Forest automata for verification of heap manipulation

We consider verification of programs manipulating dynamic linked data structures such as various forms of singly and doubly-linked lists or trees. We consider properties that are important for such programs, like the absence of null-pointer dereferences, the absence of garbage, shape properties, etc. We develop a verification method based on a novel use of tree automata to represent heap configurations. A heap is split into several "separated" parts such that each of them can be represented by a tree automaton. The automata can refer to each other, allowing the different parts of the heap to mutually refer to their boundaries. Moreover, we allow for a hierarchical representation of heaps by allowing the alphabets of the tree automata to contain other, nested tree automata. Program instructions can be easily encoded as operations on our representation structure. This allows verification of programs based on symbolic state-space exploration together with refinable abstraction within the so-called abstract regular tree model checking. A motivation for the approach is to combine the advantages of automata-based approaches (higher generality and flexibility of the abstraction) with some advantages of separation-logic-based approaches (efficiency). We have implemented our approach and tested it successfully on multiple non-trivial case studies.
