Abstract
We develop powerful and general techniques to mechanically verify realistic programs that manipulate heap-represented graphs. These graphs can exhibit well-known organization principles, such as being a directed acyclic graph or a disjoint-forest; alternatively, these graphs can be totally unstructured. The common thread for such structures is that they exhibit deep intrinsic sharing and can be expressed using the language of graph theory. We construct a modular and general setup for reasoning about abstract mathematical graphs and use separation logic to define how such abstract graphs are represented concretely in the heap. We develop a Localize rule that enables modular reasoning about such programs, and show how this rule can support existential quantifiers in postconditions and smoothly handle modified program variables. We demonstrate the generality and power of our techniques by integrating them into the Verified Software Toolchain and certifying the correctness of seven graph-manipulating programs written in CompCert C, including a 400-line generational garbage collector for the CertiCoq project. While doing so, we identify two places where the semantics of C is too weak to define generational garbage collectors of the sort used in the OCaml runtime. Our proofs are entirely machine-checked in Coq.
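The following is an added illustration, not text from the paper or its abstract: the proof-rule shape that "localizing" within a shared heap structure relies on. Separation logic's frame rule lets a proof of a command $c$ on a small footprint $P$ be lifted to a larger heap, provided the rest of the heap $F$ is disjoint:

$$\frac{\{P\}\; c\; \{Q\}}{\{P * F\}\; c\; \{Q * F\}}$$

In a graph with deep sharing, the part a command touches cannot be carved out with $*$ alone, because the nodes it reaches are also reachable from the rest of the graph. The ramification rule of Hobor and Villard (POPL 2013) replaces the disjoint frame $F$ with a magic-wand obligation stating how the updated local part $L'$ re-assembles into the updated global graph $G'$:

$$\frac{\{L\}\; c\; \{L'\} \qquad G \vdash L * (L' \mathrel{-\!\!*} G')}{\{G\}\; c\; \{G'\}}$$

The Localize rule named in the abstract addresses the same problem of reasoning about a small region of a shared graph; as the abstract states, it additionally supports existential quantifiers in postconditions and modified program variables, and its exact side conditions are given in the paper, not here. The practical point for a verifier is that the entailment $G \vdash L * (L' \mathrel{-\!\!*} G')$ is a statement about the abstract mathematical graphs, so it can be proved once as graph theory and reused across the C code that manipulates the heap representation.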
Certifying graph-manipulating C programs via localizations within data structures