Property-Directed Shape Analysis

This paper addresses the problem of automatically generating quantified invariants for programs that manipulate singly and doubly linked-list data structures. Our algorithm is property-directed, i.e., its choices are driven by the properties to be proven. The algorithm is able to establish that a correct program has no memory-safety violations (e.g., null-pointer dereferences or double frees) and that data-structure invariants are preserved. For programs with errors, the algorithm produces concrete counterexamples. More broadly, the paper describes how to integrate IC3 with full predicate abstraction. The analysis method is complete in the following sense: if an inductive invariant that proves that the program satisfies a given property is expressible as a Boolean combination of a given set of predicates, then the analysis will find such an invariant. To the best of our knowledge, this method represents the first shape-analysis algorithm that is capable of (i) reporting concrete counterexamples, or alternatively (ii) establishing that the predicates in use are not capable of proving the property in question.
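
The three outcomes the abstract promises (an inductive invariant over the given predicates, a concrete counterexample, or a proof that the predicates are too weak) can be demonstrated on a toy. The following is an added example, not the paper's implementation: the paper encodes linked-list programs in the EPR fragment and discharges IC3's queries with an SMT solver, whereas this model is a constructed, bounded list traversal over small integers whose finite state space is enumerated directly, so a Python set stands in for every SAT/SMT query. The program, the bound `MAXLEN`, the predicate names (`at_test`, `at_deref`, `p_null`, `empty`) and the driver `analyze` are all assumptions of the example. What is faithful to the paper's structure is the pipeline: full (Boolean) predicate abstraction with the most precise transformer, IC3 with frames, recursive blocking and clause generalization over the abstract system, and a concrete replay of any abstract counterexample to decide whether it is a real bug or a spurious trace that shows no Boolean combination of the predicates can prove the property.

```python
"""Toy IC3/PDR over full predicate abstraction. Added example, not the paper's implementation: the
program is a constructed, bounded model of a list walk; enumeration stands in for SAT/SMT queries."""
MAXLEN = 3                                                  # list lengths 0..MAXLEN (toy bound)
PC_INIT, PC_TEST, PC_DEREF, PC_EXIT = 0, 1, 2, 3            # program counter values
# Concrete state (pc, L, p): L = list length, p = cursor node index, p == L encodes null.
def concrete_states():
    return [(pc, L, p) for pc in range(4) for L in range(MAXLEN + 1) for p in range(L + 1)]
def concrete_init(s): return s[0] == PC_INIT and s[2] == s[1]      # any input length, cursor null
def concrete_bad(s): return s[0] == PC_DEREF and s[2] == s[1]      # dereference of a null cursor
def concrete_post(s, do_while):
    """Successors of s; do_while=True is the buggy variant that dereferences before testing."""
    pc, L, p = s
    if pc == PC_INIT:                                       # p = head (node 0; null iff L == 0)
        return [(PC_DEREF if do_while else PC_TEST, L, 0)]
    if pc == PC_TEST:                                       # while (p != null)
        return [(PC_EXIT, L, p)] if p == L else [(PC_DEREF, L, p)]
    if pc == PC_DEREF:                                      # x = p->val; p = p->next
        return [(PC_TEST, L, min(p + 1, L))]
    return [(PC_EXIT, L, p)]

PREDICATES = {"at_test": lambda s: s[0] == PC_TEST, "at_deref": lambda s: s[0] == PC_DEREF,
              "p_null": lambda s: s[2] == s[1], "empty": lambda s: s[1] == 0}

def abstract_system(pred_names, do_while):
    """Full (Boolean) predicate abstraction with the most precise transformer, by enumeration."""
    preds = [PREDICATES[n] for n in pred_names]
    gamma = {}                                              # abstract bit-vector -> concrete states
    for s in concrete_states():
        gamma.setdefault(tuple(int(p(s)) for p in preds), []).append(s)
    alpha = {s: a for a, cs in gamma.items() for s in cs}
    succ = {a: {alpha[t] for s in cs for t in concrete_post(s, do_while)} for a, cs in gamma.items()}
    init = {a for a, cs in gamma.items() if any(map(concrete_init, cs))}
    bad = {a for a, cs in gamma.items() if any(map(concrete_bad, cs))}
    return gamma, succ, init, bad

def covers(cube, a):                                        # cube literals: 0, 1 or None (don't care)
    return all(lit is None or lit == v for lit, v in zip(cube, a))

def ic3(universe, succ, init, bad):
    """Returns ("invariant", abstract states) or ("abstract_cex", [a0 initial, ..., an bad])."""
    for a in init & bad:
        return "abstract_cex", [a]
    blocked = [None, set()]                                 # blocked[i]: cubes excluded from F_i; F_0 = init
    def frame(i):
        return init if i == 0 else {a for a in universe if not any(covers(c, a) for c in blocked[i])}
    def generalize(a, i):                                   # drop literals while the cube stays disjoint from
        cube = list(a)                                      # init and no F_{i-1} state outside it steps into it
        for j in range(len(cube)):
            cube[j], saved = None, cube[j]
            if any(covers(cube, b) for b in init) or any(
                    covers(cube, t) for u in frame(i - 1) if not covers(cube, u) for t in succ[u]):
                cube[j] = saved
        return tuple(cube)
    def block(a, i, trace):                                 # obligation: non-initial a unreachable in <= i steps
        while (u := next((v for v in frame(i - 1) if v != a and a in succ[v]), None)) is not None:
            if u in init:
                return [u] + trace                          # abstract counterexample path
            if cex := block(u, i - 1, [u] + trace):
                return cex
        c = generalize(a, i)
        for j in range(1, i + 1):                           # learned clause not-c holds in F_1 .. F_i
            blocked[j].add(c)
    k = 1
    while True:
        a = next((a for a in frame(k) if a in bad), None)
        if a is not None:
            if cex := block(a, k, [a]):
                return "abstract_cex", cex
            continue
        blocked.append(set())                               # open the unconstrained frame F_{k+1}
        for i in range(1, k + 1):                           # push clauses forward; F_i == F_{i+1} is inductive
            for c in blocked[i] - blocked[i + 1]:
                if not any(covers(c, t) for u in frame(i) for t in succ[u]):
                    blocked[i + 1].add(c)
            if blocked[i] == blocked[i + 1]:
                return "invariant", frame(i)
        k += 1

def concretize_trace(trace, gamma, do_while):
    """Replay an abstract counterexample concretely: a path is a real bug; None means it is spurious."""
    layers = [{s: None for s in gamma[trace[0]] if concrete_init(s)}]
    for a in trace[1:]:
        layers.append({t: s for s in layers[-1] for t in concrete_post(s, do_while) if t in gamma[a]})
    path = [s for s in layers[-1] if concrete_bad(s)][:1]    # one bad concrete endpoint, if any
    for layer in (reversed(layers[1:]) if path else []):    # follow stored predecessors back to init
        path.append(layer[path[-1]])
    return path[::-1] or None

def analyze(pred_names, do_while=False):
    """("safe", invariant) | ("bug", concrete path) | ("predicates_insufficient", abstract trace)."""
    gamma, succ, init, bad = abstract_system(pred_names, do_while)
    verdict, data = ic3(set(gamma), succ, init, bad)
    if verdict == "invariant":
        return "safe", data
    path = concretize_trace(data, gamma, do_while)
    return ("bug", path) if path else ("predicates_insufficient", data)
```

With the predicates `at_test`, `at_deref`, `p_null`, `analyze` reports the correct traversal safe and returns the inductive invariant as the set of abstract states satisfying ¬(at_deref ∧ p_null), a Boolean combination of the predicates. With `do_while=True` the abstract counterexample replays concretely and the verdict is a bug with the concrete path from `(0, 0, 0)` to `(2, 0, 0)`: the empty list, dereferenced before the null test. With only `at_deref` and `empty`, IC3 still finds an abstract counterexample, but its concrete replay is empty; since the abstraction is the most precise one over those predicates, this is a proof that no Boolean combination of them is an inductive invariant for the property, which is the dichotomy the abstract describes.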