DOI: 10.1145/1328438.1328461
Research article

Back to the future: revisiting precise program verification using SMT solvers

Published: 07 January 2008

Abstract

This paper takes a fresh look at the problem of precise verification of heap-manipulating programs using first-order Satisfiability-Modulo-Theories (SMT) solvers. We augment the specification logic of such solvers by introducing the Logic of Interpreted Sets and Bounded Quantification for specifying properties of heap-manipulating programs. Our logic is expressive, closed under weakest preconditions, and efficiently implementable on top of existing SMT solvers. We have created a prototype implementation of our logic over the solvers Simplify and Z3 and used our prototype to verify many programs. Our preliminary experience is encouraging; the completeness and the efficiency of the decision procedure are clearly evident in practice and have greatly improved the user experience of the verifier.

Published In

POPL '08: Proceedings of the 35th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
January 2008
448 pages
ISBN:9781595936899
DOI:10.1145/1328438
  • ACM SIGPLAN Notices
    ACM SIGPLAN Notices  Volume 43, Issue 1
    POPL '08
    January 2008
    420 pages
    ISSN:0362-1340
    EISSN:1558-1160
    DOI:10.1145/1328897
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 January 2008

Author Tags

  1. SMT solvers
  2. decision procedures
  3. heap-manipulating programs
  4. linked lists
  5. reachability
  6. software verification

Qualifiers

  • Research-article

Conference

POPL08

Acceptance Rates

Overall Acceptance Rate 824 of 4,130 submissions, 20%

Article Metrics

  • Downloads (Last 12 months)25
  • Downloads (Last 6 weeks)3
Reflects downloads up to 17 Jan 2025

Cited By
  • (2025) Axe 'Em: Eliminating Spurious States with Induction Axioms. Proceedings of the ACM on Programming Languages, 9:POPL, pages 479--508. DOI: 10.1145/3704853. Online publication date: 9-Jan-2025.
  • (2022) Distributed bounded model checking. Formal Methods in System Design, 64:1-3, pages 50--72. DOI: 10.1007/s10703-021-00385-1. Online publication date: 5-Jan-2022.
  • (2022) Proof-Guided Underapproximation Widening for Bounded Model Checking. Computer Aided Verification, pages 304--324. DOI: 10.1007/978-3-031-13185-1_15. Online publication date: 7-Aug-2022.
  • (2020) Towards a unified proof framework for automated fixpoint reasoning using matching logic. Proceedings of the ACM on Programming Languages, 4:OOPSLA, pages 1--29. DOI: 10.1145/3428229. Online publication date: 13-Nov-2020.
  • (2019) A Decidable Logic for Tree Data-Structures with Measurements. Verification, Model Checking, and Abstract Interpretation, pages 318--341. DOI: 10.1007/978-3-030-11245-5_15. Online publication date: 11-Jan-2019.
  • (2018) Flux. ACM Transactions on Sensor Networks, 14:3-4, pages 1--25. DOI: 10.1145/3200202. Online publication date: 27-Nov-2018.
  • (2018) A fully verified container library. Formal Aspects of Computing, 30:5, pages 495--523. DOI: 10.1007/s00165-017-0435-1. Online publication date: 1-Sep-2018.
  • (2018) A Memory Model for Deductively Verifying Linux Kernel Modules. Perspectives of System Informatics, pages 256--275. DOI: 10.1007/978-3-319-74313-4_19. Online publication date: 18-Jan-2018.
  • (2017) Streaming sensor data from dynamically reprogrammable tasks running on mobile devices. Proceedings of the 4th ACM International Conference on Systems for Energy-Efficient Built Environments, pages 1--10. DOI: 10.1145/3137133.3137139. Online publication date: 8-Nov-2017.
  • (2017) Property-Directed Inference of Universal Invariants or Proving Their Absence. Journal of the ACM, 64:1, pages 1--33. DOI: 10.1145/3022187. Online publication date: 29-Mar-2017.