Abstract
The correctness of many algorithms and data structures depends on reachability properties, that is, on the existence of chains of references between objects in the heap. Reasoning about reachability is difficult for two main reasons. First, any heap modification may affect an unbounded number of reference chains, which complicates modular verification, in particular, framing. Second, general graph reachability is not supported by first-order SMT solvers, which impedes automatic verification.
In this paper, we present a modular specification and verification technique for reachability properties in separation logic. For each method, we specify reachability only locally within the fragment of the heap on which the method operates. We identify relative convexity, a novel relation between the heap fragments of a client and a callee, which enables (first-order) reachability framing, that is, extending reachability properties from the heap fragment of a callee to the larger fragment of its client; this makes precise procedure-modular reasoning possible. Our technique supports practically important heap structures, namely acyclic graphs with a bounded outdegree as well as (potentially cyclic) graphs with at most one path (modulo cycles) between each pair of nodes. The integration into separation logic allows us to reason about reachability and other properties in a uniform way, to verify concurrent programs, and to automate our technique via existing separation logic verifiers. We demonstrate that our verification technique is amenable to SMT-based verification by encoding a number of benchmark examples into the Viper verification infrastructure.
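As an added illustration (not code from the paper or its Viper artifact), the following Python model checks a heap graph against the two structure classes named in the abstract and measures why framing is hard: one field update can invalidate a number of reachability facts that grows with the size of the structure. The one-path check implements our reading of "at most one path (modulo cycles)" as "at most one simple path between any two distinct nodes"; the sample heaps are constructed.

```python
# Constructed sample heaps: node -> list of successors, one entry per reference field.
LIST = {i: [i + 1] if i < 5 else [] for i in range(6)}        # 0 -> 1 -> ... -> 5
DIAMOND = {"a": ["b", "c"], "b": ["d"], "c": ["d"], "d": []}   # acyclic, two routes a ~> d
RING = {"x": ["y"], "y": ["z"], "z": ["x"]}                    # cyclic, one route per pair
RING_CHORD = {"x": ["y", "z"], "y": ["z"], "z": ["x"]}         # x ~> z directly or via y

def is_acyclic(graph):
    colour = {n: 0 for n in graph}        # 0 unvisited, 1 on the DFS stack, 2 finished
    def visit(n):
        colour[n] = 1
        for s in graph[n]:
            if colour[s] == 1 or (colour[s] == 0 and not visit(s)):
                return False              # back edge: a cycle
        colour[n] = 2
        return True
    return all(colour[n] != 0 or visit(n) for n in graph)

def is_bounded_dag(graph, k):
    """Class 1 from the abstract: acyclic, with at most k references per node."""
    return is_acyclic(graph) and all(len(s) <= k for s in graph.values())

def count_simple_paths(graph, src, dst, seen=frozenset()):
    """Paths src ~> dst that never revisit a node, so cycles are not counted twice."""
    if src == dst:
        return 1
    seen = seen | {src}
    return sum(count_simple_paths(graph, s, dst, seen)
               for s in graph[src] if s not in seen)

def is_one_path_graph(graph):
    """Class 2 (our reading): at most one simple path between any two distinct nodes."""
    return all(count_simple_paths(graph, u, v) <= 1
               for u in graph for v in graph if u != v)

def reachable_pairs(graph):
    """Ordered pairs (u, v), u != v, joined by a non-empty chain of references."""
    pairs = set()
    for u in graph:
        stack, seen = list(graph[u]), set()
        while stack:
            v = stack.pop()
            if v not in seen:
                seen.add(v)
                stack.extend(graph[v])
        pairs |= {(u, v) for v in seen if v != u}
    return pairs

def facts_lost_by_one_write(graph, u, v):
    """Reachability facts invalidated by the single update u.f := null (removing u -> v)."""
    after = {n: [s for s in succs if (n, s) != (u, v)] for n, succs in graph.items()}
    return len(reachable_pairs(graph) - reachable_pairs(after))
```

Unlinking the single reference 2 -> 3 in the six-node list invalidates 9 of its 15 reachability facts; for a list of length 2n the same write invalidates n squared of them, which is the unbounded effect that local specification and reachability framing are designed to contain.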
Modular verification of heap reachability properties in separation logic