1 / 27

The Software Model Checker BLAST by Dirk Beyer , Thomas A. Henzinger , Ranjit Jhala and Rupak Majumdar

The Software Model Checker BLAST by Dirk Beyer , Thomas A. Henzinger , Ranjit Jhala and Rupak Majumdar. Presented by Yunho Kim Provable Software Lab, KAIST. The reliable software is hard to build and verify

kelli
Download Presentation

The Software Model Checker BLAST by Dirk Beyer , Thomas A. Henzinger , Ranjit Jhala and Rupak Majumdar

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Software Model Checker BLASTby Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST

  2. The reliable software is hard to build and verify • The scheme of CEGAR was implemented for verifying software by SLAM and applied successfully to find bugs in device drivers • BLAST is an improved automatic verification tool for checking safety properties of C programs • Lazy predicate abstraction • Interpolation-based predicate discovery Overview The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  3. Introduction Lazy abstraction Predicate discovery Conclusion Contents The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  4. Software model checking is an algorithmic technique to verify implemented code against a specification Introduction Implemented code Logical Specification Model Checker Satisfied Not satisfied Counterexample Okay The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  5. Even very simple code has many states Introduction 1 BubbleSort(int data[], int N){ 2 int i, j, tmp; 3 for (i=0; i<N-1; i++){ 4 for (j=i+1; j<N; j++){ 5 if (data[i] > data[j]){ 6 tmp = data[i]; 7 data[i] = data[j]; 8 data[j] = tmp; 9 } 10 } 11 } 12 } This has at least 232£ (232)232initial states!! The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  6. The Counter-Example Guided Abstraction Refinement(CEGAR) is a key paradigm for software model checking Introduction Abstract program P’ Program P Abstraction Model checking φ true Spec φ Error trace p Refinement φ false + Feasible? Infeasible path p counterexample The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  7. BLAST improves CEGAR approach • Lazy predicate abstraction • Interpolation-based predicate refinement Introduction Program P Constructing Abstraction Reachable Tree ART Model checking φ true Spec φ Error trace p Interpolation-based refinement φ false + Feasible? Infeasible path p counterexample The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  8. Introduction Lazy abstraction Predicate discovery Conclusion Contents The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  9. Simple example program using a lock • Lock should be followed by unlock Lock() LOCK = 1 LOCK = 0 Unlock() Unlock() Lock() Lazy Abstraction 1 Lock(){ 2 if (LOCK == 0){ 3 LOCK = 1; 4 }else{ 5 ERROR: 6 } 7 } 8 9 Unlock(){ 10 if (LOCK == 1){ 11 LOCK = 0; 12 }else{ 13 ERROR: 14 } 15 } 16 17 Example(){ 18 do{ 19 Lock(); 20 old = new; 21 q = q->next; 22 if (q != NULL){ 23 q->data = new; 24 Unlock(); 25 new++; 26 } 27 }while(new != old); 28 Unlock(); 29 } The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  10. BLAST represents a program by a set of control-flow-automata (CFA) • Each function has a CFA Lazy Abstraction 1 Lock(){ 2 if (LOCK == 0){ 3 LOCK = 1; 4 }else{ 5 ERROR: 6 } 7 } 8 9 Unlock(){ 10 if (LOCK == 1){ 11 LOCK = 0; 12 }else{ 13 ERROR: 14 } 15 } 16 L#2 Pred(!(LOCK==0)); Pred(LOCK==0); L#5 L#3 LOCK=1; skip; L#7 Error location U#10 Pred(!(LOCK==1)); Pred(LOCK==1); U#13 U#11 LOCK=0 ; skip; U#15 The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  11. A CFA for Example() function Lazy Abstraction E#19 Lock(); E#20 old = new; q=q->next; 17 Example(){ 18 do{ 19 Lock(); 20 old = new; 21 q = q->next; 22 if (q != NULL){ 23 q->data = new; 24 Unlock(); 25 new++; 26 } 27 }while(new != old); 28 Unlock(); 29 } E#22 Pred(q!=NULL) Pred((new!=old)); E#23 Pred(!(q!=NULL)) q->data=new; E#24 Unlock(); E#25 new++; E#27 Pred(!(new!=old)); E#28 Unlock(); E#29 The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  12. A CFA is a directed graph, with nodes corresponding to control points of the program, and edges corresponding to program operations • An edge between two nodes is labeled by the instruction which is either • A basic block of assignments • An assume predicate • A function call • A return instruction Lazy Abstraction The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  13. To prove the error location is never reached, BLAST constructs an abstract reachability tree (ART) • An ART is a labeled tree that represents a portion of the reachable state space of the program • Each node n is denoted by n : (q, Á) • q is the CFA location • Á is the reachable region • Each edge is labeled with an instruction Lazy Abstraction The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  14. The ART construction proceeds by unrolling the CFAs and keeping track of the reachable region at each CFA location • Initially BLAST starts with no predicates and the given entry location • How to compute the successor of the reachable region? • Using weakest precondition Lazy Abstraction The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  15. The successor of the reachable region R is generated using weakest precondition • For each predicate p, check if either p or :p is true after op • When is p true after op? • If WP(p, op) is true before OP • We know R is true before OP • Query: R )WP(p, op) Lazy Abstraction The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  16. Example • What is the successor of R w.r.t. predicate p and op? • WP(x>0, x := 1-x) = x < 1 • x < 0 )x < 1 is valid • x < 1 is successor Lazy Abstraction R: x < 0 E#27 p: x > 0 x := 1 - x E#28 ? The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  17. For a tree node n : (q, Á), BLAST constructs successor nodes of n in the tree for all edges between q!q’ • Function call is inlined Lazy Abstraction TRUE E#19 L#2 Lock(); Pred(!(LOCK==0)); Pred(LOCK==0); L#2 TRUE Pred(!(LOCK==0)); Pred(LOCK==0); L#5 L#3 skip; LOCK=1; TRUE L#5 L#3 TRUE L#7 E#19 The error location is encountered Lock(); E#20 old = new; q=q->next; E#22 Pred((q!=NULL)) Pred(!(q!=NULL)) The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  18. To analyze the abstract error path, BLAST creates path formula(PF) • Path formula is a set of constraints which is satisfiableiff the path is feasible • The PF is built by transforming the path into SSA form, and then generating constraints for each operation along the path Lazy Abstraction The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  19. Feasibility check Lazy Abstraction 1: LOCK=0 2: call Lock() 3: assume(LOCK==1) 1: LOCK0 = 0 2: call Lock() 3: LOCK0 = 1 LOCK0 = 0 Æ TRUE Æ LOCK0 = 1 Trace Path Formula SSA Trace Trace is feasibleiffTF is satisfiable The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  20. Introduction Lazy abstraction Predicate discovery Conclusion Contents The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  21. What predicate is needed? Predicate Discovery 1: LOCK=0 2: call Lock() 3: assume(LOCK==1) LOCK0 = 0 Æ TRUE Æ LOCK0 = 1 prefix prefix suffix suffix Trace Path Formula Relevant Information Predicate … … implied by PF prefix … on common variables … & PF suffix is unsatisfiable 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  22. For a pair of formulas Á- and Á+s.t. Á- ÆÁ+ is unsatisfiable, a Craig interpolantà is a formula such that • The implication Á- )à is valid • The conjunction ÃÆÁ+ is unsatisfiable • à only contains symbols common to both Á- and Á+ • à satisfies the following conditions • à is implied by PF prefix • ÃÆ PF suffix is unsatisfiable • à only contains common variables on prefix and suffix Predicate Discovery The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  23. Adding new predicates for the control location Predicate Discovery LOCK0 = 0 Æ TRUE Æ LOCK0 = 1 Ã: LOCK = 0 New predicate for the location line 2 is added 2: LOCK = 0 This predicate is only applied at the location line 2 Path Formula The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  24. Rebuild ART Predicate Discovery TRUE )WP(LOCK=0, Pred(LOCK=0) ) E#19 TRUE L#2 Lock(); Pred(!(LOCK==0)); Pred(LOCK==0); L#2 TRUE Pred(!(LOCK==0)); Pred(LOCK==0); L#5 L#3 Pred((q!=NULL)) skip; LOCK=1; L#5 L#3 LOCK = 0 L#7 LOCK=1; TRUE E#23 E#19 q->data=new; L#7 TRUE Lock(); return; TRUE E#24 E#20 E#20 TRUE old = new; q=q->next; Unlock(); old = new; q=q->next; TRUE U#10 E#22 E#22 TRUE Pred(!(LOCK==1)); Pred((LOCK==1)); Pred((q!=NULL)) TRUE U#13 U#11 TRUE The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  25. Final ART Predicate Discovery E#19 TRUE Pred((q!=NULL)) Lock(); L#2 TRUE E#23 (LOCK=1) Æ (old = new) q->data=new; Pred(!(LOCK==0)); Pred(LOCK==0); E#24 (LOCK=1) Æ (old = new) L#5 L#3 Unlock(); Pred(!(q!=NULL)) (LOCK=1) Æ (old = new) LOCK=1; U#10 (LOCK=1) Æ (old = new) L#7 LOCK=1 Pred(!(LOCK==1)); (LOCK=1) Æ (old = new) E#27 Pred(LOCK==1); return; (LOCK=1) Æ (old = new) E#20 Pred(!(new!=old)); LOCK=1 U#13 U#11 old = new; q=q->next; E#28 (LOCK=1) Æ (old = new) LOCK=0 ; E#22 (LOCK=1) Æ (old = new) U#15 (LOCK=0) Æ (old = new) return ; E#25 (LOCK=0) Æ (old = new) Pred(new!=old); new++; E#27 (LOCK=0) Æ (old  new) The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  26. BLAST is a software model checker for verifying program written in C language BLAST improves the scheme of CEGAR by implementing lazy abstraction and interpolation-based predicate refinement Conclusion The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

  27. The Software Model Checker Blast: Applications to Software Engineering. by Dirk Beyer, Thomas A. Henzinger, RanjitJhala, and RupakMajumdar in Int. Journal on Software Tools for Technology Transfer, 2007 Reference The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST

More Related