Abstract
We develop powerful and general techniques to mechanically verify realistic programs that manipulate heap-represented graphs. These graphs can exhibit well-known organization principles, such as being a directed acyclic graph or a disjoint-forest; alternatively, these graphs can be totally unstructured. The common thread for such structures is that they exhibit deep intrinsic sharing and can be expressed using the language of graph theory. We construct a modular and general setup for reasoning about abstract mathematical graphs and use separation logic to define how such abstract graphs are represented concretely in the heap. We develop a Localize rule that enables modular reasoning about such programs, and show how this rule can support existential quantifiers in postconditions and smoothly handle modified program variables. We demonstrate the generality and power of our techniques by integrating them into the Verified Software Toolchain and certifying the correctness of seven graph-manipulating programs written in CompCert C, including a 400-line generational garbage collector for the CertiCoq project. While doing so, we identify two places where the semantics of C is too weak to define generational garbage collectors of the sort used in the OCaml runtime. Our proofs are entirely machine-checked in Coq.
Highlights
Over the last fifteen years, separation logic has facilitated great strides in verifying programs that manipulate tree-shaped data structures. [Appel et al 2014; Bengtson et al 2012; Berdine et al 2005; Chin et al 2010; Chlipala 2011; Jacobs et al 2011]
Either we must reinvent a very large wheelÐcombined, Verified Software Toolchain (VST) and CompCert are about 840k LOCÐor we must dance within their constraints
We put the complete definition of forward_relation, with its twelve constructors, in the extended online version of our paper. We have such relations for all the key functions in our garbage collector (GC), and our final correctness proof shows that composing these relations together yields the high-level correctness propertyÐa kind of graph isomorphismÐthat is required by CertiCoq
Summary
Over the last fifteen years, separation logic has facilitated great strides in verifying programs that manipulate tree-shaped data structures. [Appel et al 2014; Bengtson et al 2012; Berdine et al 2005; Chin et al 2010; Chlipala 2011; Jacobs et al 2011]. Hobor closely-related examples such as garbage collectors [Ericsson et al 2017; McCreight et al 2010] These kinds of examples tend to require a large number of custom predicates and subtle reasoning, which generally does not carry over to the verification of other graph-manipulating programs. Our techniques are general in that they handle a diverse range of programs, and modular in that they encourage code reuse (e.g. facts about reachability) and separation of concerns (e.g. between abstract mathematical graphs and concrete representations in the heap). We develop a mathematical graph library that is general enough to reason about a wide variety of algorithms and expressive enough to describe the behavior of these algorithms in real machines. An extended version of this paper featuring three appendices is available online [Wang et al 2019]
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
