
## Constraint-based Program Reasoning with Heaps and Separation

Citations: 6 (1 self)

### Citations

1751 | An Axiomatic Basis for Computer Programming
- Hoare
- 1969
Citation Context: ...e benefits of Separation Logic to constraint-based reasoning techniques for heap manipulating programs, such as constraint-based symbolic execution. Our method is based on an extension of Hoare Logic [11] defined in terms of the constraint language H. Whilst Separation Logic guarantees total correctness w.r.t. memory safety (e.g. no memory errors such as dereferencing dangling pointers, etc.), our ref...

950 | Separation logic: A logic for shared mutable data structures
- Reynolds
- 2002
Citation Context: ...ant part of reasoning over heap manipulating programs is the ability to specify properties local to separate (i.e. non-overlapping) regions of memory. Most modern formalisms, such as Separation Logic [20], Region Logic [2], and (Implicit) Dynamic Frames [16][22], incorporate some encoding of separation. Separation Logic [20] explicates separation between regions of memory through separating conjunctio...

869 | Constraint logic programming: a survey,
- Jaffar, Maher
- 1994
Citation Context: ... can similarly be reduced to the normal form from Definition 3. For some applications we may extend H with ad hoc user-defined heap constraints. For this we can use Constraint Logic Programming (CLP) [13] over H, i.e. CLP(H). For example, the following CLP(H) predicate list(l, L) specifies a skeleton list constraint under the standard least model semantics of CLP: list(0, L) :- L ≏ ∅ list(l, L) :- l ...

692 | A machine program for theorem proving.
- Davis, Logemann, et al.
- 1962
Citation Context: ...e rules from Figure 1, such that the solutions to φ and ϕ correspond as per Proposition 1. The arbitrary Boolean structure of ϕ can be handled using the Davis-Putnam-Logemann-Loveland (DPLL) algorithm [6] modulo the H-solver. in(H, p, v) ∧ in(H, p, w) =⇒ v = w (1) H ≏ ∅ ∧ in(H, p, v) =⇒ false (2) H ≏ (p ↦→ v) =⇒ in(H, p, v) (3) H ≏ (p ↦→ v) ∧ in(H, q, w) =⇒ p = q ∧ v = w (4) H ≏ H1∗H2 ∧ in(H, p, v) =⇒...

526 | Guarded commands, nondeterminacy and formal derivation of programs
- Dijkstra
- 1975
Citation Context: ...tc.), our reformulation allows for weaker axiomatizations, such as a version that drops the memory-safety requirement. This allows for a Strongest Post Condition (SPC) predicate transformer semantics [7] to be defined in terms of H, which forms the basis of symbolic execution. The resulting Verification Conditions (VCs) can then be discharged using a suitable H-constraint solver/theorem prover. This ...

455 | Theory and practice of constraint handling rules
- Fruhwirth
- 1994
Citation Context: ...tifier Free (QF) H-formulae based on the idea of heap membership propagation. We show that the algorithm is both sound and complete, and is readily implementable using Constraint Handling Rules (CHR) [10]. We present an implementation of an H-solver that has been integrated into a Satisfiability Modulo Theories (SMT) framework using SMCHR [8]. Our decision procedure is related to established algorithm...

288 | A Fast Linear-Arithmetic Solver for DPLL(T).
- Dutertre, Moura
- 2006
Citation Context: ...sfiability Modulo Theories (SMT) framework that supports theory (T) solvers implemented in CHR. The SMCHR system also supports several "built-in" theories, such as a linear arithmetic solver based on [9], that can be combined with the H-solver to handle the underlying (dis)equality constraints. The SMCHR system has also been extended to support disjunctive propagators [19] for rules with disjunctive ...

163 | Smallfoot: Modular automatic assertion checking with separation logic.
- Berdine, Calcagno, et al.
- 2005
Citation Context: ...ce, or when interpolation fails to subsume a significant number of branches. Our tool and SMT solver implementation are preliminary and can likely be further optimized. 7 Related Work Several systems [3][5][12] implement Separation Logic-based symbolic execution, as described in [4]. However, due to the memory-safety requirements of Separation Logic, symbolic execution is limited to formulae over the...

144 | Symbolic execution with separation logic
- Berdine, Calcagno, et al.
- 2005
Citation Context: ...ed to established algorithms for finite sets. We use the H-solver as the basis of a simple program verification tool using symbolic execution. In contrast to Separation Logic-based symbolic execution [4], which is based on a set of rearrangement rules, our version is based on constraint solving using the H-solver as per Example 1 above. Our encoding allows for some optimization. Namely, we mitigate t...

76 | Dynamic framing: Support for framing, dependencies and sharing without restriction.
- Kassios
- 2006
Citation Context: ...is the ability to specify properties local to separate (i.e. non-overlapping) regions of memory. Most modern formalisms, such as Separation Logic [20], Region Logic [2], and (Implicit) Dynamic Frames [16][22], incorporate some encoding of separation. Separation Logic [20] explicates separation between regions of memory through separating conjunction (∗). For example, the Separation Logic formula list(...

68 | Regional logic for local reasoning about global invariants.
- Banerjee, Naumann, et al.
- 2008
Citation Context: ...ng over heap manipulating programs is the ability to specify properties local to separate (i.e. non-overlapping) regions of memory. Most modern formalisms, such as Separation Logic [20], Region Logic [2], and (Implicit) Dynamic Frames [16][22], incorporate some encoding of separation. Separation Logic [20] explicates separation between regions of memory through separating conjunction (∗). For example...

47 | Propagation via lazy clause generation.
- Ohrimenko, Stuckey, et al.
- 2009
Citation Context: ...r arithmetic solver based on [9], that can be combined with the H-solver to handle the underlying (dis)equality constraints. The SMCHR system has also been extended to support disjunctive propagators [19] for rules with disjunctive bodies, such as Rule (5). For these benchmarks we either restrict ourselves to the fragment of Verifast that is fully automatable, or we provide the minimal annotations whe...

43 | Lazy annotation for program testing and verification.
- McMillan
- 2010
Citation Context: ...ing the H-solver as per Example 1 above. Our encoding allows for some optimization. Namely, we mitigate the path explosion problem of symbolic execution by employing subsumption via interpolation [14][17] techniques. This paper is organized as follows: Section 2 introduces Hoare and Separation Logic, Section 3 formally introduces the H-language, Section 4 introduces an extension of Hoare Logic based o...

41 | Implicit dynamic frames: Combining dynamic frames and separation logic.
- Smans, Jacobs, et al.
- 2009
Citation Context: ...he ability to specify properties local to separate (i.e. non-overlapping) regions of memory. Most modern formalisms, such as Separation Logic [20], Region Logic [2], and (Implicit) Dynamic Frames [16][22], incorporate some encoding of separation. Separation Logic [20] explicates separation between regions of memory through separating conjunction (∗). For example, the Separation Logic formula list(l)∗t...

35 | VeriFast: A Powerful, Sound, Predictable, Fast Verifier for C and Java.
- Jacobs, Smans, et al.
- 2011
Citation Context: ...e same way as with Figure 1. 6 Experiments In this section we test an implementation of the H-solver against verification conditions (VCs) derived from symbolic execution. We compare against Verifast [12] (version 12.12), a program verification system based on Separation Logic. Our motivation for the comparison is: (1) Verifast is based on forward symbolic execution, and (2) Verifast incorporates the ...

34 | CHR∨: A flexible query language
- Abdennadher, Schütz
- 1998
Citation Context: ...H, p, v) (7) H ≏ H1∗H2 ∧ in(H1, p, v) ∧ in(H2, q, w) =⇒ p = q (8) Fig. 4. H-solver CHR propagation rules. We specify the H-solver as a set of Constraint Handling Rules [10] with disjunction (CHR∨) [1] as shown in Figure 4. Here each rule (Head =⇒ Body) encodes constraint propagation, where the constraints Body are added to the store whenever a matching Head is found. Rule (1) encodes the functiona...

34 | An interpolation method for CLP traversal
- Jaffar, Santosa, et al.
- 2009
Citation Context: ...g using the H-solver as per Example 1 above. Our encoding allows for some optimization. Namely, we mitigate the path explosion problem of symbolic execution by employing subsumption via interpolation [14][17] techniques. This paper is organized as follows: Section 2 introduces Hoare and Separation Logic, Section 3 formally introduces the H-language, Section 4 introduces an extension of Hoare Logic bas...

16 | Separation Logic Verification of C Programs with an SMT Solver
- Botincan, Parkinson, et al.
- 2009
Citation Context: ... or when interpolation fails to subsume a significant number of branches. Our tool and SMT solver implementation are preliminary and can likely be further optimized. 7 Related Work Several systems [3][5][12] implement Separation Logic-based symbolic execution, as described in [4]. However, due to the memory-safety requirements of Separation Logic, symbolic execution is limited to formulae over the fo...

16 | Combining sets with elements
- Zarba
- 2004
Citation Context: ...epends on the recursively-defined list predicate as it relates H with F, and is therefore more difficult to prove. Our H-solving algorithm is related to analogous algorithms for finite sets, such as [23]. Although formalized differently, the basic idea is similar, i.e. based on the propagation of set membership x ∈ S constraints. In [21] this idea was adapted into a decision procedure for Region Logi...

10 | A coinduction rule for entailment of recursively defined properties
- Jaffar, Santosa, et al.
- 2008
Citation Context: ...predicates for trees and arrays. The inclusion of CLP predicates requires stronger reasoning power in contrast to the base H-language. For this we can employ standard (yet incomplete) methods such as [15]. 4 Program Reasoning with H The core motivation of the H-language is reasoning over heap manipulating programs. For this we consider the following extensions of Hoare Logic [11]. 4.1 Direct Separatio...

5 | SMCHR: Satisfiability modulo Constraint Handling Rules
- Duck
Citation Context: ...eadily implementable using Constraint Handling Rules (CHR) [10]. We present an implementation of an H-solver that has been integrated into a Satisfiability Modulo Theories (SMT) framework using SMCHR [8]. Our decision procedure is related to established algorithms for finite sets. We use the H-solver as the basis of a simple program verification tool using symbolic execution. In contrast to Separatio...

5 | Decision procedures for region logic
- Rosenberg, Banerjee, et al.
- 2012
Citation Context: ...thm is related to analogous algorithms for finite sets, such as [23]. Although formalized differently, the basic idea is similar, i.e. based on the propagation of set membership x ∈ S constraints. In [21] this idea was adapted into a decision procedure for Region Logic. Our approach works directly with heaps rather than indirectly via sets. 8 Future Work and Conclusions In this paper we presented a re...