.

[54]  Hongseok Yang,et al.  Automatic Verification of Pointer Programs Using Grammar-Based Shape Analysis , 2005, ESOP.

[55]  Advised by , 1999 .

[56]  Thomas W. Reps,et al.  Symbolically Computing Most-Precise Abstract Operations for Shape Analysis , 2004, TACAS.

[57]  George C. Necula,et al.  Shape Analysis with Structural Invariant Checkers , 2007, SAS.

[58]  Jakob Engblom,et al.  The worst-case execution-time problem—overview of methods and survey of tools , 2008, TECS.

[59]  Eran Yahav,et al.  Verifying safety properties of concurrent Java programs using 3-valued logic , 2001, POPL '01.

[60]  Patrick Cousot,et al.  Systematic design of program analysis frameworks , 1979, POPL.

[61]  Greg Nelson,et al.  Extended static checking for Java , 2002, PLDI '02.

[62]  Roman Manevich,et al.  Thread Quantification for Concurrent Shape Analysis , 2008, CAV.

[63]  Roman Manevich,et al.  Shape Analysis by Graph Decomposition , 2007, TACAS.

[64]  Cormac Flanagan,et al.  Predicate abstraction for software verification , 2002, POPL '02.

[65]  Peter W. O'Hearn,et al.  A Decidable Fragment of Separation Logic , 2004, FSTTCS.

[66]  Peter W. O'Hearn,et al.  Footprint Analysis: A Shape Analysis That Discovers Preconditions , 2007, SAS.

[67]  Randal E. Bryant,et al.  Graph-Based Algorithms for Boolean Function Manipulation , 1986, IEEE Transactions on Computers.

[68]  Peter W. O'Hearn,et al.  Local Reasoning about Programs that Alter Data Structures , 2001, CSL.

[69]  Thomas A. Henzinger,et al.  Invariant Synthesis for Combined Theories , 2007, VMCAI.

[70]  Michael I. Schwartzbach,et al.  The pointer assertion logic engine , 2000, PLDI '01.

[71]  Nils Klarlund,et al.  MONA Version 1.4 - User Manual , 2001 .

[72]  Sumit Gulwani,et al.  Lifting abstract interpreters to quantified logical domains , 2008, POPL '08.

[73]  Ahmed Bouajjani,et al.  Verifying Programs with Dynamic 1-Selector-Linked Structures in Regular Model Checking , 2005, TACAS.

[74]  Sigmund Cherem,et al.  Maintaining Doubly-Linked List Invariants in Shape Analysis with Local Reasoning , 2007, VMCAI.

[75]  Viktor Kuncak,et al.  Using First-Order Theorem Provers in the Jahob Data Structure Verification System , 2007, VMCAI.

[76]  Thomas W. Reps,et al.  Abstraction Refinement via Inductive Learning , 2005, CAV.

[77]  Shuvendu K. Lahiri,et al.  Zapato: Automatic Theorem Proving for Predicate Abstraction Refinement , 2004, CAV.

[78]  Reinhard Wilhelm,et al.  Logical characterizations of heap abstractions , 2003, TOCL.

[79]  Thomas A. Henzinger,et al.  Software Verification with BLAST , 2003, SPIN.

[80]  Neil Immerman,et al.  Abstraction for Shape Analysis with Fast and Precise Transformers , 2006, CAV.

[81]  Edmund M. Clarke,et al.  Arithmetic Strengthening for Shape Analysis , 2007, SAS.

[82]  Ralph-Johan Back,et al.  Refinement Calculus: A Systematic Introduction , 1998 .

[83]  Peter W. O'Hearn,et al.  A Local Shape Analysis Based on Separation Logic , 2006, TACAS.

[84]  Mark N. Wegman,et al.  Analysis of pointers and structures (with retrospective) , 1990 .

[85]  Radu Rugina,et al.  Region-based shape analysis with tracked locations , 2005, POPL '05.

[86]  Albert L. Baker,et al.  JML: A Notation for Detailed Design , 1999, Behavioral Specifications of Businesses and Systems.

[87]  Wei-Ngan Chin,et al.  Enhancing Program Verification with Lemmas , 2008, CAV.

[88]  David L. Dill,et al.  Successive approximation of abstract transition relations , 2001, Proceedings 16th Annual IEEE Symposium on Logic in Computer Science.

[89]  Reinhard Wilhelm,et al.  Solving shape-analysis problems in languages with destructive updating , 1998, TOPL.

[90]  Eran Yahav,et al.  Modular Shape Analysis for Dynamically Encapsulated Programs , 2007, ESOP.

[91]  K. Rustan M. Leino Recursive Object Types in a Logic of Object-Oriented Programs , 1998, Nord. J. Comput..

[92]  Sriram K. Rajamani,et al.  The SLAM project: debugging system software via static analysis , 2002, POPL '02.

[93]  Peter W. O'Hearn,et al.  Compositional Shape Analysis by Means of Bi-Abduction , 2011, JACM.

[94]  Viktor Kuncak,et al.  Role analysis , 2002, POPL '02.

[95]  Hassen Saïdi,et al.  Construction of Abstract State Graphs with PVS , 1997, CAV.

[96]  Peter W. O'Hearn,et al.  Scalable Shape Analysis for Systems Code , 2008, CAV.

[97]  Sriram K. Rajamani,et al.  Automatically validating temporal safety properties of interfaces , 2001, SPIN '01.

[98]  Thomas W. Reps,et al.  Finite differencing of logical formulas for static analysis , 2010, TOPL.

[99]  Shuvendu K. Lahiri,et al.  A Reachability Predicate for Analyzing Low-Level Software , 2007, TACAS.

[100]  Neil Immerman,et al.  Verification via Structure Simulation , 2004, CAV.

[101]  Fred Kröger,et al.  Temporal Logic of Programs , 1987, EATCS Monographs on Theoretical Computer Science.

[102]  Igor Walukiewicz,et al.  Guarded fixed point logic , 1999, Proceedings. 14th Symposium on Logic in Computer Science (Cat. No. PR00158).

[103]  Zvonimir Rakamaric,et al.  A Logic and Decision Procedure for Predicate Abstraction of Heap-Manipulating Programs , 2006, VMCAI.

[104]  Neil D. Jones,et al.  Flow analysis and optimization of LISP-like structures , 1979, POPL.

[105]  Eran Yahav,et al.  Predicate Abstraction and Canonical Abstraction for Singly-Linked Lists , 2005, VMCAI.

[106]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[107]  Viktor Kuncak,et al.  Boolean Algebra of Shape Analysis Constraints , 2004, VMCAI.

[108]  Christoph Weidenbach,et al.  Combining Superposition, Sorts and Splitting , 2001, Handbook of Automated Reasoning.

[109]  Viktor Kuncak,et al.  Decision Procedures for Set-Valued Fields , 2005, Electron. Notes Theor. Comput. Sci..

[110]  Greg Nelson,et al.  Verifying reachability invariants of linked structures , 1983, POPL '83.

[111]  Thomas W. Reps,et al.  Revamping TVLA: Making Parametric Shape Analysis Competitive , 2007, CAV.

[112]  Shuvendu K. Lahiri,et al.  Constructing Quantified Invariants via Predicate Abstraction , 2004, VMCAI.

[113]  Neil Immerman,et al.  The Boundary Between Decidability and Undecidability for Transitive-Closure Logics , 2004, CSL.

[114]  Viktor Kuncak,et al.  On Role Logic , 2003, ArXiv.

[115]  Joseph Sifakis,et al.  A Unified Approach for Studying the Properties of Transition Systems , 1982, Theor. Comput. Sci..

[116]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[117]  Andreas Podelski,et al.  Heap Assumptions on Demand , 2008, CAV.

[118]  Viktor Kuncak,et al.  Modular data structure verification , 2007 .