CSC2108 Lazy Abstraction on Software Model Checking
Wai Sum Mong
Survey of BLAST
• Berkeley Lazy Abstraction Software Verification Tool
• A software model checker for C programs
• The goal is to check whether the program obeys the “API rules”
• Same goal as SLAM (Microsoft)
• Based on the abstract-check-refine approach
• Lazy Abstraction
  • Integrates and possibly optimizes the abstract-check-refine approach
Problem Statement
• Check whether the lines labeled ERROR are reachable
  • Static analysis, before the program runs
  • assert(0); only fails at runtime
Abstraction
• State <-> region (an abstract state stands for a region, i.e. a set of concrete states)
Lazy Abstraction
• Integrates the three steps (abstract, check, refine)
• Tries to reuse work already done
• Two principles
  • On-the-fly abstraction
  • On-demand refinement
On-the-fly Abstraction
• Some regions are never visited
• Abstract only when needed
On-demand Refinement
• Why check the same region again?
• Add new predicates only when needed
• Reuse the partial answer
Implementation
• Control flow automaton
• Verification
  • Forward search (abstract post)
  • Backward counterexample analysis (concrete pre)
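The abstract-check-refine loop of the slides above, as an added Python example that is not part of the talk or of BLAST: a small control flow automaton for the lock/unlock program from the lazy abstraction paper, a forward search whose abstract post is computed only for regions actually reached, a backward feasibility check with concrete pre, and predicates added only when a counterexample turns out to be spurious. The finite variable domain, the guard-based refinement heuristic and the full restart of the search after refinement are simplifications assumed here (BLAST uses a theorem prover and keeps the unaffected part of the reachability tree).

```python
from itertools import product
# Constructed finite-state model of the lock/unlock program from the lazy abstraction paper.
# Abstract post is enumerated over a small domain (new++ wraps) rather than proved as in BLAST:
#   do { lock(); old = new; if (*) { unlock(); new++; } } while (new != old); unlock();
STATES = [dict(zip(("lock", "old", "new"), v)) for v in product((0, 1), (0, 1, 2), (0, 1, 2))]
INIT = lambda s: s["lock"] == 0  # the program starts unlocked

def api(src, dst, name):  # API rule: lock() only when unlocked, unlock() only when locked
    want = 0 if name == "lock" else 1
    return [(src, dst, lambda s: s["lock"] == want, lambda s: {**s, "lock": 1 - want}),
            (src, "ERROR", lambda s: s["lock"] != want, lambda s: s)]

# Control flow automaton: edges (src, dst, guard, action); ERROR must be unreachable.
EDGES = [*api(0, 1, "lock"), (1, 2, lambda s: True, lambda s: {**s, "old": s["new"]}),
         *api(2, 3, "unlock"), (3, 4, lambda s: True, lambda s: {**s, "new": (s["new"] + 1) % 3}),
         (2, 4, lambda s: True, lambda s: s),                   # if (*) branch not taken
         (4, 0, lambda s: s["new"] != s["old"], lambda s: s),   # loop again
         (4, 5, lambda s: s["new"] == s["old"], lambda s: s),   # loop exit
         *api(5, 6, "unlock")]
BUGGY = [(2, 3, lambda s: True, lambda s: s) if e[:2] == (2, 3) else e for e in EDGES]  # unlock() dropped
def forward_search(edges, preds):  # abstract post on the fly: only reached regions are abstracted
    absof = lambda s: tuple(bool(p(s)) for p in preds)
    parent = {(0, absof(s)): None for s in STATES if INIT(s)}  # region -> (parent region, edge)
    work = list(parent)
    for node in work:  # appending to work during the loop extends the breadth-first search
        if node[0] == "ERROR":  # rebuild the abstract counterexample as a list of edges
            path = []
            while parent[node]: node, e = parent[node]; path.insert(0, e)
            return path
        for e, s in product(edges, STATES):
            if e[0] == node[0] and absof(s) == node[1] and e[2](s):
                nxt = (e[1], absof(e[3](s)))
                if nxt not in parent: parent[nxt] = (node, e); work.append(nxt)

def feasible(path):  # backward counterexample analysis: concrete pre along the abstract trace
    good = set(range(len(STATES)))  # indices of states that can still reach ERROR
    for _, _, guard, act in reversed(path):
        good = {i for i, s in enumerate(STATES) if guard(s) and STATES.index(act(s)) in good}
    return any(INIT(STATES[i]) for i in good)

def check(edges, preds=()):  # abstract-check-refine; predicates are added only on demand
    preds, sig = list(preds), lambda p: tuple(bool(p(s)) for s in STATES)
    while True:
        path = forward_search(edges, preds)
        if path is None or feasible(path):
            return ("safe" if path is None else "error"), len(preds)
        seen = {sig(p) for p in preds} | {tuple(not b for b in sig(p)) for p in preds}
        new = {sig(g): g for _, _, g, _ in path if len(set(sig(g))) > 1 and sig(g) not in seen}
        if not new: return "unknown", len(preds)
        preds += new.values()  # heuristic refinement: distinct guards along the spurious path
```

Starting with no predicates, check(EDGES) proves the program safe after adding the lock predicate and the old/new equality predicate on demand, while check(BUGGY) stops at a concretely feasible double-lock counterexample.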
BLAST
• Only evaluated on device drivers
• Predicates
  • Support integers only so far
• No support for multithreaded programs in the current release
Using BLAST
• Not a good experience
• Experiments
  • Very simple linked-list package
  • Error
• Limitations
  • Pointers
  • Multithreaded programs
  • C source code as input (C library functions?)
Conclusion
• Theoretically, optimizes the checking process
• Similar to SLAM, except for lazy abstraction
• No access to SLAM
  • Cannot evaluate the two against each other so far