DOI: 10.1145/1328438.1328461 (POPL conference proceedings, research article)

Back to the future: revisiting precise program verification using SMT solvers

Published: 07 January 2008

ABSTRACT

This paper takes a fresh look at the problem of precise verification of heap-manipulating programs using first-order Satisfiability-Modulo-Theories (SMT) solvers. We augment the specification logic of such solvers by introducing the Logic of Interpreted Sets and Bounded Quantification for specifying properties of heap-manipulating programs. Our logic is expressive, closed under weakest preconditions, and efficiently implementable on top of existing SMT solvers. We have created a prototype implementation of our logic over the solvers Simplify and Z3 and used our prototype to verify many programs. Our preliminary experience is encouraging: the completeness and the efficiency of the decision procedure are clearly evident in practice and have greatly improved the user experience of the verifier.

