SMACK+Corral: A Modular Verifier - (Competition Contribution)

SMACK and Corral are two components of a modular toolchain for verifying C programs. Together they exploit state-of-the-art compiler technologies and theorem provers to simplify and dispatch verification conditions. 1 Verification Approach SMACK [3] is a translator from the LLVM compiler’s intermediate representation (IR) into the Boogie intermediate verification language (IVL) [1]. Sourcing LLVM exploits a number of frontends, optimizations, and analyses. Targeting Boogie exploits a canonical platform which simplifies verifier implementations. Corral [2] is a verifier for the Boogie IVL which views programs as control flow over any SMT-encodable expression language. Corral delegates semantic reasoning to SMT solvers, and in minimizing syntactic program assumptions, it is compatible with any theory supported by the underlying solvers. SMACK+Corral leverages multiple theories to encode various C-language features. We can model memory in array theory, non-linear operations with uninterpreted functions, fixed-width words in bitvector theory, and arbitrary-length words in linear arithmetic. Though we make no attempt to generate inductive invariants, we can use any invariant generator as a pre-pass; if proved sound, the resulting invariants are injected into the program as assumptions which help Corral narrow its search. 2 Software Architecture Figure 1 depicts the SMACK+Corral architecture. We leverage the LLVM1 compiler’s Clang C language family frontend to generate LLVM IR, an assembly-like language in single static assignment (SSA) form targeted by frontends for a diverse spectrum of languages (e.g., Java, JavaScript, Haskell, Erlang, Fortran) which is a convenient representation for code optimization. We then exploit LLVM to perform several code optimizations including control-flow graph simplification, constant propagation, and memory-to-register promotion. Collectively these optimizations can substantially simplify the source C program with fewer control locations and memory operations. ? Partially supported by NSF award CCF 1346756 and a Microsoft Research SEIF award. 1 http://llvm.org and http://clang.llvm.org