Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introducing BLAST Software Verification John Gallagher CS4117.

Similar presentations


Presentation on theme: "Introducing BLAST Software Verification John Gallagher CS4117."— Presentation transcript:

1 Introducing BLAST Software Verification John Gallagher CS4117

2 What is BLAST? The Berkeley Lazy Abstraction Software- verification Tool is a model checker that checks the safety properties of C programs. “Automated, precise and scalable” (so, usable).

3 What BLAST Isn’t A magical solution to the halting problem, so BLAST may run forever on some input. And it may not be able to assert that a given execution path will not occur. A C compiler, though it parses and validates preprocessed C.

4 Quick Example InputOutput #include "assert.h" /*Blast's assert.h*/ int foo(int x, int y) { if (x > y) { x = x - y; x = x - y; assert(x > 0); assert(x > 0); } return 0; } addPred: 0: (gui) adding predicate 1<=x@foo- y@foo to the system addPred: 1: (gui) adding predicate 1<=x@foo to the system Adding all preds now... [BAT] Done refiner Non-trivial functions 0 Depth of tree: 7 No error found. The system is safe :-)

5 What Just Happened? First, BLAST builds a Control Flow Automata (basically, a flow graph) from the preprocessed C, which in simplified form looks like: void __blast_assert(){ ERROR: goto ERROR; ERROR: goto ERROR;} void __assert_fail(){__blast_assert();} int foo(int x, int y) { if (x > y) { x = x - y; x = x - y; ((void) ((x > 0) ? 0 : (__assert_fail())))) ((void) ((x > 0) ? 0 : (__assert_fail())))) } return 0; }

6 Is Label ERROR Reachable? The assert safety check has been converted into a reachability problem. BLAST represents the code as a Control Flow Automata, then constructs an Abstract Reachability Tree to try and answer this question without exploding the state space or looping forever.

7 The CFA 1:foo 3:Pred(x<=y)2:Pred(x>y) 5:x=x-y 7:x>0 6:x<=0 8:__assert_fail() 10:__blast_assert() 12:ERROR 9:return 0

8 Properties of the ART A node in the ART has a triple of (Label # CFA, Call Stack, Reachable Region) Reachable Region is a boolean formula representing the set of data states An ART is safe if for every node whose CFA Label is an error location, the Reachable Region expression ^ with the predicate is unsatisfiable.

9 Properties of the ART For us, that means the node whose CFA Label is 6 must have a non satisfiable set of data states when ^ with (x <= 0).

10 The ART (Call Stack Omitted) 1 TRUE 5 x>y ^ x=x-y 7 x>y ^ x>0 6 x>y ^ x=x-y ^x<=0 12 3 x<=y 9 2 x>y Pred (x>y) Pred (x<=y) x=x-y Pred (x<=0)Pred (x>0) return 0 ERROR

11 Safe? If the program is safe, the node labeled 6 (there is one such node in this program) must have an unsatisfiable data state. x>y ^ x=x-y ^ x y can be substituted for x in the subtraction. set x (>y)-y, set x >0. If x>0 is pred p1, x y ^ x=x-y ^ x y can be substituted for x in the subtraction. set x (>y)-y, set x >0. If x>0 is pred p1, x<=0 is !p1. p1 ^ !p1 is always false, so the program is safe.

12 Predicate Discovery Build ART by setting all of the data states to true, and exercising the CFA to find all reachable error states, including the data state. There now exists a path between the root (initial) state and the error state, but predicate discovery is used to determine whether the path is feasible. (Lazy Predicate Abstraction) By examining the program at certain cut points, predicates are added to show the feasibility or infeasibility of a path (using Craig Interpolants, probably the subject of another presentation).

13 An Unsafe Modification InputOutput #include "assert.h" /*Blast's assert.h*/ int foo(int x, int y) { if (x > y) { x = 2 + y - x; x = 2 + y - x; assert(x > 0); assert(x > 0); } return 0; } Error found! The system is unsafe :-( Error trace: Error trace: src="tut1unsafe.i"; line=0 FunctionCall(__BLAST_initialize_tut1unsafe.i()) Pred(x@foo > y@foo) Block(x@foo = 2 + y@foo - x@foo;) Pred(x@foo <= 0) FunctionCall(__assert_fail)) FunctionCall(__blast_assert())

14 The ART (Call Stack Omitted) 1 TRUE 5 x>y ^ x=2+y-x 7 x>y ^ x>0 6 x>y ^ x=2+y-x ^x<=0 12 3 x<=y 9 2 x>y Pred (x>y) Pred (x<=y) x=x-y Pred (x<=0)Pred (x>0) return 0 ERROR

15 Beyond Assert BLAST is designed to be useful for legacy code, so it has a language for writing specifications to determine whether a safety property is violated: The BLAST Query Language. Specifications are kept separate from the code in their own file. Pattern matching is used to associate a specification item with its relevant location in code.

16 BLAST Query Language global int lockStatus = 0; event { pattern { FSMInit(); } action { lockStatus = 0; } } event { pattern { FSMLock(); } guard { lockStatus == 0 } action { lockStatus = 1; } } event { pattern { FSMUnLock(); } guard { lockStatus == 1 } action { lockStatus = 0; } }

17 References http://mtc.epfl.ch/software-tools/blast/ The BLAST query language for software verification The BLAST query language for software verification Dirk Beyer, Adam J. Chlipala, Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar. Proceedings of the 11th International Static Analysis Symposium (SAS 2004), LNCS 3148, pages 2-18, Springer-Verlag, 2004. The BLAST query language for software verification The software model checker BLAST The software model checker BLAST Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Gregoire Sutre. Software verification with Blast. In Tenth International Workshop on Model Checking of Software (SPIN), volume 2648 of Lecture Notes in Computer Science, pages 235--239. Springer-Verlag, 2003. The software model checker BLAST


Download ppt "Introducing BLAST Software Verification John Gallagher CS4117."

Similar presentations


Ads by Google