the software model checker blast
DESCRIPTION
The software model checker BLAST. Dirk Beyer, Thomas A. H enzinger , Ranjit Jhala , Rupak Majumdar Presented by Yunho Kim. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A. Overview. - PowerPoint PPT PresentationTRANSCRIPT
The software model checker BLAST
Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar
Presented by Yunho Kim
2 / 28
Overview Predicate abstraction is successfully applied to software
model checking Infinite concrete states ! finite abstract states Tools: SLAM(MSR), BLAST(UCB), SATABS(CMU)
Cost for abstraction is still too high O( 2 # preds ) abstract states We need to abstract and refine locally, not globally
Blast proposed Lazy abstraction Craig interpolation-based refinement
Yunho Kim@ pswlab The software model checker BLAST
3 / 28
Contents Part I. Software Model Checking
Program behavior Predicate abstraction Counterexample-guided abstraction refinement
Part II. BLAST Abstraction and model checking Craig interpolation-based refinement
Yunho Kim@ pswlab The software model checker BLAST
4 / 28
Behavior of program Behavior of program can be modeled as a state transition
graph
Yunho Kim@ pswlab The software model checker BLAST
2 3
2 3
4 5 6
4 5 6
2 3 4 5 62 3
StateTransition
1: Example() {2: do { lock(); old = new;3: if (*) {4: unlock(); new++; }5: } while (new != old);6: unlock(); return;}
pc 2old 1new 2lock 0
pc 3old 2new 2lock 1
lock(); old = new;
R
R
R
5
5
E
E
E
State…………
5
5
5
5 / 28
The safety verification Is there a path from an initial to an error state ?
Yunho Kim@ pswlab The software model checker BLAST
2 3
2 3
4 5 6
4 5 6
2 3 4 5 6
R
R
R
5
5
E
E
E
Initial states
Error states…………
5
5
5
6 / 28
Abstract behavior of program Equivalent states satisfy same predicates and have same
control location They are merged into one abstract state
Yunho Kim@ pswlab The software model checker BLAST
2 3
2 3
4 5 6
4 5 6
2 3 4 5 6
R
R
R
5
5
E
E
E………… 2 3State
Transition
pc 2old 1new 2new 0
pc 3old 2new 2new 1
lock(); old = new;
pc 2p1
:p2
pc 3:pp2
Abs. state Abs.
transition
lock(); old = new;
p1 , (lock = 0)p2 , (lock = 1)
LOCK = 0
LOCK = 1
LOCK = 1
LOCK = 0
LOCK = 1
LOCK = 1
LOCK = 0
5
5
5
7 / 28
Over-approximation If there exists a transition between s1 and s2, then also
there exists a transition between abstract state of s1 and s2
Yunho Kim@ pswlab The software model checker BLAST
2 3
2 3
4 5 6
4 5 6
2 3 4 5 6
R
R
R
5
5
E
E
E…………
LOCK = 0LOCK = 1
LOCK = 1LOCK = 0
LOCK = 1LOCK = 1
LOCK = 0
5
5
5
8 / 28
CEGAR CounterExample-Guided Abstraction Refinement
Yunho Kim@ pswlab The software model checker BLAST
Lazy abstrac-tion
Craig interpo-lation-basedRefinement
Feasible?
C program PSpec φ
Infeasible path
ERROR +
counterexample
OK
Error traceNew predicate
9 / 28
Part II. BLAST
Abstraction and model checking
Craig interpolation-based refinement
Yunho Kim@ pswlab The software model checker BLAST
10 / 28
A locking example
Yunho Kim@ pswlab The software model checker BLAST
lock() { if (LOCK == 0) { LOCK = 1; } else { ERROR }}
unlock() { if (LOCK == 1) { LOCK = 0; } else { ERROR }}
lock
lock
unlock
unlock
1: Example() {2: do { lock(); old = new;3: if (*) {4: unlock(); new++; }5: } while (new != old);6: unlock(); return;}
11 / 28
Control Flow Automata for C pro-grams
Yunho Kim@ pswlab The software model checker BLAST
1: Example() {2: do { lock(); old = new;3: if (*) {4: unlock(); new++; }5: } while (new != old);6: unlock(); return;}
2
3
4
5
6
ret
[T][T]
[new!=old]
[new==old]
lock()old=new
unlock()new++
unlock()
Node corresponds to control location Edge corresponds to either a basic block
or an assume predicate
12 / 28
Reachability tree
Yunho Kim@ pswlab The software model checker BLAST
5
6
2
3
4
Unroll Abstraction1. Pick tree-node (=abs. state)2. Add children (=abs. successors)3. On re-visiting abs. state, cut-off
Find infeasible trace- Learn new predicates- Rebuild subtree with new preds.
Initial
13 / 28
Forward search(1/4)
Yunho Kim@ pswlab The software model checker BLAST
2: do { lock(); old = new;3: if (*) {4: unlock(); new++; }5: } while (new != old);6: unlock(); return;
Map P from Loc to set of predicates
Reachability Tree
2 LOCK = 0
Location Predicates
2 LOCK = 0, LOCK = 1
3 LOCK = 0, LOCK = 1
4 LOCK = 0, LOCK = 1
5 LOCK = 0, LOCK = 1
6 LOCK = 0, LOCK = 1
Each tree node corresponds to control location and labeled with reachable region
Edge corresponds to either a basic block or an assume predicate
14 / 28
Forward search(2/4)
Yunho Kim@ pswlab The software model checker BLAST
2: do { lock(); old = new;3: if (*) {4: unlock(); new++; }5: } while (new != old);6: unlock(); return;
Reachability Tree
2
3
lock()old=new
LOCK = 0
LOCK = 1
Map P from Loc to set of predicatesLocation Predicates
2 LOCK = 0, LOCK = 1
3 LOCK = 0, LOCK = 1
4 LOCK = 0, LOCK = 1
5 LOCK = 0, LOCK = 1
6 LOCK = 0, LOCK = 1
Compute successors where op = ‘x:=e’ and
Loc is successors’ program counter
SP(Á, x:=e) = Á [x’/x] Æ (x = e[x’/x])
SP(Á, x:=e) w.r.t. P(Loc) = Ã s.t.
(1) SP(Á, x:=e) ) Ã(2) Ã is a boolean combination of P(Loc)
15 / 28
Forward search(3/4)
Yunho Kim@ pswlab The software model checker BLAST
2: do { lock(); old = new;3: if (*) {4: unlock(); new++; }5: } while (new != old);6: unlock(); return;
2
3
4
lock()old=new
LOCK = 0
LOCK = 1[T]
LOCK = 1
Reachability Tree
Map P from Loc to set of predicatesLocation Predicates
2 LOCK = 0, LOCK = 1
3 LOCK = 0, LOCK = 1
4 LOCK = 0, LOCK = 1
5 LOCK = 0, LOCK = 1
6 LOCK = 0, LOCK = 1
Compute successors where op = ‘[pred]’ and
Loc is successors’ program counter
SP(Á, [pred]) = Á Æ [pred]
SP(Á, [pred]) w.r.t. P(Loc) = Ã s.t.
(1) SP(Á, [pred]) ) Ã(2) Ã is a boolean combination of P(Loc)
16 / 28
Forward search(4/4)
Yunho Kim@ pswlab The software model checker BLAST
2: do { lock(); old = new;3: if (*) {4: unlock(); new++; }5: } while (new != old);6: unlock(); return;
Reachability Tree
2
3
4
5
6
err
lock()old=new
LOCK = 0
LOCK = 1[T]
unlock()new++
LOCK = 1
LOCK = 0[new==old]
unlock()
LOCK = 0
Map P from Loc to set of predicatesLocation Predicates
2 LOCK = 0, LOCK = 1
3 LOCK = 0, LOCK = 1
4 LOCK = 0, LOCK = 1
5 LOCK = 0, LOCK = 1
6 LOCK = 0, LOCK = 1
Counterexample trace
1: assume(true);
2: lock = 1;
old = new;
3: assume(true);
4: lock = 0;
new++;
5: assume(new==old);
6: assume(LOCK!=1);
17 / 28
Feasibility checking
Yunho Kim @ pswlab Lazy Abstraction
Counterexample trace
1: assume(true);
2: LOCK = 1;
old = new;
3: assume(true);
4: LOCK = 0;
new++;
5: assume(new==old);
6: assume(LOCK!=1);
SSA form
1: assume(true);
2: LOCK0 = 1;
old0 = new0;
3: assume(true);
4: LOCK1 = 0;
new1 = new0 + 1;
5: assume(new1==old0);
6: assume(LOCK1!=1);
Trace formula
1: true
2: Æ LOCK0 = 1;
Æ old0 = new0;
3: Æ true;
4: Æ LOCK1 = 0;
Æ new1 = new0 + 1;
5: Æ new1==old0;
6: Æ LOCK1!=1;
Trace is feasible Trace formula is satisfiable
18 / 28
Which predicate is needed?
Yunho Kim @ pswlab Lazy Abstraction
Counterexample trace
1: assume(true);
2: LOCK = 1;
old = new;
3: assume(true);
4: LOCK = 0;
new++;
5: assume(new==old);
6: assume(LOCK!=1);
Trace formula
1: true
2: Æ LOCK0 = 1;
Æ old0 = new0;
3: Æ true;
4: Æ LOCK1 = 0;
Æ new1 = new0 + 1;
5: Æ new1==old0;
6: Æ LOCK1!=1;
Relevant information1. Can be obtained after executing trace2. has present values of variables3. Makes trace suffix infeasible
Relevant predicate1. Implied by TF preffix2. On common variables3. TF suffix is unsatisfiable
19 / 28
Craig interpolant Given a pair (Á-, Á+) of formulas, an interpolant for (Á-, Á+)
is a formula à such that(i) Á- ) Ã(ii) Ã Æ Á+ is unsatisfiable(iii) the variables of à are common to both Á- and
Á+
If Á- Æ Á+ is unsatisfiable, then an interpolant always ex-ists, and can be computed from a proof of unsatisfiability of Á- Æ Á+
Yunho Kim@ pswlab The software model checker BLAST
20 / 28
Craig interpolant
Yunho Kim @ pswlab Lazy Abstraction
Counterexample trace
1: assume(true);
2: LOCK = 1;
old = new;
3: assume(true);
4: LOCK = 0;
new++;
5: assume(new==old);
6: assume(LOCK!=1);
Trace formula
1: true
2: Æ LOCK0 = 1;
Æ old0 = new0;
3: Æ true;
4: Æ LOCK1 = 0;
Æ new1 = new0 + 1;
5: Æ new1==old0;
6: Æ LOCK1!=1;
Relevant predicate1. Implied by TF suffix2. On common variables
3. Æ TF suffix is unsatisfiable
Á-
Á+
Interpolant Ãold0 = new0
à is a formula such that 1. Á- ) Ã2. à only contains common vari-
ables of Á– and Á+
3. Ã Æ Á+ is unsatisfiable
Interpolant Ãold0 = new0Interpolant ÃOld0 != new0
21 / 28
Search with new predicates(1/3)
Yunho Kim @ pswlab Lazy Abstraction
2: do { lock(); old = new;3: if (*) {4: unlock(); new++; }5: } while (new != old);6: unlock(); return;
2
3
lock()old=new
LOCK = 0
LOCK = 1 Æ new = old
Map P’ from loc to set of predicatesLocation Predicates
2 LOCK = 0, LOCK = 1,
3 LOCK = 0, LOCK = 1, old = new
4 LOCK = 0, LOCK = 1, old = new
5 LOCK = 0, LOCK = 1, old != new
6 LOCK = 0, LOCK = 1
22 / 28
Search with new predicates(2/3)
Yunho Kim @ pswlab Lazy Abstraction
2: do { lock(); old = new;3: if (*) {4: unlock(); new++; }5: } while (new != old);6: unlock(); return;
2
3
4
5
lock()old=new
LOCK = 0
LOCK = 1 Æ new = old
[T]
unlock()new++
LOCK = 1 Æ new = old
LOCK = 0 Æ new old
2
[new!=old]
LOCK = 0 Æ new oldCOVERED
Map P’ from loc to set of predicatesLocation Predicates
2 LOCK = 0, LOCK = 1,
3 LOCK = 0, LOCK = 1, old = new
4 LOCK = 0, LOCK = 1, old = new
5 LOCK = 0, LOCK = 1, old != new
6 LOCK = 0, LOCK = 1
23 / 28
Search with new predicates(3/3)
Yunho Kim @ pswlab Lazy Abstraction
2: do { lock(); old = new;3: if (*) {4: unlock(); new++; }5: } while (new != old);6: unlock(); return;
2
3
4
5
6
lock()old=new
LOCK = 0
LOCK = 1 Æ new = old
[T]
unlock()new++
LOCK = 1 Æ new = old
LOCK = 0 Æ new old
FALSE
2
[new!=old]
LOCK = 0 Æ new oldCOVERED
5
[T]
LOCK = 1 Æ new = old
2 6[new==old]
FALSE
LOCK = 1 Æ new = old
ret
unlock()
LOCK = 0 Æ new = oldSafe
!
24 / 28
Local predicate use Use predicates needed at location
• #Preds. grows with program size
• #Preds per location is small
Yunho Kim @ pswlab Lazy Abstraction
Local Predicate useEx: 2n states
Global Predicate useEx: 2n states
25 / 28
Experiments
funlock.c is an example we covered driver.c is a Windows driver for verifying locking disci-
pline read.c, floppy.c are drivers from Windows DDK qpmouse.c and llrw_block.c are drivers from Linux Experiments ran on 800MHz PIII with 256M RAM
Yunho Kim @ pswlab Lazy Abstraction
26 / 28
Conclusions BLAST is a software model checker for verifying program
written in C language
BLAST improves the scheme of CEGAR by implementing lazy abstraction avoids redundant abstraction and checking Predicates are locally applied and states are locally abstracted
Yunho Kim @ pswlab Lazy Abstraction
27 / 28
Reference The Software Model Checker Blast: Applications to Software Engi-
neering.by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar
in Int. Journal on Software Tools for Technology Transfer, 2007 Lazy abstraction
by Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Gré-goire Sutrein ACM SIGPLAN – SIGACT Conference on
Principle Of Programming Language 2000 Abstractions from Proofs
by Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar and Kenneth L. McMillanin ACM SIGPLAN-SIGACT Conference on
Principles of Programming Languages, 2004
Yunho Kim @ pswlab Lazy Abstraction
28 / 28
Reference Lazy Abstraction slides
by Jinseong Jeonin CS750 class, Fall, 2006
Software Verification with BLAST slidesby Tom Henzinger, Ranjit , Rupak Majumdar
in SPIN workshop 2005 tutoria Á Ã
Yunho Kim @ pswlab Lazy Abstraction
29 / 28
Control Flow Automata for C pro-grams
Yunho Kim@ pswlab The software model checker BLAST
3
4
ret
6[LOCK == 0]
[LOCK != 0]
LOCK=1 Skip
Node corresponds to control location Edge corresponds to either a basic block
or an assume predicate
1 Example(){ 2 do{ 3 if (LOCK == 0) 4 LOCK=1; 5 else 6 ERROR: 7 old = new; 8 if (*){ 9 if (LOCK == 1) 10 LOCK = 0; 11 else 12 ERROR: 13 new++; 14 } 15 }while (new != old); 16 if (LOCK == 1) 17 LOCK = 0; 18 else 19 ERROR: 20 return; 21 }
7
8old = new
9
10 12[LOCK == 1]
[LOCK != 1]
13LOCK=0 Skip
15[new != old]
[TRUE][TRUE]
16
17 19[LOCK == 1]
[LOCK != 1]
LOCK=0 Skip20return
[new == old]