verifying properties of well-founded linked lists verifying properties of well-founded linked lists...

Verifying Properties of Verifying Properties of Well-Founded Linked ListsWell-Founded Linked Lists

Verifying Properties of Verifying Properties of Well-Founded Linked ListsWell-Founded Linked Lists

Shuvendu K. Lahiri Shaz Qadeer

Software Reliability ResearchSoftware Reliability Research

Microsoft ResearchMicrosoft Research

– 2 –

Motivation for analyzing linked listsMotivation for analyzing linked lists

Verify control, memory, and API safety of low-Verify control, memory, and API safety of low-level systems codelevel systems code Integers Arrays Singly linked lists Doubly linked lists (acyclic and cyclic)

– 3 –

Motivation for analyzing linked listsMotivation for analyzing linked lists

Verify control, memory, and API safety of low-Verify control, memory, and API safety of low-level systems codelevel systems code Integers Arrays Singly linked lists Doubly linked lists (acyclic and cyclic)

Establish properties about linking structure and Establish properties about linking structure and contentcontent Absence of null dereference, memory leaks All elements of a list have data value 0 List1 and List2 are disjoint

– 4 –

Example: Acyclic linked list iteration Example: Acyclic linked list iteration

//@ requires hd != null//@ requires hd != null

//@ ensures //@ ensures v v R(hd): v.data = 0 R(hd): v.data = 0

void acyclic_simple(Cell hd) {void acyclic_simple(Cell hd) {

Cell iter = hd;Cell iter = hd;

while (iter != null) {while (iter != null) {

iter.data = 0;iter.data = 0;

iter = iter.next;iter = iter.next;

}}

}}

– 5 –

ProblemProblem

Existing program analyses either lack scalability Existing program analyses either lack scalability or precision for such programs/propertiesor precision for such programs/properties

– 6 –

Reasoning in first-order logicReasoning in first-order logic

Can support many theories important for Can support many theories important for program verificationprogram verification Uninterpreted functions, linear arithmetic, arrays,

quantifiers Reason about programs with a mix of scalar

variables, arithmetic, arrays

Powerful analysis enginesPowerful analysis engines Pioneering work by Nelson-Oppen[’79] Recent advances in SAT-based theorem provers

– 7 –

Program verification and first-order logicProgram verification and first-order logic

Automated software verification toolsAutomated software verification tools SLAM, BLAST, MAGIC,… ESC/JAVA, Boogie,..

Perform symbolic reasoning for first-order logic Perform symbolic reasoning for first-order logic Theorem provers to discharge verification

conditions Operations for abstract interpretation (predicate

abstraction, join, ..) Automatic abstraction-refinement

– 8 –

Linked lists and reachLinked lists and reach

Class Cell {Class Cell {

int data;int data;

Cell next;Cell next;

};};

RR(u(u) = Set of cells reachable from ) = Set of cells reachable from uu using using nextnext field field

= {u, u.next, u.next.next,…} = {u, u.next, u.next.next,…}

xx

RR((xx))

– 9 –

Example Example

Acyclic linked list iterationAcyclic linked list iteration








}}

}}

hdhd iteriter

Visited = Visited = R(hd)\ R(iter)R(hd)\ R(iter)

Loop invariantLoop invariantu u Visited: Visited: u.data = 0u.data = 0

– 10 –

Reachability predicateReachability predicate

Need to reason about Need to reason about reachability reachability predicate predicate e.g. u R(x): u.data = 0

Need axioms to relate the field Need axioms to relate the field nextnext and and RR

However, reachability can’t be modeled in first-However, reachability can’t be modeled in first-order logicorder logic Finite first-order axiomatization of reachability

impossible

– 11 –

Motivation for this workMotivation for this work

Simple axioms may suffice for many examples

Provide a first-order axiomatization of Provide a first-order axiomatization of ReachReach Necessarily incomplete First investigated by Nelson [POPL’83]

Enable list manipulating programs (also Enable list manipulating programs (also containing integers, arrays etc.) to be containing integers, arrays etc.) to be analyzed uniformlyanalyzed uniformly Can leverage first-order reasoning Predicate abstraction,… Abstraction refinement

– 12 –

Example Example









}}

}}

hdhd iteriter



Axiom for Axiom for reach:reach:u, u, v : v : v v R(u) R(u)

(v = u (v = u ( (u.next u.next null null v v R(u.next))R(u.next))))

– 13 –

Example Example









}}

}}


Axiom for Axiom for reach:reach:u, u, v : v : v v R(u) R(u)

(v = u (v = u ( (u.next u.next null null v v R(u.next))R(u.next))))

Axiom sufficient to

prove the

Axiom sufficient to

prove the

example

example

hdhd iteriter


– 14 –

Rest of the talkRest of the talk

How toHow to Handle cyclic lists Handle destructive updates Generate first-order axioms for Reach

Well-founded linked listsWell-founded linked lists How it makes the above tasks amenable

ResultsResults

Deciding ground fragment with Deciding ground fragment with ReachReach predicate predicate

– 15 –

Part1: Cyclic List TraversalPart1: Cyclic List Traversal

Cyclic linked list iterationCyclic linked list iteration

//@ requires hd points to a cyclic list//@ requires hd points to a cyclic list


void cyclic_simple(Cell hd) {void cyclic_simple(Cell hd) {

hd.data = 0;hd.data = 0;

iter = hd.next;iter = hd.next;

while (iter != hd) {while (iter != hd) {



}}

}}

iteriter

Visited = ? Visited = ?

hdhd

No way to express No way to express VisitedVisited using R aloneusing R alone

R for every cell in the cycle R for every cell in the cycle contains all the cells in the cyclecontains all the cells in the cycle

– 16 –

Cyclic List TraversalCyclic List Traversal










}}

}}

iteriter

Visited = ? Visited = ?

hdhd

Proving even null-dereference Proving even null-dereference is non-trivialis non-trivial

– 17 –

ObservationObservation

Usually, every cycle of “next” has at least one Usually, every cycle of “next” has at least one distinguished celldistinguished cell Usually, the “head” of the list This cell breaks the symmetry in the list

For each linking field “f”, a subset of fields in For each linking field “f”, a subset of fields in the heap are headsthe heap are heads Denoted by Hf

Cells denoted by Always includes null

– 18 –

New Predicates Rf and Bf New Predicates Rf and Bf

Hf = Set of head cells for field f

RRff(u) (u) Set of cells u, u.f, u.f.f,…,

until the first cell in H

BBff(u) (u) The first cell from the

sequence u.f, u.f.f, …, that belongs to H

The “block” for u

xx yy

RRff(x)(x)

RRff(z)(z)

zz

xx

yy

BBff(x) = null(x) = null

BBff(x) = y(x) = yBBff(y) = x(y) = xBBff(z) = x(z) = x

– 19 –

Well-founded heapWell-founded heap

Given Hf, a set of “head” cells for a field f

Well-founded field Well-founded field ff For any cell u, the sequence u.f, u.f.f, …, intersects

with a cell in Hf

Well-founded heapWell-founded heap Every linking field f is well-founded wrt to Hf

i.e., every f cycle has at least one Hf cell

– 20 –

Programming methodologyProgramming methodology

Programmer must supply Programmer must supply HHff

Every mutation of the linking field Every mutation of the linking field ff is is required to preserve well-foundednessrequired to preserve well-foundedness

Restricted to programs maninpulating well Restricted to programs maninpulating well founded heaps onlyfounded heaps only Almost all list programs obey this restriction

– 21 –











}}

}}

iteriter

hdhd

Visited = ?Visited = ?

– 22 –



//@ requires hd //@ requires hd H H B(hd) = hd B(hd) = hd








}}

}}

iteriter

R(iter)R(iter)

hdhd

Visited Visited = (iter = hd) = (iter = hd) ? R(iter) ? R(iter) : R(hd) \ R(iter): R(hd) \ R(iter)

Loop invariant:Loop invariant: u u Visited: Visited: u.data = 0u.data = 0 B(iter) = hdB(iter) = hd

– 23 –

Axioms RequiredAxioms Required

Axiom for RAxiom for R

v v R (u) R (u) (v = u (v = u (u.next (u.next H H v v RR (u.next))(u.next))

v v RR (u) (u) (v = u (v = u (u.next (u.next null null v v RR (u.next))(u.next))

Axiom for BAxiom for B

BB (u) = u.next (u) = u.next H ? u.next : BH ? u.next : B (u.next)(u.next)

Able to prove the example (similar to acyclic case) with Able to prove the example (similar to acyclic case) with these axiomsthese axioms

– 24 –

Part 2: Destructive updatesPart 2: Destructive updates

x.f := y

IssuesIssues R, B need to be updated

Since f is updated Destructive updates may make the heap ill-

foundedFlag such programs as bad

– 25 –

Updates to R, B (some cases)Updates to R, B (some cases)

x.f := y

yy

uxx

yy

uxx

RR (u) = R(u) = R (u) \ R(u) \ R (x) (x) {x} RR (y) (y)

BB (u) = B(u) = B (y) (y)

RR (u) = R(u) = R (u) \ R(u) \ R (x) (x) {x}

BB (u) = y(u) = y

– 26 –

Ensuring well-foundednessEnsuring well-foundedness

x.f := y

yy

xx

Orphan cycle: Cycle with no H cells

Add Add assertassert ( x ( x RR (y) (y) y y H ) before each H ) before each x.f := yx.f := y

– 27 –

Updating cells in HfUpdating cells in Hf

Hf is a program variable now

HHff.Add(x).Add(x) Adds the cell pointed to by x to Hf

Useful when creating a cycle for the first time

HHff.Remove(x).Remove(x) Removes the cell pointed to by x to Hf

Remove one head when two cycles with a head each are fused

Updates to RUpdates to Rff, B, Bf f still remain quantifier-freestill remain quantifier-free

– 28 –

Summary: InstrumentationSummary: Instrumentation

Quantifier-free updates to auxiliary variables Quantifier-free updates to auxiliary variables R, BR, B Similar to acyclic case [Dong & Su ‘95] Very difficult to update R for cyclic lists in general

Instrumentation captures “well-foundedness” Instrumentation captures “well-foundedness” preciselyprecisely The instrumented program goes wrong (violates

an assertion) iff the source program

1. goes wrong (violates some assertions), or

2. heap of the source program becomes not well-founded

– 29 –

Part 3: Axioms RequiredPart 3: Axioms Required

Base axiom for RBase axiom for R

v v RR (u) (u) (v = u (v = u (u.next (u.next H H v v RR (u.next))(u.next))

Base axiom for BBase axiom for BB (u) = u.next H ? u.next : B (u.next)

Fundamental axiomsFundamental axioms The axioms capture the intended meaning of R and B

in any finite and well-founded state of the program

– 30 –

Generating new axiomsGenerating new axioms

Not possible to express finiteness and well-foundedness in first-order logic

Derive new axioms from the base axiomsDerive new axioms from the base axioms Using induction

For well-founded heapsFor well-founded heaps We provide an induction principle to generate

derived axioms from base axioms

– 31 –

Induction principleInduction principle

Proposed axiom: u. P(u) To prove P(u) for any cell u in a finite well-

founded heap

Base CaseBase Case u.f H P(u) Establish for all u at a distance 1 from H cells

Induction StepInduction Step1. u.f H (P(u.f) P(u))

2. u.f has a shorter distance to H than u (well-founded induction)

– 32 –

Some derived axiomsSome derived axioms

TransitivityTransitivity R (u,v) R (v,w) R (u,w)

AntisymmetryAntisymmetry R (u,v) R (v,u) u = v

BlockBlock R (u,v) v H u = v

Bounded distinctnessBounded distinctness All cells in the set {u, u.f,…,} until the first H cell

are distinct from each other Instantiate this for bounded sizes (e.g. 1)

u.f H u u.f

– 33 –

Derived AxiomsDerived Axioms

Set of axioms are fairly fundamental properties Set of axioms are fairly fundamental properties and fairly intuitiveand fairly intuitive Can be easily proved from the base axioms using

the induction principle

Suffice for a large set of examplesSuffice for a large set of examples Otherwise derive new axioms using the base

axioms and induction

– 34 –

Benefits of well-founded listsBenefits of well-founded lists

1.1. Set of required axioms almost similar to Set of required axioms almost similar to acyclic caseacyclic case

2.2. Allows us to update Allows us to update RRff, B, Bff relations using relations using simple quantifier-free formulassimple quantifier-free formulas

3.3. Provides an induction principle to establish Provides an induction principle to establish derived axioms easilyderived axioms easily

– 35 –

Experimental setupExperimental setup

InstrumentationAdd R, B

+ Updates+ Assertions

VC Generator(UCLID)

Theorem Prover(UCLID)

Axioms for R, B

AnnotatedSource

Program

Proved/Failure

– 36 –

UCLIDUCLID

Verification system for systems modeled in Verification system for systems modeled in first-order logicfirst-order logic Bryant, Lahiri, Seshia, CAV’02

1.1. Checking verification conditionsChecking verification conditions Uses quantifier instantiation Uses various decision procedures for

uninterpreted functions, arrays, arithmetic

2.2. Inferring loop invariants with indexed Inferring loop invariants with indexed predicate abstractionpredicate abstraction

– 37 –

ExamplesExamples

Simple_cyclicSimple_cyclic List traversal

ReverseReverse In place reversal of an acyclic list

Sorted_insertSorted_insert Inserts a cell in a sorted list Requires arithmetic reasoning

Set_unionSet_union Merges two equivalence classes implemented as cyclic lists

Dlist_removeDlist_remove Removes a cell from a cyclic doubly linked list

– 38 –

ExperimentsExperiments

Proving Verification Conditions (VCs)Proving Verification Conditions (VCs) Most examples take < 1 s

Loop Invariant synthesis using indexed Loop Invariant synthesis using indexed predicate abstractionpredicate abstraction

– 39 –

Synthesizing invariants by indexed predicate abstractionSynthesizing invariants by indexed predicate abstraction

Flanagan & Qadeer POPL’02 Lahiri & Bryant VMCAI ‘04

PrinciplePrinciple Provide a set of predicates P over state variables + “index

variables” XIntuitively X contains heap cells, or indices into arrays

e.g. P = {Rnext(u,v), Bnext (u) = v, a[i] < a[j] + 1, …}

X = {u,v,i,j,…}

TheoremTheorem Indexed predicate abstraction constructs the strongest loop

invariant of the form X: (P)

is a Boolean combination of predicates in P

– 40 –

Synthesizing invariants in UCLIDSynthesizing invariants in UCLID

//@requires null //@requires null H Hnextnext

//@requires B//@requires Bnext next (l) = null(l) = null

//@ensures B//@ensures Bnext next (res) = null(res) = null

//@ensures R//@ensures Rnextnext(res) = R(res) = R00next next (l)(l)

Cell reverse (Cell l){Cell reverse (Cell l){

Cell curr = l;Cell curr = l;

Cell res = null;Cell res = null;

while (curr != null){while (curr != null){

Cell tmp = curr.next;Cell tmp = curr.next;

curr.next = res;curr.next = res;

res = curr;res = curr;

curr = tmp;curr = tmp;

}}

return res;return res;

}}

PredicatesPredicates

X = {X = {uu}}

P = {P = {

uu = null, = null, uu = curr, = curr, uu = res, = res, uu = l = l00, ,

curr = null, l = lcurr = null, l = l00, ,

RRnextnext(curr,(curr,uu), ),

RRnextnext(res,(res,uu), ),

RRnextnext(l,(l,uu), ),

HHnextnext((uu),),

RR00nextnext(l(l00,,uu), ),

BBnextnext((uu) = null) = null

}}

Tool constructs loop invariant in 0.57 Tool constructs loop invariant in 0.57 secsec

– 41 –

Results with Predicate AbstractionResults with Predicate Abstraction Predicates provided manuallyPredicates provided manually

ExampleExample #-Predicates (#-index)#-Predicates (#-index) UCLID UCLID

time (s)time (s)

simple_cyclicsimple_cyclic 15 (1)15 (1) 0.120.12

reversereverse 12 (1)12 (1) 0.570.57

set_unionset_union 24 (1)24 (1) 0.660.66

sorted_insertsorted_insert 21 (2)21 (2) 17.3217.32

dlist_removedlist_remove -- 1.231.23

Used Barcelogic tool for theorem provingUsed Barcelogic tool for theorem proving

Note: Results significantly improved from paperNote: Results significantly improved from paper

– 42 –

Decision procedure for ground fragmentDecision procedure for ground fragment Deciding ground formulas over

Rf(u,v), ~Rf(u,v), u = f(v), u ≠ v, u Hf, u Hf, u =

Bf (v)

Reduce dependency on derived axiomsReduce dependency on derived axioms A complete framework when VCs are quantifier-

free Solving quantifier-free queries after instantiating

quantifiers

ResultResult Checking satisfiability of a conjunction NP-

complete

– 43 –

Related workRelated work

First-order axiomatization of reachabilityFirst-order axiomatization of reachability Nelson ’83, Lev-Ami et al. ’05

First-order reasoning without reachabilityFirst-order reasoning without reachability Necula & McPeak ’05

Shape analysis with 3-valued logicShape analysis with 3-valued logic Sagiv et al. ’99, … TVLA

Predicate abstraction for listsPredicate abstraction for lists Dams et al. ’03, Balaban et al. ’05, Manevich et al. ’05, Bingham

’06

Separation logicSeparation logic O’Hearn et al. ’01, Reynolds ’02,

– 44 –

Conclusions Conclusions

Two new predicates R, B for well-founded Two new predicates R, B for well-founded heapsheaps

Instrumentation of source program with Instrumentation of source program with auxiliary variables for the predicatesauxiliary variables for the predicates

First-order axiomatizationFirst-order axiomatization New induction principle Simpler derived axioms

ImplementationImplementation Leverage first-order theorem provers Indexed predicate abstraction provides a uniform

scheme for synthesizing invariants

verifying properties of well-founded linked lists verifying properties of well-founded linked lists...

Documents