Introducing BLAST Software Verification John Gallagher CS4117.

Slides:



Advertisements
Similar presentations
50.530: Software Engineering
Advertisements

Semantics Static semantics Dynamic semantics attribute grammars
Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct :021PROMELA Semantics.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.
Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.
Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.
Program Verification by Lazy Abstraction Ranjit Jhala UC San Diego Lecture 1 With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]
Lazy Predicate Abstraction in BLAST John Gallagher CS4117.
Synergy: A New Algorithm for Property Checking
An Evaluation of BLAST John Gallagher CS4117. Overview BLAST incorporates new, fascinating and complex technology. The engine and external components.
Speeding Up Dataflow Analysis Using Flow- Insensitive Pointer Analysis Stephen Adams, Tom Ball, Manuvir Das Sorin Lerner, Mark Seigle Westley Weimer Microsoft.
Counter Example Guided Refinement CEGAR Mooly Sagiv.
CS 267: Automated Verification Lectures 14: Predicate Abstraction, Counter- Example Guided Abstraction Refinement, Abstract Interpretation Instructor:
Race Checking by Context Inference Tom Henzinger Ranjit Jhala Rupak Majumdar UC Berkeley.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.
Temporal-Safety Proofs for Systems Code Thomas A. Henzinger Ranjit Jhala Rupak Majumdar George Necula Westley Weimer Grégoire Sutre UC Berkeley.
Finding the Weakest Characterization of Erroneous Inputs Dzintars Avots and Benjamin Livshits.
Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.
Path Slicing Presentation by Massimiliano Menarini Ranjit Jhala and Rupak Majumdar, “Path Slicing” PLDI 05 (June 2005, Chicago, Illinois)
Lazy Abstraction Tom Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre.
Abstract Verification is traditionally done by determining the truth of a temporal formula (the specification) with respect to a timed transition system.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Lazy Abstraction Lecture 3 : Partial Analysis Ranjit Jhala UC San Diego With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Thread-modular Abstraction Refinement Thomas A. Henzinger, et al. CAV 2003 Seonggun Kim KAIST CS750b.
CSC2108 Lazy Abstraction on Software Model Checking Wai Sum Mong.
Introduction CS 3358 Data Structures. What is Computer Science? Computer Science is the study of algorithms, including their  Formal and mathematical.
Program Analysis with Dynamic Change of Precision Dirk Beyer Tom Henzinger Grégory Théoduloz Presented by: Pashootan Vaezipoor Directed Reading ASE 2008.
CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Sequencing Properties Copyright , Matt Dwyer, John Hatcliff,
Aditya V. Nori, Sriram K. Rajamani Microsoft Research India.
Race Checking by Context Inference Tom Henzinger Ranjit Jhala Rupak Majumdar UC Berkeley.
Lazy Abstraction Jinseong Jeon ARCS, KAIST CS750b, KAIST2/26 References Lazy Abstraction –Thomas A. Henzinger et al., POPL ’02 Software verification.
CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Bogor-Simulation: Executing (Simulating) Concurrent Systems in Bogor Copyright.
Integrating high-level constructs into programming languages Language extensions to make programming more productive Underspecified programs –give assertions,
Convergence of Model Checking & Program Analysis Philippe Giabbanelli CMPT 894 – Spring 2008.
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
Java Basics Hussein Suleman March 2007 UCT Department of Computer Science Computer Science 1015F.
Learning Symbolic Interfaces of Software Components Zvonimir Rakamarić.
Formal Verification of Synchronization Issues of SpecC Description with Automatic Abstraction Thanyapat Sakunkonchak Masahiro Fujita Department of Electronics.
CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Examples: Simple BIR-Lite Examples Copyright 2004, Matt Dwyer, John Hatcliff,
Localization and Register Sharing for Predicate Abstraction Himanshu Jain Franjo Ivančić Aarti Gupta Malay Ganai.
Synergy: A New Algorithm for Property Checking Bhargav S. Gulavani (IIT Bombay)‏ Yamini Kannan (Microsoft Research India)‏ Thomas A. Henzinger (EPFL)‏
CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.
R-Verify: Deep Checking of Embedded Code James Ezick † Donald Nguyen † Richard Lethin † Rick Pancoast* (†) Reservoir Labs (*) Lockheed Martin The Eleventh.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
Counter Example Guided Refinement CEGAR Mooly Sagiv.
CS223: Software Engineering Lecture 26: Software Testing.
The software model checker BLAST Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar Presented by Yunho Kim TexPoint fonts used in EMF. Read.
Having a BLAST with SLAM
Over-Approximating Boolean Programs with Unbounded Thread Creation
Abstractions from Proofs
Program Verification by Lazy Abstraction
Software Verification with BLAST
Predicate Abstraction
BLAST: A Software Verification Tool for C programs
SOFTWARE ENGINEERING INSTITUTE
Presentation transcript:

Introducing BLAST Software Verification John Gallagher CS4117

What is BLAST? The Berkeley Lazy Abstraction Software- verification Tool is a model checker that checks the safety properties of C programs. “Automated, precise and scalable” (so, usable).

What BLAST Isn’t A magical solution to the halting problem, so BLAST may run forever on some input. And it may not be able to assert that a given execution path will not occur. A C compiler, though it parses and validates preprocessed C.

Quick Example InputOutput #include "assert.h" /*Blast's assert.h*/ int foo(int x, int y) { if (x > y) { x = x - y; x = x - y; assert(x > 0); assert(x > 0); } return 0; } addPred: 0: (gui) adding predicate to the system addPred: 1: (gui) adding predicate to the system Adding all preds now... [BAT] Done refiner Non-trivial functions 0 Depth of tree: 7 No error found. The system is safe :-)

What Just Happened? First, BLAST builds a Control Flow Automata (basically, a flow graph) from the preprocessed C, which in simplified form looks like: void __blast_assert(){ ERROR: goto ERROR; ERROR: goto ERROR;} void __assert_fail(){__blast_assert();} int foo(int x, int y) { if (x > y) { x = x - y; x = x - y; ((void) ((x > 0) ? 0 : (__assert_fail())))) ((void) ((x > 0) ? 0 : (__assert_fail())))) } return 0; }

Is Label ERROR Reachable? The assert safety check has been converted into a reachability problem. BLAST represents the code as a Control Flow Automata, then constructs an Abstract Reachability Tree to try and answer this question without exploding the state space or looping forever.

The CFA 1:foo 3:Pred(x<=y)2:Pred(x>y) 5:x=x-y 7:x>0 6:x<=0 8:__assert_fail() 10:__blast_assert() 12:ERROR 9:return 0

Properties of the ART A node in the ART has a triple of (Label # CFA, Call Stack, Reachable Region) Reachable Region is a boolean formula representing the set of data states An ART is safe if for every node whose CFA Label is an error location, the Reachable Region expression ^ with the predicate is unsatisfiable.

Properties of the ART For us, that means the node whose CFA Label is 6 must have a non satisfiable set of data states when ^ with (x <= 0).

The ART (Call Stack Omitted) 1 TRUE 5 x>y ^ x=x-y 7 x>y ^ x>0 6 x>y ^ x=x-y ^x<= x<=y 9 2 x>y Pred (x>y) Pred (x<=y) x=x-y Pred (x<=0)Pred (x>0) return 0 ERROR

Safe? If the program is safe, the node labeled 6 (there is one such node in this program) must have an unsatisfiable data state. x>y ^ x=x-y ^ x y can be substituted for x in the subtraction. set x (>y)-y, set x >0. If x>0 is pred p1, x y ^ x=x-y ^ x y can be substituted for x in the subtraction. set x (>y)-y, set x >0. If x>0 is pred p1, x<=0 is !p1. p1 ^ !p1 is always false, so the program is safe.

Predicate Discovery Build ART by setting all of the data states to true, and exercising the CFA to find all reachable error states, including the data state. There now exists a path between the root (initial) state and the error state, but predicate discovery is used to determine whether the path is feasible. (Lazy Predicate Abstraction) By examining the program at certain cut points, predicates are added to show the feasibility or infeasibility of a path (using Craig Interpolants, probably the subject of another presentation).

An Unsafe Modification InputOutput #include "assert.h" /*Blast's assert.h*/ int foo(int x, int y) { if (x > y) { x = 2 + y - x; x = 2 + y - x; assert(x > 0); assert(x > 0); } return 0; } Error found! The system is unsafe :-( Error trace: Error trace: src="tut1unsafe.i"; line=0 FunctionCall(__BLAST_initialize_tut1unsafe.i()) > = <= 0) FunctionCall(__assert_fail)) FunctionCall(__blast_assert())

The ART (Call Stack Omitted) 1 TRUE 5 x>y ^ x=2+y-x 7 x>y ^ x>0 6 x>y ^ x=2+y-x ^x<= x<=y 9 2 x>y Pred (x>y) Pred (x<=y) x=x-y Pred (x<=0)Pred (x>0) return 0 ERROR

Beyond Assert BLAST is designed to be useful for legacy code, so it has a language for writing specifications to determine whether a safety property is violated: The BLAST Query Language. Specifications are kept separate from the code in their own file. Pattern matching is used to associate a specification item with its relevant location in code.

BLAST Query Language global int lockStatus = 0; event { pattern { FSMInit(); } action { lockStatus = 0; } } event { pattern { FSMLock(); } guard { lockStatus == 0 } action { lockStatus = 1; } } event { pattern { FSMUnLock(); } guard { lockStatus == 1 } action { lockStatus = 0; } }

References The BLAST query language for software verification The BLAST query language for software verification Dirk Beyer, Adam J. Chlipala, Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar. Proceedings of the 11th International Static Analysis Symposium (SAS 2004), LNCS 3148, pages 2-18, Springer-Verlag, The BLAST query language for software verification The software model checker BLAST The software model checker BLAST Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Gregoire Sutre. Software verification with Blast. In Tenth International Workshop on Model Checking of Software (SPIN), volume 2648 of Lecture Notes in Computer Science, pages Springer-Verlag, The software model checker BLAST