Ultimate Taipan with Dynamic Block Encoding - (Competition Contribution)

. Ultimate Taipan is a software model checker that uses trace abstraction and abstract interpretation to prove correctness of programs. In contrast to previous versions, Ultimate Taipan now uses dynamic block encoding to obtain the best precision possible when evaluating transition formulas of large block encoded programs.


Verification Approach
Ultimate Taipan (or Taipan for brevity) is a software model checker which combines trace abstraction [9,10] and abstract interpretation [5]. The algorithm of Taipan [8] iteratively refines an abstraction of a input program by analyzing counterexamples (cf. CEGAR [4]).
The initial abstraction of the program is an automaton with the same graph structure as the program's control flow graph, where program locations are states, transitions are labeled with program statements, and error locations are accepting. Thus, the language of the automaton consists of all traces, i.e., sequences of statements, that, if executable, lead to an error. In each iteration, the algorithm chooses a trace from the language of the current automaton and constructs a path program from it. A path program is a projection of the (abstraction of the) program to the trace. The algorithm then uses abstract interpretation to compute fixpoints for the path program. If the fixpoints of the path program are sufficient to prove correctness, i.e., the error location is unreachable, at least the chosen trace and all other traces that are covered by the path program are infeasible. The computed fixpoints constitute a proof of correctness for the path program and can be represented as a set of state assertions. From this set of state assertions, the abstraction is refined by constructing a new automaton whose language only consists of infeasible traces and then subtracting it from the current abstraction using an automatatheoretic difference operation. If abstract interpretation was unable to prove correctness of the path program, the algorithm obtains a proof of infeasibility of the trace using either interpolating SMT solvers or a combination of unsatisfiable cores and strongest post or weakest pre [6]. If the currently analyzed trace is feasible,    the trace represents a program execution that can reach the error. If the current automaton becomes empty after a difference operation, all potential error traces have been proven to be infeasible.

Dynamic Block Encoding.
Large block encoding [1] is a technique to reduce the number of locations in a control flow graph. As Taipan relies on trace abstraction, the number of locations determines the performance of the automata operations, which impact the overall performance significantly. It is therefore beneficial to use a strong block encoding that removes as many locations as possible. Unfortunately, the resulting transitions can lead to a loss of precision during the application of an abstract post operator. Consider the example program and its control flow graph with different block encodings shown in Fig. 1. Each control flow graph consists of a set of program locations LOC , an initial location ( 3 in Fig. 1), a set of error locations ({ 6 } in Fig. 1), and a transition relation → ⊆ LOC × TF × LOC which defines the transitions between the locations and labels each transition with a transition formula from the set of transition formulas TF . Transition formulas encode the semantics of the program as first-order logic formulas over various SMT theories. In Ultimate, a transition formula ψ is a tuple (ϕ, IN , OUT , AUX , pv ) where ϕ is a closed formula over the three disjoined sets of input (IN ), output (OUT ), and auxiliary (AUX ) variables, and pv : IN ∪ OUT → V is an injective function that maps variables occurring in ϕ to program variables. We write output variables as primed variables and input variables as unprimed variables.
Taipan computes a fixpoint for each location of a control flow graph by (repeatedly) applying an abstract post operator post # to these transition formulas. To this end, an abstract domain D = (A, α, γ, , , ∇, post # ) is used, where A is a complete lattice representing all possible abstract states containing the designated abstract states and ⊥, α is an abstraction function, γ is a concretization function, is a join operator, is a meet operator, ∇ is a widening operator, and post # : A × TF → A is an abstract transformer which computes an abstract post state σ from a given abstract pre-state σ and a transition formula ψ. Taipan uses a combination of octagons [11] and sets of divisibility congruences [7] as abstract domain, but for brevity we explain the example using intervals.
In rows 1 to 3 of Table 1, we apply post # of the interval domain in sequence to each of the transition formulas from Fig. 1b. In rows 4a and 4b we apply  }, effectively rendering the constraint useless. The second and third way may succeed, depending on the ordering of conjuncts. In general, the ordering is important, but in our example, it does not matter as long as b = a is not first.
In Taipan, we solve this problem by introducing the notion of expressibility to an abstract domain. We augment each abstract domain with an expressibility predicate ex which decides for each non-logical symbol of a transition formula (i.e., each relation, function application, variable, and constant) whether it can be represented in the domain. For example, the interval domain can represent all relations that contain at most one variable, while octagons can represent all relations of the form ±x ± y ≤ c. We then apply post # on conjuncts of a transition formula in an order induced by ex , thus effectively choosing a new dynamic block encoding. For post # (σ, ϕ), our algorithm computes σ by first converting the formula ϕ to DNF s.t. ϕ = ϕ 0 ∨ ϕ 1 ∨ . . . ∨ ϕ n . For each disjunct we compute post # (σ, ϕ i ) = σ i as follows: 1. Partition the conjuncts in two classes. The first class contains conjuncts for which ex is true, the second for which ex is false. 2. Compute the abstract post for the conjunction of all expressible conjuncts first: ex (ϕ k i ) post # (σ, ϕ k i ) = σ . 3. Compute the abstract post for all non-expressible conjuncts successively using the post state of the k-th application as pre-state of the k + 1-th application, and the post state of the last application as final result σ i for the disjunct ϕ i : The result for post # (σ, ψ) is then n i=0 σ i = σ . where prop.prp is the SV-COMP property file, input.c is the C file that should be analyzed, 32bit or 64bit is the architecture of the input file, and --full-output enables writing all output instead of just the status of the property to stdout. The complete output of Taipan is also written to the file Ultimate.log. Depending on the status of the property, a violation [3] or correctness [2] witness may be written to the file witness.graphml. The benchmarking tool BenchExec 8 supports Taipan through the tool-info module ultimatetaipan.py. Taipan participates in all categories, as specified by its SV-COMP benchmark definition 9 file utaipan.xml.