A Logic of Reachable Patterns in Linked Data-Structures

TL;DR

This paper introduces a new decidable logic for verifying invariants of programs manipulating dynamic pointer-based data structures, enabling automatic correctness proofs for low-level heap operations.

Contribution

It presents a novel logic that can express complex properties of pointer structures, including disjointness and mutations, with proven decidability and practical application to program verification.

Findings

Decidability of the proposed logic is established.

The logic can express properties of arbitrary data-structures and pointer fields.

Application demonstrated in verifying program correctness with heap mutations.

Abstract

We define a new decidable logic for expressing and checking invariants of programs that manipulate dynamically-allocated objects via pointers and destructive pointer updates. The main feature of this logic is the ability to limit the neighborhood of a node that is reachable via a regular expression from a designated node. The logic is closed under boolean operations (entailment, negation) and has a finite model property. The key technical result is the proof of decidability. We show how to express precondition, postconditions, and loop invariants for some interesting programs. It is also possible to express properties such as disjointness of data-structures, and low-level heap mutations. Moreover, our logic can express properties of arbitrary data-structures and of an arbitrary number of pointer fields. The latter provides a way to naturally specify postconditions that relate the fields on entry to a procedure to the fields on exit. Therefore, it is possible to use the logic to automatically prove partial correctness of programs performing low-level heap mutations.