The Software Model Checker BLAST: Applications to Software Engineering (slide deck)


Slide 1

The Software Model Checker BLAST: Applications to Software Engineering

Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar

  • Int. Journal on Software Tools for Technology Transfer, 2007

Stefan Buchholz March 17, 2009

Slide 2

Model checking

Inputs: program source (e.g. modified C code, as for SLAM and BLAST) and a property

  → software model checker →

Outputs: either
  • Valid according to the specification, or
  • Error path

Slide 3

Model checking

Goal

Find a path from an initial state to an error state (reachability)

Problem

State explosion: it is infeasible to enumerate every concrete state.

BLAST's solution

Dynamic (lazy) predicate abstraction

Slide 4

CEGAR

Counterexample-guided abstraction refinement

  • Start with a coarse abstraction.
  • Try to reach an error state in the abstract domain.
    – Fail: the program satisfies the specification.
    – Success: is the abstract error path feasible in the concrete program?
      · Yes: safety property violated (bug); the path is the counterexample.
      · No: refine the abstraction using the spurious path and repeat.
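To make the loop above concrete, here is the lock/unlock program that the BLAST papers use to explain lazy abstraction, written as a reachability question on a label called ERROR (the form in which BLAST is normally asked "can this label be reached?"). This is an added example for this page, not code from the slides or from the BLAST distribution; the inlined monitor, the `choices` array that replaces the nondeterministic branch `if (*)`, the `bug` flag and all function names are constructed here.

```c
/* Added example, not from the slides or from BLAST: the lock/unlock
 * program used in the BLAST papers, with the safety property encoded as
 * reachability of the label ERROR.  Constructed for this page: the
 * monitor encoding, the `choices` array standing in for `if (*)`, and
 * the function names.
 */
#include <stddef.h>

/* The program under analysis.  The lock monitor is inlined: taking a held
 * lock or releasing a free one jumps to ERROR.  choices[i] decides the
 * nondeterministic branch on iteration i; when the list runs out the
 * branch is not taken, so every concrete run terminates.  `bug` selects a
 * variant that forgets `new++`, which is unsafe. */
static int protocol(const int *choices, size_t n, int bug)
{
    int locked = 0;
    int old, new = 0;
    size_t i = 0;

    do {
        if (locked) goto ERROR;             /* lock() on a held lock */
        locked = 1;
        old = new;
        if (i < n && choices[i++]) {
            if (!locked) goto ERROR;        /* unlock() on a free lock */
            locked = 0;
            if (!bug) new++;
        }
    } while (new != old);
    if (!locked) goto ERROR;                /* final unlock() */
    locked = 0;
    return 0;                               /* ERROR not reached */
ERROR:
    return 1;                               /* the label BLAST asks about */
}

int run_protocol(const int *choices, size_t n)       { return protocol(choices, n, 0); }
int run_protocol_buggy(const int *choices, size_t n) { return protocol(choices, n, 1); }

/* Constructed runs.  For the safe variant no choice sequence reaches
 * ERROR.  CEGAR gets there by first finding the abstract path
 *     lock; old = new; skip the branch; loop (new != old unknown); lock -> ERROR
 * checking that it is infeasible (after old = new the loop must exit),
 * and refining with the predicate new == old; with that predicate the
 * abstract error state is unreachable and the property is proved.
 * For the buggy variant the path
 *     lock; old = new; unlock; loop exit (new == old); unlock -> ERROR
 * is feasible, and choices = {1} is the concrete witness. */
int demo_safe_run(void)  { static const int c[] = {1, 1, 0}; return run_protocol(c, 3); }
int demo_buggy_run(void) { static const int c[] = {1};       return run_protocol_buggy(c, 1); }

/* Bounded exhaustive check of the safe variant: every choice sequence of
 * length k (k <= 16) is run.  Returns how many runs reached ERROR (0).
 * This is what testing can show for one k; the model checker proves it
 * for every k without enumerating runs. */
int count_errors_all_sequences(size_t k)
{
    int choices[16], errors = 0;
    unsigned long mask, limit;
    if (k > 16) k = 16;
    limit = 1UL << k;
    for (mask = 0; mask < limit; mask++) {
        size_t i;
        for (i = 0; i < k; i++) choices[i] = (int)((mask >> i) & 1);
        errors += run_protocol(choices, k);
    }
    return errors;
}
```

The refinement step is the interesting part for a reviewer: the first abstraction knows only the monitor state, so it cannot tell whether the loop exits, and the spurious path is what tells the tool that `new == old` is the missing predicate. Only that predicate is added, and only along the path where it was needed, which is the "lazy" part of lazy abstraction.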

Slide 5

Optimizations

Lazy predicate abstraction

don't refine error-free regions

Interpolation-based predicate discovery

add predicates locally when refining

Slide 6

Applications

Reduce run-time memory checks

Check whether each inserted check can ever fail (is its failure reachable?) and remove the ones proved unnecessary

Automatic test generation

For any counterexample found try to generate a test vector

BLASTing Linux Code

Slide 7

Demonstration

Open source!

http://mtc.epfl.ch/software-tools/blast/

Slide 8

Limitations

False alarms (cannot show the infeasibility of a path)

  • Mathematical integers (no overflows modeled)
  • Decision procedures only implement linear arithmetic
  • Uninterpreted functions (e.g. bit-level manipulations)
  • Simple pointer arithmetic and alias handling only

Weak predicate language

  • No logical quantifiers
  • No precise reasoning about recursive functions possible
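Two of these limitations cut in opposite directions for a security reviewer, so here is an added example (not from the slides) showing both on small C functions: the mathematical-integer model can miss an error that is only reachable through unsigned wraparound, and treating bit-level operators as uninterpreted functions can produce a false alarm on a path that is infeasible for every input. The function names and inputs are constructed for this page.

```c
/* Added example, not from the slides: what the limitations above cost.
 * BLAST reasons over mathematical integers and treats bit-level
 * operators as uninterpreted functions, so it can miss an error that is
 * reachable only through wraparound, and it can report an error path that
 * is infeasible only for bit-level reasons.  Names and inputs are
 * constructed for this page.
 */
#include <limits.h>

/* (1) Missed bug.  Over unbounded integers len + 1 > len is always true,
 * so ERROR is unreachable and the check is "proved" safe.  In C, unsigned
 * arithmetic wraps: len == UINT_MAX gives needed == 0 and the guard
 * fails.  An allocation sized from `needed` would then be far too small. */
int length_check_missed_overflow(unsigned len)
{
    unsigned needed = len + 1;          /* wraps to 0 when len == UINT_MAX */
    if (!(needed > len))
        goto ERROR;
    return 0;                           /* check passed */
ERROR:
    return 1;                           /* reachable only via wraparound */
}

/* (2) False alarm.  (x & 1) == 1 says x is odd; ((x >> 1) << 1) == x says
 * x is even.  No x satisfies both, so ERROR is infeasible.  With `&`,
 * `>>` and `<<` as uninterpreted functions nothing relates the two terms,
 * so the abstract counterexample cannot be refuted and is reported. */
int parity_false_alarm(unsigned x)
{
    if ((x & 1u) == 1u && ((x >> 1) << 1) == x)
        goto ERROR;
    return 0;
ERROR:
    return 1;
}

/* Concrete evidence that (2) is spurious: count the inputs below n that
 * reach ERROR (always 0).  A bounded sweep like this cannot replace the
 * proof the tool fails to give, but it is the cheap way to triage the
 * alarm before reading the reported path by hand. */
unsigned count_parity_alarms_below(unsigned n)
{
    unsigned x, hits = 0;
    for (x = 0; x < n; x++)
        hits += (unsigned)parity_false_alarm(x);
    return hits;
}
```

Case (1) is the dangerous one: a "valid according to the specification" verdict that silently assumes the arithmetic never wraps. When reviewing code that passed such a tool, integer width and signedness at every bound check still need a separate look.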

Slide 9

Conclusion

+ Good performance and scalability

  • Limitations make it impractical for a lot of real-world applications (pointer arithmetic!)
  • Manually modifying the source code is always required

Slide 10

BACKUP

Slide 11

Data structures

Control flow automaton (CFA)

Internal representation of a program: nodes are control points, edges are operations

Abstract reachability tree (ART)

Represents a portion of the reachable state space. A path in the ART corresponds to a program execution. Each node stores a link to a CFA location, the current call stack and the (abstract) state of the variables.

Slide 12

Automatic test generation

Target Predicate Coverage

Can a location be reached with the variables satisfying a predicate p? (e.g. p = true for plain location coverage)

Coverage of a location L

Test whether L is reachable (dead-code detection). When a feasible path is found, generate a variable assignment that guides execution to the location. Embarrassingly parallel over locations.