A Logic of Reachable Patterns in Linked DataStructures

1
A Logic of Reachable Patternsin Linked
Data-Structures

• Greta Yorsh
• joint work with
• Alexander Rabinovich, Mooly Sagiv
• Tel Aviv University
• Antoine Meyer, Ahmed Bouajjani
• LIAFA, Univ. of Paris 7

2
Heap-Manipulating Programs

• Imperative programming languages
• Arbitrary size and structure of the heap
• Destructive updates of fields
• Invariants involve reachability in linked
  data-structures
• Temporary violations of data-structure invariants

3
Modeling Heaps

• Model heaps using directed labelled graphs
• heap objects as nodes
• pointer variables as unique labels on nodes
• x v means v is pointed-to by x
• pointer fields as labels on edges
• means w is pointed-to by the n field
  of v

4
Specification Language

• Natural for reasoning about linked
  data-structures
• reachability
• Useful
• data-structure invariants
• loop invariants / characterization of abstraction
• pre- and post-conditions
• low-level mutations
• verification conditions
• Decidable for validity/satisfiability

5
Decidability with Reachability

• Limit the properties
• Guarded fixpoint logic Gradel et al, LICS99
• EADTC Immerman et al., CSL04
• LR Benedikt et. al., ESOP99
• Limit the graphs
• MSO on trees Rabin69

6
Using MSO on Trees

• Supports reachability
• Decidable on trees Rabin69
• But
• Non-elementary complexity
• How to specify postconditions for procedures that
  mutate fields ?
• e.g., in-place reversal of a singly-linked list
• What about programs that temporarily manipulate
  non-trees ?
• What about programs which manipulate non-trees ?

7
The Idea

• Balance between complex properties and complex
  graphs
• Allow regular properties of arbitrary graphs
• disjointness
• cyclicity
• reversal
• sharing

8
Logic of Reachable Patterns (LRP)

• A logic for reasoning about heap-manipulating
  programs and recursive data-structures
• Allows regular properties of arbitrary heaps
• disjointness, cyclicity, reversal, sharing
• arbitrary number of binary relations
• Closed under negation
• Finite model property
• Bounded model property
• Decidable
• non-trivial proof of tree-like model property
• Useful for verification

8
9
Syntax of LRP

• Arbitrary boolean combinations of reachability
  constraints cRp
• ? v0,v1,..., vn.R(c,v0)?p(v0,v1,...vn)
• Routing expression R
• R c ?c R1.R2 (R1R2)
  R ? ?
• Pattern p
• with designated free variable v0 (central node)
• of the form N(v0,v1,...vn)??(v0,v1,...vn)
• N is neighborhood formula
• ? is quantifier free formula

with additional restrictions
9
10
Interesting Heap Properties

• c ?R? p ? ?( c R ?p )
• shorthand
• x? ?y
• y is reachable from x
• x? ?x
• x is cyclic
• x . ?y
• disjoint objects reachable from x by following
  f-path are disjoint from objects reachable from y
  by following a f-path

11
Unshared Lists

• List pointed-to by x is not shared
• x unsf
• where
• unsf (v0) ? (v1 v0) ? (v2 v0) ? (v1
  v2)

12
Tree

• Tree rooted at x
• x ( ) (unsleft,right ?
  unsleft ? unsright)
• ? ? x ? ( ) ? x
• where
• unsf(v0) ? (v1 v0) ? (v2 v0) ? (v1
  v2)
• unsf,g(v0) ? ?((v1 v0) ? (v2 v0))

13
Doubly-linked Lists

• Doubly-linked list pointed-to by x
• x dllf,b
• where
• dllf,b (v0) ? (v0 v1) ? (v1 v0)

13
14
List with head pointers

• head p
• where p (v0) ? (v1 v0) ? (v1 head)

14
15
Well-Formed Heaps

• ?c?Var,f?Fields c detf ? null ? ?
  null
• all fields are deterministic
• detf(v0) ? (v0 v1) ? (v0 v2) ? (v1
  v2)
• node for NULL

16
Reversal of Singly-linked List

• Node reverse(Node x)
• Node y null
• while (x ! null)
• Node t x.n
• x.n y
• y x
• x t
• return y

17
Reversal of Singly-linked List

• precondition
• x? ?null
• postcondition
• y? ?null ? x invn,n
• where invn,n ? (v0 v1) ? (v1 v0)

18
Loop Invariant for Reverse

• the list reachable from x is the same as it was
  on entry to the method
• x samen,n
• where samen,n(v0) ? (v0 v1) ? (v0
  v1)
• the list reachable from y is reversed
• y ? ? null ? x ( . ?y )
  invn,n
• the original edge n outgoing of y is to x
• y ? ? x

y
x
x
19
Specification of Append
class List List n null ... List
append(List a, List b) _at_requires acyclic(a)
disjoint(a, b) _at_ensures postappend(a,b) if
(a null) return b List d a while
(d.n ! null) d d.n d.n b return
a

• precondition
• a? ? null
• ? ? ( a? . ? b )

• postcondition
• ? a? ?last
• ? last? ?null
• ? last? ?b
• ? a( . ? last) samen,n'
• ? b samen,n'

• Only the n-field of the last location reachable
  from a on entry is modified and it points to b
• If b acyclic before append, then the result of
  append is acyclic

samen,n ? (v0 v1)?(v0 v1)
20
Verification using LRP

• Verification condition generation in LRP
• if pre and post conditions and loop invariants
  are in LRP then it is possible to generate
  verification condition formula in LRP
• Modular analysis
• pre and post conditions in LRP
• no need for loop invariants
• use abstract domain with ? in LRP
• Abstract domain of LRP formulas

20
21
Example

• x0 ? ?n0 ? z0
• ? x0 ? ?n0 ? y1
• ? samex0,n0,n1 ? x0x1
• ? x1 ? ?n2 ? null
• ? samey1,n1,n2
• ?y1y2?x1x2
• ? y2 ? (?n2 ) ? z2
• ? x0 ! null
• ? x1 ! null

• 0 x ? ?n ? z
• 1 y x-gtn
• 2 x-gtn NULL
• y ? ? ? z

x
z
y
22
Decidability of LRP

• Validity and satisfiability are decidable
• closed under negation
• it is sufficient to show that the satisfiability
  of LRP is decidable
• Proof
• reduction to MSO on trees
• based on non-trivial proof of model property

22
23
Observation

• (almost) all extra edges have one of their
  endpoints labeled with a constant
• encode extra edges using unary relations

head
f
f
f
f
f
f
f
24
Model Property of LRP

• If ? has a model then ? has a model in Bk
• Bk is a set of graphs for which removing all
  edges to and from constants results in a graph in
  Ak
• Ak is a set of graphs for which Gaifman graph is
• a tree with at most k additional edges
• k is linear in the size of ?

24
25
Gaifman graph of S
graph S
A0
A1
A2
A4
25
26
Gaifman graph of S
graph S
null
x
null
A0
B0
n
x
f
A1
B0
b
x
A2
B0
r
l
A4
B0
f
f
f
f
f
x
26
27
Model Property of LRP

• If ? has a model then ? has a model in Bk
• ? is of the form ?? ? ??
• S ? ?
• S0 ? ?? and S0 ? Bk
• but S0 ? ??
• S1 ? ?? and S1 ? Bk
• ...
• Sm ? ?? and Sm ? Bk
• Sm ? ??

t???s ? x???z ? x???y ? x(?.?y)invf,b ?
x?detf
27
28
Model Property of LRP

• If ? has a model then ? has a model in Bk
• ? is of the form ?? ? ??
• from S ? ? construct Sm s.t. Sm ? ? and Sm ? Bk
• every step ti is defined by a pattern

t???s ? x???z ? x???y ? x(?.?y)invf,b ?
x?detf
28
29
Example

• t???s ? x???z ? x???y ? x(?.?y)invf,b ?
  x?detf

30
Example
t???s ? x???z ? x???y ? x(?.?y)invf,b ?
x?detf
t
x
y
z
s
31
Example
t???s ? x???z ? x???y ? x(?.?y)invf,b ?
x?detf
t
x
y
s
32
Example
t???s ? x???z ? x???y ? x(?.?y)invf,b ?
x?detf
t
x
y
s
33
Example
t???s ? x???z ? x???y ? x(?.?y)invf,b ?
x?detf
t
x
y
z
s
34
Model Property of LRP

• If ? has a model then ? has a model in Bk
• ? is of the form ?? ? ??
• from S ? ? construct Sm s.t. Sm ? ? and Sm ? Bk
• every step ti is defined by a pattern
• preserves hi
• preserves Bk

t???s ? x???z ? x???y ? x(?.?y)invf,b ?
x?detf
34
35
Restrictions on Patterns

• Syntactically restrict pattern p in cRp
• Restrict positive equality formulas
• p(v0) ? N(v0, v1, ..., vn) ? (v1 v2)
• N is a conjunction of edge formulas
• distance between v1 and v2 in N is at most 2
• Restrict positive edge formulas
• p(v0) ? N(v0, v1, ... vn) ? (v1 v2)
• N is a conjunction of edge formulas
• distance between v1 and v2 in N is at most 1

35
36
Reduction LRP to MSO on trees

• For every ? in LRP
• we can construct a formula tr(?) such that
• ? is satisfiable (over graphs )
• if and only if
• tr(?) is satisfiable over trees

Bk
36
37
Other Decidable Fragments

• Allow reachability constraints ?Rp where ?
  positive quantifier-free formulas
• Allow positive universal quantifications over
  constants and fields
• not closed under negation
• useful for modular specification

38
Undecidability Result

• Without restrictions on patterns, the logic
  becomed undecidable
• Idea enforce existence of edges
• c1 p
• where p(v) ? (v u) ? (v v1) ? (u u1)
  ? (v1 u1)

n
b
b
n
39
More Related Work

• Modal Logics
• have tree model property (no equality)
• Hybrid Logics
• equality only between named nodes
• cannot express deterministic edge
• Description Logics
• DL with nominals, deterministic roles and inverse
  roles is undecidable

40
Summary

• LRP is useful
• data-structure invariants (reachability)
• loop invariants
• verification conditions
• Satisfiability and validity of LRP formulas are
  decidable
• model property
• worst case complexity is doubly-exponential

41
Principles

• Arbitrary structure of the heap
• Regular properties
• restrict quantification no alternations
• allow arbitrary boolean combinations of
  reachability constraints
• use regular expressions to define reachability
• syntactically limit the patterns
• Proof approach
• model property
• structure simulation

41