Citation Context

...s to, and the types that point at it. Role specifications are similar to our injectivity axioms. The role analysis in [9] provides greater automation but it can express fewer shapes. Separation logic =-=[18]-=- includes a notion of temporal locality, exploited by a frame rule that allows reasoning about only those heap areas accessed by a procedure. We believe such a notion is essentially orthogonal to, and...

Citation Context

...too imprecise. There are very expressive specification languages (e.g., reachability predicates [15], shape types [4]) with either negative or unknown decidability results. A few systems such as TVLA =-=[19]-=- and PALE [13] have similar expressivity and effectiveness, but use logics with transitive closure and thus incur additional restrictions. We propose to use local equality axioms for data structure sp...

Citation Context

...the core language. In contrast, if we allow axioms of the form ∀p. p.α = p.β (in the core language, but without the NS property), then we could encode any instance of the (undecidable) “word problem” =-=[8]-=- as an axiom set and a satisfiability query. Intuitively, an axiom with the nullable subterms property can be satisfied by setting to null any unconstrained subterms. This avoids having to materialize...

Citation Context

... termination. For the class of universally quantified axioms that we consider here we show a complete and terminating matching rule. This is a valuable result in a field where heuristics are the norm =-=[14,2]-=-. Our experimental results are encouraging. We show that we can describe the same data structures that are discussed in the PALE publications, with somewhat better performance results; we can also enc...

Citation Context

... presented here. However, the early work does not admit more refined notions of shape, as it does not address the use of quantifiers. Our work uses methods most similar to the Extended Static Checker =-=[3]-=- and Boogie/Spec# [11]. However, while we suspect that specifications similar to elements described here have been written before while verifying programs, we are unaware of any attempts to explore th...

Citation Context

...thin it. One advantage of our specification strategy is that we we can combine our satisfiability procedure with that of any predicate that works within the framework of a Nelson-Oppen theorem prover =-=[16]-=-. While other approaches often abstract scalars as boolean fields [13,19], we can reason about them precisely. For example, in order to verify that the function remove shown in Figure 1 preserves the ...

Citation Context

... There are very expressive specification languages (e.g., reachability predicates [15], shape types [4]) with either negative or unknown decidability results. A few systems such as TVLA [19] and PALE =-=[13]-=- have similar expressivity and effectiveness, but use logics with transitive closure and thus incur additional restrictions. We propose to use local equality axioms for data structure specification (“...

Citation Context

...ver, the early work does not admit more refined notions of shape, as it does not address the use of quantifiers. Our work uses methods most similar to the Extended Static Checker [3] and Boogie/Spec# =-=[11]-=-. However, while we suspect that specifications similar to elements described here have been written before while verifying programs, we are unaware of any attempts to explore their expressiveness or ...

Citation Context

...The second disadvantage is that only boolean scalar fields are allowed. Thus, all scalar values must first be abstracted into a set of boolean ghost fields, and updates inserted accordingly. 487sTVLA =-=[12,19]-=-, the Three Valued Logic Analyzer, uses abstract interpretation over a heap description that includes 1/2 or “don’t know” values. It obtains shape precision through the use of instrumentation predicat...

Citation Context

... termination. For the class of universally quantified axioms that we consider here we show a complete and terminating matching rule. This is a valuable result in a field where heuristics are the norm =-=[14,2]-=-. Our experimental results are encouraging. We show that we can describe the same data structures that are discussed in the PALE publications, with somewhat better performance results; we can also enc...

Citation Context

...or too difficult to reason about automatically. Here, we consider alternative approaches with similar expressiveness and effectiveness. PALE [13], the Pointer Assertion Logic Engine, uses graph types =-=[7]-=- to specify a data structure as consisting of a spanning tree backbone augmented with auxiliary pointers. One disadvantage is the restriction that the data structure have a tree backbone: disequality ...

Citation Context

... to approximate reachability using transitivity axioms, giving up some shape precision in exchange for more precision with respect to scalar values. The shape analysis algorithm of Hackett and Rugina =-=[5]-=- partitions the heap into regions and infers points-to relationships among them. Its shape descriptions are less precise; it can describe singly-linked lists but not doubly-linked lists. Roles [9] cha...

Citation Context

...ina [5] partitions the heap into regions and infers points-to relationships among them. Its shape descriptions are less precise; it can describe singly-linked lists but not doubly-linked lists. Roles =-=[9]-=- characterize an object by the types it points to, and the types that point at it. Role specifications are similar to our injectivity axioms. The role analysis in [9] provides greater automation but i...

Citation Context

...ut also be amenable to automatic reasoning. Type systems and alias analyses are often too imprecise. There are very expressive specification languages (e.g., reachability predicates [15], shape types =-=[4]-=-) with either negative or unknown decidability results. A few systems such as TVLA [19] and PALE [13] have similar expressivity and effectiveness, but use logics with transitive closure and thus incur...

Citation Context

...lias information but also be amenable to automatic reasoning. Type systems and alias analyses are often too imprecise. There are very expressive specification languages (e.g., reachability predicates =-=[15]-=-, shape types [4]) with either negative or unknown decidability results. A few systems such as TVLA [19] and PALE [13] have similar expressivity and effectiveness, but use logics with transitive closu...

Citation Context

...y notions of this paper. Early work on data structures showed that the property of an object being uniquely generated (e.g., every instance of cons(1,2) is the same object) has decidable consequences =-=[17]-=-, a result related to the decidability of the consequences of the injectivity axioms presented here. However, the early work does not admit more refined notions of shape, as it does not address the us...

Citation Context

...es, and TVLA has difficulty evolving instrumentation predicates when they use transitive closure. The difficulties of reasoning about transitive closure have been recently explored by Immerman et. al =-=[6]-=-, with significant negative decidability results. Our technique is to approximate reachability using transitivity axioms, giving up some shape precision in exchange for more precision with respect to ...

Citation Context

...he programmer must add explicit updates to ghost fields. Updates to ghost fields often follow a regular pattern, so are presumably amenable to inference, but in the limit human assistance is required =-=[10]-=-. 2.4 Temporary Invariant Breakage In our tool, the shape descriptions are required to accurately describe the heap at procedure entry and exit, and at all loop invariant points. But some programs nee...

Citation Context

...t-reach facts. Axiom S2 imposes an upper bound, and allows conclusion of must-reach facts, but includes a pointer disequality disjunct. To reason about set-theoretic concepts, we use the procedure in =-=[1]-=-. This example highlights the way our technique can integrate with powerful off-the-shelf “scalar” concepts to specify the relationship between shape and data. Finally, pc keyb and scull are two Linux...