scripts/cpa.sh -heap 3000M -noout -disable-java-assertions -predicateAnalysis-PredAbsRefiner-ABEl -setprop cpa.predicate.handlePointerAliasing=false -64 -timelimit 900s -stats -spec test/programs/benchmarks/ldv-linux-3.0/ALL.prp test/programs/benchmarks/ldv-linux-3.0/usb_urb-drivers-net-usb-catc.ko_false-unreach-call.cil.out.i.pp.i -------------------------------------------------------------------------------- Running CPAchecker with Java heap of size 3000M. Using the following resource limits: CPU-time limit of 900s (ResourceLimitChecker.fromConfiguration, INFO) CPAchecker 1.4-svn (OpenJDK 64-Bit Server VM 1.7.0_65) started (CPAchecker.run, INFO) line 9167: Dead code detected: Goto: while_break (CFACreationUtils.addEdgeToCFA, INFO) Dead code detected: Label while_break is not reachable. (CFAFunctionBuilder.leave, INFO) line 9252: Dead code detected: Goto: while_break (CFACreationUtils.addEdgeToCFA, INFO) Dead code detected: Label while_break is not reachable. (CFAFunctionBuilder.leave, INFO) Inline assembler ignored, analysis is probably unsound! (CFABuilder.createCFA, WARNING) Handling of pointer aliasing is disabled, analysis is unsound if aliased pointers exist. (PredicateCPA:PathFormulaManagerImpl., WARNING) Using predicate analysis with SMTInterpol 2.1-174-ga199d47-comp and JFactory 1.21. (PredicateCPA:PredicateCPA., INFO) Using refinement for predicate analysis with PredicateAbstractionRefinementStrategy strategy. (PredicateCPA:PredicateCPARefiner., INFO) The following configuration options were specified but are not used: cpa.predicate.memoryAllocationsAlwaysSucceed cpa.predicate.maxPreFilledAllocationSize (CPAchecker.printConfigurationWarnings, WARNING) Starting analysis ... (CPAchecker.runAlgorithm, INFO) Program contains array, or pointer (multiple level of indirection), or field (enable handleFieldAccess and handleFieldAliasing) access; analysis is imprecise in case of aliasing. (PredicateCPA:CtoFormulaConverter.makeVariableUnsafe, WARNING) Assuming external function ldv_initialize to be a constant function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function usb_register_driver to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function mod_timer to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function _raw_spin_lock_irqsave to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function usb_submit_urb to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function _raw_spin_unlock_irqrestore to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function dev_get_drvdata to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function dev_set_drvdata to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function unregister_netdev to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function free_netdev to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function usb_set_interface to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function alloc_etherdev_mqs to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function __raw_spin_lock_init to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function init_timer_key to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function ldv_undefined_pointer to be a constant function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function usb_control_msg to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function dev_warn to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function memset to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function crc32_le to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function register_netdev to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function ldv_check_return_value to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function usb_unlink_urb to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function warn_slowpath_null to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function consume_skb to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function del_timer_sync to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function usb_kill_urb to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function strncpy to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function snprintf to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Assuming external function usb_deregister to be a pure function. (PredicateCPA:ExpressionToFormulaVisitor.visit, INFO) Error path found, starting counterexample check with CPACHECKER. (CounterexampleCheckAlgorithm.checkCounterexample, INFO) Using the following resource limits: CPU-time limit of 900s (CounterexampleCheck:ResourceLimitChecker.fromConfiguration, INFO) Dereferencing of a non-pointer in expression *(dev) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@5bb478eb: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(catc) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@427cde4c: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(urb) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@438c12a2: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(dev) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@60cf78bb: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(catc) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@6543173e: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(v) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@19cb0da5: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(intf) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@2fb01f4f: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(intf) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@653452a7: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(urb) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@7be06ffc: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(dev) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@7e9264d1: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(dev) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@6347ac37: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(dev) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@570259af: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(netdev) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@53b4d4f: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(dev) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@3db32a26: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(urb) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@681684ab: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(lock) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@2da58db8: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(dev) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@3d5786a: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(usbdev) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@1faa59d2: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(dev) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@3e8f06b7: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(netdev) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@59e88242: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(urb) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@6ded5b7f: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(dev) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@46947bb9: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(catc) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@6b1705ee: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(intf) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@36e106c9: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(lock) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@33d44625: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Dereferencing of a non-pointer in expression *(dev) (org.eclipse.cdt.internal.core.dom.parser.ProblemType@14c3b886: Type depends on an unresolved name) (CounterexampleCheck:ASTConverter.convert, WARNING) Error path found and confirmed by counterexample check with CPACHECKER. (CounterexampleCheckAlgorithm.checkCounterexample, INFO) Stopping analysis ... (CPAchecker.runAlgorithm, INFO) PredicateCPA statistics ----------------------- Number of abstractions: 4336 (1% of all post computations) Times abstraction was reused: 0 Because of function entry/exit: 0 (0%) Because of loop head: 4336 (100%) Because of join nodes: 0 (0%) Because of threshold: 0 (0%) Times precision was empty: 3 (0%) Times precision was {false}: 0 (0%) Times result was cached: 1529 (35%) Times cartesian abs was used: 0 (0%) Times boolean abs was used: 2804 (65%) Times result was 'false': 1536 (35%) Number of strengthen sat checks: 4235 Times result was 'false': 4180 (99%) Number of coverage checks: 72878 BDD entailment checks: 12010 Number of SMT sat checks: 4235 trivial: 0 cached: 1253 Max ABE block size: 162 Number of predicates discovered: 61 Number of abstraction locations: 6 Max number of predicates per location: 37 Avg number of predicates per location: 21 Total predicates per abstraction: 52989 Max number of predicates per abstraction: 37 Avg number of predicates per abstraction: 18.90 Number of irrelevant predicates: 3528 (7%) Number of preds handled by boolean abs: 49461 (93%) Total number of models for allsat: 41878 Max number of models for allsat: 878 Avg number of models for allsat: 14.94 Number of path formula cache hits: 367748 (79%) Time for post operator: 4.534s Time for path formula creation: 4.136s Actual computation: 3.678s Time for strengthen operator: 7.911s Time for satisfiability checks: 7.655s Time for prec operator: 38.911s Time for abstraction: 38.822s (Max: 1.867s, Count: 4336) Boolean abstraction: 31.133s Solving time: 1.836s (Max: 0.072s) Model enumeration time: 26.792s Time for BDD construction: 1.146s (Max: 0.025s) Time for merge operator: 0.895s Time for coverage check: 0.092s Time for BDD entailment checks: 0.084s Total time for SMT solver (w/o itp): 36.244s Number of BDD nodes: 9557 Size of BDD node table: 10007 Size of BDD node cleanup queue: 32595 (count: 35830, min: 0, max: 4308, avg: 0,91) Time for BDD node cleanup: 0.025s Time for BDD garbage collection: 0.188s (in 748 runs) PrecisionBootstrap statistics ----------------------------- Init. function predicates: 0 Init. global predicates: 0 Init. location predicates: 0 AutomatonAnalysis (SVCOMP) statistics ------------------------------------- Number of states: 1 Total time for successor computation: 0.767s Time for transition matches: 0.297s Time for transition assertions: 0.002s Time for transition actions: 0.011s Automaton transfers with branching: 0 Automaton transfer successors: 665751 (count: 665751, min: 1, max: 1, avg: 1,00) [1 x 665751] CPA algorithm statistics ------------------------ Number of iterations: 400084 Max size of waitlist: 263 Average size of waitlist: 98 Number of computed successors: 434107 Max successors for one state: 2 Number of times merged: 30434 Number of times stopped: 32407 Number of times breaked: 55 Total time for CPA algorithm: 59.631s (Max: 13.430s) Time for choose from waitlist: 0.262s Time for precision adjustment: 39.510s Time for transfer relation: 15.622s Time for merge operator: 1.468s Time for stop operator: 0.529s Time for adding to reached set: 0.795s Predicate-Abstraction Refiner statistics ---------------------------------------- Avg. length of target path (in blocks): 684 (count: 55, min: 2, max: 46, avg: 12,44) Time for refinement: 12.580s Counterexample analysis: 11.209s (Max: 2.154s, Calls: 55) Refinement sat check: 2.174s Interpolant computation: 8.795s Error path post-processing: 0.254s Path-formulas extraction: 0.001s Building the counterexample trace: 11.209s Extracting precise counterexample: 0.254s Predicate creation: 0.020s Precision update: 0.078s ARG update: 0.917s Length of refined path (in blocks): 626 (count: 53, min: 2, max: 46, avg: 11,81) Number of affected states: 488 (count: 53, min: 1, max: 45, avg: 9,21) Length (states) of path with itp 'true': 85 (count: 53, min: 0, max: 5, avg: 1,60) Length (states) of path with itp non-trivial itp: 488 (count: 53, min: 1, max: 45, avg: 9,21) Length (states) of path with itp 'false': 34 (count: 53, min: 0, max: 1, avg: 0,64) Different non-trivial interpolants along paths: 154 (count: 53, min: 0, max: 11, avg: 2,91) Equal non-trivial interpolants along paths: 281 (count: 53, min: 0, max: 40, avg: 5,30) Different precisions along paths: 0 (count: 0, min: 0, max: 0, avg: 0,00) Equal precisions along paths: 0 (count: 0, min: 0, max: 0, avg: 0,00) Number of refs with location-based cutoff: 0 CEGAR algorithm statistics -------------------------- Number of refinements: 55 Number of successful refinements: 54 Number of failed refinements: 0 Max. size of reached set before ref.: 61939 Max. size of reached set after ref.: 33744 Avg. size of reached set before ref.: 15812.11 Avg. size of reached set after ref.: 8666.02 Total time for CEGAR algorithm: 72.341s Time for refinements: 12.709s Average time for refinement: 0.231s Max time for refinement: 2.261s Counterexample-Check Algorithm statistics ----------------------------------------- Number of counterexample checks: 1 Number of infeasible paths: 0 (0%) Time for counterexample checks: 1.662s CPAchecker general statistics ----------------------------- Number of program locations: 1010 Number of functions: 66 Number of loops: 6 Size of reached set: 51658 Number of reached locations: 697 (69%) Avg states per location: 74 Max states per location: 1780 (at node N251) Number of reached functions: 47 (71%) Number of partitions: 51429 Avg size of partitions: 1 Max size of partitions: 10 (with key [N1491 (before lines 8878-9089), Function main called from node N1468, stack depth 1 [1c9a4938], stack [main], Init]) Number of target states: 1 Size of final wait list 102 Time for analysis setup: 3.319s Time for loading CPAs: 0.534s Time for loading parser: 0.551s Time for CFA construction: 2.188s Time for parsing file(s): 1.015s Time for AST to CFA: 0.668s Time for CFA sanity check: 0.000s Time for post-processing: 0.234s Time for var class.: 0.000s Time for Analysis: 74.003s CPU time for analysis: 73.990s Total time for CPAchecker: 77.323s Total CPU time for CPAchecker: 77.310s Time for Garbage Collector: 2.674s (in 29 runs) Garbage Collector(s) used: PS MarkSweep, PS Scavenge Used heap memory: 1154MB ( 1100 MiB) max; 465MB ( 444 MiB) avg; 1207MB ( 1151 MiB) peak Used non-heap memory: 30MB ( 29 MiB) max; 27MB ( 25 MiB) avg; 31MB ( 29 MiB) peak Used in PS Old Gen pool: 183MB ( 175 MiB) max; 71MB ( 68 MiB) avg; 183MB ( 175 MiB) peak Allocated heap memory: 1364MB ( 1301 MiB) max; 1133MB ( 1080 MiB) avg Allocated non-heap memory: 31MB ( 29 MiB) max; 28MB ( 27 MiB) avg Total process virtual memory: 4967MB ( 4737 MiB) max; 4900MB ( 4673 MiB) avg Verification result: FALSE. Property violation (__VERIFIER_error(); called in line 9112) found by chosen configuration. More details about the verification run can be found in the directory "./output".