Verifying Concurrent List-Manipulating Programs by LTL Model Checking

We present a novel approach to the verification of concurrent pointer-manipulating programs which operate on singly-linked lists. By abstracting from chains (i.e., non-interrupted sublists) in the heap, we obtain a finite-state representation of all possible executions of a given program. The combination of a simple pointer logic for expressing heap properties and of temporal operators then allows us to employ standard LTL model checking techniques. The usability of this approach is demonstrated by establishing correctness properties of a producer/consumer system and of a concurrent garbage collector.
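As an added illustration of the chain abstraction sketched above (example code written for this page, not the paper's own implementation), the block below collapses a concrete heap of list cells into a canonical abstract heap and shows that the number of abstract heaps stays bounded however long the concrete lists grow. It assumes a simplified abstraction: cells pointed to by program variables or shared by several predecessors interrupt chains, and chain lengths beyond a bound `K` are summarised; the exact abstraction the paper uses may differ.

```python
# Added example, not the paper's code: a minimal chain abstraction for heaps
# of singly-linked list cells. Assumed model: a heap maps cell ids to their
# successor (None = nil); a cell "interrupts" a chain when a program variable
# points to it or it has more than one predecessor; maximal runs of other
# cells are chains, and chain lengths above K collapse to the symbol "K+".
from collections import Counter, deque

K = 2  # bound on precisely tracked chain length (assumed)

def interrupting_cells(heap, variables):
    """Cells that end a chain: variable targets and shared cells."""
    indeg = Counter(nxt for nxt in heap.values() if nxt is not None)
    pointed = {c for c in variables.values() if c is not None}
    shared = {c for c, d in indeg.items() if d > 1}
    return pointed | shared

def abstract_heap(heap, variables):
    """Collapse a concrete heap into a canonical, hashable abstract heap.
    Interrupting cells are numbered in discovery order from the variables
    (sorted by name), so concrete cell ids and garbage cells do not matter."""
    stops = interrupting_cells(heap, variables)
    index, queue = {}, deque()        # concrete cell -> abstract node number
    for var in sorted(variables):
        cell = variables[var]
        if cell is not None and cell not in index:
            index[cell] = len(index)
            queue.append(cell)
    edges = []                        # (node, abstract chain length, target)
    while queue:
        src = queue.popleft()
        cur, length = heap[src], 0
        while cur is not None and cur not in stops:   # walk along the chain
            cur, length = heap[cur], length + 1
        if cur is not None and cur not in index:      # new interrupting cell
            index[cur] = len(index)
            queue.append(cur)
        edges.append((index[src], length if length <= K else f"{K}+",
                      None if cur is None else index[cur]))
    roots = tuple((v, None if c is None else index[c])
                  for v, c in sorted(variables.items()))
    return roots, tuple(edges)

def make_list(n, with_tail=False):
    """Constructed input: nil-terminated list of n cells, `head` at cell 0."""
    heap = {i: (i + 1 if i + 1 < n else None) for i in range(n)}
    variables = {"head": 0, "tail": n - 1} if with_tail else {"head": 0}
    return heap, variables

def count_abstract_states(max_len, with_tail=False):
    """Distinct abstract heaps for lists of length 1..max_len (stays bounded)."""
    return len({abstract_heap(*make_list(n, with_tail))
                for n in range(1, max_len + 1)})
```

Because every chain is reduced to a length in {0, ..., K, "K+"} and nodes are renumbered from the variables, the abstract state space stays finite even though the concrete heaps are unbounded; sharing between variables is preserved because a shared cell always becomes its own abstract node.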
