Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 A Logic of Reachable Patterns in Linked Data-Structures Greta Yorsh joint work with Alexander Rabinovich, Mooly Sagiv Tel Aviv University Antoine Meyer,

Published byRosalyn Arnold Modified over 9 years ago

Similar presentations

Presentation on theme: "1 A Logic of Reachable Patterns in Linked Data-Structures Greta Yorsh joint work with Alexander Rabinovich, Mooly Sagiv Tel Aviv University Antoine Meyer,"— Presentation transcript:

1 1 A Logic of Reachable Patterns in Linked Data-Structures Greta Yorsh joint work with Alexander Rabinovich, Mooly Sagiv Tel Aviv University Antoine Meyer, Ahmed Bouajjani LIAFA, Univ. of Paris 7

2 2 Heap-Manipulating Programs Imperative programming languages Arbitrary size and structure of the heap Destructive updates of fields Invariants involve reachability in linked data-structures Temporary violations of data-structure invariants

3 3 Modeling Heaps Model heaps using directed labelled graphs –heap objects as nodes –pointer variables as unique labels on nodes –x = v means “v is pointed-to by x” –pointer fields as labels on edges – means “w is pointed-to by the n field of v” v w n

4 4 Specification Language Natural for reasoning about linked data- structures –reachability Useful –data-structure invariants –loop invariants / characterization of abstraction –pre- and post-conditions –low-level mutations –verification conditions Decidable for validity/satisfiability

5 5 MSO FO+TC FO Decidability with Reachability Limit the properties –Guarded fixpoint logic [Gradel et al, LICS’99 ] –EADTC [Immerman et al., CSL’04] –L R [Benedikt et. al., ESOP’99] Limit the graphs –MSO on trees [Rabin’69]

6 6 Using MSO on Trees –Supports reachability –Decidable on trees [Rabin’69] But –Non-elementary complexity –How to specify postconditions for procedures that mutate fields ? –e.g., in-place reversal of a singly-linked list –What about programs that temporarily manipulate non-trees ? –What about programs which manipulate non- trees ?

7 7 The Idea Balance between complex properties and complex graphs Allow regular properties of arbitrary graphs –disjointness –cyclicity –reversal –sharing

8 88 Logic of Reachable Patterns (LRP) A logic for reasoning about heap-manipulating programs and recursive data-structures Allows regular properties of arbitrary heaps –disjointness, cyclicity, reversal, sharing –arbitrary number of binary relations Closed under negation Finite model property Bounded model property Decidable –non-trivial proof of tree-like model property Useful for verificationUseful for verification

9 99 Syntax of LRP c[R]pArbitrary boolean combinations of reachability constraints: c[R]p  v 0,v 1,..., v n.R(c,v 0 )  p(v 0,v 1,...v n ) Routing expression R –R ::= | | c |  c | R 1.R 2 | (R 1 |R 2 ) | R* |  |  Pattern p –with designated free variable v 0 (central node) –of the form N(v 0,v 1,...v n )   (v 0,v 1,...v n ) –N is neighborhood formula –  is quantifier free formula ff with additional restrictions

10 10 Interesting Heap Properties c  R  p   ( c [R]  p ) –shorthand x  *  y –y is reachable from x x  +  x –x is cyclic x [ *. * ]  y –disjoint : objects reachable from x by following f-path are disjoint from objects reachable from y by following a f-path f f ff

11 11 List pointed-to by x is not shared x[ * ]uns f where uns f (v 0 )  (v 1 v 0 )  (v 2 v 0 )  (v 1 = v 2 ) Unshared Lists v2v2 v1v1 v0v0 f f f ff

12 12 Tree rooted at x x [ ( | )* ] (uns left,right  uns left  uns right )   x  ( | ) +  x where –uns f (v 0 )  (v 1 v 0 )  (v 2 v 0 )  (v 1 = v 2 ) –uns f,g (v 0 )   ((v 1 v 0 )  (v 2 v 0 )) Tree f ff leftright leftright g

13 13 Doubly-linked list pointed-to by x x[ * ]dll f,b where dll f,b (v 0 )  (v 0 v 1 )  (v 1 v 0 ) Doubly-linked Lists f f b v0v0 v1v1 f b

14 14 List with head pointers head[ * ]p where p (v 0 )  (v 1 v 0 )  (v 1 head) head ffffff g g g g g f g f

15 15  c  Var,f  Fields c[ * ] det f  null   null –all fields are deterministic det f (v 0 )  (v 0 v 1 )  (v 0 v 2 )  (v 1 = v 2 ) –node for NULL Well-Formed Heaps null fg v2v2 v1v1 v0v0 f f  f ff

16 16 Node reverse(Node x) { Node y = null; while (x != null) { Node t = x.n; x.n = y; y = x; x = t; } return y; } Reversal of Singly-linked List x y’

17 17 x y’ precondition x  *  null postcondition y’  *  null  x [ * ] inv n,n’ where inv n,n’  (v 0 v 1 )  (v 1 v 0 ) Reversal of Singly-linked List nn’ n n

18 18 –the list reachable from x’ is the same as it was on entry to the method x’ [ * ] same n,n’ where same n,n’ (v 0 )  (v 0 v 1 )  (v 0 v 1 ) –the list reachable from y’ is reversed y’  *  null  x [ (.  y’ )* ] inv n,n’ –the original edge n outgoing of y’ is to x’ y’   x’ Loop Invariant for Reverse x’ x y’ n n n nn’

19 19 postcondition  a  *  last  last   null  last   b  a[(.  last) *] same n,n'  b[ *] same n,n' Specification of Append precondition a  *  null   ( a  *. *  b ) n nn n n n n same n,n’  (v 0 v 1 )  (v 0 v 1 ) nn' class List { List n = null;... List append(List a, List b) { @requires acyclic(a) & disjoint(a, b) @ensures post append (a,b) if (a == null) return b; List d = a; while (d.n != null) d = d.n; d.n = b; return a; } Only the n-field of the last location reachable from a on entry is modified and it points to b If b acyclic before append, then the result of append is acyclic n'

20 20 Verification using LRP Verification condition generation in LRP –if pre and post conditions and loop invariants are in LRP then it is possible to generate verification condition formula in LRP Modular analysis –pre and post conditions in LRP –no need for loop invariants –use abstract domain with  in LRP Abstract domain of LRP formulas 20 ^

21 21Example [0]{ x   n  z } [1] y := x->n [2] x->n := NULL { y   *  z } x[0]   n[0] *  z[0]  x[0]   n[0]  y[1]  same x[0],n[0],n[1]  x[0]=x[1]  x[1]   n[2]  null  same y[1],n[1],n[2]  y[1]=y[2]  x[1]=x[2]  y[2]  (  n[2] )*  z[2]  x[0] != null  x[1] != null xzy null

22 22 Decidability of LRP Validity and satisfiability are decidable –closed under negation –it is sufficient to show that the satisfiability of LRP is decidable Proof –reduction to MSO on trees –based on non-trivial proof of model property

23 23Observation –(almost) all extra edges have one of their endpoints labeled with a constant –encode extra edges using unary relations head ffffff g g g g g f

24 24 Model Property of LRP If  has a model then  has a model in Bk –Bk is a set of graphs for which removing all edges to and from constants results in a graph in Ak –Ak is a set of graphs for which Gaifman graph is a tree with at most k additional edges –k is linear in the size of 

25 25 x nn nn null bbb b x fff f x r rl l r r r r A0A0 A1A1 A2A2 A4A4 x fffff ggggg f Gaifman graph of S graph S

26 26 x n n nn null b x f bb b ff f A0A0 A1A1 A2A2 B0B0 B0B0 B0B0 A4A4 B0B0 Gaifman graph of S graph S x rl rl r r r r x ffff f ggggg f

27 27 If  has a model then  has a model in Bk –  is of the form      –S   –S 0    and S 0  Bk but S 0    –S 1    and S 1  Bk... –S m    and S m  Bk –Sm  –Sm   27 S1S1 t1t1 S2S2 t2t2 S S0S0 h0h0 h1h1 h2h2 S m-1 SmSm tmtm... h m-1 hmhm Model Property of LRP t  s  x  z  x  *  y  x[( .  y)*]inv f,b  x[  ]det f

28 28 If  has a model then  has a model in Bk –  is of the form      –from S   construct S m s.t. S m   and S m  Bk –every step t i is defined by a pattern 28 S1S1 t1t1 S2S2 t2t2 S S0S0 h0h0 h1h1 h2h2 S m-1 SmSm tmtm... h m-1 hmhm Model Property of LRP t  s  x  z  x  *  y  x[( .  y)*]inv f,b  x[  ]det f

29 29Example t  s  x  z  x  *  y  x[( .  y)*]inv f,b  x[  ]det f

30 30Example x yz t s t  s  x  z  x  *  y  x[( .  y)*]inv f,b  x[  ]det f

31 31 x y x zExample t s t  s  x  z  x  *  y  x[( .  y)*]inv f,b  x[  ]det f

32 32 x y zExample t  s  x  z  x  *  y  x[( .  y)*]inv f,b  x[  ]det f t s

33 33 x yzExample t  s  x  z  x  *  y  x[( .  y)*]inv f,b  x[  ]det f t s

34 34 If  has a model then  has a model in Bk –  is of the form      –from S   construct S m s.t. S m   and S m  Bk –every step t i is defined by a pattern –preserves h i –preserves Bk 34 S1S1 t1t1 S2S2 t2t2 S S0S0 h0h0 h1h1 h2h2 S m-1 SmSm tmtm... h m-1 hmhm Model Property of LRP t  s  x  z  x  *  y  x[( .  y)*]inv f,b  x[  ]det f

35 35 Restrictions on Patterns Syntactically restrict pattern p in c[R]p Restrict positive equality formulas –p(v 0 )  N(v 0, v 1,..., v n )  (v 1 = v 2 ) –N is a conjunction of edge formulas –distance between v 1 and v 2 in N is at most 2 Restrict positive edge formulas –p(v 0 )  N(v 0, v 1,... v n )  (v 1 v 2 ) –N is a conjunction of edge formulas –distance between v 1 and v 2 in N is at most 1 f

36 36 Reduction: LRP to MSO on trees For every  in LRP we can construct a formula tr(  ) such that  is satisfiable (over graphs ) if and only if tr(  ) is satisfiable over trees 36 Bk

37 37 Other Decidable Fragments Allow reachability constraints  [R]p where  positive quantifier-free formulas Allow positive universal quantifications over constants and fields –not closed under negation –useful for modular specification

38 38 Undecidability Result Without restrictions on patterns, the logic becomed undecidable Idea: enforce existence of edges c 1 [ * ] p where p(v)  (v u)  (v v 1 )  (u u 1 )  (v 1 u 1 ) v1v1 u1u1 u v b b n n n bnnb

39 39 More Related Work Modal Logics –have tree model property (no equality) Hybrid Logics –equality only between named nodes –cannot express deterministic edge Description Logics –DL with nominals, deterministic roles and inverse roles is undecidable

40 40Summary LRP is useful –data-structure invariants (reachability) –loop invariants –verification conditions Satisfiability and validity of LRP formulas are decidable –model property –worst case complexity is doubly-exponential

41 41 Principles Arbitrary structure of the heap Regular properties –restrict quantification: no alternations –allow arbitrary boolean combinations of reachability constraints –use regular expressions to define reachability –syntactically limit the patterns Proof approach –model property –structure simulation

Download ppt "1 A Logic of Reachable Patterns in Linked Data-Structures Greta Yorsh joint work with Alexander Rabinovich, Mooly Sagiv Tel Aviv University Antoine Meyer,"

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.

Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.

Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.
Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.

Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Abstraction of programs manipulating pointers using modal logics Yoshinori TANABE (IST & AIST) (Joint work with Yoshifumi YUASA, Toshifusa SEKIZAWA and.

Abstraction of programs manipulating pointers using modal logics Yoshinori TANABE (IST & AIST) (Joint work with Yoshifumi YUASA, Toshifusa SEKIZAWA and.
 Dr. Vered Gafni 1 LTL Decidability Enables consistency check, but also base for verification.

 Dr. Vered Gafni 1 LTL Decidability Enables consistency check, but also base for verification.
August 27-29 2007Moscow meeting1August 27-29 2007Moscow meeting1August 27-29 2007Moscow meeting11 Deductive tools in insertion modeling verification A.Letichevsky.

August Moscow meeting1August Moscow meeting1August Moscow meeting11 Deductive tools in insertion modeling verification A.Letichevsky.
Weizmann Institute Deciding equality formulas by small domain instantiations O. Shtrichman The Weizmann Institute Joint work with A.Pnueli, Y.Rodeh, M.Siegel.

Weizmann Institute Deciding equality formulas by small domain instantiations O. Shtrichman The Weizmann Institute Joint work with A.Pnueli, Y.Rodeh, M.Siegel.
ECE 667 Synthesis & Verification - Boolean Functions 1 ECE 667 Spring 2013 ECE 667 Spring 2013 Synthesis and Verification of Digital Circuits Boolean Functions.

ECE 667 Synthesis & Verification - Boolean Functions 1 ECE 667 Spring 2013 ECE 667 Spring 2013 Synthesis and Verification of Digital Circuits Boolean Functions.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Combining Theories Sharing Set Operations Thomas Wies joint work with Ruzica Piskac and Viktor Kuncak TexPoint fonts used in EMF. Read the TexPoint manual.

Combining Theories Sharing Set Operations Thomas Wies joint work with Ruzica Piskac and Viktor Kuncak TexPoint fonts used in EMF. Read the TexPoint manual.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.

Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
ECE 667 - Synthesis & Verification - Lecture 18 1 ECE 697B (667) Spring 2006 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Word-level.

ECE Synthesis & Verification - Lecture 18 1 ECE 697B (667) Spring 2006 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Word-level.

Similar presentations

Ads by Google