1 Simulating Reachability using First-Order Logic with Applications to Verification of Linked Data Structures Tal Lev-Ami 1, Neil Immerman 2, Tom Reps.

Presentation transcript:

1 Simulating Reachability using First-Order Logic with Applications to Verification of Linked Data Structures
Tal Lev-Ami (1), Neil Immerman (2), Tom Reps (3), Mooly Sagiv (1), Siddharth Srivastava (2) and Greta Yorsh (1)
(1) Tel Aviv University, (2) University of Massachusetts-Amherst, (3) University of Wisconsin-Madison
CADE 2005

2 Applications of TC in verification
Transitive closure is natural for reasoning about linked data structures:
Element v of a list (pointed to by x): ∃w. x(w) ∧ n*(w,v)
Acyclicity: ∀v1,v2. n(v1,v2) → ¬n*(v2,v1)
Unreachable objects (garbage): ∃v2. ∀v1. Var(v1) → ¬f*(v1,v2)
Deadlocks

3 Automated reasoning for FOL
Powerful tools are available for automated reasoning in FOL (with equality):
Resolution: SPASS, Vampire, …
Nelson-Oppen: Simplify, Zapato, …
They prove, disprove (or diverge).

4 What about FOL+TC?
No known tools for automated reasoning in full FOL+TC.
No surprise: TC is very powerful; even small fragments of FOL (e.g. C²) become undecidable with the addition of TC.
There is no R.E. axiomatization of TC in FOL.

5 Agenda
Verifying heap-manipulating programs
Initial axiomatization
Induction axiom scheme
Automating axiom instantiation
Conclusion

6 Verifying heap-manipulating programs
Heap objects: individuals
Reference variables: unary relation symbols x(v), y(v) – v is pointed to by x, y
Fields: binary relation symbols n(v,w) – the n field of v points to w

7 Reflexive transitive closure
n*(v1,v2): v2 is reachable from v1 by following 0 or more n-fields.
n*(v1,v2) is the least fixed point of n_tc in
∀v1,v2. n_tc(v1,v2) ↔ (v1 = v2) ∨ ∃w. n(v1,w) ∧ n_tc(w,v2)
or
∀v1,v2. n_tc(v1,v2) ↔ (v1 = v2) ∨ ∃w. n_tc(v1,w) ∧ n(w,v2)

8 Verification example
A list pointed to by x
A list pointed to by y
Show that x ≠ y → the lists are disjoint

9 Premise
Unary reachability (shorthand): ∀v. r_{z,n}(v) ↔ ∃w. z(w) ∧ n*(w,v)
No heap sharing: ∀v,v1,v2. n(v1,v) ∧ n(v2,v) → v1 = v2
No incoming edges to x and y: ∀v,w. x(v) ∨ y(v) → ¬n(w,v)
x and y are unique and different:
∀v1,v2. x(v1) ∧ x(v2) → v1 = v2
∀v1,v2. y(v1) ∧ y(v2) → v1 = v2
∀v. ¬(x(v) ∧ y(v))

10 Goal
The lists pointed to by x and y are disjoint: ∀v. ¬(r_{x,n}(v) ∧ r_{y,n}(v))

11 Approximating TC in FOL
Extend the vocabulary with a new binary relation symbol n_tc.
Replace all occurrences of n* with n_tc.
Add the ‘natural’ axioms:
∀v1,v2. n_tc(v1,v2) ↔ (v1 = v2) ∨ ∃w. n(v1,w) ∧ n_tc(w,v2)
∀v1,v2. n_tc(v1,v2) ↔ (v1 = v2) ∨ ∃w. n_tc(v1,w) ∧ n(w,v2)
The problem – minimality: the least fixed point is not expressible in FOL.

12 TC-models
TC-model: a model M s.t. if n and n_tc are in the vocabulary of M, then (n_tc)^M = (n^M)*, i.e., M interprets n_tc as the reflexive, transitive closure of its interpretation of n.
A set of axioms (axiomatization) Σ is
TC-valid if Σ is true in every TC-model;
TC-complete if for every formula φ that is true in all TC-models, Σ ⊢ φ.

13 Approximating TC in FOL
The natural axiomatization is TC-complete for acyclic finite models, but not TC-complete otherwise.
Negative occurrences of TC are the problem: TC-valid formulas with only positive occurrences of TC are implied by the natural axiomatization.

14 Problems: cycles
[Figure: a TC-model (n* = n_tc) beside a model of the natural axioms on nodes u1, u2, u3, u4 containing an n-cycle, in which n* ≠ n_tc.]
∀v1,v2. n_tc(v1,v2) ↔ (v1 = v2) ∨ ∃w. n(v1,w) ∧ n_tc(w,v2)
∀v1,v2. n_tc(v1,v2) ↔ (v1 = v2) ∨ ∃w. n_tc(v1,w) ∧ n(w,v2)

15 Problems: infinite models
[Figure: a TC-model (n* = n_tc) with finite n-chains from x and y, beside an infinite model of the natural axioms in which n* ≠ n_tc.]

16 Problems: infinite models
Existing FOL theorem provers cannot be restricted to finite models.
Finiteness is not FOL expressible.

17 Induction axiom scheme
IND[P,Z,n] = (∀w. Z(w) → P(w)) ∧ (∀w1,w2. P(w1) ∧ n(w1,w2) → P(w2)) → (∀w1,w2. Z(w1) ∧ n_tc(w1,w2) → P(w2))
Incomplete: a complete axiomatization is non-R.E.
How to choose Z and P?

18 Choosing axiom instantiations
Hard to find Z and P to instantiate IND directly.
Introduce new axiom schemes provable from IND in FOL.
Add enough axioms to Σ to prove the target formula.
Used in practice to prove interesting examples.

19 Ideas towards a solution
Reasoning about edges toward reasoning about paths.
Reasoning about one type of paths toward reasoning about another type.

20 Coloring axioms
Start with transitivity: ∀w1,w2,w3. n_tc(w1,w2) ∧ n_tc(w2,w3) → n_tc(w1,w3)
Add instances of the coloring axiom schemes NoExit and NewStart.

21 NoExit
[Figure: a set A of nodes with no n-edge leaving it.]
NoExit[A,n] = (∀w1,w2. A(w1) ∧ n(w1,w2) → A(w2)) → (∀w1,w2. A(w1) ∧ n_tc(w1,w2) → A(w2))

22 [Figure: a TC-model (n* = n_tc) with n-chains from x and y, beside an infinite model of the natural axioms in which n* ≠ n_tc.]

23 Example revisited
Two lists pointed to by x and y respectively.
NoExit[¬r_{x,n}, n]
Axiom premise: ∀v1,v2. ¬r_{x,n}(v1) ∧ n(v1,v2) → ¬r_{x,n}(v2)
[Figure: nodes u, u’, v, w with n and n_tc edges from x, illustrating why the premise holds.]

24 Example revisited
Two lists pointed to by x and y respectively.
NoExit[¬r_{x,n}, n]
Axiom premise: ∀v1,v2. ¬r_{x,n}(v1) ∧ n(v1,v2) → ¬r_{x,n}(v2)
Axiom conclusion: ∀v1,v2. ¬r_{x,n}(v1) ∧ n_tc(v1,v2) → ¬r_{x,n}(v2)
⇒ disjointness: ∀v. ¬(r_{x,n}(v) ∧ r_{y,n}(v))
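As an added example (not code from the slides or the authors' prototype), a small finite-model checker in Python shows the two points of slides 11–14 and 21–24 together: a structure that satisfies both natural axioms yet interprets n_tc as something other than n*, and a NoExit instance that rejects exactly that structure. The structure is constructed here: two disjoint two-element n-cycles, with n_tc padded by spurious pairs from the first cycle into the second.

```python
"""Finite-model checks for the natural TC axioms and a NoExit instance.

Constructed structure (not from the slides): two disjoint n-cycles
u1<->u2 and u3<->u4, with n_tc = n* plus spurious pairs from {u1,u2}
into {u3,u4}.  The natural axioms accept it, so it is a model of them
but not a TC-model; NoExit[A,n] with A = {u1,u2} rejects it.
"""
from itertools import product

def reflexive_transitive_closure(universe, n):
    """Least fixed point n*: pairs (v, w) joined by an n-path of length >= 0."""
    star = {(v, v) for v in universe}
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(star), n):
            if b == c and (a, d) not in star:
                star.add((a, d))
                changed = True
    return star

def natural_axioms_hold(universe, n, ntc):
    """Both 'natural' axioms (slide 11), evaluated on a finite structure."""
    for v1, v2 in product(universe, repeat=2):
        fwd = v1 == v2 or any((v1, w) in n and (w, v2) in ntc for w in universe)
        bwd = v1 == v2 or any((v1, w) in ntc and (w, v2) in n for w in universe)
        if ((v1, v2) in ntc) != fwd or ((v1, v2) in ntc) != bwd:
            return False
    return True

def no_exit_holds(universe, n, ntc, A):
    """NoExit[A,n]: if no n-edge leaves A, then no n_tc-path leaves A."""
    premise = all(w2 in A for w1, w2 in n if w1 in A)
    conclusion = all(w2 in A for w1, w2 in ntc if w1 in A)
    return (not premise) or conclusion

def is_tc_model(universe, n, ntc):
    """TC-model (slide 12): n_tc must equal the closure of n."""
    return ntc == reflexive_transitive_closure(universe, n)

UNIVERSE = {"u1", "u2", "u3", "u4"}
N = {("u1", "u2"), ("u2", "u1"), ("u3", "u4"), ("u4", "u3")}
N_STAR = reflexive_transitive_closure(UNIVERSE, N)
SPURIOUS = {(a, b) for a in ("u1", "u2") for b in ("u3", "u4")}
N_TC = N_STAR | SPURIOUS          # satisfies the natural axioms, but != n*

if __name__ == "__main__":
    print(natural_axioms_hold(UNIVERSE, N, N_TC))          # True
    print(is_tc_model(UNIVERSE, N, N_TC))                   # False
    print(no_exit_holds(UNIVERSE, N, N_TC, {"u1", "u2"}))   # False
```

The same NoExit instance holds on the genuine TC-model N_STAR, so adding it to Σ separates the intended model from the spurious one without needing a minimality condition that FOL cannot express.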

25 NewStart
[Figure: a set A of nodes with two edge relations f and g.]

26 NewStart
[Figure: a set A with edge relations f and g and a g_tc-path that is not an f_tc-path.]
∀w1,w2. A(w1) ∧ A(w2) → (g(w1,w2) ↔ f(w1,w2))

27 NewStart
[Figure: a set A with edge relations f and g and a g_tc-path that is not an f_tc-path.]
NewStart[A,g,f] = (∀w1,w2. A(w1) ∧ A(w2) → (g(w1,w2) ↔ f(w1,w2))) → ∀w1,w2. g_tc(w1,w2) → f_tc(w1,w2) ∨ ∃w. ¬A(w) ∧ g_tc(w1,w) ∧ g_tc(w,w2)

28 NewStart
Important when updating fields:
Prove no fields changed within A.
Prove no incoming or no outgoing paths to A.
Conclude no paths changed within A.

29 Instantiating coloring axiom schemes
Coloring axioms are effective only if they can be automatically instantiated.
Verification of imperative programs: use boolean combinations of program variables and unary reachability.
Exponential number of axioms.

30 Incremental algorithm
Axioms are built as Premise → Conclusion, both closed formulas.
Try to prove the Premise and only then introduce the Conclusion.
Try boolean combinations in BFS order.

31 Prototype implementation
Used to automatically prove partial correctness (given loop invariants) of several interesting programs:
Destructive reversal of a singly linked list
Destructive append
Simple mark & sweep garbage collector
Uses SPASS as the underlying theorem prover.

32 Completeness
TC-complete with respect to a theory.
Finiteness is expressible with TC.
A TC-complete axiomatization implies FINITE-VALIDITY is decidable.
No R.E. TC-complete axioms with respect to a logic with 2 binary relation symbols encoding partial functions.

33 Related work
Nelson’s axiomatization [Nelson ‘83]: incomplete and follows from IND; mark & sweep
Updating transitive closure using FO [Dong, Su ‘95], [Hesse ‘03]
Induction [Bundy ’01]
Inductionless induction [Lankford ‘81], [Comon ‘01]
Decidable logics with TC (e.g. MSO)

34 Future work
New axioms
Finiteness: END[n]: ∀v. ∃w. n_tc(v,w) ∧ ((∀u. ¬n(w,u)) ∨ (∀u. n(w,u) → n_tc(u,w)))
Fragments of FOL where axiomatization is possible
Integration with TVLA

35 Thank you