Verification Condition Generation for Permission Logics with Abstract Predicates and Abstraction Functions [chapter]

Stefan Heule, Ioannis T. Kassios, Peter Müller, Alexander J. Summers
2013, Lecture Notes in Computer Science (Springer Berlin Heidelberg)
Abstract predicates are the primary abstraction mechanism for program logics based on access permissions, such as separation logic and implicit dynamic frames. In addition to abstract predicates, it is useful to also support classical abstraction functions, for instance, to encode side-effect-free methods of the program and use them in specifications. However, combining abstract predicates and abstraction functions in a verification condition generator leads to subtle interactions, which complicate reasoning about heap modifications. Such complications may compromise soundness or cause divergence of the prover in the context of automated verification. In this paper, we present an encoding of abstract predicates and abstraction functions in the verification condition generator Boogie. Our encoding is sound and handles recursion in a way that is suitable for automatic verification using SMT solvers. It is implemented in the automatic verifier Chalice.

Fig. 1 (excerpt):

```
class List {
  var value: int;
  var next: List;

  predicate valid {
    acc(value) && acc(next) && (next != null ⇒ next.valid)
  }

  function length(): int
    requires valid;
    ensures result > 0;
  { unfolding valid in next = null ? 1 : 1 + next.length() }

  function itemAt(i: int): int
```

Fig. 1 shows the implementation of a singly-linked list. Methods have preconditions (keyword requires) and postconditions (keyword ensures). In addition to regular methods, Chalice supports side-effect-free functions, which may be used in specifications. An access permission to a field o.f is denoted by acc(o.f), which corresponds to o.f ↦ _ in separation logic. The Chalice conjunction && treats permissions multiplicatively (i.e., requiring the sum of the permissions in each conjunct), similarly to the separating conjunction * of separation logic. The recursive abstract predicate valid represents the memory locations of the list structure. The unfold and fold ghost statements replace a predicate by its body and vice versa. The ghost expression construct unfolding ... in is intuitively analogous to an unfold-fold block and can be used in functions and in specifications, where statements cannot occur.

Abstract Predicates. Enumerating all locations for which a method requires or returns permissions is not possible for recursive data structures. For instance, a method that traverses a linked list, such as method itemAt in Fig. 1, would require permission to access this.value, this.next, and so on.
To solve this problem, Parkinson and Bierman [23] introduced abstract predicates. The definition of an abstract predicate declares a predicate body that may contain permissions to concrete heap locations, constraints on their values, and possibly further predicate instances. Due to this recursion, abstract predicates potentially represent permission to an unbounded number of heap locations. For instance, the abstract predicate valid in Fig. 1 represents the permissions for value, next and, if next is non-null, the permissions in next.valid. Just as with permissions to field locations, a method may require predicate instances from
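As an added illustration (not from the paper and not Chalice's Boogie encoding), the following Python sketch models the permission accounting described above: permissions are tokens held by the current method, `unfold` exchanges an instance of `valid` for the permissions in its body, `fold` does the reverse, and every heap read is checked against the tokens held. `length` follows the `unfolding valid in ...` pattern of Fig. 1 and leaves the caller's permissions unchanged; `naive_length` is a direct traversal that shows why no finite list of `acc(...)` permissions can serve as its precondition. The `Node`, `PermissionState` and `build_list` names are this sketch's own.

```python
"""Toy model of permission tokens for the recursive predicate `valid`
from the List example. Constructed illustration, not Chalice's semantics."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


class MissingPermission(Exception):
    """Raised when code touches a heap location it holds no permission for."""


@dataclass(eq=False)
class Node:
    """Heap object for class List; eq=False so nodes compare by identity."""
    value: int
    next: Optional[Node] = None


class PermissionState:
    """Permissions held by the current method, modelled as tokens.

    `fields` holds acc(o.f) tokens keyed by (id(o), f); `predicates` holds
    o.valid instances keyed by id(o). Because && is multiplicative, a token
    is consumed by fold and produced by unfold, never shared or duplicated.
    """

    def __init__(self) -> None:
        self.fields: set[tuple[int, str]] = set()
        self.predicates: set[int] = set()

    def holds_valid(self, node: Node) -> bool:
        return id(node) in self.predicates

    def read(self, obj: Node, fld: str):
        # Every heap read must be covered by an acc(o.f) token.
        if (id(obj), fld) not in self.fields:
            raise MissingPermission(f"no acc({fld}) for node {id(obj):#x}")
        return getattr(obj, fld)

    def unfold_valid(self, node: Node) -> None:
        # unfold: consume node.valid, produce
        # acc(value) && acc(next) && (next != null ==> next.valid)
        if not self.holds_valid(node):
            raise MissingPermission("unfold: node.valid not held")
        self.predicates.remove(id(node))
        self.fields |= {(id(node), "value"), (id(node), "next")}
        if node.next is not None:
            self.predicates.add(id(node.next))

    def fold_valid(self, node: Node) -> None:
        # fold: consume the body's permissions, produce node.valid
        body = {(id(node), "value"), (id(node), "next")}
        if not body <= self.fields:
            raise MissingPermission("fold: acc(value) or acc(next) missing")
        if node.next is not None and not self.holds_valid(node.next):
            raise MissingPermission("fold: next.valid missing")
        self.fields -= body
        if node.next is not None:
            self.predicates.remove(id(node.next))
        self.predicates.add(id(node))


def length(perm: PermissionState, node: Node) -> int:
    """Mirrors `unfolding valid in next = null ? 1 : 1 + next.length()`:
    valid is unfolded for the evaluation and folded back afterwards, so the
    caller's permission state is exactly what it was before the call."""
    perm.unfold_valid(node)
    nxt = perm.read(node, "next")
    result = 1 if nxt is None else 1 + length(perm, nxt)
    perm.fold_valid(node)
    return result


def naive_length(perm: PermissionState, node: Optional[Node]) -> int:
    """Direct traversal: needs acc(this.next), acc(this.next.next), ...
    which no finite precondition can enumerate."""
    count = 0
    while node is not None:
        count += 1
        node = perm.read(node, "next")
    return count


def build_list(values: list[int]) -> tuple[PermissionState, Node]:
    """Constructed sample heap: a list of `values` whose caller holds only head.valid."""
    head: Optional[Node] = None
    for v in reversed(values):
        head = Node(v, head)
    assert head is not None, "build_list needs at least one value"
    perm = PermissionState()
    perm.predicates.add(id(head))
    return perm, head


def traversal_without_predicate_fails(perm: PermissionState, head: Node) -> bool:
    """True if the direct traversal is rejected by the permission check."""
    try:
        naive_length(perm, head)
    except MissingPermission:
        return True
    return False


if __name__ == "__main__":
    perm, head = build_list([10, 20, 30])
    print("length via unfolding:", length(perm, head))
    print("head.valid restored:", perm.holds_valid(head))
    print("direct traversal rejected:", traversal_without_predicate_fails(perm, head))
```

Running it with only `head.valid` held, `length` succeeds and hands the single predicate token back intact, while the direct traversal is rejected on its first read of `next`; this is the footprint problem that the recursive predicate solves.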
doi:10.1007/978-3-642-39038-8_19 · fatcat:tqhn6lp4nzejvn4bhzsjkv2wli