Algorithmic Details behind the Predator Shape Analyser
Kamil Dudka, Petr Muller, Petr Peringer, Veronika Šoková, Tomáš Vojnar
TL;DR
Predator tackles the verification of pointer-heavy, low-level C code by introducing Symbolic Memory Graphs ($SMG$) and an abstract interpretation framework that can handle unbounded linked data structures, pointer arithmetic, and memory reinterpretation. The core ideas are complemented by a robust join/abstraction mechanism, 0/1 abstract objects, and reinterpretation operators that preserve soundness while enabling scalable analysis. PredatorHP augments the core verifier with multiple specialized hunters to reduce false positives and improve throughput, leveraging parallel exploration. Empirical results on NSRP, lvm2, and SV-COMP benchmarks show Predator achieving strong termination properties and high accuracy, with PredatorHP reducing false alarms and accelerating analysis in many scenarios.
Abstract
This chapter, which is an extended and revised version of the conference paper 'Predator: Byte-Precise Verification of Low-Level List Manipulation', concentrates on a detailed description of the algorithms behind the Predator shape analyser based on abstract interpretation and symbolic memory graphs. Predator is particularly suited for formal analysis and verification of sequential non-recursive C code that uses low-level pointer operations to manipulate various kinds of linked lists of unbounded size as well as various other kinds of pointer structures of bounded size. The tool supports practically relevant forms of pointer arithmetic, block operations, address alignment, or memory reinterpretation. We present the overall architecture of the tool, along with selected implementation details of the tool as well as its extension into so-called Predator Hunting Party, which utilises multiple concurrently-running Predator analysers with various restrictions on their behaviour. Results of experiments with Predator within the SV-COMP competition as well as on our own benchmarks are provided.