
1 The Software Model Checker BLAST
by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar
Presented by Yunho Kim, Provable Software Lab, KAIST

2 Overview
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 2/26
Reliable software is hard to build and to verify
The CEGAR scheme was implemented for software verification by SLAM and applied successfully to find bugs in device drivers
BLAST is an improved automatic verification tool for checking safety properties of C programs
– Lazy predicate abstraction
– Interpolation-based predicate discovery

3 Contents
Introduction
Lazy abstraction
Predicate discovery
Conclusion

4 Introduction
Software model checking is an algorithmic technique to verify implemented code against a specification
[Figure: the model checker takes the implemented code and a logical specification as input; it answers "Okay" when the specification is satisfied, or "Not satisfied" together with a counterexample]

5 Introduction
Even very simple code has many states

    void BubbleSort(int data[], int N) {
        int i, j, tmp;
        for (i = 0; i < N - 1; i++) {
            for (j = i + 1; j < N; j++) {
                if (data[i] > data[j]) {
                    tmp = data[i];
                    data[i] = data[j];
                    data[j] = tmp;
                }
            }
        }
    }

This has at least 2^32 × (2^32)^(2^32) initial states!!

6 Introduction
Counter-Example Guided Abstraction Refinement (CEGAR) is a key paradigm for software model checking
[Figure: the CEGAR loop. Program P and specification φ go to Abstraction, which produces the abstract program P'; Model checking either reports φ true or yields an error trace p; Feasible? checks p: if feasible, the result is φ false plus a counterexample; if p is an infeasible path, Refinement feeds back into Abstraction]

7 Introduction
BLAST improves the CEGAR approach
– Lazy predicate abstraction
– Interpolation-based predicate refinement
[Figure: the same loop with BLAST's components. Program P and specification φ go to Constructing Abstract Reachability Tree, which produces the ART; Model checking either reports φ true or yields an error trace p; Feasible? checks p: if feasible, the result is φ false plus a counterexample; if p is an infeasible path, Interpolation-based refinement feeds back into ART construction]

8 Contents
Introduction
Lazy abstraction
Predicate discovery
Conclusion

9 Lazy Abstraction
Simple example program using a lock
– Lock should be followed by unlock

    1  Lock(){
    2    if (LOCK == 0){
    3      LOCK = 1;
    4    }else{
    5      ERROR:
    6    }
    7  }
    8
    9  Unlock(){
    10   if (LOCK == 1){
    11     LOCK = 0;
    12   }else{
    13     ERROR:
    14   }
    15 }
    16
    17 Example(){
    18   do{
    19     Lock();
    20     old = new;
    21     q = q->next;
    22     if (q != NULL){
    23       q->data = new;
    24       Unlock();
    25       new++;
    26     }
    27   }while(new != old);
    28   Unlock();
    29 }

[Figure: two-state automaton with states LOCK = 0 and LOCK = 1; Lock() moves from LOCK = 0 to LOCK = 1, Unlock() moves back]

10 Lazy Abstraction
BLAST represents a program by a set of control-flow automata (CFA)
– Each function has a CFA

    1  Lock(){
    2    if (LOCK == 0){
    3      LOCK = 1;
    4    }else{
    5      ERROR:
    6    }
    7  }
    8
    9  Unlock(){
    10   if (LOCK == 1){
    11     LOCK = 0;
    12   }else{
    13     ERROR:
    14   }
    15 }
    16

[Figure: CFA of Lock(): L#2 → L#3 on Pred(LOCK==0); L#3 → L#7 on LOCK=1;; L#2 → L#5 on Pred(!(LOCK==0)), where L#5 is the error location; L#5 → L#7 on skip;. CFA of Unlock(): U#10 → U#11 on Pred(LOCK==1); U#11 → U#15 on LOCK=0;; U#10 → U#13 on Pred(!(LOCK==1)), where U#13 is the error location; U#13 → U#15 on skip;]

11 Lazy Abstraction
A CFA for the Example() function

    17 Example(){
    18   do{
    19     Lock();
    20     old = new;
    21     q = q->next;
    22     if (q != NULL){
    23       q->data = new;
    24       Unlock();
    25       new++;
    26     }
    27   }while(new != old);
    28   Unlock();
    29 }

[Figure: CFA of Example(): E#19 → E#20 on Lock();; E#20 → E#22 on old = new; q=q->next;; E#22 → E#23 on Pred(q!=NULL); E#23 → E#24 on q->data=new;; E#24 → E#25 on Unlock();; E#25 → E#27 on new++;; E#22 → E#27 on Pred(!(q!=NULL)); E#27 → E#19 on Pred(new!=old); E#27 → E#28 on Pred(!(new!=old)); E#28 → E#29 on Unlock();]

12 Lazy Abstraction
A CFA is a directed graph, with nodes corresponding to control points of the program and edges corresponding to program operations
An edge between two nodes is labeled by an instruction, which is one of
– A basic block of assignments
– An assume predicate
– A function call
– A return instruction

13 Lazy Abstraction
To prove that the error location is never reached, BLAST constructs an abstract reachability tree (ART)
An ART is a labeled tree that represents a portion of the reachable state space of the program
Each node n is denoted by n : (q, φ)
– q is the CFA location
– φ is the reachable region
Each edge is labeled with an instruction

14 Lazy Abstraction
The ART construction proceeds by unrolling the CFAs and keeping track of the reachable region at each CFA location
Initially BLAST starts with no predicates and the given entry location
How is the successor of the reachable region computed?
– Using the weakest precondition

15 Lazy Abstraction
The successor of the reachable region R is generated using the weakest precondition
For each predicate p, check whether p or ¬p is true after op
When is p true after op?
– If WP(p, op) is true before op
– We know R is true before op
– Query: R ⇒ WP(p, op)

16 Lazy Abstraction
Example: what is the successor of R w.r.t. predicate p and op?
– WP(x > 0, x := 1 - x) = x < 1
– x < 0 ⇒ x < 1 is valid
– x < 1 is the successor
[Figure: edge E#27 → E#28 labeled x := 1 - x, with region R: x < 0 before the edge, predicate p: x > 0, and the successor region marked "?"]
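The successor query of slides 15 and 16, as an added example that is not part of the original slides: predicates and regions are Python callables and the validity of R ⇒ WP(p, op) is checked by enumerating a small constructed domain instead of calling a theorem prover. It also runs the lock example of slide 9 through the two edge kinds of the Lock() CFA (an assume edge and an assignment edge).

```python
# Added example: weakest-precondition successor computation over a finite domain.
# WP(p, x := e) = p[e/x]  and  WP(p, assume c) = (c -> p), as on slide 15.

def wp(pred, op):
    """op is ("assign", f) with f mapping a state to the post-state, or ("assume", c)."""
    kind, f = op
    if kind == "assign":
        return lambda s: pred(f(s))          # p holds after the assignment
    return lambda s: (not f(s)) or pred(s)   # c -> p

def valid(formula, domain):
    """An implication is valid here iff it holds in every state of the finite domain."""
    return all(formula(s) for s in domain)

def successor_fact(region, pred, op, domain):
    """Which of p / not p BLAST may record after op, given region R before it.
    Returns "p", "not p" or "unknown" (neither query R => WP(., op) is valid)."""
    if valid(lambda s: (not region(s)) or wp(pred, op)(s), domain):
        return "p"
    if valid(lambda s: (not region(s)) or wp(lambda t: not pred(t), op)(s), domain):
        return "not p"
    return "unknown"

# Constructed domain for slide 16: one integer variable x in a small range.
X_DOMAIN = [{"x": v} for v in range(-8, 9)]

def slide16():
    # R: x < 0, p: x > 0, op: x := 1 - x.  WP(x > 0, x := 1 - x) is x < 1, implied by x < 0.
    return successor_fact(lambda s: s["x"] < 0, lambda s: s["x"] > 0,
                          ("assign", lambda s: {"x": 1 - s["x"]}), X_DOMAIN)

# Constructed domain for the lock example: LOCK is 0 or 1.
LOCK_DOMAIN = [{"LOCK": v} for v in (0, 1)]

def lock_assume_edge():
    # Edge L#2 -> L#3 with Pred(LOCK==0), region TRUE, predicate LOCK==0:
    # WP(LOCK==0, assume LOCK==0) is TRUE, so the predicate holds at L#3.
    lock_is_zero = lambda s: s["LOCK"] == 0
    return successor_fact(lambda s: True, lock_is_zero, ("assume", lock_is_zero), LOCK_DOMAIN)

def lock_assign_edge():
    # Edge L#3 -> L#7 with LOCK=1;, region LOCK==0, predicate LOCK==0:
    # WP(LOCK==0, LOCK:=1) is FALSE, so only not(LOCK==0) is derivable at L#7.
    return successor_fact(lambda s: s["LOCK"] == 0, lambda s: s["LOCK"] == 0,
                          ("assign", lambda s: {**s, "LOCK": 1}), LOCK_DOMAIN)
```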

17 Lazy Abstraction
For a tree node n : (q, φ), BLAST constructs successor nodes of n in the tree for all edges q → q'
– Function calls are inlined
[Figure: the ART rooted at E#19 with region TRUE. The edge Lock(); is inlined as L#2; from L#2, Pred(LOCK==0) leads to L#3 and then LOCK=1; to L#7, while Pred(!(LOCK==0)) leads to L#5, so the error location is encountered. After return, E#20 follows with old = new; q=q->next;, then E#22 with the branches Pred(q!=NULL) and Pred(!(q!=NULL))]

18 Lazy Abstraction
To analyze the abstract error path, BLAST creates a path formula (PF)
The path formula is a set of constraints which is satisfiable iff the path is feasible
The PF is built by transforming the path into SSA form and then generating constraints for each operation along the path

19 Lazy Abstraction
Feasibility check

    Trace              SSA Trace           Path Formula
    1: LOCK=0          1: LOCK_0 = 0       LOCK_0 = 0
    2: call Lock()     2: call Lock()      ∧ TRUE
    3: assume(LOCK==1) 3: LOCK_0 = 1       ∧ LOCK_0 = 1

The trace is feasible iff the PF is satisfiable

20 Contents
Introduction
Lazy abstraction
Predicate discovery
Conclusion

21 Predicate Discovery
What predicate is needed?

    Predicate …                               Relevant information
    1. … after executing the trace prefix     … implied by the PF prefix
    2. … has present values of variables      … on common variables
    3. … makes the trace suffix infeasible    … ∧ PF suffix is unsatisfiable

    Trace                          Path Formula
    1: LOCK=0          ┐ prefix    LOCK_0 = 0 ∧ TRUE   ┐ prefix
    2: call Lock()     ┘           
    3: assume(LOCK==1) ┐ suffix    ∧ LOCK_0 = 1        ┐ suffix

22 Predicate Discovery
For a pair of formulas φ⁻ and φ⁺ s.t. φ⁻ ∧ φ⁺ is unsatisfiable, a Craig interpolant ψ is a formula such that
– The implication φ⁻ ⇒ ψ is valid
– The conjunction ψ ∧ φ⁺ is unsatisfiable
– ψ only contains symbols common to both φ⁻ and φ⁺
ψ satisfies the following conditions
– ψ is implied by the PF prefix
– ψ ∧ PF suffix is unsatisfiable
– ψ only contains variables common to prefix and suffix

23 Predicate Discovery
Adding new predicates for the control location

    Path Formula:  LOCK_0 = 0 ∧ TRUE ∧ LOCK_0 = 1
    ψ : LOCK = 0

A new predicate for the location at line 2 is added: 2: LOCK = 0
This predicate is only applied at the location at line 2
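The path-formula feasibility check of slides 18 and 19 and the interpolant of slides 21 to 23, as an added example that is not part of the original slides: the trace is converted to SSA constraints, satisfiability is decided by enumeration over the constructed domain LOCK ∈ {0, 1}, and the Craig interpolant is obtained by projecting the prefix's models onto the variables shared with the suffix (a finite-domain substitute for a real interpolating prover).

```python
# Added example: SSA path formula, feasibility, and a finite-domain Craig interpolant.
from itertools import product

def path_formula(trace):
    """Trace steps: ("assign", var, value), ("assume", var, value) or ("call", name).
    Returns one constraint per step: (ssa_name, value), or None for TRUE (slide 19)."""
    version, constraints = {}, []
    for step in trace:
        if step[0] == "call":
            constraints.append(None)          # the inlined call itself adds no constraint
            continue
        kind, var, val = step
        if kind == "assign":                  # an assignment introduces a fresh LOCK_i
            version[var] = version.get(var, -1) + 1
        constraints.append((f"{var}_{version.get(var, 0)}", val))
    return constraints

def variables(constraints):
    return sorted({c[0] for c in constraints if c is not None})

def models(constraints, domain):
    """All valuations of the formula's SSA variables over `domain` that satisfy it."""
    vs, out = variables(constraints), []
    for vals in product(domain, repeat=len(vs)):
        s = dict(zip(vs, vals))
        if all(c is None or s[c[0]] == c[1] for c in constraints):
            out.append(s)
    return out

def feasible(constraints, domain=(0, 1)):
    """Slide 19: the trace is feasible iff its path formula is satisfiable."""
    return bool(models(constraints, domain))

def interpolant(prefix, suffix, domain=(0, 1)):
    """Slide 22 over a finite domain: psi is the set of valuations of the common
    variables allowed by the prefix. It is implied by the prefix by construction and
    must exclude every model of the suffix (checked here), so psi AND suffix is unsat."""
    common = sorted(set(variables(prefix)) & set(variables(suffix)))
    psi = {tuple(m[v] for v in common) for m in models(prefix, domain)}
    assert all(tuple(m[v] for v in common) not in psi for m in models(suffix, domain))
    return common, psi

# Constructed trace from slide 19:  1: LOCK=0   2: call Lock()   3: assume(LOCK==1)
TRACE = [("assign", "LOCK", 0), ("call", "Lock"), ("assume", "LOCK", 1)]
PF = path_formula(TRACE)             # [("LOCK_0", 0), None, ("LOCK_0", 1)]
PREFIX, SUFFIX = PF[:2], PF[2:]      # the prefix/suffix split of slide 21
```

The interpolant returned for the split above is (["LOCK_0"], {(0,)}), i.e. ψ : LOCK = 0, the predicate slide 23 adds at line 2.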

24 Predicate Discovery
Rebuild the ART
[Figure: the ART is rebuilt from E#19 (region TRUE). Lock(); is inlined as L#2, now labeled LOCK = 0 because TRUE ⇒ WP(LOCK=0, Pred(LOCK=0)); from L#2, Pred(LOCK==0) leads to L#3 and LOCK=1; to L#7, while the Pred(!(LOCK==0)) branch to L#5 is no longer reachable. After return; the tree continues E#20 (old = new; q=q->next;) → E#22, where Pred(q!=NULL) leads to E#23 (q->data=new;) → E#24 and Unlock(); is inlined as U#10 with the branches Pred(LOCK==1) to U#11 and Pred(!(LOCK==1)) to U#13; the remaining nodes are labeled TRUE]

25 Predicate Discovery
Final ART
[Figure: the completed ART. E#19 is labeled TRUE; after the inlined Lock() (L#2 with Pred(LOCK==0), L#3, L#7 via LOCK=1;) the region is LOCK=1; after old = new; q=q->next; the nodes E#22, E#23, E#24 and the inlined Unlock() nodes U#10, U#11 (via Pred(LOCK==1)) carry (LOCK=1) ∧ (old = new), so the Pred(!(LOCK==1)) branch to U#13 is infeasible; after LOCK=0; at U#15 and return; the region at E#25 is (LOCK=0) ∧ (old = new), and after new++; the region at E#27 is (LOCK=0) ∧ (old ≠ new). On the other branch, Pred(!(q!=NULL)) reaches E#27 with (LOCK=1) ∧ (old = new), from which Pred(!(new!=old)) leads to E#28 with (LOCK=1) ∧ (old = new), while Pred(new!=old) is infeasible there]

26 Conclusion
BLAST is a software model checker for verifying programs written in the C language
BLAST improves the CEGAR scheme by implementing lazy abstraction and interpolation-based predicate refinement

27 Reference
Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar. The Software Model Checker Blast: Applications to Software Engineering. International Journal on Software Tools for Technology Transfer, 2007.
