Results 1  10
of
13
Decidable logics combining heap structures and data
 IN: POPL’11
, 2011
"... We define a new logic, STRAND, that allows reasoning with heapmanipulating programs using deductive verification and SMT solvers. STRAND logic (“STRucture ANd Data ” logic) formulas express constraints involving heap structures and the data they contain; they are defined over a class of pointerstru ..."
Abstract

Cited by 26 (9 self)
 Add to MetaCart
(Show Context)
We define a new logic, STRAND, that allows reasoning with heapmanipulating programs using deductive verification and SMT solvers. STRAND logic (“STRucture ANd Data ” logic) formulas express constraints involving heap structures and the data they contain; they are defined over a class of pointerstructures R defined using MSOdefined relations over trees, and are of the form ∃⃗x∀⃗yϕ(⃗x, ⃗y), where ϕ is a monadic secondorder logic (MSO) formula with additional quantification that combines structural constraints as well as dataconstraints, but where the dataconstraints are only allowed to refer to ⃗x and ⃗y. The salient aspects of the logic are: (a) the logic is powerful, allowing existential and universal quantification over the nodes, and complex combinations of data and structural constraints; (b) checking Hoaretriples for linear blocks of statements with preconditions and postconditions expressed as Boolean combinations of existential and universal STRAND formulas reduces to satisfiability of a STRAND formula; (c) there are powerful decidable fragments of STRAND, one semantically defined and one syntactically defined, where the decision procedure works by combining the theory of MSO over trees and the quantifierfree theory of the underlying datalogic. We demonstrate the effectiveness and practicality of the logic by checking verification conditions generated in proving properties of several heapmanipulating programs, using a tool that combines an MSO decision procedure over trees (MONA) with an SMT solver for integer constraints (Z3).
Natural Proofs for Structure, Data, and Separation
"... We propose natural proofs for reasoning with programs that manipulate datastructures against specifications that describe the structure of the heap, the data stored within it, and separation and framing of substructures. Natural proofs are a subclass of proofs that are amenable to completely autom ..."
Abstract

Cited by 11 (3 self)
 Add to MetaCart
We propose natural proofs for reasoning with programs that manipulate datastructures against specifications that describe the structure of the heap, the data stored within it, and separation and framing of substructures. Natural proofs are a subclass of proofs that are amenable to completely automated reasoning, that provide sound but incomplete procedures, and that capture common reasoning tactics in program verification. We develop a dialect of separation logic over heaps, called Dryad, with recursive definitions that avoids explicit quantification. We develop ways to reason with heaplets using classical logic over the theory of sets, and develop natural proofs for reasoning using proof tactics involving disciplined unfoldings and formula abstractions. Natural proofs are encoded into decidable theories of firstorder logic so as to be discharged using SMT solvers. We also implement the technique and show that a large class of more than 100 correct programs that manipulate datastructures are amenable to full functional correctness using the proposed natural proof method. These programs are drawn from a variety of sources including standard datastructures, the SchorrWaite algorithm for garbage collection, a large number of lowlevel C routines from the Glib library and OpenBSD library, the Linux kernel, and routines from a secure verified OSbrowser project. Our work is the first that we know of that can handle such a wide range of full functional verification properties of heaps automatically, given pre/post and loop invariant annotations. We believe that this work paves the way for deductive verification technology to be used by programmers who do not (and need not) understand the internals of the underlying logic solvers, significantly increasing their applicability in building reliable systems.
Z3^10: Applications, Enablers, Challenges and Directions
"... Modern program analysis and modelbased tools are increasingly complex and multifaceted software systems. However, at their core is invariably a component using a logic for describing states and transformations between system states. Logic inferences engines are then critical for the functionality ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
Modern program analysis and modelbased tools are increasingly complex and multifaceted software systems. However, at their core is invariably a component using a logic for describing states and transformations between system states. Logic inferences engines are then critical for the functionality of these systems. A commonly adapted approach has been to use a custom solver, built and tailored for the specific application. Custom solvers come with custom limitations: extending and scaling these often require a high investment. Taking as a starting point the solver Z3, developed at Microsoft Research; we describe how an efficient, scalable and expressive solver for Satisfiability Modulo Theories (SMT) is part of changing this landscape. Tools can now use the SMT solver with advantage to solve logicrelated problems at a relatively highlevel of abstraction while attaining scalability and features that custom solvers would have to duplicate. We summarize 10 current applications of the Z3 solver and relate these to 10 main technological enabling factors. With every application there is a new opportunity, and with every solution there is a new challenge problem. Thus, we also summarize 10 challenges and 10 aspiring directions in the context of Z3 in particular, and for SMT solvers in general.
Recursive proofs for inductive tree datastructures
 In POPL’12 (2012), ACM
"... Abstract We develop logical mechanisms and procedures to facilitate the verification of full functional properties of inductive tree datastructures using recursion that are sound, incomplete, but terminating. Our contribution rests in a new extension of firstorder logic with recursive definitions ..."
Abstract

Cited by 9 (5 self)
 Add to MetaCart
Abstract We develop logical mechanisms and procedures to facilitate the verification of full functional properties of inductive tree datastructures using recursion that are sound, incomplete, but terminating. Our contribution rests in a new extension of firstorder logic with recursive definitions called Dryad, a syntactical restriction on preand postconditions of recursive imperative programs using Dryad, and a systematic methodology for accurately unfolding the footprint on the heap uncovered by the program that leads to finding simple recursive proofs using formula abstraction and calls to SMT solvers. We evaluate our methodology empirically and show that several complex tree datastructure algorithms can be checked against full functional specifications automatically, given preand postconditions. This results in the first automatic terminating methodology for proving a wide variety of annotated algorithms on tree datastructures correct, including maxheaps, treaps, redblack trees, AVL trees, binomial heaps, and Btrees.
Efficient Decision Procedures for Heaps using STRAND
"... The Strand [10] logic allows expressing structural properties of heaps combined with the data stored in the nodes of the heap. A semantic fragment of Strand as well as a syntactically defined subfragment of it are known to be decidable [10]. The known decision procedure works by combining a decisi ..."
Abstract

Cited by 6 (4 self)
 Add to MetaCart
The Strand [10] logic allows expressing structural properties of heaps combined with the data stored in the nodes of the heap. A semantic fragment of Strand as well as a syntactically defined subfragment of it are known to be decidable [10]. The known decision procedure works by combining a decision procedure for MSO on trees (implemented by the tool Mona) and a decision procedure for the quantifierfree fragment of the datatheory (say, integers, and implemented using a solver like Z3). The known algorithm for deciding the syntactically defined decidable fragment (which is the same as the one for the semantically defined decidable fragment) involves solving large MSO formulas over trees, whose solution is the main bottleneck in obtaining efficient algorithms. In this paper, we focus on the syntactically defined decidable fragment of Strand, and obtain a new and more efficient algorithm. Using a set of experiments obtained from verification conditions of heapmanipulating programs, we show the practical benefits of the new algorithm.
The complexity of abduction for separated heap abstraction
 In SAS’11
, 2011
"... Abstract. Abduction, the problem of discovering hypotheses that support a conclusion, has mainly been studied in the context of philosophical logic and Artificial Intelligence. Recently, it was used in a compositional program analysis based on separation logic that discovers (partial) pre/post speci ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Abduction, the problem of discovering hypotheses that support a conclusion, has mainly been studied in the context of philosophical logic and Artificial Intelligence. Recently, it was used in a compositional program analysis based on separation logic that discovers (partial) pre/post specifications for unannotated code which approximates memory requirements. Although promising practical results have been obtained, completeness issues and the computational hardness of the problem have not been studied. We consider a fragment of separation logic that is representative of applications in program analysis, and we study the complexity of searching for feasible solutions to abduction. We show that standard entailment is decidable in polynomial time, while abduction ranges from NPcomplete to polynomial time for different subproblems. 1
SatisfiabilityBased Program REASONING AND PROGRAM SYNTHESIS
, 2010
"... Program reasoning consists of the tasks of automatically and statically verifying correctness and inferring properties of programs. Program synthesis is the task of automatically generating programs. Both program reasoning and synthesis are theoretically undecidable, but the results in this disserta ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
Program reasoning consists of the tasks of automatically and statically verifying correctness and inferring properties of programs. Program synthesis is the task of automatically generating programs. Both program reasoning and synthesis are theoretically undecidable, but the results in this dissertation show that they are practically tractable. We show that there is enough structure in programs written by human developers to make program reasoning feasible, and additionally we can leverage program reasoning technology for automatic program synthesis. This dissertation describes expressive and efficient techniques for program reasoning and program synthesis. Our techniques work by encoding the underlying inference tasks as solutions to satisfiability instances. A core ingredient in the reduction of these problems to finite satisfiability instances is the assumption of templates. Templates are userprovided hints about the structural form of the desired artifact, e.g., invariant, pre and postcondition templates for reasoning; or program templates for synthesis. We propose novel algorithms, parameterized by suitable templates, that reduce the inference of these artifacts to satisfiability. We show that fixedpoint computation—the key technical challenge in program reasoning— is encodable as SAT instances. We also show that program synthesis can be viewed as generalized
DKAL and Z3: A logic embedding experiment
 In To appear in Essays in honor of Yuri Gurevich’s 70th birthday, LNCS
, 2010
"... succinctly expressible logic for distributed authorization. DKAL uses a combination of modal and intuitionistic propositional logic. Modalities are used for qualifying assertions made by different principals and intuitionistic logic captures very elegantly assertions about basic information. Further ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
succinctly expressible logic for distributed authorization. DKAL uses a combination of modal and intuitionistic propositional logic. Modalities are used for qualifying assertions made by different principals and intuitionistic logic captures very elegantly assertions about basic information. Furthermore, a nontrivial and useful fragment known as the primal infon logic is amenable to efficient lineartime saturation. In this paper we experiment with an embedding of the full DKAL logic into the stateoftheart Satisfiability Modulo Theories solver Z3 codeveloped by the second author. Z3 supports classical firstorder semantics of formulas, so it is not possible to directly embed DKAL into Z3. We therefore use an indirect encoding. The one experimented with in this paper uses the instantiationbased support for quantifiers in Z3. Z3 offers the feature to return a potential ground countermodel when the saturation procedure ends up with a satisfiable set of ground assertions. We develop an algorithm that extracts a DKAL model from the propositional model, in order to provide root causes for nonderivability. 1
Automating proofs of datastructure properties in imperative programs
 CoRR
"... We consider the problem of automated reasoning about dynamically manipulated data structures. The stateoftheart methods are limited to the unfoldandmatch (U+M) paradigm, where predicates are transformed via (un)folding operations induced from their definitions before being treated as uninterp ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
We consider the problem of automated reasoning about dynamically manipulated data structures. The stateoftheart methods are limited to the unfoldandmatch (U+M) paradigm, where predicates are transformed via (un)folding operations induced from their definitions before being treated as uninterpreted. However, proof obligations from verifying programs with iterative loops and multiple function calls often do not succumb to this paradigm. Our contribution is a proof method which – beyond U+M – performs automatic formula rewriting by treating previously encountered obligations in each proof path as possible induction hypotheses. This enables us, for the first time, to systematically reason about a wide range of obligations, arising from practical program verification. We demonstrate the power of our proof rules on commonly used lemmas, thereby close the remaining gaps in existing stateoftheart systems. Another impact, probably more important, is that our method regains the power of compositional reasoning, and shows that the usage of userprovided lemmas is no longer needed for the existing set of benchmarks. This not only removes the burden of coming up with the appropriate lemmas, but also significantly boosts up the verification process, since lemma applications, coupled with unfolding, often induce very large search space. 1.
A Framework for Inductive Proofs of Data Structures
"... We consider the problem of automated program verification with emphasis on reasoning about dynamically manipulated data structures. We begin with an existing specification language which has two key features: (a) the use of explicit heap variables, and (b) user defined recursive properties in a wrap ..."
Abstract
 Add to MetaCart
(Show Context)
We consider the problem of automated program verification with emphasis on reasoning about dynamically manipulated data structures. We begin with an existing specification language which has two key features: (a) the use of explicit heap variables, and (b) user defined recursive properties in a wrapper logic language. The language provides a newlevel of expressiveness for specifying properties of heap manipulations. The main contribution, however, is an algorithm to automatically prove verification conditions when formulas in the specification language are used as assertions in programs. More precisely, we consider verification of heap manipulating programs that combines user written modular contracts and loop invariants with completely automated theorem proving of the resulting verification conditions. The key feature of the algorithm is the ability to automatically employ induction proof steps with respect to dynamically generated induction hypotheses. Though necessarily still incomplete, the algorithm provides a new level of automation. 1.