Download presentation
Presentation is loading. Please wait.
1
The software model checker BLAST Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar Presented by Yunho Kim TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AA
2
2 / 28 Overview Predicate abstraction is successfully applied to software model checking Infinite concrete states ! finite abstract states Tools: SLAM(MSR), BLAST(UCB), SATABS(CMU) Cost for abstraction is still too high O( 2 # preds ) abstract states We need to abstract and refine locally, not globally Blast proposed Lazy abstraction Craig interpolation-based refinement Yunho Kim@ pswlab The software model checker BLAST
3
3 / 28 Contents Part I. Software Model Checking Program behavior Predicate abstraction Counterexample-guided abstraction refinement Part II. BLAST Abstraction and model checking Craig interpolation-based refinement Yunho Kim@ pswlab The software model checker BLAST
4
4 / 28 Behavior of program Behavior of program can be modeled as a state transition graph Yunho Kim@ pswlab The software model checker BLAST 23 23 456 456 23456 23 State Transition 1: Example() { 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; } 1: Example() { 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; } pc 2 old 1 new 2 lock 0 pc 3 old 2 new 2 lock 1 lock(); old = new; R R R 5 5 E E E State ………… 5 5 5
5
5 / 28 The safety verification Is there a path from an initial to an error state ? Yunho Kim@ pswlab The software model checker BLAST 23 23 456 456 23456 R R R 5 5 E E E Initial states Error states ………… 5 5 5
6
6 / 28 Abstract behavior of program Equivalent states satisfy same predicates and have same control location They are merged into one abstract state Yunho Kim@ pswlab The software model checker BLAST 23 23 456 456 23456 R R R 5 5 E E E ………… 23 State Transition pc 2 old 1 new 2 new 0 pc 3 old 2 new 2 new 1 lock(); old = new; pc 2 p1 : p2 pc 3 : p p2 Abs. state Abs. transition lock(); old = new; p1, (lock = 0) p2, (lock = 1) LOCK = 0 LOCK = 1 LOCK = 0 LOCK = 1 LOCK = 0 5 5 5
7
7 / 28 Over-approximation If there exists a transition between s 1 and s 2, then also there exists a transition between abstract state of s 1 and s 2 Yunho Kim@ pswlab The software model checker BLAST 23 23 456 456 23456 R R R 5 5 E E E ………… LOCK = 0 LOCK = 1 LOCK = 0 LOCK = 1 LOCK = 0 5 5 5
8
8 / 28 CEGAR CounterExample-Guided Abstraction Refinement Yunho Kim@ pswlab The software model checker BLAST Lazy abstraction Craig interpolation- based Refinement Feasible? C program P Spec φ Infeasible path ERROR + counterexample OK Error trace New predicate
9
9 / 28 Part II. BLAST Abstraction and model checking Craig interpolation-based refinement Yunho Kim@ pswlab The software model checker BLAST
10
10 / 28 A locking example Yunho Kim@ pswlab The software model checker BLAST lock() { if (LOCK == 0) { LOCK = 1; } else { ERROR } unlock() { if (LOCK == 1) { LOCK = 0; } else { ERROR } lock unlock 1: Example() { 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; }
11
11 / 28 Control Flow Automata for C programs Yunho Kim@ pswlab The software model checker BLAST 1: Example() { 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; } 2 3 4 5 6 ret [T] [new!=old] [new==old] lock() old=new unlock() new++ unlock() Node corresponds to control location Edge corresponds to either a basic block or an assume predicate
![11 / 28 Control Flow Automata for C programs Yunho pswlab The software model checker BLAST 1: Example() { 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; } ret [T] [new!=old] [new==old] lock() old=new unlock() new++ unlock() Node corresponds to control location Edge corresponds to either a basic block or an assume predicate](http://images.slideplayer.com/42/11335477/slides/slide_11.jpg "11 / 28 Control Flow Automata for C programs Yunho pswlab The software model checker BLAST 1: Example() { 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; } ret [T] [new!=old] [new==old] lock() old=new unlock() new++ unlock() Node corresponds to control location Edge corresponds to either a basic block or an assume predicate")
12
12 / 28 Reachability tree Yunho Kim@ pswlab The software model checker BLAST 5 6 2 3 4 Unroll Abstraction 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off Find infeasible trace - Learn new predicates - Rebuild subtree with new preds. Initial
13
13 / 28 Forward search(1/4) Yunho Kim@ pswlab The software model checker BLAST 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; Map P from Loc to set of predicates Reachability Tree 2 LOCK = 0 LocationPredicates 2LOCK = 0, LOCK = 1 3 4 5 6 Each tree node corresponds to control location and labeled with reachable region Edge corresponds to either a basic block or an assume predicate
14
14 / 28 Forward search(2/4) Yunho Kim@ pswlab The software model checker BLAST 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; Reachability Tree 2 3 lock() old=new LOCK = 0 LOCK = 1 Map P from Loc to set of predicates LocationPredicates 2LOCK = 0, LOCK = 1 3 4 5 6 Compute successors where op = ‘x:=e’ and Loc is successors’ program counter SP(Á, x:=e) = Á [x’/x] Æ (x = e[x’/x]) SP(Á, x:=e) w.r.t. P(Loc) = Ã s.t. (1) SP(Á, x:=e) ) Ã (2) Ã is a boolean combination of P(Loc)
![14 / 28 Forward search(2/4) Yunho pswlab The software model checker BLAST 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; Reachability Tree 2 3 lock() old=new LOCK = 0 LOCK = 1 Map P from Loc to set of predicates LocationPredicates 2LOCK = 0, LOCK = Compute successors where op = ‘x:=e’ and Loc is successors’ program counter SP(Á, x:=e) = Á [x’/x] Æ (x = e[x’/x]) SP(Á, x:=e) w.r.t.](http://images.slideplayer.com/42/11335477/slides/slide_14.jpg "P(Loc) = Ã s.t. (1) SP(Á, x:=e) ) Ã (2) Ã is a boolean combination of P(Loc).")
15
15 / 28 Forward search(3/4) Yunho Kim@ pswlab The software model checker BLAST 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; 2 3 4 lock() old=new LOCK = 0 LOCK = 1 [T] LOCK = 1 Reachability Tree Map P from Loc to set of predicates LocationPredicates 2LOCK = 0, LOCK = 1 3 4 5 6 Compute successors where op = ‘[pred]’ and Loc is successors’ program counter SP(Á, [pred]) = Á Æ [pred] SP(Á, [pred]) w.r.t. P(Loc) = Ã s.t. (1) SP(Á, [pred]) ) Ã (2) Ã is a boolean combination of P(Loc)
![15 / 28 Forward search(3/4) Yunho pswlab The software model checker BLAST 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; lock() old=new LOCK = 0 LOCK = 1 [T] LOCK = 1 Reachability Tree Map P from Loc to set of predicates LocationPredicates 2LOCK = 0, LOCK = Compute successors where op = ‘[pred]’ and Loc is successors’ program counter SP(Á, [pred]) = Á Æ [pred] SP(Á, [pred]) w.r.t.](http://images.slideplayer.com/42/11335477/slides/slide_15.jpg "P(Loc) = Ã s.t. (1) SP(Á, [pred]) ) Ã (2) Ã is a boolean combination of P(Loc).")
16
16 / 28 Forward search(4/4) Yunho Kim@ pswlab The software model checker BLAST 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; Reachability Tree 2 3 4 5 6 err lock() old=new LOCK = 0 LOCK = 1 [T] unlock() new++ LOCK = 1 LOCK = 0 [new==old] unlock() LOCK = 0 Map P from Loc to set of predicates LocationPredicates 2LOCK = 0, LOCK = 1 3 4 5 6 Counterexample trace 1: assume(true); 2: lock = 1; old = new; 3: assume(true); 4: lock = 0; new++; 5: assume(new==old); 6: assume(LOCK!=1);
![16 / 28 Forward search(4/4) Yunho pswlab The software model checker BLAST 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; Reachability Tree err lock() old=new LOCK = 0 LOCK = 1 [T] unlock() new++ LOCK = 1 LOCK = 0 [new==old] unlock() LOCK = 0 Map P from Loc to set of predicates LocationPredicates 2LOCK = 0, LOCK = Counterexample trace 1: assume(true); 2: lock = 1; old = new; 3: assume(true); 4: lock = 0; new++; 5: assume(new==old); 6: assume(LOCK!=1);](http://images.slideplayer.com/42/11335477/slides/slide_16.jpg "16 / 28 Forward search(4/4) Yunho pswlab The software model checker BLAST 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; Reachability Tree err lock() old=new LOCK = 0 LOCK = 1 [T] unlock() new++ LOCK = 1 LOCK = 0 [new==old] unlock() LOCK = 0 Map P from Loc to set of predicates LocationPredicates 2LOCK = 0, LOCK = Counterexample trace 1: assume(true); 2: lock = 1; old = new; 3: assume(true); 4: lock = 0; new++; 5: assume(new==old); 6: assume(LOCK!=1);")
17
17 / 28 Feasibility checking Yunho Kim @ pswlab Lazy Abstraction Counterexample trace 1: assume(true); 2: LOCK = 1; old = new; 3: assume(true); 4: LOCK = 0; new++; 5: assume(new==old); 6: assume(LOCK!=1); SSA form 1: assume(true); 2: LOCK 0 = 1; old 0 = new 0 ; 3: assume(true); 4: LOCK 1 = 0; new 1 = new 0 + 1; 5: assume(new 1 ==old 0 ); 6: assume(LOCK 1 !=1); Trace formula 1: true 2: Æ LOCK 0 = 1; Æ old 0 = new 0 ; 3: Æ true; 4: Æ LOCK 1 = 0; Æ new 1 = new 0 + 1; 5: Æ new 1 ==old 0 ; 6: Æ LOCK 1 !=1; Trace is feasible Trace formula is satisfiable
18
18 / 28 Which predicate is needed? Yunho Kim @ pswlab Lazy Abstraction Counterexample trace 1: assume(true); 2: LOCK = 1; old = new; 3: assume(true); 4: LOCK = 0; new++; 5: assume(new==old); 6: assume(LOCK!=1); Trace formula 1: true 2: Æ LOCK 0 = 1; Æ old 0 = new 0 ; 3: Æ true; 4: Æ LOCK 1 = 0; Æ new 1 = new 0 + 1; 5: Æ new 1 ==old 0 ; 6: Æ LOCK 1 !=1; Relevant information 1. Can be obtained after executing trace 2. has present values of variables 3. Makes trace suffix infeasible Relevant predicate 1. Implied by TF preffix 2. On common variables 3. TF suffix is unsatisfiable
19
19 / 28 Craig interpolant Given a pair (Á -, Á + ) of formulas, an interpolant for (Á -, Á + ) is a formula à such that (i) Á - ) à (ii) Ã Æ Á + is unsatisfiable (iii) the variables of à are common to both Á - and Á + If Á - Æ Á + is unsatisfiable, then an interpolant always exists, and can be computed from a proof of unsatisfiability of Á - Æ Á + Yunho Kim@ pswlab The software model checker BLAST
20
20 / 28 Craig interpolant Yunho Kim @ pswlab Lazy Abstraction Counterexample trace 1: assume(true); 2: LOCK = 1; old = new; 3: assume(true); 4: LOCK = 0; new++; 5: assume(new==old); 6: assume(LOCK!=1); Trace formula 1: true 2: Æ LOCK 0 = 1; Æ old 0 = new 0 ; 3: Æ true; 4: Æ LOCK 1 = 0; Æ new 1 = new 0 + 1; 5: Æ new 1 ==old 0 ; 6: Æ LOCK 1 !=1; Relevant predicate 1. Implied by TF suffix 2. On common variables 3. Æ TF suffix is unsatisfiable Á-Á- Á+Á+ Interpolant à old 0 = new 0 à is a formula such that 1. Á - ) à 2. à only contains common variables of Á – and Á + 3. Ã Æ Á + is unsatisfiable Interpolant à old 0 = new 0 Interpolant à Old 0 != new 0
21
21 / 28 Search with new predicates(1/3) Yunho Kim @ pswlab Lazy Abstraction 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; 2 3 lock() old=new LOCK = 0 LOCK = 1 Æ new = old Map P’ from loc to set of predicates LocationPredicates 2LOCK = 0, LOCK = 1, 3LOCK = 0, LOCK = 1, old = new 4 5LOCK = 0, LOCK = 1, old != new 6LOCK = 0, LOCK = 1
22
22 / 28 Search with new predicates(2/3) Yunho Kim @ pswlab Lazy Abstraction 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; 2 3 4 5 lock() old=new LOCK = 0 LOCK = 1 Æ new = old [T] unlock() new++ LOCK = 1 Æ new = old LOCK = 0 Æ new old 2 [new!=old] LOCK = 0 Æ new old COVERED Map P’ from loc to set of predicates LocationPredicates 2LOCK = 0, LOCK = 1, 3LOCK = 0, LOCK = 1, old = new 4 5LOCK = 0, LOCK = 1, old != new 6LOCK = 0, LOCK = 1
![22 / 28 Search with new predicates(2/3) Yunho pswlab Lazy Abstraction 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; lock() old=new LOCK = 0 LOCK = 1 Æ new = old [T] unlock() new++ LOCK = 1 Æ new = old LOCK = 0 Æ new old 2 [new!=old] LOCK = 0 Æ new old COVERED Map P’ from loc to set of predicates LocationPredicates 2LOCK = 0, LOCK = 1, 3LOCK = 0, LOCK = 1, old = new 4 5LOCK = 0, LOCK = 1, old != new 6LOCK = 0, LOCK = 1](http://images.slideplayer.com/42/11335477/slides/slide_22.jpg "22 / 28 Search with new predicates(2/3) Yunho pswlab Lazy Abstraction 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; lock() old=new LOCK = 0 LOCK = 1 Æ new = old [T] unlock() new++ LOCK = 1 Æ new = old LOCK = 0 Æ new old 2 [new!=old] LOCK = 0 Æ new old COVERED Map P’ from loc to set of predicates LocationPredicates 2LOCK = 0, LOCK = 1, 3LOCK = 0, LOCK = 1, old = new 4 5LOCK = 0, LOCK = 1, old != new 6LOCK = 0, LOCK = 1")
23
23 / 28 Search with new predicates(3/3) Yunho Kim @ pswlab Lazy Abstraction 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; 2 3 4 5 6 lock() old=new LOCK = 0 LOCK = 1 Æ new = old [T] unlock() new++ LOCK = 1 Æ new = old LOCK = 0 Æ new old FALS E 2 [new!=old] LOCK = 0 Æ new old COVERED 5 [T] LOCK = 1 Æ new = old 26 [new==old] FALS E LOCK = 1 Æ new = old ret unlock() LOCK = 0 Æ new = old Safe!
![23 / 28 Search with new predicates(3/3) Yunho pswlab Lazy Abstraction 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; lock() old=new LOCK = 0 LOCK = 1 Æ new = old [T] unlock() new++ LOCK = 1 Æ new = old LOCK = 0 Æ new old FALS E 2 [new!=old] LOCK = 0 Æ new old COVERED 5 [T] LOCK = 1 Æ new = old 26 [new==old] FALS E LOCK = 1 Æ new = old ret unlock() LOCK = 0 Æ new = old Safe!](http://images.slideplayer.com/42/11335477/slides/slide_23.jpg "23 / 28 Search with new predicates(3/3) Yunho pswlab Lazy Abstraction 2: do { lock(); old = new; 3: if (*) { 4: unlock(); new++; } 5: } while (new != old); 6: unlock(); return; lock() old=new LOCK = 0 LOCK = 1 Æ new = old [T] unlock() new++ LOCK = 1 Æ new = old LOCK = 0 Æ new old FALS E 2 [new!=old] LOCK = 0 Æ new old COVERED 5 [T] LOCK = 1 Æ new = old 26 [new==old] FALS E LOCK = 1 Æ new = old ret unlock() LOCK = 0 Æ new = old Safe!")
24
24 / 28 Local predicate use Use predicates needed at location #Preds. grows with program size #Preds per location is small Yunho Kim @ pswlab Lazy Abstraction Local Predicate use Ex: 2n states Global Predicate use Ex: 2 n states
25
25 / 28 Experiments funlock.c is an example we covered driver.c is a Windows driver for verifying locking discipline read.c, floppy.c are drivers from Windows DDK qpmouse.c and llrw_block.c are drivers from Linux Experiments ran on 800MHz PIII with 256M RAM Yunho Kim @ pswlab Lazy Abstraction
26
26 / 28 Conclusions BLAST is a software model checker for verifying program written in C language BLAST improves the scheme of CEGAR by implementing lazy abstraction avoids redundant abstraction and checking Predicates are locally applied and states are locally abstracted Yunho Kim @ pswlab Lazy Abstraction
27
27 / 28 Reference The Software Model Checker Blast: Applications to Software Engineering. by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar in Int. Journal on Software Tools for Technology Transfer, 2007 Lazy abstraction by Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Gr é goire Sutre in ACM SIGPLAN – SIGACT Conference on Principle Of Programming Language 2000 Abstractions from Proofs by Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar and Kenneth L. McMillan in ACM SIGPLAN-SIGACT Conference on Principles of Programming Languages, 2004 Yunho Kim @ pswlab Lazy Abstraction
28
28 / 28 Reference Lazy Abstraction slides by Jinseong Jeon in CS750 class, Fall, 2006 Software Verification with BLAST slides by Tom Henzinger, Ranjit, Rupak Majumdar in SPIN workshop 2005 tutoria Á Ã Yunho Kim @ pswlab Lazy Abstraction
29
29 / 28 Control Flow Automata for C programs Yunho Kim@ pswlab The software model checker BLAST 3 4 ret 6 [LOCK == 0][LOCK != 0] LOCK=1 Skip Node corresponds to control location Edge corresponds to either a basic block or an assume predicate 1 Example(){ 2 do{ 3 if (LOCK == 0) 4 LOCK=1; 5 else 6 ERROR: 7 old = new; 8 if (*){ 9 if (LOCK == 1) 10 LOCK = 0; 11 else 12 ERROR: 13 new++; 14 } 15 }while (new != old); 16 if (LOCK == 1) 17 LOCK = 0; 18 else 19 ERROR: 20 return; 21 } 7 8 old = new 9 1012 [LOCK == 1][LOCK != 1] 13 LOCK=0 Skip 15 [new != old] [TRUE] 16 1719 [LOCK == 1] [LOCK != 1] LOCK=0 Skip 20 return [new == old]
![29 / 28 Control Flow Automata for C programs Yunho pswlab The software model checker BLAST 3 4 ret 6 [LOCK == 0][LOCK != 0] LOCK=1 Skip Node corresponds to control location Edge corresponds to either a basic block or an assume predicate 1 Example(){ 2 do{ 3 if (LOCK == 0) 4 LOCK=1; 5 else 6 ERROR: 7 old = new; 8 if (*){ 9 if (LOCK == 1) 10 LOCK = 0; 11 else 12 ERROR: 13 new++; 14 } 15 }while (new != old); 16 if (LOCK == 1) 17 LOCK = 0; 18 else 19 ERROR: 20 return; 21 } 7 8 old = new [LOCK == 1][LOCK != 1] 13 LOCK=0 Skip 15 [new != old] [TRUE] [LOCK == 1] [LOCK != 1] LOCK=0 Skip 20 return [new == old]](http://images.slideplayer.com/42/11335477/slides/slide_29.jpg "29 / 28 Control Flow Automata for C programs Yunho pswlab The software model checker BLAST 3 4 ret 6 [LOCK == 0][LOCK != 0] LOCK=1 Skip Node corresponds to control location Edge corresponds to either a basic block or an assume predicate 1 Example(){ 2 do{ 3 if (LOCK == 0) 4 LOCK=1; 5 else 6 ERROR: 7 old = new; 8 if (*){ 9 if (LOCK == 1) 10 LOCK = 0; 11 else 12 ERROR: 13 new++; 14 } 15 }while (new != old); 16 if (LOCK == 1) 17 LOCK = 0; 18 else 19 ERROR: 20 return; 21 } 7 8 old = new [LOCK == 1][LOCK != 1] 13 LOCK=0 Skip 15 [new != old] [TRUE] [LOCK == 1] [LOCK != 1] LOCK=0 Skip 20 return [new == old]")
Similar presentations
