A Logic of Reachable Patterns in Linked Data-Structures - PowerPoint PPT Presentation

1
A Logic of Reachable Patterns in Linked Data-Structures
  • Greta Yorsh
  • joint work with
  • Alexander Rabinovich, Mooly Sagiv
  • Tel Aviv University
  • Antoine Meyer, Ahmed Bouajjani
  • LIAFA, Univ. of Paris 7

2
Heap-Manipulating Programs
  • Imperative programming languages
  • Arbitrary size and structure of the heap
  • Destructive updates of fields
  • Invariants involve reachability in linked
    data-structures
  • Temporary violations of data-structure invariants

3
Modeling Heaps
  • Model heaps using directed labelled graphs
  • heap objects as nodes
  • pointer variables as unique labels on nodes
  • x v means v is pointed-to by x
  • pointer fields as labels on edges
  • means w is pointed-to by the n field
    of v

4
Specification Language
  • Natural for reasoning about linked
    data-structures
  • reachability
  • Useful
  • data-structure invariants
  • loop invariants / characterization of abstraction
  • pre- and post-conditions
  • low-level mutations
  • verification conditions
  • Decidable for validity/satisfiability

5
Decidability with Reachability
  • Limit the properties
  • Guarded fixpoint logic Grädel et al., LICS99
  • EADTC Immerman et al., CSL04
  • LR Benedikt et al., ESOP99
  • Limit the graphs
  • MSO on trees Rabin69

6
Using MSO on Trees
  • Supports reachability
  • Decidable on trees Rabin69
  • But
  • Non-elementary complexity
  • How to specify postconditions for procedures that
    mutate fields?
  • e.g., in-place reversal of a singly-linked list
  • What about programs that temporarily manipulate
    non-trees?
  • What about programs which manipulate non-trees?

7
The Idea
  • Balance between complex properties and complex
    graphs
  • Allow regular properties of arbitrary graphs
  • disjointness
  • cyclicity
  • reversal
  • sharing

8
Logic of Reachable Patterns (LRP)
  • A logic for reasoning about heap-manipulating
    programs and recursive data-structures
  • Allows regular properties of arbitrary heaps
  • disjointness, cyclicity, reversal, sharing
  • arbitrary number of binary relations
  • Closed under negation
  • Finite model property
  • Bounded model property
  • Decidable
  • non-trivial proof of tree-like model property
  • Useful for verification

9
Syntax of LRP
  • Arbitrary boolean combinations of reachability
    constraints cRp
  • ? v0,v1,..., vn.R(c,v0)?p(v0,v1,...vn)
  • Routing expression R
  • R c ?c R1.R2 (R1R2)
    R ? ?
  • Pattern p
  • with designated free variable v0 (central node)
  • of the form N(v0,v1,...vn)??(v0,v1,...vn)
  • N is neighborhood formula
  • ? is quantifier free formula

with additional restrictions
10
Interesting Heap Properties
  • c ?R? p ? ?( c R ?p )
  • shorthand
  • x? ?y
  • y is reachable from x
  • x? ?x
  • x is cyclic
  • x . ?y
  • disjointness: the objects reachable from x by following
    an f-path are disjoint from the objects reachable from y
    by following an f-path

11
Unshared Lists
  • List pointed-to by x is not shared
  • x unsf
  • where
  • unsf (v0) ? (v1 v0) ? (v2 v0) ? (v1
    v2)

12
Tree
  • Tree rooted at x
  • x ( ) (unsleft,right ?
    unsleft ? unsright)
  • ? ? x ? ( ) ? x
  • where
  • unsf(v0) ? (v1 v0) ? (v2 v0) ? (v1
    v2)
  • unsf,g(v0) ? ?((v1 v0) ? (v2 v0))

13
Doubly-linked Lists
  • Doubly-linked list pointed-to by x
  • x dllf,b
  • where
  • dllf,b (v0) ? (v0 v1) ? (v1 v0)

14
List with head pointers
  • head p
  • where p (v0) ? (v1 v0) ? (v1 head)

15
Well-Formed Heaps
  • ?c?Var,f?Fields c detf ? null ? ?
    null
  • all fields are deterministic
  • detf(v0) ? (v0 v1) ? (v0 v2) ? (v1
    v2)
  • node for NULL

16
Reversal of Singly-linked List
  Node reverse(Node x) {
    Node y = null;
    while (x != null) {
      Node t = x.n;   // save the rest of the list
      x.n = y;        // destructive update: flip the n-edge
      y = x;
      x = t;
    }
    return y;
  }

17
Reversal of Singly-linked List
  • precondition
  • x? ?null
  • postcondition
  • y? ?null ? x invn,n
  • where invn,n ? (v0 v1) ? (v1 v0)
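The reverse example of slides 16 and 17, checked on a concrete heap. This is an added example, not code from the slides or the authors: a heap is a set of labelled edges, a constraint c<f*>p is evaluated as "pattern p holds at every node reachable from c by f-edges", and the entry n-field and exit n'-field are kept in one model so that inv_{n,n'} can be checked. The connective in inv did not survive extraction; it is read here as "iff", with edges into the null node ignored (an assumption), and all function names are my own.

```python
NULL = "null"   # null is modelled as an ordinary node with no outgoing fields (slide 15)

def succs(heap, f, v):
    """f-successors of v; a heap is a set of labelled edges (src, field, dst)."""
    return {w for (u, g, w) in heap if u == v and g == f}
def preds(heap, f, v):
    """f-predecessors of v."""
    return {u for (u, g, w) in heap if w == v and g == f}

def reach(heap, f, start):
    """Nodes reachable from start by the routing expression f* (zero or more f-edges)."""
    seen, todo = set(), [start]
    while todo:
        v = todo.pop()
        if v not in seen:
            seen.add(v)
            todo.extend(succs(heap, f, v))
    return seen

def constraint(heap, c, f, pattern):
    """Reachability constraint c<f*>pattern: pattern holds at every node reachable from c."""
    return all(pattern(heap, v0) for v0 in reach(heap, f, c))

def det(f):      # det_f: v0 has at most one f-successor (field f is deterministic)
    return lambda heap, v0: len(succs(heap, f, v0)) <= 1
def inv(f, g):   # inv_{f,g}: (v0 -f-> v1) iff (v1 -g-> v0); edges to/from null ignored (assumption)
    return lambda heap, v0: v0 == NULL or (
        all((v1, g, v0) in heap for v1 in succs(heap, f, v0) if v1 != NULL)
        and all((v0, f, v1) in heap for v1 in preds(heap, g, v0)))

def reverse_edges(entry, x, f="n", g="n'"):
    """Replay the reverse() loop of slide 16 on the graph; returns y and the exit edges labelled g."""
    nxt = {u: w for (u, h, w) in entry if h == f}   # the deterministic n field as a map
    y = NULL
    while x != NULL:
        t = nxt[x]; nxt[x] = y; y = x; x = t
    return y, {(u, g, w) for u, w in nxt.items()}

# Constructed input: x points to the acyclic list a -> b -> c -> null.
ENTRY = {("a", "n", "b"), ("b", "n", "c"), ("c", "n", NULL)}

def check_reverse(entry=ENTRY, x="a"):
    """Returns (precondition holds, postcondition holds, y) for reverse() on this heap."""
    pre = constraint(entry, x, "n", det("n")) and NULL in reach(entry, "n", x)
    if not pre:                   # e.g. a cyclic list, on which reverse() would not terminate
        return False, False, None
    y, exit_edges = reverse_edges(entry, x)
    both = entry | exit_edges     # one model carrying both relations n and n'
    post = NULL in reach(both, "n'", y) and constraint(both, x, "n", inv("n", "n'"))
    return pre, post, y
```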

18
Loop Invariant for Reverse
  • the list reachable from x is the same as it was
    on entry to the method
  • x samen,n
  • where samen,n(v0) ? (v0 v1) ? (v0
    v1)
  • the list reachable from y is reversed
  • y ? ? null ? x ( . ?y )
    invn,n
  • the original edge n outgoing of y is to x
  • y ? ? x

[figure: list reversal state labelled with pointer variables y and x]
19
Specification of Append
class List {
  List n = null; ...
  @requires acyclic(a) && disjoint(a, b)
  @ensures postappend(a, b)
  List append(List a, List b) {
    if (a == null) return b;
    List d = a;
    while (d.n != null) d = d.n;   // walk to the last node of a
    d.n = b;                       // the only field modified
    return a;
  }
}
  • precondition
  • a? ? null
  • ? ? ( a? . ? b )
  • postcondition
  • ? a? ?last
  • ? last? ?null
  • ? last? ?b
  • ? a( . ? last) samen,n'
  • ? b samen,n'
  • Only the n-field of the last location reachable
    from a on entry is modified and it points to b
  • If b acyclic before append, then the result of
    append is acyclic

samen,n ? (v0 v1)?(v0 v1)
20
Verification using LRP
  • Verification condition generation in LRP
  • if pre and post conditions and loop invariants
    are in LRP then it is possible to generate
    verification condition formula in LRP
  • Modular analysis
  • pre and post conditions in LRP
  • no need for loop invariants
  • use abstract domain with ? in LRP
  • Abstract domain of LRP formulas


21
Example
  • x0 ? ?n0 ? z0
  • ? x0 ? ?n0 ? y1
  • ? samex0,n0,n1 ? x0x1
  • ? x1 ? ?n2 ? null
  • ? samey1,n1,n2
  • ?y1y2?x1x2
  • ? y2 ? (?n2 ) ? z2
  • ? x0 != null
  • ? x1 != null
  • 0 x ? ?n ? z
  • 1 y = x->n
  • 2 x->n = NULL
  • y ? ? ? z

[figure: heap with pointer variables x, y and z]
22
Decidability of LRP
  • Validity and satisfiability are decidable
  • closed under negation
  • it is sufficient to show that the satisfiability
    of LRP is decidable
  • Proof
  • reduction to MSO on trees
  • based on non-trivial proof of model property

23
Observation
  • (almost) all extra edges have one of their
    endpoints labeled with a constant
  • encode extra edges using unary relations

[figure: list with a head pointer and f-edges, extra edges back to head]
24
Model Property of LRP
  • If ? has a model then ? has a model in Bk
  • Bk is a set of graphs for which removing all
    edges to and from constants results in a graph in
    Ak
  • Ak is a set of graphs for which Gaifman graph is
  • a tree with at most k additional edges
  • k is linear in the size of ?

25
Gaifman graph of S
[figure: graph S alongside its Gaifman graph, for the examples A0, A1, A2, A4]
26
Gaifman graph of S
[figure: graph S and its Gaifman graph for the examples A0, A1, A2, A4 (each with B0); node labels x, null; edge labels n, f, b, l, r]
27
Model Property of LRP
  • If ? has a model then ? has a model in Bk
  • ? is of the form ?? ? ??
  • S ? ?
  • S0 ? ?? and S0 ? Bk
  • but S0 ? ??
  • S1 ? ?? and S1 ? Bk
  • ...
  • Sm ? ?? and Sm ? Bk
  • Sm ? ??

t???s ? x???z ? x???y ? x(?.?y)invf,b ?
x?detf
28
Model Property of LRP
  • If ? has a model then ? has a model in Bk
  • ? is of the form ?? ? ??
  • from S ? ? construct Sm s.t. Sm ? ? and Sm ? Bk
  • every step ti is defined by a pattern

t???s ? x???z ? x???y ? x(?.?y)invf,b ?
x?detf
29
Example
  • t???s ? x???z ? x???y ? x(?.?y)invf,b ?
    x?detf

30
Example
t???s ? x???z ? x???y ? x(?.?y)invf,b ?
x?detf
[figure: example graph with nodes t, x, y, z, s]
31
Example
t???s ? x???z ? x???y ? x(?.?y)invf,b ?
x?detf
[figure: example graph with nodes t, x, y, s]
32
Example
t???s ? x???z ? x???y ? x(?.?y)invf,b ?
x?detf
[figure: example graph with nodes t, x, y, s]
33
Example
t???s ? x???z ? x???y ? x(?.?y)invf,b ?
x?detf
[figure: example graph with nodes t, x, y, z, s]
34
Model Property of LRP
  • If ? has a model then ? has a model in Bk
  • ? is of the form ?? ? ??
  • from S ? ? construct Sm s.t. Sm ? ? and Sm ? Bk
  • every step ti is defined by a pattern
  • preserves hi
  • preserves Bk

t???s ? x???z ? x???y ? x(?.?y)invf,b ?
x?detf
35
Restrictions on Patterns
  • Syntactically restrict pattern p in cRp
  • Restrict positive equality formulas
  • p(v0) ? N(v0, v1, ..., vn) ? (v1 v2)
  • N is a conjunction of edge formulas
  • distance between v1 and v2 in N is at most 2
  • Restrict positive edge formulas
  • p(v0) ? N(v0, v1, ... vn) ? (v1 v2)
  • N is a conjunction of edge formulas
  • distance between v1 and v2 in N is at most 1

36
Reduction LRP to MSO on trees
  • For every ? in LRP
  • we can construct a formula tr(?) such that
  • ? is satisfiable (over graphs in Bk)
  • if and only if
  • tr(?) is satisfiable over trees

37
Other Decidable Fragments
  • Allow reachability constraints ?Rp where ?
    positive quantifier-free formulas
  • Allow positive universal quantifications over
    constants and fields
  • not closed under negation
  • useful for modular specification

38
Undecidability Result
  • Without restrictions on patterns, the logic
    becomes undecidable
  • Idea: enforce existence of edges
  • c1 p
  • where p(v) ? (v u) ? (v v1) ? (u u1)
    ? (v1 u1)

[figure: the enforced edge pattern, with edges labelled n and b]
39
More Related Work
  • Modal Logics
  • have tree model property (no equality)
  • Hybrid Logics
  • equality only between named nodes
  • cannot express deterministic edge
  • Description Logics
  • DL with nominals, deterministic roles and inverse
    roles is undecidable

40
Summary
  • LRP is useful
  • data-structure invariants (reachability)
  • loop invariants
  • verification conditions
  • Satisfiability and validity of LRP formulas are
    decidable
  • model property
  • worst case complexity is doubly-exponential

41
Principles
  • Arbitrary structure of the heap
  • Regular properties
  • restrict quantification: no alternations
  • allow arbitrary boolean combinations of
    reachability constraints
  • use regular expressions to define reachability
  • syntactically limit the patterns
  • Proof approach
  • model property
  • structure simulation
