Techniques for proving programs with pointers A. Tikhomirov

Why is it important? Every program works not only with stack but stores intermediate data in heap and use pointers to operate with heap. Common program verification techniques couldn’t work with pointers and heap. 2

SEPARATION LOGIC John C. Reynolds, Peter O’Hearn 3

Fail using Hoare Logic Structure of Hoare Logic assignment judgment couldn't work with heap. int x = 5; int *y = &x; // *y = 5 x = 3; // *y = 3 Hoare logic doesn’t specify holding of *y 4 FAIL

Separation Logic Representing the Heap Assertions empty heap singleton heap separating conjunction separating implication 5

Separation Logic Asserts that x points to an adjacent pair of cells containing u, v (x stores address α and the heap maps α into u and (α +1) into v) 6

Singleton heap Reference pointer to some cell Asserts that x points to an adjacent pair of sells containing 1 and y. 7

Separating conjunction 8 The separating conjunction constructs a heap property from two disjoint heaps

Logical conjunction Could be ambiguous in heap, x and y could be aliases,or disjoint. 9

Lists List representation 10

Frame rule Frame rule: This rule holds as long as free variables in s not mentioned in R. 11

Allocation Allocation rule (local): Allocation rule (global): 12

Deallocation Dispose rule (local): Dispose rule (global): 13

Heap write (mutation) Mutation forward rule (local): Mutation forward rule (global): 14

Examples of Operational Semantics 15 Allocation x := cons(y, z) Heap lookup y := [x+1] Mutation [x + 1] := 3 Deallocation dispose(x+1) Store: [x:3, y:40, z:17] Heap: empty Store: [x:37, y:40, z:17] Heap: [37:40, 38:17] Store: [x:37, y:17, z:17] Heap: [37:40, 38:3] Store: [x:37, y:17, z:17] Heap: [37:40, 38:17] Store: [x:37, y:17, z:17] Heap: [37:40]

Example: Swap Function in which the contents of two heap cells are swapped: t1 := [v1] t2 := [v2] [v1] := t2 [v2] := t1 16

Example: Swap void swap (int* v1, int* v2) { t1:= [v1] t2 := [v2] [v1] := t2 [v2] := t1 } 17 // {v1 > v1’ * v2 > v2’} // {t1 = v1’ & v1 > v1’ * v2 > v2’} // {t1 = v1’ & t2 = v2’ & v1 > v1’ * v2 > v2’} // {t1 = v1’ & t2 = v2’ & v1 > v2’ * v2 > v2’} // {t1 = v1’ & t2 = v2’ & v1 > v2’ * v2 > v1’}

Example: Doubly Indirect References Mutating the value of a double indirect reference (a pointer to a pointer): 18

Example: Doubly Indirect References void write (int** p, int v) { t:= [p] [t] := v } 19 // {p > w * w > —} // {p > w}Frame rule – begin // {t = w & p > w}Mutation // {t = w & p > w * w > —} Frame rule — end // {t = w & w > —}Frame rule — begin // {t = w & w > v}Mutation // {t = W & p > w * w > v}Frame rule — end // {p > w * w > v}Remove extra stack assertion

Example: Doubly Indirect References Attempting to aggressively apply Frame rule to entire block would result in a stuck proof. void write (int** p, int v) { // {p > w * w > —} // {p > w}Frame rule – begin t:= [p] // {t = w & p > w}Mutation [t] := v // {??}Stuck – no mapping for w // {t = W & p > w * w > v}Frame rule — end } 20

Example: DeleteTree 21 void deleteTree (t) { local i,j; if (t != nil) { i = [t] j = [t+1] deleteTree(j) deleteTree(i) dispose(t) } // {tree(t)} // {tree(t) ^ t != nil} // { ∃ x,y. t > (x,y) * tree(x) * tree(y)} // {emp} // {t > (i,j) * tree(i) * tree(j)} // {t > (i,j) * tree(i)} // {t > (i,j) * nil} // {emp}

Example: List reverse 22 list reverse (x) { y = nil; while (x != nil) { t := [x]; x := [y]; y := x; x := t; } return y; } // {list(x)} // {list(y)} // {list(x) * list(y)} // {x != nil ^ list(x) * list(y)} // {x > t ^ list(t) * list(y)} // {x > y ^ list(x) * list(y)} // {list(t) * list(x)} // {list(t) * list(y)} // {list(x) * list(y)} // {x = nil ^ list(x) * list(y)}

Conclusion Extension of Hoare logic – Could use verification tools, that work with Hoare logic For automatic proving – Assertions – Pre and post-conditions 23

SHAPE ANALYSIS Reinhard Wilhelm, Mooly Sagiv, Thomas Reps 24

Shape Analysis Somewhat constrained view of programs Static code analysis Program verification 25

Destructive Reverse 26

Input to reverse (a) lists of length at least 2 (b) list of length 1 27

Input to reverse List structure of size from 0 to 4 28

Graph interpretation Rectangle box containing p represent pointer variable p Ovals – abstract locations – solid – represents exactly one heap cell – dotted – represent one or more heap cells Edge – label c between locations m and m’ – solid – c component of m will point to m’ – dotted - c component of m may point to m’ 29

3-value logic solid means “always holds” absent means “never hold” dotted means “don’t know” 30

Execution states (a) – shape arise before executing x=x->n (b) & – (c) after executing x=x->n on shape (a) 31

Insert algorithm The same list structure 32

Execution States (1) 33 y = x; while (y->n != NULL) {y = y->n}

Execution States (2) 34 t = malloc(); t -> data = n

Execution States (3) 35 e = y->n;

Execution States (4) 36 t->n = NULL; t->n = e;

Execution States (5) 37 y->n = NULL;

Execution States (6) 38 y->n = t;

Conclusion Code analysis – NULL-pointers; – May-Alias; – Must-Alias; – Sharing; – Reachability; – Disjointness; – Cyclicity; – Shape; 39