Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Simulating Reachability using First-Order Logic with Applications to Verification of Linked Data Structures Tal Lev-Ami 1, Neil Immerman 2, Tom Reps.

Published byErick Griffin Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Simulating Reachability using First-Order Logic with Applications to Verification of Linked Data Structures Tal Lev-Ami 1, Neil Immerman 2, Tom Reps."— Presentation transcript:

1 1 Simulating Reachability using First-Order Logic with Applications to Verification of Linked Data Structures Tal Lev-Ami 1, Neil Immerman 2, Tom Reps 3, Mooly Sagiv 1, Siddharth Srivastava 2 and Greta Yorsh 1 1 Tel Aviv University 2 University of Massachusetts-Amherst 3 University of Wisconsin-Madison CADE 2005

2 2 Applications of TC in verification Transitive closure is natural for reasoning about linked data structures Element (v) of a list (pointed to by x)  w. x(w)  n*(w,v) Acyclicity  v 1,v 2. n(v 1,v 2 )   n*(v 2,v 1 ) Unreachable objects (garbage)  v 2.  v 1. Var(v 1 )   f*(v 1,v 2 ) Deadlocks

3 3 Automated reasoning for FOL Powerful tools available for automated reasoning in FOL (with equality) Resolution SPASS, Vampire, … Nelson-Oppen Simplify, Zapato, … … Prove, disprove (or diverge)

4 4 What about FOL+TC? No known tools for automated reasoning in full FOL+TC No surprise – TC is very powerful, even small fragments of FOL become undecidable with the addition of TC C 2,  No R.E. axiomatization of TC in FOL

5 5 Agenda Verifying heap-manipulating programs Initial axiomatization Induction axiom scheme Automating axiom instantiation Conclusion

6 6 Verifying heap-manipulating programs Heap objects: Individuals Reference variables: Unary relation symbols x(v), y(v) – if v is pointed to by x, y Fields: Binary relation symbols n(v,w) – the n field of v points to w

7 7 Reflexive transitive closure n*(v 1,v 2 ) v 2 is reachable from v 1 by following 0 or more n-fields n*(v 1,v 2 ) is the least fixed point of n tc in  v 1,v 2.n tc (v 1,v 2 )↔(v 1 =v 2 )  w.n(v 1,w)  n tc (w,v 2 ) or  v 1,v 2.n tc (v 1,v 2 )↔(v 1 =v 2 )  w.n tc (v 1,w)  n(w,v 2 )

8 8 Verification example A list pointed to by x A list pointed to by y Show that x  y  the lists are disjoint

9 9 Premise Unary reachability (shorthand)  v. r z,n (v) ↔  w.z(w)  n*(w,v) No heap sharing  v,v 1,v 2.n(v 1,v)  n(v 2,v)  v 1 =v 2 No incoming edges to x and y  v,w. x(v)  y(v)   n(w, v) x and y are unique and different  v 1,v 2.x(v 1 )  x(v 2 )  v 1 =v 2  v 1,v 2.y(v 1 )  y(v 2 )  v 1 =v 2  v.  (x(v)  y(v))

10 10 Goal The lists pointed to by x and y are disjoint  v. r x,n (v)  r y,n (v)

11 11 Approximating TC in FOL Extend vocabulary with new binary relation symbol n tc Replace all occurrences of n* with n tc Add ‘Natural’ axioms  v 1,v 2.n tc (v 1,v 2 )↔(v 1 =v 2 )  w.n(v 1,w)  n tc (w,v 2 )  v 1,v 2.n tc (v 1,v 2 )↔(v 1 =v 2 )  w.n tc (v 1,w)  n(w,v 2 ) The problem – minimality Least fixed point is not expressible in FOL

12 12 TC-models TC-model - a model M s.t. if n and n tc are in the vocabulary of M, then (n tc ) M = (n M )*, i.e., M interprets n tc as the reflexive, transitive closure of its interpretation of n A set of axioms (axiomatization)  is TC-valid - if  is true in every TC-model. TC-complete - if for every formula  that is true in all TC-models,   

13 13 Approximating TC in FOL Natural axiomatization is TC-complete for acyclic finite models Not TC-complete otherwise Negative occurrences of TC are the problem TC-valid formulas with only positive occurrences of TC are implied from the natural axiomatization

14 14 Problems: cycles n n*=n tc n*  n tc n tc n n n TC-model u1u1 u2u2 u3u3 u4u4  v 1,v 2.n tc (v 1,v 2 )↔(v 1 =v 2 )  w.n(v 1,w)  n tc (w,v 2 )  v 1,v 2.n tc (v 1,v 2 )↔(v 1 =v 2 )  w.n tc (v 1,w)  n(w,v 2 )

15 15 n*=n tc … nnnn x … nnnn y n*  n tc x … nnn … n … nnnn y TC-model Problems: infinite models

16 16 Problems: infinite models Existing FOL theorem provers cannot be restricted to finite models Finiteness is not FOL expressible

17 17 Induction axiom scheme IND[P,Z,n] = (  w. Z(w)  P(w))  (  w 1,w 2. P(w 1 )  n(w 1,w 2 )  P(w 2 ))  (  w 1,w 2. Z(w 1 )  n tc (w 1,w 2 )  P(w 2 )) Incomplete Complete axiomatization is non-R.E. How to choose Z and P?

18 18 Choosing axiom instantiations Hard to find Z and P to instantiate IND directly Introduce new axiom schemes provable from IND in FOL Add enough axioms to  to prove target formula Used in practice to prove interesting examples

19 19 Ideas towards solution Reasoning about edges toward reasoning about paths Reasoning about one type of paths toward reasoning about another type

20 20 Coloring axioms Start with transitivity  w 1,w 2,w 3. n tc (w 1,w 2 )  n tc (w 2,w 3 )  n tc (w 1,w 3 ) Add instances of coloring axiom schemes NoExit NewStart

21 21 A NoExit NoExit[A,n] = (  w 1,w 2. A(w 1 )  n(w 1,w 2 )  A(w 2 ))  (  w 1,w 2. A(w 1 )  n tc (w 1,w 2 )  A(w 2 ))

22 22 n*=n tc … nnnn y … nnnn x n*  n tc y … nnn … n … nnnn x TC-model

23 23 Example Revisited Two lists pointed to by x and y respectively NoExit[  r x,n,n] Axiom Premise  v 1,v 2.  r x,n (v 1 )  n(v 1,v 2 )   r x,n (v 2 ) w n u v ¬n tc n tc x u’ n tc n = =

24 24 Example revisited Two lists pointed to by x and y respectively NoExit[  r x,n,n] Axiom Premise  v 1,v 2.  r x,n (v 1 )  n(v 1,v 2 )   r x,n (v 2 )  v 1,v 2.  r x,n (v 1 )  n tc (v 1,v 2 )   r x,n (v 2 )  disjointness:  v. r x,n (v)  r y,n (v)

25 25 f A g NewStart

26 26 g tc  f tc g tc f A g NewStart  w 1,w 2. A(w 1 )  A(w 2 )  g(w 1,w 2 )  f(w 1,w 2 )

27 27 g tc  f tc g tc f A g NewStart NewStart[A,g,f] = (  w 1,w 2. A(w 1 )  A(w 2 )  g(w 1,w 2 )  f(w 1,w 2 ))   w 1,w 2. g tc (w 1,w 2 )  f tc (w 1,w 2 )   w.  A(w)  g tc (w 1,w)  g tc (w,w 2 )

28 28 NewStart Important when updating fields Prove no fields changed within A Prove no incoming or no outgoing paths to A Conclude no paths changed within A

29 29 Instantiating coloring axiom schemes Coloring axioms are effective only if they can be automatically instantiated Verification of imperative programs Use boolean combinations of program variables and unary reachability Exponential number of axioms

30 30 Incremental algorithm Axioms are built as Premise  Conclusion Both closed formulas Try to prove Premise and only then introduce Conclusion Try boolean combinations in BFS

31 31 Prototype implementation Used to automatically prove partial correctness (given loop invariants) of several interesting programs Destructive reversal of singly linked list Destructive append Simple mark & sweep garbage collector Use SPASS as underlying theorem prover

32 32 Completeness TC-complete with respect to a theory Finiteness is expressible with TC TC-complete axiomatization implies FINITE-VALIDITY is decidable No R.E. TC-complete axioms with respect to logic with 2 binary relation symbols encoding partial functions

33 33 Related work Nelson’s axiomatization [Nelson ‘83] Incomplete and follows from IND Mark & Sweep Updating transitive closure using FO [Dong, Su ‘95], [Hesse ‘03] Induction [Bundy ’01] Inductionless induction [Lankford ‘81] [Comon ‘01] Decidable logics with TC (e.g. MSO)

34 34 Future work New axioms Finiteness END[n]:  v.  w. n tc (v, w)  (  u.  n(w, u))  (  u. n(w, u)  n tc (u, w)) Fragments of FOL where axiomatization is possible Integration with TVLA

35 35 Thank you

Download ppt "1 Simulating Reachability using First-Order Logic with Applications to Verification of Linked Data Structures Tal Lev-Ami 1, Neil Immerman 2, Tom Reps."

Similar presentations

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Lecture 24 MAS 714 Hartmut Klauck

Lecture 24 MAS 714 Hartmut Klauck
Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.

Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
The Theory of NP-Completeness

The Theory of NP-Completeness
1 A Logic of Reachable Patterns in Linked Data-Structures Greta Yorsh joint work with Alexander Rabinovich, Mooly Sagiv Tel Aviv University Antoine Meyer,

1 A Logic of Reachable Patterns in Linked Data-Structures Greta Yorsh joint work with Alexander Rabinovich, Mooly Sagiv Tel Aviv University Antoine Meyer,
1 Cover Algorithms and Their Combination Sumit Gulwani, Madan Musuvathi Microsoft Research, Redmond.

1 Cover Algorithms and Their Combination Sumit Gulwani, Madan Musuvathi Microsoft Research, Redmond.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
1 Finite Model Theory Lecture 10 Second Order Logic.

1 Finite Model Theory Lecture 10 Second Order Logic.
Solving Partial Order Constraints for LPO termination.

Solving Partial Order Constraints for LPO termination.
1 Deciding separation formulas with SAT Ofer Strichman Sanjit A. Seshia Randal E. Bryant School of Computer Science, Carnegie Mellon University.

1 Deciding separation formulas with SAT Ofer Strichman Sanjit A. Seshia Randal E. Bryant School of Computer Science, Carnegie Mellon University.
The Theory of NP-Completeness

The Theory of NP-Completeness
Implicit Typing in Lambda Logic Copyright, 2005 Michael Beeson ESHOL Workshop LPAR-12 Jamaica, 2005.

Implicit Typing in Lambda Logic Copyright, 2005 Michael Beeson ESHOL Workshop LPAR-12 Jamaica, 2005.
Chapter 11: Limitations of Algorithmic Power

Chapter 11: Limitations of Algorithmic Power

Similar presentations

Ads by Google