Safety and Liveness in Concurrent Pointer Programs

  • Dino Distefano
  • Joost-Pieter Katoen
  • Arend Rensink
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4111)


The incorrect use of pointers is one of the most common source of software errors. Concurrency has a similar characteristic. Proving the correctness of concurrent pointer manipulating programs, let alone algorithmically, is a highly non-trivial task. This paper proposes an automated verification technique for concurrent programs that manipulate linked lists. Key issues of our approach are: automata (with fairness constraints), heap abstractions that are tailored to the program and property to be checked, first-order temporal logic, and a tableau-based model-checking algorithm.


Model Check Temporal Logic Program Variable Pointer Program Separation Logic 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bardin, S., Finkel, A., Nowak, D.: Towards symbolic verification of programs handling pointers. In: AVIS 2004 (2004)Google Scholar
  2. 2.
    Barr, A.: Find the Bug in this Java Program. Addison-Wesley, Reading (2005)Google Scholar
  3. 3.
    Basin, D., Matthews, S., Vigano, L.: Labelled modal logics: quantifiers. J. of Logic, Language and Information 7(3), 237–263 (1998)zbMATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    Berdine, J., Calcagno, C., O’Hearn, P.W.: A decidable fragment of separation logic. In: Lodaya, K., Mahajan, M. (eds.) FSTTCS 2004. LNCS, vol. 3328, pp. 97–109. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. 5.
    Berdine, J., Calcagno, C., O’Hearn, P.W.: Symbolic execution with separation logic. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 52–68. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  6. 6.
    Bergstra, J., Ponse, A., Smolka, S.A. (eds.): Handbook of Process Algebra. Elsevier, Amsterdam (2001)zbMATHGoogle Scholar
  7. 7.
    Bouajjani, A., Habermehl, P., Moro, P., Vojnar, T.: Verifying programs with dynamic 1-selector-linked list structures in regular model checking. In: Halbwachs, N., Zuck, L.D. (eds.) TACAS 2005. LNCS, vol. 3440, pp. 13–29. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  8. 8.
    Bozga, M., Iosif, R., Lakhnech, Y.: Storeless semantics and alias logic. In: PEPM, pp. 55–65. ACM Press, New York (2003)Google Scholar
  9. 9.
    Bozga, M., Iosif, R., Lakhnech, Y.: On logics of aliasing. In: Giacobazzi, R. (ed.) SAS 2004. LNCS, vol. 3148, pp. 344–360. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  10. 10.
    Burstall, R.: Some techniques for proving correctness of programs which alter data structures. Machine Intelligence 6, 23–50 (1971)zbMATHGoogle Scholar
  11. 11.
    Cardelli, L., Gardner, P., Ghelli, G.: A spatial logic for querying graphs. In: Widmayer, P., Triguero, F., Morales, R., Hennessy, M., Eidenbenz, S., Conejo, R. (eds.) ICALP 2002. LNCS, vol. 2380, pp. 597–610. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Cardelli, L., Gordon, A.D.: Anytime, anywhere: modal logics for mobile ambients. In: POPL, pp. 365–377. ACM Press, New York (2000)CrossRefGoogle Scholar
  13. 13.
    Chase, D.R., Wegman, M., Zadeck, F.: Analysis of pointers and structures. In: PLDI, pp. 296–310. ACM Press, New York (1990)Google Scholar
  14. 14.
    Chong, S., Rugina, R.: Static analysis of accessed regions in recursive data structures. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 463–482. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  15. 15.
    Cook, S.A., Oppen, D.: An assertion language for data structures. In: POPL, pp. 160–166. ACM Press, New York (1975)Google Scholar
  16. 16.
    Deutsch, A.: Interprocedural may-alias analysis for pointers: beyond k-limiting. In: PLDI, pp. 230–241. ACM Press, New York (1994)Google Scholar
  17. 17.
    Distefano, D.: A parametric model for the analysis of mobile ambients. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 401–417. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  18. 18.
    Distefano, D., Katoen, J.-P., Rensink, A.: Who is pointing when to whom? – On the automated verification of linked list structures. In: Lodaya, K., Mahajan, M. (eds.) FSTTCS 2004. LNCS, vol. 3328, pp. 250–262. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  19. 19.
    Distefano, D., Rensink, A., Katoen, J.-P.: Who is pointing when to whom? – On the automated verification of linked list structures CTIT Tech. Rep. 03-12 (2003)Google Scholar
  20. 20.
    Distefano, D., Rensink, A., Katoen, J.-P.: Model checking birth and death. In: TCS, pp. 435–447. Kluwer, Dordrecht (2002)Google Scholar
  21. 21.
    Fitting, M.: On quantified modal logic. Fundamenta Informatica 39(1), 5–121 (1999)MathSciNetGoogle Scholar
  22. 22.
    Fradet, P., Gaugne, R., Le Métayer, D.: Static detection of pointer errors: an axiomatisation and a checking algorithm. In: Riis Nielson, H. (ed.) ESOP 1996. LNCS, vol. 1058, pp. 125–140. Springer, Heidelberg (1996)Google Scholar
  23. 23.
    van Glabbeek, R.J.: The linear time-branching time spectrum I. In: [6], ch. 1, pp. 3–101 (2001)Google Scholar
  24. 24.
    Ishtiaq, S., O’Hearn, P.W.: BI as an assertion language for mutable data structures. In: POPL, pp. 14–26. ACM Press, New York (2001)Google Scholar
  25. 25.
    Jensen, J., Jørgensen, M., Schwartzbach, M., Klarlund, N.: Automatic verification of pointer programs using monadic second-order logic. In: PLDI, pp. 226–236. ACM Press, New York (1997)CrossRefGoogle Scholar
  26. 26.
    Jones, N.D., Muchnick, S.S.: Flow analysis and optimization of Lisp-like structures, ch. 4. In: Muchnick, S.S., Jones, N.D. (eds.) Program Flow Analysis: Theory and Applications, ch. 4, pp. 102–131. Prentice-Hall, Englewood Cliffs (1981)Google Scholar
  27. 27.
    Lichtenstein, O., Pnueli, A.: Checking that finite state concurrent programs satisfy their linear specification. In: POPL, pp. 97–107. ACM Press, New York (1985)Google Scholar
  28. 28.
    Nelson, G.: Verifying reachability invariants of linked structures. In: POPL, pp. 38–47. ACM Press, New York (1983)Google Scholar
  29. 29.
    Manevich, R., Yahav, E., Ramalingam, G., Sagiv, M.: Predicate abstraction and canonical abstraction for singly-linked lists. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 181–198. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  30. 30.
    Milner, R. (ed.): A Calculus of Communication Systems. LNCS, vol. 92. Springer, Heidelberg (1980)Google Scholar
  31. 31.
    Montanari, U., Pistore, M.: An introduction to history-dependent automata. ENTCS 10 (1998)Google Scholar
  32. 32.
    Møller, A., Schwartzbach, M.: The pointer assertion logic engine. In: PLDI, pp. 213–221. ACM Press, New York (2001)Google Scholar
  33. 33.
    Morris, J.: Assignment and linked data structures. In: Th. Found. of Progr. Meth., Reidel, pp. 25–34 (1981)Google Scholar
  34. 34.
    O’Hearn, P.W., Yang, H., Reynolds, J.C.: Separation and information hiding. In: POPL, pp. 268–280. ACM Press, New York (2004)CrossRefGoogle Scholar
  35. 35.
    Pnueli, A.: The temporal logic of programs. In: FOCS, pp. 46–57. IEEE CS Press, Los Alamitos (1977)Google Scholar
  36. 36.
    Rensink, A.: Canonical graph shapes. In: Schmidt, D. (ed.) ESOP 2004. LNCS, vol. 2986, pp. 401–415. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  37. 37.
    Reynolds, J.C.: Separation logic: A logic for shared mutable data structures. In: LICS, pp. 55–74. IEEE CS Press, Los Alamitos (2002)Google Scholar
  38. 38.
    Sagiv, M., Reps, T., Wilhelm, R.: Solving shape-analysis problems in languages with destructive updating. ACM TOPLAS 20(1), 1–50 (1998)CrossRefGoogle Scholar
  39. 39.
    Séméria, L., Sato, K., de Micheli, G.: Resolution of dynamic memory allocation and pointers for the behavioural synthesis from C. In: DATE, pp. 312–319. ACM Press, New York (2000)CrossRefGoogle Scholar
  40. 40.
    Yahav, E., Reps, T., Sagiv, M., Wilhelm, R.: Verifying temporal heap properties specified via evolution logic. In: Degano, P. (ed.) ESOP 2003 and ETAPS 2003. LNCS, vol. 2618, pp. 204–222. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  41. 41.
    Yavuz-Kahveci, T., Bultan, T.: Automated verification of concurrent linked lists with counters. In: Hermenegildo, M.V., Puebla, G. (eds.) SAS 2002. LNCS, vol. 2477, pp. 69–82. Springer, Heidelberg (2002)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Dino Distefano
    • 1
  • Joost-Pieter Katoen
    • 2
    • 3
  • Arend Rensink
    • 3
  1. 1.Dept. of Computer Science, Queen MaryUniversity of LondonUnited Kingdom
  2. 2.Software Modeling and Verification GroupRWTH AachenGermany
  3. 3.Formal Methods and ToolsUniversity of TwenteThe Netherlands

Personalised recommendations