Petr Peringer

Predator: a practical tool for checking manipulation of dynamic data structures using separation logic

Predator is a new open source tool for verification of sequential C programs with dynamic linked data structures. The tool is based on separation logic with inductive predicates although it uses a graph description of heaps. Predator currently handles various forms of lists, including singly-linked as well as doubly-linked lists that may be circular, hierarchically nested and that may have various additional pointer links. Predator is implemented as a gcc plug-in and it is capable of handling lists in the form they appear in real system code, especially the Linux kernel, including a limited support of pointer arithmetic. Collaboration on further development of Predator is welcome.

Byte-Precise Verification of Low-Level List Manipulation

We propose a new approach to shape analysis of programs with linked lists that use low-level memory operations. Such operations include pointer arithmetic, safe usage of invalid pointers, block operations with memory, reinterpretation of the memory contents, address alignment, etc. Our approach is based on a new representation of sets of heaps, which is to some degree inspired by works on separation logic with higher-order list predicates, but it is graph-based and uses a more fine-grained (byte-precise) memory model in order to support the various low-level memory operations. The approach was implemented in the Predator tool and successfully validated on multiple non-trivial case studies that are beyond the capabilities of other current fully automated shape analysis tools.

An easy to use infrastructure for building static analysis tools

This paper deals with design and implementation of an easy to use infrastructure for building static analyzers. The infrastructure provides an abstraction layer called a Code Listener over existing source code parsers like, for example, GCC or Sparse. It is distributed as a C++ library that can be used to build static analyzers in the form of GCC plug-ins. The interface exposed to analyzers is, however, completely independent of GCC, which allows one to run the same analyzer on top of different code parsers without a need to change anything in the analyzer. We describe the key design principles of the infrastructure and briefly introduce its application programming interface that is available to analyzers. The infrastructure is already used in research prototypes Predator and Forester, implementing advanced shape analyses, intended to operate on real industrial code.

From Low-Level Pointers to High-Level Containers

We propose a method that transforms a C program manipulating containers using low-level pointer statements into an equivalent program where the containers are manipulated via calls of standard high-level container operations like push_back or pop_front. The input of our method is a C program annotated by a special form of shape invariants which can be obtained from current automatic shape analysers after a slight modification. The resulting program where the low-level pointer statements are summarized into high-level container operations is more understandable and among other possible benefits better suitable for program analysis. We have implemented our approach and successfully tested it through a number of experiments with list-based containers, including experiments with simplification of program analysis by separating shape analysis from analysing data-related properties.

Predator: A Shape Analyzer Based on Symbolic Memory Graphs

Predator is a shape analyzer that uses the abstract domain of symbolic memory graphs in order to support various forms of low-level memory manipulation commonly used in optimized C code. This paper briefly describes the verification approach taken by Predator and its strengths and weaknesses revealed during its participation in the Software Verification Competition (SV-COMP’14).

Predator Shape Analysis Tool Suite

The paper presents a tool suite centered around the Predator shape analyzer for low-level C code based on the notion of symbolic memory graphs. Its architecture, optimizations, extensions, inputs, options, and outputs are covered.

Tools for creation of multimodels

The process of creating complex models often requires different modelling methods and tools to be integrated. This paper provides a concise description of an object‐oriented environment for creating composite models. The proposed approach is based on using simulation abstractions as basic model building blocks. The basic environment is built up of a Prolog interpreter, SIMLIB and object‐oriented Petri nets.