Simulating reachability using first-order logic with applications to verification of linked data structures

TL;DR

This paper presents a method to verify safety properties of imperative programs with dynamic memory allocation by simulating reachability in first-order logic, enabling the use of theorem provers for complex pointer-based structures.

Contribution

It introduces techniques for conservative simulation of reachability in first-order logic, facilitating semi-automatic verification of pointer-manipulating programs.

Findings

Successfully verified garbage collection and list reversal algorithms

Demonstrated the approach surpasses previous tools like ESC/Java

Enabled automatic reasoning about complex data structures

Abstract

This paper shows how to harness existing theorem provers for first-order logic to automatically verify safety properties of imperative programs that perform dynamic storage allocation and destructive updating of pointer-valued structure fields. One of the main obstacles is specifying and proving the (absence) of reachability properties among dynamically allocated cells. The main technical contributions are methods for simulating reachability in a conservative way using first-order formulas--the formulas describe a superset of the set of program states that would be specified if one had a precise way to express reachability. These methods are employed for semi-automatic program verification (i.e., using programmer-supplied loop invariants) on programs such as mark-and-sweep garbage collection and destructive reversal of a singly linked list. (The mark-and-sweep example has been previously reported as being beyond the capabilities of ESC/Java.)