Presentation is loading. Please wait.

Presentation is loading. Please wait.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

Published byDerek Chandler Modified over 9 years ago

Similar presentations

Presentation on theme: "BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser."— Presentation transcript:

1 BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser University) Presented by Sowmya Venkateswaran

2 BLAST Installation Currently version 2.0 src files available. http://mtc.epfl.ch/software-tools/blast /http://mtc.epfl.ch/software-tools/blast / Installation –Download Simplify theorem prover http://www.cs.virginia.edu/~weimer/615/hw.ht ml http://www.cs.virginia.edu/~weimer/615/hw.ht ml –Either build from src files or use Linux binaries. –A “working” example configuration for compiling Blast 2.0 is OCaml 3.08.3 and gcc (GCC) 3.4.4 20050721 (Red Hat 3.4.4-2).

3 Features  “On the Fly” Abstraction  Automatic abstraction  Smarter predicate discovery  Verify safety properties, assertion violations  Finding reachable program locations  Detecting dead code  Reuse saved abstractions

4 Problems  Installing and making it work  Predicate discovery not good enough.  Checking concurrent programs  Eclipse plugin  Checking recursive functions

5 BLAST working Build an abstract model using predicate abstraction. Check for reachability of a specified label using the abstract model. If no path to ERR node-system safe. If path is feasible, output error trace. Else use infeasibility of path to refine abstract model.

6 BLAST working CIL Infrastructure C ProgramProperty spec.opt Instrumented C file with error label Lazy Abstraction CFA Forward Search Phase ART Error node unreachable; program safe Backward counterexample analysis Refine Add Predicates

7 Problem: Abstraction is expensive # of abstract states=2 # of predicates Solution 1: Only abstract reachable states Solution 2: Don’t refine any error free states Advantages: –State space only refined as much as required. –Reuse previously defined error free states.

8 Lazy Abstraction Integrate the following –Abstraction –Verification –Counterexample-driven refinement Find pivot state. Construct, verify and refine abstract model “on the fly” from pivot state on. Forward Search Phase and Backward Counterexample analysis. Stop when either real counterexample found or system found safe

9 Locking example

10 Control Flow Automaton Local and global variables of C program Vertices: control locations of a function. Labeled directed edges –Basic block of instructions. –Assume predicate for branch condition. Formally, CFA is a tuple –Q- finite set of control locations –q 0 -initial control location –X- set of variables –Ops- set of operations on X (lval=exp or [p]) –→ ∈ (Q x Ops x Q)

11 Control Flow Automaton

12 Forward Search Phase Abstract reachability tree in dfs order. Constructed from CFA. Vertices in CFA are nodes in ART. Labels of nodes are reachable regions. Reachable region obtained from parent’s reachable region and instructions on the edge between them. Finite set of predicates per node. Reachable region is a boolean combination of set of predicates

13 Forward Search for locking example 1 LOCK=0 2 [T] LOCK=0 lock() old=new 3 LOCK=1 4 [T] LOCK=1 5 unlock() new++ LOCK=0 [new=old] 6LOCK=0 unlock() ERRLOCK=0 Is this a valid counterexample??

14 Weakest Precondition WP(P,Op) –weakest formula P` s.t. if P` is T before Op, then P is T after Op Assign x=e P P [e / x ] new+1=old new=new + 1 new=old

15 Weakest Precondition WP(P,Op) –weakest formula P` s.t. if P` is T before Op, then P is T after Op Assume [C] P C ^ P new = old [ new=old ] new=old

16 Backward Counterexample Analysis For each tree node, find a bad region. Bad region of ERR node=T Other nodes=WP of bad region of child w.r.t instructions on edge between the 2. Start from ERR node Pivot node - First node in the tree where Bad region ∩ Reachable region=φ Refine abstraction from pivot node onwards

17 Counter example analysis for locking program 1 LOCK=0 2 [T] LOCK=0 lock() old=new 3 LOCK=1 4 [T] LOCK=1 5 unlock() new++ LOCK=0 [new=old] 6LOCK=0 unlock() ERRLOCK=0 {LOCK=0} { LOCK=0 & new=old } { LOCK=1 & new+1=old } { LOCK=0 & new+1=new } {T}

18 Searching with new predicate new=old 1 LOCK=0 2 [T] LOCK=0 3 LOCK=1 & new=old 4 5LOCK=0& !new=old 26 5 26 [T] [new!=old] LOCK=1 & new=old [new=old] RET unlock() LOCK=0 & new=old False LOCK=0 Program Safe!!

19 Finding Predicates Problem: How many predicates to find? # of predicates grows with program size 2 n abstract states!! p1 p2 pn Solution: Use predicates only where needed 2n abstract states

20 Counter example Traces 1:x=ctr; 2:ctr=ctr+1; 3:y=ctr; 4: if (x=i-1) { 5: if (y!=i){ ERROR; }} 1: x=ctr; 2: ctr=ctr+1; 3: y=ctr; 4: assume (x=i-1) 5: assume (y!=i) Theorem: Trace formula is satisfiable iff trace is feasible. Counter example trace Sample program 1:x 1 =ctr 0 2:ctr 1 =ctr 0 +1 3:y 1 =ctr 1 4:x 1 =i 0 -1 5:y 1 !=i 0 Trace Formula φ Trace formula is a conjunction of constraints, one per instruction in the trace.

21 Steps in Refine Stage Counter example trace Trace formula Proof of Unsatisfiability Theorem Prover Interpolate Predicate Map

22 Finding what predicates are needed 1: x=ctr; 2: ctr=ctr+1; 3: y=ctr; 4: assume (x=i-1) 5: assume (y!=i) 1:x 1 =ctr 0 2:ctr 1 =ctr 0 +1 3:y 1 =ctr 1 4:x 1 =i 0 -1 5:y 1 !=i 0 What predicate is needed for trace to become infeasible TraceTrace Formula Given an infeasible trace t, find a set of predicates P, such that t is abstractly infeasible w.r.t P.

23 Partition φ into φ - (trace prefix) and φ + (trace suffix) Find an interpolant Ψ s.t –φ - implies Ψ –Ψ ^ φ + is unsatisfiable. –The variables of Ψ are common to both φ - and φ + Use interpolant to construct predicate map. Finding what predicates are needed

24 Interpolant = Predicate 1:x 1 =ctr 0 2:ctr 1 =ctr 0 +1 3:y 1 =ctr 1 4:x 1 =i 0 -1 5:y 1 !=i 0 Trace Formula φ-φ- φ+φ+ Interpolate φ Predicate at 4: y=x+1 Predicate is..implied by Trace formula prefix..on common variables..makes Trace Formula suffix unfeasible x1x1 y1y1 y1y1 x1x1

25 Finding predicate map Partition at each point Interpolate at each partition Construct predicate map pc i  Interpolant from partition i TraceTrace Formula 1: x=ctr; 2: ctr=ctr+1; 3: y=ctr; 4: assume (x=i-1) 5: assume (y!=i) 1:x 1 =ctr 0 2:ctr 1 =ctr 0 +1 3:y 1 =ctr 1 4:x 1 =i 0 -1 5:y 1 !=i 0 φ-φ- φ+φ+ Interpolate x 1 =ctr 0 Predicate Map 2: x 1 =ctr 0

26 Partition at each point Interpolate at each partition Construct predicate map pc i  Interpolant from partition i TraceTrace Formula 1: x=ctr; 2: ctr=ctr+1; 3: y=ctr; 4: assume (x=i-1) 5: assume (y!=i) 1:x 1 =ctr 0 2:ctr 1 =ctr 0 +1 3:y 1 =ctr 1 4:x 1 =i 0 -1 5:y 1 !=i 0 φ-φ- φ+φ+ Interpolate x 1 =ctr 1 -1 Predicate Map 2: x 1 =ctr 0 3: x 1 =ctr 1 -1 Finding predicate map

27 Partition at each point Interpolate at each partition Construct predicate map pc i  Interpolant from partition i TraceTrace Formula 1: x=ctr; 2: ctr=ctr+1; 3: y=ctr; 4: assume (x=i-1) 5: assume (y!=i) 1:x 1 =ctr 0 2:ctr 1 =ctr 0 +1 3:y 1 =ctr 1 4:x 1 =i 0 -1 5:y 1 !=i 0 φ-φ- φ+φ+ Interpolate y 1 =x 1 +1 Predicate Map 2: x 1 =ctr 0 3: x 1 =ctr 1 -1 4: y 1 =x 1 +1

28 Finding predicate map Partition at each point Interpolate at each partition Construct predicate map pc i  Interpolant from partition i TraceTrace Formula 1: x=ctr; 2: ctr=ctr+1; 3: y=ctr; 4: assume (x=i-1) 5: assume (y!=i) 1:x 1 =ctr 0 2:ctr 1 =ctr 0 +1 3:y 1 =ctr 1 4:x 1 =i 0 -1 5:y 1 !=i 0 φ-φ- φ+φ+ Interpolate y 1 =i 0 Predicate Map 2: x 1 =ctr 0 3: x 1 =ctr 1 -1 4: y 1 =x 1 +1 5: y 1 =i 0

29 BLAST Specification language Include directives Global variables Shadowed types Events –Pattern –Guard –Action/Repair –Before/After

30 References “Abstractions from Proofs”-Thomas.H et al. “The Blast query language for software verification”- Dirk Beyer et al. “Lazy Abstraction”-Gregoire Sutre et al.

Download ppt "BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.

Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani Simon Fraser University (Spring 09) Presentation By: Pashootan.

By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani Simon Fraser University (Spring 09) Presentation By: Pashootan.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Introducing BLAST Software Verification John Gallagher CS4117.

Introducing BLAST Software Verification John Gallagher CS4117.
Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.

Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.
Proofs and Counterexamples Rupak Majumdar. In the good old days… Decision Procedure  yes no.

Proofs and Counterexamples Rupak Majumdar. In the good old days… Decision Procedure  yes no.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
Permissive Interfaces Tom Henzinger Ranjit Jhala Rupak Majumdar.

Permissive Interfaces Tom Henzinger Ranjit Jhala Rupak Majumdar.
Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.

Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.
Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley.

Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley.
Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.

Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.

Similar presentations

Ads by Google