Download presentation

Presentation is loading. Please wait.

Published byRosalyn Arnold Modified over 2 years ago

1
1 A Logic of Reachable Patterns in Linked Data-Structures Greta Yorsh joint work with Alexander Rabinovich, Mooly Sagiv Tel Aviv University Antoine Meyer, Ahmed Bouajjani LIAFA, Univ. of Paris 7

2
2 Heap-Manipulating Programs Imperative programming languages Arbitrary size and structure of the heap Destructive updates of fields Invariants involve reachability in linked data-structures Temporary violations of data-structure invariants

3
3 Modeling Heaps Model heaps using directed labelled graphs –heap objects as nodes –pointer variables as unique labels on nodes –x = v means “v is pointed-to by x” –pointer fields as labels on edges – means “w is pointed-to by the n field of v” v w n

4
4 Specification Language Natural for reasoning about linked data- structures –reachability Useful –data-structure invariants –loop invariants / characterization of abstraction –pre- and post-conditions –low-level mutations –verification conditions Decidable for validity/satisfiability

5
5 MSO FO+TC FO Decidability with Reachability Limit the properties –Guarded fixpoint logic [Gradel et al, LICS’99 ] –EADTC [Immerman et al., CSL’04] –L R [Benedikt et. al., ESOP’99] Limit the graphs –MSO on trees [Rabin’69]

6
6 Using MSO on Trees –Supports reachability –Decidable on trees [Rabin’69] But –Non-elementary complexity –How to specify postconditions for procedures that mutate fields ? –e.g., in-place reversal of a singly-linked list –What about programs that temporarily manipulate non-trees ? –What about programs which manipulate non- trees ?

7
7 The Idea Balance between complex properties and complex graphs Allow regular properties of arbitrary graphs –disjointness –cyclicity –reversal –sharing

8
88 Logic of Reachable Patterns (LRP) A logic for reasoning about heap-manipulating programs and recursive data-structures Allows regular properties of arbitrary heaps –disjointness, cyclicity, reversal, sharing –arbitrary number of binary relations Closed under negation Finite model property Bounded model property Decidable –non-trivial proof of tree-like model property Useful for verificationUseful for verification

9
99 Syntax of LRP c[R]pArbitrary boolean combinations of reachability constraints: c[R]p v 0,v 1,..., v n.R(c,v 0 ) p(v 0,v 1,...v n ) Routing expression R –R ::= | | c | c | R 1.R 2 | (R 1 |R 2 ) | R* | | Pattern p –with designated free variable v 0 (central node) –of the form N(v 0,v 1,...v n ) (v 0,v 1,...v n ) –N is neighborhood formula – is quantifier free formula ff with additional restrictions

10
10 Interesting Heap Properties c R p ( c [R] p ) –shorthand x * y –y is reachable from x x + x –x is cyclic x [ *. * ] y –disjoint : objects reachable from x by following f-path are disjoint from objects reachable from y by following a f-path f f ff

11
11 List pointed-to by x is not shared x[ * ]uns f where uns f (v 0 ) (v 1 v 0 ) (v 2 v 0 ) (v 1 = v 2 ) Unshared Lists v2v2 v1v1 v0v0 f f f ff

12
12 Tree rooted at x x [ ( | )* ] (uns left,right uns left uns right ) x ( | ) + x where –uns f (v 0 ) (v 1 v 0 ) (v 2 v 0 ) (v 1 = v 2 ) –uns f,g (v 0 ) ((v 1 v 0 ) (v 2 v 0 )) Tree f ff leftright leftright g

13
13 Doubly-linked list pointed-to by x x[ * ]dll f,b where dll f,b (v 0 ) (v 0 v 1 ) (v 1 v 0 ) Doubly-linked Lists f f b v0v0 v1v1 f b

14
14 List with head pointers head[ * ]p where p (v 0 ) (v 1 v 0 ) (v 1 head) head ffffff g g g g g f g f

15
15 c Var,f Fields c[ * ] det f null null –all fields are deterministic det f (v 0 ) (v 0 v 1 ) (v 0 v 2 ) (v 1 = v 2 ) –node for NULL Well-Formed Heaps null fg v2v2 v1v1 v0v0 f f f ff

16
16 Node reverse(Node x) { Node y = null; while (x != null) { Node t = x.n; x.n = y; y = x; x = t; } return y; } Reversal of Singly-linked List x y’

17
17 x y’ precondition x * null postcondition y’ * null x [ * ] inv n,n’ where inv n,n’ (v 0 v 1 ) (v 1 v 0 ) Reversal of Singly-linked List nn’ n n

18
18 –the list reachable from x’ is the same as it was on entry to the method x’ [ * ] same n,n’ where same n,n’ (v 0 ) (v 0 v 1 ) (v 0 v 1 ) –the list reachable from y’ is reversed y’ * null x [ (. y’ )* ] inv n,n’ –the original edge n outgoing of y’ is to x’ y’ x’ Loop Invariant for Reverse x’ x y’ n n n nn’

19
19 postcondition a * last last null last b a[(. last) *] same n,n' b[ *] same n,n' Specification of Append precondition a * null ( a *. * b ) n nn n n n n same n,n’ (v 0 v 1 ) (v 0 v 1 ) nn' class List { List n = null;... List append(List a, List b) { @requires acyclic(a) & disjoint(a, b) @ensures post append (a,b) if (a == null) return b; List d = a; while (d.n != null) d = d.n; d.n = b; return a; } Only the n-field of the last location reachable from a on entry is modified and it points to b If b acyclic before append, then the result of append is acyclic n'

20
20 Verification using LRP Verification condition generation in LRP –if pre and post conditions and loop invariants are in LRP then it is possible to generate verification condition formula in LRP Modular analysis –pre and post conditions in LRP –no need for loop invariants –use abstract domain with in LRP Abstract domain of LRP formulas 20 ^

21
21Example [0]{ x n z } [1] y := x->n [2] x->n := NULL { y * z } x[0] n[0] * z[0] x[0] n[0] y[1] same x[0],n[0],n[1] x[0]=x[1] x[1] n[2] null same y[1],n[1],n[2] y[1]=y[2] x[1]=x[2] y[2] ( n[2] )* z[2] x[0] != null x[1] != null xzy null

22
22 Decidability of LRP Validity and satisfiability are decidable –closed under negation –it is sufficient to show that the satisfiability of LRP is decidable Proof –reduction to MSO on trees –based on non-trivial proof of model property

23
23Observation –(almost) all extra edges have one of their endpoints labeled with a constant –encode extra edges using unary relations head ffffff g g g g g f

24
24 Model Property of LRP If has a model then has a model in Bk –Bk is a set of graphs for which removing all edges to and from constants results in a graph in Ak –Ak is a set of graphs for which Gaifman graph is a tree with at most k additional edges –k is linear in the size of

25
25 x nn nn null bbb b x fff f x r rl l r r r r A0A0 A1A1 A2A2 A4A4 x fffff ggggg f Gaifman graph of S graph S

26
26 x n n nn null b x f bb b ff f A0A0 A1A1 A2A2 B0B0 B0B0 B0B0 A4A4 B0B0 Gaifman graph of S graph S x rl rl r r r r x ffff f ggggg f

27
27 If has a model then has a model in Bk – is of the form –S –S 0 and S 0 Bk but S 0 –S 1 and S 1 Bk... –S m and S m Bk –Sm –Sm 27 S1S1 t1t1 S2S2 t2t2 S S0S0 h0h0 h1h1 h2h2 S m-1 SmSm tmtm... h m-1 hmhm Model Property of LRP t s x z x * y x[( . y)*]inv f,b x[ ]det f

28
28 If has a model then has a model in Bk – is of the form –from S construct S m s.t. S m and S m Bk –every step t i is defined by a pattern 28 S1S1 t1t1 S2S2 t2t2 S S0S0 h0h0 h1h1 h2h2 S m-1 SmSm tmtm... h m-1 hmhm Model Property of LRP t s x z x * y x[( . y)*]inv f,b x[ ]det f

29
29Example t s x z x * y x[( . y)*]inv f,b x[ ]det f

30
30Example x yz t s t s x z x * y x[( . y)*]inv f,b x[ ]det f

31
31 x y x zExample t s t s x z x * y x[( . y)*]inv f,b x[ ]det f

32
32 x y zExample t s x z x * y x[( . y)*]inv f,b x[ ]det f t s

33
33 x yzExample t s x z x * y x[( . y)*]inv f,b x[ ]det f t s

34
34 If has a model then has a model in Bk – is of the form –from S construct S m s.t. S m and S m Bk –every step t i is defined by a pattern –preserves h i –preserves Bk 34 S1S1 t1t1 S2S2 t2t2 S S0S0 h0h0 h1h1 h2h2 S m-1 SmSm tmtm... h m-1 hmhm Model Property of LRP t s x z x * y x[( . y)*]inv f,b x[ ]det f

35
35 Restrictions on Patterns Syntactically restrict pattern p in c[R]p Restrict positive equality formulas –p(v 0 ) N(v 0, v 1,..., v n ) (v 1 = v 2 ) –N is a conjunction of edge formulas –distance between v 1 and v 2 in N is at most 2 Restrict positive edge formulas –p(v 0 ) N(v 0, v 1,... v n ) (v 1 v 2 ) –N is a conjunction of edge formulas –distance between v 1 and v 2 in N is at most 1 f

36
36 Reduction: LRP to MSO on trees For every in LRP we can construct a formula tr( ) such that is satisfiable (over graphs ) if and only if tr( ) is satisfiable over trees 36 Bk

37
37 Other Decidable Fragments Allow reachability constraints [R]p where positive quantifier-free formulas Allow positive universal quantifications over constants and fields –not closed under negation –useful for modular specification

38
38 Undecidability Result Without restrictions on patterns, the logic becomed undecidable Idea: enforce existence of edges c 1 [ * ] p where p(v) (v u) (v v 1 ) (u u 1 ) (v 1 u 1 ) v1v1 u1u1 u v b b n n n bnnb

39
39 More Related Work Modal Logics –have tree model property (no equality) Hybrid Logics –equality only between named nodes –cannot express deterministic edge Description Logics –DL with nominals, deterministic roles and inverse roles is undecidable

40
40Summary LRP is useful –data-structure invariants (reachability) –loop invariants –verification conditions Satisfiability and validity of LRP formulas are decidable –model property –worst case complexity is doubly-exponential

41
41 Principles Arbitrary structure of the heap Regular properties –restrict quantification: no alternations –allow arbitrary boolean combinations of reachability constraints –use regular expressions to define reachability –syntactically limit the patterns Proof approach –model property –structure simulation

Similar presentations

OK

Formal Verification Group © Copyright IBM Corporation 2008 IBM Haifa Labs SAT-based unbounded model checking using interpolation Based on a paper “Interpolation.

Formal Verification Group © Copyright IBM Corporation 2008 IBM Haifa Labs SAT-based unbounded model checking using interpolation Based on a paper “Interpolation.

© 2018 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Download ppt on transportation in human beings the largest Ppt on fire extinguisher types class Ppt on db2 introduction to accounting Ppt on forward rate agreement calculator Download ppt on foundry technology Ppt on france in french Ppt on uses and misuses of internet Ppt on importance of drinking water Ppt on condition of girl child in india Ppt on travel and tourism industry in india