Satisfiability Modulo Heap-Based Programs
Quang Loc Le1(B) , Jun Sun1 , and Wei-Ngan Chin2
1
Singapore University of Technology and Design,
Singapore, Singapore
lequangloc@gmail.com
2
National University of Singapore,
Singapore, Singapore
Abstract. In this work, we present a semi-decision procedure for a fragment of separation logic with user-defined predicates and Presburger
arithmetic. To check the satisfiability of a formula, our procedure iteratively unfolds the formula and examines the derived disjuncts. In each
iteration, it searches for a proof of either satisfiability or unsatisfiability.
Our procedure is further enhanced with automatically inferred invariants as well as detection of cyclic proof. We also identify a syntactically
restricted fragment of the logic for which our procedure is terminating
and thus complete. This decidable fragment is relatively expressive as it
can capture a range of sophisticated data structures with non-trivial pure
properties, such as size, sortedness and near-balanced. We have implemented the proposed solver and a new system for verifying heap-based
programs. We have evaluated our system on benchmark programs from
a software verification competition.
Keywords: Decision procedures · Satisfiability
Inductive predicates · Cyclic proofs
1
·
Separation logic
·
Introduction
Satisfiability solvers, particularly those based on Satisfiability Modulo Theory
(SMT) technology [3,19], have made tremendous practical advances in the last
decade to the point where they are now widely used in tools for applications as
diverse as bug finding [27], program analyses [4] to automated verification [2].
However, current SMT solvers are based primarily on first-order logic, and do not
yet cater to the needs of resource-oriented logics, such as separation logic [26,40].
Separation logic has recently established a solid reputation for reasoning about
programs that manipulate heap-based data structures. One of its strengths is
the ability to concisely and locally describe program states that hold in separate
regions of heap memory. In particular, a spatial conjunction (i.e., κ1 ∗κ2 ) asserts
that a given heap can be decomposed into two disjoint regions and the formulas,
κ1 and κ2 , hold respectively and separately in the two memory regions. In this
work, we investigate the problem of verifying heap-manipulating programs in the
c Springer International Publishing Switzerland 2016
S. Chaudhuri and A. Farzan (Eds.): CAV 2016, Part I, LNCS 9779, pp. 382–404, 2016.
DOI: 10.1007/978-3-319-41528-4 21
Satisfiability Modulo Heap-Based Programs
383
framework of SMT. We reduce this problem to solving verification conditions
representing precise program semantics [9,10,22,44].
Developing an SMT solver supporting separation logic with inductive predicates and Presburger arithmetic is challenging as the satisfiability problem for
this fragment is undecidable [30,31]. We focus on an expressive fragment which
consists of spatial predicates expressing empty heap assertion (emp), points-to
assertion (x→c(v̄)), and inductive predicate assertions (P(v̄)). Moreover, it may
include pure constraints on data values and capture desired properties of structural heaps (such as size, height, sortedness and even near-balanced tree properties). We thus face the challenge of handling recursive predicates with pure
properties, that are inherently infinite. Furthermore, we would like to support
both satisfiability (SAT) and unsatisfiability (UNSAT) checks.
There have been a number of preliminary attempts in this direction. For
instance, early proposals fixed the set of shape predicates that may be used, for
example, to linked lists (in SeLoger [17,23], and SLLB [34]) or trees (GRIT [36]).
There are few approaches supporting user-defined predicates [14,25,39].
Brotherston et al. recently made an important contribution by introducing SLSAT,
a decision procedure for a fragment of separation logic with arbitrary shape-only
inductive predicates [12]. However, SLSAT is limited to the shape domain, whereas
shape predicates extended with pure properties are often required for automated
verification of functional correctness.
In this paper, we start by proposing a new procedure, called S2SAT,
which combines under-approximation and over-approximation for simultaneously checking SAT and UNSAT properties for a sound and complete theory augmented with inductive predicates. S2SAT takes a set of user-defined predicates and
a logic formula as inputs. It iteratively constructs an unfolding tree by unfolding
the formula in a breadth-first, flow- and context-sensitive manner until either a
symbolic model, or a proof of unsatisfiability or a fixpoint (e.g., a cyclic proof)
is identified. In each iteration, it searches over the leaves of the tree (the disjunction of which is equivalent to the input formula) to check whether there is a
satisfiable leaf (which proves satisfiability) or whether all leaves are unsatisfiable.
In particular, to prove SAT, it considers base disjuncts which are derived from
base-case branches of the predicates. These disjuncts are under-approximations
of the input formula and critical for satisfiability. Disjuncts which have no inductive predicates are precisely decided. To prove UNSAT, S2SAT over-approximates
the leaves prior to prove UNSAT. Our procedure systematically enumerates all
disjuncts derived from a given inductive formula, so it is terminating for SAT.
However, it may not be terminating for UNSAT with those undecidable augmented
logic. To facilitate termination, we propose an approach for fixpoint computation.
This fixpoint computation is useful for domains with finite model semantics i.e.,
collecting semantics for a given formula of such domains is finite. In other words,
the input formula is unsatisfiable when the unfolding goes on forever without
uncovering any models. We have implemented one instantiation of the fixpoint
detection for inductive proving based on cyclic proof [13] s.t. the soundness of
the cyclic proof guarantees the well-foundedness of all reasoning.
384
Q.L. Le et al.
Fig. 1. Motivating example.
To explicitly handle heap-manipulating programs, we propose a separation
logic instantiation of S2SAT, called S2SATSL . Our base theory is a combination of
the aforementioned separation logic predicates except inductive predicates. We
show that our decision procedure for this base theory is sound and complete.
S2SATSL over-approximates formulas with soundly inferred predicate invariants.
In addition, we describe some syntax restrictions such that S2SATSL is always
able to construct a cyclic proof for a restricted formula so that our procedure is
terminating and complete.
To summarize, we make the following technical contributions in this work.
– We introduce cyclic proof into a satisfiability procedure for a base theory
augmented with inductive predicates (refer to Sect. 3).
– We propose a satisfiability procedure for separation logic with user-defined
predicates and Presburger arithmetic (Sect. 4).
– We prove that S2SATSL is: (i) sound for SAT and UNSAT; (ii) and terminating
(i.e., proposing a new decision procedure) for restricted fragments (Sect. 5).
– We present a mechanism to automatically derive sound (over-approximated)
invariants for user-defined predicates (Sect. 6).
– We have implemented the satisfiability solver S2SATSL and the new verification system, called S2td . We evaluated S2SATSL and S2td with benchmarks from
recent competitions. The experimental results show that our system is expressive, robust and efficient (Sect. 7).
Proofs of Lemmas and Theorems presented in this paper are available in the
companion technical report [30].
2
Illustrative Example
We illustrate how our approach works with the example shown in Fig. 1.
Our verification system proves that this program is memory safe and function ERROR() (line 5) is never called. Our system uses symbolic execution in
[6,14] and large-block encoding [8] to provide a semantic encoding of verification conditions. For safety, one of the generated verification conditions is:
Δ0 ≡ ll(n,x)00 ∗test(x,r1 )10 ∧n≥0∧r1 =0. If Δ0 is unsatisfiable, function ERROR() is
never called. In Δ0 , ll and test are Interprocedural Control Flow Graph (ICFG)
Satisfiability Modulo Heap-Based Programs
385
of the functions ll and test. Our system eludes these ICFGs as inductive predicates. For each predicate, a parameter res is appended at the end to model
the return value of the function; for instance, the variables x (in ll) and r1
(in test) of Δ0 are the actual parameters corresponding to res. Each inductive
predicate instance is also labeled with a subscript for the unfolding number and
a superscript for the sequence number, which are used to control the unfolding
in a breadth-first and flow-sensitive manner.
To discharge Δ0 , S2SATSL iteratively derives a series of unfolding trees Ti . An
unfolding tree is a tree such that each node is labeled with an unfolded disjunct, corresponding to a path condition in the program. We say that a leaf
of Ti is closed if it is unsatisfiable; otherwise it is open. During each iteration,
S2SATSL either proves SAT by identifying a satisfiable leaf of Ti which contains
no user-defined predicate instances or proves UNSAT by showing that an overapproximation of all leaves is unsatisfiable. Initially, T0 contains only one node
Δ0 . As Δ0 contains inductive predicates, it is not considered for proving SAT.
S2SATSL then over-approximates Δ0 to a first-order logic formula by substituting each predicate instance with its corresponding sound invariants in order
to prove UNSAT. We assume that ll (resp. test) is annotated with invariant
i≥0 (resp. 0≤res≤1). Hence, the over-approximation of Δ0 is computed as:
π0 ≡n≥0∧0≤r1 ≤1∧n≥0∧r1 =0. Formula π0 is then passed to an SMT solver,
such as Z3 [19], for unsatisfiable checking. As expected, π0 is not unsatisfiable.
Next, S2SATSL selects an open leaf for unfolding to derive T1 . A leaf is selected
in a breadth-first manner; furthermore a predicate instance of the selected leaf
is selected for unfolding if its sequence number is the smallest. With Δ0 , the ll
instance is selected. As so, T1 has two open leaves corresponding to two derived
disjuncts:
Δ11 ≡test(x,r1 )10 ∧n≥0∧r1 =0∧n=0∧x=null
Δ12 ≡x→node(n,r2 )∗ll(n1 ,r2 )01 ∗test(x,r1 )10 ∧n≥0∧r1 =0∧n=0∧n1 =n−1
Since Δ11 and Δ12 include predicate instances, they are not considered for SAT.
To prove UNSAT, S2SATSL computes their over-approximated invariants:
π11 ≡0≤r1 ≤1∧n≥0∧r1 =0∧n=0∧x=null
π12 ≡x=null∧n1 ≥0∧0≤r1 ≤1∧n≥0∧r1 =0∧n=0∧n1 =n−1
As neither π11 nor π12 is unsatisfiable,
selects test of Δ11 for unfolding
∆0
to construct T2 . For efficiency, unfolding is
performed in a context-sensitive manner. A
∆11
∆12
branch is infeasible (and pruned in advance)
if its invariant is inconsistent with the (over∆32 ∆33
approximated) context. For instance, the invariant of the then branch at line 12 of test
is invtesto ≡p=null∧res=1. As invtesto (after
Fig. 2. Unfolding tree T3 .
proper renaming) is inconsistent with π11 , this
branch is infeasible. Similarly, both else branches of test are infeasible. For T3 ,
S2SATSL
386
Q.L. Le et al.
the remaining leaf Δ12 is selected for unfolding. As the test’s unfolding number is smaller than ll’s, test is selected. After the then branch is identified as
infeasible and pruned, T3 is left with two open leaves as shown in Fig. 2, where
infeasible leaves are dotted-lined. Δ32 and Δ33 are as below.
∆32 ≡x→node(n,r2 )∗ll(n1 ,r2 )01 ∧n≥0∧r1 =0∧n=0∧n1 =n−1∧x=null∧n<0∧r1 =0
∆33 ≡x→node(n,r2 )∗ll(n1 ,r2 )01 ∗test(r2 ,r1 )11 ∧n≥0 ∧ r1 =0∧n=0∧n1 =n−1
∧x=null∧n≥0
As Δ32 and Δ33 include inductive predicate instances, SAT checking is not applicable. For UNSAT checking, S2SATSL proves that Δ32 is unsatisfiable (its unsatisfiable cores are underlined as above); and shows that Δ33 can be linked back
to Δ0 (i.e., subsumed by Δ0 ). The latter is shown based on some weakening
and substitution principles (see Sect. 4.2). In particular: (i) Substituting Δ33
with θ=[n2 /n,x1 /x,n/n1 ,x/r2 ] such that predicate instances in the substituted
formula, i.e., Δ33a , and Δ0 are identical; as such, Δ33a is computed as below.
Δ33a ≡x1 →node(n2 ,x)∗ll(n,x)01 ∗test(x,r1 )11 ∧n2 ≥0∧r1 =0∧n2 =0∧n=n2 −1
∧x1 =null∧n2 ≥0
(ii) subtracting identical inductive predicates between Δ33a and Δ0 ; (iii) weakening the remainder of Δ33a (i.e., x1 →node(n2 ,x) is eliminated); (iv) checking validity of the implication between pure of the remainder of Δ33a with
the pure part of the remainder of Δ0 , i.e., n2 ≥0∧r1 =0∧n2 =0∧n=n2 −1∧
x1 =null∧n2 ≥0 =⇒ n≥0∧r1 =0. The back-link between Δ33 and Δ0 establishes
a cyclic proof which then proves Δ0 is unsatisfiable.
Algorithm 1. S2SAT Procedure.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
input : λind
output: SAT or UNSAT
i←0; T0 ←{λind } ;
while true do
(is sat,Ti ) ← UA test(Ti ) ;
if is sat then return SAT ;
else
Ti ←OA test(Ti ) ;
Ti ←link back(Ti ) ;
if is closed(Ti ) then return UNSAT;
else
λind i ←choose bfs(Ti ) ;
i←i+1 ;
Ti ←unfold(λind i );
end
end
end
/* initialize */
/* check SAT */
/* SAT */
/* prune UNSAT */
/* detect fixpoint */
/* UNSAT */
/* choose an open leaf */
Satisfiability Modulo Heap-Based Programs
3
S2SAT
387
Algorithm
In this section, we present S2SAT, a procedure for checking satisfiability of formula with inductive predicates. We start by defining our target formulas. Let L
be a base theory (logic) with the following properties: (i) L is closed under propositional combination and supports boolean variables; (ii) there exists a complete
decision procedure for L. Let Lind be the extension of L with inductive predicate instances defined in a system with a set of predicates P={P1 , ..., Pk }. Each
predicate may be annotated with a sound invariant. We use λ to denote a forind
to denote a formula in the extended theory. Semantically,
mula in
nL and λ
ind
λ ≡ i=0 λi , n≥0.
S2SAT is presented in Algorithm 1. S2SAT takes a formula λind as input, systematically enumerates disjuncts λi and can produce two possible outcomes if it
terminates: SAT with a satisfiable formula λi or UNSAT with a proof. We remark
that non-termination is classified as UNKNOWN.
S2SAT maintains a set of open leaves of the unfolding tree Ti that is derived
from λind . In each iteration, S2SAT selects and unfolds an open leaf so as either to
include more reachable base formulas (with the hope to produce a SAT answer),
or to refine inductive formulas (with the hope to produce an UNSAT answer).
Specially, in each iteration, S2SAT checks whether the formula is SAT at line 3;
whether it is UNSAT at line 6; whether a fixpoint can be established at line 7.
Function UA test searches for a satisfiable base disjunct (i.e., is sat is set to true).
Simultaneously, it marks all unsatisfiable base disjuncts closed. Next, function
OA test uses predicate invariants to over-approximate open leaves of Ti , and
marks those with an unsatisfiable over-approximation closed. After that, function
link back attempts to link remaining open leaves back to interior nodes so as
to form a fixpoint (i.e., a (partial) pre-proof for induction proving). The leaves
which have been linked back are also marked as closed. Whenever all leaves are
closed, S2SAT decides λind as UNSAT (line 8). Otherwise, the choose bfs (line 10)
chooses an open leave in breadth-first manner for unfolding.
Procedure link back takes the unfolding tree Ti as input and checks whether
bud
comp
in Ti via
each open leaf λind ∈Ti matches with one interior node λind
a matching function ffix . ffix is based on weakening and substitution principles [13]. Intuitively, ffix detects the case of (i) the unfolding goes forever if
bud
bud
comp
has no model when λind
has no
we keep unfolding λind ; and (ii) λind
bud
ind
comp
bud
model. If ffix (λ
,Δ
)=true , Δ
is marked closed.
Our procedure systematically enumerates all disjuncts derived from a given
inductive formula, so it is terminating for SAT. However, it may not be terminating for UNSAT with those undecidable augmented logic. In the next paragraph,
we discuss the soundness of the algorithm.
Soundness. When S2SAT terminates, there are the following three cases.
– (case A) S2SAT produces SAT with a base satisfiable λind i ;
388
Q.L. Le et al.
– (case B) S2SAT produces UNSAT with a proof that all leaves of Ti are
unsatisfiable;
– (case C) S2SAT produces UNSAT with a fixpoint: a proof that some leaves of Ti
are unsatisfiable and the remaining leaves are linked back.
Under the assumption that L is both sound and complete, case A can be shown to
be sound straightforwardly. Soundness of case B immediately follows the soundness of OA test. In the following, we describe the cyclic proof instantiation of
link back for fixpoint detection and prove the soundness of case C.
We use CYCLIC to denote the cyclic proof for entailment procedure adapted
from [13]. The following definitions are adapted from their analogues of CYCLIC.
Definition 1 (Pre-Proof ). A pre-proof derived for a formula λind is a pair
(Ti , L) where Ti is an unfolding tree whose root labelled by λind and L is a backlink function assigning every open leaf λind l of Ti to an interior node λind c =
L(λind l ) such that there exists some substitution θ i.e., λind c = λind l [θ]. λind l is
referred as a bud and λind c is referred as its companion.
A path in a pre-proof is a sequence of nodes (λind i )i≥0 .
Definition 2 (Trace). Let (λind i )i≥0 be a path in a pre-proof PP. A trace
following (λind i )i≥0 is a sequence (αi )i≥0 such that, for all i≥0, αi is a predicate
instance P(t̄) in the formula λind i , and either:
1. αi+1 is the subformula according to P(t̄) occurrence in λind i+1 , or
2. λind i [t̄/v̄] where λind i is branches of inductive predicate P(v̄). i is a progressing
point of the trace.
To ensure that pre-proofs correspond to sound proofs, a global soundness condition must be imposed on such pre-proofs as follows.
Definition 3 (Cyclic Proof ). A pre-proof is a cyclic proof if, for every infinite
path (λind i )i≥0 , there is a tail of the path p=(λind i )i≥n such that there is an
infinitely progressing trace following p.
Theorem 1 (Soundness). If there is a cyclic proof of λind 0 , λind 0 is UNSAT.
Proof. We reduce our cyclic proof problem for satisfiability to the cyclic proof
problem for entailment check, i.e., λind 0 ⊢ false of CYCLIC. Assume there is
a cyclic proof PP of λind 0 . From PP we construct the pre-proof PP⊢ for the
sequent λind 0 ⊢ false as follows. For each node (λind i )i≥0 in PP, we replace the
formula λind i by the sequent λind i ⊢ false . Since PP is a cyclic proof, it follows
that for every infinite path (λind i )i≥0 , there is a tail of the path, p=(λind i )i≥n ,
such that there is an infinitely progressing trace following p (Definition 3). Since
formulas in [13] are only traced through the LHS of the sequent and not its
RHS, it is implied that for every infinite path (λind i ⊢false )i≥0 , there is a tail
of the path, p=(λind i ⊢ false )i≥n , such that there is an infinitely progressing
trace following p. Thus, PP⊢ is a cyclic proof (Definition 3 of [13]). As such
λind 0 |=false (Theorem 6 of [13]). In other words, λind 0 is UNSAT.
⊓
⊔
Satisfiability Modulo Heap-Based Programs
389
To sum up, to implement a sound cyclic proof system besides the matching function, a global soundness condition must be established on pre-proofs to
guarantee well-foundedness of all reasoning.
4
Separation Logic Instantiation of
S2SAT
In this section, to explicitly handle heap-manipulating programs, we propose a
separation logic instantiation of S2SAT, called S2SATSL . We start by presenting
SLPA, a fragment of separation logic with inductive predicates and arithmetic.
4.1
A Fragment of Separation Logic
Syntax. The syntax of SLPA formulas is presented in Fig. 3. We use x̄ to denote
a sequence (e.g., v̄ for sequence of variables), and xi to denote the ith element.
Whenever possible, we discard fi of the points-to predicate and use its short
form as x→c(vi ). Note that v1 =v2 and v =null are short forms for ¬(v1 =v2 ) and
¬(v=null), respectively. All free variables are implicitly universally quantified
at the outermost level. To express different scenarios for shape predicates, the
fragment supports disjunction Φ over formulas. Each predicate instance is of
the form P(v̄)ou where o and u are labels used for context- and flow- sensitive
unfolding. In particular, o captures the sequence number and u is the number
of unfolding. For simplicity, we occasionally omit these two numbers if there is
no ambiguity. A formula Δ is a base formula if it does not have any user-defined
predicate instances. Otherwise, Δ is an inductive formula.
User-Defined Predicate. A user-defined predicate P is of the following general
form
pred P(t̄) ≡
n
i=1
(∃w̄i · Δi | πib )
Fig. 3. Syntax.
inv: π;
390
Q.L. Le et al.
where P is predicate name; t̄ is a set of formal parameters; and ∃w̄i · Δi (i ∈ 1...n)
is a branch. Each branch is optionally annotated with a sound invariant πib which
is a pure formula that over-approximates the branch. π is an optionally sound
predicate invariant. It must be a superset of all possible models of the predicate P
via a pure constraint on stack. The default invariant of each inductive predicate is
true . For efficiency, we infer more precise invariants automatically (see Sect. 6).
Inductive branches may be recursive. We assume that the recursion is direct,
i.e., a recursive branch of predicate P includes at least one predicate instance P.
In each branch, we require that variables which are not formal parameters must
be existentially quantified i.e., ∀i ∈ 1...n·FV(Δi )=t̄ and w̄i ∩t̄=∅ where FV(Δ)
are all free variables in the formula Δ.
In the following, we apply SLPA to model two data structures: sorted lists
(sortll) without an annotated invariant and AVL trees (avl) with annotatedinvariant.
pred sortll(root,n,m) ≡ root→node(m, null) ∧ n=1
∨ ∃ q,n1 ,m1 ·root→node(m, q) ∗ sortll(q, n1 , m1 )∧n=n1 +1∧m≤m1
struct c2 { c2 left; c2 right; } // data structure declaration
pred avl(root,n,h) ≡ emp ∧ root=null ∧ n=0 ∧ h=0 | root=null ∧ n=0 ∧ h=0
∨ ∃ l, r, n1 , n2 , h1 , h2 ·root→c2 (l, r) ∗ avl(l, n1 , h1 ) ∗ avl(r, n2 , h2 )∧
n=n1 +n2 +1 ∧ h=max(h1 ,h2 )+1 ∧ −1≤h1 −h2 ≤1 | root=null ∧ n>0 ∧ h>0
inv: n≥0 ∧ h≥0
Semantics. In the following, we discuss the semantics of SLPA. Concrete heap
models assume a fixed finite collection Node, a fixed finite collection Fields, a
disjoint set Loc of locations (heap addresses), a set of non-address values Val ,
such that null ∈ Val and Val ∩ Loc = ∅. Further, we define:
def
Heaps = Loc⇀f in (Node → Fields → Val ∪ Loc)
def
Stacks = Var → Val ∪ Loc
The semantics is given by a forcing relation: s,h |= Φ that forces the stack s
and heap h to satisfy the constraint Φ where h ∈ Heaps, s ∈ Stacks, and Φ is a
formula.
The semantics is presented in Fig. 4. dom(f ) is the domain of function f ;
h1 #h2 denotes that heaps h1 and h2 are disjoint, i.e., dom(h1 ) ∩ dom(h2 ) = ∅;
and h1 ·h2 denotes the union of two disjoint heaps. Inductive predicates are interpreted using the least model semantics [42]. Semantics of pure formulas depend
on stack valuations; it is straightforward and omitted in Fig. 4, for simplicity.
4.2
Implementation of Separation Logic Instantiation
In the following, we describe how S2SATSL is realized. In particular, we show how
the functions UA test, OA test, unfold, and link back are implemented.
Satisfiability Modulo Heap-Based Programs
391
Fig. 4. Semantics.
Deciding Separation Logic Formula. Given an SLPA formula, the functions
UA test and OA test in S2SATSL work similarly, by reducing the formula to a
first-order formula systematically and deciding the first-order formula. In the
following, we define a function called eXPure, which transforms a separation
logic formula into a first-order formula. eXPure is defined over the symbolic heap
as follows:
x1 →c1 (v̄1 )∗...∗xn →cn (v̄n ) ∗ P1 (t̄1 )∗...∗Pm (t̄m ) ∧ π) ≡
∃
w̄·
{xi =null | i∈1...n} ∧ {xi =xj | i, j∈1...n and i=j} ∧
{inv(P, Pj , t¯j ) | j ∈ 1...m} ∧
π
eXPure(∃w̄·
where the reduction at the first line (after ≡) is for points-to predicates, and
the second line is for user-defined predicates. The auxiliary function inv(P, P, v̄)
returns the invariant of the predicate P with a proper renaming.
Next, the auxiliary procedure satp (∃w̄· π) takes a quantified first-order formula as input. It preprocesses the formula and then invokes an SMT solver to
solve it. The preprocessing consists of two steps. First, the existential quantifiers
w̄ are eliminated through a projection Π(π, w̄). Second, remaining existential
quantifiers are skolemized and null is substituted by special number (i.e., zero).
The preprocessed formulas are of the form of linear arithmetic with free function
symbols. These formulas may contain existential (∃) and universal (∀) quantifiers
but no ∃∀ alternation. Hence, they are naively supported by SMT solvers.
Deriving Unfolding Tree. Next, we describe how function unfold works in
S2SATSL . Given a formula, unfold selects one predicate instance for unfolding
as follows.
Γi =unfoldP(P(v̄)ou , πc )
πc ≡eXPure(κ ∗ P(v̄) ∧ π)
o
unfold(∃w̄0 · κ∗P(v̄)u ∧π) {∃w̄0 · κ∗Δi ∧π | Δi ∈Γi }
Predicate instances in κ are sorted by a pair of unfolding number and ordering
number where the former has higher priority. The instance P(v̄)ou is selected if u is
392
Q.L. Le et al.
the smallest number of unfoldings and o is the smallest number among instances
which have the same unfolding number u. The procedure unfold outputs a set of
disjuncts which are combined from branches of the predicate P with the remainder κ∧π. At the middle, the predicate instance is unfolded by the procedure
unfoldP. This auxiliary procedure unfoldP(P(t̄)ou , πc ) unfolds the user-defined
predicate P with actual parameter t̄ under the context πc . It outputs branches
of the predicate P that are not inconsistent with the context. It is formalized as
follows.
b
πcP ≡ Π(πc , v̄)
( m
w̄i′ =fresh(w̄i )
i=1 (∃w̄i · κi ∧πi | πi ), t̄)=lookup(P, P)
∃
′ /w̄ ]
=[
w̄
ρp =[v¯′ /t̄]
ρ∃
ρ
=ρ
(v¯′ , πeq )=freshEQ(v̄)
p ◦ ρi
i
i
i
i
o
′
P
b
unfoldP(P(v̄)u , πc ) {∃w̄i · [ρi ]κi ∧[ρi ]πi ∧πeq | satp (πc ∧[ρi ]πi ∧πeq )=unsat, i∈1...m}
In the first line, the procedure looks up the definition of P and refreshes the
existential quantifiers (using the function fresh(...)). In the second line, formal
parameters are substituted by the corresponding actual arguments. Finally, the
substituted definition is combined and pruned as shown in the RHS of . Function freshEQ(v̄) above refreshes the sequence of variables v̄ and produces
the
equality constraints πeq between the old and new ones, i.e. πeq ≡ vi =vi′ . Let
Q(t̄)ol denote a predicate instance of the derived κi , its unfolding number is set
to u+1 if its corresponding branch Δi is recursive. Otherwise, it is u. Its sequence
number is set to ol +o.
The branch invariant is used as a necessary condition to unfold a branch.
The formalism underlying the pruning process is as follows: given a context Δc
with its over-approximation πc and a branch Δi with its over-approximation
πib , if πc ∧πib is unsatisfiable, so is Δc ∗Δi . Similar to the specialization calculus [15], our unfolding mechanism also prunes infeasible disjuncts while unfolding
user-defined predicates. However, the specialization calculus performs exhaustive
pruning with multiple unfolding that may be highly costly and redundant compared with our one-step unfolding.
Detecting Cyclic Proof. In the following, we implement the matching function
fcyclic , an instantiation of ffix , to form a cyclic proof for fixpoint detection. fcyclic
checks whether there exists a well-founded ordering relation R between Δcomp
and Δbud so as to form an infinite path following the path between these two
nodes. If Δbud matches with Δcomp , Δbud is marked as closed. For global infinitary soundness, fcyclic only considers those Δbud and Δcomp of the restricted form
as: Δcomp ≡Δb1 ∗P1 (t̄1 )0m ∗...∗Pi (t¯i )im , and Δbud ≡Δb2 ∗P1 (t̄′1 )0n ∗...∗Pk (t¯′k )kn , where
k≥i, n>m, Δb1 and Δb2 are base formulas.
Like [13], fcyclic is implemented using the weakening and substitution principle. In particular, it looks for a substitution θ s.t. Δbud θ =⇒ Δcomp .
fcyclic (Δbud ,Δcomp ) is formalized as the procedure Δbud ⊢lb Δcomp whose rules
are presented in Fig. 5. These rules are applied as follows.
– First, existential variables are refreshed ([EX−L], [EX−R] rules).
Satisfiability Modulo Heap-Based Programs
393
Fig. 5. Rules for back-link.
– Second, inductive variables in Δbud are substituted ([SUBST] rule). This substitution is based on well-ordering relations R. Let P(t)km be a predicate
instance in Δcomp and its corresponding subformula in Δbud be R(s,t), then
s, t are inductive variables. Two examples of well-founded relations R are
structural induction for pointer types where R(s,t) iff s is a subterm of t and
natural number induction on integers where R(s,t) iff 0<s<t.
– Third, heaps are exhaustively matched ([PRED−MATCH] and [PTO−MATCH]
rules) and weakened ([PRED−WEAKEN] and [PTO−WEAKEN] rules). Soundness of these rules directly follows from the frame rule [26,40].
– Last, back-link is decided via the implication between pure formulas ([PURE]
rule).
5
Soundness and Termination of
S2SATSL
In the following, we establish the correctness of S2SATSL .
5.1
Soundness
We show that (i) S2SATSL is sound and complete for base formulas; and (ii) the
functions UA test, OA test and link back in S2SATSL are sound. These two tasks
rely on soundness and completeness of the function eXPure over base formulas,
soundness of eXPure over inductive formulas, and soundness of the function
fcyclic .
Lemma 1 (Equiv-Satisfiable
Reduction). Let Δ≡∃w̄·x1 →c1 (v̄1 )∗...
∗xn →cn (v̄n )∧α∧φ be a base formula. Δ is satisfiable iff eXPure(Δ) is
satisfiable.
394
Q.L. Le et al.
The proof is based on structural induction on Δ.
Lemma 2 (Over-Approximated Reduction). Given a formula Δ such that
the invariants of user-defined predicates appearing in Δ are sound, then
∀s, h · s, h|=Δ =⇒ s|=eXPure(Δ)
In the following lemma, we consider the case Γ ={} at line 8 of Algorithm 1.
Lemma 3. Given a formula Δ0 and the matching function fcyclic as presented
in the previous section, Δ0 is UNSAT if Γ ={} (line 8).
To prove this Lemma, in [30] we show that there is a “trace manifold” which
implies the global infinitary soundness (see [11], ch. 7) when a bud is linked back.
Theorem 2 (Soundness). Given a formula Δ and a set of user-defined predicates P,
– Δ is satisfiable if S2SATSL returns SAT.
– if S2SATSL terminates and returns UNSAT, Δ is unsatisfiable.
While the soundness of SAT queries follows Lemma 1, the soundness of UNSAT
queries follows Lemmas 2 and 3. As satisfiability for SLPA is undecidable [30,
31], there is no guarantee that S2SATSL terminates on all inputs. In the next
subsection, we show that S2SATSL terminates for satisfiable formulas in SLPA and
with certain restrictions on the fragment, S2SATSL always terminates.
5.2
Termination
Termination for SAT. In this paragraph, we show that S2SATSL always terminates
when it decides a satisfiable formula. Given a satisfiable formula
Δ≡∃w̄· x1 →c1 (v̄1 )∗...∗xn →cn (v̄n ) ∗P0 (t̄0 )00 ∗...∗Pn (t̄n )n0 ∧ π
There exists a satisfiable base formula Δk such as:
Δk ≡x1 →c1 (v̄1 )∗...∗xn →cn (v̄n ) ∗ ΔPk00 ∗...∗ΔPknn ∧ π
where ΔP
k (k≥0) denotes a base formula derived by unfolding the predicate P k
times and then substituting all predicate instances P by P’s base branch. Let km
be the maximal number among k0 ,..,kn . The breadth-first unfolding manner in
the algorithm S2SAT ensures that S2SATSL identifies Δk before it encounters the
following leaf:
y1 →c1 (t̄1 )∗...∗yi →ci (t̄i ) ∗ P0 (t̄0 )km +1 ∗...∗Pj (t̄j )km +1 ∧ π
We remark that the soundness of cyclic proof ensures that our link back function
only considers infinitely many unfolding traces. Thus, it never links finite many
unfolding traces, i.e., traces connecting the root to satisfiable base leaves, like Δk .
Satisfiability Modulo Heap-Based Programs
395
Decidable Fragment. In the following, we describe universal SLPAind , a fragment
of SLPA, for which we prove that S2SATSL always terminates. Compared to SLPA,
universal SLPAind restricts the set of inductive predicates P as well as the inputs
of S2SATSL .
Definition 4 (SLPAind ). An inductive predicate pred P(t̄)≡Φ is well-founded
SLPAind if it has one induction case with N occurrences of P, and it has the
shape as follows.
Φ ≡ Φ0 ∨ ∃w̄·x1 →c1 (v̄1 )∗...∗xn →cn (v̄n )∗P(w̄1 )∗...∗P(w̄N )∧π
where Φ0 is disjunction of base formulas and the two following restrictions.
1. ∀n∈1...N w̄n ⊆w̄∪{null} and w̄n do not appear in the equalities of π,
2. if ti is a numerical parameter and there exists a well-ordering relation R
such that R(s,ti ,w1i ,..,wmi ) (1≤m≤N ) is a subformula of π, the following
conditions hold.
– ti is constrained separately (i.e., there does not exist j =i and a
subformula φ of π such that {ti , tj }⊆F V (φ) or {ti , wnj }⊆F V (φ) or
{wmi , wnj }⊆F V (φ) ∀m,n∈1...N , and
– ∀n∈1...N , π =⇒ ti >wni or π =⇒ ti <wni .
– if ti ∈F V (Φ0 ) then Φ0 =⇒ ti =k, for some integer k
ti is denoted as inductive parameters.
Restriction 1 guarantees that fcyclic can soundly weaken the heap by discarding
irrelevant points-to predicates and N −1 occurrences of P (when N ≥2) while it
links back. Restriction 2 implies that ti >wi ≥k1 or ti <wi ≤k2 for some integer
k1 , k2 . This ensures that leaf nodes of unfolding trees of an unsatisfiable input
must be UNSAT or linked back.
The above SLPAind fragment is expressive enough to describe a range of data
structures, e.g. sorted lists sortll, lists/trees with size properties, or even AVL
trees avl.
Definition 5 (Universal SLPAind ). Given a separation logic formula
Δ0 ≡x1 →c1 (v̄1 )∗...∗xn →cn (v̄n )∗P1 (t̄1 )∗...∗Pn (t̄n )∧φ0
Δ0 is universal SLPAind if all
if all x̄ of free, arithmetical,
conjunction of φ0,i where φ0,i
xi ≥k1 for some integer k1 ; or
Theorem 3 (Termination).
formulas.
predicates P1 ,..,Pn are well-founded SLPAind , and
inductive variables, with x̄⊆(t̄1 ∪...∪t̄n ), φ0 is a
is either of the following form: (i) true ; or (ii)
(iii) xi ≤k2 for some integer k2 .
S2SATSL
terminates
for
universal
SLPAind
396
6
Q.L. Le et al.
Sound Invariant Inference
In order to perform fully automatic verification without user-provided invariants, S2SATSL supports automatic invariant inference. In this section, we describe
invariant inference from user-defined predicates and predicate branches. While
the former is used for over-approximation, the latter is used for context-sensitive
predicate unfolding. To infer invariants for a set of user-defined predicates, we
first build a dependency graph among the predicates. After that, we process
each group of mutual dependent predicates following a bottom-up manner. For
simplicity, we present the inference for one directly recursive predicate. The
inference for a group of mutual inductive predicates is similar.
Inferring Predicate Invariant. Our invariant inference is based on the principle
of second-order
m abduction [28,45]. Given the predicate P defined by m branches
as P(t̄) ≡ i=1 Δi , we assume a sound invariant of P as an unknown (secondorder) variable I(t̄). After that we prove the lemma P(v̄)⊢I(v̄) via induction;
and simultaneously generate a set of pure relational assumptions using secondorder abduction. The steps to prove the above lemma and generate a set of m
relational assumptions over I are as follows.
1. Unfold LHS of the lemma to generate a set of m subgoals i.e. Δi [v̄/t̄]⊢I(v̄)
where i ∈ 1...m. The original lemma is taken as the induction hypothesis.
2. For each subgoal i, over-approximate its LHS to a pure formula πi and form
an assumption relation πi =⇒ I(v̄). There are two cases to compute πi .
– if Δi is a base formula, then πi ≡eXPure(Δi ).
– if Δi includes k instances P such that Δi ≡Δresti ∗P(v¯1 )∗...∗P(v¯k ), then
we compute πi0 ≡eXPure(Δresti ), πij ≡I(v¯j ), for all j ∈ 1...k, and
k
πi ≡ j=1 πik .
3. Our system applies a least fixed point analysis to the set of gathered relational
assumptions. We use the analyzer LFP presented in [45] to compute these
invariants.
We illustrate this procedure to infer an invariant for sortll. First, our system
introduces an unknown relation I(root,n,m). Second, it generates the below
relational constraints.
root=null∧n=1
=⇒ I(root,n,m)
root=null∧I(Q,N1 ,M1 )∧n=N1 +1∧m≤M1 =⇒ I(root,n,m)
Finally, it analyzes these two constraints and produces the following result:
I(root,n,m)≡root=null∧n≥1
Lemma 4 (Sound Invariant Inference). Given a predicate P(t̄) ≡ Φ, and
R be a set of relational assumptions generated by the steps above. If R has a
solution, i.e., I(v̄)≡π, then we have ∀s, h · s, h |= P(v̄), s |=π.
Proof Sketch: Soundness of Lemma 2 implies that for all i ∈ 1...m, πi is
an over-approximated abstraction of Δi . As such, the soundness of this lemma
immediately follows from the soundness of second-order abduction [28,45]. ⊓
⊔
Satisfiability Modulo Heap-Based Programs
397
Table 1. Exponential time and space satisfiability checks.
Succ-circuit (1–20)
n
Succ-rec (1–20)
SLSAT
S2SATSL n
1 1 ms
21 ms
11 SO
37.46 s
1
0 ms
25 ms
11 1796.4 s 410.92 s
2 2 ms
23 ms
12 SO
170.53 s 2
1 ms
30 ms
12 TO
TO
3 27 ms
30 ms
13 SO
988.29 s 3
4 ms
33 ms
13 TO
TO
4 867 ms 34 ms
14 SO
TO
4
21 ms
39 ms
14 X
TO
5 30 s
0.05 s
15 SO
TO
5
134 ms 52 ms
15 X
TO
6 30 s
0.09 s
16 SO
TO
6
830 ms 76 ms
16 X
TO
7 SO
0.20 s
17 SO
TO
7
5.0 s
0.21 s
17 X
TO
8 SO
0.61 s
18 SO
TO
8
29.5 s
0.87 s
18 X
TO
9 SO
2.21 s
19 SO
TO
9
167.8 s 4.83 s
19 X
TO
10 SO
8.49 s
20 SO
TO
10 1065 s
20 X
TO
SLSAT
S2SATSL n
SLSAT S2SATSL n
45.28 s
SLSAT
S2SATSL
Inferring
mBranch Invariant. Given a predicate P defined by m branches as
P(t̄) ≡ i=1 (∃w̄i · Δi ) inv: π, we compute invariants for each branch of P as
Π(eXPure(Δi ), w̄i ) ∀ i=1...m. For example, with the invariant inferred for the
predicate sortll as above, our system computes its branch invariants π1b for the
base branch and π2b for the inductive branch as below.
π1b ≡Π(eXPure(root→node(m, null) ∧ n=1), {})≡ root=null ∧ n=1
π2b ≡Π(eXPure(root→node(m, q) ∗ sortll(q, n1 , m1 )∧n=n1 +1∧m≤m1 ),
{q,n1 ,m1 }) ≡ root=null ∧ n≥1
Soundness of
branch.
7
eXPure
implies that the branch invariant over-approximates its
Implementation and Evaluation
We have implemented the proposed solver S2SATSL and a new interprocedural
(top-down) program verification tool, called S2td , which uses S2SATSL . We make
use of Omega Calculator [38] to eliminate existential quantifiers, Z3 [19] as a
back-end SMT solver, and FixCalc [37] to find closure form in inferring invariants
for user-defined predicates.
In the following, we evaluate S2SATSL and S2td ’s robustness and efficiency on
a set of benchmarks from the software verification competition SV-COMP [7].
We also present an evaluation of S2SATSL in compositional (modular) program
verification with the HIP/S2 system [14,28] for a range of data structures.
7.1
Robustness and Efficiency
In [12], Brotherston et al. introduced a new and challenging set of satisfiability benchmarks discussed in Proposition 5.13 of [12]. In this Proposition,
Brotherston et al. stated that there exists a family of predicates of size O(n) and
398
Q.L. Le et al.
that SLSAT runs in Ω(2n ) time and space regardless of search strategies. Since
SLSAT relies on bottom-up and context-insensitive fixed point computation, it
has to explore all possible models before answering a query. Their approach is
designed for computing invariants of shape predicates rather than satisfiability
checks. In contrast, S2SATSL performs top-down and context-sensitive searches, as
it is dedicated for satisfiability solving. Moreover, it prunes infeasible disjuncts,
significantly reduces the search space, and provides better support for model
discovery.
We conducted an experiment on comparing SLSAT’s and S2SATSL ’s performance on this set of benchmarks. The results are shown in Table 1. The size n
of succ−circuit∗ (succ−rec∗) benchmarks expresses the breadth (depth, resp.)
of dependency. This set of benchmarks is a part of the User-Defined Predicate
Satisfiability (UDB sat) suite of SL-COMP 2014 [41]. The output is either a
definite answer (sat, unsat) with running time (in milliseconds (ms), or seconds
(s)), or an error. In particular, SO denotes stack overflow; TO denotes timeout
(i.e., tools run longer than 1800 s); and X denotes a fatal error. The experimental results show that S2SATSL is much more robust and also more efficient than
SLSAT. While S2SATSL successfully solved 24 (out of 40) benchmarks, SLSAT was
capable of handling 17 benchmarks. Furthermore, on 17 benchmarks that SLSAT
discharged successfully, S2SATSL outperforms SLSAT, i.e., about 6.75 (3126 s/462 s)
times faster. As shown in the table, S2SATSL ran with neither stack overflow nor
fatal errors over all these challenging benchmarks.
Table 2. Experimental results on complex data structures.
Data structure (pure props)
Singly llist (size)
#Query #UNSAT #SAT Time
666
75
Even llist (size)
139
125
14
2.40
Sorted llist (size, sorted)
217
21
196
0.91
Doubly llist (size)
452
50
402
2.07
Complete tree (size, minheight)
387
33
354
143.98
Heap trees (size, maxelem)
467
67
400
13.87
AVL (height, size, near-balanced)
881
64
817
84.82
BST (height, size, sorted)
341
34
307
2.28
RBT (size, height, color)
1741
217
1524
65.54
55
6
49
0.34
rose-tree
591
1.25
TLL
128
13
115
0.24
Bubble (size, sorted)
300
20
280
1.09
Quick sort (size, sorted)
225
29
196
2.33
Satisfiability Modulo Heap-Based Programs
7.2
399
Modular Verification with S2SATSL
In this subsection, we evaluate S2SATSL in the context of modular program
verification. S2SATSL solver is integrated into the HIP/S2 [14,28,29] system to
prune infeasible program paths in symbolic execution. Furthermore, S2SATSL is
also used by the entailment procedure SLEEK to discharge verification conditions (VC) generated. In particular, when SLEEK deduces a VC to the following
form: Δ ⊢ emp∧πr , the error calculus in SLEEK [29] invokes S2SATSL to discharge
the following queries: Δ and Δ∧¬πr for safety and Δ∧πr for must errors. In
experiments, we have extracted those VCs generated while HIP/S2 verified heapmanipulating programs.
We have evaluated S2SATSL deciding the VCs discussed above. The experimental results are described in Table 2. Each line shows a test on one program.
The first column lists data structures and their pure properties. rose-trees
are trees with nodes that are allowed to have a variable number of children,
stored as doubly-linked lists. TLL is a binary tree whose nodes point to their
parents and all leaf nodes are linked as a singly-linked list. #Query is the number of satisfiability queries sent to S2SATSL for each data structure. The next
two columns report the outputs from S2SATSL . The last column shows the time
(in seconds) taken by the S2SATSL solver. In this experiment, S2SATSL terminated
on all queries. Furthermore it exactly decided all SAT and UNSAT queries. These
experimental results affirm the correctness of our algorithm S2SATSL . They also
show that S2SATSL is expressive, effective, and can be integrated into program
verification systems for discharging satisfiability problems of separation logic
formulas.
7.3
Recursive Program Verification with S2SATSL
We have evaluated and compared our verification system Table 3. Experimental results on recursive
S2td with state-of-the-art ver- programs.
√
√
Tool
#s #e #unk #s✗ #e✗ Points Mins
ification tools on a set of ESBMC [18]
38
40
21
0
3
20
53
SV-COMP benchmarks1 . The UAutomizer [24] 17 23 62 0 0 57
23
48
45
5
4
0
77
26
results are presented in Table 3. SeaHorn [22]
CBMC [16]
33
39
29
1
0
89
90
There are 102 recursive/loop
Smack-corral [1] 33
37
28
0
0
103
105
programs taken from Recursive S2td
41 45
16
0
0
127
25
and HeapReach sub-categories
in the benchmark; timeout is set to 180 s. In each program, there is at least one
user-supplied assertion to model safety properties. The first column identities the
subset of verification systems which competed in both the above
√ sub-categories.
The
next
three
columns
count
the
instances
of
correct
safe
(s
), correct error
√
(e ) and unknown (e.g., timeout). The next two columns capture the number of
false positives (s✗) and false negatives (e✗). We rank these tools based
on their
√
points. Following the SV-COMP competition, we gave +2 for one s , +1 for one
1
http://sv-comp.sosy-lab.org/2016/.
400
Q.L. Le et al.
√
e , 0 for unk, −16 for one s✗, and −32 for one e✗. The last column expresses the
total time in minutes. The results show that the proposed verification approach
is promising; indeed, our system is effective and efficient: it produces the best
correctness with zero false answers within the nearly-shortest time.
8
Related Work
Close to our work is the SeaHorn verification system [22]. While SeaHorn relies
on Z3-PDR to handle inductive predicates on non-heap domains, it is unclear (to
us) how SeaHorn supports induction reasoning for heap-based programs (which
is one contribution of our present work).
Our S2SAT satisfiability procedure is based on unfolding which is similar to the
algorithm in the Leon system [43,44]. Leon, a verifier for functional programs,
adds an unfolding mechanism for inductive predicates into complete theories.
However, Leon only supports classic logic and not structural logic (i.e., separation
logic). Neither does Leon support inductive reasoning. Furthermore, our system
infers sound invariants for inductive predicates to facilitate over-approximation.
Our work is related to work on developing satisfiability solvers in separation
logic. In the following, we summarize the development in this area. Smallfoot
[5] has the first implemented decision procedure for a fragment of separation
logic. This solver was originally customized to work with spatial formulas over
list segments. Based on a fixed equality (disequality) constraint branches of
the list segment, the proposals presented by [17,32] further enhanced decision
procedure for this fragment with equality reasoning. They provided normalization rules with a graph technique [17] and a superposition calculus [32] to infer
(dis)equality constraints on pointers and used these constraints to prune infeasible branches of predicate instances during unfolding. Although these proposals
can decide the formula of that fragment in polynomial time, it is not easy to
extend them to a fragment with general inductive predicates (i.e., the fragment
SLPA). Decision procedures in [33–36] support decidable fragments of separation logic with inter-reachable data structures using SMT. Our proposal extends
these procedures to those fragments with general inductively-defined predicates.
Indeed, our decidable fragment can include more complex data structures, such
as AVL trees.
S2SATSL is closely related to the satisfiability solvers [12,25] which are capable of handling separation logic formulas with general user-defined predicates.
Decision procedures [12,25] are able to handle predicates without pure properties. The former described a decidable fragment of user-defined predicates with
bounded tree width. The problem of deciding separation logic formulas is then
reduced to monadic second-order logic over graphs. The latter, SLSAT, decides
formulas with user-defined predicates via a equi-satisfiable fixed point calculation. The main disadvantage of SLSAT is that it is currently restricted to the
domain of pointer equality and disequality, so that it cannot be used to support
predicates with pure properties from infinite abstract domains.
Using over-approximation in decision procedures is not new. For example,
D’Silva et al. have recently made use of abstract domains inside satisfiability
Satisfiability Modulo Heap-Based Programs
401
solvers [20,21]. In separation logic, satisfiability procedures in HIP/SLEEK [14]
and Dryad [39] decide formulas via a sound reduction that over-approximates
predicate instances. HIP/SLEEK and Dryad are capable of proving the validity of
a wide range of expressive formulas with arbitrary predicates. However, expressivity comes with cost; as these procedures are incomplete, and they do not
address the satisfiability problem. We believe that S2SAT can be integrated into
these systems to improve upon these two shortcomings.
9
Conclusion and Future Work
We have presented a satisfiability procedure for an expressive fragment of separation logic. Given a formula, our procedure examines both under-approximation
(so as to prove SAT) and over-approximation (so as to prove UNSAT). Our procedure was strengthened with invariant generation and cyclic proof detection.
We have also implemented a solver and a new verification system for heapmanipulating programs. We have evaluated them on a range of competition
problems with either complex heap usage patterns or exponential complexity of
time and space.
For future work, we might investigate S2SAT-based decision procedures for
other complete theories (i.e., Presburger, string, bag/set) augmented with inductive predicates. We would also study a more general decidable fragment of separation logic by relaxing the restrictions for termination. Finally, we would like to
improve S2td for array, string and pointer arithmetic reasoning as well as witness
generation for erroneous programs.
Acknowledgements. We wish to thank Christopher M. Poskitt for his helpful comments on the manuscript. Quang Loc and Jun Sun are partially supported by NRF
grant RGNRF1501 and Wei-Ngan by NRF grant NRF2014NCR-NCR001-040.
References
1. Haran, A., Carter, M., Emmi, M., Lal, A., Qadeer, S., Rakamarić, Z.:
SMACK+corral: a modular verifier. In: Baier, C., Tinelli, C. (eds.) TACAS 2015.
LNCS, vol. 9035, pp. 451–454. Springer, Heidelberg (2015)
2. Barnett, M., Chang, B.-Y.E., DeLine, R., Jacobs, B., M. Leino, K.R.: Boogie: a modular reusable verifier for object-oriented programs. In: de Boer, F.S.,
Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111,
pp. 364–387. Springer, Heidelberg (2006)
3. Barrett, C., Conway, C.L., Deters, M., Hadarean, L., Jovanović, D., King, T.,
Reynolds, A., Tinelli, C.: CVC4. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV
2011. LNCS, vol. 6806, pp. 171–177. Springer, Heidelberg (2011)
4. Beckman, N.E., Nori, A.V., Rajamani, S.K., Simmons, R.J.: Proofs from tests. In:
ISSTA, pp. 3–14. ACM, New York (2008)
5. Berdine, J., Calcagno, C., W.O’Hearn, P.: A decidable fragment of separation logic.
In: Lodaya, K., Mahajan, M. (eds.) FSTTCS 2004. LNCS, vol. 3328, pp. 97–109.
Springer, Heidelberg (2004)
402
Q.L. Le et al.
6. Berdine, J., Calcagno, C., O’Hearn, P.W.: Symbolic execution with separation
logic. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 52–68. Springer, Heidelberg (2005)
7. Beyer, D.: Reliable and reproducible competition results with benchexec and witnesses (report on SV-COMP 2016). In: Chechik, M., Raskin, J.-F. (eds.) TACAS
2016. LNCS, vol. 9636, pp. 887–904. Springer, Heidelberg (2016). doi:10.1007/
978-3-662-49674-9 55
8. Beyer, D., Cimatti, A., Griggio, A., Keremoglu, M.E., Sebastiani, R.: Software
model checking via large-block encoding. In: Proceedings of 9th International Conference on Formal Methods in Computer-Aided Design, FMCAD 2009, pp. 25–32
(2009)
9. Bjørner, N., Gurfinkel, A., McMillan, K., Rybalchenko, A.: Horn clause solvers for
program verification. In: Blass, A., Dershowitz, N., Finkbeiner, B., Schulte, W.,
Beklemishev, L.D., Beklemishev, L.D. (eds.) Gurevich Festschrift II 2015. LNCS,
vol. 9300, pp. 24–51. Springer, Heidelberg (2015). doi:10.1007/978-3-319-23534-9 2
10. Bjørner, N., McMillan, K.L., Rybalchenko, A.: Program verification as satisfiability
modulo theories. In: SMT, pp. 3–11 (2012)
11. Brotherston. J.: Sequent calculus proof systems for inductive definitions. Ph.D.
thesis, University of Edinburgh, November 2006
12. Brotherston, J., Fuhs, C., Pérez, J.A.N., Gorogiannis, N.: A decision procedure for
satisfiability in separation logic with inductive predicates. In: CSL-LICS 2014, pp.
25:1–25:10. ACM, New York (2014)
13. Brotherston, J., Gorogiannis, N., Petersen, R.L.: A generic cyclic theorem prover.
In: Jhala, R., Igarashi, A. (eds.) APLAS 2012. LNCS, vol. 7705, pp. 350–367.
Springer, Heidelberg (2012)
14. Chin, W., David, C., Nguyen, H., Qin, S.: Automated verification of shape, size
and bag properties via user-defined predicates in separation logic. SCP 77(9),
1006–1036 (2012)
15. Chin, W.-N., Gherghina, C., Voicu, R., Le, Q.L., Craciun, F., Qin, S.: A specialization calculus for pruning disjunctive predicates to support verification. In:
Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 293–309.
Springer, Heidelberg (2011)
16. Clarke, E., Kroning, D., Lerda, F.: A tool for checking ANSI-C programs. In:
Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 168–176.
Springer, Heidelberg (2004)
17. Cook, B., Haase, C., Ouaknine, J., Parkinson, M., Worrell, J.: Tractable reasoning
in a fragment of separation logic. In: Katoen, J.-P., König, B. (eds.) CONCUR
2011. LNCS, vol. 6901, pp. 235–249. Springer, Heidelberg (2011)
18. Cordeiro, L., Fischer, B.: Verifying multi-threaded software using smt-based
context-bounded model checking. In: Proceedings of the 33rd International Conference on Software Engineering, ICSE 2011, pp. 331–340. ACM, New York (2011)
19. de Moura, L., Bjørner, N.S.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R.,
Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg
(2008)
20. D’Silva, V., Haller, L., Kroening, D.: Satisfiability solvers are static analysers. In:
Miné, A., Schmidt, D. (eds.) SAS 2012. LNCS, vol. 7460, pp. 317–333. Springer,
Heidelberg (2012)
21. D’Silva, V., Haller, L., Kroening, D.: Abstract satisfaction. In: Proceedings of the
41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2014, pp. 139–150. ACM, New York (2014)
Satisfiability Modulo Heap-Based Programs
403
22. Gurfinkel, A., Kahsai, T., Komuravelli, A., Navas, J.A.: The seahorn verification
framework. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206,
pp. 343–361. Springer, Heidelberg (2015)
23. Haase, C., Ishtiaq, S., Ouaknine, J., Parkinson, M.J.: SeLoger: a tool for graphbased reasoning in separation logic. In: Sharygina, N., Veith, H. (eds.) CAV 2013.
LNCS, vol. 8044, pp. 790–795. Springer, Heidelberg (2013)
24. Heizmann, M., Hoenicke, J., Podelski, A.: Software model checking for people who
love automata. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp.
36–52. Springer, Heidelberg (2013)
25. Iosif, R., Rogalewicz, A., Simacek, J.: The tree width of separation logic with
recursive definitions. In: Bonacina, M.P. (ed.) CADE 2013. LNCS, vol. 7898, pp.
21–38. Springer, Heidelberg (2013)
26. Ishtiaq, S., O’Hearn, P.: BI as an assertion language for mutable data structures.
In: ACM POPL, pp. 14–26, London, January 2001
27. Jose, M., Majumdar, R.: Cause clue clauses: error localization using maximum
satisfiability. In: PLDI, pp. 437–446. ACM, New York (2011)
28. Le, Q.L., Gherghina, C., Qin, S., Chin, W.-N.: Shape analysis via second-order biabduction. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 52–68.
Springer, Heidelberg (2014)
29. Le, Q.L., Sharma, A., Craciun, F., Chin, W.-N.: Towards complete specifications
with an error calculus. In: Brat, G., Rungta, N., Venet, A. (eds.) NFM 2013. LNCS,
vol. 7871, pp. 291–306. Springer, Heidelberg (2013)
30. Le, Q.L., Sun, J., Chin, W.-N.: Satisfiability modula heap-based programs. Technical report (2016). http://loc.bitbucket.org/papers/satsl-cav16.pdf
31. Makoto, T., Le, Q.L., Chin, W.-N.: Presburger arithmetic and separation logic
with inductive definitions. Technical report, May 2016
32. Navarro Pérez, J.A., Rybalchenko, A.: Separation logic + superposition calculus =
heap theorem prover. In: Proceedings of the 32nd ACM SIGPLAN Conference on
Programming Language Design and Implementation (PLDI), pp. 556–566 (2011)
33. Navarro Pérez, J.A., Rybalchenko, A.: Separation logic modulo theories. In: Shan,
C. (ed.) APLAS 2013. LNCS, vol. 8301, pp. 90–106. Springer, Heidelberg (2013)
34. Piskac, R., Wies, T., Zufferey, D.: Automating separation logic using SMT. In:
Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 773–789. Springer,
Heidelberg (2013)
35. Piskac, R., Wies, T., Zufferey, D.: Automating separation logic with trees and data.
In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 711–728. Springer,
Heidelberg (2014)
36. Piskac, R., Wies, T., Zufferey, D., Piskac, R., Wies, T., Zufferey, D.: Automating
separation logic with trees and data. In: Biere, A., Bloem, R. (eds.) CAV 2014.
LNCS, vol. 8559, pp. 711–728. Springer, Heidelberg (2014)
37. Popeea, C., Chin, W.-N.: Inferring disjunctive postconditions. In: Okada, M.,
Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435, pp. 331–345. Springer, Heidelberg
(2008)
38. Pugh, W.: The omega test: a fast practical integer programming algorithm for
dependence analysis. Commun. ACM 8, 102–114 (1992)
39. Qiu, X., Garg, P., Ştefănescu, A., Madhusudan, P.: Natural proofs for structure,
data, and separation. In: PLDI, pp. 231–242. ACM, New York (2013)
40. Reynolds, J., Logic, S.: A logic for shared mutable data structures. In: Proceedings
of the 17th Annual IEEE Symposium on Logic in Computer Science, pp. 55–74
(2002)
404
Q.L. Le et al.
41. Sighireanu, M., Cok, D.R.: Report on SL-COMP 2014. In: JSAT (2016)
42. Sims, É.-J.: Extending separation logic with fixpoints and postponed substitution.
Theor. Comput. Sci. 351(2), 258–275 (2006)
43. Suter, P., Dotta, M., Kuncak, V.: Decision procedures for algebraic data types
with abstractions. In: Proceedings of the 37th Annual ACM SIGPLAN-SIGACT
Symposium on Principles of Programming Languages, POPL 2010, pp. 199–210.
ACM, New York (2010)
44. Suter, P., Köksal, A.S., Kuncak, V.: Satisfiability modulo recursive programs. In:
Yahav, E. (ed.) Static Analysis. LNCS, vol. 6887, pp. 298–315. Springer, Heidelberg
(2011)
45. Trinh, M.-T., Le, Q.L., David, C., Chin, W.-N.: Bi-abduction with pure properties
for specification inference. In: Shan, C. (ed.) APLAS 2013. LNCS, vol. 8301, pp.
107–123. Springer, Heidelberg (2013)