Post on 01-Jan-2016
Verifying Properties of Verifying Properties of Well-Founded Linked ListsWell-Founded Linked Lists
Verifying Properties of Verifying Properties of Well-Founded Linked ListsWell-Founded Linked Lists
Shuvendu K. Lahiri Shaz Qadeer
Software Reliability ResearchSoftware Reliability Research
Microsoft ResearchMicrosoft Research
– 2 –
Motivation for analyzing linked listsMotivation for analyzing linked lists
Verify control, memory, and API safety of low-Verify control, memory, and API safety of low-level systems codelevel systems code Integers Arrays Singly linked lists Doubly linked lists (acyclic and cyclic)
– 3 –
Motivation for analyzing linked listsMotivation for analyzing linked lists
Verify control, memory, and API safety of low-Verify control, memory, and API safety of low-level systems codelevel systems code Integers Arrays Singly linked lists Doubly linked lists (acyclic and cyclic)
Establish properties about linking structure and Establish properties about linking structure and contentcontent Absence of null dereference, memory leaks All elements of a list have data value 0 List1 and List2 are disjoint
– 4 –
Example: Acyclic linked list iteration Example: Acyclic linked list iteration
//@ requires hd != null//@ requires hd != null
//@ ensures //@ ensures v v R(hd): v.data = 0 R(hd): v.data = 0
void acyclic_simple(Cell hd) {void acyclic_simple(Cell hd) {
Cell iter = hd;Cell iter = hd;
while (iter != null) {while (iter != null) {
iter.data = 0;iter.data = 0;
iter = iter.next;iter = iter.next;
}}
}}
– 5 –
ProblemProblem
Existing program analyses either lack scalability Existing program analyses either lack scalability or precision for such programs/propertiesor precision for such programs/properties
– 6 –
Reasoning in first-order logicReasoning in first-order logic
Can support many theories important for Can support many theories important for program verificationprogram verification Uninterpreted functions, linear arithmetic, arrays,
quantifiers Reason about programs with a mix of scalar
variables, arithmetic, arrays
Powerful analysis enginesPowerful analysis engines Pioneering work by Nelson-Oppen[’79] Recent advances in SAT-based theorem provers
– 7 –
Program verification and first-order logicProgram verification and first-order logic
Automated software verification toolsAutomated software verification tools SLAM, BLAST, MAGIC,… ESC/JAVA, Boogie,..
Perform symbolic reasoning for first-order logic Perform symbolic reasoning for first-order logic Theorem provers to discharge verification
conditions Operations for abstract interpretation (predicate
abstraction, join, ..) Automatic abstraction-refinement
– 8 –
Linked lists and reachLinked lists and reach
Class Cell {Class Cell {
int data;int data;
Cell next;Cell next;
};};
RR(u(u) = Set of cells reachable from ) = Set of cells reachable from uu using using nextnext field field
= {u, u.next, u.next.next,…} = {u, u.next, u.next.next,…}
xx
RR((xx))
– 9 –
Example Example
Acyclic linked list iterationAcyclic linked list iteration
//@ requires hd != null//@ requires hd != null
//@ ensures //@ ensures v v R(hd): v.data = 0 R(hd): v.data = 0
void acyclic_simple(Cell hd) {void acyclic_simple(Cell hd) {
Cell iter = hd;Cell iter = hd;
while (iter != null) {while (iter != null) {
iter.data = 0;iter.data = 0;
iter = iter.next;iter = iter.next;
}}
}}
hdhd iteriter
Visited = Visited = R(hd)\ R(iter)R(hd)\ R(iter)
Loop invariantLoop invariantu u Visited: Visited: u.data = 0u.data = 0
– 10 –
Reachability predicateReachability predicate
Need to reason about Need to reason about reachability reachability predicate predicate e.g. u R(x): u.data = 0
Need axioms to relate the field Need axioms to relate the field nextnext and and RR
However, reachability can’t be modeled in first-However, reachability can’t be modeled in first-order logicorder logic Finite first-order axiomatization of reachability
impossible
– 11 –
Motivation for this workMotivation for this work
Simple axioms may suffice for many examples
Provide a first-order axiomatization of Provide a first-order axiomatization of ReachReach Necessarily incomplete First investigated by Nelson [POPL’83]
Enable list manipulating programs (also Enable list manipulating programs (also containing integers, arrays etc.) to be containing integers, arrays etc.) to be analyzed uniformlyanalyzed uniformly Can leverage first-order reasoning Predicate abstraction,… Abstraction refinement
– 12 –
Example Example
Acyclic linked list iterationAcyclic linked list iteration
//@ requires hd != null//@ requires hd != null
//@ ensures //@ ensures v v R(hd): v.data = 0 R(hd): v.data = 0
void acyclic_simple(Cell hd) {void acyclic_simple(Cell hd) {
Cell iter = hd;Cell iter = hd;
while (iter != null) {while (iter != null) {
iter.data = 0;iter.data = 0;
iter = iter.next;iter = iter.next;
}}
}}
hdhd iteriter
Visited = Visited = R(hd)\ R(iter)R(hd)\ R(iter)
Loop invariantLoop invariantu u Visited: Visited: u.data = 0u.data = 0
Axiom for Axiom for reach:reach:u, u, v : v : v v R(u) R(u)
(v = u (v = u ( (u.next u.next null null v v R(u.next))R(u.next))))
– 13 –
Example Example
Acyclic linked list iterationAcyclic linked list iteration
//@ requires hd != null//@ requires hd != null
//@ ensures //@ ensures v v R(hd): v.data = 0 R(hd): v.data = 0
void acyclic_simple(Cell hd) {void acyclic_simple(Cell hd) {
Cell iter = hd;Cell iter = hd;
while (iter != null) {while (iter != null) {
iter.data = 0;iter.data = 0;
iter = iter.next;iter = iter.next;
}}
}}
Loop invariantLoop invariantu u Visited: Visited: u.data = 0u.data = 0
Axiom for Axiom for reach:reach:u, u, v : v : v v R(u) R(u)
(v = u (v = u ( (u.next u.next null null v v R(u.next))R(u.next))))
Axiom sufficient to
prove the
Axiom sufficient to
prove the
example
example
hdhd iteriter
Visited = Visited = R(hd)\ R(iter)R(hd)\ R(iter)
– 14 –
Rest of the talkRest of the talk
How toHow to Handle cyclic lists Handle destructive updates Generate first-order axioms for Reach
Well-founded linked listsWell-founded linked lists How it makes the above tasks amenable
ResultsResults
Deciding ground fragment with Deciding ground fragment with ReachReach predicate predicate
– 15 –
Part1: Cyclic List TraversalPart1: Cyclic List Traversal
Cyclic linked list iterationCyclic linked list iteration
//@ requires hd points to a cyclic list//@ requires hd points to a cyclic list
//@ ensures //@ ensures v v R(hd): v.data = 0 R(hd): v.data = 0
void cyclic_simple(Cell hd) {void cyclic_simple(Cell hd) {
hd.data = 0;hd.data = 0;
iter = hd.next;iter = hd.next;
while (iter != hd) {while (iter != hd) {
iter.data = 0;iter.data = 0;
iter = iter.next;iter = iter.next;
}}
}}
iteriter
Visited = ? Visited = ?
hdhd
No way to express No way to express VisitedVisited using R aloneusing R alone
R for every cell in the cycle R for every cell in the cycle contains all the cells in the cyclecontains all the cells in the cycle
– 16 –
Cyclic List TraversalCyclic List Traversal
Cyclic linked list iterationCyclic linked list iteration
//@ requires hd points to a cyclic list//@ requires hd points to a cyclic list
//@ ensures //@ ensures v v R(hd): v.data = 0 R(hd): v.data = 0
void cyclic_simple(Cell hd) {void cyclic_simple(Cell hd) {
hd.data = 0;hd.data = 0;
iter = hd.next;iter = hd.next;
while (iter != hd) {while (iter != hd) {
iter.data = 0;iter.data = 0;
iter = iter.next;iter = iter.next;
}}
}}
iteriter
Visited = ? Visited = ?
hdhd
Proving even null-dereference Proving even null-dereference is non-trivialis non-trivial
– 17 –
ObservationObservation
Usually, every cycle of “next” has at least one Usually, every cycle of “next” has at least one distinguished celldistinguished cell Usually, the “head” of the list This cell breaks the symmetry in the list
For each linking field “f”, a subset of fields in For each linking field “f”, a subset of fields in the heap are headsthe heap are heads Denoted by Hf
Cells denoted by Always includes null
– 18 –
New Predicates Rf and Bf New Predicates Rf and Bf
Hf = Set of head cells for field f
RRff(u) (u) Set of cells u, u.f, u.f.f,…,
until the first cell in H
BBff(u) (u) The first cell from the
sequence u.f, u.f.f, …, that belongs to H
The “block” for u
xx yy
RRff(x)(x)
RRff(z)(z)
zz
xx
yy
BBff(x) = null(x) = null
BBff(x) = y(x) = yBBff(y) = x(y) = xBBff(z) = x(z) = x
– 19 –
Well-founded heapWell-founded heap
Given Hf, a set of “head” cells for a field f
Well-founded field Well-founded field ff For any cell u, the sequence u.f, u.f.f, …, intersects
with a cell in Hf
Well-founded heapWell-founded heap Every linking field f is well-founded wrt to Hf
i.e., every f cycle has at least one Hf cell
– 20 –
Programming methodologyProgramming methodology
Programmer must supply Programmer must supply HHff
Every mutation of the linking field Every mutation of the linking field ff is is required to preserve well-foundednessrequired to preserve well-foundedness
Restricted to programs maninpulating well Restricted to programs maninpulating well founded heaps onlyfounded heaps only Almost all list programs obey this restriction
– 21 –
Cyclic List TraversalCyclic List Traversal
Cyclic linked list iterationCyclic linked list iteration
//@ requires hd points to a cyclic list//@ requires hd points to a cyclic list
//@ ensures //@ ensures v v R(hd): v.data = 0 R(hd): v.data = 0
void cyclic_simple(Cell hd) {void cyclic_simple(Cell hd) {
hd.data = 0;hd.data = 0;
iter = hd.next;iter = hd.next;
while (iter != hd) {while (iter != hd) {
iter.data = 0;iter.data = 0;
iter = iter.next;iter = iter.next;
}}
}}
iteriter
hdhd
Visited = ?Visited = ?
– 22 –
Cyclic List TraversalCyclic List Traversal
Cyclic linked list iterationCyclic linked list iteration
//@ requires hd //@ requires hd H H B(hd) = hd B(hd) = hd
//@ ensures //@ ensures v v R(hd): v.data = 0 R(hd): v.data = 0
void cyclic_simple(Cell hd) {void cyclic_simple(Cell hd) {
hd.data = 0;hd.data = 0;
iter = hd.next;iter = hd.next;
while (iter != hd) {while (iter != hd) {
iter.data = 0;iter.data = 0;
iter = iter.next;iter = iter.next;
}}
}}
iteriter
R(iter)R(iter)
hdhd
Visited Visited = (iter = hd) = (iter = hd) ? R(iter) ? R(iter) : R(hd) \ R(iter): R(hd) \ R(iter)
Loop invariant:Loop invariant: u u Visited: Visited: u.data = 0u.data = 0 B(iter) = hdB(iter) = hd
– 23 –
Axioms RequiredAxioms Required
Axiom for RAxiom for R
v v R (u) R (u) (v = u (v = u (u.next (u.next H H v v RR (u.next))(u.next))
v v RR (u) (u) (v = u (v = u (u.next (u.next null null v v RR (u.next))(u.next))
Axiom for BAxiom for B
BB (u) = u.next (u) = u.next H ? u.next : BH ? u.next : B (u.next)(u.next)
Able to prove the example (similar to acyclic case) with Able to prove the example (similar to acyclic case) with these axiomsthese axioms
– 24 –
Part 2: Destructive updatesPart 2: Destructive updates
x.f := y
IssuesIssues R, B need to be updated
Since f is updated Destructive updates may make the heap ill-
foundedFlag such programs as bad
– 25 –
Updates to R, B (some cases)Updates to R, B (some cases)
x.f := y
yy
uxx
yy
uxx
RR (u) = R(u) = R (u) \ R(u) \ R (x) (x) {x} RR (y) (y)
BB (u) = B(u) = B (y) (y)
RR (u) = R(u) = R (u) \ R(u) \ R (x) (x) {x}
BB (u) = y(u) = y
– 26 –
Ensuring well-foundednessEnsuring well-foundedness
x.f := y
yy
xx
Orphan cycle: Cycle with no H cells
Add Add assertassert ( x ( x RR (y) (y) y y H ) before each H ) before each x.f := yx.f := y
– 27 –
Updating cells in HfUpdating cells in Hf
Hf is a program variable now
HHff.Add(x).Add(x) Adds the cell pointed to by x to Hf
Useful when creating a cycle for the first time
HHff.Remove(x).Remove(x) Removes the cell pointed to by x to Hf
Remove one head when two cycles with a head each are fused
Updates to RUpdates to Rff, B, Bf f still remain quantifier-freestill remain quantifier-free
– 28 –
Summary: InstrumentationSummary: Instrumentation
Quantifier-free updates to auxiliary variables Quantifier-free updates to auxiliary variables R, BR, B Similar to acyclic case [Dong & Su ‘95] Very difficult to update R for cyclic lists in general
Instrumentation captures “well-foundedness” Instrumentation captures “well-foundedness” preciselyprecisely The instrumented program goes wrong (violates
an assertion) iff the source program
1. goes wrong (violates some assertions), or
2. heap of the source program becomes not well-founded
– 29 –
Part 3: Axioms RequiredPart 3: Axioms Required
Base axiom for RBase axiom for R
v v RR (u) (u) (v = u (v = u (u.next (u.next H H v v RR (u.next))(u.next))
Base axiom for BBase axiom for BB (u) = u.next H ? u.next : B (u.next)
Fundamental axiomsFundamental axioms The axioms capture the intended meaning of R and B
in any finite and well-founded state of the program
– 30 –
Generating new axiomsGenerating new axioms
Not possible to express finiteness and well-foundedness in first-order logic
Derive new axioms from the base axiomsDerive new axioms from the base axioms Using induction
For well-founded heapsFor well-founded heaps We provide an induction principle to generate
derived axioms from base axioms
– 31 –
Induction principleInduction principle
Proposed axiom: u. P(u) To prove P(u) for any cell u in a finite well-
founded heap
Base CaseBase Case u.f H P(u) Establish for all u at a distance 1 from H cells
Induction StepInduction Step1. u.f H (P(u.f) P(u))
2. u.f has a shorter distance to H than u (well-founded induction)
– 32 –
Some derived axiomsSome derived axioms
TransitivityTransitivity R (u,v) R (v,w) R (u,w)
AntisymmetryAntisymmetry R (u,v) R (v,u) u = v
BlockBlock R (u,v) v H u = v
Bounded distinctnessBounded distinctness All cells in the set {u, u.f,…,} until the first H cell
are distinct from each other Instantiate this for bounded sizes (e.g. 1)
u.f H u u.f
– 33 –
Derived AxiomsDerived Axioms
Set of axioms are fairly fundamental properties Set of axioms are fairly fundamental properties and fairly intuitiveand fairly intuitive Can be easily proved from the base axioms using
the induction principle
Suffice for a large set of examplesSuffice for a large set of examples Otherwise derive new axioms using the base
axioms and induction
– 34 –
Benefits of well-founded listsBenefits of well-founded lists
1.1. Set of required axioms almost similar to Set of required axioms almost similar to acyclic caseacyclic case
2.2. Allows us to update Allows us to update RRff, B, Bff relations using relations using simple quantifier-free formulassimple quantifier-free formulas
3.3. Provides an induction principle to establish Provides an induction principle to establish derived axioms easilyderived axioms easily
– 35 –
Experimental setupExperimental setup
InstrumentationAdd R, B
+ Updates+ Assertions
VC Generator(UCLID)
Theorem Prover(UCLID)
Axioms for R, B
AnnotatedSource
Program
Proved/Failure
– 36 –
UCLIDUCLID
Verification system for systems modeled in Verification system for systems modeled in first-order logicfirst-order logic Bryant, Lahiri, Seshia, CAV’02
1.1. Checking verification conditionsChecking verification conditions Uses quantifier instantiation Uses various decision procedures for
uninterpreted functions, arrays, arithmetic
2.2. Inferring loop invariants with indexed Inferring loop invariants with indexed predicate abstractionpredicate abstraction
– 37 –
ExamplesExamples
Simple_cyclicSimple_cyclic List traversal
ReverseReverse In place reversal of an acyclic list
Sorted_insertSorted_insert Inserts a cell in a sorted list Requires arithmetic reasoning
Set_unionSet_union Merges two equivalence classes implemented as cyclic lists
Dlist_removeDlist_remove Removes a cell from a cyclic doubly linked list
– 38 –
ExperimentsExperiments
Proving Verification Conditions (VCs)Proving Verification Conditions (VCs) Most examples take < 1 s
Loop Invariant synthesis using indexed Loop Invariant synthesis using indexed predicate abstractionpredicate abstraction
– 39 –
Synthesizing invariants by indexed predicate abstractionSynthesizing invariants by indexed predicate abstraction
Flanagan & Qadeer POPL’02 Lahiri & Bryant VMCAI ‘04
PrinciplePrinciple Provide a set of predicates P over state variables + “index
variables” XIntuitively X contains heap cells, or indices into arrays
e.g. P = {Rnext(u,v), Bnext (u) = v, a[i] < a[j] + 1, …}
X = {u,v,i,j,…}
TheoremTheorem Indexed predicate abstraction constructs the strongest loop
invariant of the form X: (P)
is a Boolean combination of predicates in P
– 40 –
Synthesizing invariants in UCLIDSynthesizing invariants in UCLID
//@requires null //@requires null H Hnextnext
//@requires B//@requires Bnext next (l) = null(l) = null
//@ensures B//@ensures Bnext next (res) = null(res) = null
//@ensures R//@ensures Rnextnext(res) = R(res) = R00next next (l)(l)
Cell reverse (Cell l){Cell reverse (Cell l){
Cell curr = l;Cell curr = l;
Cell res = null;Cell res = null;
while (curr != null){while (curr != null){
Cell tmp = curr.next;Cell tmp = curr.next;
curr.next = res;curr.next = res;
res = curr;res = curr;
curr = tmp;curr = tmp;
}}
return res;return res;
}}
PredicatesPredicates
X = {X = {uu}}
P = {P = {
uu = null, = null, uu = curr, = curr, uu = res, = res, uu = l = l00, ,
curr = null, l = lcurr = null, l = l00, ,
RRnextnext(curr,(curr,uu), ),
RRnextnext(res,(res,uu), ),
RRnextnext(l,(l,uu), ),
HHnextnext((uu),),
RR00nextnext(l(l00,,uu), ),
BBnextnext((uu) = null) = null
}}
Tool constructs loop invariant in 0.57 Tool constructs loop invariant in 0.57 secsec
– 41 –
Results with Predicate AbstractionResults with Predicate Abstraction Predicates provided manuallyPredicates provided manually
ExampleExample #-Predicates (#-index)#-Predicates (#-index) UCLID UCLID
time (s)time (s)
simple_cyclicsimple_cyclic 15 (1)15 (1) 0.120.12
reversereverse 12 (1)12 (1) 0.570.57
set_unionset_union 24 (1)24 (1) 0.660.66
sorted_insertsorted_insert 21 (2)21 (2) 17.3217.32
dlist_removedlist_remove -- 1.231.23
Used Barcelogic tool for theorem provingUsed Barcelogic tool for theorem proving
Note: Results significantly improved from paperNote: Results significantly improved from paper
– 42 –
Decision procedure for ground fragmentDecision procedure for ground fragment Deciding ground formulas over
Rf(u,v), ~Rf(u,v), u = f(v), u ≠ v, u Hf, u Hf, u =
Bf (v)
Reduce dependency on derived axiomsReduce dependency on derived axioms A complete framework when VCs are quantifier-
free Solving quantifier-free queries after instantiating
quantifiers
ResultResult Checking satisfiability of a conjunction NP-
complete
– 43 –
Related workRelated work
First-order axiomatization of reachabilityFirst-order axiomatization of reachability Nelson ’83, Lev-Ami et al. ’05
First-order reasoning without reachabilityFirst-order reasoning without reachability Necula & McPeak ’05
Shape analysis with 3-valued logicShape analysis with 3-valued logic Sagiv et al. ’99, … TVLA
Predicate abstraction for listsPredicate abstraction for lists Dams et al. ’03, Balaban et al. ’05, Manevich et al. ’05, Bingham
’06
Separation logicSeparation logic O’Hearn et al. ’01, Reynolds ’02,
– 44 –
Conclusions Conclusions
Two new predicates R, B for well-founded Two new predicates R, B for well-founded heapsheaps
Instrumentation of source program with Instrumentation of source program with auxiliary variables for the predicatesauxiliary variables for the predicates
First-order axiomatizationFirst-order axiomatization New induction principle Simpler derived axioms
ImplementationImplementation Leverage first-order theorem provers Indexed predicate abstraction provides a uniform
scheme for synthesizing invariants