Certifying graph-manipulating C programs via localizations within data structures

Wang, Shengyi; Cao, Qinxiang; Mohan, Anshuman; Hobor, Aquinas

doi:10.1145/3360597

Cited by 8 publications

(14 citation statements)

References 46 publications

(54 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In recent work, Wang et al present a Coq-mechanised proof of graph algorithms in C, based on a substantial library of graph-related lemmas, both for mathematical and heap-based graphs [43]. They prove rich functional properties, integrated with the VST tool.…”

Section: Related Workmentioning

confidence: 99%

Local Reasoning for Global Graph Properties

Krishna

Summers

Wies

2020

Programming Languages and Systems

View full text Add to dashboard Cite

Separation logics are widely used for verifying programs that manipulate complex heap-based data structures. These logics build on so-called separation algebras, which allow expressing properties of heap regions such that modifications to a region do not invalidate properties stated about the remainder of the heap. This concept is key to enabling modular reasoning and also extends to concurrency. While heaps are naturally related to mathematical graphs, many ubiquitous graph properties are non-local in character, such as reachability between nodes, path lengths, acyclicity and other structural invariants, as well as data invariants which combine with these notions. Reasoning modularly about such graph properties remains notoriously difficult, since a local modification can have side-effects on a global property that cannot be easily confined to a small region. In this paper, we address the question: What separation algebra can be used to avoid proof arguments reverting back to tedious global reasoning in such cases? To this end, we consider a general class of global graph properties expressed as fixpoints of algebraic equations over graphs. We present mathematical foundations for reasoning about this class of properties, imposing minimal requirements on the underlying theory that allow us to define a suitable separation algebra. Building on this theory we develop a general proof technique for modular reasoning about global graph properties over program heaps, in a way which can be integrated with existing separation logics. To demonstrate our approach, we present local proofs for two challenging examples: a priority inheritance protocol and the non-blocking concurrent Harris list. S. Krishna et al. 1 method acquire(p: Node, r: Node) { 2 if (r.next == null) { 3 r.next := p; update(p, -1, r.curr_prio) 4 } else { 5 p.next := r; update(r, -1, p.curr_prio) 6 } 7 } 8 method update(n: Node, from: Int, to: Int) { 9 n.prios := n.prios \ {from} 10 if (to >= 0) n.prios := n.prios ∪ {to} 11 from := n.curr_prio 12 n.curr_prio := max(n.prios ∪ {n.def_prio}) 13 to := n.curr_prio; 14 if (from != to && n.next != null) { 15 update(n.next, from, to) 16 } 17 }

show abstract

Section: Related Workmentioning

confidence: 99%

Local Reasoning for Global Graph Properties

Krishna

Summers

Wies

2020

Programming Languages and Systems

View full text Add to dashboard Cite

show abstract

“…The CertiGraph library presented in [73] supports only directed graphs, and, as we have seen, bakes direction-reliant idioms such as src and dst deep into its development. Our challenge is to add support for undirected graphs atop of this.…”

Section: Undirectedness In a Directed Worldmentioning

confidence: 99%

“…Here V/E are the carrier types of vertices/edges, vvalid/evalid place restrictions specifying whether a vertex/edge is valid 1 , and src/dst : E → V map edges to their source/destination. Labels are allowed on vertices and edges, and a soundness condition allows custom application-specific restrictions [73]. Mathematical graphs connect to graphs in computer memory via spatial predicates in separation logic.…”

Section: Extensions To Certigraphmentioning

confidence: 99%

“…We wish to develop general and reusable techniques for verifying graphmanipulating programs written in real programming languages. This is a significant challenge, and so we choose to leverage and/or extend three large existing proof developments to state and prove the full functional correctness of our code in Coq: CompCert; the Verified Software Toolchain [4] (VST) separation logic [59] deductive verifier; and our own previous efforts [73], hereafter dubbed the CertiGraph project. Our primary extensions are to the third, and include: §2.1 pure/abstract reasoning for graphs with edge labels, (e.g., a distinguished edge-label value for "infinity" that indicates invalid/absent edges); §2.2 spatial representations and associated reasoning for edge-labeled graphs (several flavors of adjacency matrices as well as edge lists); §2.3 pure reasoning for undirected graphs (e.g., notions of connectedness).…”

Section: Introductionmentioning

confidence: 99%

“…Our verification of Kruskal proves that we can reason about two graphs simultaneously: a directed graph with vertex labels for union-find and an undirected graph with edge labels for which we are building a spanning forest. In addition to our verification of Dijkstra, Prim, and Kruskal, we develop increased lemma support for the preexisting CertiGraph union-find example [73]. Our extension to "base VST" (e.g., verifications without graphs) primarily consists of our verified binary heap.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Functional Correctness of C Implementations of Dijkstra’s, Kruskal’s, and Prim’s Algorithms

Mohan

Leow

Hobor

2021

Computer Aided Verification

Self Cite

View full text Add to dashboard Cite

We develop machine-checked verifications of the full functional correctness of C implementations of the eponymous graph algorithms of Dijkstra, Kruskal, and Prim. We extend Wang et al.’s CertiGraph platform to reason about labels on edges, undirected graphs, and common spatial representations of edge-labeled graphs such as adjacency matrices and edge lists. We certify binary heaps, including Floyd’s bottom-up heap construction, heapsort, and increase/decrease priority.Our verifications uncover subtle overflows implicit in standard textbook code, including a nontrivial bound on edge weights necessary to execute Dijkstra’s algorithm; we show that the intuitive guess fails and provide a workable refinement. We observe that the common notion that Prim’s algorithm requires a connected graph is wrong: we verify that a standard textbook implementation of Prim’s algorithm can compute minimum spanning forests without finding components first. Our verification of Kruskal’s algorithm reasons about two graphs simultaneously: the undirected graph undergoing MSF construction, and the directed graph representing the forest inside union-find. Our binary heap verification exposes precise bounds for the heap to operate correctly, avoids a subtle overflow error, and shows how to recycle keys to avoid overflow.

show abstract

Verified sequential Malloc/Free

Appel

Naumann

2020

Proceedings of the 2020 ACM SIGPLAN International Symposium on Memory Management

View full text Add to dashboard Cite

Certifying graph-manipulating C programs via localizations within data structures

Cited by 8 publications

References 46 publications

Local Reasoning for Global Graph Properties

Local Reasoning for Global Graph Properties

Functional Correctness of C Implementations of Dijkstra’s, Kruskal’s, and Prim’s Algorithms

Verified sequential Malloc/Free

Contact Info

Product

Resources

About