A Better Logic and Decision Procedure for Predicate Abstraction of Heap-Manipulating Programs

Heap-manipulating programs (HMP), which manipulate unbounded linked data structures via pointers, are a major frontier for software model checking. In recent work, we proposed a small logic and inference-rule-based decision procedure and demonstrated their potential by verifying, via predicate abstraction, some simple HMPs. In this work, we generalize and improve our previous results to be practically useful: we allow more than a single pointer field, we permit updating the data stored in heap nodes, we add new primitives and inference rules for cyclic structures, and we greatly improve the performance of our implementation. Experimentally, we are able to verify many more HMP examples, including three small container functions from the Linux kernel. On the theoretical front, we prove NP-hardness for a small fragment of our logic, completeness of our inference rules for a large fragment, and soundness for the full logic.