the software model checker blast by dirk beyer, thomas a. henzinger, ranjit jhala and rupak majumdar...
TRANSCRIPT
The Software Model Checker BLAST
by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Ma-jumdar
Presented by Yunho KimProvable Software Lab, KAIST
Overview
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 2/26
• The reliable software is hard to build and ver-ify
• The scheme of CEGAR was implemented for veri-fying software by SLAM and applied success-fully to find bugs in device drivers
• BLAST is an improved automatic verification tool for checking safety properties of C programs– Lazy predicate abstraction– Interpolation-based predicate discovery
Contents
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 3/26
• Introduction
• Lazy abstraction
• Predicate discovery
• Conclusion
Introduction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 4/26
• Software model checking is an algorithmic technique to verify implemented code against a specification
Logical Specification
Model Checker
Implemented code
Okay
Satisfied Not satisfied
Counterexam-ple
Introduction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 5/26
• Even very simple code has many states
1 BubbleSort(int data[], int N){ 2 int i, j, tmp; 3 for (i=0; i<N-1; i++){ 4 for (j=i+1; j<N; j++){ 5 if (data[i] > data[j]){ 6 tmp = data[i]; 7 data[i] = data[j]; 8 data[j] = tmp; 9 } 10 } 11 } 12 }
This has at least 232 £ (232)232 initial states!!
Introduction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 6/26
• The Counter-Example Guided Abstraction Refine-ment(CEGAR) is a key paradigm for software model checking
AbstractionModel
checking
RefinementFeasi-ble?
Program P
Spec φ
Infeasible path p
φ false +
counterexam-ple
φ trueAbstract program P’
Error trace p
Introduction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 7/26
• BLAST improves CEGAR approach – Lazy predicate abstraction – Interpolation-based predicate refinement
Constructing Abstraction Reachable
Tree
Modelchecking
Interpola-tion-based refinement
Feasi-ble?
Program P
Spec φ
Infeasible path p
φ false +
counterexam-ple
φ trueART
Error trace p
Contents
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 8/26
• Introduction
• Lazy abstraction
• Predicate discovery
• Conclusion
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 9/26
• Simple example program using a lock– Lock should be followed by unlock
1 Lock(){ 2 if (LOCK == 0){ 3 LOCK = 1; 4 }else{ 5 ERROR: 6 } 7 } 8 9 Unlock(){ 10 if (LOCK == 1){ 11 LOCK = 0; 12 }else{ 13 ERROR: 14 } 15 } 16
17 Example(){ 18 do{ 19 Lock(); 20 old = new; 21 q = q->next; 22 if (q != NULL){ 23 q->data = new; 24 Unlock(); 25 new++; 26 } 27 }while(new != old); 28 Unlock(); 29 }
LOCK = 0 LOCK = 1
Lock()
Lock()
Unlock()
Unlock()
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 10/26
• BLAST represents a program by a set of control-flow-automata (CFA)– Each function has a CFA
1 Lock(){ 2 if (LOCK == 0){ 3 LOCK = 1; 4 }else{ 5 ERROR: 6 } 7 } 8 9 Unlock(){ 10 if (LOCK == 1){ 11 LOCK = 0; 12 }else{ 13 ERROR: 14 } 15 } 16
L#2
Pred(LOCK==0);
L#3L#5
Pred(!(LOCK==0));
U#10
Pred(LOCK==1);
U#11
U#13
Pred(!(LOCK==1));
L#7
U#15
LOCK=1;
LOCK=0 ;
Error lo-cation
skip;
skip;
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 11/26
• A CFA for Example() function
17 Example(){ 18 do{ 19 Lock(); 20 old = new; 21 q = q->next; 22 if (q != NULL){ 23 q->data = new; 24 Unlock(); 25 new++; 26 } 27 }while(new != old); 28 Unlock(); 29 }
E#19
Lock();
E#22
E#23
E#27
E#28
Pred(q!=NULL)
Pred(!(q!=NULL)) q->data=new;
Pred(!(new!=old));
Pred((new!=old));
E#29
Unlock();
E#20
old = new;q=q->next;
E#24
E#25
Unlock();
new++;
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 12/26
• A CFA is a directed graph, with nodes correspond-ing to control points of the program, and edges corresponding to program operations
• An edge between two nodes is labeled by the in-struction which is either – A basic block of assignments– An assume predicate – A function call– A return instruction
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 13/26
• To prove the error location is never reached, BLAST constructs an abstract reachability tree (ART)
• An ART is a labeled tree that represents a portion of the reachable state space of the program
• Each node n is denoted by n : (q, Á)– q is the CFA location– Á is the reachable region
• Each edge is labeled with an instruction
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 14/26
• The ART construction proceeds by unrolling the CFAs and keeping track of the reachable region at each CFA location
• Initially BLAST starts with no predicates and the given entry location
• How to compute the successor of the reachable region?– Using weakest precondition
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 15/26
• The successor of the reachable region R is gener-ated using weakest precondition
• For each predicate p, check if either p or :p is true after op
• When is p true after op?– If WP(p, op) is true before OP– We know R is true before OP– Query: R ) WP(p, op)
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 16/26
• Example
• What is the successor of R w.r.t. predicate p and op?– WP(x>0, x := 1-x) = x < 1– x < 0 ) x < 1 is valid– x < 1 is successor
E#27
E#28
x := 1 - x
?
R: x < 0p: x > 0
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 17/26
• For a tree node n : (q, Á), BLAST constructs suc-cessor nodes of n in the tree for all edges be-tween q ! q’– Function call is inlined
E#19
Lock();
E#22
Pred(!(q!=NULL))
E#20
old = new;q=q->next;
E#19
L#2
Pred(LOCK==0);
L#3L#5
Pred(!(LOCK==0));
Lock();
The error location is encoun-tered
Pred((q!=NULL))
L#2
Pred(LOCK==0);
L#3L#5
Pred(!(LOCK==0));
L#7LOCK=1;skip;
TRUE
TRUE
TRUETRUE
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 18/26
• To analyze the abstract error path, BLAST creates path formula(PF)
• Path formula is a set of constraints which is satis-fiable iff the path is feasible
• The PF is built by transforming the path into SSA form, and then generating constraints for each operation along the path
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 19/26
• Feasibility check
1: LOCK=0
2: call Lock()
3: assume(LOCK==1)
Trace SSA Trace
LOCK0 = 0
Æ TRUE
Æ LOCK0 = 1
1: LOCK0 = 0
2: call Lock()
3: LOCK0 = 1
PathFormula
Trace is feasible iff TF is satisfi-able
Contents
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 20/26
• Introduction
• Lazy abstraction
• Predicate discovery
• Conclusion
Predicate Discovery
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 21/26
• What predicate is needed?
1. … after executing trace prefix
2. … has present values of variables
3. … makes trace suffix infeasible
… implied by PF prefix
… on common variables
… & PF suffix is unsatisfiable
Predicate …Relevant Informa-tion
1: LOCK=0
2: call Lock()
3: assume(LOCK==1)
LOCK0 = 0
Æ TRUE
Æ LOCK0 = 1
prefix
suffix
prefix
suffix
Trace Path Formula
Predicate Discovery
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 22/26
• For a pair of formulas Á- and Á+ s.t. Á- Æ Á+ is un-satisfiable, a Craig interpolant à is a formula such that– The implication Á- ) à is valid– The conjunction Ã Æ Á+ is unsatisfiable– à only contains symbols common to both Á- and Á+
• Ã satisfies the following conditions– Ã is implied by PF prefix– Ã Æ PF suffix is unsatisfiable– Ã only contains common variables on prefix and suffix
Predicate Discovery
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 23/26
• Adding new predicates for the control location
LOCK0 = 0
Æ TRUE
Æ LOCK0 = 1
PathFormula
Ã: LOCK = 0
New predicate for the location line 2 is added
2: LOCK = 0
This predicate is only applied at the location line 2
Predicate Discovery
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 24/26
• Rebuild ART
E#19
Lock();
E#22
E#20
old = new;q=q->next;
E#19
L#2
Pred(LOCK==0);
L#3L#5
Pred(!(LOCK==0));
Lock();
TRUE ) WP(LOCK=0, Pred(LOCK=0) )
Pred((q!=NULL))
L#2
Pred(LOCK==0);
L#3L#5
Pred(!(LOCK==0));
L#7LOCK=1;skip;
TRUE
TRUE
LOCK = 0
L#7 TRUE
LOCK=1;
E#22
E#20
old = new;q=q->next;
Pred((q!=NULL))
return;TRUE
TRUE
E#23
q->data=new;
E#24
Unlock();U#1
0
U#11
U#13
Pred(!(LOCK==1)); Pred((LOCK==1));
TRUE
TRUE
TRUE
TRUE TRUE
Predicate Discovery
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 25/26
• Final ART
E#19
L#2
Pred(LOCK==0);
L#3L#5
Pred(!(LOCK==0));
Lock();
TRUE
TRUE
L#7 LOCK=1
LOCK=1;
E#22
E#20
old = new;q=q->next;
Pred((q!=NULL))
return;
E#23
q->data=new;
E#24
Unlock();U#1
0
U#11
U#13
Pred(!(LOCK==1));
(LOCK=1) Æ (old = new)
LOCK=1
(LOCK=1) Æ (old = new)
(LOCK=1) Æ (old = new)
(LOCK=1) Æ (old = new)
(LOCK=1) Æ (old = new)
Pred(LOCK==1);(LOCK=1) Æ (old = new)
Pred(!(q!=NULL))
(LOCK=1) Æ (old = new)
U#15
LOCK=0 ;
E#25
E#27
(LOCK=0) Æ (old = new)
return ;
new++;
(LOCK=0) Æ (old new)
(LOCK=0) Æ (old = new)
E#27
E#28
Pred(!(new!=old));
(LOCK=1) Æ (old = new)
Pred(new!=old);
Conclusion
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 26/26
• BLAST is a software model checker for verifying program written in C language
• BLAST improves the scheme of CEGAR by imple-menting lazy abstraction and interpolation-based predicate refinement
Reference
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 27/26
• The Software Model Checker Blast: Applications to Software Engineering.by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdarin Int. Journal on Software Tools for Technology Transfer, 2007