
Simulating Reachability using First-Order Logic with Applications to Verification of Linked Data Structures. Tal Lev-Ami (1), Neil Immerman (2), Tom Reps (3), Mooly Sagiv (1), Siddharth Srivastava (2) and Greta Yorsh (1). (1) Tel Aviv University (2) University of Massachusetts-Amherst (3) University of Wisconsin-Madison



  1. Simulating Reachability using First-Order Logic with Applications to Verification of Linked Data Structures Tal Lev-Ami (1), Neil Immerman (2), Tom Reps (3), Mooly Sagiv (1), Siddharth Srivastava (2) and Greta Yorsh (1). (1) Tel Aviv University (2) University of Massachusetts-Amherst (3) University of Wisconsin-Madison. CADE 2005

  2. Applications of TC in verification • Transitive closure is natural for reasoning about linked data structures • Element (v) of a list (pointed to by x) • ∃w. x(w) ∧ n*(w,v) • Acyclicity • ∀v1,v2. n(v1,v2) → ¬n*(v2,v1) • Unreachable objects (garbage) • ∃v2. ∀v1. Var(v1) → ¬f*(v1,v2) • Deadlocks

  3. Automated reasoning for FOL • Powerful tools available for automated reasoning in FOL (with equality) • Resolution • SPASS, Vampire, … • Nelson-Oppen • Simplify, Zapato, … • … • Prove, disprove (or diverge)

  4. What about FOL+TC? • No known tools for automated reasoning in full FOL+TC • No surprise – TC is very powerful; even small fragments of FOL become undecidable with the addition of TC • C2, … • No R.E. axiomatization of TC in FOL

  5. Agenda • Verifying heap-manipulating programs • Initial axiomatization • Induction axiom scheme • Automating axiom instantiation • Conclusion

  6. Verifying heap-manipulating programs • Heap objects: Individuals • Reference variables: Unary relation symbols • x(v), y(v) – if v is pointed to by x, y • Fields: Binary relation symbols • n(v,w) – the n field of v points to w

  7. Reflexive transitive closure • n*(v1,v2) • v2 is reachable from v1 by following 0 or more n-fields • n*(v1,v2) is the least fixed point of ntc in • ∀v1,v2. ntc(v1,v2) ↔ (v1=v2) ∨ ∃w. n(v1,w) ∧ ntc(w,v2) or • ∀v1,v2. ntc(v1,v2) ↔ (v1=v2) ∨ ∃w. ntc(v1,w) ∧ n(w,v2)

  8. Verification example • A list pointed to by x • A list pointed to by y • Show that • x ≠ y → the lists are disjoint

  9. Premise • Unary reachability (shorthand) • ∀v. r_{z,n}(v) ↔ ∃w. z(w) ∧ n*(w,v) • No heap sharing • ∀v,v1,v2. n(v1,v) ∧ n(v2,v) → v1=v2 • No incoming edges to x and y • ∀v,w. x(v) ∨ y(v) → ¬n(w,v) • x and y are unique and different • ∀v1,v2. x(v1) ∧ x(v2) → v1=v2 • ∀v1,v2. y(v1) ∧ y(v2) → v1=v2 • ∀v. ¬(x(v) ∧ y(v))

  10. Goal • The lists pointed to by x and y are disjoint • ∀v. ¬(r_{x,n}(v) ∧ r_{y,n}(v))

  11. Approximating TC in FOL • Extend vocabulary with new binary relation symbol ntc • Replace all occurrences of n* with ntc • Add ‘Natural’ axioms • ∀v1,v2. ntc(v1,v2) ↔ (v1=v2) ∨ ∃w. n(v1,w) ∧ ntc(w,v2) • ∀v1,v2. ntc(v1,v2) ↔ (v1=v2) ∨ ∃w. ntc(v1,w) ∧ n(w,v2) • The problem – minimality • Least fixed point is not expressible in FOL

  12. TC-models • TC-model - a model M s.t. • if n and ntc are in the vocabulary of M, then • (ntc)M = (nM)*, i.e., M interprets ntc as the reflexive, transitive closure of its interpretation of n • A set of axioms (axiomatization) Σ is • TC-valid - if Σ is true in every TC-model. • TC-complete - if for every formula φ that is true in all TC-models, Σ ⊢ φ

  13. Approximating TC in FOL • Natural axiomatization is TC-complete for acyclic finite models • Not TC-complete otherwise • Negative occurrences of TC are the problem • TC-valid formulas with only positive occurrences of TC are implied from the natural axiomatization

  14. Problems: cycles [figure: four nodes u1, u2, u3, u4 joined by n-edges into cycles, with ntc drawn between every pair of nodes, so n* ≠ ntc; in a TC-model n* = ntc] • Both natural axioms hold in the pictured model: ∀v1,v2. ntc(v1,v2) ↔ (v1=v2) ∨ ∃w. n(v1,w) ∧ ntc(w,v2) and ∀v1,v2. ntc(v1,v2) ↔ (v1=v2) ∨ ∃w. ntc(v1,w) ∧ n(w,v2)

  15. Problems: infinite models [figure: two infinite n-chains, one pointed to by x and one by y; in the x chain n* = ntc as in a TC-model, while in the y chain n* ≠ ntc]

  16. Problems: infinite models • Existing FOL theorem provers cannot be restricted to finite models • Finiteness is not FOL expressible

  17. Induction axiom scheme • IND[P,Z,n] = (∀w. Z(w) → P(w)) ∧ (∀w1,w2. P(w1) ∧ n(w1,w2) → P(w2)) → (∀w1,w2. Z(w1) ∧ ntc(w1,w2) → P(w2)) • Incomplete • Complete axiomatization is non-R.E. • How to choose Z and P?

  18. Choosing axiom instantiations • Hard to find Z and P to instantiate IND directly • Introduce new axiom schemes provable from IND in FOL • Add enough axioms to Σ to prove target formula • Used in practice to prove interesting examples

  19. Ideas towards solution • Reasoning about edges toward reasoning about paths • Reasoning about one type of paths toward reasoning about another type

  20. Coloring axioms • Start with transitivity • ∀w1,w2,w3. ntc(w1,w2) ∧ ntc(w2,w3) → ntc(w1,w3) • Add instances of coloring axiom schemes • NoExit • NewStart

  21. NoExit [figure: a coloured region A with no n-edge leaving it] • NoExit[A,n] = (∀w1,w2. A(w1) ∧ n(w1,w2) → A(w2)) → (∀w1,w2. A(w1) ∧ ntc(w1,w2) → A(w2))
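The cycle problem of slide 14 and the NoExit axiom of slide 21, checked on a small finite model. This is an added example, not code from the paper or from the authors' prototype; the four-node heap (two disjoint n-cycles), the candidate ntc that relates every pair, and the colour set A = {u1, u2} are all constructed for the illustration. It computes the intended n*, checks whether a candidate ntc satisfies the two natural axioms, and then checks the NoExit instance for A.

```python
from itertools import product

# Constructed finite model in the spirit of slide 14 (an assumption, not the
# paper's figure): two disjoint n-cycles u1 <-> u2 and u3 <-> u4.
NODES = ["u1", "u2", "u3", "u4"]
N_EDGES = {("u1", "u2"), ("u2", "u1"), ("u3", "u4"), ("u4", "u3")}


def reflexive_transitive_closure(nodes, edges):
    """The intended meaning of n*: the least fixed point of the ntc equation."""
    closure = {(v, v) for v in nodes}
    changed = True
    while changed:
        changed = False
        for (a, b) in list(closure):
            for (c, d) in edges:
                if b == c and (a, d) not in closure:
                    closure.add((a, d))
                    changed = True
    return closure


def satisfies_natural_axioms(nodes, edges, ntc):
    """Both 'natural' axioms of slides 7/11 for a candidate ntc:
       ntc(v1,v2) <-> v1=v2 or exists w. n(v1,w) and ntc(w,v2)
       ntc(v1,v2) <-> v1=v2 or exists w. ntc(v1,w) and n(w,v2)"""
    for v1, v2 in product(nodes, repeat=2):
        lhs = (v1, v2) in ntc
        head = v1 == v2 or any((v1, w) in edges and (w, v2) in ntc for w in nodes)
        tail = v1 == v2 or any((v1, w) in ntc and (w, v2) in edges for w in nodes)
        if lhs != head or lhs != tail:
            return False
    return True


def no_exit_holds(edges, ntc, colour):
    """NoExit[A,n] (slide 21): if A is closed under n-edges, A must be closed
       under ntc-paths. True when the implication holds in the model."""
    closed_under_n = all(w2 in colour for (w1, w2) in edges if w1 in colour)
    closed_under_ntc = all(w2 in colour for (w1, w2) in ntc if w1 in colour)
    return (not closed_under_n) or closed_under_ntc


def spurious_ntc(nodes):
    """Candidate interpretation from the slide-14 picture: every pair related."""
    return set(product(nodes, repeat=2))


def analyse():
    true_star = reflexive_transitive_closure(NODES, N_EDGES)
    bogus = spurious_ntc(NODES)
    colour = {"u1", "u2"}  # A: one of the two cycles (constructed choice)
    return {
        "bogus_is_tc_model": bogus == true_star,
        "bogus_satisfies_natural": satisfies_natural_axioms(NODES, N_EDGES, bogus),
        "true_satisfies_natural": satisfies_natural_axioms(NODES, N_EDGES, true_star),
        "bogus_noexit": no_exit_holds(N_EDGES, bogus, colour),
        "true_noexit": no_exit_holds(N_EDGES, true_star, colour),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

The total relation passes both natural axioms although it is not the reflexive transitive closure of n, which is exactly the gap slide 14 illustrates; the NoExit instance for A = {u1, u2} fails on it (A is closed under n but the candidate ntc leaves A), while the true closure satisfies the instance. A prover given the natural axioms plus NoExit[A,n] can therefore no longer use this model to block a proof.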

  22. [figure: the infinite-model picture of slide 15 with the roles of x and y swapped; in the y chain n* = ntc as in a TC-model, while in the x chain n* ≠ ntc]

  23. Example revisited [figure: nodes u, u’, v, w with n-edges, where ntc is asserted on one path and ¬ntc on another] • Two lists pointed to by x and y respectively • NoExit[r_{x,n},n] • Axiom Premise: ∀v1,v2. r_{x,n}(v1) ∧ n(v1,v2) → r_{x,n}(v2)

  24. Example revisited • Two lists pointed to by x and y respectively • NoExit[r_{x,n},n] • Axiom Premise: ∀v1,v2. r_{x,n}(v1) ∧ n(v1,v2) → r_{x,n}(v2) • Axiom Conclusion: ∀v1,v2. r_{x,n}(v1) ∧ ntc(v1,v2) → r_{x,n}(v2) • ⇒ disjointness: ∀v. ¬(r_{x,n}(v) ∧ r_{y,n}(v))

  25. NewStart [figure: a coloured region A with g-edges and f-edges]

  26. NewStart [figure: region A with g, f, gtc and ftc edges] • Premise: ∀w1,w2. A(w1) ∧ A(w2) ∧ g(w1,w2) → f(w1,w2)

  27. NewStart [figure: region A with g, f, gtc and ftc edges] • NewStart[A,g,f] = (∀w1,w2. A(w1) ∧ A(w2) ∧ g(w1,w2) → f(w1,w2)) → ∀w1,w2. gtc(w1,w2) → ftc(w1,w2) ∨ ∃w. ¬A(w) ∧ gtc(w1,w) ∧ gtc(w,w2)

  28. NewStart • Important when updating fields • Prove no fields changed within A • Prove no incoming or no outgoing paths to A • Conclude no paths changed within A

  29. Instantiating coloring axiom schemes • Coloring axioms are effective only if they can be automatically instantiated • Verification of imperative programs • Use boolean combinations of program variables and unary reachability • Exponential number of axioms

  30. Incremental algorithm • Axioms are built as Premise → Conclusion • Both closed formulas • Try to prove Premise and only then introduce Conclusion • Try boolean combinations in BFS
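The disjoint-lists example of slides 8-10 and 23-24 together with the incremental instantiation of slides 29-30, run on one concrete heap. This is an added example, not code from the paper or the authors' prototype: the heap (x points to a with list a → b → c, y points to d with list d → e) is constructed for the illustration, and the "try to prove Premise" step, which the prototype hands to SPASS, is replaced here by evaluating the premise directly in the finite model. Candidate colourings A are conjunctions of literals over the unary predicates x, y, r_{x,n}, r_{y,n}, tried in BFS order of literal count; a NoExit conclusion is recorded only when its premise holds.

```python
from itertools import combinations, product

# Constructed heap (an assumption, not the paper's figure):
# x -> a, a -> b -> c; y -> d, d -> e.
NODES = ["a", "b", "c", "d", "e"]
N_EDGES = {("a", "b"), ("b", "c"), ("d", "e")}
VARS = {"x": {"a"}, "y": {"d"}}  # unary relations x(v), y(v) of slide 6


def reachable_from(var_nodes, edges):
    """Unary reachability r_{z,n}(v) = exists w. z(w) and n*(w,v) (slide 9)."""
    reach = set(var_nodes)
    frontier = list(reach)
    while frontier:
        v = frontier.pop()
        for (src, dst) in edges:
            if src == v and dst not in reach:
                reach.add(dst)
                frontier.append(dst)
    return reach


def premises_hold(edges, var):
    """The premises of slide 9, evaluated directly on the finite model."""
    no_sharing = all(v1 == v2
                     for (v1, t1), (v2, t2) in product(edges, repeat=2) if t1 == t2)
    roots = var["x"] | var["y"]
    no_incoming = all(dst not in roots for (_, dst) in edges)
    unique = len(var["x"]) == 1 and len(var["y"]) == 1
    different = var["x"].isdisjoint(var["y"])
    return no_sharing and no_incoming and unique and different


def instantiate_no_exit(nodes, preds, edges):
    """Incremental instantiation of NoExit[A,n] (slides 29-30).
    Returns the labels of the colourings whose premise (A closed under n)
    holds; only for those would the conclusion (A closed under ntc) be added."""
    names = sorted(preds)
    instantiated = []
    for depth in range(1, len(names) + 1):          # BFS: fewer literals first
        for chosen in combinations(names, depth):
            for polarity in product((True, False), repeat=depth):
                colour = {v for v in nodes
                          if all((v in preds[p]) == pos for p, pos in zip(chosen, polarity))}
                if not colour:
                    continue  # vacuous colouring, nothing to learn from it
                premise = all(dst in colour for (src, dst) in edges if src in colour)
                if premise:
                    label = " & ".join(("" if pos else "!") + p
                                       for p, pos in zip(chosen, polarity))
                    instantiated.append(label)
    return instantiated


def run():
    preds = {"x": VARS["x"], "y": VARS["y"],
             "rx": reachable_from(VARS["x"], N_EDGES),
             "ry": reachable_from(VARS["y"], N_EDGES)}
    axioms = instantiate_no_exit(NODES, preds, N_EDGES)
    disjoint = preds["rx"].isdisjoint(preds["ry"])  # goal of slide 10
    return premises_hold(N_EDGES, VARS), axioms, disjoint


if __name__ == "__main__":
    ok, axioms, disjoint = run()
    print("premises hold:", ok)
    print("NoExit instances whose premise holds:", axioms)
    print("goal (lists disjoint):", disjoint)
```

The single-literal colouring rx (the NoExit[r_{x,n},n] instance used on slides 23-24) is among the first instances accepted, while x itself is rejected because the n-edge from the node x points to leaves the colouring; the BFS order keeps the prover from being flooded with the exponentially many larger combinations before the small ones have been tried.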

  31. Prototype implementation • Used to automatically prove partial correctness (given loop invariants) of several interesting programs • Destructive reversal of singly linked list • Destructive append • Simple mark & sweep garbage collector • Use SPASS as underlying theorem prover

  32. Completeness • TC-complete with respect to a theory • Finiteness is expressible with TC • TC-complete axiomatization implies FINITE-VALIDITY is decidable • No R.E. TC-complete axioms with respect to logic with 2 binary relation symbols encoding partial functions

  33. Related work • Nelson’s axiomatization [Nelson ‘83] • Incomplete and follows from IND • Mark & Sweep • Updating transitive closure using FO [Dong, Su ‘95], [Hesse ‘03] • Induction [Bundy ’01] • Inductionless induction [Lankford ‘81] [Comon ‘01] • Decidable logics with TC (e.g. MSO)

  34. Future work • New axioms • Finiteness • END[n]: ∀v. ∃w. ntc(v,w) ∧ ((¬∃u. n(w,u)) ∨ (∃u. n(w,u) ∧ ntc(u,w))) • Fragments of FOL where axiomatization is possible • Integration with TVLA

  35. Thank you
