Effectively-Propositional Reasoning about Reachability in Linked Data Structures

  • Shachar Itzhaky
  • Anindya Banerjee
  • Neil Immerman
  • Aleksandar Nanevski
  • Mooly Sagiv
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8044)


This paper proposes a novel method of harnessing existing SAT solvers to verify reachability properties of programs that manipulate linked-list data structures. Such properties are essential for proving program termination, correctness of data structure invariants, and other safety properties. Our solution is complete, i.e., a SAT solver produces a counterexample whenever a program does not satisfy its specification. This result is surprising since even first-order theorem provers usually cannot deal with reachability in a complete way, because doing so requires reasoning about transitive closure.

Our result is based on the following ideas: (1) Programmers must write assertions in a restricted logic without quantifier alternation or function symbols. (2) The correctness of many programs can be expressed in such restricted logics, although we explain the tradeoffs. (3) Recent results in descriptive complexity can be utilized to show that every program that manipulates potentially cyclic, singly- and doubly-linked lists and that is annotated with assertions written in this restricted logic, can be verified with a SAT solver.

We implemented a tool atop Z3 and used it to show the correctness of several linked list programs.


Theorem Prover Transitive Closure Atomic Formula Relation Symbol Descriptive Complexity 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    SMTLIB: Satisfiability modulo theories library, http://smtlib.cs.uiowa.edu/docs.html
  2. 2.
  3. 3.
    Bouajjani, A., Drăgoi, C., Enea, C., Sighireanu, M.: Accurate invariant checking for programs manipulating lists and arrays with infinite data. In: Chakraborty, S., Mukund, M. (eds.) ATVA 2012. LNCS, vol. 7561, pp. 167–182. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  4. 4.
    de Moura, L., Bjørner, N.S.: Z3: An efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  5. 5.
    Demetrescu, C., Italiano, G.F.: Decremental all-pairs shortest paths. In: Encyclopedia of Algorithms (2008)Google Scholar
  6. 6.
    Dong, G., Su, J.: Incremental maintenance of recursive views using relational calculus/sql. SIGMOD Record 29, 44–51 (2000)CrossRefGoogle Scholar
  7. 7.
    Flanagan, C., Saxe, J.B.: Avoiding exponential explosion: generating compact verification conditions. In: POPL (2001)Google Scholar
  8. 8.
    Frade, M., Pinto, J.: Verification conditions for source-level imperative programs. Computer Science Review 5(3), 252–277 (2011)CrossRefGoogle Scholar
  9. 9.
    Henriksen, J., Jensen, J., Jørgensen, M., Klarlund, N., Paige, B., Rauhe, T., Sandholm, A.: Mona: Monadic second-order logic in practice. In: Brinksma, E., Steffen, B., Cleaveland, W.R., Larsen, K.G., Margaria, T. (eds.) TACAS 1995. LNCS, vol. 1019, pp. 89–110. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  10. 10.
    Hesse, W.: Dynamic computational complexity. PhD thesis, Dept. of Computer Science, University of Massachusetts, Amherst, MA (2003)Google Scholar
  11. 11.
    Immerman, N., Rabinovich, A., Reps, T., Sagiv, M., Yorsh, G.: The boundary between decidability and undecidability for transitive-closure logics. In: Marcinkowski, J., Tarlecki, A. (eds.) CSL 2004. LNCS, vol. 3210, pp. 160–174. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  12. 12.
    Kautz, H., Selman, B.: Knowledge compilation and theory approximation. J. ACM 43(2), 193–224 (1996)MathSciNetCrossRefMATHGoogle Scholar
  13. 13.
    Lahiri, S.K., Qadeer, S.: Back to the future: revisiting precise program verification using smt solvers. In: POPL (2008)Google Scholar
  14. 14.
    Lev-Ami, T., Immerman, N., Reps, T.W., Sagiv, M., Srivastava, S., Yorsh, G.: Simulating reachability using first-order logic with applications to verification of linked data structures. Logical Methods in Computer Science 5(2) (2009)Google Scholar
  15. 15.
    Madhusudan, P., Parlato, G., Qiu, X.: Decidable logics combining heap structures and data. In: POPL (2011)Google Scholar
  16. 16.
    McCarthy, J.: Towards a mathematical science of computation. In: IFIP Congress, pp. 21–28 (1962)Google Scholar
  17. 17.
    Møller, A., Schwartzbach, M.I.: The pointer assertion logic engine. In: PLDI (2001)Google Scholar
  18. 18.
    Nelson, G.: Verifying reachability invariants of linked structures. In: POPL (1983)Google Scholar
  19. 19.
    Piskac, R., de Moura, L.M., Bjørner, N.: Deciding effectively propositional logic using dpll and substitution sets. J. Autom. Reasoning 44(4), 401–424 (2010)CrossRefMATHGoogle Scholar
  20. 20.
    Reps, T.W., Sagiv, M., Loginov, A.: Finite differencing of logical formulas for static analysis. ACM Trans. Program. Lang. Syst. 32(6) (2010)Google Scholar
  21. 21.
    Rinetzky, N., Bauer, J., Reps, T.W., Sagiv, S., Wilhelm, R.: A semantics for procedure local heaps and its abstractions. In: POPL (2005)Google Scholar
  22. 22.
    Yorsh, G., Rabinovich, A.M., Sagiv, M., Meyer, A., Bouajjani, A.: A logic of reachable patterns in linked data-structures. J. Log. Algebr. Program 73(1-2), 111–142 (2007)MathSciNetCrossRefMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Shachar Itzhaky
    • 1
  • Anindya Banerjee
    • 2
  • Neil Immerman
    • 3
  • Aleksandar Nanevski
    • 2
  • Mooly Sagiv
    • 1
  1. 1.Tel Aviv UniversityTel AvivIsrael
  2. 2.IMDEA Software InstituteMadridSpain
  3. 3.University of MassachusettsAmherstUSA

Personalised recommendations