An inference-rule-based decision procedure for verification of heap-manipulating programs with mutable data and cyclic data structures
In Verification, Model Checking, and Abstract Interpretation (VMCAI '06), LNCS 4349, 2007
Cited by 12 (0 self)
Abstract. Research on the automatic verification of heap-manipulating programs (HMPs) — programs that manipulate unbounded linked data structures via pointers — has blossomed recently, with many different approaches all showing leaps in performance and expressiveness. A year ago, we proposed a small logic for specifying predicates about HMPs and demonstrated that an inference-rule-based decision procedure could be performance-competitive, and in many cases superior to other methods known at the time. That work, however, was a proof-of-concept, with a logic fragment too small to verify most real programs. In this work, we generalize our previous results to be practically useful: we allow the data in heap nodes to be mutable, we allow more than a single pointer field, and we add new primitives needed to verify cyclic structures. Each of these extensions necessitates new or changed inference rules, with the concomitant changes to the proofs and decision procedure. Yet, our new decision procedure, with the more general logic, actually runs as fast as our previous results. With these generalizations, we can automatically verify many more HMP examples, including three small container functions from the Linux kernel.
Maintaining doubly-linked list invariants in shape analysis with local reasoning
In Verification, Model Checking, and Abstract Interpretation (VMCAI), 2007
Cited by 5 (0 self)
Abstract. This paper presents a novel shape analysis algorithm with local reasoning that is designed to analyze heap structures with structural invariants, such as doubly-linked lists. The algorithm abstracts and analyzes one single heap cell at a time. In order to maintain the structural invariants, the analysis uses a local heap abstraction that models the sub-heap consisting of one cell and its immediate neighbors. The proposed algorithm can successfully analyze standard doubly-linked list manipulations.
Comparing abstraction refinement algorithms
In Electr. Notes Theor. Comput. Sci., 2003
Cited by 2 (0 self)
We present a generic algorithm that provides a unifying scheme for the comparison of abstraction refinement algorithms. It is centered around the notion of refinement cue which generalizes counterexamples. It is demonstrated how the essential features of several refinement algorithms can be captured as instances. We argue that the generic algorithm does not limit the completeness of instances, and show that the proposed generalization of counterexamples is necessary for completeness — thus addressing a shortcoming of more limited notions of counterexample-guided refinement.
Verifying Concurrent List-Manipulating Programs by LTL Model Checking
2007
Cited by 1 (1 self)
Abstract. We present a novel approach to the verification of concurrent pointer-manipulating programs which operate on singly-linked lists. By abstracting from chains (i.e., non-interrupted sublists) in the heap, we obtain a finite-state representation of all possible executions of a given program. The combination of a simple pointer logic for expressing heap properties and of temporal operators then allows us to employ standard LTL model checking techniques. The usability of this approach is demonstrated by establishing correctness properties of a producer/consumer system and of a concurrent garbage collector.
General-Purpose Assertions for Data Structures
We first present a general purpose assertion language for expressing properties of data structures. Its predicates model the heap as an array and pointers as variables over memory indices. The key point is that these predicates can be user-defined in a general manner using recursive rules. Consequently, these predicates can be defined to an arbitrary level of expressiveness, ranging from low-level properties of the memory allocation policy, to abstract properties of complex data structures such as AVL trees. We then present a proof method for these predicates. First, both the assertion predicates and the program semantics are represented in the framework of Constraint Logic Programming. Then we present proof rules, which include a novel use of coinduction, which allow for the consistent reasoning about both recursion in assertions and loops in programs. We finally argue that this proof methodology is intuitive and expressive, and that the proof method is amenable to a practical implementation.