1

Simulating Reachability using First-Order Logic with Applications to Verification

of Linked Data Structures

Tal Lev-Ami1, Neil Immerman2, Tom Reps3, Mooly Sagiv1, Siddharth Srivastava2 and Greta Yorsh1

1 Tel Aviv University2 University of Massachusetts-Amherst3 University of Wisconsin-Madison CADE 2005

2

Applications of TC in verification

Transitive closure is natural for reasoning about linked data structures

Element (v) of a list (pointed to by x)w. x(w)n*(w,v)

Acyclicity v1,v2. n(v1,v2) n*(v2,v1)

Unreachable objects (garbage)v2.v1. Var(v1) f*(v1,v2)

Deadlocks

3

Automated reasoning for FOL

Powerful tools available for automated reasoning in FOL (with equality)

ResolutionSPASS, Vampire, …

Nelson-OppenSimplify, Zapato, …

…

Prove, disprove (or diverge)

4

What about FOL+TC?

No known tools for automated reasoning in full FOL+TC

No surprise – TC is very powerful, even small fragments of FOL become undecidable with the addition of TC

C2,

No R.E. axiomatization of TC in FOL

5

Agenda

Verifying heap-manipulating programs

Initial axiomatization

Induction axiom scheme

Automating axiom instantiation

Conclusion

6

Verifying heap-manipulating programs

Heap objects: Individuals

Reference variables: Unary relation symbolsx(v), y(v) – if v is pointed to by x, y

Fields: Binary relation symbolsn(v,w) – the n field of v points to w

7

Reflexive transitive closure

n*(v1,v2)

v2 is reachable from v1 by following 0 or more n-fields

n*(v1,v2) is the least fixed point of ntc in

v1,v2.ntc(v1,v2)↔(v1=v2)w.n(v1,w)ntc(w,v2)

or

v1,v2.ntc(v1,v2)↔(v1=v2)w.ntc(v1,w)n(w,v2)

8

Verification example

A list pointed to by x

A list pointed to by y

Show that xy the lists are disjoint

9

Premise

Unary reachability (shorthand) v. rz,n(v) ↔w.z(w)n*(w,v)

No heap sharingv,v1,v2.n(v1,v)n(v2,v)v1=v2

No incoming edges to x and yv,w. x(v) y(v) n(w, v)

x and y are unique and differentv1,v2.x(v1)x(v2)v1=v2

v1,v2.y(v1)y(v2)v1=v2

v. (x(v)y(v))

10

Goal

The lists pointed to by x and y are disjointv. rx,n(v) ry,n(v)

11

Approximating TC in FOL

Extend vocabulary with new binary relation symbol ntc

Replace all occurrences of n* with ntc

Add ‘Natural’ axiomsv1,v2.ntc(v1,v2)↔(v1=v2)w.n(v1,w)ntc(w,v2)

v1,v2.ntc(v1,v2)↔(v1=v2)w.ntc(v1,w)n(w,v2)

The problem – minimalityLeast fixed point is not expressible in FOL

12

TC-models

TC-model - a model M s.t. if n and ntc are in the vocabulary of M, then

(ntc)M = (nM)*, i.e., M interprets ntc as the reflexive, transitive closure of its interpretation of n

A set of axioms (axiomatization) isTC-valid - if is true in every TC-model.

TC-complete - if for every formula that is true in all TC-models,

13

Approximating TC in FOL

Natural axiomatization is TC-complete for acyclic finite models

Not TC-complete otherwise

Negative occurrences of TC are the problemTC-valid formulas with only positive occurrences of TC are implied from the natural axiomatization

14

Problems: cycles

n

n*=ntc n* ntc

ntc

ntc

ntc

n ntc

ntc

ntc

n ntc

ntc

ntc

n ntc

ntc

ntc

ntc

ntc

ntc

TC-model

u1

u2

u3

u4

v1,v2.ntc(v1,v2)↔(v1=v2)w.n(v1,w)ntc(w,v2)

v1,v2.ntc(v1,v2)↔(v1=v2)w.ntc(v1,w)n(w,v2)

15

n*=ntc

…n n n nx

…n n n ny

n*ntc

x …n n n

…n …n n n ny

TC-model

Problems: infinite models

16

Problems: infinite models

Existing FOL theorem provers cannot be restricted to finite models

Finiteness is not FOL expressible

17

Induction axiom scheme

IND[P,Z,n] = (w. Z(w) P(w)) (w1,w2. P(w1) n(w1,w2) P(w2)) (w1,w2. Z(w1) ntc(w1,w2) P(w2))

IncompleteComplete axiomatization is non-R.E.

How to choose Z and P?

18

Choosing axiom instantiations

Hard to find Z and P to instantiate IND directly

Introduce new axiom schemes provable from IND in FOL

Add enough axioms to to prove target formula

Used in practice to prove interesting examples

19

Ideas towards solution

Reasoning about edges toward reasoning about paths

Reasoning about one type of paths toward reasoning about another type

20

Coloring axioms

Start with transitivityw1,w2,w3. ntc(w1,w2)ntc(w2,w3) ntc(w1,w3)

Add instances of coloring axiom schemesNoExit

NewStart

21

A

NoExit

NoExit[A,n] = (w1,w2. A(w1) n(w1,w2) A(w2)) (w1,w2. A(w1) ntc(w1,w2) A(w2))

22

n*=ntc

…n n n ny

…n n n nx

n*ntc

y …n n n

…n …n n n nx

TC-model

23

Example RevisitedTwo lists pointed to by x and y respectively

NoExit[rx,n,n]

Axiom Premise v1,v2. rx,n(v1)n(v1,v2) rx,n(v2)

w

n

u

v

¬ntc

ntcx

u’ntc

n

=

=

24

Example revisitedTwo lists pointed to by x and y respectively

NoExit[rx,n,n]

Axiom Premise v1,v2. rx,n(v1)n(v1,v2) rx,n(v2)

v1,v2. rx,n(v1) ntc(v1,v2) rx,n(v2)

disjointness: v. rx,n(v) ry,n(v)

25

f

A

g

NewStart

26

gtc

ftc

gtc

gtc

f

A

g

NewStart

w1,w2. A(w1)A(w2)g(w1,w2)f(w1,w2)

27

gtc

ftc

gtc

gtc

f

A

g

NewStart

NewStart[A,g,f] = (w1,w2. A(w1)A(w2)g(w1,w2)f(w1,w2)) w1,w2. gtc(w1,w2)ftc(w1,w2)

w.A(w)gtc(w1,w)gtc(w,w2)

28

NewStart

Important when updating fieldsProve no fields changed within A

Prove no incoming or no outgoing paths to A

Conclude no paths changed within A

29

Instantiating coloringaxiom schemes

Coloring axioms are effective only if they can be automatically instantiated

Verification of imperative programs

Use boolean combinations of program variables and unary reachability

Exponential number of axioms

30

Incremental algorithm

Axioms are built as PremiseConclusionBoth closed formulas

Try to prove Premise and only then introduce Conclusion

Try boolean combinations in BFS

31

Prototype implementation

Used to automatically prove partial correctness (given loop invariants) of several interesting programs

Destructive reversal of singly linked list

Destructive append

Simple mark & sweep garbage collector

Use SPASS as underlying theorem prover

32

Completeness

TC-complete with respect to a theory

Finiteness is expressible with TC

TC-complete axiomatization implies FINITE-VALIDITY is decidable

No R.E. TC-complete axioms with respect to logic with 2 binary relation symbols encoding partial functions

33

Related work

Nelson’s axiomatization [Nelson ‘83]Incomplete and follows from INDMark & Sweep

Updating transitive closure using FO [Dong, Su ‘95], [Hesse ‘03] Induction [Bundy ’01]Inductionless induction [Lankford ‘81] [Comon ‘01]Decidable logics with TC (e.g. MSO)

34

Future work

New axioms

FinitenessEND[n]: v. w. ntc(v, w)

(u. n(w, u)) (u. n(w, u)ntc(u, w))

Fragments of FOL where axiomatization is possible

Integration with TVLA

35

Thank you