Modular verification of heap reachability properties in separation logic

Ter-Gabrielyan, Arshavir; Summers, Alexander J.; Müller, Péter

doi:10.1145/3360547

Cited by 8 publications

(3 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For instance, reasoning about reachability in unbounded graphs with two successors per node is undecidable [17]. Recent work by Ter-Gabrielyan et al [41] shows how to deal with modular framing of pairwise reachability specifications in an imperative setting. Their framing notion has parallels to our notion of interface composition, but allows subgraphs to change the paths visible to their context.…”

Section: Related Workmentioning

confidence: 99%

Local Reasoning for Global Graph Properties

Krishna

Summers

Wies

2020

Programming Languages and Systems

Self Cite

View full text Add to dashboard Cite

Separation logics are widely used for verifying programs that manipulate complex heap-based data structures. These logics build on so-called separation algebras, which allow expressing properties of heap regions such that modifications to a region do not invalidate properties stated about the remainder of the heap. This concept is key to enabling modular reasoning and also extends to concurrency. While heaps are naturally related to mathematical graphs, many ubiquitous graph properties are non-local in character, such as reachability between nodes, path lengths, acyclicity and other structural invariants, as well as data invariants which combine with these notions. Reasoning modularly about such graph properties remains notoriously difficult, since a local modification can have side-effects on a global property that cannot be easily confined to a small region. In this paper, we address the question: What separation algebra can be used to avoid proof arguments reverting back to tedious global reasoning in such cases? To this end, we consider a general class of global graph properties expressed as fixpoints of algebraic equations over graphs. We present mathematical foundations for reasoning about this class of properties, imposing minimal requirements on the underlying theory that allow us to define a suitable separation algebra. Building on this theory we develop a general proof technique for modular reasoning about global graph properties over program heaps, in a way which can be integrated with existing separation logics. To demonstrate our approach, we present local proofs for two challenging examples: a priority inheritance protocol and the non-blocking concurrent Harris list. S. Krishna et al. 1 method acquire(p: Node, r: Node) { 2 if (r.next == null) { 3 r.next := p; update(p, -1, r.curr_prio) 4 } else { 5 p.next := r; update(r, -1, p.curr_prio) 6 } 7 } 8 method update(n: Node, from: Int, to: Int) { 9 n.prios := n.prios \ {from} 10 if (to >= 0) n.prios := n.prios ∪ {to} 11 from := n.curr_prio 12 n.curr_prio := max(n.prios ∪ {n.def_prio}) 13 to := n.curr_prio; 14 if (from != to && n.next != null) { 15 update(n.next, from, to) 16 } 17 }

show abstract

Section: Related Workmentioning

confidence: 99%

Local Reasoning for Global Graph Properties

Krishna

Summers

Wies

2020

Programming Languages and Systems

Self Cite

View full text Add to dashboard Cite

show abstract

“…Though, the verification of specifications that rely on inductive properties of the pure graph then resorts back to classical first-order reasoning and is difficult to automate. An exception is [45] which uses SMT solvers to frame binary reachability relations in graphs that are described by iterated separating conjunctions. However, the technique is restricted to such reachability properties only.…”

Section: Related Workmentioning

confidence: 99%

Make Flows Small Again: Revisiting the Flow Framework

Meyer

Wies

Wolff

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We present a new flow framework for separation logic reasoning about programs that manipulate general graphs. The framework overcomes problems in earlier developments: it is based on standard fixed point theory, guarantees least flows, rules out vanishing flows, and has an easy to understand notion of footprint as needed for soundness of the frame rule. In addition, we present algorithms for automating the frame rule, which we evaluate on graph updates extracted from linearizability proofs for concurrent data structures. The evaluation demonstrates that our algorithms help to automate key aspects of these proofs that have previously relied on user guidance or heuristics.

show abstract

“…A method for automatically handling updates affecting unbounded heap regions is proposed in [60], however, their method is tailored towards reachability. Being Hoare triples, our futures are not restricted to a specific class of properties.…”

Section: Related Workmentioning

confidence: 99%

A Concurrent Program Logic with a Future and History

Meyer,

Wies,

Wolff

2022

Preprint

View full text Add to dashboard Cite

Verifying fine-grained optimistic concurrent programs remains an open problem. Modern program logics provide abstraction mechanisms and compositional reasoning principles to deal with the inherent complexity. However, their use is mostly confined to pencil-and-paper or mechanized proofs. We devise a new separation logic geared towards the lacking automation. While local reasoning is known to be crucial for automation, we are the first to show how to retain this locality for (i) reasoning about inductive properties without the need for ghost code, and (ii) reasoning about computation histories in hindsight. We implemented our new logic in a tool and used it to automatically verify challenging concurrent search structures that require inductive properties and hindsight reasoning, such as the Harris set. 1 struct N = { val key: K; var next: N } 2 3 val tail = new N { key = ∞; next = tail } 4 val head = new N { key = −∞; next = tail } 5 6 procedure traverse( : K, : N, ln: N, : N): (N * N * N) { 7 val tn = .next 8 val tmark = is_marked(tn) 9 if (tmark) return traverse( , , ln, tn) 10 else if ( .key < ) return traverse( , , tn, tn) 11 else return ( , ln, ) 12 } 13 procedure find( : K): N * N { 14 val hn = head.next 15 val , ln, := traverse( , head, hn, hn) 16 if ((ln == || CAS( .next, ln, )) 17 && !is_marked( .next)) return ( , ) 18 else return find( ) 19 } 20 21 procedure search( : K) : Bool { 22 val _, = find( ) 23 return .key == 24 } −∞ 3 4 6 7 1 5 9 ∞ head ln 1 * next ( ) = ln * mark(ln) .next := * next ( ) = and the right update chunk is described by 2 * next ( ) = * mark( ) * next ( ) = tn .next := tn * next ( ) = tn .1 is derived inductively during the traversal of the marked segment from to using the same process that we are about to describe for deriving . The future 2 can be easily proved in isolation. In particular the precondition mark( ) implies C( ) = . Hence, the keyset invariant C( ) ⊆ KS( )

show abstract

Modular verification of heap reachability properties in separation logic

Cited by 8 publications

References 24 publications

Local Reasoning for Global Graph Properties

Local Reasoning for Global Graph Properties

Make Flows Small Again: Revisiting the Flow Framework

A Concurrent Program Logic with a Future and History

Contact Info

Product

Resources

About