The Software Model Checker BLAST

by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Ma-jumdar

Presented by Yunho KimProvable Software Lab, KAIST

Overview

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 2/26

• The reliable software is hard to build and ver-ify

• The scheme of CEGAR was implemented for veri-fying software by SLAM and applied success-fully to find bugs in device drivers

• BLAST is an improved automatic verification tool for checking safety properties of C programs– Lazy predicate abstraction– Interpolation-based predicate discovery

Contents

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 3/26

• Introduction

• Lazy abstraction

• Predicate discovery

• Conclusion

Introduction

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 4/26

• Software model checking is an algorithmic technique to verify implemented code against a specification

Logical Specification

Model Checker

Implemented code

Okay

Satisfied Not satisfied

Counterexam-ple

Introduction

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 5/26

• Even very simple code has many states

1 BubbleSort(int data[], int N){ 2 int i, j, tmp; 3 for (i=0; i<N-1; i++){ 4 for (j=i+1; j<N; j++){ 5 if (data[i] > data[j]){ 6 tmp = data[i]; 7 data[i] = data[j]; 8 data[j] = tmp; 9 } 10 } 11 } 12 }

This has at least 232 £ (232)232 initial states!!

Introduction

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 6/26

• The Counter-Example Guided Abstraction Refine-ment(CEGAR) is a key paradigm for software model checking

Abstraction Modelchecking

Refinement Feasi-ble?

Program PSpec φ

Infeasible path p

φ false +

counterexam-ple

φ trueAbstract program P’

Error trace p

Introduction

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 7/26

• BLAST improves CEGAR approach – Lazy predicate abstraction – Interpolation-based predicate refinement

Constructing Abstraction Reachable

Tree

Modelchecking

Interpola-tion-based refinement

Feasi-ble?

Program PSpec φ

Infeasible path p

φ false +

counterexam-ple

φ trueART

Error trace p

Contents

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 8/26

• Introduction

• Lazy abstraction

• Predicate discovery

• Conclusion

Lazy Abstraction

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 9/26

• Simple example program using a lock– Lock should be followed by unlock

1 Lock(){ 2 if (LOCK == 0){ 3 LOCK = 1; 4 }else{ 5 ERROR: 6 } 7 } 8 9 Unlock(){ 10 if (LOCK == 1){ 11 LOCK = 0; 12 }else{ 13 ERROR: 14 } 15 } 16

17 Example(){ 18 do{ 19 Lock(); 20 old = new; 21 q = q->next; 22 if (q != NULL){ 23 q->data = new; 24 Unlock(); 25 new++; 26 } 27 }while(new != old); 28 Unlock(); 29 }

LOCK = 0 LOCK = 1

Lock()

Lock()

Unlock()

Unlock()

Lazy Abstraction

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 10/26

• BLAST represents a program by a set of control-flow-automata (CFA)– Each function has a CFA

1 Lock(){ 2 if (LOCK == 0){ 3 LOCK = 1; 4 }else{ 5 ERROR: 6 } 7 } 8 9 Unlock(){ 10 if (LOCK == 1){ 11 LOCK = 0; 12 }else{ 13 ERROR: 14 } 15 } 16

L#2

Pred(LOCK==0);

L#3L#5

Pred(!(LOCK==0));

U#10Pred(LOCK==1);

U#11U#13

Pred(!(LOCK==1));

L#7

U#15

LOCK=1;

LOCK=0 ;

Error lo-cation

skip;

skip;

Lazy Abstraction

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 11/26

• A CFA for Example() function

17 Example(){ 18 do{ 19 Lock(); 20 old = new; 21 q = q->next; 22 if (q != NULL){ 23 q->data = new; 24 Unlock(); 25 new++; 26 } 27 }while(new != old); 28 Unlock(); 29 }

E#19Lock();

E#22

E#23

E#27

E#28

Pred(q!=NULL)

Pred(!(q!=NULL)) q->data=new;

Pred(!(new!=old));

Pred((new!=old));

E#29

Unlock();

E#20old = new;q=q->next;

E#24

E#25

Unlock();

new++;

Lazy Abstraction

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 12/26

• A CFA is a directed graph, with nodes correspond-ing to control points of the program, and edges corresponding to program operations

• An edge between two nodes is labeled by the in-struction which is either – A basic block of assignments– An assume predicate – A function call– A return instruction

Lazy Abstraction

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 13/26

• To prove the error location is never reached, BLAST constructs an abstract reachability tree (ART)

• An ART is a labeled tree that represents a portion of the reachable state space of the program

• Each node n is denoted by n : (q, Á)– q is the CFA location– Á is the reachable region

• Each edge is labeled with an instruction

Lazy Abstraction

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 14/26

• The ART construction proceeds by unrolling the CFAs and keeping track of the reachable region at each CFA location

• Initially BLAST starts with no predicates and the given entry location

• How to compute the successor of the reachable region?– Using weakest precondition

Lazy Abstraction

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 15/26

• The successor of the reachable region R is gener-ated using weakest precondition

• For each predicate p, check if either p or :p is true after op

• When is p true after op?– If WP(p, op) is true before OP– We know R is true before OP– Query: R ) WP(p, op)

Lazy Abstraction

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 16/26

• Example

• What is the successor of R w.r.t. predicate p and op?– WP(x>0, x := 1-x) = x < 1– x < 0 ) x < 1 is valid– x < 1 is successor

E#27

E#28

x := 1 - x

?

R: x < 0p: x > 0

Lazy Abstraction

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 17/26

• For a tree node n : (q, Á), BLAST constructs suc-cessor nodes of n in the tree for all edges be-tween q ! q’– Function call is inlined

E#19Lock();

E#22

Pred(!(q!=NULL))

E#20old = new;q=q->next;

E#19

L#2

Pred(LOCK==0);

L#3L#5

Pred(!(LOCK==0));

Lock();

The error location is encoun-tered

Pred((q!=NULL))

L#2

Pred(LOCK==0);

L#3L#5

Pred(!(LOCK==0));

L#7LOCK=1;skip;

TRUE

TRUE

TRUETRUE

Lazy Abstraction

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 18/26

• To analyze the abstract error path, BLAST creates path formula(PF)

• Path formula is a set of constraints which is satis-fiable iff the path is feasible

• The PF is built by transforming the path into SSA form, and then generating constraints for each operation along the path

Lazy Abstraction

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 19/26

• Feasibility check

1: LOCK=0

2: call Lock()

3: assume(LOCK==1)

Trace SSA Trace

LOCK0 = 0

Æ TRUE

Æ LOCK0 = 1

1: LOCK0 = 0

2: call Lock()

3: LOCK0 = 1

PathFormula

Trace is feasible iff TF is satisfi-able

Contents

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 20/26

• Introduction

• Lazy abstraction

• Predicate discovery

• Conclusion

Predicate Discovery

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 21/26

• What predicate is needed?

1. … after executing trace prefix

2. … has present values of variables

3. … makes trace suffix infeasible

… implied by PF prefix

… on common variables

… & PF suffix is unsatisfiable

Predicate …Relevant Informa-tion

1: LOCK=0

2: call Lock()

3: assume(LOCK==1)

LOCK0 = 0

Æ TRUE

Æ LOCK0 = 1

prefix

suffix

prefix

suffix

Trace Path Formula

Predicate Discovery

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 22/26

• For a pair of formulas Á- and Á+ s.t. Á- Æ Á+ is un-satisfiable, a Craig interpolant à is a formula such that– The implication Á- ) à is valid– The conjunction Ã Æ Á+ is unsatisfiable– à only contains symbols common to both Á- and Á+

• Ã satisfies the following conditions– Ã is implied by PF prefix– Ã Æ PF suffix is unsatisfiable– Ã only contains common variables on prefix and suffix

Predicate Discovery

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 23/26

• Adding new predicates for the control location

LOCK0 = 0

Æ TRUE

Æ LOCK0 = 1

PathFormula

Ã: LOCK = 0New predicate for the location line 2 is added

2: LOCK = 0

This predicate is only applied at the location line 2

Predicate Discovery

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 24/26

• Rebuild ART

E#19Lock();

E#22

E#20old = new;q=q->next;

E#19

L#2

Pred(LOCK==0);

L#3L#5

Pred(!(LOCK==0));

Lock();

TRUE ) WP(LOCK=0, Pred(LOCK=0) )

Pred((q!=NULL))

L#2

Pred(LOCK==0);

L#3L#5

Pred(!(LOCK==0));

L#7LOCK=1;skip;

TRUE

TRUE

LOCK = 0

L#7 TRUELOCK=1;

E#22

E#20old = new;q=q->next;

Pred((q!=NULL))

return;TRUE

TRUE

E#23q->data=new;

E#24Unlock();

U#10

U#11U#13

Pred(!(LOCK==1)); Pred((LOCK==1));

TRUE

TRUE

TRUE

TRUE TRUE

Predicate Discovery

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 25/26

• Final ARTE#19

L#2

Pred(LOCK==0);

L#3L#5

Pred(!(LOCK==0));

Lock();

TRUE

TRUE

L#7 LOCK=1LOCK=1;

E#22

E#20old = new;q=q->next;

Pred((q!=NULL))

return;

E#23q->data=new;

E#24Unlock();

U#10

U#11U#13

Pred(!(LOCK==1));

(LOCK=1) Æ (old = new)

LOCK=1

(LOCK=1) Æ (old = new)

(LOCK=1) Æ (old = new)(LOCK=1) Æ (old = new)

(LOCK=1) Æ (old = new)Pred(LOCK==1);

(LOCK=1) Æ (old = new)

Pred(!(q!=NULL))

(LOCK=1) Æ (old = new)

U#15LOCK=0 ;

E#25

E#27

(LOCK=0) Æ (old = new)return ;

new++;

(LOCK=0) Æ (old new)

(LOCK=0) Æ (old = new)

E#27

E#28Pred(!(new!=old));

(LOCK=1) Æ (old = new)

Pred(new!=old);

Conclusion

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 26/26

• BLAST is a software model checker for verifying program written in C language

• BLAST improves the scheme of CEGAR by imple-menting lazy abstraction and interpolation-based predicate refinement

Reference

The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 27/26

• The Software Model Checker Blast: Applications to Software Engineering.by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdarin Int. Journal on Software Tools for Technology Transfer, 2007