Post on 05-Feb-2016
1
Simulating Reachability using First-Order Logic with Applications to Verification
of Linked Data Structures
Tal Lev-Ami1, Neil Immerman2, Tom Reps3, Mooly Sagiv1, Siddharth Srivastava2 and Greta Yorsh1
1 Tel Aviv University, 2 University of Massachusetts-Amherst, 3 University of Wisconsin-Madison
CADE 2005
2
Applications of TC in verification
Transitive closure is natural for reasoning about linked data structures
Element v of a list pointed to by x: $\exists w.\ x(w) \wedge n^*(w,v)$
Acyclicity: $\forall v_1,v_2.\ n(v_1,v_2) \to \neg n^*(v_2,v_1)$
Unreachable objects (garbage): $\exists v_2.\ \forall v_1.\ Var(v_1) \to \neg f^*(v_1,v_2)$
Deadlocks
3
Automated reasoning for FOL
Powerful tools available for automated reasoning in FOL (with equality)
Resolution: SPASS, Vampire, …
Nelson-Oppen: Simplify, Zapato, …
…
Prove, disprove (or diverge)
4
What about FOL+TC?
No known tools for automated reasoning in full FOL+TC
No surprise – TC is very powerful; even small fragments of FOL become undecidable with the addition of TC
C2,
No R.E. axiomatization of TC in FOL
5
Agenda
Verifying heap-manipulating programs
Initial axiomatization
Induction axiom scheme
Automating axiom instantiation
Conclusion
6
Verifying heap-manipulating programs
Heap objects: Individuals
Reference variables: unary relation symbols x(v), y(v) – v is pointed to by x (resp. y)
Fields: binary relation symbols n(v,w) – the n field of v points to w
7
Reflexive transitive closure
$n^*(v_1,v_2)$
$v_2$ is reachable from $v_1$ by following 0 or more n-fields
$n^*(v_1,v_2)$ is the least fixed point of ntc in
$\forall v_1,v_2.\ ntc(v_1,v_2) \leftrightarrow (v_1=v_2) \vee \exists w.\ n(v_1,w) \wedge ntc(w,v_2)$
or
$\forall v_1,v_2.\ ntc(v_1,v_2) \leftrightarrow (v_1=v_2) \vee \exists w.\ ntc(v_1,w) \wedge n(w,v_2)$
8
Verification example
A list pointed to by x
A list pointed to by y
Show that if x ≠ y then the two lists are disjoint
9
Premise
Unary reachability (shorthand): $\forall v.\ r_{z,n}(v) \leftrightarrow \exists w.\ z(w) \wedge n^*(w,v)$
No heap sharing: $\forall v,v_1,v_2.\ n(v_1,v) \wedge n(v_2,v) \to v_1=v_2$
No incoming edges to x and y: $\forall v,w.\ x(v) \vee y(v) \to \neg n(w,v)$
x and y are unique and different: $\forall v_1,v_2.\ x(v_1) \wedge x(v_2) \to v_1=v_2$
$\forall v_1,v_2.\ y(v_1) \wedge y(v_2) \to v_1=v_2$
$\forall v.\ \neg(x(v) \wedge y(v))$
10
Goal
The lists pointed to by x and y are disjoint: $\forall v.\ \neg(r_{x,n}(v) \wedge r_{y,n}(v))$
11
Approximating TC in FOL
Extend vocabulary with new binary relation symbol ntc
Replace all occurrences of n* with ntc
Add ‘natural’ axioms:
$\forall v_1,v_2.\ ntc(v_1,v_2) \leftrightarrow (v_1=v_2) \vee \exists w.\ n(v_1,w) \wedge ntc(w,v_2)$
$\forall v_1,v_2.\ ntc(v_1,v_2) \leftrightarrow (v_1=v_2) \vee \exists w.\ ntc(v_1,w) \wedge n(w,v_2)$
The problem – minimality: the least fixed point is not expressible in FOL
12
TC-models
TC-model – a model M such that, if n and ntc are in the vocabulary of M, then
$ntc^M = (n^M)^*$, i.e., M interprets ntc as the reflexive transitive closure of its interpretation of n
A set of axioms (axiomatization) is TC-valid if it is true in every TC-model,
and TC-complete if every formula that is true in all TC-models is provable from it
13
Approximating TC in FOL
Natural axiomatization is TC-complete for acyclic finite models
Not TC-complete otherwise
Negative occurrences of TC are the problem: TC-valid formulas with only positive occurrences of TC are implied by the natural axiomatization
14
Problems: cycles
[Figure: nodes u1, u2, u3, u4 with n and ntc edges; left, a TC-model where n* = ntc; right, an interpretation with extra ntc edges where n* ≠ ntc]
$\forall v_1,v_2.\ ntc(v_1,v_2) \leftrightarrow (v_1=v_2) \vee \exists w.\ n(v_1,w) \wedge ntc(w,v_2)$
$\forall v_1,v_2.\ ntc(v_1,v_2) \leftrightarrow (v_1=v_2) \vee \exists w.\ ntc(v_1,w) \wedge n(w,v_2)$
15
Problems: infinite models
[Figure: infinite n-chains pointed to by x and y; left, a TC-model where n* = ntc; right, an interpretation where n* ≠ ntc]
16
Problems: infinite models
Existing FOL theorem provers cannot be restricted to finite models
Finiteness is not FOL expressible
17
Induction axiom scheme
$\mathrm{IND}[P,Z,n] = (\forall w.\ Z(w) \to P(w)) \wedge (\forall w_1,w_2.\ P(w_1) \wedge n(w_1,w_2) \to P(w_2)) \to (\forall w_1,w_2.\ Z(w_1) \wedge ntc(w_1,w_2) \to P(w_2))$
Incomplete – a complete axiomatization is non-R.E.
How to choose Z and P?
18
Choosing axiom instantiations
Hard to find Z and P to instantiate IND directly
Introduce new axiom schemes provable from IND in FOL
Add enough axioms to prove the target formula
Used in practice to prove interesting examples
19
Ideas towards solution
Reasoning about edges toward reasoning about paths
Reasoning about one type of paths toward reasoning about another type
20
Coloring axioms
Start with transitivity: $\forall w_1,w_2,w_3.\ ntc(w_1,w_2) \wedge ntc(w_2,w_3) \to ntc(w_1,w_3)$
Add instances of coloring axiom schemes: NoExit, NewStart
21
NoExit
[Figure: a set A with n edges inside it and none leaving it]
$\mathrm{NoExit}[A,n] = (\forall w_1,w_2.\ A(w_1) \wedge n(w_1,w_2) \to A(w_2)) \to (\forall w_1,w_2.\ A(w_1) \wedge ntc(w_1,w_2) \to A(w_2))$
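An added worked example, not from the slides or the authors' tool: a small finite-model checker in Python that computes n* as the least fixed point, shows that interpreting ntc as the total relation over two disjoint n-cycles (the cycle problem from slide 14) satisfies both natural axioms without being the TC-model, and that the NoExit instance with A = {u1, u2} rejects that interpretation. The heap and node names are constructed for the example.

```python
from itertools import product

def closure(nodes, n):
    """n*: least fixed point, starting from identity and appending n-edges until stable."""
    tc = {(v, v) for v in nodes}
    while True:
        new = {(a, d) for (a, b) in tc for (c, d) in n if b == c} - tc
        if not new:
            return tc
        tc |= new

def natural_axioms_hold(nodes, n, ntc):
    """Both 'natural' axioms of the slides, evaluated on a finite interpretation of ntc."""
    for v1, v2 in product(nodes, repeat=2):
        fwd = v1 == v2 or any((v1, w) in n and (w, v2) in ntc for w in nodes)
        bwd = v1 == v2 or any((v1, w) in ntc and (w, v2) in n for w in nodes)
        if ((v1, v2) in ntc) != fwd or ((v1, v2) in ntc) != bwd:
            return False
    return True

def no_exit_holds(n, ntc, A):
    """NoExit[A,n]: if A is closed under n-edges it must be closed under ntc-paths."""
    closed_n = all(w2 in A for (w1, w2) in n if w1 in A)
    closed_ntc = all(w2 in A for (w1, w2) in ntc if w1 in A)
    return (not closed_n) or closed_ntc

# Constructed heap: two disjoint n-cycles u1 <-> u2 and u3 <-> u4.
CYC_NODES = ["u1", "u2", "u3", "u4"]
CYC_N = {("u1", "u2"), ("u2", "u1"), ("u3", "u4"), ("u4", "u3")}
CYC_TC = closure(CYC_NODES, CYC_N)                 # the TC-model: ntc = n*
CYC_SPURIOUS = set(product(CYC_NODES, repeat=2))   # ntc relates every pair, across the cycles too

def cycles_demo():
    """(TC-model satisfies natural axioms, spurious model does too, spurious == n*,
    TC-model satisfies NoExit[{u1,u2},n], spurious model satisfies NoExit[{u1,u2},n])."""
    A = {"u1", "u2"}
    return (natural_axioms_hold(CYC_NODES, CYC_N, CYC_TC),
            natural_axioms_hold(CYC_NODES, CYC_N, CYC_SPURIOUS),
            CYC_SPURIOUS == CYC_TC,
            no_exit_holds(CYC_N, CYC_TC, A),
            no_exit_holds(CYC_N, CYC_SPURIOUS, A))

if __name__ == "__main__":
    print(cycles_demo())  # (True, True, False, True, False)
```

The spurious interpretation passes both natural axioms because every node on a cycle has an n-successor and an n-predecessor that is again ntc-related to the far cycle, which is exactly why minimality cannot be enforced by those axioms alone.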
22
[Figure: the infinite-chain example again, lists pointed to by y and x; left, a TC-model where n* = ntc; right, an interpretation where n* ≠ ntc]
23
Example revisited: two lists pointed to by x and y respectively
$\mathrm{NoExit}[r_{x,n}, n]$
Axiom premise: $\forall v_1,v_2.\ r_{x,n}(v_1) \wedge n(v_1,v_2) \to r_{x,n}(v_2)$
[Figure: nodes x, w, u, u', v with n, ntc and ¬ntc edges illustrating why the premise holds]
24
Example revisited: two lists pointed to by x and y respectively
$\mathrm{NoExit}[r_{x,n}, n]$
Axiom premise: $\forall v_1,v_2.\ r_{x,n}(v_1) \wedge n(v_1,v_2) \to r_{x,n}(v_2)$
Axiom conclusion: $\forall v_1,v_2.\ r_{x,n}(v_1) \wedge ntc(v_1,v_2) \to r_{x,n}(v_2)$
Disjointness: $\forall v.\ \neg(r_{x,n}(v) \wedge r_{y,n}(v))$
25
NewStart
[Figure: a set A with f and g edges]
26
NewStart
[Figure: a set A with f and g edges and the induced ftc and gtc paths]
Premise: $\forall w_1,w_2.\ A(w_1) \wedge A(w_2) \wedge g(w_1,w_2) \to f(w_1,w_2)$
27
NewStart
[Figure: a set A with f and g edges and the induced ftc and gtc paths]
$\mathrm{NewStart}[A,g,f] = (\forall w_1,w_2.\ A(w_1) \wedge A(w_2) \wedge g(w_1,w_2) \to f(w_1,w_2)) \to \forall w_1,w_2.\ g_{tc}(w_1,w_2) \to f_{tc}(w_1,w_2) \vee \exists w.\ \neg A(w) \wedge g_{tc}(w_1,w) \wedge g_{tc}(w,w_2)$
28
NewStart
Important when updating fields:
Prove no fields changed within A
Prove no incoming or no outgoing paths to A
Conclude no paths changed within A
29
Instantiating coloring axiom schemes
Coloring axioms are effective only if they can be automatically instantiated
Verification of imperative programs
Use boolean combinations of program variables and unary reachability
Exponential number of axioms
30
Incremental algorithm
Axioms are built as Premise → Conclusion, both closed formulas
Try to prove Premise and only then introduce Conclusion
Try boolean combinations in BFS
31
Prototype implementation
Used to automatically prove partial correctness (given loop invariants) of several interesting programs
Destructive reversal of singly linked list
Destructive append
Simple mark & sweep garbage collector
Use SPASS as underlying theorem prover
32
Completeness
TC-complete with respect to a theory
Finiteness is expressible with TC
TC-complete axiomatization implies FINITE-VALIDITY is decidable
No R.E. TC-complete axioms with respect to logic with 2 binary relation symbols encoding partial functions
33
Related work
Nelson’s axiomatization [Nelson ’83]: incomplete and follows from IND; Mark & Sweep
Updating transitive closure using FO [Dong, Su ’95], [Hesse ’03]
Induction [Bundy ’01]
Inductionless induction [Lankford ’81], [Comon ’01]
Decidable logics with TC (e.g. MSO)
34
Future work
New axioms
Finiteness: $\mathrm{END}[n]:\ \forall v.\ \exists w.\ ntc(v,w) \wedge ((\neg\exists u.\ n(w,u)) \vee (\exists u.\ n(w,u) \wedge ntc(u,w)))$
Fragments of FOL where axiomatization is possible
Integration with TVLA
35
Thank you