1 A Logic of Reachable Patterns in Linked Data-Structures Greta Yorsh joint work with Alexander Rabinovich, Mooly Sagiv Tel Aviv University Antoine Meyer, Ahmed Bouajjani LIAFA, Univ. of Paris 7

2 Heap-Manipulating Programs Imperative programming languages Arbitrary size and structure of the heap Destructive updates of fields Invariants involve reachability in linked data-structures Temporary violations of data-structure invariants

3 Modeling Heaps Model heaps using directed labelled graphs –heap objects as nodes –pointer variables as unique labels on nodes –x = v means “v is pointed-to by x” –pointer fields as labels on edges – means “w is pointed-to by the n field of v” v w n

4 Specification Language Natural for reasoning about linked data- structures –reachability Useful –data-structure invariants –loop invariants / characterization of abstraction –pre- and post-conditions –low-level mutations –verification conditions Decidable for validity/satisfiability

5 MSO FO+TC FO Decidability with Reachability Limit the properties –Guarded fixpoint logic [Gradel et al, LICS’99 ] –EADTC [Immerman et al., CSL’04] –L R [Benedikt et. al., ESOP’99] Limit the graphs –MSO on trees [Rabin’69]

6 Using MSO on Trees –Supports reachability –Decidable on trees [Rabin’69] But –Non-elementary complexity –How to specify postconditions for procedures that mutate fields ? –e.g., in-place reversal of a singly-linked list –What about programs that temporarily manipulate non-trees ? –What about programs which manipulate non- trees ?

7 The Idea Balance between complex properties and complex graphs Allow regular properties of arbitrary graphs –disjointness –cyclicity –reversal –sharing

88 Logic of Reachable Patterns (LRP) A logic for reasoning about heap-manipulating programs and recursive data-structures Allows regular properties of arbitrary heaps –disjointness, cyclicity, reversal, sharing –arbitrary number of binary relations Closed under negation Finite model property Bounded model property Decidable –non-trivial proof of tree-like model property Useful for verificationUseful for verification

99 Syntax of LRP c[R]pArbitrary boolean combinations of reachability constraints: c[R]p  v 0,v 1,..., v n.R(c,v 0 )  p(v 0,v 1,...v n ) Routing expression R –R ::= | | c |  c | R 1.R 2 | (R 1 |R 2 ) | R* |  |  Pattern p –with designated free variable v 0 (central node) –of the form N(v 0,v 1,...v n )   (v 0,v 1,...v n ) –N is neighborhood formula –  is quantifier free formula ff with additional restrictions

10 Interesting Heap Properties c  R  p   ( c [R]  p ) –shorthand x  *  y –y is reachable from x x  +  x –x is cyclic x [ *. * ]  y –disjoint : objects reachable from x by following f-path are disjoint from objects reachable from y by following a f-path f f ff

11 List pointed-to by x is not shared x[ * ]uns f where uns f (v 0 )  (v 1 v 0 )  (v 2 v 0 )  (v 1 = v 2 ) Unshared Lists v2v2 v1v1 v0v0 f f f ff

12 Tree rooted at x x [ ( | )* ] (uns left,right  uns left  uns right )   x  ( | ) +  x where –uns f (v 0 )  (v 1 v 0 )  (v 2 v 0 )  (v 1 = v 2 ) –uns f,g (v 0 )   ((v 1 v 0 )  (v 2 v 0 )) Tree f ff leftright leftright g

13 Doubly-linked list pointed-to by x x[ * ]dll f,b where dll f,b (v 0 )  (v 0 v 1 )  (v 1 v 0 ) Doubly-linked Lists f f b v0v0 v1v1 f b

14 List with head pointers head[ * ]p where p (v 0 )  (v 1 v 0 )  (v 1 head) head ffffff g g g g g f g f

15  c  Var,f  Fields c[ * ] det f  null   null –all fields are deterministic det f (v 0 )  (v 0 v 1 )  (v 0 v 2 )  (v 1 = v 2 ) –node for NULL Well-Formed Heaps null fg v2v2 v1v1 v0v0 f f  f ff

16 Node reverse(Node x) { Node y = null; while (x != null) { Node t = x.n; x.n = y; y = x; x = t; } return y; } Reversal of Singly-linked List x y’

17 x y’ precondition x  *  null postcondition y’  *  null  x [ * ] inv n,n’ where inv n,n’  (v 0 v 1 )  (v 1 v 0 ) Reversal of Singly-linked List nn’ n n

18 –the list reachable from x’ is the same as it was on entry to the method x’ [ * ] same n,n’ where same n,n’ (v 0 )  (v 0 v 1 )  (v 0 v 1 ) –the list reachable from y’ is reversed y’  *  null  x [ (.  y’ )* ] inv n,n’ –the original edge n outgoing of y’ is to x’ y’   x’ Loop Invariant for Reverse x’ x y’ n n n nn’

19 postcondition  a  *  last  last   null  last   b  a[(.  last) *] same n,n'  b[ *] same n,n' Specification of Append precondition a  *  null   ( a  *. *  b ) n nn n n n n same n,n’  (v 0 v 1 )  (v 0 v 1 ) nn' class List { List n = null;... List append(List a, List b) acyclic(a) & disjoint(a, post append (a,b) if (a == null) return b; List d = a; while (d.n != null) d = d.n; d.n = b; return a; } Only the n-field of the last location reachable from a on entry is modified and it points to b If b acyclic before append, then the result of append is acyclic n'

20 Verification using LRP Verification condition generation in LRP –if pre and post conditions and loop invariants are in LRP then it is possible to generate verification condition formula in LRP Modular analysis –pre and post conditions in LRP –no need for loop invariants –use abstract domain with  in LRP Abstract domain of LRP formulas 20 ^

21Example [0]{ x   n  z } [1] y := x->n [2] x->n := NULL { y   *  z } x[0]   n[0] *  z[0]  x[0]   n[0]  y[1]  same x[0],n[0],n[1]  x[0]=x[1]  x[1]   n[2]  null  same y[1],n[1],n[2]  y[1]=y[2]  x[1]=x[2]  y[2]  (  n[2] )*  z[2]  x[0] != null  x[1] != null xzy null

22 Decidability of LRP Validity and satisfiability are decidable –closed under negation –it is sufficient to show that the satisfiability of LRP is decidable Proof –reduction to MSO on trees –based on non-trivial proof of model property

23Observation –(almost) all extra edges have one of their endpoints labeled with a constant –encode extra edges using unary relations head ffffff g g g g g f

24 Model Property of LRP If  has a model then  has a model in Bk –Bk is a set of graphs for which removing all edges to and from constants results in a graph in Ak –Ak is a set of graphs for which Gaifman graph is a tree with at most k additional edges –k is linear in the size of 

25 x nn nn null bbb b x fff f x r rl l r r r r A0A0 A1A1 A2A2 A4A4 x fffff ggggg f Gaifman graph of S graph S

26 x n n nn null b x f bb b ff f A0A0 A1A1 A2A2 B0B0 B0B0 B0B0 A4A4 B0B0 Gaifman graph of S graph S x rl rl r r r r x ffff f ggggg f

27 If  has a model then  has a model in Bk –  is of the form      –S   –S 0    and S 0  Bk but S 0    –S 1    and S 1  Bk... –S m    and S m  Bk –Sm  –Sm   27 S1S1 t1t1 S2S2 t2t2 S S0S0 h0h0 h1h1 h2h2 S m-1 SmSm tmtm... h m-1 hmhm Model Property of LRP t  s  x  z  x  *  y  x[( .  y)*]inv f,b  x[  ]det f

28 If  has a model then  has a model in Bk –  is of the form      –from S   construct S m s.t. S m   and S m  Bk –every step t i is defined by a pattern 28 S1S1 t1t1 S2S2 t2t2 S S0S0 h0h0 h1h1 h2h2 S m-1 SmSm tmtm... h m-1 hmhm Model Property of LRP t  s  x  z  x  *  y  x[( .  y)*]inv f,b  x[  ]det f

29Example t  s  x  z  x  *  y  x[( .  y)*]inv f,b  x[  ]det f

30Example x yz t s t  s  x  z  x  *  y  x[( .  y)*]inv f,b  x[  ]det f

31 x y x zExample t s t  s  x  z  x  *  y  x[( .  y)*]inv f,b  x[  ]det f

32 x y zExample t  s  x  z  x  *  y  x[( .  y)*]inv f,b  x[  ]det f t s

33 x yzExample t  s  x  z  x  *  y  x[( .  y)*]inv f,b  x[  ]det f t s

34 If  has a model then  has a model in Bk –  is of the form      –from S   construct S m s.t. S m   and S m  Bk –every step t i is defined by a pattern –preserves h i –preserves Bk 34 S1S1 t1t1 S2S2 t2t2 S S0S0 h0h0 h1h1 h2h2 S m-1 SmSm tmtm... h m-1 hmhm Model Property of LRP t  s  x  z  x  *  y  x[( .  y)*]inv f,b  x[  ]det f

35 Restrictions on Patterns Syntactically restrict pattern p in c[R]p Restrict positive equality formulas –p(v 0 )  N(v 0, v 1,..., v n )  (v 1 = v 2 ) –N is a conjunction of edge formulas –distance between v 1 and v 2 in N is at most 2 Restrict positive edge formulas –p(v 0 )  N(v 0, v 1,... v n )  (v 1 v 2 ) –N is a conjunction of edge formulas –distance between v 1 and v 2 in N is at most 1 f

36 Reduction: LRP to MSO on trees For every  in LRP we can construct a formula tr(  ) such that  is satisfiable (over graphs ) if and only if tr(  ) is satisfiable over trees 36 Bk

37 Other Decidable Fragments Allow reachability constraints  [R]p where  positive quantifier-free formulas Allow positive universal quantifications over constants and fields –not closed under negation –useful for modular specification

38 Undecidability Result Without restrictions on patterns, the logic becomed undecidable Idea: enforce existence of edges c 1 [ * ] p where p(v)  (v u)  (v v 1 )  (u u 1 )  (v 1 u 1 ) v1v1 u1u1 u v b b n n n bnnb

39 More Related Work Modal Logics –have tree model property (no equality) Hybrid Logics –equality only between named nodes –cannot express deterministic edge Description Logics –DL with nominals, deterministic roles and inverse roles is undecidable

40Summary LRP is useful –data-structure invariants (reachability) –loop invariants –verification conditions Satisfiability and validity of LRP formulas are decidable –model property –worst case complexity is doubly-exponential

41 Principles Arbitrary structure of the heap Regular properties –restrict quantification: no alternations –allow arbitrary boolean combinations of reachability constraints –use regular expressions to define reachability –syntactically limit the patterns Proof approach –model property –structure simulation