Slide transcript of “Verifying Temporal Heap Properties Specified via Evolution Logic” by Eran Yahav, Tom Reps, Mooly Sagiv and Reinhard Wilhelm (ESOP 2003), http://www.cs.tau.ac.il/~yahave. Posted 20-Dec-2015.

1

Verifying Temporal Heap Properties Specified via Evolution Logic

Eran Yahav, Tom Reps, Mooly Sagiv and Reinhard Wilhelm

http://www.cs.tau.ac.il/~yahave

ESOP 2003

2

Introduction

Goals: specify and verify temporal properties of sequential and concurrent heap-manipulating programs
  • specify the way objects evolve across program execution
  • focus on Java-like programs; support the following:
    • Java-like concurrency
    • dynamic allocation/deallocation of objects
    • dynamic allocation/deallocation of threads

3

• Relate memory locations across program configurations
• Allow specifications relating to allocation and deallocation of objects
• Example: concurrent GC
  • Safety – only objects not reachable from the roots are collected
  • Liveness – all garbage objects are eventually collected
• Propositional temporal logic is not enough; this motivates the use of a more expressive specification language

[figure: “Spatial and Temporal Properties”, a diagram with spatial and temporal as its two axes]

4

Spatial and Temporal Properties

L1: while (x != null) {
L2:   e = x
L3:   x = x.n
L4:   e.n = null
L5:   free(e)
}

[figure: a linked list pointed to by x and connected by n edges, shown at[L1] before and after one iteration of the loop; x has advanced along the n edges]

Every object is eventually pointed-to by x

5

Spatial and Temporal Properties

• Every allocated object is eventually deallocated
• Every allocated request is eventually assigned a handler thread
• An object is eventually removed from a pointer-based data structure
• Each opened file remains open until used…

6

Challenges

Varying domains
  • The set of objects in the heap is likely to change during program execution
    • Dynamic allocation and deallocation
    • No a priori bound on the number of objects/threads
Progress
  • Abstraction of transitions/traces
  • Progress may be lost under abstraction

7

Plan

• Program Configurations and Traces
• Specification
  • Evolution Temporal Logic (ETL)
  • Meaning of ETL formulae
• Verification: Reducing ETL to FOTC
  • Representing ETL traces via FO structures
  • Compiling ETL formulae to FOTC formulae
• Abstract Interpretation
• Prototype implementation
• Summary

8

Program Configurations

A concrete program configuration encodes:
  • the global store
  • the program location of every thread
  • the status of locks and threads
First-order logical structures are used to represent program configurations

9

Concrete Configuration

[figure: concrete configuration of the list loop at[L3]: x and e point into a linked list whose cells are connected by n edges]

10

Concrete Configuration

[figure: concrete configuration of a concurrent program: threads at[l_0], at[l_1] and at[l_C], objects reached through rval[f] edges, and a lock with held_by and blocked edges]

11

Program Traces

• Infinite sequence of program configurations
• Each step is a single program action
• Individuals may vary between configurations: dynamic allocation / deallocation

[figure: a trace of the list loop, configurations at[L1], at[L2], at[L3], at[L4], at[L5], at[L1], …, with x and e pointing into the list]

12

Evolution Temporal Logic (ETL)

• Based on first-order linear temporal logic: v.(v), v.(v), TC, X, U, …
• State formulae may include free variables; they relate memory locations across configurations (worlds): v. x(v)e(v)
• Special operators: v (object v allocated), v (object v deallocated)
• Predicates represent the properties of interest:
  • for heap references – x(v), n(v1,v2), …
  • for threads and locks – blocked(t,l), held_by(l,t), …

13

ETL Examples

• Every object is eventually pointed-to by x: v.x(v)
• Every allocated object is eventually deallocated: (v.v v)
• Every allocated request is eventually assigned a handler thread: r:request. r t:thread. handles(t,r)
• An object v is eventually removed from a pointer-based data structure s: … u:s(u) n*(u,v) …

14

ETL Semantics

• Infinite sequence of configurations
• World locality
  • An individual may exist in at most one world
  • Equality is world-local
• Evolution
  • Explicit representation of the evolution relation of individuals across worlds
  • Explicitly represent allocated and deallocated individuals

15

ETL Traces

[figure: ETL trace of the list loop, worlds at[L1], at[L2], at[L1], at[L3], at[L4], at[L5], … with x and e; legend: deallocated object, evolution edge]

16

Meaning of ETL formulae

[figure: the same ETL trace (at[L1], at[L2], at[L1], at[L3], at[L4], at[L5], …), annotated with the worlds in which the state formula x(v) holds for the object bound to v]

17

Temporally Separable Properties

• Properties which do not relate individuals of different configurations
• Temporal operators only over closed FO formulae
• Corresponds to propositional temporal logic: v.x(v)v’.n(v,v’) becomes P, with P = v.x(v)v’.n(v,v’)

[figure: trace at[L1], at[L2], at[L3], at[L5], at[L1], … with the proposition P evaluated on each configuration]

18

Spatially Separable Properties

• Universally quantified propositional specification
• Each object should obey the specification separately (typestate verification)
• Examples: v.x(v); f:file. (read(f) closed(f))

[figure: ETL trace of the list loop (at[L1], at[L2], at[L1], at[L3], at[L4], at[L5], …) with x and e]

19

ETL Traces as FO Structures

[figure, built up over slides 19–21: the ETL trace of the list loop (at[L1], at[L2], at[L1], at[L3], at[L4], at[L5], …) drawn as a first-order structure; legend: world, object, deallocation, existence edge, evolution edge, and succ edges between consecutive worlds]

22

Representing ETL Traces via First-order Structures

• Explicitly encode possible worlds and the accessibility relation
  • World individuals
  • Successor edges relate worlds
• Each non-world individual exists in at most one world
  • An existence predicate relates non-world individuals to the world in which they exist
• Designated predicates: succ(w1,w2), exists(o,w), evolves(o1,o2)
• Adapted from Lewis’s “counterpart semantics”

23

Extracting ETL properties

• ETL properties are compiled into plain FOTC formulae
• The ETL trace is encoded as an FO structure
• Evaluate ETL over an ETL trace by evaluating the corresponding FOTC formula over the FO structure

24

All is well, but…

• ETL traces are infinite
• The number of traces for a program is possibly infinite

25

Abstract Interpretation

• (Over-)approximate a possibly infinite set of infinite traces by a finite set of finite abstract traces
• Successive approximations: compute the greatest fixed point
  • Start with an abstract trace representing the initial configuration with all possible suffixes
  • Repeatedly refine the results by exploring longer finite prefixes
  • A longer abstract trace represents fewer concrete traces
• Evaluate the property over the abstract traces in the fixed point
• Use 3-valued logical structures for abstract traces

26

Canonic Abstraction

[figure: canonic abstraction of a trace of the list loop: worlds x at[L1], at[L2], at[L3] (with e) linked by succ, the currWorld predicate marking the latest world, and a summary world “succ …” standing for all possible suffixes]

27

Abstraction Example

[figure: abstraction example for a concurrent program: worlds from initialWorld to currWorld linked by succ; thread t0 and summary threads at[l_1], at[l_2], at[l_c] with rval[v], heldBy and blocked edges to a lock object]

28

Growing Abstract Traces

• Partial concretization (Focus)
• Apply update
  • Append a new configuration to the abstract trace
  • The new configuration reflects the effect of the update
  • Add a successor edge into the new configuration and evolution edges into the evolved individuals
  • Update the currWorld predicate
• Abstraction

29

[figure: growing an abstract trace: concretization of the currWorld configuration (x at[L1]), the update producing configurations at[L2] and at[L3] with x and e, then abstraction back into traces with a succ edge into the new currWorld]

30

Greatest Fixed Point

[figure, built up over slides 30–31: the greatest fixed point as a set of abstract traces x at[L1] → at[L2] → at[L3] → at[L4] … linked by succ edges, each ending in a summary suffix]

32

Recording History

• Improve precision: add predicates for subformulae of the ETL formula
  • Record the state of subformula satisfaction over the trace
  • Tailor the abstraction according to the property of interest

33

Progress

• Progress may be lost under abstraction
• It is common for liveness to require augmentation with progress information
• A progress measure for linked data structures can be expressed in ETL, e.g., progress of a linked data structure traversal: the number of items reachable from a program variable decreases

34

Implementation

• Manually convert ETL to FOTC
• Define instrumentation predicates for temporal subformulae
• Let TVLA do the rest
• Properties proved:
  • Termination of linked list manipulation
  • Response (fair/unfair)
• Takes a lot of time

35

In the paper…

• Soundness
• Technicalities
  • Transworld equality
  • Instrumentation predicates

36

Related Work

Model Checking Birth and Death / Distefano, Rensink, Katoen [TCS ’02]
  • Decidable temporal logic
  • Allows referring to the moment of allocation and deallocation
  • Does not allow relationships between objects
  • Simple abstraction – collapse all non-reachable objects

37

Summary

• ETL allows specification of heap evolution properties
• Automatically verify ETL properties
  • Represent ETL traces via FO structures
  • Represent ETL properties as FOTC formulae
  • Evaluate the FOTC formula over 3-valued FO structures representing sets of traces
• It is common for liveness properties to require reduction or progress monitors; progress is expressed as ETL formulae

38

Future Work

• More precise and efficient algorithms for verifying ETL: a tableau-like verification method
• ETL subclasses: spatially separable properties have already been used for memory management properties [SAS’03]

39

http://www.cs.tau.ac.il/~yahave


41

ETL Examples

v.x(v) v. e(v)vv.x(v)v.x(v)

42

ETL to FOTC

43

Subtle Issues

• Fairness
  • We can express an explicit scheduling queue
  • Other notions of fairness under dynamic allocation?
• Reduction
• Constant domain semantics: requires the user to specify existence or to use syntactically different quantifiers for global/local quantification
• Monotone domain semantics: easy to understand, a viable alternative

44

Progress

[figure: progress on a trace of the list loop: worlds x at[L1] → at[L2] → at[L3] (with e) → at[L4] linked by succ, with currWorld marked]

45

Example

while (x != null) {
  e = x
  x = x.n
  e.n = null
  free(e)
}

[figure: the heap after each statement, e = x, x = x.n, e.n = null and free(e), down to “Empty list”: x and e move along the n edges of the list and each freed cell disappears]

46

Why not Constant Domains?

• Requires the user to explicitly specify existence or to use syntactically different quantifiers for global/local quantification
• Explicit evolution edges allow abstracting away from implementation details
  • Can handle various allocation semantics
  • Can handle a copying garbage collector

47

ETL to FOTC

vw0 initialWorld(w0) exists(w0,v) w,v’ succ*(w0,w) evolution*(v,v’) exists(w,v’) P(v)

48

Growing Abstract Traces

[figure: growing abstract traces: currWorld moves from x at[L1] to a newly appended configuration x at[L2], joined by a succ edge]