Presentation is loading. Please wait.

Presentation is loading. Please wait.

Verifying Properties of Well-Founded Linked Lists Verifying Properties of Well-Founded Linked Lists Shuvendu K. Lahiri Shaz Qadeer Software Reliability.

Published byAusten Arnold Modified over 8 years ago

Similar presentations

Presentation on theme: "Verifying Properties of Well-Founded Linked Lists Verifying Properties of Well-Founded Linked Lists Shuvendu K. Lahiri Shaz Qadeer Software Reliability."— Presentation transcript:

1 Verifying Properties of Well-Founded Linked Lists Verifying Properties of Well-Founded Linked Lists Shuvendu K. Lahiri Shaz Qadeer Software Reliability Research Microsoft Research Microsoft Research

2 – 2 – Motivation for analyzing linked lists Verify control, memory, and API safety of low- level systems code Integers Arrays Singly linked lists Doubly linked lists (acyclic and cyclic)

3 – 3 – Motivation for analyzing linked lists Verify control, memory, and API safety of low- level systems code Integers Arrays Singly linked lists Doubly linked lists (acyclic and cyclic) Establish properties about linking structure and content Absence of null dereference, memory leaks All elements of a list have data value 0 List1 and List2 are disjoint

4 – 4 – Example: Acyclic linked list iteration //@ requires hd != null //@ ensures  v  R(hd): v.data = 0 void acyclic_simple(Cell hd) { Cell iter = hd; while (iter != null) { iter.data = 0; iter = iter.next; }}

5 – 5 – Problem Existing program analyses either lack scalability or precision for such programs/properties

6 – 6 – Reasoning in first-order logic Can support many theories important for program verification Uninterpreted functions, linear arithmetic, arrays, quantifiers Reason about programs with a mix of scalar variables, arithmetic, arrays Powerful analysis engines Pioneering work by Nelson-Oppen[’79] Recent advances in SAT-based theorem provers

7 – 7 – Program verification and first-order logic Automated software verification tools SLAM, BLAST, MAGIC,… ESC/JAVA, Boogie,.. Perform symbolic reasoning for first-order logic Theorem provers to discharge verification conditions Operations for abstract interpretation (predicate abstraction, join,..) Automatic abstraction-refinement

8 – 8 – Linked lists and reach Class Cell { int data; Cell next; }; R (u) = Set of cells reachable from u using next field = {u, u.next, u.next.next,…} = {u, u.next, u.next.next,…} x R(x)R(x)R(x)R(x)

9 – 9 – Example Acyclic linked list iteration //@ requires hd != null //@ ensures  v  R(hd): v.data = 0 void acyclic_simple(Cell hd) { Cell iter = hd; while (iter != null) { iter.data = 0; iter = iter.next; }}hditer Visited = R(hd)\ R(iter) Loop invariant  u  Visited: u.data = 0

10 – 10 – Reachability predicate Need to reason about reachability predicate e.g.  u  R(x): u.data = 0 Need axioms to relate the field next and R However, reachability can’t be modeled in first- order logic Finite first-order axiomatization of reachability impossible

11 – 11 – Motivation for this work Simple axioms may suffice for many examples Provide a first-order axiomatization of Reach Necessarily incomplete First investigated by Nelson [POPL’83] Enable list manipulating programs (also containing integers, arrays etc.) to be analyzed uniformly Can leverage first-order reasoning Predicate abstraction,… Abstraction refinement

12 – 12 – Example Acyclic linked list iteration //@ requires hd != null //@ ensures  v  R(hd): v.data = 0 void acyclic_simple(Cell hd) { Cell iter = hd; while (iter != null) { iter.data = 0; iter = iter.next; }}hditer Visited = R(hd)\ R(iter) Loop invariant  u  Visited: u.data = 0 Axiom for reach:  u,  v : v  R(u)  (v = u  ( u.next  null  v  R(u.next)) )

13 – 13 – Example Acyclic linked list iteration //@ requires hd != null //@ ensures  v  R(hd): v.data = 0 void acyclic_simple(Cell hd) { Cell iter = hd; while (iter != null) { iter.data = 0; iter = iter.next; }} Loop invariant  u  Visited: u.data = 0 Axiom for reach:  u,  v : v  R(u)  (v = u  ( u.next  null  v  R(u.next)) ) Axiom sufficient to prove the example hditer Visited = R(hd)\ R(iter)

14 – 14 – Rest of the talk How to Handle cyclic lists Handle destructive updates Generate first-order axioms for Reach Well-founded linked lists How it makes the above tasks amenableResults Deciding ground fragment with Reach predicate

15 – 15 – Part1: Cyclic List Traversal Cyclic linked list iteration //@ requires hd points to a cyclic list //@ ensures  v  R(hd): v.data = 0 void cyclic_simple(Cell hd) { hd.data = 0; iter = hd.next; while (iter != hd) { iter.data = 0; iter = iter.next; }} iter Visited = ? hd No way to express Visited using R alone R for every cell in the cycle contains all the cells in the cycle R for every cell in the cycle contains all the cells in the cycle

16 – 16 – Cyclic List Traversal Cyclic linked list iteration //@ requires hd points to a cyclic list //@ ensures  v  R(hd): v.data = 0 void cyclic_simple(Cell hd) { hd.data = 0; iter = hd.next; while (iter != hd) { iter.data = 0; iter = iter.next; }} iter Visited = ? hd Proving even null-dereference is non-trivial

17 – 17 – Observation Usually, every cycle of “next” has at least one distinguished cell Usually, the “head” of the list This cell breaks the symmetry in the list For each linking field “f”, a subset of fields in the heap are heads Denoted by H f Cells denoted by Always includes null

18 – 18 – New Predicates R f and B f H f = Set of head cells for field f R f (u) Set of cells u, u.f, u.f.f,…, until the first cell in H B f (u) The first cell from the sequence u.f, u.f.f, …, that belongs to H The “block” for uxy R f (x) R f (z) zxy B f (x) = null B f (x) = y B f (y) = x B f (z) = x

19 – 19 – Well-founded heap Given H f, a set of “head” cells for a field f Well-founded field f For any cell u, the sequence u.f, u.f.f, …, intersects with a cell in H f Well-founded heap Every linking field f is well-founded wrt to H f i.e., every f cycle has at least one H f cell

20 – 20 – Programming methodology Programmer must supply H f Programmer must supply H f Every mutation of the linking field f is required to preserve well-foundedness Every mutation of the linking field f is required to preserve well-foundedness Restricted to programs maninpulating well founded heaps only Restricted to programs maninpulating well founded heaps only Almost all list programs obey this restriction

21 – 21 – Cyclic List Traversal Cyclic linked list iteration //@ requires hd points to a cyclic list //@ ensures  v  R(hd): v.data = 0 void cyclic_simple(Cell hd) { hd.data = 0; iter = hd.next; while (iter != hd) { iter.data = 0; iter = iter.next; }} iter hd Visited = ?

22 – 22 – Cyclic List Traversal Cyclic linked list iteration //@ requires hd  H  B(hd) = hd //@ ensures  v  R(hd): v.data = 0 void cyclic_simple(Cell hd) { hd.data = 0; iter = hd.next; while (iter != hd) { iter.data = 0; iter = iter.next; }} iter R(iter) hd Visited = (iter = hd) ? R(iter) ? R(iter) : R(hd) \ R(iter) : R(hd) \ R(iter) Loop invariant:  u  Visited: u.data = 0  u  Visited: u.data = 0 B(iter) = hd B(iter) = hd

23 – 23 – Axioms Required Axiom for R v  R (u)  (v = u  (u.next  H  v  R (u.next)) v  R (u)  (v = u  (u.next  null  v  R (u.next)) Axiom for B B (u) = u.next  H ? u.next : B (u.next) Able to prove the example (similar to acyclic case) with these axioms

24 – 24 – Part 2: Destructive updates x.f := yIssues R, B need to be updated Since f is updated Destructive updates may make the heap ill- founded Flag such programs as bad

25 – 25 – Updates to R, B (some cases) x.f := y y u x y u x R (u) = R (u) \ R (x) R (y) R (u) = R (u) \ R (x)  {x}  R (y) B (u) = B (y) R (u) = R (u) \ R (x) R (u) = R (u) \ R (x)  {x} B (u) = y

26 – 26 – Ensuring well-foundedness x.f := y y x Orphan cycle: Cycle with no H cells Add assert ( x R (y) y H ) before each x.f := y Add assert ( x  R (y)  y  H ) before each x.f := y

27 – 27 – Updating cells in H f H f is a program variable now H f.Add(x) Adds the cell pointed to by x to H f Useful when creating a cycle for the first time H f.Remove(x) Removes the cell pointed to by x to H f Remove one head when two cycles with a head each are fused Updates to R f, B f still remain quantifier-free

28 – 28 – Summary: Instrumentation Quantifier-free updates to auxiliary variables R, B Similar to acyclic case [Dong & Su ‘95] Very difficult to update R for cyclic lists in general Instrumentation captures “well-foundedness” precisely The instrumented program goes wrong (violates an assertion) iff the source program  goes wrong (violates some assertions), or  heap of the source program becomes not well- founded

29 – 29 – Part 3: Axioms Required Base axiom for R v  R (u)  (v = u  (u.next  H  v  R (u.next)) Base axiom for B B (u) = u.next  H ? u.next : B (u.next) Fundamental axioms The axioms capture the intended meaning of R and B in any finite and well-founded state of the program

30 – 30 – Generating new axioms Not possible to express finiteness and well- foundedness in first-order logic Derive new axioms from the base axioms Using induction For well-founded heaps We provide an induction principle to generate derived axioms from base axioms

31 – 31 – Induction principle Proposed axiom:  u. P(u) To prove P(u) for any cell u in a finite well- founded heap Base Case u.f  H  P(u) Establish for all u at a distance 1 from H cells Induction Step  u.f  H  (P(u.f)  P(u))  u.f has a shorter distance to H than u (well- founded induction)

32 – 32 – Some derived axioms Transitivity R (u,v)  R (v,w)  R (u,w)Antisymmetry R (u,v)  R (v,u)  u = vBlock R (u,v)  v  H  u = v Bounded distinctness All cells in the set {u, u.f,…,} until the first H cell are distinct from each other Instantiate this for bounded sizes (e.g. 1) u.f  H  u  u.f

33 – 33 – Derived Axioms Set of axioms are fairly fundamental properties and fairly intuitive Can be easily proved from the base axioms using the induction principle Suffice for a large set of examples Otherwise derive new axioms using the base axioms and induction

34 – 34 – Benefits of well-founded lists  Set of required axioms almost similar to acyclic case  Allows us to update R f, B f relations using simple quantifier-free formulas  Provides an induction principle to establish derived axioms easily

35 – 35 – Experimental setup Instrumentation Add R, B + Updates + Assertions VC Generator (UCLID) Theorem Prover (UCLID) Axioms for R, B Annotated Source Program Proved/Failure

36 – 36 – UCLID Verification system for systems modeled in first-order logic Bryant, Lahiri, Seshia, CAV’02  Checking verification conditions Uses quantifier instantiation Uses various decision procedures for uninterpreted functions, arrays, arithmetic  Inferring loop invariants with indexed predicate abstraction

37 – 37 – Examples Simple_cyclic List traversalReverse In place reversal of an acyclic listSorted_insert Inserts a cell in a sorted list Requires arithmetic reasoningSet_union Merges two equivalence classes implemented as cyclic listsDlist_remove Removes a cell from a cyclic doubly linked list

38 – 38 – Experiments Proving Verification Conditions (VCs) Most examples take < 1 s Loop Invariant synthesis using indexed predicate abstraction

39 – 39 – Synthesizing invariants by indexed predicate abstraction Flanagan & Qadeer POPL’02 Lahiri & Bryant VMCAI ‘04Principle Provide a set of predicates P over state variables + “index variables” X Intuitively X contains heap cells, or indices into arrays e.g. P = {R next (u,v), B next (u) = v, a[i] < a[j] + 1, …} X = {u,v,i,j,…}Theorem Indexed predicate abstraction constructs the strongest loop invariant of the form  X:  (P)  is a Boolean combination of predicates in P

40 – 40 – Synthesizing invariants in UCLID //@requires null  H next //@requires B next (l) = null //@ensures B next (res) = null //@ensures R next (res) = R 0 next (l) Cell reverse (Cell l){ Cell curr = l; Cell res = null; while (curr != null){ Cell tmp = curr.next; curr.next = res; res = curr; curr = tmp; } return res; }Predicates X = {u} X = {u} P = { P = { u = null, u = curr, u = res, u = l 0, u = null, u = curr, u = res, u = l 0, curr = null, l = l 0, curr = null, l = l 0, R next (curr,u), R next (curr,u), R next (res,u), R next (res,u), R next (l,u), R next (l,u), H next (u), H next (u), R 0 next (l 0,u), R 0 next (l 0,u), B next (u) = null B next (u) = null } Tool constructs loop invariant in 0.57 sec

41 – 41 – Results with Predicate Abstraction Predicates provided manually Predicates provided manually Example #-Predicates (#-index) UCLID time (s) simple_cyclic 15 (1) 0.12 reverse 12 (1) 0.57 set_union 24 (1) 0.66 sorted_insert 21 (2) 17.32 dlist_remove-1.23 Used Barcelogic tool for theorem proving Used Barcelogic tool for theorem proving Note: Results significantly improved from paper Note: Results significantly improved from paper

42 – 42 – Decision procedure for ground fragment Deciding ground formulas over R f (u,v), ~R f (u,v), u = f(v), u ≠ v, u  H f, u  H f, u = B f (v) Reduce dependency on derived axioms A complete framework when VCs are quantifier- free Solving quantifier-free queries after instantiating quantifiersResult Checking satisfiability of a conjunction NP- complete

43 – 43 – Related work First-order axiomatization of reachability Nelson ’83, Lev-Ami et al. ’05 First-order reasoning without reachability Necula & McPeak ’05 Shape analysis with 3-valued logic Sagiv et al. ’99, … TVLA Predicate abstraction for lists Dams et al. ’03, Balaban et al. ’05, Manevich et al. ’05, Bingham ’06 Separation logic O’Hearn et al. ’01, Reynolds ’02,

44 – 44 – Conclusions Two new predicates R, B for well-founded heaps Instrumentation of source program with auxiliary variables for the predicates First-order axiomatization New induction principle Simpler derived axiomsImplementation Leverage first-order theorem provers Indexed predicate abstraction provides a uniform scheme for synthesizing invariants

Download ppt "Verifying Properties of Well-Founded Linked Lists Verifying Properties of Well-Founded Linked Lists Shuvendu K. Lahiri Shaz Qadeer Software Reliability."

Similar presentations

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat.

Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
50.530: Software Engineering

50.530: Software Engineering
Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.

Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.
Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.

Gennaro Parlato (LIAFA, Paris, France) Joint work with P. Madhusudan Xiaokang Qie University of Illinois at Urbana-Champaign.
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀

SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.

Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

Similar presentations

Ads by Google