103 research outputs found
A Notion of Dynamic Interface for Depth-Bounded Object-Oriented Packages
Programmers using software components have to follow protocols that specify
when it is legal to call particular methods with particular arguments. For
example, one cannot use an iterator over a set once the set has been changed
directly or through another iterator. We formalize the notion of dynamic
package interfaces (DPI), which generalize state-machine interfaces for single
objects, and give an algorithm to statically compute a sound abstraction of a
DPI. States of a DPI represent (unbounded) sets of heap configurations and
edges represent the effects of method calls on the heap. We introduce a novel
heap abstract domain based on depth-bounded systems to deal with potentially
unboundedly many objects and the references among them. We have implemented our
algorithm and show that it is effective in computing representations of common
patterns of package usage, such as relationships between viewer and label,
container and iterator, and JDBC statements and cursors
On Verifying Complex Properties using Symbolic Shape Analysis
One of the main challenges in the verification of software systems is the
analysis of unbounded data structures with dynamic memory allocation, such as
linked data structures and arrays. We describe Bohne, a new analysis for
verifying data structures. Bohne verifies data structure operations and shows
that 1) the operations preserve data structure invariants and 2) the operations
satisfy their specifications expressed in terms of changes to the set of
objects stored in the data structure. During the analysis, Bohne infers loop
invariants in the form of disjunctions of universally quantified Boolean
combinations of formulas. To synthesize loop invariants of this form, Bohne
uses a combination of decision procedures for Monadic Second-Order Logic over
trees, SMT-LIB decision procedures (currently CVC Lite), and an automated
reasoner within the Isabelle interactive theorem prover. This architecture
shows that synthesized loop invariants can serve as a useful communication
mechanism between different decision procedures. Using Bohne, we have verified
operations on data structures such as linked lists with iterators and back
pointers, trees with and without parent pointers, two-level skip lists, array
data structures, and sorted lists. We have deployed Bohne in the Hob and Jahob
data structure analysis systems, enabling us to combine Bohne with analyses of
data structure clients and apply it in the context of larger programs. This
report describes the Bohne algorithm as well as techniques that Bohne uses to
reduce the ammount of annotations and the running time of the analysis
IST Austria Technical Report
We present a new decidable logic called TREX for expressing constraints about imperative tree data structures. In particular, TREX supports a transitive closure operator that can express reachability constraints, which often appear in data structure invariants. We show that our logic is closed under weakest precondition computation, which enables its use for automated software verification. We further show that satisfiability of formulas in TREX is decidable in NP. The low complexity makes it an attractive alternative to more expensive logics such as monadic second-order logic (MSOL) over trees, which have been traditionally used for reasoning about tree data structures
Context-Aware Separation Logic
Separation logic is often praised for its ability to closely mimic the
locality of state updates when reasoning about them at the level of assertions.
The prover only needs to concern themselves with the footprint of the
computation at hand, i.e., the part of the state that is actually being
accessed and manipulated. Modern concurrent separation logics lift this local
reasoning principle from the physical state to abstract ghost state. For
instance, these logics allow one to abstract the state of a fine-grained
concurrent data structure by a predicate that provides a client the illusion of
atomic access to the underlying state. However, these abstractions
inadvertently increase the footprint of a computation: when reasoning about a
local low-level state update, one needs to account for its effect on the
abstraction, which encompasses a possibly unbounded portion of the low-level
state. Often this gives the reasoning a global character.
We present context-aware separation logic (CASL) to provide new opportunities
for local reasoning in the presence of rich ghost state abstractions. CASL
introduces the notion of a context of a computation, the part of the concrete
state that is only affected on the abstract level. Contexts give rise to a new
proof rule that allows one to reduce the footprint by the context, provided the
computation preserves the context as an invariant. The context rule complements
the frame rule of separation logic by enabling more local reasoning in cases
where the predicate to be framed is known in advance. We instantiate our
developed theory for the flow framework, which enables local reasoning about
global properties of heap graphs. We then use the instantiation to obtain a
fully local proof of functional correctness for a sequential binary search tree
implementation that is inspired by fine-grained concurrent search structures
Make flows small again: revisiting the flow framework
We present a new flow framework for separation logic reasoning about programs
that manipulate general graphs. The framework overcomes problems in earlier
developments: it is based on standard fixed point theory, guarantees least
flows, rules out vanishing flows, and has an easy to understand notion of
footprint as needed for soundness of the frame rule. In addition, we present
algorithms for automating the frame rule, which we evaluate on graph updates
extracted from linearizability proofs for concurrent data structures. The
evaluation demonstrates that our algorithms help to automate key aspects of
these proofs that have previously relied on user guidance or heuristics
Embedding Hindsight Reasoning in Separation Logic
Proving linearizability of concurrent data structures remains a key challenge
for verification. We present temporal interpolation as a new proof principle to
conduct such proofs using hindsight arguments within concurrent separation
logic. Temporal reasoning offers an easy-to-use alternative to prophecy
variables and has the advantage of structuring proofs into easy-to-discharge
hypotheses. To hindsight theory, our work brings the formal rigor and proof
machinery of concurrent program logics. We substantiate the usefulness of our
development by verifying the linearizability of the Logical Ordering (LO-)tree
and RDCSS. Both of these involve complex proof arguments due to
future-dependent linearization points. The LO-tree additionally features
complex structure overlays. Our proof of the LO-tree is the first formal proof
of this data structure. Interestingly, our formalization revealed an unknown
bug and an existing informal proof as erroneous
- …