Model checking recursive programs interacting via the heap

Almost all modern imperative programming languages include operations for dynamically manipulating the heap, for example by allocating and deallocating objects, and by updating reference fields. In the presence of recursive procedures and local variables, the interactions of a program with the heap can become rather complex, as an unbounded number of objects can be allocated either on the call stack using local variables, or, anonymously, on the heap using reference fields. As such, a static analysis for recursive programs with dynamic manipulation of the heap is, in general, undecidable.In this paper we study the verification of recursive programs with unbounded allocation of objects, in a simple imperative language with heap manipulation. We present a semantics for this language which is improved w.r.t. heap allocation, using an abstraction that is precise (i.e., bisimilar with the standard/concrete semantics). For any program with a bounded visible heap, meaning that the number of objects reachable from variables at any point of execution is bounded, this abstraction is a finitary representation of its behaviour, even though an unbounded number of objects can appear in the state. As a consequence, for such programs model checking is decidable. Finally, we introduce a specification language for heap-properties, and we discuss model checking of heap invariant properties against heap-manipulating programs. We model a program with recursive procedure, local variables and dynamic allocation.We give an abstraction of the memory model that is precise.We show that model checking of programs with bounded visible heap is decidable.We introduce a logic for invariants checking using regular expressions.We give an implementation for model checking invariants using pushdown system specification.

[1]  Ahmed Bouajjani,et al.  Context-Bounded Analysis of Multithreaded Programs with Dynamic Linked Structures , 2007, CAV.

[2]  Javier Esparza,et al.  Reachability Analysis of Pushdown Automata: Application to Model-Checking , 1997, CONCUR.

[3]  Grigore Rosu,et al.  Checking reachability using matching logic , 2012, OOPSLA '12.

[4]  Javier Esparza,et al.  A BDD-Based Model Checker for Recursive Programs , 2001, CAV.

[5]  Arnaud Sangnier,et al.  Formal Verification of Industrial Software with Dynamic Memory Management , 2010, 2010 IEEE 16th Pacific Rim International Symposium on Dependable Computing.

[6]  Frank S. de Boer,et al.  Bounded Model Checking of Recursive Programs with Pointers in K , 2012, WADT.

[7]  Klaus Havelund,et al.  Model checking JAVA programs using JAVA PathFinder , 2000, International Journal on Software Tools for Technology Transfer.

[8]  Thierry Coquand,et al.  A Decision Procedure for Regular Expression Equivalence in Type Theory , 2011, CPP.

[9]  Christel Baier,et al.  Principles of model checking , 2008 .

[10]  Xiaokang Qiu,et al.  Decidable logics combining heap structures and data , 2011, POPL '11.

[11]  Koushik Sen,et al.  Generating Optimal Monitors for Extended Regular Expressions , 2003, RV@CAV.

[12]  Vincenzo Ciancia,et al.  Symmetries, local names and dynamic (de)-allocation of names , 2010, Inf. Comput..

[13]  Frank S. de Boer,et al.  Unbounded Allocation in Bounded Heaps , 2013, FSEN.

[14]  Janusz A. Brzozowski,et al.  Derivatives of Regular Expressions , 1964, JACM.

[15]  Peter W. O'Hearn,et al.  A Decidable Fragment of Separation Logic , 2004, FSTTCS.

[16]  Stefan Schwoon,et al.  Model checking pushdown systems , 2002 .

[17]  Alain Finkel,et al.  Towards Model-Checking Programs with Lists , 2007, ILC.

[18]  Dexter Kozen,et al.  Kleene algebra with tests , 1997, TOPL.

[19]  Alexandra Silva,et al.  A Decision Procedure for Bisimilarity of Generalized Regular Expressions , 2010, SBMF.

[20]  Mads Dam,et al.  Model Checking Mobile Processes , 1993, Inf. Comput..

[21]  Frank S. de Boer,et al.  Interacting via the Heap in the Presence of Recursion , 2012, ICE.

[22]  Ofer Strichman,et al.  Bounded model checking , 2003, Adv. Comput..

[23]  Radu Iosif,et al.  A deadlock detection tool for concurrent Java programs , 1999, Softw. Pract. Exp..

[24]  Thomas Reps,et al.  WPDS++: A C++ library for weighted pushdown systems , 2005 .

[25]  James C. Corbett,et al.  Bandera: extracting finite-state models from Java source code , 2000, ICSE.

[26]  Peter W. O'Hearn,et al.  A Local Shape Analysis Based on Separation Logic , 2006, TACAS.

[27]  Reinhard Wilhelm,et al.  A semantics for procedure local heaps and its abstractions , 2005, POPL '05.

[28]  Joost-Pieter Katoen,et al.  Who is Pointing When to Whom? , 2004, FSTTCS.

[29]  Marco Pistore,et al.  Structured coalgebras and minimal HD-automata for the pi-calculus , 2005, Theor. Comput. Sci..

[30]  Frank S. de Boer,et al.  Automated Verification of Recursive Programs with Pointers , 2012, IJCAR.

[31]  David L. Dill,et al.  Java model checking , 2000, Proceedings ASE 2000. Fifteenth IEEE International Conference on Automated Software Engineering.

[32]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[33]  Christel Baier,et al.  Principles of Model Checking (Representation and Mind Series) , 2008 .

[34]  Pierre Wolper,et al.  A direct symbolic approach to model checking pushdown systems , 1997, INFINITY.

[35]  Narciso Martí-Oliet,et al.  All About Maude - A High-Performance Logical Framework, How to Specify, Program and Verify Systems in Rewriting Logic , 2007, All About Maude.