
Blast: Software Model Checking


Presentation Transcript


  1. Blast: Software Model Checking Tom Henzinger Ranjit Jhala Rupak Majumdar

  2. Software Model Checking
     Objective: Automatic verification of flow-sensitive temporal properties of C code using model checking.
     Approach:
     - Starting point: Counter-example driven abstraction refinement (Microsoft SLAM project).
     - Key improvement: Lazy Abstraction.

  3. Software Model Checking
     Tool: BLAST (Berkeley Lazy Abstraction Software * Tool).
     Applications:
     - Linux and NT device drivers.
     - If a bug is found, BLAST produces a counter-example; otherwise BLAST produces a succinct correctness certificate (which can be used in proof-carrying code).
     Ongoing work:
     - Race checking for multi-threaded code.
     - Automatic suggestions for bug fixes.

  4. A Brief History of Model Checking
     1980s: Theory of finite-state model checking [Clarke, Sifakis, et al.]
     1990s: Finite-state model checking penetrates the hardware industry [Intel, IBM, Motorola, Siemens, Lucent/Cadence]
            Heuristics to combat state explosion [McMillan et al.]
            Theory of infinite-state model checking
     2000s: Infinite-state model checking penetrates the software industry?
            Heuristics for automatic model extraction?

  5. The SLAM Abstract-Check-Refine Loop [Ball, Rajamani]
     Code -> Build Predicate Abstraction -> Model Check Abstraction
     The model checker yields either a Correctness Certificate or an Abstract Error Trajectory.
     Abstract Error Trajectory -> Concretize Error Trajectory -> either a Concrete Error Trajectory (a real bug) or New Predicates of Interest, which are fed back into Build Predicate Abstraction for the next round.

  6. BLAST (The Berkeley Lazy Abstraction Software * Tool)
     Same loop, with two changes: Build Predicate Abstraction, Model Check Abstraction and Concretize Error Trajectory are integrated into one pass, and the New Predicates of Interest are used to Locally Refine only the Refined Parts of the Abstraction, instead of rebuilding the whole abstraction. The outputs are as before: a Correctness Certificate or a Concrete Error Trajectory.

  7. Example

     Example () {
     1: do {
          lock ();
          old = new;
     2:   if (*) {
     3:     unlock ();
            new ++;
          }
     4: } while (new != old);
     5: unlock ();
     ?: return;
     }

     Safety specification (automaton over the lock): states U (unlocked), L (locked), E (error).
     U --lock()--> L, L --unlock()--> U; lock() in state L and unlock() in state U lead to E.

  8. Control Flow Graph (of the program on slide 7)
     1 --lock(); old = new--> 2
     2 --[T]--> 3
     2 --[T]--> 4
     3 --unlock(); new++--> 4
     4 --[new != old]--> 1
     4 --[new == old]--> 5
     5 --unlock()--> ?

  9. Abstract Reachability (no predicates yet; each node is a location with its lock-automaton state)
     1 (U) --lock(); old = new--> 2 (L) --[T]--> 3 (L) --unlock(); new++--> 4 (U) --[new == old]--> 5 (U) --unlock()--> ? (E)
     The abstraction reaches the error state E along this path.

  10. Concretize Error Trajectory
      Condition for the abstract path to be feasible, computed backwards from ? as a weakest precondition:
      1 (U): new+1 = new
      2 (L): new+1 = old
      3 (L): new+1 = old
      4 (U): new = old
      5 (U): true
      ? (E): true
      new+1 = new is unsatisfiable, so no concrete execution follows this trajectory.

  11. Concretize Error Trajectory (continued)
      Same backward conditions as on slide 10. The predicate new = old, which appears at location 4, is the relevant predicate to add for refinement.

  12. Refined Abstract Reachability (tracking the predicate new = old)
      1 (U) --lock(); old = new--> 2 (L, new = old) --[T]--> 3 (L, new = old) --unlock(); new++--> 4 (U, new ≠ old)
      4 (U, new ≠ old) --[new == old]--> 5: infeasible, pruned
      4 (U, new ≠ old) --[new != old]--> 1 (U, new ≠ old): covered by the root node 1 (U)

  13. Complete Proof Tree
      1 (U) --lock(); old = new--> 2 (L, new = old)
      2 (L, new = old) --[T]--> 3 (L, new = old) --unlock(); new++--> 4 (U, new ≠ old)
          4 (U, new ≠ old) --[new != old]--> 1 (U, new ≠ old): covered by 1 (U)
          4 (U, new ≠ old) --[new == old]--> 5: infeasible
      2 (L, new = old) --[T]--> 4 (L, new = old)
          4 (L, new = old) --[new == old]--> 5 (L, new = old) --unlock()--> ? (U, new = old)
          4 (L, new = old) --[new != old]--> 1: infeasible
      No node reaches E, so the tree is a proof that the program satisfies the lock specification.
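The loop of slides 5 through 13 (abstract reachability with predicate abstraction, concretizing the abstract error trajectory, discovering predicates from the weakest preconditions, refining, and covering) as an added, runnable example. This is my illustration, not BLAST's code and not from the slides. Assumptions: a hand-rolled solver for conjunctions of linear equalities and disequalities (exact over the rationals, which is sound for this program's ±1 coefficients but not in general), Cartesian predicate abstraction, and a refinement that restarts the reachability analysis with the enlarged predicate set, where BLAST refines only the affected subtree. The BUGGY variant (unlock() at line 3 dropped) is constructed here so that a real counterexample can be seen as well.

```python
# Abstract-check-refine loop on the lock/unlock example of slides 7-13.  Added
# illustration, not BLAST's code: Cartesian predicate abstraction over a small
# solver for linear (dis)equalities, SSA path formulas, WP predicate discovery.
from fractions import Fraction as Fr
from functools import reduce

def aff(*terms, const=0):          # affine form {var: coeff}; key "" is the constant
    d = {v: Fr(c) for v, c in terms}; d[""] = Fr(const); return d
def sub(a, b):
    return {k: a.get(k, Fr(0)) - b.get(k, Fr(0)) for k in set(a) | set(b)}
def eliminate(f, v, g):            # f with variable v replaced by the form g
    c, out = f.get(v, Fr(0)), {k: x for k, x in f.items() if k != v}
    for k, x in g.items(): out[k] = out.get(k, Fr(0)) + c * x
    return out

def sat(cons):
    """cons: list of (form, '=='|'!=') meaning form == 0 / form != 0.  Gaussian
    elimination of equalities; exact over Q, sound here (coefficients are +-1)."""
    subst = []                     # triangular list of (pivot var, form it equals)
    for f, _ in [c for c in cons if c[1] == "=="]:
        for v, g in subst: f = eliminate(f, v, g)
        vs = sorted(k for k, x in f.items() if k and x != 0)
        if not vs:
            if f.get("", 0) != 0: return False           # 0 == c with c != 0
            continue
        v = vs[0]; g = {k: -x / f[v] for k, x in f.items() if k != v}
        subst = [(w, eliminate(h, v, g)) for w, h in subst] + [(v, g)]
    for f, _ in [c for c in cons if c[1] == "!="]:
        for v, g in subst: f = eliminate(f, v, g)
        if all(x == 0 for x in f.values()): return False  # collapsed to 0 != 0
    return True

# The program of slide 7 as the CFG of slide 8, plus the lock automaton of slide 7.
NEW, OLD = aff(("new", 1)), aff(("old", 1))
T, LOCK, UNLOCK = ("assume", aff(), "=="), ("lock",), ("unlock",)   # [T] is 0 == 0
EDGES = [("1", [LOCK, ("assign", "old", NEW)], "2"),
         ("2", [T], "3"), ("2", [T], "4"),
         ("3", [UNLOCK, ("assign", "new", aff(("new", 1), const=1))], "4"),
         ("4", [("assume", sub(NEW, OLD), "!=")], "1"),
         ("4", [("assume", sub(NEW, OLD), "==")], "5"),
         ("5", [UNLOCK], "?")]
# Constructed variant (not on the slides): the unlock() at line 3 is dropped.
BUGGY = [(s, [o for o in ops if o != UNLOCK] if s == "3" else ops, d) for s, ops, d in EDGES]
SPEC = {("U", "lock"): "L", ("L", "unlock"): "U", ("L", "lock"): "E", ("U", "unlock"): "E",
        ("E", "lock"): "E", ("E", "unlock"): "E"}

def inst(form, ver):               # tag each variable with its SSA version
    return {(f"{k}#{ver[k]}" if k else ""): c for k, c in form.items()}
def encode(ops, ver, cons):        # strongest postcondition of ops as SSA constraints
    for op in ops:
        if op[0] == "assign":
            rhs = inst(op[2], ver); ver[op[1]] += 1
            cons.append((sub(inst(aff((op[1], 1)), ver), rhs), "=="))
        elif op[0] == "assume":
            cons.append((inst(op[1], ver), op[2]))
    return ver, cons

def post(reg, ops, preds):         # Cartesian predicate abstraction; None = infeasible
    v0 = {"new": 0, "old": 0}      # reg: frozenset of (predicate index, truth value)
    ver, cons = encode(ops, dict(v0), [(inst(preds[i], v0), "==" if b else "!=") for i, b in reg])
    if not sat(cons): return None
    out = set()
    for i, p in enumerate(preds):
        if not sat(cons + [(inst(p, ver), "!=")]): out.add((i, True))
        elif not sat(cons + [(inst(p, ver), "==")]): out.add((i, False))
    return frozenset(out)

def reach(edges, preds):           # abstract reachability tree with covering (slides 9, 12, 13)
    seen, stack = {}, [(("1", "U", frozenset()), [])]
    while stack:
        (loc, ls, reg), trace = stack.pop()
        if ls == "E": return "error", trace
        if any(old <= reg for old in seen.get((loc, ls), [])): continue   # covered
        seen.setdefault((loc, ls), []).append(reg)
        for src, ops, dst in reversed(edges):
            if src != loc: continue
            ls2 = reduce(lambda s, op: SPEC.get((s, op[0]), s), ops, ls)   # run the automaton
            reg2 = post(reg, ops, preds)
            if reg2 is not None: stack.append(((dst, ls2, reg2), trace + [(src, ops, dst)]))
    return "safe", seen

def norm(f):                       # canonical key of the predicate f == 0
    vs = sorted(k for k, x in f.items() if k and x != 0)
    return tuple((k, f.get(k, Fr(0)) / f[vs[0]]) for k in vs + [""]) if vs else None
def wp_atoms(ops):                 # slides 10-11: weakest preconditions along the trajectory
    acc, atoms = [], set()
    for op in reversed(ops):
        if op[0] == "assume": acc.append(op[1])
        elif op[0] == "assign": acc = [eliminate(f, op[1], op[2]) for f in acc]
        atoms |= {norm(f) for f in acc} - {None}
    return atoms

def cegar(edges, max_rounds=10):
    preds = []
    for _ in range(max_rounds):
        verdict, data = reach(edges, preds)
        if verdict == "safe": return "safe", preds
        ops = [op for _, es, _ in data for op in es]
        if sat(encode(ops, {"new": 0, "old": 0}, [])[1]): return "bug", data   # concrete trajectory
        preds += [dict(a) for a in wp_atoms(ops) - {norm(p) for p in preds}]
    return "stuck", preds
```

cegar(EDGES) first hits E along the path of slide 9, finds the path formula unsatisfiable (slide 10), extracts new = old (and new+1 = old) from the weakest preconditions, and the second round closes as on slide 13 with every node at location 1 covered by the root; cegar(BUGGY) returns the trace 1, 2, 3, 4, 1 whose second lock() is a concrete double-lock. The solver handles only equalities and disequalities because that is all this program needs; a real checker hands these queries to a theorem prover or SMT solver.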

  14. Incremental Programming
      A new loop (locations 0, 6-11) is added in front of the program of slide 7:

      Example () {
      0: if (*) {
      6:   do {
             got_lock = 0;
      7:     if (*) {
      8:       lock ();
               got_lock ++;
             }
      9:     if (got_lock) {
      10:      unlock ();
             }
      11:  } while (*);
         }
      1: do {
           lock ();
           old = new;
      2:   if (*) {
      3:     unlock ();
             new ++;
           }
      4: } while (new != old);
      5: unlock ();
      ?: return;
      }

  15. Incremental Model Checking
      The new entry node 0 (U) has [T] edges to 1 (U), the root of the old proof tree, and to 6 (U), the root of the new loop. Only the part of the tree under 6 is refined, using different predicates (over got_lock); the old proof tree stays as it is.

  16. Incremental Model Checking
      The old proof tree is reused: the node 1 (U, got_lock ≠ 0) reached after the new loop is covered by the old node 1 (U), so its subtree is not explored again.

  17. Experiments with BLAST

      Program              LOC     Total   Active   Total      Pred. Disc.   Proof Size
                                   Preds   Preds    Time (s)   Time (s)      (bytes)
      Linux lock spec (3 states)
      ide.c                18131     5       5         4.5        0.01          253
      qpmouse.c            23539     2       2         0.5        0.01          179
      aha152x.c            17736     2       2        20.93       0.03            -
      tlan.c               16506     5       4       428.63     403.33            -
      Windows DDK IRP spec (22 states)
      cdaudio.c            17798    85      45      1398        540          156787
      floppy.c             17386    62      37      2086       1565             -
      floppy.c [fixed]              93      44       395         17           60129
      kbfilter.c           12131    54      40        64          5             -
      (same program)                48      35       256        165             -
      kbfilter.c [fixed]            37      34        10          0.38         7619
      mouclass.c           17372    57      46        54          3.34          -
      parport.c            61781   193      50      1980        519          102967

      Rows without a program name continue the program above (the slide merges those cells). A "-" in the proof-size column means no certificate was produced for that run; given slide 3 and the [fixed] rows that do have certificates, those runs ended in a counter-example rather than a proof.
