120 likes | 323 Views
Lazy Predicate Abstraction in BLAST. John Gallagher CS4117. BLAST from the Past. To quickly rehash my last presentation a few points on Blast. BLAST is a model checker. It can usually verify that software satisfies certain safety properties.
E N D
Lazy Predicate Abstraction in BLAST John Gallagher CS4117
BLAST from the Past To quickly rehash my last presentation a few points on Blast. BLAST is a model checker. It can usually verify that software satisfies certain safety properties. BLAST converts safety specifications into reachabililty problems: can an unsafe state be reached in execution. Analysis conducted using Control Flow Automata, Abstract Reachability Trees, Predicate Formulae
A Safe C Program #include "assert.h" int main() { inti, x, y, ctr; x = ctr; ctr = ctr + 1; y = ctr; if (x == i) { assert (y == i + 1); } }
The Problem Simulating real execution explodes the state space exponentially when trying to determine feasible paths. Abstraction is expensive, because reachability problem requires SAT invocation. Given n abstract predicates, 2n abstract states. Lazily find important predicates!
The Approach #include "assert.h" int main() { inti, x, y, ctr; x = ctr; ctr = ctr + 1; y = ctr; if (x == i) { assert (y == i + 1); } } • How much information needs to be kept about the state? • How many instructions need to be evaluated to ensure safety/show safety violation?
The Approach • Make a cut-point in the code. • Given current values for variables from above point, which ones show that the rest of the path to the error state is infeasible? • A Craig Interpolant may help if (x == i) { assert (y == i + 1); } x = ctr; ctr = ctr + 1; y = ctr;
Craig Interpolants First, we must convert the state of the program into FOPL. x=ctr ^ ctr1=ctr+1 ^ y=ctr1 above the cut. Below the cut, x==i ^ y != i+1 . By conjoining the two formulas (call them A and B) satisfiability can determined. This answers the question, from my state above the cut, can I get to a certain state below? These will be our FOPL formulas A and B. If A ^ B is unsatisfiable, there exists a Craig interpolant C such that A → C and B ^ C is unsatisfiable, which gives at least one answer to the question, why can’t I reach the state below?
Interpolants in Action • The FOPL formula x=ctr ^ ctr1=ctr+1 ^ y=ctr1 ^ x==i ^ y != i+1 is inconsistent. This means that given what we know at the current cut point. • BLAST’s interpolation procedure returns y==x+1. The interpolant generation is complex, but SAT solving through reduction is a good start. Investigate here. if (x == i) { assert (y == i + 1); } x = ctr; ctr = ctr + 1; y = ctr;
So… What? Finding an interpolant in this trivial example did not help much. On big programs, it helps reduce the number of predicates used in the state tremendously. Last presentation’s Abstract Reachability Tree (the graphical representation of the predicate states and transitions) was cramped and that example had four lines of C.
So… What? • By being able to weed out the important predicates to track, BLAST is fairly scalable. Here is some data presented at the SPIN 2005 Conference.
References http://mtc.epfl.ch/software-tools/blast/ Software Verification withBLAST (PPT)Thomas A. Henzinger, RanjitJhala, and RupakMajumdar. Interpolation for data structuresKapur, D., Majumdar, R., and Zarba, C. G. 2006. Interpolation for data structures. In Proceedings of the 14th ACM SIGSOFT international Symposium on Foundations of Software Engineering (Portland, Oregon, USA, November 05 - 11, 2006). Applications of Craig Interpolants in Model CheckingK. L. McMillan, TACAS 2005: 1-12