Programs with Lists Are Counter Automata
Lecture Notes in Computer Science
We address the verification problem of programs manipulating oneselector linked data structures. We propose a new automated approach for checking safety and termination for these programs. Our approach is based on using counter automata as accurate abstract models: control states correspond to abstract heap graphs where list segments without sharing are collapsed, and counters are used to keep track of the number of elements in these segments. This allows to apply automatic analysis techniques
... nd tools for counter automata in order to verify list programs. We show the effectiveness of our approach, in particular by verifying automatically termination of some sorting programs. Then, for data-insensitive programs (i.e., programs not accessing nor modifying the data stored in lists as, e.g., a list reversal program), a natural abstraction consists in mapping each sequence of elements between two sharing points into an abstract sequence of some (fixed) bounded size. However, for each given value of the bound, this abstraction is obviously not precise in general. In order to define a precise abstraction, we need in fact to reason about the size of each sequence between two sharing points. This leads to the idea of using counters in order to keep this information in the abstract model (and therefore to use counter automata as abstract models). In fact, considering counter automata-based models has several advantages. Not only does it allow to define accurate abstractions, it allows us also to handle quantitative properties depending on the sizes of some parts of the heap. Thus, we can handle programs with integer variables whose value is somehow related to the contents of the lists (e.g., to their length). Moreover, it provides a powerful way for checking termination which typically requires reasoning about decreasing values (e.g., the size of the part of the list to be treated). A first contribution of the paper is to define an abstraction mapping from datainsensitive programs to counter automata for which we prove that the (concrete) program and its abstraction are bisimilar. This result is interesting since it means that our abstraction preserves all properties of the class of data-insensitive programs. The control states of the built automaton correspond to abstract shapes (heap graphs where sequences between shared points are reduced to single vertices), and each transition corresponds to the execution of a program statement. It represents a modification in the shape together with a modification on the counters (attached to vertices abstracting sequences between sharing nodes). The control structure of the built counter automata can be arbitrary in general. However, it turns out that these automata have an important property: we prove that if we consider the evolution of the sum of all counters, the effect of executing any control loop is to increment this sum by a constant which depends on the program. We use this fact to establish a new decidability result for list programs: for every given (data-insensitive) list program, if the control structure of the generated counter automaton has no nested loops, the verification problems of safety properties and termination are both decidable. Subsequently, we go further by considering the issue of data-sensitivity. We consider the class of programs manipulating objects ranging over a potentially infinite data domain supplied with an ordering relation, and we assume that the only allowed operation on these data values is the comparison w.r.t. this ordering relation. This class of programs includes, for instance, sorting programs. We extend our previous abstraction principle to the heap graphs of these programs by taking into account (in addition to the size) some information about the order of the elements in the abstracted sequences between sharing points, and we provide a construction which associates with each program a counter automaton-based abstract model. We show that this abstraction is sound w.r.t. the choice of ordering predicates. Finally, we show the application of our approach on three examples of programs (list reversal, insertion sort, and bubble sort). We have derived systematically their counter automata models, and then we used (1) our ARMC tool  (and some compile-time techniques) for checking safety properties, and (2) the Terminator tool based on  for termination. * − → m 0 and n 2 * − → p 0 , for some m 0 ∈ [m] and some p 0 ∈ [p]. Since either n 1 * − → n 2 , or n 2 * − → n 1 , there must exist a node in [n] with two distinct direct successors, which contradicts the well-formedness of S. The argument for V /∼ is straightforward.