Deciding Assertions in Programs with References

Modular analysis of procedures using summaries is a key technique to improve scalability of software model checking. Existing software model checkers do not fully exploit procedural structure for modular analysis. In the SLAM project, modular analysis using procedure summaries is done on a Boolean Program model, which contains only boolean types. We extend Boolean Programs to include reference types, and show that modular analysis using procedure summaries is still possible. As a consequence, we obtain an algorithm for deciding assertions in programs where the lengths of the paths in the heap are bounded, even though the heap size is potentially unbounded. Even in programs with unbounded paths in the heap, the result provides a way to separate reasoning about the finite backbone of the heap from the reasoning about unbounded data structures. We have implemented this algorithm in the ZING model checker, which supports a rich input language with references as well as concurrent threads. Our algorithm improved the performance of the model checker by 30-35% on a concurrent transaction management program with 7000 lines of code, 57 dynamic allocation sites, and several million reachable states and found a subtle concurrency bug. On parameterized examples artificially constructed to demonstrate the benefits of summarization, the algorithm improves performance asymptotically as expected. The implementation is robust —on hundreds of small examples in the SLAM and ZING regression suites, the implementation produces correct results.