Posted on 20-Dec-2015

Page 1: Lazy Predicate Abstraction in BLAST

John Gallagher

CS4117

Page 2: BLAST from the Past

To quickly rehash my last presentation, a few points on BLAST:

BLAST is a model checker. It can usually verify that software satisfies certain safety properties.

BLAST converts safety specifications into reachability problems: can an unsafe state be reached in execution?

Analysis is conducted using Control Flow Automata, Abstract Reachability Trees, and Predicate Formulae.

Page 3: A Safe C Program

#include "assert.h"

int main() {
    /* i and ctr are deliberately left uninitialised: the checker treats
       them as arbitrary (nondeterministic) values. */
    int i, x, y, ctr;

    x = ctr;
    ctr = ctr + 1;
    y = ctr;
    if (x == i) {
        assert (y == i + 1);   /* holds on every path: y is always x + 1 */
    }
    return 0;
}

Page 4: The Problem

Simulating real execution explodes the state space exponentially when trying to determine feasible paths.

Abstraction is expensive, because the reachability problem requires a SAT invocation. Given n abstract predicates, there are 2^n abstract states.

Lazily find important predicates!

Page 5: The Approach

#include "assert.h"

int main() {
    /* i and ctr are deliberately left uninitialised: arbitrary values. */
    int i, x, y, ctr;

    x = ctr;
    ctr = ctr + 1;
    y = ctr;
    if (x == i) {
        assert (y == i + 1);
    }
    return 0;
}

How much information needs to be kept about the state?

How many instructions need to be evaluated to ensure safety, or to show a safety violation?

Page 6: The Approach

Make a cut-point in the code. Given current values for variables from above the point, which ones show that the rest of the path to the error state is infeasible? A Craig Interpolant may help.

x = ctr;
ctr = ctr + 1;
y = ctr;
/* ---- cut point ---- */
if (x == i) {
    assert (y == i + 1);
}

Page 7: Craig Interpolants

First, we must convert the state of the program into FOPL: x=ctr ^ ctr1=ctr+1 ^ y=ctr1 above the cut. Below the cut, x==i ^ y != i+1.

By conjoining the two formulas (call them A and B), satisfiability can be determined. This answers the question: from my state above the cut, can I get to a certain state below?

These will be our FOPL formulas A and B. If A ^ B is unsatisfiable, there exists a Craig interpolant C (over only the variables that A and B share) such that A → C and B ^ C is unsatisfiable, which gives at least one answer to the question: why can't I reach the state below?

Page 8: Interpolants in Action

The FOPL formula x=ctr ^ ctr1=ctr+1 ^ y=ctr1 ^ x==i ^ y != i+1 is inconsistent. This means that given what we know at the current cut point.

BLAST's interpolation procedure returns y==x+1. The interpolant generation is complex, but SAT solving through reduction is a good start. Investigate here.

x = ctr;
ctr = ctr + 1;
y = ctr;
/* ---- cut point ---- */
if (x == i) {
    assert (y == i + 1);
}
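The interpolant conditions stated on page 7 and the interpolant y==x+1 reported on page 8, checked mechanically. This is an added example, not BLAST's code or the author's: it evaluates A, B and a candidate C over a small constructed integer domain instead of calling a real interpolating prover (an assumption that keeps it self-contained), and it also tests two constructed candidates that each fail exactly one of the three conditions, which shows why all three are needed.

```python
from itertools import product

# Constructed bounded domain: every integer variable ranges over these values.
# A real interpolating prover reasons over unbounded integers; the bound is an
# assumption that keeps this illustration self-contained.
DOMAIN = range(-3, 4)

ALL_VARS = ("x", "ctr", "ctr1", "y", "i")
VARS_A = ("x", "ctr", "ctr1", "y")                  # variables of A (above the cut)
VARS_B = ("x", "y", "i")                            # variables of B (below the cut)
SHARED = tuple(v for v in VARS_A if v in VARS_B)    # ("x", "y")


def formula_a(e):
    """A: x=ctr ^ ctr1=ctr+1 ^ y=ctr1 -- the three assignments in SSA form."""
    return e["x"] == e["ctr"] and e["ctr1"] == e["ctr"] + 1 and e["y"] == e["ctr1"]


def formula_b(e):
    """B: x==i ^ y!=i+1 -- take the branch, then violate the assertion."""
    return e["x"] == e["i"] and e["y"] != e["i"] + 1


def interpolant(e):
    """C: y==x+1, the interpolant reported on page 8."""
    return e["y"] == e["x"] + 1


def environments(names=ALL_VARS):
    """Every assignment of DOMAIN values to the given variables."""
    for values in product(DOMAIN, repeat=len(names)):
        yield dict(zip(names, values))


def path_feasible():
    """Is A ^ B satisfiable?  False means the error path is infeasible."""
    return any(formula_a(e) and formula_b(e) for e in environments())


def check_interpolant(c, c_vars):
    """Return the three Craig conditions for candidate c over variables c_vars."""
    return {
        "over_shared_vars": set(c_vars) <= set(SHARED),
        "A_implies_C": all(c(e) for e in environments() if formula_a(e)),
        "C_and_B_unsat": not any(c(e) and formula_b(e) for e in environments()),
    }


def is_interpolant(c, c_vars):
    return all(check_interpolant(c, c_vars).values())


# Two constructed candidates that fail exactly one condition each.
def candidate_true(e):
    """'true' is implied by A but does not refute B."""
    return True


def candidate_with_ctr(e):
    """x==ctr ^ y==ctr+1 follows from A and refutes B, but mentions ctr,
    which B cannot see, so it is not an interpolant."""
    return e["x"] == e["ctr"] and e["y"] == e["ctr"] + 1


if __name__ == "__main__":
    print("A ^ B feasible:", path_feasible())
    print("y==x+1:", check_interpolant(interpolant, ("x", "y")))
    print("true:", check_interpolant(candidate_true, ()))
    print("x==ctr ^ y==ctr+1:", check_interpolant(candidate_with_ctr, ("x", "ctr", "y")))
```

The shared-variable condition is what makes the interpolant useful as a predicate: y==x+1 mentions only what both halves of the path can see, so it is exactly the fact about the state above the cut that the code below the cut needs.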

Page 9: So… What?

Finding an interpolant in this trivial example did not help much. On big programs, it reduces the number of predicates used in the state tremendously. Last presentation's Abstract Reachability Tree (the graphical representation of the predicate states and transitions) was cramped, and that example had four lines of C.
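An added example (not BLAST's implementation) of the idea on pages 4, 6 and 9: a tiny abstract reachability analysis over the page-3 error path, run three ways. With no predicates the abstraction is too coarse and reports a spurious path to the assertion; with every predicate tracked at every location it succeeds but visits more abstract states (up to 2^n per location); tracked lazily, with only the interpolant for each cut point kept at that point, it proves the path infeasible with a single predicate per location. The page gives only the last interpolant, y==x+1; the predicates for the earlier cuts are worked out by hand here from the same A/B split and are an assumption of the example, as is the bounded integer domain that replaces a real decision procedure.

```python
from itertools import product

# Constructed bounded domain standing in for unbounded ints (an assumption).
DOMAIN = range(-3, 4)
VARS = ("x", "ctr", "y", "i")


def all_states():
    for vals in product(DOMAIN, repeat=len(VARS)):
        yield dict(zip(VARS, vals))


# The single path from the page-3 program to the assertion failure: three
# assignments, take the branch, then violate the assertion.
PATH = [
    ("assign", "x",   lambda s: s["ctr"]),
    ("assign", "ctr", lambda s: s["ctr"] + 1),
    ("assign", "y",   lambda s: s["ctr"]),
    ("assume", None,  lambda s: s["x"] == s["i"]),
    ("assume", None,  lambda s: s["y"] != s["i"] + 1),
]

# Candidate predicates. y==x+1 is the interpolant from page 8; the other
# three are the interpolants for the earlier cut points, derived by hand.
P = {
    "x==ctr":   lambda s: s["x"] == s["ctr"],
    "ctr==x+1": lambda s: s["ctr"] == s["x"] + 1,
    "y==x+1":   lambda s: s["y"] == s["x"] + 1,
    "y==i+1":   lambda s: s["y"] == s["i"] + 1,
}

# Predicates tracked at the location just *after* each statement of PATH.
NONE = [[], [], [], [], []]
EAGER = [list(P)] * 5                                          # everything, everywhere
LAZY = [["x==ctr"], ["ctr==x+1"], ["y==x+1"], ["y==i+1"], ["y==i+1"]]


def step(s, stmt):
    """Concrete semantics; None if an assume fails or a value leaves DOMAIN."""
    kind, var, fn = stmt
    if kind == "assume":
        return s if fn(s) else None
    v = fn(s)
    return {**s, var: v} if v in DOMAIN else None


def abstract(s, preds):
    """Abstract state: the truth value of each tracked predicate."""
    return tuple(P[name](s) for name in preds)


def abstract_post(reach, stmt, preds_before, preds_after):
    """Best abstract post over DOMAIN: concretise, step, re-abstract."""
    out = set()
    for s in all_states():
        if abstract(s, preds_before) in reach:
            t = step(s, stmt)
            if t is not None:
                out.add(abstract(t, preds_after))
    return out


def explore(preds_per_loc):
    """Walk PATH; return (error_reachable, number of abstract states visited)."""
    preds_before = []
    reach = {()}                      # nothing known at the entry
    visited = 1
    for stmt, preds_after in zip(PATH, preds_per_loc):
        reach = abstract_post(reach, stmt, preds_before, preds_after)
        visited += len(reach)
        if not reach:                 # no abstract state survives: path infeasible
            return False, visited
        preds_before = preds_after
    return True, visited


if __name__ == "__main__":
    for name, preds in (("none", NONE), ("eager", EAGER), ("lazy", LAZY)):
        print(name, explore(preds))
```

With no predicates the analysis says the assertion is reachable, which the concrete program shows is spurious; that is the abstraction being refined. The eager run tracks all four predicates everywhere and could in principle touch 2^4 = 16 abstract states per location, while the lazy run never holds more than one predicate, and therefore at most two abstract states, at any location.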

Page 10: So… What?

By being able to weed out the important predicates to track, BLAST is fairly scalable. Here is some data presented at the SPIN 2005 Conference.

Program   Lines (preprocessed)   Time (mins)   Predicates (total)   Predicates (average)
kbfiltr   12k                    3             72                   6.5
floppy    17k                    25            240                  7.7
diskprf   14k                    13            140                  10
cdaudio   18k                    23            256                  7.8
parport   61k                    74            753                  8.1
parclss   138k                   77            382                  7.2

Page 11: Questions?

Page 12: References

http://mtc.epfl.ch/software-tools/blast/

Software Verification with BLAST (PPT). Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar.

Interpolation for data structures. Kapur, D., Majumdar, R., and Zarba, C. G. 2006. In Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering (Portland, Oregon, USA, November 05 - 11, 2006).

Applications of Craig Interpolants in Model Checking. K. L. McMillan, TACAS 2005: 1-12.