ABSTRACT
This paper takes a fresh look at the problem of precise verification of heap-manipulating programs using first-order Satisfiability-Modulo-Theories (SMT) solvers. We augment the specification logic of such solvers by introducing the Logic of Interpreted Sets and Bounded Quantification for specifying properties of heap-manipulating programs. Our logic is expressive, closed under weakest preconditions, and efficiently implementable on top of existing SMT solvers. We have created a prototype implementation of our logic over the solvers Simplify and Z3 and used our prototype to verify many programs. Our preliminary experience is encouraging; the completeness and the efficiency of the decision procedure are clearly evident in practice and have greatly improved the user experience of the verifier.
Back to the future: revisiting precise program verification using SMT solvers. Published in POPL '08.