Results 1  10
of
38
Full functional verification of linked data structures
 In ACM Conf. Programming Language Design and Implementation (PLDI
, 2008
"... We present the first verification of full functional correctness for a range of linked data structure implementations, including mutable lists, trees, graphs, and hash tables. Specifically, we present the use of the Jahob verification system to verify formal specifications, written in classical high ..."
Abstract

Cited by 101 (19 self)
 Add to MetaCart
(Show Context)
We present the first verification of full functional correctness for a range of linked data structure implementations, including mutable lists, trees, graphs, and hash tables. Specifically, we present the use of the Jahob verification system to verify formal specifications, written in classical higherorder logic, that completely capture the desired behavior of the Java data structure implementations (with the exception of properties involving execution time and/or memory consumption). Given that the desired correctness properties include intractable constructs such as quantifiers, transitive closure, and lambda abstraction, it is a challenge to successfully prove the generated verification conditions. Our Jahob verification system uses integrated reasoning to split each verification condition into a conjunction of simpler subformulas, then apply a diverse collection of specialized decision procedures,
Data structure specifications via local equality axioms
 In CAV
, 2005
"... Abstract. We describe a program verification methodology for specifying global shape properties of data structures by means of axioms involving arbitrary predicates on scalar fields and pointer equalities in the neighborhood of a memory cell. We show that such local invariants are both natural and s ..."
Abstract

Cited by 81 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We describe a program verification methodology for specifying global shape properties of data structures by means of axioms involving arbitrary predicates on scalar fields and pointer equalities in the neighborhood of a memory cell. We show that such local invariants are both natural and sufficient for describing a large class of data structures. We describe a complete decision procedure for such a class of axioms. The decision procedure is not only simpler and faster than in other similar systems, but has the advantage that it can be extended easily with reasoning for any decidable theory of scalar fields.
Software Model Checking
"... Software model checking is the algorithmic analysis of programs to prove properties of their executions. It traces its roots to logic and theorem proving, both to provide the conceptual framework in which to formalize the fundamental questions and to provide algorithmic procedures for the analysis o ..."
Abstract

Cited by 52 (0 self)
 Add to MetaCart
Software model checking is the algorithmic analysis of programs to prove properties of their executions. It traces its roots to logic and theorem proving, both to provide the conceptual framework in which to formalize the fundamental questions and to provide algorithmic procedures for the analysis of logical questions. The undecidability theorem [Turing 1936] ruled out the possibility of a sound and complete algorithmic solution for any sufficiently powerful programming model, and even under restrictions (such as finite state spaces), the correctness problem remained computationally intractable. However, just because a problem is hard does not mean it never appears in practice. Also, just because the general problem is undecidable does not imply that specific instances of the problem will also be hard. As the complexity of software systems grew, so did the need for some reasoning mechanism about correct behavior. (While we focus here on analyzing the behavior of a program relative to given correctness specifications, the development of specification mechanisms happened in parallel, and merits a different survey.) Initially, the focus of program verification research was on manual reasoning, and
Boolean heaps
 In SAS
, 2005
"... Abstract. We show that the idea of predicates on heap objects can be cast in the framework of predicate abstraction. This leads to an alternative view on the underlying concepts of threevalued shape analysis by Sagiv, Reps and Wilhelm. Our construction of the abstract post operator is analogous to ..."
Abstract

Cited by 49 (12 self)
 Add to MetaCart
(Show Context)
Abstract. We show that the idea of predicates on heap objects can be cast in the framework of predicate abstraction. This leads to an alternative view on the underlying concepts of threevalued shape analysis by Sagiv, Reps and Wilhelm. Our construction of the abstract post operator is analogous to the corresponding construction for classical predicate abstraction, except that predicates over objects on the heap take the place of state predicates, and boolean heaps (sets of bitvectors) take the place of boolean states (bitvectors). A program is abstracted to a program over boolean heaps. For each command of the program, the corresponding abstract command is effectively constructed by deductive reasoning, namely by the application of the weakest precondition operator and an entailment test. We thus obtain a symbolic framework for shape analysis. 1
Verifying properties of wellfounded linked lists
, 2005
"... We describe a novel method for verifying programs that manipulate linked lists, based on two new predicates that characterize reachability of heap cells. These predicates allow reasoning about both acyclic and cyclic lists uniformly with equal ease. The crucial insight behind our approach is that a ..."
Abstract

Cited by 45 (4 self)
 Add to MetaCart
We describe a novel method for verifying programs that manipulate linked lists, based on two new predicates that characterize reachability of heap cells. These predicates allow reasoning about both acyclic and cyclic lists uniformly with equal ease. The crucial insight behind our approach is that a circular list invariably contains a distinguished head cell that provides a handle on the list. This observation suggests a programming methodology that requires the heap of the program at each step to be wellfounded, i.e., for any field f in the program, every sequence u.f,u.f.f,... contains at least one head cell. We believe that our methodology captures the most common idiom of programming with linked data structures. We enforce our methodology by automatically instrumenting the program with updates to two auxiliary variables representing these predicates and adding assertions in terms of these auxiliary variables. To prove program properties and the instrumented assertions, we provide a firstorder axiomatization of our two predicates. We also introduce a novel induction principle made possible by the wellfoundedness of the heap. We use our induction principle to derive from two basic axioms a small set of additional firstorder axioms that are useful for proving the correctness of several programs. We have implemented our method in a tool and used it to verify the correctness of a variety of nontrivial programs manipulating both acyclic and cyclic singlylinked lists and doublylinked lists. We also demonstrate the use of indexed predicate abstraction to automatically synthesize loop invariants for these examples.
Simulating reachability using firstorder logic with applications to verification of linked data structures
 In CADE20
, 2005
"... This paper shows how to harness existing theorem provers for firstorder logic to automatically verify safety properties of imperative programs that perform dynamic storage allocation and destructive updating of pointervalued structure fields. One of the main obstacles is specifying and proving the ..."
Abstract

Cited by 39 (7 self)
 Add to MetaCart
This paper shows how to harness existing theorem provers for firstorder logic to automatically verify safety properties of imperative programs that perform dynamic storage allocation and destructive updating of pointervalued structure fields. One of the main obstacles is specifying and proving the (absence) of reachability properties among dynamically allocated cells. The main technical contributions are methods for simulating reachability in a conservative way using firstorder formulas—the formulas describe a superset of the set of program states that can actually arise. These methods are employed for semiautomatic program verification (i.e., using programmersupplied loop invariants) on programs such as markandsweep garbage collection and destructive reversal of a singly linked list. (The markandsweep example has been previously reported as being beyond the capabilities of ESC/Java.) 1
Field constraint analysis
 In Proc. Int. Conf. Verification, Model Checking, and Abstract Interpratation
, 2006
"... ..."
(Show Context)
Abstraction Refinement via Inductive Learning
 IN PROC. OF CAV’05, VOLUME 3576 OF LNCS
, 2005
"... This paper concerns how to automatically create abstractions for program analysis. We show that ..."
Abstract

Cited by 36 (8 self)
 Add to MetaCart
This paper concerns how to automatically create abstractions for program analysis. We show that
A Logic of Reachable Patterns in Linked DataStructures
, 2007
"... We define a new decidable logic for expressing and checking invariants of programs that manipulate dynamicallyallocated objects via pointers and destructive pointer updates. The main feature of this logic is the ability to limit the neighborhood of a node that is reachable via a regular expression ..."
Abstract

Cited by 33 (5 self)
 Add to MetaCart
We define a new decidable logic for expressing and checking invariants of programs that manipulate dynamicallyallocated objects via pointers and destructive pointer updates. The main feature of this logic is the ability to limit the neighborhood of a node that is reachable via a regular expression from a designated node. The logic is closed under boolean operations (entailment, negation) and has a finite model property. The key technical result is the proof of decidability. We show how to express preconditions, postconditions, and loop invariants for some interesting programs. It is also possible to express properties such as disjointness of datastructures, and lowlevel heap mutations. Moreover, our logic can express properties of arbitrary datastructures and of an arbitrary number of pointer fields. The latter provides a way to naturally specify postconditions that relate the fields on the entry of a procedure to the field on the exit of a procedure. Therefore, it is possible to use the logic to automatically prove partial correctness of programs performing lowlevel heap mutations.
An integrated proof language for imperative programs
 In PLDI’09
"... We present an integrated proof language for guiding the actions of multiple reasoning systems as they work together to prove complex correctness properties of imperative programs. The language operates in the context of a program verification system that uses multiple reasoning systems to discharge ..."
Abstract

Cited by 28 (5 self)
 Add to MetaCart
(Show Context)
We present an integrated proof language for guiding the actions of multiple reasoning systems as they work together to prove complex correctness properties of imperative programs. The language operates in the context of a program verification system that uses multiple reasoning systems to discharge generated proof obligations. It is designed to 1) enable developers to resolve key choice points in complex program correctness proofs, thereby enabling automated reasoning systems to successfully prove the desired correctness properties; 2) allow developers to identify key lemmas for the reasoning systems to prove, thereby guiding the reasoning systems to find an effective proof decomposition; 3) enable multiple reasoning systems to work together productively to prove a single correctness property by providing a mechanism that developers can use to divide the property into lemmas, each of which is suitable for