Refinement-based program verification via three-valued-logic analysis

Recently, Sagiv, Reps, and Wilhelm introduced a powerful abstract-interpretation framework for program analysis based on three-valued logic [84]. Instantiations of this framework have been used to show a number of interesting properties of programs that manipulate a variety of linked data structures. However, two aspects of the framework represented significant challenges in its user-model. The work that is reported in this thesis addressed these two shortcomings, developed solutions to them, and carried out experiments to demonstrate their effectiveness. The first aspect is the need to specify the set of instrumentation relations, which define the abstraction used in the analysis. This thesis presents a method that refines an abstraction automatically. Refinement is carried out by introducing new instrumentation relations (defined via logical formulas over core relations, which capture the basic properties of memory configurations). We present two strategies for refining an abstraction. The simpler strategy is effective in many cases. The second strategy uses a previously known machine-learning algorithm in a new way, namely, to learn an appropriate abstraction (by learning defining formulas for additional instrumentation relations). An advantage of our method is that it does not require the use of a theorem prover. The use of learning, in lieu of deduction-based techniques, constitutes a paradigm shift: the abstraction is constructed by observing (and generalizing) properties of memory configurations. The second aspect is the need to specify relation-maintenance formulas, which describe how the effect of statements in the language (expressed using logical formulas that describe changes to core-relation values) can be reflected in the values of instrumentation relations. (These formulas define the abstract transfer functions of the abstract semantics used for analyzing programs.) Manual creation of relation-maintenance formulas is a time-consuming and error-prone process. This thesis presents an algorithm to generate relation-maintenance formulas completely automatically. The algorithm is based on the principle of finite differencing, and transforms an instrumentation relation's defining formula into a relation-maintenance formula that captures what the instrumentation relation's new value should be.

[1]  Roberto Giacobazzi,et al.  Making abstract interpretations complete , 2000, JACM.

[2]  David L. Dill,et al.  Counter-Example Based Predicate Discovery in Predicate Abstraction , 2002, FMCAD.

[3]  Alexandru Nicolau,et al.  Parallelizing Programs with Recursive Data Structures , 1989, IEEE Trans. Parallel Distributed Syst..

[4]  Shmuel Sagiv,et al.  TVLA: A System for Implementing Static Analyses , 2000, SAS.

[5]  Greg Nelson,et al.  Verifying reachability invariants of linked structures , 1983, POPL '83.

[6]  Neil Immerman,et al.  Dyn-FO: A Parallel, Dynamic Complexity Class , 1997, J. Comput. Syst. Sci..

[7]  Noam Rinetzky,et al.  Interprocedural Shape Analysis for Recursive Programs , 2001, CC.

[8]  Michael I. Jordan,et al.  Bug isolation via remote program sampling , 2003, PLDI.

[9]  Neil Immerman,et al.  The Boundary Between Decidability and Undecidability for Transitive-Closure Logics , 2004, CSL.

[10]  Nils Klarlund,et al.  Graph types , 1993, POPL '93.

[11]  Deepak Goyal,et al.  Deriving specialized program analyses for certifying component-client conformance , 2002, PLDI '02.

[12]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[13]  Jianwen Su,et al.  Incremental maintenance of recursive views using relational calculus/SQL , 2000, SGMD.

[14]  Eran Yahav,et al.  Verifying safety properties of concurrent Java programs using 3-valued logic , 2001, POPL '01.

[15]  Patrick Cousot,et al.  Systematic design of program analysis frameworks , 1979, POPL.

[16]  Neil D. Jones,et al.  Flow analysis and optimization of LISP-like structures , 1979, POPL.

[17]  Eran Yahav,et al.  Predicate Abstraction and Canonical Abstraction for Singly-Linked Lists , 2005, VMCAI.

[18]  David L. Dill,et al.  Experience with Predicate Abstraction , 1999, CAV.

[19]  Luc De Raedt,et al.  Inductive Logic Programming: Theory and Methods , 1994, J. Log. Program..

[20]  Thomas W. Reps,et al.  Numeric Domains with Summarized Dimensions , 2004, TACAS.

[21]  Shuvendu K. Lahiri,et al.  Verifying properties of well-founded linked lists , 2006, POPL '06.

[22]  Thomas W. Reps,et al.  Symbolic Implementation of the Best Transformer , 2004, VMCAI.

[23]  Ching-Tsun Chou,et al.  The Mathematical Foundation fo Symbolic Trajectory Evaluation , 1999, CAV.

[24]  Mark N. Wegman,et al.  Analysis of pointers and structures , 1990, SIGP.

[25]  Gary Lindstrom,et al.  Scanning List Structures Without Stacks or Tag Bits , 1973, Information Processing Letters.

[26]  Jr. Sheldon B. Akers,et al.  On a Theory of Boolean Functions , 1959 .

[27]  Michael Rodeh,et al.  Checking Cleanness in Linked Lists , 2000, SAS.

[28]  Randal E. Bryant,et al.  Graph-Based Algorithms for Boolean Function Manipulation , 1986, IEEE Transactions on Computers.

[29]  Yanhong A. Liu,et al.  Discovering auxiliary information for incremental computation , 1996, POPL '96.

[30]  Patrice Godefroid,et al.  Automatically closing open reactive programs , 1998, PLDI.

[31]  Rodney W. Topor,et al.  The correctness of the Schorr-Waite list marking algorithm , 1979, Acta Informatica.

[32]  Eran Yahav,et al.  Verifying safety properties using separation and heterogeneous abstractions , 2004, PLDI '04.

[33]  Neil Immerman,et al.  Dynamic computational complexity , 2003 .

[34]  Tobias Nipkow,et al.  Proving pointer programs in higher-order logic , 2005, Inf. Comput..

[35]  Eran Yahav,et al.  Automatically Verifying Concurrent Queue Algorithms , 2003, SoftMC@CAV.

[36]  Michael I. Schwartzbach,et al.  The pointer assertion logic engine , 2000, PLDI '01.

[37]  R. Mike Cameron-Jones,et al.  FOIL: A Midterm Report , 1993, ECML.

[38]  Eran Yahav,et al.  Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management , 2003, SAS.

[39]  Willard Van Orman Quine,et al.  The Problem of Simplifying Truth Functions , 1952 .

[40]  Hassen Saïdi,et al.  Construction of Abstract State Graphs with PVS , 1997, CAV.

[41]  Sriram K. Rajamani,et al.  Automatically validating temporal safety properties of interfaces , 2001, SPIN '01.

[42]  B. V. Fraassen Singular Terms, Truth-Value Gaps, and Free Logic , 1966 .

[43]  Yanhong A. Liu,et al.  Systematic Derivation of Incremental Programs , 1995, Sci. Comput. Program..

[44]  Olivier Coudert,et al.  Two-level logic minimization: an overview , 1994, Integr..

[45]  Donald Ervin Knuth,et al.  The Art of Computer Programming , 1968 .

[46]  Tsutomu Sasao,et al.  Ternary Decision Diagrams and their Applications , 1996 .

[47]  Reinhard Wilhelm,et al.  A semantics for procedure local heaps and its abstractions , 2005, POPL '05.

[48]  Bertrand Jeannet,et al.  A Relational Approach to Interprocedural Shape Analysis , 2004, SAS.

[49]  Thomas W. Reps,et al.  Finite Differencing of Logical Formulas for Static Analysis , 2003, ESOP.