1 Overview
2 Verification Approach
-
\(I(s_n)\) and \(T(s_n, s_{n+1})\) as the formulae over program’s state variable set \(s_i\) constraining the initial states and transition relations of M;
-
\(\phi (s)\) as the formula encoding states satisfying a required safety property;
-
\(\psi (s)\) as the formula encoding states satisfying the completeness threshold, i.e. states corresponding to termination. \(\psi (s)\) will contain unwindings no deeper than the maximum number of loop-iterations occurring in the program.
2.1 Invariant Inference Based on Interval Analysis
main
function while updates the intervals, merging them if necessary. When loops are found, an widening operation is applied, in order to accelerate the generation process [7].3 Strengths and Weaknesses
MemSafety
and ConcurrencySafety
categories and are mainly due to: (1) our non-relational abstract domain, (2) an internal bug in ESBMC (since corrected) which did not track variables going out of scope, and (3) an incomplete modelling of some pthread functions. ESBMC’s performance has improved greatly since SV-COMP’18 (v4.60): the number of errors detected has increased by \(36\%\) and the number of correct-true results increased by \(32\%\). The biggest improvements are reflected in the categories ReachSafety
and FalsificationOverall
.4 Tool Setup and Configuration
esbmc-wrapper.py
script1, one must set the architecture (i.e., 32 or 64-bit), the competition strategy (k-induction, falsification or incremental BMC), the property file path, and the benchmark path, as:
-a
sets the architecture, -p
sets the property file path, and -s
sets the strategy, in this case, kinduction
for k-induction.--no-div-by-zero-check
, which disables the division by zero check (required by SV-COMP); --k-induction
, which enables the k-induction; --floatbv
, which enables floating-point SMT encoding; --unlimited-k-steps
, which removes the upper limit of iteration steps in the k-induction algorithm; --witness-output
, which sets the witness output path; --force-malloc-success
, which sets that all dynamic allocations succeed (also an SV-COMP requirement); and --interval-analysis
, which enables the invariant generation. In addition, ESBMC-kind sets further options depending on the property that needs to be checked: --no-pointer-check
and --no-bounds-check
for reachability verification; --memory-leak-check
for memory verification; and --overflow-check
for overflow verification. The Benchexec tool info module is named esbmc.py
and the benchmark definition file is esbmc-kind.xml
. For SV-COMP’19, ESBMC-kind uses Boolector v2.4.1 [8] and competes in all categories with C programs.5 Software Project
BUILDING
(including the description of all dependencies). ESBMC is a joint project with the Federal University of Amazonas (Brazil), University of Southampton (UK), University of Manchester (UK), and University of Stellenbosch (South Africa).