VeriMAP: A Tool for Verifying Programs through Transformations

We present VeriMAP, a tool for the verification of C programs based on the transformation of constraint logic programs, also called constrained Horn clauses. VeriMAP makes use of Constraint Logic Programming (CLP) as a metalanguage for representing: (i) the operational semantics of the C language, (ii) the program, and (iii) the property to be verified. Satisfiability preserving transformations of the CLP representations are then applied for generating verification conditions and checking their satisfiability. VeriMAP has an interface with various solvers for reasoning about constraints that express the properties of the data (in particular, integers and arrays). Experimental results show that VeriMAP is competitive with respect to state-of-the-art tools for program verification. 1 The Transformational Approach to Verification Program verification techniques based on Constraint Logic Programming (CLP), or equivalently constrained Horn clauses (CHC), have gained increasing popularity during the last years [2,4,9,18]. Indeed, CLP has been shown to be a powerful, flexible metalanguage for specifying the program syntax, the operational semantics, and the proof rules for many different programming languages and program properties. Moreover, the use of the CLP-based techniques allows one to enhance the reasoning capabilities provided by Horn clause logic by taking advantage of the many special purpose solvers that are available for various data domains, such as integers, arrays, and other data structures. Several verification tools, such as ARMC [19], Duality [16], ELDARICA [13], HSF [8], TRACER [14], μZ [12], implement reasoning techniques within CLP (or CHC) by following approaches based on interpolants, satisfiability modulo theories, counterexample-guided abstraction refinement, and symbolic execution of CLP programs. Our tool for program verification, called VeriMAP, is based on transformation techniques for CLP programs [5,4]. The current version of the VeriMAP can be ? Supported by the National Group of Computing Science (GNCS-INDAM). used for verifying safety properties of C programs that manipulate integers and arrays. We assume that: (i) a safety property of a program P is defined by a pair 〈φinit , φerror〉 of formulas, and (ii) safety holds iff no execution of P starting from an initial configuration that satisfies φinit , terminates in a final configuration that satisfies φerror . From the CLP representation of the given C program and of the property, VeriMAP generates a set of verification conditions (VC’s) in the form of CLP clauses. The VC generation is performed by a transformation that consists in specializing (with respect to the given C program and property) a CLP program that defines the operational semantics of the C language and the proof rules for verifying safety. Then, the CLP program made out of the generated VC’s is transformed by applying unfold/fold transformation rules [6]. This transformation ‘propagates’ the constraints occurring in the CLP clauses and derives equisatisfiable, easier to analyze VC’s. During constraint propagation VeriMAP makes use of constraint solvers for linear (integer or rational) arithmetic and array formulas. In a subsequent phase the transformed VC’s are processed by a lightweight analyzer that basically consists in a bounded unfolding of the clauses. Since safety is in general undecidable, the analyzer may not be able to detect the satisfiability or the unsatisfiability of the VC’s and, if this is the case, the verification process continues by iterating the transformation and the propagation of the constraints in the VC’s. The main advantage of the transformational approach to program verification over other approaches is that it allows one to construct highly parametric, configurable verification tools. In fact, one could modify VeriMAP so as to deal with other programming languages, different language features, and different properties to be proved. This modification can be done by reconfiguring the individual modules of the tool, and in particular, (i) by replacing the CLP clauses that define the language semantics and proof rules, (ii) by designing a suitable strategy for specializing the language semantics and proof rules so as to automatically generate the VC’s for any given program and property, (iii) by designing suitable strategies for transforming the VC’s by plugging-in different constraint solvers and replacement rules (which are clause rewriting rules) depending on the theories of the data structures that are used, (iv) by replacing the lightweight analyzer currently used in VeriMAP by other, more precise analyzers available for CLP programs. These module reconfigurations may require considerable effort (and this is particularly true for the design of the strategies of Point (iii)), but then, by composing the different module versions we get, we will have at our disposal a rich variety of powerful verification procedures. Another interesting feature of the transformational approach is that at each step of the transformation, we get a set of VC’s which is equisatisfiable with respect to the initial set. This feature allows us both (i) to compose together various verification strategies, each one being expressed by a sequence of transformations, and (ii) to use VeriMAP as a front-end for other verifiers (such as those we have mentioned above) that can take as input VC’s in the form of CLP clauses. Finally, the use of satisfiability preserving transformations eases