Benchmark Verification Tasks

All verification tasks are available for web browsing and for download via the following GIT repository: (for SV-COMP 2018 visit the tag 'svcomp18'): https://gitlab.com/sosy-lab/benchmarking/sv-benchmarks

This edition of the competition on software verification is based on the following categories of verification tasks. The verification tasks were contributed by several research and development groups. After the submission deadline for verification tasks, a group of people (organizer and participants) were working on improving the quality of the verification tasks. That means that after the sets were made public, some programs were removed (not qualified, no property encoded, unknown architecture), and some programs got technically improved (CIL simplifications, compiler warnings, memory model). These changes have improved the overall quality of the final set of programs for the competition, and have not changed the intended verification result; all changes are tracked in the public repository.
Thanks to all participants that contributed programs, sent patches, and commented on the sets.

As announced in the rules and definitions, the verification tasks are not necessarily preprocessed with CIL (which was a restriction for the first SV-COMP). For each category, we specify whether its verification tasks assume a 32-bit or a 64-bit architecture.

For illustration, a structured overview shows the categories. Rankings will be provided for the first- and second-level categories, and Falsification, which is not shown in the figure.

1. ReachSafety

This category consists of the following sub-categories.

ReachSafety-Arrays

Contains verification tasks for which treatment of arrays is necessary in order to determine reachability.

Verification tasks consist of the programs that match

array-examples/*_false-unreach-call*.i
array-examples/*_true-unreach-call*.i

array-industry-pattern/*_false-unreach-call*.i
array-industry-pattern/*_true-unreach-call*.i

reducercommutativity/*_false-unreach-call*.i
reducercommutativity/*_true-unreach-call*.i

array-tiling/*_false-unreach-call*.i
array-tiling/*_true-unreach-call*.i

array-programs/*_false-unreach-call*.i
array-programs/*_true-unreach-call*.i

with the specification

CHECK( init(main()), LTL(G ! call(__VERIFIER_error())) )

and the following parameter:

Architecture: 32 bit

ReachSafety-BitVectors

Contains verification tasks for which treatment of bit-operations is necessary.

Verification tasks consist of the programs that match

bitvector/*_false-unreach-call*.i
bitvector/*_true-unreach-call*.i
bitvector/*_false-unreach-call*.BV.c.cil.c
bitvector/*_true-unreach-call*.c.cil.c
bitvector-regression/*_false-unreach-call*.c
bitvector-regression/*_true-unreach-call*.c
bitvector-loops/*_false-unreach-call*.i
# bitvector-loops/*_true-unreach-call*.i

with the specification

CHECK( init(main()), LTL(G ! call(__VERIFIER_error())) )

and the following parameter:

Architecture: 32 bit

ReachSafety-ControlFlow

Contains programs for which the correctness depends mostly on the control-flow structure and integer variables. There is no particular focus on pointers, data structures, and concurrency.

Verification tasks consist of the programs that match

ntdrivers-simplified/*_false-unreach-call*.cil.c
ntdrivers-simplified/*_true-unreach-call*.cil.c
ssh-simplified/*_false-unreach-call*.cil.c
ssh-simplified/*_true-unreach-call*.cil.c
locks/*_false-unreach-call*.c
locks/*_true-unreach-call*.c

ntdrivers/*_false-unreach-call*.i.cil.c
ntdrivers/*_true-unreach-call*.i.cil.c
ssh/*_false-unreach-call*.i.cil.c
ssh/*_true-unreach-call*.i.cil.c

with the specification

CHECK( init(main()), LTL(G ! call(__VERIFIER_error())) )

and the following parameter:

Architecture: 32 bit

ReachSafety-ECA

Contains programs that represent event-condition-action systems.

Verification tasks consist of the programs that match

eca-rers2012/*_false-unreach-call*.c
eca-rers2012/*_true-unreach-call*.c
psyco/*_false-unreach-call*.c
psyco/*_true-unreach-call*.c

with the specification

CHECK( init(main()), LTL(G ! call(__VERIFIER_error())) )

and the following parameter:

Architecture: 32 bit

ReachSafety-Floats

Contains verification tasks for checking programs with floating-point arithmetics.

Verification tasks consist of the programs that match

floats-cdfpl/*_false-unreach-call*.i
floats-cdfpl/*_true-unreach-call*.i
floats-cbmc-regression/*_true-unreach-call*.i
float-benchs/*_false-unreach-call*.c
float-benchs/*_true-unreach-call*.c
floats-esbmc-regression/*_true-unreach-call*.i
floats-esbmc-regression/*_false-unreach-call*.i

with the specification

CHECK( init(main()), LTL(G ! call(__VERIFIER_error())) )

and the following parameter:

Architecture: 32 bit

ReachSafety-Heap

Contains verification tasks that require the analysis of data structures on the heap, pointer aliases, and function pointers.

Verification tasks consist of the programs that match

heap-manipulation/*_false-unreach-call*.i
heap-manipulation/*_true-unreach-call*.i
list-properties/*_false-unreach-call*.i
list-properties/*_true-unreach-call*.i

ldv-regression/*_false-unreach-call*.i
ldv-regression/*_true-unreach-call*.i
ldv-regression/test[0-9][0-9]_false-unreach-call*.c
ldv-regression/test[0-9][0-9]_true-unreach-call*.c
ddv-machzwd/*_false-unreach-call*.i
ddv-machzwd/*_true-unreach-call*.i

forester-heap/*_false-unreach-call*.i
forester-heap/*_true-unreach-call*.i

list-ext-properties/*_false-unreach-call*.i
list-ext2-properties/*-unreach-call*.i

ldv-sets/*_false-unreach-call*.i
ldv-sets/*_true-unreach-call*.i

with the specification

CHECK( init(main()), LTL(G ! call(__VERIFIER_error())) )

and the following parameter:

Architecture: 32 bit

ReachSafety-Loops

Contains verification tasks for which loop analysis is necessary.

Verification tasks consist of the programs that match

loops/*_false-unreach-call*.i
loops/*_true-unreach-call*.i
loop-acceleration/*_false-unreach-call*.i
loop-acceleration/*_true-unreach-call*.i
loop-crafted/*_false-unreach-call*.i
loop-crafted/*_true-unreach-call*.i

loop-invgen/*_false-unreach-call*.i
loop-invgen/*_true-unreach-call*.i
loop-lit/*_true-unreach-call*.i
loop-lit/*_false-unreach-call*.i
loop-new/*_true-unreach-call*.i
loop-industry-pattern/*_true-unreach-call*.c

loops/heavy_true-unreach-call.c
loops/compact_false-unreach-call.c
loops/heavy_false-unreach-call.c

with the specification

CHECK( init(main()), LTL(G ! call(__VERIFIER_error())) )

and the following parameter:

Architecture: 32 bit

ReachSafety-ProductLines

Contains programs that represents 'products' and 'product simulators' that are derived using different configurations of product lines.

Verification tasks consist of the programs that match

product-lines/elevator*_false-unreach-call*.c
product-lines/elevator*_true-unreach-call*.c
product-lines/email*_false-unreach-call*.c
product-lines/email*_true-unreach-call*.c
product-lines/minepump*_false-unreach-call*.c
product-lines/minepump*_true-unreach-call*.c

with the specification

CHECK( init(main()), LTL(G ! call(__VERIFIER_error())) )

and the following parameter:

Architecture: 32 bit

ReachSafety-Recursive

Contains verification tasks for which recursive analysis is necessary.

Verification tasks consist of the programs that match

recursive/*_false-unreach-call*.c
recursive/*_true-unreach-call*.c
recursive-simple/*_false-unreach-call*.c
recursive-simple/*_true-unreach-call*.c

with the specification

CHECK( init(main()), LTL(G ! call(__VERIFIER_error())) )

and the following parameter:

Architecture: 32 bit

ReachSafety-Sequentialized

Contains sequentialized concurrent programs that were derived from SystemC programs. The programs were transformed to pure C programs by incorporating the scheduler into the C code.

Verification tasks consist of the programs that match

systemc/*_false-unreach-call*.cil.c
systemc/*_true-unreach-call*.cil.c
seq-mthreaded/*_false-unreach-call.*.c
seq-mthreaded/*_true-unreach-call.*.c
seq-pthread/*_false-unreach-call*.i
seq-pthread/*_true-unreach-call*.i

with the specification

CHECK( init(main()), LTL(G ! call(__VERIFIER_error())) )

and the following parameter:

Architecture: 32 bit

2. MemSafety

This category consists of the following sub-categories.

MemSafety-Arrays

Contains verification tasks for checking memory safety of array-based programs.

Verification tasks consist of the programs that match

array-memsafety/*_false-valid-deref*.i
# array-memsafety/*_false-valid-free*.i
# array-memsafety/*_false-valid-memtrack*.i
array-memsafety/*_true-valid-memsafety*.i

array-examples/*_false-valid-deref*.i
#array-examples/*_true-valid-memsafety*.i

with the specification

CHECK( init(main()), LTL(G valid-free) )
CHECK( init(main()), LTL(G valid-deref) )
CHECK( init(main()), LTL(G valid-memtrack) )

and the following parameter:

Architecture: 32 bit

MemSafety-Heap

Contains verification tasks for checking memory safety of programs.

Verification tasks consist of the programs that match

memsafety/*_false-valid-deref*.i
memsafety/*_false-valid-free*.i
memsafety/*_false-valid-memtrack*.i
memsafety/*_true-valid-memsafety*.i
memsafety-ext/*_true-valid-memsafety*.i
memsafety-ext2/*_false-valid-deref*.i
memsafety-ext2/*_false-valid-memtrack*.i
memsafety-ext2/*_true-valid-memsafety*.i
list-ext-properties/*_false-valid-deref*.i
list-ext-properties/*_false-valid-free*.i
list-ext-properties/*_false-valid-memtrack*.i
list-ext-properties/*_true-valid-memsafety*.i
# memory-alloca/*_false-valid-deref*.i
# memory-alloca/*_false-valid-free*.i
# memory-alloca/*_false-valid-memtrack*.i
memory-alloca/*_true-valid-memsafety*.i
ldv-memsafety/*_false-valid-deref*.c
ldv-memsafety/*_true-valid-memsafety*.c
ldv-memsafety/*_false-valid-deref*.i
ldv-memsafety/*_false-valid-free*.i
ldv-memsafety/*_false-valid-memtrack*.i
ldv-memsafety/*_true-valid-memsafety*.i
ldv-memsafety-bitfields/*_true-valid-memsafety*.i
ldv-memsafety-bitfields/*_false-valid-deref*.i
ldv-memsafety-bitfields/*_false-valid-free*.i

with the specification

CHECK( init(main()), LTL(G valid-free) )
CHECK( init(main()), LTL(G valid-deref) )
CHECK( init(main()), LTL(G valid-memtrack) )

and the following parameter:

Architecture: 32 bit

MemSafety-LinkedLists

Contains verification tasks for checking memory safety of programs.

Verification tasks consist of the programs that match

heap-manipulation/*_true-valid-memsafety*.i
heap-manipulation/*_false-valid-deref*.i
heap-manipulation/*_false-valid-memtrack*.i
forester-heap/*_false-valid-memtrack*.i
list-properties/*_true-valid-memsafety*.i
list-properties/*_false-valid-memtrack*.i
ddv-machzwd/*_true-valid-memsafety*.i
ddv-machzwd/*_false-valid-memtrack*.i
forester-heap/*_true-valid-memsafety*.i
forester-heap/*_false-valid-deref*.i

with the specification

CHECK( init(main()), LTL(G valid-free) )
CHECK( init(main()), LTL(G valid-deref) )
CHECK( init(main()), LTL(G valid-memtrack) )

and the following parameter:

Architecture: 32 bit

MemSafety-Other

Contains verification tasks for checking memory safety of programs.

Verification tasks consist of the programs that match

loop-acceleration/*_false-valid-deref*.i
ntdrivers/*_false-valid-deref*.i.cil.c
ntdrivers-simplified/*_true-valid-memsafety*.cil.c
locks/*_true-valid-memsafety*.c

with the specification

CHECK( init(main()), LTL(G valid-free) )
CHECK( init(main()), LTL(G valid-deref) )
CHECK( init(main()), LTL(G valid-memtrack) )

and the following parameter:

Architecture: 32 bit

3. ConcurrencySafety

This category consists of the following sub-categories.

ConcurrencySafety-Main

Contains concurrency problems.

Verification tasks consist of the programs that match

pthread/*_false-unreach-call*.i
pthread/*_true-unreach-call*.i
pthread-atomic/*_false-unreach-call*.i
pthread-atomic/*_true-unreach-call*.i
pthread-ext/*_false-unreach-call*.i
pthread-ext/*_true-unreach-call*.i
pthread-wmm/*_false-unreach-call*.i
pthread-wmm/*_true-unreach-call*.i
pthread-lit/*_false-unreach-call*.i
pthread-lit/*_true-unreach-call*.i
ldv-races/*_true-unreach-call*.i
ldv-races/*_false-unreach-call*.i
pthread-complex/*_false-unreach-call*.i
pthread-complex/*_true-unreach-call*.i
pthread-driver-races/*_true-unreach-call*.i
pthread-driver-races/*_false-unreach-call*.i
pthread-C-DAC/*_true-unreach-call*.i
pthread-C-DAC/*_false-unreach-call*.i

with the specification

CHECK( init(main()), LTL(G ! call(__VERIFIER_error())) )

and the following parameter:

Architecture: 32 bit

4. NoOverflows

This category consists of the following sub-categories.

NoOverflows-BitVectors

Contains verification tasks for checking if variables of type signed integers overflow.

Verification tasks consist of the programs that match

signedintegeroverflow-regression/*_false-no-overflow*.c.i
signedintegeroverflow-regression/*_true-no-overflow*.c.i

termination-crafted/*_false-no-overflow*.c
termination-crafted/*_true-no-overflow*.c

termination-crafted-lit/*_false-no-overflow*.c
termination-crafted-lit/*_true-no-overflow*.c

termination-numeric/*_false-no-overflow*.c
termination-numeric/*_true-no-overflow*.c

with the specification

CHECK( init(main()), LTL(G ! overflow) )

and the following parameter:

Architecture: 64 bit

NoOverflows-Other

Contains verification tasks for checking if variables of type signed integers overflow.

Verification tasks consist of the programs that match

recursive/*_false-no-overflow*.c
recursive/*_true-no-overflow*.c
recursive-simple/*_false-no-overflow*.c
recursive-simple/*_true-no-overflow*.c
bitvector/*_false-no-overflow*.i
bitvector/*_true-no-overflow*.i

with the specification

CHECK( init(main()), LTL(G ! overflow) )

and the following parameter:

Architecture: 32 bit

5. Termination

This category consists of the following sub-categories.

Termination-MainControlFlow

Contains programs for which termination should be decided.

Verification tasks consist of the programs that match

termination-crafted/*_false-termination*.c
termination-crafted/*_true-termination*.c
termination-crafted-lit/*_false-termination*.c
termination-crafted-lit/*_true-termination*.c
termination-numeric/*_true-termination*.c
termination-restricted-15/*_true-termination*.c
termination-restricted-15/*_false-termination*.c

with the specification

CHECK( init(main()), LTL(F end) )

and the following parameter:

Architecture: 64 bit

Termination-MainHeap

Contains programs for which termination should be decided.

Verification tasks consist of the programs that match

termination-libowfat/*_true-termination*.c.i
termination-memory-alloca/*_false-termination*.c.i
termination-memory-alloca/*_true-termination*.c.i
termination-memory-linkedlists/*_false-termination*.c.i
termination-memory-linkedlists/*_true-termination*.c.i
termination-15/*_true-termination*.c.i
termination-15/*_false-termination*.c.i
termination-recursive-malloc/*_true-termination*.c.i

with the specification

CHECK( init(main()), LTL(F end) )

and the following parameter:

Architecture: 64 bit

Termination-Other

Contains programs for which termination should be decided.

Verification tasks consist of the programs that match

# from ReachSafety-Arrays
array-examples/*_true-termination*.i
array-industry-pattern/*_true-termination*.i

# from ReachSafety-BitVectors
bitvector/*_false-termination*.i
bitvector/*_true-termination*.i
bitvector/*_false-termination*.BV.c.cil.c
bitvector/*_true-termination*.c.cil.c
bitvector-regression/*_true-termination*.c
bitvector-loops/*_true-termination*.i

# from ReachSafety-ControlFlow
ntdrivers-simplified/*_true-termination*.cil.c
ssh-simplified/*_false-termination*.cil.c
ssh-simplified/*_true-termination*.cil.c
locks/*_false-termination*.c
ssh-simplified/s3_clnt_3.cil_true-unreach-call_true-termination.c
ntdrivers/*_true-termination*.i.cil.c

# from ReachSafety-ECA
eca-rers2012/*_false-termination*.c
psyco/*_false-termination.c

# from ReachSafety-Floats
floats-cdfpl/*_true-termination*.i
floats-cbmc-regression/*_true-termination*.i

# from ReachSafety-Heap
ldv-regression/*_true-termination*.i
ldv-regression/*_false-termination*.i
ldv-regression/test[0-9][0-9]*_true-termination*.c
list-ext-properties/*_true-termination*.i
list-ext2-properties/*_false-termination*.i
ldv-sets/*_true-termination*.i

# from ReachSafety-Loops
loops/*_false-termination*.i
loops/*_true-termination*.i
loop-acceleration/*_true-termination*.i
loop-acceleration/*_false-termination*.i
loop-invgen/*_false-termination*.i
loop-invgen/*_true-termination*.i
loop-lit/*_true-termination*.i
loop-lit/*_false-termination*.i
loop-new/*_true-termination*.i

# from ReachSafety-ProductLines
product-lines/*_true-termination*.c
product-lines/*_false-termination*.c

# from ReachSafety-Recursive
recursive/*_false-termination*.c
recursive/*_true-termination*.c
recursive-simple/*_true-termination*.c

# from ReachSafety-Sequentialized
systemc/*_false-termination*.cil.c
seq-mthreaded/*_true-termination*.c
seq-pthread/*_true-termination*.i

# from ReachSafety-Arrays
reducercommutativity/*_true-termination*.i

# from MemSafety-Arrays
array-memsafety/*_true-termination*.i

# from MemSafety-Heap
memsafety/*_true-termination*.i
memsafety/*_false-termination*.i
memsafety-ext/*_false-termination*.i
ldv-memsafety/*_true-termination*.c
ldv-memsafety/*_true-termination*.i
ldv-memsafety-bitfields/*_true-termination*.i


# from Concurrency
pthread-atomic/*_true-termination*.i


# from NoOverflows-BitVectors
# is 64bit and needs own category 
# signedintegeroverflow-regression/*true-termination*.c.i

with the specification

CHECK( init(main()), LTL(F end) )

and the following parameter:

Architecture: 32 bit

6. SoftwareSystems

This category consists of several sets of verification tasks. Each of these sets is an own subcategory. While the categories above are collections of rather `academic', or synthetisized, example verification tasks, this category aims to represent verification tasks from real software systems.

Systems_BusyBox_MemSafety

Contains problems from the software system BusyBox.

Verification tasks consist of the programs that match

busybox-1.22.0/*_false-valid-deref*.i
#busybox-1.22.0/*_false-valid-free*.i
busybox-1.22.0/*_false-valid-memtrack*.i
busybox-1.22.0/*_true-valid-memsafety*.i

with the specification

CHECK( init(main()), LTL(G valid-free) )
CHECK( init(main()), LTL(G valid-deref) )
CHECK( init(main()), LTL(G valid-memtrack) )

and the following parameter:

Architecture: 64 bit

Systems_BusyBox_Overflows

Verification tasks consist of the programs that match


with the specification


and the following parameter:

Architecture: 

Systems_DeviceDriversLinux64_ReachSafety

Contains problems that require the analysis of pointer aliases and function pointers.

Verification tasks consist of the programs that match

ldv-linux-3.0/*_false-unreach-call*.i
ldv-linux-3.0/*_true-unreach-call*.i
ldv-linux-3.4-simple/*_false-unreach-call*.c
ldv-linux-3.4-simple/*_true-unreach-call*.c
ldv-linux-3.7.3/*_false-unreach-call*.c
ldv-linux-3.7.3/*_true-unreach-call*.c
ldv-commit-tester/*_false-unreach-call*.c
ldv-commit-tester/*_true-unreach-call*.c
ldv-consumption/*_false-unreach-call*.c
ldv-consumption/*_true-unreach-call*.c
ldv-linux-3.12-rc1/*_false-unreach-call*.c
ldv-linux-3.12-rc1/*_true-unreach-call*.c
ldv-linux-3.16-rc1/*_false-unreach-call*.c
ldv-linux-3.16-rc1/*_true-unreach-call*.c
ldv-validator-v0.6/*_false-unreach-call*.c
ldv-validator-v0.8/*_false-unreach-call*.c
ldv-linux-4.2-rc1/*_false-unreach-call*.c
ldv-linux-4.2-rc1/*_true-unreach-call*.c
ldv-challenges/*_false-unreach-call*.c
ldv-challenges/*_true-unreach-call*.c
ldv-linux-3.14/*_false-unreach-call*.c
ldv-linux-3.14/*_true-unreach-call*.c
ldv-linux-4.0-rc1-mav/*_false-unreach-call*.c
ldv-linux-4.0-rc1-mav/*_true-unreach-call*.c

with the specification

CHECK( init(main()), LTL(G ! call(__VERIFIER_error())) )

and the following parameter:

Architecture: 64 bit

7. Overall

The category Overall contains all verification tasks of all above categories. Each above-mentioned main category is an own subcategory in category Overall. (The weighting schema is explained on the rules page.)

8. Falsification

The category Falsification consists of all verification tasks with safety properties and the results "correct TRUE" and "incorrect TRUE" are not counted. (The weighting schema is the same as for Overall.)