1 / 29

The software model checker BLAST

The software model checker BLAST. Dirk Beyer, Thomas A. H enzinger , Ranjit Jhala , Rupak Majumdar Presented by Yunho Kim. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A. Overview.

avidan
Télécharger la présentation

The software model checker BLAST

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The software model checker BLAST • Dirk Beyer, Thomas A. Henzinger, • RanjitJhala, RupakMajumdar • Presented by Yunho Kim TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AA

  2. Overview • Predicate abstraction is successfully applied to software model checking • Infinite concrete states ! finite abstract states • Tools: SLAM(MSR), BLAST(UCB), SATABS(CMU) • Cost for abstraction is still too high • O( 2 # preds ) abstract states • We need to abstract and refine locally, not globally • Blast proposed • Lazy abstraction • Craig interpolation-based refinement

  3. Contents • Part I. Software Model Checking • Program behavior • Predicate abstraction • Counterexample-guided abstraction refinement • Part II. BLAST • Abstraction and model checking • Craig interpolation-based refinement

  4. Behavior of program State State ………… Transition 2 3 R 2 3 4 5 6 E lock(); old = new; 5 pc  2 old  1 new  2 lock  0 pc  3 old  2 new  2 lock  1 5 R 2 3 4 5 5 6 E 1: Example() { 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; } 5 R 2 3 4 5 5 6 E Behavior of program can be modeled as a state transition graph

  5. The safety verification ………… Error states R 2 3 4 5 6 E 5 5 R 2 3 4 5 6 E 5 5 R 2 3 4 5 6 E 5 Initial states Is there a path from an initial to an error state ?

  6. Abstract behavior of program State Transition 2 3 ………… lock(); old = new; R 2 3 4 5 6 E 5 pc  2 old  1 new  2 new  0 pc  3 old  2 new  2 new  1 5 Abs. state 5 R 2 3 4 5 6 E Abs. transition 5 • pc2 p1 :p2 • pc3 :p p2 5 lock(); old = new; R 2 3 4 5 6 E p1, (lock = 0) p2,(lock = 1) LOCK = 0 LOCK = 1 LOCK = 1 LOCK = 0 LOCK = 1 LOCK = 0 LOCK = 1 • Equivalent states satisfy same predicates and have same control location • They are merged into one abstract state

  7. Over-approximation ………… R 2 3 4 5 6 E 5 5 5 R 2 3 4 5 6 E 5 5 R 2 3 4 5 6 E LOCK = 0 LOCK = 1 LOCK = 1 LOCK = 0 LOCK = 1 LOCK = 0 LOCK = 1 If there exists a transition between s1 and s2, then also there exists a transition between abstract state of s1 and s2

  8. CEGAR C program P Spec φ Lazy abstraction OK Error trace New predicate ERROR + Craig interpolation-based Refinement Feasible? Infeasible path counterexample CounterExample-Guided Abstraction Refinement

  9. Part II. BLAST • Abstraction and model checking • Craig interpolation-based refinement

  10. A locking example lock unlock unlock lock 1: Example() { 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; } lock() { if (LOCK == 0) { LOCK = 1; } else { ERROR } } unlock() { if (LOCK == 1) { LOCK = 0; } else { ERROR } }

  11. Control Flow Automata for C programs 2 1: Example() { 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; } lock() old=new 3 [T] [T] [new!=old] 4 unlock() new++ 5 [new==old] 6 unlock() ret • Node corresponds to control location • Edge corresponds to either a basic block or an assume predicate

  12. Reachability tree Initial Unroll Abstraction 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off 2 3 4 5 Find infeasible trace - Learn new predicates - Rebuild subtree with new preds. 6

  13. Forward search(1/4) 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; LOCK = 0 2 Map P from Loc to set of predicates • Each tree node corresponds to control location and labeled with reachable region • Edge corresponds to either a basic block or an assume predicate Reachability Tree

  14. Forward search(2/4) 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; LOCK = 0 2 lock() old=new 3 LOCK = 1 Compute successors where op = ‘x:=e’ and Loc is successors’ program counter SP(Á, x:=e) = Á [x’/x] Æ (x = e[x’/x]) SP(Á, x:=e) w.r.t. P(Loc) = Ãs.t. (1) SP(Á, x:=e) )Ã (2) Ã is a boolean combination of P(Loc) Map P from Loc to set of predicates Reachability Tree

  15. Forward search(3/4) 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; LOCK = 0 2 lock() old=new 3 LOCK = 1 [T] LOCK = 1 4 Compute successors where op = ‘[pred]’ and Loc is successors’ program counter SP(Á, [pred]) = ÁÆ [pred] SP(Á, [pred]) w.r.t. P(Loc) = Ãs.t. (1) SP(Á, [pred]) )Ã (2) Ã is a boolean combination of P(Loc) Map P from Loc to set of predicates Reachability Tree

  16. Forward search(4/4) 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; Counterexample trace 1: assume(true); 2: lock = 1; old = new; 3: assume(true); 4: lock = 0; new++; 5: assume(new==old); 6: assume(LOCK!=1); LOCK = 0 2 lock() old=new 3 LOCK = 1 [T] LOCK = 1 4 unlock() new++ Map P from Loc to set of predicates LOCK = 0 5 [new==old] LOCK = 0 6 unlock() err Reachability Tree

  17. Feasibility checking Counterexample trace 1: assume(true); 2: LOCK = 1; old = new; 3: assume(true); 4: LOCK = 0; new++; 5: assume(new==old); 6: assume(LOCK!=1); SSA form 1: assume(true); 2: LOCK0= 1; old0 = new0; 3: assume(true); 4: LOCK1= 0; new1 = new0 + 1; 5: assume(new1==old0); 6: assume(LOCK1!=1); Trace formula 1: true 2: Æ LOCK0 = 1; Æ old0 = new0; 3: Æ true; 4: Æ LOCK1 = 0; Æ new1 = new0 + 1; 5: Æ new1==old0; 6: Æ LOCK1!=1; Trace is feasible  Trace formula is satisfiable

  18. Which predicate is needed? Counterexample trace 1: assume(true); 2: LOCK = 1; old = new; 3: assume(true); 4: LOCK = 0; new++; 5: assume(new==old); 6: assume(LOCK!=1); Trace formula 1: true 2: Æ LOCK0 = 1; Æ old0 = new0; 3: Æ true; 4: Æ LOCK1 = 0; Æ new1 = new0 + 1; 5: Æ new1==old0; 6: Æ LOCK1!=1; Relevant information 1. Can be obtained after executing trace 2. has present values of variables 3. Makes trace suffix infeasible Relevant predicate 1. Implied by TF preffix 2. On common variables 3. TF suffix is unsatisfiable

  19. Craig interpolant • Given a pair (Á-, Á+) of formulas, an interpolantfor (Á-, Á+) is a formula à such that (i) Á-)à (ii) ÃÆÁ+ is unsatisfiable (iii) the variables of à are common to both Á- and Á+ • If Á-ÆÁ+ is unsatisfiable, then an interpolant always exists, and can be computed from a proof of unsatisfiability of Á-ÆÁ+

  20. Craig interpolant Counterexample trace 1: assume(true); 2: LOCK = 1; old = new; 3: assume(true); 4: LOCK = 0; new++; 5: assume(new==old); 6: assume(LOCK!=1); Trace formula 1: true 2: Æ LOCK0 = 1; Æ old0 = new0; 3: Æ true; 4: Æ LOCK1 = 0; Æ new1 = new0 + 1; 5: Æ new1==old0; 6: Æ LOCK1!=1; Á- Interpolantà old0 = new0 Á+ Interpolantà old0 = new0 Interpolantà Old0 != new0 Relevant predicate 1. Implied by TF suffix 2. On common variables 3. Æ TF suffix is unsatisfiable à is a formula such that 1. Á-)à 2. à only contains common variables of Á– and Á+ 3. ÃÆÁ+ is unsatisfiable

  21. Search with new predicates(1/3) 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; LOCK = 0 2 lock() old=new 3 LOCK = 1 Ænew = old Map P’ from loc to set of predicates

  22. Search with new predicates(2/3) 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; LOCK = 0 2 lock() old=new 3 LOCK = 1 Ænew = old [T] LOCK = 1 Ænew = old 4 unlock() new++ Map P’ from loc to set of predicates LOCK = 0 Ænewold 5 [new!=old] 2 LOCK = 0Ænewold COVERED

  23. Search with new predicates(3/3) 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; LOCK = 0 2 lock() old=new 3 LOCK = 1 Ænew = old [T] LOCK = 1 Ænew = old 4 [T] unlock() new++ LOCK = 0 Ænewold LOCK = 1 Ænew = old 5 5 [new!=old] [new==old] LOCK = 1 Ænew = old 2 6 2 6 FALSE FALSE unlock() LOCK = 0Ænewold COVERED LOCK = 0 Ænew = old ret Safe!

  24. Local predicate use Local Predicate use Ex: 2n states Global Predicate use Ex: 2n states • Use predicates needed at location • #Preds. grows with program size • #Preds per location is small

  25. Experiments funlock.c is an example we covered driver.c is a Windows driver for verifying locking discipline read.c, floppy.c are drivers from Windows DDK qpmouse.c and llrw_block.c are drivers from Linux Experiments ran on 800MHz PIII with 256M RAM

  26. Conclusions • BLAST is a software model checker for verifying program written in C language • BLAST improves the scheme of CEGAR by implementing lazy abstraction • avoids redundant abstraction and checking • Predicates are locally applied and states are locally abstracted

  27. Reference The Software Model Checker Blast: Applications to Software Engineering. by Dirk Beyer, Thomas A. Henzinger, RanjitJhala, and RupakMajumdar in Int. Journal on Software Tools for Technology Transfer, 2007 Lazy abstraction by Thomas A. Henzinger, RanjitJhala, RupakMajumdar, and GrégoireSutre in ACM SIGPLAN – SIGACT Conference on Principle Of Programming Language 2000 Abstractions from Proofs by Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar and Kenneth L. McMillan in ACM SIGPLAN-SIGACT Conference on Principles of Programming Languages, 2004

  28. Reference Lazy Abstraction slides by JinseongJeon in CS750 class, Fall, 2006 Software Verification with BLAST slides by Tom Henzinger, Ranjit , RupakMajumdar in SPIN workshop 2005 tutoriaÁÃ

  29. Control Flow Automata for C programs 1 Example(){ 2 do{ 3 if (LOCK == 0) 4 LOCK=1; 5 else 6 ERROR: 7 old = new; 8 if (*){ 9 if (LOCK == 1) 10 LOCK = 0; 11 else 12 ERROR: 13 new++; 14 } 15 }while (new != old); 16 if (LOCK == 1) 17 LOCK = 0; 18 else 19 ERROR: 20 return; 21 } 3 [LOCK == 0] [LOCK != 0] 4 6 LOCK=1 Skip 7 old = new 8 [TRUE] [TRUE] 9 16 [LOCK == 1] [LOCK != 1] [LOCK != 1] [LOCK == 1] 10 12 17 19 LOCK=0 Skip LOCK=0 Skip 13 20 return 15 [new != old] ret [new == old] • Node corresponds to control location • Edge corresponds to either a basic block or an assume predicate

More Related