UltimateAutomizer
1. Introduction
UltimateAutomizer is a software verifier that implements an automata-based approach for the verification of safety and liveness properties. UltimateAutomizer is one toolchain of the Ultimate software analysis framework. More information is available on the project website.
UltimateAutomizer can verify the following program properties:
- the correctness of user-defined assertions,
- error function unreachability,
- valid memory deallocations, pointer dereferences and memory tracking (to find errors such as buffer over-reads and over-writes, null pointer dereferences, use-after-free and memory leaks),
- absence of integer overflows,
- program termination.
2. Approach and Example
UltimateAutomizer verifies a C program by first executing several program transformations and then performing an interpolation-based variant of trace abstraction. The workflow of UltimateAutomizer is shown in the following picture. In the first step, it translates the C program into a Boogie program. Next, the Boogie program is translated into an interprocedural control flow graph. As an optimization, it does not label the edges with single program statements but with loop-free code blocks of the program.
On the right of the following picture, we can see that the program is represented by an automaton that accepts all error traces of the program. An error trace is the labeling of a path in the control flow graph from the initial location to the error location. If all error traces are infeasible with respect to the semantics of the programming language, the program is correct. The CEGAR algorithm is depicted below.
The abstraction of the program P is a nested word automaton that accepts all error traces of the program. We iteratively construct automata A1, A2, ..., An whose union A1∪A2∪...∪An accepts only infeasible traces. The algorithm terminates when the inclusion P ⊆ A1∪A2∪...∪An holds (every error trace is infeasible, so the program is correct) or when a feasible error trace is found (a real violation).
The following example illustrates how UltimateAutomizer uses automata-theoretic reasoning to prove program correctness.
Moreover, note that UltimateAutomizer has its own Boogie dialect, which deviates from the original Boogie specification as follows.
- It extends Boogie with structs (see an example that illustrates the extension).
- It extends Boogie with reals (according to the extension proposed by Rustan).
- Some other deviations can be seen at the Wiki.
Ultimate Automizer uses the following techniques:
- CEGAR
- Predicate Abstraction
- Bit-Precise Analysis
- Lazy Abstraction
- Nested interpolants
- Automata-Based Analysis
- Concurrency Support
- Ranking Functions
3. Project and Architecture
UltimateAutomizer is one toolchain of the Ultimate software analysis framework, which is implemented in Java.
- For parsing C programs, it uses the C parser of the Eclipse CDT project.
- The Ultimate software analysis framework provides its own translators to transform C code into Boogie code, and its own converters to turn Boogie code into a CFG.
- UltimateAutomizer uses several SMT solvers. For the unification of predicates, the simplification of formulas and the Hoare triple checks it uses Z3, because this solver can handle several SMT theories in combination with quantifiers.
- UltimateAutomizer uses CVC4, MathSAT, SMTInterpol and Z3 for the analysis of error traces. Each of these solvers provides interpolants or unsatisfiable cores, both of which Ultimate can use to extract predicates from infeasible traces.
- The termination analysis is performed by the ULTIMATE Büchi Automizer.
- For the interprocedural analysis, it uses nested word automata; the operations on nested word automata are implemented in the Ultimate Automata Library.
- Ultimate also provides support for violation witnesses and correctness witnesses.
4. Installation and Usage
Automizer is developed on top of the open-source program analysis framework Ultimate. Ultimate is mainly developed at the University of Freiburg and has received contributions from more than 50 people. The framework and Automizer are written in Java, licensed under LGPLv3, and their source code is available on GitHub.
UltimateAutomizer is highly automated and requires little manual effort. The user only needs to provide a .prp file that contains the program properties, and to specify whether the program is written for a 32bit or 64bit architecture.
This section describes the usual installation steps for UltimateAutomizer on a Linux system (if you use a Mac, you can try it in a virtual machine). Note that if you do not want to install UltimateAutomizer on your system, you can try the web interface of UltimateAutomizer, in which you can verify C programs.
1. You need a working installation of Python 2.7. Its executable must be present in your PATH variable.
2. You need to install a Java Development Kit (JDK) 1.8. Note that a Java JRE alone is not sufficient. Moreover, Java versions newer than 1.8 currently will not work. You can use the following commands to install JDK 1.8 and JRE 1.8.
sudo apt install openjdk-8-jre-headless
sudo apt install openjdk-8-jdk-headless
3. Download the release version of UltimateAutomizer from here: https://github.com/ultimate-pa/ultimate/releases
4. Extract the package and enter the UAutomizer directory. For example, use the following commands.
unzip ./UltimateAutomizer-linux.zip
cd UAutomizer-linux
5. Add the UAutomizer-linux directory to the PATH environment variable.
export PATH=path_to/UAutomizer-linux/:$PATH
6. The Ultimate tool should be called through the Python wrapper script Ultimate.py. The script should be invoked as follows.
./Ultimate.py --spec <propfile> --file <inputfile> --architecture <architecture>
where
- <propfile> is a property file, usually with the ending *.prp,
- <inputfile> is a C program,
- <architecture> is either '32bit' or '64bit' (without quotes).
Additional information can be found by invoking
./Ultimate.py --help
The output of the Ultimate tool is written to the file "Ultimate.log" in the current working directory and the result is written to stdout.
If the property specified in the property file does not hold, a human-readable counterexample is written to UltimateCounterExample.errorpath. For many properties, Ultimate also writes a violation or correctness witness to the file witness.graphml.
7. Choosing the right parameters (i.e., Property files and Architecture).
You can use property files as defined below. For example, create a new file named PropertyMemSafety.prp and copy the corresponding rules into that file.
- PropertyMemSafety.prp: The result is 'TRUE' iff all pointer dereferences are valid, all deallocations are valid, and all allocated memory is eventually freed.
CHECK( init(main()), LTL(G valid-free) )
CHECK( init(main()), LTL(G valid-deref) )
CHECK( init(main()), LTL(G valid-memtrack) )
- PropertyOverflow.prp: The result is 'TRUE' iff no operation on signed integers results in an overflow. (Operations on unsigned integers are not checked, as their behaviour is always defined by the C standard.)
CHECK( init(main()), LTL(G ! overflow) )
- PropertyTermination.prp: The result is 'TRUE' iff every program execution reaches the end of the program, i.e., iff all program executions are finite.
CHECK( init(main()), LTL(F end) )
For each of these property files (except PropertyTermination.prp), Ultimate also checks whether all ACSL specifications (e.g., "//@ assert x > 0") are valid.
The architecture parameter specifies whether the program is written for an ILP32 (32bit) or an LP64 (64bit) architecture.
8. Now let's run an example. Suppose there is a file named test.c in the folder ~/UAutomizer-linux/test. This example is not memory safe, because a pointer to a variable is only valid as long as the variable is in scope: foo stores the address of its local b, which no longer exists once foo has returned.
//$ vim test.c
#include <stdio.h>

void foo(int **a)
{
    int b = 1;
    *a = &b;            /* publishes the address of a local that dies when foo returns */
}

int main(void)
{
    int *c;
    foo(&c);
    printf("%d\n", *c); /* dereferences the dangling pointer: invalid dereference */
    return 0;
}
Use the following command to verify this code with the property file PropertyMemSafety.prp and the architecture parameter set to 64bit.
../Ultimate.py --spec PropertyMemSafety.prp --architecture 64bit --file test.c
9. Check the result. The wrapper script provides output to stdout that indicates whether the checked property is violated or not. The output can be one of the following:
- TRUE: The property holds.
- FALSE(P): Generally means that the property is violated. P specifies which property is violated.
- UNKNOWN: Ultimate is not able to decide whether the property is satisfied or not.
- ERROR: MSG: Indicates an abnormal termination of Ultimate due to some error. MSG usually describes the error.
For this example, UltimateAutomizer gives the result FALSE(valid-deref).
Add the parameter --full-output if you require more detail.
../Ultimate.py --spec PropertyMemSafety.prp --architecture 64bit --file test.c --full-output
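As an added example that is not part of the original page or the Ultimate project: the test.c above rewritten so that the three MemSafety checks (valid-deref, valid-free, valid-memtrack) and the ACSL assertion hold, together with an overflow-safe signed addition of the kind PropertyOverflow.prp expects. The names foo_fixed, use_stack_storage, use_heap_storage and checked_add are my own.

```c
#include <limits.h>
#include <stdlib.h>

/* Corrected counterpart of the page's foo(): it writes into memory the caller
 * owns instead of publishing the address of its own (soon dead) local. */
static void foo_fixed(int **a, int *storage)
{
    *storage = 1;
    *a = storage;
}

/* Caller-owned stack storage: *c is read while storage is still alive.
 * The ACSL assertion is checked by Ultimate alongside the MemSafety properties. */
int use_stack_storage(void)
{
    int storage, *c;
    foo_fixed(&c, &storage);
    //@ assert *c == 1;
    return *c;
}

/* Heap variant: freeing exactly once keeps valid-free, and freeing before
 * return keeps valid-memtrack (no leak); the pointer is not used afterwards. */
int use_heap_storage(void)
{
    int *p = malloc(sizeof *p);
    if (p == NULL)
        return -1;               /* allocation failure: nothing to free */
    *p = 1;
    int v = *p;
    free(p);
    return v;
}

/* Overflow-safe signed addition for PropertyOverflow.prp (G ! overflow): the
 * test is done on the operands, so x + y is evaluated only when it fits. */
int checked_add(int x, int y, int *out)
{
    if ((y > 0 && x > INT_MAX - y) || (y < 0 && x < INT_MIN - y))
        return 0;                /* would overflow: report instead of wrapping */
    *out = x + y;
    return 1;
}

int main(void)
{
    int s = 0;   /* exit status 0 when all three functions behave as expected */
    return !(use_stack_storage() == 1 && use_heap_storage() == 1 &&
             checked_add(INT_MAX, 1, &s) == 0);
}
```

Running ../Ultimate.py with PropertyMemSafety.prp or PropertyOverflow.prp on this file should report TRUE, in contrast to the FALSE(valid-deref) obtained for the original test.c.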
5. Related Publication and Slides
Ultimate Automizer won the overall ranking at SV-COMP 2017 and 2016. Moreover, Ultimate Automizer was second in the overall ranking at SV-COMP 2020, 2018 and 2015, and third at SV-COMP 2019. Its competition-contribution publications are listed below.
UltimateAutomizer is a software model checker that implements an automata-based approach, as described in the following publication.
[9] Matthias Heizmann, Jochen Hoenicke, Andreas Podelski: Nested Interpolants. POPL 2010, pp. 471-482.
Some related Slides are shown as follows.
- Ultimate Automizer Poster, April 2014, at TACAS 2014 and Dagstuhl Seminar 14171
- Ultimate Automizer with Unsatisfiable Cores, April 2014, at TACAS 2014
- Nested Interpolants, January 2010, at POPL 2010.
- Refinement of Trace Abstraction, August 2009, at SAS 2009, presented by Jochen Hoenicke.