The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar...
-
Upload
roger-hubbard -
Category
Documents
-
view
223 -
download
0
Transcript of The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar...
![Page 1: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/1.jpg)
The Software Model Checker BLAST
by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Ma-jumdar
Presented by Yunho KimProvable Software Lab, KAIST
![Page 2: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/2.jpg)
Overview
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 2/26
• The reliable software is hard to build and ver-ify
• The scheme of CEGAR was implemented for veri-fying software by SLAM and applied success-fully to find bugs in device drivers
• BLAST is an improved automatic verification tool for checking safety properties of C programs– Lazy predicate abstraction– Interpolation-based predicate discovery
![Page 3: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/3.jpg)
Contents
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 3/26
• Introduction
• Lazy abstraction
• Predicate discovery
• Conclusion
![Page 4: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/4.jpg)
Introduction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 4/26
• Software model checking is an algorithmic technique to verify implemented code against a specification
Logical Specification
Model Checker
Implemented code
Okay
Satisfied Not satisfied
Counterexam-ple
![Page 5: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/5.jpg)
Introduction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 5/26
• Even very simple code has many states
1 BubbleSort(int data[], int N){ 2 int i, j, tmp; 3 for (i=0; i<N-1; i++){ 4 for (j=i+1; j<N; j++){ 5 if (data[i] > data[j]){ 6 tmp = data[i]; 7 data[i] = data[j]; 8 data[j] = tmp; 9 } 10 } 11 } 12 }
This has at least 232 £ (232)232 initial states!!
![Page 6: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/6.jpg)
Introduction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 6/26
• The Counter-Example Guided Abstraction Refine-ment(CEGAR) is a key paradigm for software model checking
AbstractionModel
checking
RefinementFeasi-ble?
Program P
Spec φ
Infeasible path p
φ false +
counterexam-ple
φ trueAbstract program P’
Error trace p
![Page 7: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/7.jpg)
Introduction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 7/26
• BLAST improves CEGAR approach – Lazy predicate abstraction – Interpolation-based predicate refinement
Constructing Abstraction Reachable
Tree
Modelchecking
Interpola-tion-based refinement
Feasi-ble?
Program P
Spec φ
Infeasible path p
φ false +
counterexam-ple
φ trueART
Error trace p
![Page 8: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/8.jpg)
Contents
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 8/26
• Introduction
• Lazy abstraction
• Predicate discovery
• Conclusion
![Page 9: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/9.jpg)
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 9/26
• Simple example program using a lock– Lock should be followed by unlock
1 Lock(){ 2 if (LOCK == 0){ 3 LOCK = 1; 4 }else{ 5 ERROR: 6 } 7 } 8 9 Unlock(){ 10 if (LOCK == 1){ 11 LOCK = 0; 12 }else{ 13 ERROR: 14 } 15 } 16
17 Example(){ 18 do{ 19 Lock(); 20 old = new; 21 q = q->next; 22 if (q != NULL){ 23 q->data = new; 24 Unlock(); 25 new++; 26 } 27 }while(new != old); 28 Unlock(); 29 }
LOCK = 0 LOCK = 1
Lock()
Lock()
Unlock()
Unlock()
![Page 10: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/10.jpg)
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 10/26
• BLAST represents a program by a set of control-flow-automata (CFA)– Each function has a CFA
1 Lock(){ 2 if (LOCK == 0){ 3 LOCK = 1; 4 }else{ 5 ERROR: 6 } 7 } 8 9 Unlock(){ 10 if (LOCK == 1){ 11 LOCK = 0; 12 }else{ 13 ERROR: 14 } 15 } 16
L#2
Pred(LOCK==0);
L#3L#5
Pred(!(LOCK==0));
U#10
Pred(LOCK==1);
U#11
U#13
Pred(!(LOCK==1));
L#7
U#15
LOCK=1;
LOCK=0 ;
Error lo-cation
skip;
skip;
![Page 11: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/11.jpg)
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 11/26
• A CFA for Example() function
17 Example(){ 18 do{ 19 Lock(); 20 old = new; 21 q = q->next; 22 if (q != NULL){ 23 q->data = new; 24 Unlock(); 25 new++; 26 } 27 }while(new != old); 28 Unlock(); 29 }
E#19
Lock();
E#22
E#23
E#27
E#28
Pred(q!=NULL)
Pred(!(q!=NULL)) q->data=new;
Pred(!(new!=old));
Pred((new!=old));
E#29
Unlock();
E#20
old = new;q=q->next;
E#24
E#25
Unlock();
new++;
![Page 12: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/12.jpg)
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 12/26
• A CFA is a directed graph, with nodes correspond-ing to control points of the program, and edges corresponding to program operations
• An edge between two nodes is labeled by the in-struction which is either – A basic block of assignments– An assume predicate – A function call– A return instruction
![Page 13: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/13.jpg)
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 13/26
• To prove the error location is never reached, BLAST constructs an abstract reachability tree (ART)
• An ART is a labeled tree that represents a portion of the reachable state space of the program
• Each node n is denoted by n : (q, Á)– q is the CFA location– Á is the reachable region
• Each edge is labeled with an instruction
![Page 14: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/14.jpg)
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 14/26
• The ART construction proceeds by unrolling the CFAs and keeping track of the reachable region at each CFA location
• Initially BLAST starts with no predicates and the given entry location
• How to compute the successor of the reachable region?– Using weakest precondition
![Page 15: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/15.jpg)
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 15/26
• The successor of the reachable region R is gener-ated using weakest precondition
• For each predicate p, check if either p or :p is true after op
• When is p true after op?– If WP(p, op) is true before OP– We know R is true before OP– Query: R ) WP(p, op)
![Page 16: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/16.jpg)
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 16/26
• Example
• What is the successor of R w.r.t. predicate p and op?– WP(x>0, x := 1-x) = x < 1– x < 0 ) x < 1 is valid– x < 1 is successor
E#27
E#28
x := 1 - x
?
R: x < 0p: x > 0
![Page 17: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/17.jpg)
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 17/26
• For a tree node n : (q, Á), BLAST constructs suc-cessor nodes of n in the tree for all edges be-tween q ! q’– Function call is inlined
E#19
Lock();
E#22
Pred(!(q!=NULL))
E#20
old = new;q=q->next;
E#19
L#2
Pred(LOCK==0);
L#3L#5
Pred(!(LOCK==0));
Lock();
The error location is encoun-tered
Pred((q!=NULL))
L#2
Pred(LOCK==0);
L#3L#5
Pred(!(LOCK==0));
L#7LOCK=1;skip;
TRUE
TRUE
TRUETRUE
![Page 18: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/18.jpg)
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 18/26
• To analyze the abstract error path, BLAST creates path formula(PF)
• Path formula is a set of constraints which is satis-fiable iff the path is feasible
• The PF is built by transforming the path into SSA form, and then generating constraints for each operation along the path
![Page 19: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/19.jpg)
Lazy Abstraction
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 19/26
• Feasibility check
1: LOCK=0
2: call Lock()
3: assume(LOCK==1)
Trace SSA Trace
LOCK0 = 0
Æ TRUE
Æ LOCK0 = 1
1: LOCK0 = 0
2: call Lock()
3: LOCK0 = 1
PathFormula
Trace is feasible iff TF is satisfi-able
![Page 20: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/20.jpg)
Contents
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 20/26
• Introduction
• Lazy abstraction
• Predicate discovery
• Conclusion
![Page 21: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/21.jpg)
Predicate Discovery
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 21/26
• What predicate is needed?
1. … after executing trace prefix
2. … has present values of variables
3. … makes trace suffix infeasible
… implied by PF prefix
… on common variables
… & PF suffix is unsatisfiable
Predicate …Relevant Informa-tion
1: LOCK=0
2: call Lock()
3: assume(LOCK==1)
LOCK0 = 0
Æ TRUE
Æ LOCK0 = 1
prefix
suffix
prefix
suffix
Trace Path Formula
![Page 22: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/22.jpg)
Predicate Discovery
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 22/26
• For a pair of formulas Á- and Á+ s.t. Á- Æ Á+ is un-satisfiable, a Craig interpolant à is a formula such that– The implication Á- ) à is valid– The conjunction Ã Æ Á+ is unsatisfiable– à only contains symbols common to both Á- and Á+
• Ã satisfies the following conditions– Ã is implied by PF prefix– Ã Æ PF suffix is unsatisfiable– Ã only contains common variables on prefix and suffix
![Page 23: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/23.jpg)
Predicate Discovery
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 23/26
• Adding new predicates for the control location
LOCK0 = 0
Æ TRUE
Æ LOCK0 = 1
PathFormula
Ã: LOCK = 0
New predicate for the location line 2 is added
2: LOCK = 0
This predicate is only applied at the location line 2
![Page 24: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/24.jpg)
Predicate Discovery
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 24/26
• Rebuild ART
E#19
Lock();
E#22
E#20
old = new;q=q->next;
E#19
L#2
Pred(LOCK==0);
L#3L#5
Pred(!(LOCK==0));
Lock();
TRUE ) WP(LOCK=0, Pred(LOCK=0) )
Pred((q!=NULL))
L#2
Pred(LOCK==0);
L#3L#5
Pred(!(LOCK==0));
L#7LOCK=1;skip;
TRUE
TRUE
LOCK = 0
L#7 TRUE
LOCK=1;
E#22
E#20
old = new;q=q->next;
Pred((q!=NULL))
return;TRUE
TRUE
E#23
q->data=new;
E#24
Unlock();U#1
0
U#11
U#13
Pred(!(LOCK==1)); Pred((LOCK==1));
TRUE
TRUE
TRUE
TRUE TRUE
![Page 25: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/25.jpg)
Predicate Discovery
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 25/26
• Final ART
E#19
L#2
Pred(LOCK==0);
L#3L#5
Pred(!(LOCK==0));
Lock();
TRUE
TRUE
L#7 LOCK=1
LOCK=1;
E#22
E#20
old = new;q=q->next;
Pred((q!=NULL))
return;
E#23
q->data=new;
E#24
Unlock();U#1
0
U#11
U#13
Pred(!(LOCK==1));
(LOCK=1) Æ (old = new)
LOCK=1
(LOCK=1) Æ (old = new)
(LOCK=1) Æ (old = new)
(LOCK=1) Æ (old = new)
(LOCK=1) Æ (old = new)
Pred(LOCK==1);(LOCK=1) Æ (old = new)
Pred(!(q!=NULL))
(LOCK=1) Æ (old = new)
U#15
LOCK=0 ;
E#25
E#27
(LOCK=0) Æ (old = new)
return ;
new++;
(LOCK=0) Æ (old new)
(LOCK=0) Æ (old = new)
E#27
E#28
Pred(!(new!=old));
(LOCK=1) Æ (old = new)
Pred(new!=old);
![Page 26: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/26.jpg)
Conclusion
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 26/26
• BLAST is a software model checker for verifying program written in C language
• BLAST improves the scheme of CEGAR by imple-menting lazy abstraction and interpolation-based predicate refinement
![Page 27: The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649d055503460f949d9107/html5/thumbnails/27.jpg)
Reference
The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 27/26
• The Software Model Checker Blast: Applications to Software Engineering.by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdarin Int. Journal on Software Tools for Technology Transfer, 2007