Software Verification with BLAST Model Checking Blast Motivation - - PowerPoint PPT Presentation

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Software Verification with BLAST

Rigorous Sofware Development via Model Checking Seminar Daniele Sgandurra

Università di Pisa

10 December 2008

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Outline

1

Introduction Model Checking

2

Blast Motivation Lazy Abstraction Reachability Tree

3

Complete Examples Example 1 Example 2

4

Demo Download and Installation Tutorial

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Model Checking

• Model checking is an algorithmic technique to verify a

system description against a specification.

• Given a system description and a logical specification, the

model-checking algorithm either proves that the system description satisfies the specification, or reports a counterexample that violates the specification.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Model Checking

• The input to a sofware model checker is the program source

(=system description) and a temporal safety property (=specification).

• The specification is usually given by program instrumentation

that defines a monitor automaton, which observes if a program execution violates the desired property.

• The output of the model checker is ideally either a proof of

program correctness that can be separately validated, or a counterexample in the form of a specific execution path of the program.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Counterexample-Guided Abstraction Refinement

• CEGAR: Counterexample-Guided Abstraction Refinement.
• The model checker attempts to verify the property starting

with a coarse abstraction of the program, which tracks only a few relations (=predicates) between program variables.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Counterexample-Guided Abstraction Refinement

• If the verification succeeds, then the concrete program

satisfies the specification.

• If the verification fails, then it produces a path that violates

the specification in the abstract program.

• The path may either correspond to a concrete program

execution (feasible path) which violates the specification, or arise due to the imprecision of abstraction, and thus not correspond to a concrete program execution (infeasible path).

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Counterexample-Guided Abstraction Refinement

• In the case of a feasible path, a program bug has been

found.

• In the case of an infeasible path, the infeasibility of the

abstract error path is used to automatically deduce additional predicates which encode relevant facts about the program.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Counterexample-Guided Abstraction Refinement

• By tracking the values of these additional predicates, the

abstraction of the program is refined in a way that guarantees that subsequent verification attempts will not produce the previously encountered infeasible error path.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Counterexample-Guided Abstraction Refinement

• The entire process is repeated, by discovering and tracking

an ever increasing number of predicates, until either a feasible path that witnesses a program bug (=counterexample) is found, or the abstraction is precise enough to prove the absence of such paths.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Counterexample-Guided Abstraction Refinement

• First, relevant predicates are discovered locally and

independently at each program location as interpolants between the past and the future fragments of an infeasible error path (interpolation-based predicate discovery).

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Counterexample-Guided Abstraction Refinement

• Second, instead of construction an abstraction of the

program which tracks all relevant predicates, the discovered new predicates are added and tracked locally in some parts

• f a tree that represents the abstract executions of the

program, namely, in those parts where the infeasible error path occurred (lazy predicate abstraction).

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Counterexample-Guided Abstraction Refinement

• The resulting program abstraction is nonuniform, in that

different predicates are tracked at different program locations, possibly even at different visits to the same location.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Predicate Discovery

• The predicate-discovery algorithm takes the path formula

and finds new predicates that must be added to the abstraction in order to rule out the infeasible error path.

• The key to adding predicates is the notion of an interpolant

(Craig interpolants).

• By examining the program at certain cut points, predicates

are added to show the feasibility or infeasibility of a path (using Craig Interpolants).

• The refinement algorithm cuts the infeasible error path at

every node.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

What is BLAST?

• The Berkeley Lazy Abstraction Software verification

Tool is a model checker that checks the safety properties of C programs.

• “Automated, precise and scalable”.
• Some slides are taken/adapted from:
• SPIN Workshop 2005 Blast tutorial
• http://mtc.epfl.ch/software-tools/blast/
• Authors: Tom Henzinger, Ranjit Jhala, Rupak Majumdar

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Motivation

• Goal: decide reachability of a program location
• Safety properties can be translated into this task:
• Assertion violation;
• Memory safety;
• Pre- and post-conditions;
• Locking policy;
• ...

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

BLAST Working

• Build an abstract model using predicate abstraction.
• Check for reachability of a specified label using the

abstract model.

• If no path to ERR node: system safe.
• If path is feasible, output error trace.
• Else use infeasibility of path to refine abstract model.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

BLAST Working

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Locking

1: do{ lock();

• ld = new;

q = q->next; 2: if(q != NULL){ 3: q->data = new; unlock(); new++; } 4: while(new != old) 5: unlock(); return; }

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

What a Program Really Is...

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

The Safety Verification Problem

• Is there a path from an initial to an error state?
• Problem: Infinite state graph.
• Solution: Set of states’ logical formula.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Idea 1: Predicate Abstraction

• Predicates in program state:
• lock
• old = new
• States satisfying same predicates

are equivalent:

• Merged into one abstract

state;

• #abstract states is finite

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Abstract States and Transitions

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Abstract States and Transitions

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Abstract States and Transitions

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Analyze Abstraction

• Analyze finite graph:
• over approximate: system

safe;

• no false negatives.
• Problem: spurious

counterexample.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Idea 2: Counterexample-Guided Refinement

• Solution: use spurious

counterexamples to refine abstraction!

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Idea 2: Counterexample-Guided Refinement

• Solution: use spurious

counterexamples to refine abstraction! 1 Add predicates to distinguish states across cut; 2 Build refined abstraction: eliminates counterexamples;

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Idea 2: Counterexample-Guided Refinement

• Solution: use spurious

counterexamples to refine abstraction! 1 Add predicates to distinguish states across cut; 2 Build refined abstraction: eliminates counterexamples; 3 Repeat search till real counterexample or system proved safe.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Lazy Abstraction

• Integrate the following:
• Abstraction;
• Verification;
• Counterexample-driven refinement.
• Find pivot state.
• Construct, verify and refine abstract model “on the fly”

from pivot state on.

• Forward search phase and backward counterexample

analysis.

• Stop when either real counterexample found or system

found safe.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Lazy Abstraction

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Lazy Abstraction

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Problem: Abstraction is Expensive

• Problem: #abstract states =

2#predicates

• Exponential Theorem Prover

queries.

• Observe: Fraction of state space

reachable.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Solution 1: Only Abstract Reachable States

• Problem: #abstract states =

2#predicates

• Exponential Theorem Prover

queries.

• Solution: build abstraction during

search.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Solution 2: Don’t Refine Error-Free Regions

• Problem: #abstract states =

2#predicates

• Exponential Theorem Prover

queries.

• Don’t refine error-free regions.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Key Idea: Reachability Tree

• Unroll abstraction:

1 Pick tree-node (=abs. state); 2 Add children (=abs. successors); 3 On re-visiting abs. state, cut-off.

• Find min infeasible suffix:
• Learn new predicates;
• Rebuild sub-tree with new

preds.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Key Idea: Reachability Tree

• Unroll abstraction:

1 Pick tree-node (=abs. state); 2 Add children (=abs. successors); 3 On re-visiting abs. state, cut-off.

• Find min infeasible suffix:
• Learn new predicates;
• Rebuild sub-tree with new

preds.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Key Idea: Reachability Tree

Safe:

• Only abstract reachable states;
• Don’t refine error-free regions.
• Unroll abstraction:

1 Pick tree-node (=abs. state); 2 Add children (=abs. successors); 3 On re-visiting abs. state, cut-off.

• Find min infeasible suffix:
• Learn new predicates;
• Rebuild sub-tree with new

preds.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Build-and-Search

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Build-and-Search

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Build-and-Search

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Build-and-Search

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Build-and-Search

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Build-and-Search

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Build-and-Search

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Build-and-Search

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Build-and-Search

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Build-and-Search

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Build-and-Search

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Build-and-Search

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Build-and-Search

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Build-and-Search

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Lazy Abstraction

• Problem: abstraction is expensive.
• Solution:

1 Abstract reachable states; 2 Avoid refining error-free regions.

• Key idea: reachability tree.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Example

#include <stdio.h> #include <stdlib.h> int *a; void myscanf(const char* format, int* arg) { *arg = rand(); } int altInit(int size, int *pval1, int *pval2) { 1: int i, *ptr; 2: a = (int *) malloc(sizeof(int) * (size+1)); 3: if (a == 0) { 4: printf("Memory exhausted."); 5: exit(1); 6: } 7: i = 0; a[0] = *pval1; 8: while(i < size) { 9: i = i + 1; 10: if (i % 2 == 0) { 11: ptr = pval1; 12: } else { 13: ptr = pval2; 14: } 15: a[i] = *ptr; 16: printf("%d. iteration", i); 17: } 18: if (ptr == 0) ERR: ; 19: return *ptr; } int main(int argc, char *argv []) { 20: int *pval=(int *)malloc(sizeof(int)); 21: if (pval == 0) { 22: printf("Memory exhausted."); 23: exit(1); 24: } 25: *pval = 0; 26: while(*pval <= 0) { 27: printf("Give a number: "); 28: myscanf("%d", pval); 29: } 30: return altInit(*pval, pval, pval); }

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Example

The example program consists of three functions:

• altInit has three formal parameters: size, pval1,

pval2.

• It allocates and initializes a global array a.
• The size of the allocated array is given by size.
• The array is initialized with an alternating sequence of two

values, pointed to by the pointers pval1 and pval2.

• After the initialization is completed, the last value of the

sequence is returned to the caller.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Example

• main is a simple test driver for function altInit.
• It reads an integer number from standard input and ensures

that it gets a value greater than zero.

• Then it calls function altInit with the read value as

parameter for the size as well as for the two initial values.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Example

• The stub function myscanf models the behavior of the C

library function scanf, which reads input values.

• It returs a random integer value.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Control-Flow Automata

• Internally, Blast represents a program by a set of control flow

automata (CFAs), one for each function of the program.

• A CFA is a directed graph, with locations corresponding to

control points of the program (program-counter values), and edges corresponding to program operations.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Control-Flow Automata

• An edge between two locations is labeled by the instruction

that executes when control moves from the source to the destination.

• An instruction is either a basic block of assignments, an

assume predicate corresponding to the condition that must hold for control to proceed across the edge, a function call with call-by-value parameters, or a return instruction.

• Any C program can be converted to this representation.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

CFA for Function main

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

CFA for Function altInit

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Error Location

• We now describe how Blast checks that the label ERR

(or equivalently, the error configuration consisting of error location 1#22 and the error predicate true) is not reached along any execution of the program.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Abstract Reachability Tree

• The implementation of Blast uses a context-free reachability

algorithm to compute an approximation of the reachable set

• f states.
• In order to prove that the error configuration is never

reached, Blast constructs an abstract reachability tree (ART).

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Abstract Reachability Tree

• An ART is a labeled tree that represents a portion of the

reachable state space of the program.

• Each node of the ART is labeled with a location of a CFA, the

current call stack (a sequence of CFA locations representing return addresses), and a boolean formula (called the reachable region) representing a set of data states.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Abstract Reachability Tree

• We denote a labeled tree node by n : (q, s, φ), where n is the

tree node, q is the CFA location, s is the call stack, and φ is the reachable region.

• Each edge of the tree is marked with a basic block, an

assume predicate, a function call, or a return.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Abstract Reachability Tree

• A path in the ART corresponds to a program execution.
• The reachable region of a node n describes an
• verapproximation of the reachable states of the program

assuming execution follows the sequence of operations labeling the path from the root of the tree to n

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Complete ART

• Intuitively, a complete ART is a finite unfolding of a set of

CFAs whose locations are annotated with regions and call stacks, and whose edges are annotated with corresponding

• perations from the CFAs.
• A complete ART is safe with respect to a configuration (q, p),

where q is a CFA location (the error location) and p is a predicate over program variables (the error region), if for every node n : (q, ·, φ) in the tree, we have φ ∧ p is not satisfiable.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Complete ART

• A complete ART that is safe for configuration (q, p) serves as

a certificate (proof) that no execution of the program reaches a state where the location is q and the data state satisfies p.

• (Formal description not given here: see refs.)

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Complete ART

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Counterexample-Guided Abstraction Refinement

• Blast starts with a coarse abstraction of the state space and

attempts to construct a complete ART with the coarse abstraction.

• If this complete ART is safe for the error configuration, then

the program is safe.

• However, the imprecision of the abstraction may result in the

analysis finding paths in the ART leading to the error configuration which are infeasible during the execution of the program.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Counterexample-Guided Abstraction Refinement

• Blast runs a counterexample analysis algorithm that

determines whether the path to the error configuration is feasible (i.e., there is a program bug) or infeasible.

• In the latter case it refines the current abstraction using an

interpolation-based predicate-discovery algorithm, which adds predicates locally to rule out the infeasible error path.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Counterexample-Guided Abstraction Refinement

• For a given abstraction (mapping of control locations to

predicates), Blast constructs the ART on-the-fly, stopping and running the counterexample analysis whenever a path to the error location is found in the ART.

• The refinement procedure refines the abstraction locally, and

the search is resumed on the nodes of the ART where the abstraction has been refined.

• The parts of the ART that have not been affected the

refinement are left intact. This algorithm is called lazy abstraction.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Constructing the ART

• Initially, Blast starts with no predicates, and attempts to

construct an ART.

• The ART construction proceeds by unrolling the CFAs and

keeping track of the reachable region at each CFA location.

• We start with the initial location of the program (in our

example the first location of main), with the reachable region true (which represents an arbitrary initial data state).

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Constructing the ART

• For a tree node n : (q, s, φ), we construct successor nodes of

n in the tree for all edges q

• p

→ q

′ in the CFA.

• The successor nodes are labeled with overapproximations of

the set of states reachable from (q, s, φ) when the corresponding operations op are performed.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Constructing the ART

• For the first iteration, since we do not track any facts

(predicates) about variable values, all reachable regions are

• verapproximated by true (that is, the abstraction assumes

that every data state is possible).

• With this abstraction, Blast finds that the error location may

be reachable in the example.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

ART When the First Infeasible Path is Found

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

ART When the First Infeasible Path is Found

• The figure shows the ART when Blast finds the first path to

the error location.

• This ART is not complete, because some nodes have not yet

been processed.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

ART When the First Infeasible Path is Found

• In the figure, all nodes with incoming dotted edges (e.g., the

node 2#7) have not been processed.

• However, the incomplete ART already contains an error path

from node 2#3 to 1#22 (the error node is depicted as a filled ellipse).

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Counterexample Analysis

• At this point, Blast invokes the counterexample-analysis

algorithm, which checks if the error path is feasible in the concrete program (i.e., the program has a bug), or whether it arises because the current abstraction is too coarse.

• To analyze the abstract error path, Blast creates a set of

constraints, called the path formula (PF), which is satisfiable if and only if the path is feasible in the concrete program.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Counterexample Analysis

• The PF is built by transforming the path into static

single-assignment form (every variable is assigned a value at most once, which is achieved by introducing new special variables), and then generating constraints for each

• peration along the path.
• For the abstract error path of the example, the path formula

(not shown here) is unsatisfiable, and hence the error path is not feasible.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Complete ART

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Complete ART

• Adding more predicates, Blast constructs the complete ART

shown in the Figure.

• Since this tree is safe for the error location 1#22, this proves

that ERR can never be reached by executing the program.

• Note that some leaf nodes in the tree are covered: as no

new states can be reached by exploring states from covered nodes, Blast stops the ART construction at such nodes, and the whole process terminates.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Another Example

Input:

#include "assert.h" /*Blast’s assert.h*/ foo(int x, int y) { if (x > y) { x = x - y; assert(x > 0); } return 0; }

Output:

addPred: 0: (gui) adding predicate 1<=x@foo- y@foo to the system addPred: 0: (gui) adding predicate 1<=x@foo- y@foo to the system addPred: 1: (gui) adding predicate 1<=x@foo to the system addPred: 1: (gui) adding predicate 1<=x@foo to th the system Adding all preds now... [BAT] Done refiner Non-trivial functions 0 Depth of tree: 7 No error found. The system is safe :-)

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

What Just Happened?

First, BLAST builds a Control Flow Automata (basically, a flow graph) from the preprocessed C, which in simplified form looks like: void __blast_assert(){ ERROR: goto ERROR; } void __assert_fail(){__blast_assert();} int foo(int x, int y) { if (x > y) { x = x - y; ((void) ((x > 0) ? 0 : (__assert_fail())))); } return 0; }

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Is Label ERROR Reachable?

• The assert safety check has been converted into a

reachability problem.

• BLAST represents the code as a Control Flow Automata,

then constructs an Abstract Reachability Tree to try and answer this question without exploding the state space or looping forever.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

The CFA

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Properties of the ART

• A node in the ART has a triple of (Label #CFA, Call Stack,

Reachable Region).

• Reachable Region is a boolean formula representing the set
• f data states.
• An ART is safe if for every node whose CFA Label is an error

location, the Reachable Region expression ∧ with the predicate is unsatisfiable.

• For us, that means the node whose CFA label is 6 must have

a non satisfiable set of data states when ∧ with (x <= 0).

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

The ART (Call Stack Omitted)

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Safe?

• If the program is safe, the node labeled 6 (there is one such

node in this program) must have an unsatisfiable data state.

• (x > y) ∧ (x = x − y) ∧ (x ≤ 0) is unsatisfiable. y can be

substituted for x in the subtraction. set x − y, set x > 0. If x > 0 is pred p1, x ≤ 0 is !p1, since p1∧!p1 is always false, then the program is safe.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Getting BLAST

(Required: ocaml) >pwd /home/daniele/blast >wget http://mtc.epfl.ch/software-tools/blast/ \\ download/blast-2.5.zip >unzip blast-2.5.zip >cd blast-2.5/blast/ >ln -s ../foci/ foci >make distclean >make >cd bin/ >pwd /home/daniele/blast/blast-2.5/blast/bin >export PATH=$PATH:/home/daniele/blast/blast-2.5/blast/bin >.. >pblast.opt incref.c -main main -L ERROR

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Reachability Checking

• The simplest way to write a program that Blast should check

is to specify a C label at a program location that must not be reached.

• The model checker Blast checks whether such a label in the

C source code is reachable.

• The basic command for running Blast is:

pblast.opt prog.c -main start -L errlabel

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Reachability Checking

• This runs the model checker on the program prog.c and

checks for reachability of the error label errlabel, starting from the initial location of function start.

• The run ends with either an error trace or with a message

that the error was unreachable (or, since the reachability problem is undecidable, the program may not terminate).

• Not covered here: assertion checking and temporal stafety

specification.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Beyond Assert

• BLAST is designed to be useful for legacy code, so it has a

language for writing specifications to determine whether a safety property is violated: The BLAST Query Language.

• Specifications are kept separate from the code in their own
• file. Pattern matching is used to associate a specification

item with its relevant location in code.

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

BLAST Query Language

global int lockStatus = 0; event { pattern { FSMInit(); } action { lockStatus = 0; } } event { pattern { FSMLock(); } guard { lockStatus == 0 } action { lockStatus = 1; } } event { pattern { FSMUnLock(); } guard { lockStatus == 1 } action { lockStatus = 0; } }

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

Demo

>pblast.opt loop.c -main main -L ERROR >pblast.opt ptest0.c -main main -L ERROR >pblast.opt manyswap.c -main main -L ERROR >pblast.opt manyswap-unsafe.c -main main -L ERROR >pblast.opt swap4.c -main main -L ERROR >pblast.opt swap4-bug.c -main main -L ERROR >pblast.opt driver-simple.c -main main -L ERROR >pblast.opt driver.c -main main -L ERROR >pblast.opt incref.c -main main -L ERROR >pblast.opt incref.c -main main -L STUCK >pblast.opt -pred alias1.pred alias1.c >pblast.opt file_io_test.c -main main -L ERROR >pblast.opt -nofp -cf -craig 1 -alias -incref -skipfun \\

• noinitialize -L BERROR
• funlabel __error__ \\
• reloadmod -dmod -pred wuftpd-instrumented.pred \\

wuftpd-instrumented.c

Software Verification with BLAST Daniele Sgandurra Introduction

Model Checking

Blast

Motivation Lazy Abstraction Reachability Tree

Complete Examples

Example 1 Example 2

Demo

Download and Installation Tutorial

References

[1] http://mtc.epfl.ch/software-tools/blast/ [2] Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar and Kenneth L. McMillan Abstractions from Proofs. In ACM SIGPLAN-SIGACT Conference on Principles of Programming Languages, 2004. [3] Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar The Software Model Checker Blast: Applications to Software Engineering.

• Int. Journal on Software Tools for Technology Transfer, 2007.

[4] Dirk Beyer, Thomas A. Henzinger, and Gregory Theoduloz Lazy Shape Analysis.

• Proc. of the 18th International Conference on Computer Aided Verification (CAV 2006), LNCS 4144,

pages 532-546, Springer- Verlag, 2006. [5] Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar Checking memory safety with BLAST.

• Proc. of the 8th International Conference on Fundamental Approaches to Software Engineering (FASE

2005), LNCS 3442, pages 2-18, Springer-Verlag, 2005. [6] Dirk Beyer, Adam J. Chlipala, Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar The BLAST query language for software verification.

• Proc. of the 11th International Static Analysis Symposium, LNCS 3148, pp 2-18, 2004.

[7] Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar and Gregoire Sutre Lazy Abstraction. In ACM SIGPLAN-SIGACT Conference on Principles of Programming Languages, pages 58-70, 2002.