Bounded model checking of pointer programs

Authors:
Witold Charatonik;Lilia Georgieva;Patrick Maier
Affiliations:
Instytut Informatyki, Uniwersytet Wrocławski;School of Math. and Comp. Sci, Heriot-Watt Univ;Max-Planck-Institut für Informatik
Venue:
CSL'05 Proceedings of the 19th international conference on Computer Science Logic
Year:
2005

Citing 10
Cited 2

Graph types

POPL '93 Proceedings of the 20th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
The pointer assertion logic engine

Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation
Finding bugs with a constraint solver

Proceedings of the 2000 ACM SIGSOFT international symposium on Software testing and analysis
Parametric shape analysis via 3-valued logic

ACM Transactions on Programming Languages and Systems (TOPLAS)
Symbolic Model Checking without BDDs

TACAS '99 Proceedings of the 5th International Conference on Tools and Algorithms for Construction and Analysis of Systems
Two-variable logic with counting is decidable

LICS '97 Proceedings of the 12th Annual IEEE Symposium on Logic in Computer Science
Guarded Fixed Point Logic

LICS '99 Proceedings of the 14th Annual IEEE Symposium on Logic in Computer Science
The Description Logic Handbook

The Description Logic Handbook
Consistent Partial Model Checking

Electronic Notes in Theoretical Computer Science (ENTCS)
A decidable fragment of separation logic

FSTTCS'04 Proceedings of the 24th international conference on Foundations of Software Technology and Theoretical Computer Science

On the complexity of the Bernays-Schönfinkel class with datalog

LPAR'10 Proceedings of the 17th international conference on Logic for programming, artificial intelligence, and reasoning
Two-Variable Logic with Counting and Trees

LICS '13 Proceedings of the 2013 28th Annual ACM/IEEE Symposium on Logic in Computer Science

Quantified Score

Hi-index	0.00

Visualization

Abstract

We propose a bounded model checking procedure for programs manipulating dynamically allocated pointer structures. Our procedure checks whether a program execution of length n ends in an error (e.g. a NULL dereference) by testing if the weakest precondition of the error condition together with the initial condition of the program (e.g. program variable x points to a circular list) is satisfiable. We express error conditions as formulas in the 2-variable fragment of the Bernays-Schönfinkel class with equality. We show that this fragment is closed under computing weakest preconditions. We express the initial conditions by unary relations which are defined by monadic Datalog programs. Our main contribution is a small model theorem for the 2-variable fragment of the Bernays-Schönfinkel class extended with least fixed points expressible by certain monadic Datalog programs. The decidability of this extension of first-order logic gives us a bounded model checking procedure for programs manipulating dynamically allocated pointer structures. In contrast to SAT-based bounded model checking, we do not bound the size of the heap a priori, but allow for pointer structures of arbitrary size. Thus, we are doing bounded model checking of infinite state transition systems.