Results 1  10
of
26
Natural Proofs for Structure, Data, and Separation
"... We propose natural proofs for reasoning with programs that manipulate datastructures against specifications that describe the structure of the heap, the data stored within it, and separation and framing of substructures. Natural proofs are a subclass of proofs that are amenable to completely autom ..."
Abstract

Cited by 11 (3 self)
 Add to MetaCart
(Show Context)
We propose natural proofs for reasoning with programs that manipulate datastructures against specifications that describe the structure of the heap, the data stored within it, and separation and framing of substructures. Natural proofs are a subclass of proofs that are amenable to completely automated reasoning, that provide sound but incomplete procedures, and that capture common reasoning tactics in program verification. We develop a dialect of separation logic over heaps, called Dryad, with recursive definitions that avoids explicit quantification. We develop ways to reason with heaplets using classical logic over the theory of sets, and develop natural proofs for reasoning using proof tactics involving disciplined unfoldings and formula abstractions. Natural proofs are encoded into decidable theories of firstorder logic so as to be discharged using SMT solvers. We also implement the technique and show that a large class of more than 100 correct programs that manipulate datastructures are amenable to full functional correctness using the proposed natural proof method. These programs are drawn from a variety of sources including standard datastructures, the SchorrWaite algorithm for garbage collection, a large number of lowlevel C routines from the Glib library and OpenBSD library, the Linux kernel, and routines from a secure verified OSbrowser project. Our work is the first that we know of that can handle such a wide range of full functional verification properties of heaps automatically, given pre/post and loop invariant annotations. We believe that this work paves the way for deductive verification technology to be used by programmers who do not (and need not) understand the internals of the underlying logic solvers, significantly increasing their applicability in building reliable systems.
EffectivelyPropositional Reasoning about Reachability in Linked Data Structures ⋆
"... Abstract. This paper proposes a novel method of harnessing existing SAT solvers to verify reachability properties of programs that manipulate linkedlist data structures. Such properties are essential for proving program termination, correctness of data structure invariants, and other safety propert ..."
Abstract

Cited by 9 (2 self)
 Add to MetaCart
(Show Context)
Abstract. This paper proposes a novel method of harnessing existing SAT solvers to verify reachability properties of programs that manipulate linkedlist data structures. Such properties are essential for proving program termination, correctness of data structure invariants, and other safety properties. Our solution is complete, i.e., a SAT solver produces a counterexample whenever a program does not satisfy its specification. This result is surprising since even firstorder theorem provers usually cannot deal with reachability in a complete way, because doing so requires reasoning about transitive closure. Our result is based on the following ideas: (1) Programmers must write assertions in a restricted logic without quantifier alternation or function symbols. (2) The correctness of many programs can be expressed in such restricted logics, although we explain the tradeoffs. (3) Recent results in descriptive complexity can be utilized to show that every program that manipulates potentially cyclic, singly and doublylinked lists and that is annotated with assertions written in this restricted logic, can be verified with a SAT solver. We implemented a tool atop Z3 and used it to show the correctness of several linked list programs. 1
Recursive proofs for inductive tree datastructures
 In POPL’12 (2012), ACM
"... Abstract We develop logical mechanisms and procedures to facilitate the verification of full functional properties of inductive tree datastructures using recursion that are sound, incomplete, but terminating. Our contribution rests in a new extension of firstorder logic with recursive definitions ..."
Abstract

Cited by 9 (5 self)
 Add to MetaCart
(Show Context)
Abstract We develop logical mechanisms and procedures to facilitate the verification of full functional properties of inductive tree datastructures using recursion that are sound, incomplete, but terminating. Our contribution rests in a new extension of firstorder logic with recursive definitions called Dryad, a syntactical restriction on preand postconditions of recursive imperative programs using Dryad, and a systematic methodology for accurately unfolding the footprint on the heap uncovered by the program that leads to finding simple recursive proofs using formula abstraction and calls to SMT solvers. We evaluate our methodology empirically and show that several complex tree datastructure algorithms can be checked against full functional specifications automatically, given preand postconditions. This results in the first automatic terminating methodology for proving a wide variety of annotated algorithms on tree datastructures correct, including maxheaps, treaps, redblack trees, AVL trees, binomial heaps, and Btrees.
Accurate invariant checking for programs manipulating lists and arrays with infinite data
, 2011
"... Abstract. We propose a logicbased framework for automated reasoning about sequential programs manipulating singlylinked lists and arrays with unbounded data. We introduce the logic SLAD, which allows combining shape constraints, written in a fragment of Separation Logic, with data and size constra ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We propose a logicbased framework for automated reasoning about sequential programs manipulating singlylinked lists and arrays with unbounded data. We introduce the logic SLAD, which allows combining shape constraints, written in a fragment of Separation Logic, with data and size constraints. We address the problem of checking the entailment between SLAD formulas, which is crucial in performing prepost condition reasoning. Although this problem is undecidable in general for SLAD, we propose a sound and powerful procedure that is able to solve this problem for a large class of formulas, beyond the capabilities of existing techniques and tools. We prove that this procedure is complete, i.e., it is actually a decision procedure for this problem, for an important fragment of SLAD including known decidable logics. We implemented this procedure and shown its preciseness and its efficiency on a significant benchmark of formulas. 1
D.: Learning universally quantified invariants of linear data structures
 CoRR
, 2013
"... Abstract. We propose a new automaton model, called quantified data automata over words, that can model quantified invariants over linear data structures, and build polytime active learning algorithms for them, where the learner is allowed to query the teacher with membership and equivalence queries ..."
Abstract

Cited by 6 (3 self)
 Add to MetaCart
(Show Context)
Abstract. We propose a new automaton model, called quantified data automata over words, that can model quantified invariants over linear data structures, and build polytime active learning algorithms for them, where the learner is allowed to query the teacher with membership and equivalence queries. In order to express invariants in decidable logics, we invent a decidable subclass of QDAs, called elastic QDAs, and prove that every QDA has a unique minimallyoverapproximating elastic QDA. We then give an application of these theoretically sound and efficient active learning algorithms in a passive learning framework and show that we can efficiently learn quantified linear data structure invariants from samples obtained from dynamic runs for a large class of programs. 1
Efficient Decision Procedures for Heaps using STRAND
"... The Strand [10] logic allows expressing structural properties of heaps combined with the data stored in the nodes of the heap. A semantic fragment of Strand as well as a syntactically defined subfragment of it are known to be decidable [10]. The known decision procedure works by combining a decisi ..."
Abstract

Cited by 6 (4 self)
 Add to MetaCart
The Strand [10] logic allows expressing structural properties of heaps combined with the data stored in the nodes of the heap. A semantic fragment of Strand as well as a syntactically defined subfragment of it are known to be decidable [10]. The known decision procedure works by combining a decision procedure for MSO on trees (implemented by the tool Mona) and a decision procedure for the quantifierfree fragment of the datatheory (say, integers, and implemented using a solver like Z3). The known algorithm for deciding the syntactically defined decidable fragment (which is the same as the one for the semantically defined decidable fragment) involves solving large MSO formulas over trees, whose solution is the main bottleneck in obtaining efficient algorithms. In this paper, we focus on the syntactically defined decidable fragment of Strand, and obtain a new and more efficient algorithm. Using a set of experiments obtained from verification conditions of heapmanipulating programs, we show the practical benefits of the new algorithm.
ICE: A Robust Framework for Learning Invariants
"... Abstract. We introduce ICE, a robust learning paradigm for synthesizing invariants, that learns using examples, counterexamples, and implications, and show that it admits honest teachers and strongly convergent mechanisms for invariant synthesis. We observe that existing algorithms for blackbox a ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce ICE, a robust learning paradigm for synthesizing invariants, that learns using examples, counterexamples, and implications, and show that it admits honest teachers and strongly convergent mechanisms for invariant synthesis. We observe that existing algorithms for blackbox abstract interpretation can be interpreted as ICElearning algorithms. We develop new strongly convergent ICElearning algorithms for two domains, one for learning Boolean combinations of numerical invariants for scalar variables and one for quantified invariants for arrays and dynamic lists. We implement these ICElearning algorithms in a verification tool and show they are robust, practical, and efficient. 1
Monotonic Abstraction for Programs with MultiplyLinked Structures
 In Proc. of RP, volume 6945 of LNCS
, 2011
"... Abstract. We investigate the use of monotonic abstraction and backward reachability analysis as means of performing shape analysis on programs with multiply pointed structures. By encoding the heap as a vertex and edgelabeled graph, we can model the low level behaviour exhibited by programs writte ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We investigate the use of monotonic abstraction and backward reachability analysis as means of performing shape analysis on programs with multiply pointed structures. By encoding the heap as a vertex and edgelabeled graph, we can model the low level behaviour exhibited by programs written in the C programming language. Using the notion of signatures, which are predicates that define sets of heaps, we can check properties such as absence of null pointer dereference and shape invariants. We report on the results from running a prototype based on the method on several programs such as insertion into and merging of doublylinked lists. 1
Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists
"... domain of automata, called automatic shapes. Automatic shapes are modeled after a particular version of quantified data automata on skinny trees (QSDAs), that allows to define universally quantified properties of programs manipulating acyclic heaps with a single pointer field, including datastructu ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
(Show Context)
domain of automata, called automatic shapes. Automatic shapes are modeled after a particular version of quantified data automata on skinny trees (QSDAs), that allows to define universally quantified properties of programs manipulating acyclic heaps with a single pointer field, including datastructures such singlylinked lists. To ensure convergence oftheabstractfixedpointcomputation,weintroduceasubclassofQSDAs called elastic QSDAs, which forms an abstract domain. We evaluate our approach on several list manipulating programs and we show that the proposed domain is powerful enough to prove a large class of these programs correct. 1
On automating separation logic with trees and data.
, 2014
"... Abstract. Separation logic (SL) is a widely used formalism for verifying heap manipulating programs. Existing SL solvers focus on decidable fragments for listlike structures. More complex data structures such as trees are typically unsupported in implementations, or handled by incomplete heuristic ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Abstract. Separation logic (SL) is a widely used formalism for verifying heap manipulating programs. Existing SL solvers focus on decidable fragments for listlike structures. More complex data structures such as trees are typically unsupported in implementations, or handled by incomplete heuristics. While complete decision procedures for reasoning about trees have been proposed, these procedures suffer from high complexity, or make global assumptions about the heap that contradict the separation logic philosophy of local reasoning. In this paper, we present a fragment of classical firstorder logic for local reasoning about treelike data structures. The logic is decidable in NP and the decision procedure allows for combinations with other decidable firstorder theories for reasoning about data. Such extensions are essential for proving functional correctness properties. We have implemented our decision procedure and, building on earlier work on translating SL proof obligations into classical logic, integrated it into an SLbased verification tool. We successfully used the tool to verify functional correctness of treebased data structure implementations.