UltimateAutomizer程序验证工具总结

UltimateAutomizer是一款采用自动机理论的软件验证工具,能验证C程序的安全性和活性属性,包括用户定义断言的正确性、错误函数不可达性等。它在SV-COMP竞赛中多次获得佳绩,使用了CEGAR、谓词抽象和位精确分析等技术。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

UltimateAutomizer

 

1. Introduction

UltimateAutomizer is a software verifier that implements an automata-based approach for the verification of safety and liveness properties. UltimateAutomizer is one toolchain of the Ultimate software analysis framework. Learn more inrfomation at the website.

 

UltimateAutomizer can verify the following program properties:

  • the correctness of the user-defined assertion,
  • error function unreachability,
  • valid memory deallocations, pointer dereferences and memory tracking (to search such errors as buffer over-reads and over-writes, null pointer dereferences, uses after free and memory leaks),
  • absence of integer overflows,
  • program termination.

 

2. Approach and Example

UltimateAutomizer verifies a C program by first executing several program transformations and then performing an interpolation based variant of trace abstraction. The workflow of UltimateAutomizer is shown in the following picture. In the first step, it translates the C program into a Boogie program. Next, the Boogie program is translated into an interprocedural control flow graph. As an optimization, it does not label the edges with single program statements but with loop-free code blocks of the program.

From the right of the following picture, we can see that the program is represented by an automaton that accepts all error traces of the program. An error trace is a labeling of an initial path in the control flow graph which leads to the error location. If all error traces are infeasible with respect to the semantics of the programming language, the program is correct. The CEGAR algorithm is depicted below.

 

The abstraction of Program P is a nested word automaton that accepts all error traces of the program. We iteratively construct a set of automata A1∪A2∪...∪An which accepts only infeasible traces. The algorithm terminates if the inclusion P ⊆ A1∪A2∪...∪An holds or a feasible error trace was found.

The following example illustrates how UltimateAutomizer uses automata-theoretic to prove program correctness.

 

Moreover, note that UltimateAutomizer has its own boogie dialect, which deviates from the original Boogie specification as follows.

 

Ultimate Automizer uses the following techniques:

 

 

3. Project and Architecture

UltimateAutomizer is one toolchain of the Ultimate software analysis framework, which is implemented in JAVA.

  • For parsing C programs, it use the C parser of the Eclipse CDT project.
  • Ultimate software analysis framework provides has own translators to transform C code to Boogie code, and own converters to convert boogie code to CFG.
  • UltimateAutomizer use several SMT solvers. For the unification of predicates, the simplification of formulas and the Hoare triple checks we use Z3, because this solver can handle several SMT theories in combination with quantifiers.
  • UltimateAutomizer use CVC4, MathSAT, SMTInterpol, and Z3, for the analysis of error traces. These solvers each provide interpolants or unsatisfiable cores, which both can be used by Ultimate to extract predicates from infeasible traces.
  • The termination analysis is performed by the ULTIMATE Büchi Automizer.
  • For the interprocedural analysis, it use nested word automata; The operations on nested word automata are implemented in the Ultimate Automata Library.
  • Ultimate also provides support for violation witnesses and correctness witnesses.

 

 

4. Installation and Usage

Automizer is developed on top of the open-source program analysis framework Ultimate. Ultimate is mainly developed at the University of Freiburg and received contributions from more than 50 people. The framework and Automizer are written in Java, licensed under LGPLv3, and their source code is available on Github.

UltimateAutomizer is highly automated and required little manual effort. The user only needs to provide a .prp file that contains program properties, and specifies whether the program is written for a 32bit or 64bit architecture.

Here I try to provide a regular installation step for UltimateAutomizer on the Linux system (If you use Mac, you can try it on a virtual machine). Note that if you don't want to install UltimateAutomizer on your system, you can try the web interface of UltimateAutomizer, in which you can verify C programs.

 

1. You require a working version of Python2.7. Its executable should be present in your PATH variable.

 

2. You need to install Java development environment 1.8. Note that Java JRE is not sufficient. Moreover, currently Java >= 1.8 will not work. You can use the following command to install JDK 1.8 and JRE 1.8.

sudo apt install openjdk-8-jre-headless 

sudo apt install openjdk-8-jdk-headless

3. Download the releases version of UltimateAutomizer from here: https://github.com/ultimate-pa/ultimate/releases

 

4. Extract the package and enter the directory of UAutomizer. For example, use the following instruction.

unzip ./UltimateAutomizer-linux.zip cd UAutomizer-linux

 

5. Add the UAutomizer-linux directory to the PATH environment variable.

export PATH=path_to/UAutomizer-linux/:$PATH

 

6. This Ultimate tool should be called by the Python wrapper script Ultimate.py. The script supports the input parameters should be invoked as follows.

./Ultimate.py --spec <propfile> --file <inputfile> --architecture <architecture>

where

  • <propfile> is a property file, usually with the ending *.prp,
  • <inputfile> is a C program,
  • <architecture> is either '32bit' or '64bit' (without quotes).

 

Additional information can be found by invoking

./Ultimate.py --help

 

The output of the Ultimate tool is written to the file "Ultimate.log" in the current working directory and the result is written to stdout.

If the property specified in the property file does not hold, a human readable counterexample is written to UltimateCounterExample.errorpath. Ultimate writes for many properties a violation or correctness witness to the file witness.graphml.

 

7. Choosing the right parameters (i.e., Property files and Architecture).

You can use property files as defined by the following. For example, you can creat a new file namely PropertyMemSafety.prp, then copy the following rules into that file.

  • PropertyMemSafety.prp: The result is 'TRUE' iff all pointer dereferences are valid, all deallocations are valid, and all allocated memory is eventually freed.
CHECK( init(main()), LTL(G valid-free) ) 
CHECK( init(main()), LTL(G valid-deref) ) 
CHECK( init(main()), LTL(G valid-memtrack) )
  • PropertyOverflow.prp: The result is 'TRUE' iff no operations on signed integers results in an overflow. (Operations on unsigned integers are not checked as their behaviour is always defined by the C standard.)
CHECK( init(main()), LTL(G ! overflow) )
  • PropertyTermination.prp: The result is 'TRUE' iff every program execution reaches the end of the program, i.e., iff all program executions are finite.
CHECK( init(main()), LTL(F end) )

For each of this property files (except Termination.prp) Ultimate also checks if all ACSL specifications (e.g., "//@ assert x > 0") are valid.

The architecture parameter specifies whether the program is written for an ILP32 (32bit) or an LP64 (64bit) architecture.

 

8. Now, Let's run an example. For example, I have a file namely test.c in the folder ~/UAutomizer-linux/test. This example is not MemorySafety as a pointer to a variable is only valid as long as the variable is in scope.

//$ vim test.c

#include<stdio.h>

void foo(int **a)
{
	int b = 1;
	*a = &b;
}

int main()
{
	int *c;
	foo(&c);
	printf("%d\n",*c);
}

Use the following command to verify these code, I use can use property files namely PropertyMemSafety.prp and the architecture parameter specifies whether the program is written for 64bit architecture.

../Ultimate.py --spec PropertyMemSafety.prp --architecture 64bit --file test.c

 

9. Check the result. The wrapper script provides output to stdout that indicates whether the checked property is violated or not. The output can be one of the following:

  • TRUE: The property holds.
  • FALSE(P): Generally means that the property is violated. P specifies which property is violated.
  • UNKNOWN: Ultimate is not able to decide whether the property is satisfied or not.
  • ERROR: MSG: Indicates an abnormal termination of Ultimate due to some error. MSG usually describes the error.

For this example, UltimateAutomizer give the result FALSE (valid-deref)

 

Add the parameter --full-output if you require more detail.

../Ultimate.py --spec PropertyMemSafety.prp --architecture 64bit --file test.c --full-output

 

 

5. Related Publication and Slides

 

Ultimate Automizer won the overall ranking at the SV-COMP 2017, 2016. Moreover, Ultimate Automizer was second in the overall ranking at the SV-COMP 2020, 2018, 2015, and third in the at the SV-COMP 2019. Its publication of Competition Contribution are shown as follows.

[1] Heizmann M , Chen Y F , Dietsch D , et al. Ultimate Automizer and the Search for Perfect Interpolants[M]// Tools and Algorithms for the Construction and Analysis of Systems. Springer, Cham, 2018.

[2] Heizmann M , Chen Y W , Dietsch D , et al. Ultimate Automizer with an On-Demand Construction of Floyd-Hoare Automata[C]// International Conference on Tools and Algorithms for the Construction and Analysis of Systems. Springer, Berlin, Heidelberg, 2017.

[3] Heizmann M , Dietsch D , Greitschus M , et al. Ultimate Automizer with Two-track Proofs[C]// International Conference on Tools & Algorithms for the Construction & Analysis of Systems. Springer Berlin Heidelberg, 2016.

[4] Heizmann M , Dietsch D , Leike J , et al. Ultimate Automizer with Array Interpolation[C]// International Conference on Tools & Algorithms for the Construction & Analysis of Systems. Springer, Berlin, Heidelberg, 2015.

[5] Heizmann, Matthias et al. “Ultimate Automizer with Unsatisfiable Cores - (Competition Contribution).” TACAS 2014.

[6] Heizmann M , Jürgen Christ, Dietsch D , et al. Ultimate Automizer with SMTInterpol[J]. lecture notes in computer science, 2013, 7795:641-643.

 

UltimateAutomizer is a software model checker that implements an approach based on automata, as shown in the following.

[7] Matthias Heizmann, Jochen Hoenicke, Andreas Podelski: Software Model Checking for People Who Love Automata. CAV 2013:36-52

[8] Matthias Heizmann, Jürgen Christ, Daniel Dietsch, Evren Ermis, Jochen Hoenicke, Markus Lindenmann, Alexander Nutz, Christian Schilling, Andreas Podelski: Ultimate Automizer with SMTInterpol - (Competition Contribution). TACAS 2013:641-643

[9] Matthias Heizmann, Jochen Hoenicke, Andreas Podelski: Nested interpolants. POPL 2010:471-482

[10] Matthias Heizmann, Jochen Hoenicke, Andreas Podelski: Refinement of Trace Abstraction. SAS 2009:69-85

 

Some related Slides are shown as follows.

 

资源下载链接为: https://pan.quark.cn/s/9648a1f24758 Java JDK(Java Development Kit)是Java编程语言的核心组件,为开发和运行Java程序提供了必要的工具和环境。JDK 8是Oracle公司推出的一个重要版本,它引入了许多新特性和改进,极大地提升了开发效率和代码质量,对开发者来说具有极高的实用价值。 本次提供的“jdk-8u251-macosx-x64.dmg”安装包是专为Mac OS X系统设计的64位版本,其中不仅包含了Java运行环境(JRE),还涵盖了丰富的开发工具,方便用户在Mac平台上进行Java程序的开发与运行。 JDK 8的关键更新和特性如下: Lambda表达式:这是JDK 8的一项重大语法创新,允许开发者使用简洁的匿名函数替代复杂的多行回调代码,从而使代码更加简洁、易读且高效。 方法引用与构造器引用:与Lambda表达式配合使用,可以更直观地引用已有的方法或构造器,进一步减少冗余代码,提升代码的可维护性。 Stream API:这是一个用于处理集合的新API,采用声明式处理方式,使集合操作(如过滤、映射和归约等)更加高效且易于理解。 日期和时间API的改进:JDK 8对日期和时间API进行了重构,引入了java.time包,包含LocalDate、LocalTime和LocalDateTime等类,替代了原有的java.util.Date和java.util.Calendar,使日期和时间的处理更加友好和灵活。 Optional类:为解决null对象导致的空指针异常问题,JDK 8引入了Optional类,它是一个容器对象,可以表示一个值存在或不存在,从而有效避免空指针异常。 接口的默认方法和静态方法:接口现在可以定义默认方法(使用default关键字)和静态方法。默认方法允许在不破坏向后
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值