Simulating reachability using first-order logic with applications to verification of linked data structures

This paper shows how to harness existing theorem provers for first-order logic to automatically verify safety properties of imperative programs that perform dynamic storage allocation and destructive updating of pointer-valued structure fields. One of the main obstacles is specifying and proving the (absence) of reachability properties among dynamically allocated cells. The main technical contributions are methods for simulating reachability in a conservative way using first-order formulas–the formulas describe a superset of the set of program states that would be specified if one had a precise way to express reachability. These methods are employed for semi-automatic program verification (i.e., using programmer-supplied loop invariants) on programs such as mark-and-sweep garbage collection and destructive reversal of a singly linked list. (The mark-and-sweep example has been previously reported as being beyond the capabilities of ESC/Java.)

💡 Research Summary

The paper addresses a long‑standing obstacle in the automatic verification of low‑level, pointer‑rich programs: the inability of first‑order logic (FO) to express reachability properties that arise from dynamic memory allocation and destructive updates of pointer fields. Existing theorem provers and SMT solvers excel at reasoning about FO formulas, but they cannot directly capture statements such as “there exists a path from node x to node y”. To bridge this gap, the authors propose a conservative simulation technique that approximates reachability using only FO constructs.

The core idea is to define a superset of the concrete reachable states rather than the exact set. By constructing FO predicates that over‑approximate the transitive closure of pointer relations, any program state that truly satisfies the intended reachability condition will also satisfy the FO formula, while spurious states may be admitted. This guarantees no false negatives (if the verification succeeds, the property holds in the actual program) at the cost of possible false positives, which can be eliminated by strengthening loop invariants.

Implementation proceeds in two steps. First, the heap is modeled as a directed graph: each pointer field becomes a binary predicate, e.g., next(x,y) meaning that object x’s next field points to y. Second, a dedicated “reachability predicate” reach(x,y) is introduced and defined by a finite set of FO axioms that mimic the transitive closure:

• Base axiom: next(x,y) → reach(x,y).
• Inductive axiom (conservative): reach(x,z) ∧ next(z,y) → reach(x,y).

Because FO does not support true recursion, the inductive axiom is instantiated only up to a bounded depth chosen by the user or automatically inferred. The resulting finite formula over‑approximates all possible paths, ensuring that any real path is represented.

Since fully automatic invariant discovery for such programs remains out of reach, the approach relies on programmer‑supplied loop invariants expressed in FO. These invariants capture essential safety conditions (e.g., “all live objects are marked”, “the list head always reaches every node”). The verification condition generator feeds the program’s transition relations, the conservative reachability axioms, and the supplied invariants to an off‑the‑shelf FO theorem prover (Z3, CVC4, etc.). The prover checks that the invariants are preserved across loop bodies and that the safety property follows from them.

The paper validates the methodology on two classic benchmarks that have resisted previous verification attempts:

1. Mark‑and‑Sweep Garbage Collection – The algorithm marks all objects reachable from a set of roots and then sweeps away unmarked objects. Expressing “reachable from a root” is precisely a reachability problem. Using the conservative reach predicate together with an invariant stating “every marked object is reachable from a root”, the authors successfully prove that no reachable object is reclaimed. This example had been reported as beyond the capabilities of ESC/Java, highlighting the power of the new approach.

2. Destructive Reversal of a Singly‑Linked List – The reversal algorithm repeatedly rewires the next pointers, and its correctness hinges on preserving the list’s connectivity without losing nodes. The authors model both the original next relation and the evolving one, supply an invariant that the set of nodes reachable from the new head equals the set reachable from the old head, and verify that the algorithm never creates dangling pointers or loses elements.

In both cases the verification is semi‑automatic: the user provides concise FO invariants, the rest is handled automatically by the theorem prover. The experiments demonstrate that the conservative simulation does not explode the search space; the generated formulas remain tractable for modern SMT solvers.

Key contributions of the paper are:

• A general, FO‑only method for conservatively simulating reachability, applicable to any pointer‑based data structure.
• A clear separation between the over‑approximation (handled automatically) and the precision (provided by user invariants), enabling practical verification without extending the underlying logic.
• Successful application to non‑trivial, dynamically‑allocated programs that were previously out of reach for automated tools.
• An analysis of the trade‑off between precision and automation, showing that modest invariants suffice to eliminate spurious counterexamples introduced by the over‑approximation.

The authors conclude by outlining future work: integrating abstract interpretation to tighten the over‑approximation, developing automatic invariant synthesis (potentially via machine learning), and extending the technique to concurrent settings where reachability across threads becomes even more subtle. Overall, the paper demonstrates that, with a clever conservative encoding, first‑order logic can serve as a practical foundation for verifying safety properties of programs that manipulate linked data structures.