Modular Verification with Shared Abstractions

1. Modular Verification with Shared Abstractions Uri Juhasz Noam Rinetzky Arnd Poetzsch-Heffter Mooly Sagiv Eran Yahav

2. research problem • Goal: Hoare style verification of ADTs, where ADT instances may have a shared representation • 2 Lists Data Structures with shared list of node objects • 2 PairIterators sharing an Iterator • We aim for a program analysis • problem: a mutation of the shared state via one ADT instance may change the “logical” state of the other instances

3. Class Integer { private int val =0; public void inc() { this.val++; } public int val() { return this.val; } } Class Client { Integer i = new Integer(); Wrapper w= new Wrapper(i); assert(w.val() == 0); i.inc(); assert(w.val() == 1); } Example Class Wrapper { Integer wi; Wrapper(Integer in) { this.wi=in; } int val() { return this.wi.val(); } }

4. things change!

5. things change! If someone is going to pull the rug out fromunder your feet you better know how to jump

6. Class Integer { private int val =0; public void inc() { this.val++; } public int val() { return this.val; } } Class Client { Integer i = new Integer(); Wrapper w= new Wrapper(i); assert(w.val() == 0); i.inc(); assert(w.val() == 1); } Running Example Class Wrapper { Integer wi; Wrapper(Integer in) { this.wi=in; } int val() { return this.wi.val(); } }

7. Concrete Heap Client The state before the call i.inc() w Wrapper i wi Integer val=0

8. Concrete + Model Heap Client The state before the call i.inc() Abstract value (model field) in blue w Wrapper wv=0 i rep wv =rep.v wi Integer val=0 v=0 v=val

9. call Client The state before the call i.inc() Abstract value (model field) in blue w Wrapper wv=0 i rep wv =rep.v Integer val=0 v=val

10. entry Client The state after the call, at entry to the Integer code ( inc() ) Abstract value (model field) in blue w Wrapper wv=0 i rep wv =rep.v v=0 val=0 v=val Concrete value (private field) in black

11. Exit 1/2 Client The state after the body of the Integer method has finished, before it returns control to the client. Abstract value (model field) in blue w Wrapper wv=0 i rep wv =rep.v v=0 val=1 v=val (Modified) concrete value (private field) in red

12. Exit 2/2 Client The state after the body of the Integer method has finished, before it returns control to the client. Abstract value (model field) in blue w Wrapper wv=0 i rep wv =rep.v v=1 val=1 v=val (Modified) abstract value (model field) in red

13. Return 1/2 Client The state after updating abstract values, before return to the client. w Wrapper wv=0 i rep wv =rep.v v=1 v=val (modified) abstract value (model field) in red

14. Return 2/2 Client The state after updating abstract values, before return to the client. (modified) abstract value (model field) in red w Wrapper wv=1 i rep wv =rep.v v=1 v=val

15. summary maintain a DAG of components • component ~ an ADT instance • every component has an abstract state • maintain dependencies between components, such that the dependencies reflect the sharing • Reference model fields • update abstract value of model fields when shared part is changed • delay update of effected model fields • wait until they are “back in context”

16. Concrete + Model Heap

17. Representing shared ADTs example: representing 2 ADTs (x and z) sharing a third one (y). Matthew’s approach [POPL’05] Uri’s approach x x z z y y S(y) P(x,y) P(x,y) Q(z,y) Q(z,y) S(y)

18. Thank You