VeriAbs : Verification by Abstraction and Test Generation (Competition Contribution)

VeriAbs is a strategy-selection-based reachability verifier for C code. It analyzes the structure of loops and the intervals of inputs to choose one of the four verification strategies implemented in VeriAbs. In this paper, we present VeriAbs version 1.4 with updates in three strategies. We add an array verification technique called full-program induction, and enhance the existing techniques of loop pruning, k-path interval analysis, and disjunctive loop summarization. These changes have improved the verification of programs with arrays, unstructured loops, and unstructured control flows.


Verification Approach
VeriAbs is a reachability checker for C code that employs a portfolio of techniques and works by selecting a suitable sequence of techniques for each problem instance. Specifically, it performs structural and interval analysis of the input code to determine a sequence of suitable verification techniques, or a strategy [2]. An earlier version of the tool appeared in [9]. Figure 1 shows the architecture with this year's enhancements in dashed lines. When the input program contains unstructured loops, VeriAbs performs fuzz testing in parallel with k-induction. If the program does not contain unstructured loops but does contain loops manipulating arrays, VeriAbs applies array abstraction techniques like loop shrinking, loop pruning, and full-program induction [7] in sequence. If the program contains inputs of very short ranges, VeriAbs applies explicit-state model checking, and loop invariant generation using program behaviour, syntax and counter-examples in parallel [2]. Otherwise, VeriAbs applies k-path interval analysis, loop abstraction, loop summarization, bounded model checking, and k-induction in the order presented in the architecture. If any technique successfully (in)validates the encoded properties, the tool reports the result, generates the witness, and exits. We next explain the enhancements made to VeriAbs this year.

Tool Enhancements
Full-Program Induction. VeriAbs applies full-program induction as presented in [7] to programs manipulating arrays of a symbolic size N given as a parameter. It takes as input It uses weakest pre-condition computation to infer formulas pre(N) over the variables and arrays whose values were computed by P_{N−1} and subsequently read in ∂P_N. The base case is checked for pre(N), and pre(N) is subsequently used to strengthen the pre- and post-conditions in the inductive step. The technique thus inducts over the entire program via the parameter N, instead of inducting over individual loops using specialized predicates as in [6]. Full-program induction does not rely on inductive invariants for each loop in the program.

Fig. 2. Example
k-Path Interval Analysis. VeriAbs implements a k-path interval analysis, which is an extension of the standard non-relational interval domain [2]. It maintains the path-wise data ranges of variables along a configurable number k of paths at each program point, thus matching the precision of relational domains. When the number of paths at a join point exceeds k, a subset of the paths is merged to maintain k paths at the join point. In previous versions, arbitrary subsets of paths were merged. For SV-COMP 2020, the join operation identifies variables of interest (VOIs) with respect to the given property to decide which paths to merge, such that the VOIs retain precise values. Consider the example shown in Figure 2 with a valid property at line 12, to be analyzed with k=2 and the VOI d. It can be seen that three paths, P1, P2 and P3, join at line number 9. The enhanced join operation merges paths P1 and P2 so that the resultant paths are as follows: This information at the join point helps validate the property. Earlier, the join operation could merge the path P3 with P1 or P2, leading to an imprecise interval [0,31] of d at the join point and resulting in a spurious property violation. Our implementation considers the variables used in the encoded property as the VOIs.
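The VOI-aware join described above, as an added illustration (not VeriAbs code and not the program of Figure 2, which is not reproduced here): each path state maps variables to intervals, and when more than k paths meet at a join point, the enhanced join merges the pair of paths whose merger widens the VOI intervals the least, while the earlier, arbitrary join simply merges whichever paths arrive last. The three path states, the value of k, and the property "d never equals 15" are constructed so that the two joins give different verdicts.

```python
"""k-path interval join with variables of interest (VOIs).

Illustrative code, not part of VeriAbs. A path state is a dict mapping a
variable name to a closed interval (lo, hi). The join keeps at most k
path states; the VOI-aware variant chooses which pair to merge so that the
VOI intervals stay as tight as possible.
"""
from itertools import combinations

Interval = tuple[int, int]
Path = dict[str, Interval]

# Constructed example: three paths reach a join point with k = 2 and VOI d.
P1: Path = {"d": (0, 0), "x": (1, 5)}
P2: Path = {"d": (0, 0), "x": (6, 10)}
P3: Path = {"d": (31, 31), "x": (0, 0)}
PATHS = [P1, P2, P3]
K = 2
VOIS = ["d"]


def width(iv: Interval) -> int:
    return iv[1] - iv[0]


def hull(a: Interval, b: Interval) -> Interval:
    """Smallest interval containing both a and b (the interval join)."""
    return (min(a[0], b[0]), max(a[1], b[1]))


def merge(p: Path, q: Path) -> Path:
    """Merge two path states variable-wise by interval hull."""
    return {v: hull(p[v], q[v]) for v in p}


def voi_loss(p: Path, q: Path, vois: list[str]) -> int:
    """Extra width the VOI intervals would gain if p and q were merged."""
    return sum(width(hull(p[v], q[v])) - max(width(p[v]), width(q[v]))
               for v in vois)


def join_arbitrary(paths: list[Path], k: int) -> list[Path]:
    """Earlier behaviour: merge an arbitrary pair (here: the last two)."""
    paths = list(paths)
    while len(paths) > k:
        merged = merge(paths[-2], paths[-1])
        paths = paths[:-2] + [merged]
    return paths


def join_voi(paths: list[Path], k: int, vois: list[str]) -> list[Path]:
    """Enhanced join: merge the pair that least widens the VOI intervals."""
    paths = list(paths)
    while len(paths) > k:
        i, j = min(combinations(range(len(paths)), 2),
                   key=lambda ij: voi_loss(paths[ij[0]], paths[ij[1]], vois))
        merged = merge(paths[i], paths[j])
        paths = [p for n, p in enumerate(paths) if n not in (i, j)] + [merged]
    return paths


def may_violate(paths: list[Path], var: str, bad: int) -> bool:
    """True if some path's interval for var admits the forbidden value."""
    return any(p[var][0] <= bad <= p[var][1] for p in paths)


def demo() -> dict[str, bool]:
    """Check the property d != 15 under both joins at the constructed join point."""
    return {
        "arbitrary_join_reports_violation": may_violate(join_arbitrary(PATHS, K), "d", 15),
        "voi_join_reports_violation": may_violate(join_voi(PATHS, K, VOIS), "d", 15),
    }


if __name__ == "__main__":
    print(demo())
```

With the arbitrary join, P2 and P3 are merged and d becomes [0,31], so the interval admits 15 and the property is flagged as possibly violated. The VOI-aware join merges P1 and P2 instead (their d intervals coincide), keeps d at [0,0] and [31,31] on the two surviving paths, and proves the property.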
Loop Pruning is an array abstraction technique that defines a set of criteria (and a resulting set of program transformation rules) such that, if a loop processing arrays satisfies them, it is sufficient to analyze the first few elements instead of the entire array [14]. In this version, pruning has been extended to programs containing nested loops and multidimensional arrays. By structural analysis, we identify whether the elements of a multidimensional array are processed uniformly in loops. If so, we compute reduced dimensions for the array (for example, a[m][m] may be reduced to a[4][4]). We have also refined the pruning criteria to improve their applicability to multidimensional and dynamically allocated arrays; 56 additional SV-COMP'20 ReachSafety benchmarks are solved by the current implementation of array pruning as compared to the previous version.
Disjunctive Loop Summarization. VeriAbs analyses interleavings of unique paths within a loop to produce its disjunctive summary to find errors and proofs [2]. In the current version, VeriAbs extends this technique in the following situations: (a) while it earlier restricted affine transformations to identity matrices, we now allow diagonal matrices with finite monoid [4]; (b) we use the approach of generating flattenings as shown in [4] for loops which are flattable; (c) we use VeriAbs' general philosophy of deriving over-approximate summaries using the techniques in [12], when precise disjunctive summary is not derivable.

Software Architecture
VeriAbs is primarily developed in Java and Perl. It implements all program analyses (except full-program induction) and program transformers in Prism [13], the TCS Research program analysis framework. It transforms programs processing multidimensional or dynamically allocated arrays in loops into equivalent programs with symbolically sized 1D arrays. This transformed program is consumed by VAJRA v1.0 [7], the tool that implements full-program induction. VAJRA uses the LLVM v6.0.0 [15] compiler infrastructure for program transformations and the Z3 SMT solver v4.8.7 [10] for checking the validity of Hoare triples and for computing weakest pre-conditions. For BMC, VeriAbs uses the C Bounded Model Checker (CBMC) v5.10 [8] with the Glucose Syrup SAT solver v4.0 [3]. For fuzz testing, we enhance American Fuzzy Lop [16] to allow test case mutation within the valid data ranges generated by k-path interval analysis, for better path coverage. VeriAbs uses k-induction with continuously refined invariants as implemented in CPAchecker v1.8 [5] for improved precision over our existing lightweight implementation of k-induction.
In this version, we additionally derive disjunctive invariants for correctness witnesses using abstract acceleration and abstract interpretation, and add them to the control flow automaton generated by CPAchecker. If all implemented techniques fail, we use techniques implemented in Ultimate Automizer v3204b741 [11] to generate correctness witnesses.

Strengths and Weaknesses
The main strengths of VeriAbs are (1) strategy selection that correlates the strengths of verification techniques with input code properties, and (2) a portfolio of sound techniques. Weaknesses: (1) long strategies: the strategies executed by VeriAbs can in the worst case comprise ten techniques and are thus time consuming, so smarter and shorter strategies are needed; (2) nonlinear expressions in loops: loop abstractions in VeriAbs assign non-deterministic values to variables modified in such expressions; (3) multidimensional arrays in loops manipulating non-contiguous locations: these are limitations of loop shrinking and pruning. These weaknesses are not limitations of the state of the art, and appropriate techniques, if integrated into VeriAbs, can be easily invoked by the strategy selector to enable verification of such programs.

Tool Setup and Configuration
The VeriAbs SV-COMP 2020 executable is available for download at https://gitlab.com/sosy-lab/sv-comp/archives-2019/tree/master/2020/veriabs.zip. To install the tool, download the archive, extract its contents, and then follow the installation instructions in VeriAbs/INSTALL.txt. To execute VeriAbs, the user needs to specify the property file of the respective verification category using the --property-file option and the -64 option for programs with a 64-bit architecture. The witness is generated in the current working directory as witness.graphml. A sample command is as follows:

VeriAbs/scripts/veriabs <-64> --property-file ALL.prp example.c

VeriAbs participated in the ReachSafety and the SoftwareSystems-ReachSafety categories of SV-COMP 2020. The BenchExec wrapper script for the tool is veriabs.py and the benchmark description file is veriabs.xml.

Software Project and Contributors
VeriAbs is maintained by some members of the Foundations of Computing group at TCS Research [1]. They can be contacted at veriabs.tool@tcs.com. We are thankful to the developers of American Fuzzy Lop, CBMC, CPAchecker, Glucose Syrup, LLVM, UAutomizer and Z3 for allowing us to use the tools within VeriAbs.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.