the software model checker blast

The software model checker BLAST

Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar

Presented by Yunho Kim

2 / 28

Overview Predicate abstraction is successfully applied to software

model checking Infinite concrete states ! finite abstract states Tools: SLAM(MSR), BLAST(UCB), SATABS(CMU)

Cost for abstraction is still too high O( 2 # preds ) abstract states We need to abstract and refine locally, not globally

Blast proposed Lazy abstraction Craig interpolation-based refinement

Yunho Kim@ pswlab The software model checker BLAST

3 / 28

Contents Part I. Software Model Checking

Program behavior Predicate abstraction Counterexample-guided abstraction refinement

Part II. BLAST Abstraction and model checking Craig interpolation-based refinement


4 / 28

Behavior of program Behavior of program can be modeled as a state transition

graph


2 3

2 3

4 5 6

4 5 6

2 3 4 5 62 3

StateTransition

1: Example() {2: do { lock(); old = new;3: if (*) {4: unlock(); new++; }5: } while (new != old);6: unlock(); return;}

pc 2old 1new 2lock 0

pc 3old 2new 2lock 1

lock(); old = new;

R

R

R

5

5

E

E

E

State…………

5

5

5

5 / 28

The safety verification Is there a path from an initial to an error state ?


2 3

2 3

4 5 6

4 5 6

2 3 4 5 6

R

R

R

5

5

E

E

E

Initial states

Error states…………

5

5

5

6 / 28

Abstract behavior of program Equivalent states satisfy same predicates and have same

control location They are merged into one abstract state


2 3

2 3

4 5 6

4 5 6

2 3 4 5 6

R

R

R

5

5

E

E

E………… 2 3State

Transition

pc 2old 1new 2new 0

pc 3old 2new 2new 1

lock(); old = new;

pc 2p1

:p2

pc 3:pp2

Abs. state Abs.

transition

lock(); old = new;

p1 , (lock = 0)p2 , (lock = 1)

LOCK = 0

LOCK = 1

LOCK = 1

LOCK = 0

LOCK = 1

LOCK = 1

LOCK = 0

5

5

5

7 / 28

Over-approximation If there exists a transition between s1 and s2, then also

there exists a transition between abstract state of s1 and s2


2 3

2 3

4 5 6

4 5 6

2 3 4 5 6

R

R

R

5

5

E

E

E…………

LOCK = 0LOCK = 1

LOCK = 1LOCK = 0

LOCK = 1LOCK = 1

LOCK = 0

5

5

5

8 / 28

CEGAR CounterExample-Guided Abstraction Refinement


Lazy abstrac-tion

Craig interpo-lation-basedRefinement

Feasible?

C program PSpec φ

Infeasible path

ERROR +

counterexample

OK

Error traceNew predicate

9 / 28

Part II. BLAST

Abstraction and model checking

Craig interpolation-based refinement


10 / 28

A locking example


lock() { if (LOCK == 0) { LOCK = 1; } else { ERROR }}

unlock() { if (LOCK == 1) { LOCK = 0; } else { ERROR }}

lock

lock

unlock

unlock


11 / 28

Control Flow Automata for C pro-grams



2

3

4

5

6

ret

[T][T]

[new!=old]

[new==old]

lock()old=new

unlock()new++

unlock()

Node corresponds to control location Edge corresponds to either a basic block

or an assume predicate

12 / 28

Reachability tree


5

6

2

3

4

Unroll Abstraction1. Pick tree-node (=abs. state)2. Add children (=abs. successors)3. On re-visiting abs. state, cut-off

Find infeasible trace- Learn new predicates- Rebuild subtree with new preds.

Initial

13 / 28

Forward search(1/4)


2: do { lock(); old = new;3: if (*) {4: unlock(); new++; }5: } while (new != old);6: unlock(); return;

Map P from Loc to set of predicates

Reachability Tree

2 LOCK = 0

Location Predicates

2 LOCK = 0, LOCK = 1





Each tree node corresponds to control location and labeled with reachable region

Edge corresponds to either a basic block or an assume predicate

14 / 28

Forward search(2/4)



Reachability Tree

2

3

lock()old=new

LOCK = 0

LOCK = 1

Map P from Loc to set of predicatesLocation Predicates






Compute successors where op = ‘x:=e’ and

Loc is successors’ program counter

SP(Á, x:=e) = Á [x’/x] Æ (x = e[x’/x])

SP(Á, x:=e) w.r.t. P(Loc) = Ã s.t.

(1) SP(Á, x:=e) ) Ã(2) Ã is a boolean combination of P(Loc)

15 / 28

Forward search(3/4)



2

3

4

lock()old=new

LOCK = 0

LOCK = 1[T]

LOCK = 1

Reachability Tree







Compute successors where op = ‘[pred]’ and

Loc is successors’ program counter

SP(Á, [pred]) = Á Æ [pred]

SP(Á, [pred]) w.r.t. P(Loc) = Ã s.t.

(1) SP(Á, [pred]) ) Ã(2) Ã is a boolean combination of P(Loc)

16 / 28

Forward search(4/4)



Reachability Tree

2

3

4

5

6

err

lock()old=new

LOCK = 0

LOCK = 1[T]

unlock()new++

LOCK = 1

LOCK = 0[new==old]

unlock()

LOCK = 0







Counterexample trace

1: assume(true);

2: lock = 1;

old = new;

3: assume(true);

4: lock = 0;

new++;

5: assume(new==old);

6: assume(LOCK!=1);

17 / 28

Feasibility checking

Yunho Kim @ pswlab Lazy Abstraction


1: assume(true);

2: LOCK = 1;

old = new;

3: assume(true);

4: LOCK = 0;

new++;


6: assume(LOCK!=1);

SSA form

1: assume(true);

2: LOCK0 = 1;

old0 = new0;

3: assume(true);

4: LOCK1 = 0;

new1 = new0 + 1;

5: assume(new1==old0);

6: assume(LOCK1!=1);

Trace formula

1: true

2: Æ LOCK0 = 1;

Æ old0 = new0;

3: Æ true;

4: Æ LOCK1 = 0;

Æ new1 = new0 + 1;

5: Æ new1==old0;

6: Æ LOCK1!=1;

Trace is feasible Trace formula is satisfiable

18 / 28

Which predicate is needed?



1: assume(true);

2: LOCK = 1;

old = new;

3: assume(true);

4: LOCK = 0;

new++;


6: assume(LOCK!=1);

Trace formula

1: true

2: Æ LOCK0 = 1;

Æ old0 = new0;

3: Æ true;

4: Æ LOCK1 = 0;

Æ new1 = new0 + 1;

5: Æ new1==old0;

6: Æ LOCK1!=1;

Relevant information1. Can be obtained after executing trace2. has present values of variables3. Makes trace suffix infeasible

Relevant predicate1. Implied by TF preffix2. On common variables3. TF suffix is unsatisfiable

19 / 28

Craig interpolant Given a pair (Á-, Á+) of formulas, an interpolant for (Á-, Á+)

is a formula Ã such that(i) Á- ) Ã(ii) Ã Æ Á+ is unsatisfiable(iii) the variables of Ã are common to both Á- and

Á+

If Á- Æ Á+ is unsatisfiable, then an interpolant always ex-ists, and can be computed from a proof of unsatisfiability of Á- Æ Á+


20 / 28

Craig interpolant



1: assume(true);

2: LOCK = 1;

old = new;

3: assume(true);

4: LOCK = 0;

new++;


6: assume(LOCK!=1);

Trace formula

1: true

2: Æ LOCK0 = 1;

Æ old0 = new0;

3: Æ true;

4: Æ LOCK1 = 0;

Æ new1 = new0 + 1;

5: Æ new1==old0;

6: Æ LOCK1!=1;

Relevant predicate1. Implied by TF suffix2. On common variables

3. Æ TF suffix is unsatisfiable

Á-

Á+

Interpolant Ãold0 = new0

Ã is a formula such that 1. Á- ) Ã2. Ã only contains common vari-

ables of Á– and Á+

3. Ã Æ Á+ is unsatisfiable

Interpolant Ãold0 = new0Interpolant ÃOld0 != new0

21 / 28

Search with new predicates(1/3)



2

3

lock()old=new

LOCK = 0

LOCK = 1 Æ new = old

Map P’ from loc to set of predicatesLocation Predicates

2 LOCK = 0, LOCK = 1,

3 LOCK = 0, LOCK = 1, old = new


5 LOCK = 0, LOCK = 1, old != new


22 / 28




2

3

4

5

lock()old=new

LOCK = 0


[T]

unlock()new++


LOCK = 0 Æ new old

2

[new!=old]

LOCK = 0 Æ new oldCOVERED

Map P’ from loc to set of predicatesLocation Predicates

2 LOCK = 0, LOCK = 1,



5 LOCK = 0, LOCK = 1, old != new


23 / 28




2

3

4

5

6

lock()old=new

LOCK = 0


[T]

unlock()new++


LOCK = 0 Æ new old

FALSE

2

[new!=old]

LOCK = 0 Æ new oldCOVERED

5

[T]


2 6[new==old]

FALSE


ret

unlock()

LOCK = 0 Æ new = oldSafe

!

24 / 28

Local predicate use Use predicates needed at location

• #Preds. grows with program size

• #Preds per location is small


Local Predicate useEx: 2n states

Global Predicate useEx: 2n states

25 / 28

Experiments

funlock.c is an example we covered driver.c is a Windows driver for verifying locking disci-

pline read.c, floppy.c are drivers from Windows DDK qpmouse.c and llrw_block.c are drivers from Linux Experiments ran on 800MHz PIII with 256M RAM


26 / 28

Conclusions BLAST is a software model checker for verifying program

written in C language

BLAST improves the scheme of CEGAR by implementing lazy abstraction avoids redundant abstraction and checking Predicates are locally applied and states are locally abstracted


27 / 28

Reference The Software Model Checker Blast: Applications to Software Engi-

neering.by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar

in Int. Journal on Software Tools for Technology Transfer, 2007 Lazy abstraction

by Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Gré-goire Sutrein ACM SIGPLAN – SIGACT Conference on

Principle Of Programming Language 2000 Abstractions from Proofs

by Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar and Kenneth L. McMillanin ACM SIGPLAN-SIGACT Conference on

Principles of Programming Languages, 2004


28 / 28

Reference Lazy Abstraction slides

by Jinseong Jeonin CS750 class, Fall, 2006

Software Verification with BLAST slidesby Tom Henzinger, Ranjit , Rupak Majumdar

in SPIN workshop 2005 tutoria Á Ã


29 / 28

Control Flow Automata for C pro-grams


3

4

ret

6[LOCK == 0]

[LOCK != 0]

LOCK=1 Skip

Node corresponds to control location Edge corresponds to either a basic block

or an assume predicate

1 Example(){ 2 do{ 3 if (LOCK == 0) 4 LOCK=1; 5 else 6 ERROR: 7 old = new; 8 if (*){ 9 if (LOCK == 1) 10 LOCK = 0; 11 else 12 ERROR: 13 new++; 14 } 15 }while (new != old); 16 if (LOCK == 1) 17 LOCK = 0; 18 else 19 ERROR: 20 return; 21 }

7

8old = new

9

10 12[LOCK == 1]

[LOCK != 1]

13LOCK=0 Skip

15[new != old]

[TRUE][TRUE]

16

17 19[LOCK == 1]

[LOCK != 1]

LOCK=0 Skip20return

[new == old]

the software model checker blast

Documents