Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lazy Predicate Abstraction in BLAST John Gallagher CS4117.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Lazy Predicate Abstraction in BLAST John Gallagher CS4117."— Presentation transcript:

1 Lazy Predicate Abstraction in BLAST John Gallagher CS4117

2 BLAST from the Past To quickly rehash my last presentation a few points on Blast. BLAST is a model checker. It can usually verify that software satisfies certain safety properties. BLAST converts safety specifications into reachabililty problems: can an unsafe state be reached in execution. Analysis conducted using Control Flow Automata, Abstract Reachability Trees, Predicate Formulae

3 A Safe C Program #include "assert.h" int main() { int i, x, y, ctr; int i, x, y, ctr; x = ctr; x = ctr; ctr = ctr + 1; ctr = ctr + 1; y = ctr; y = ctr; if (x == i) { if (x == i) { assert (y == i + 1); assert (y == i + 1); }} Main() x=ctr ctr=ctr+1 y=ctr x==i y==i+1y!=i+1 Error x!=i

4 The Problem Simulating real execution explodes the state space exponentially when trying to determine feasible paths. Abstraction is expensive, because reachability problem requires SAT invocation. Given n abstract predicates, 2 n abstract states. Lazily find important predicates!

5 The Approach #include "assert.h" int main() { int i, x, y, ctr; int i, x, y, ctr; x = ctr; x = ctr; ctr = ctr + 1; ctr = ctr + 1; y = ctr; y = ctr; if (x == i) { if (x == i) { assert (y == i + 1); assert (y == i + 1); }} How much information needs to be kept about the state? How many instructions need to be evaluated to ensure safety/show safety violation?

6 The Approach Make a cut-point in the code. Given current values for variables from above point, which ones show that the rest of the path to the error state is infeasible? A Craig Interpolant may help if (x == i) { assert (y == i + 1); assert (y == i + 1); } x = ctr; x = ctr; ctr = ctr + 1; ctr = ctr + 1; y = ctr; y = ctr;

7 Craig Interpolants First, we must convert the state of the program into FOPL. x=ctr ^ ctr 1 =ctr+1 ^ y=ctr 1 above the cut. Below the cut, x==i ^ y != i+1. By conjoining the two formulas (call them A and B) satisfiability can determined. This answers the question, from my state above the cut, can I get to a certain state below? These will be our FOPL formulas A and B. If A ^ B is unsatisfiable, there exists a Craig interpolant C such that A → C and B ^ C is unsatisfiable, which gives at least one answer to the question, why can’t I reach the state below?

8 Interpolants in Action The FOPL formula x=ctr ^ ctr 1 =ctr+1 ^ y=ctr 1 ^ x==i ^ y != i+1 is inconsistent. This means that given what we know at the current cut point. BLAST’s interpolation procedure returns y==x+1. The interpolant generation is complex, but SAT solving through reduction is a good start. Investigate here. here if (x == i) { assert (y == i + 1); assert (y == i + 1); } x = ctr; x = ctr; ctr = ctr + 1; ctr = ctr + 1; y = ctr; y = ctr;

9 So… What? Finding an interpolant in this trivial example did not help much. On big programs, it helps reduce the number of predicates used in the state tremendously. Last presentation’s Abstract Reachability Tree (the graphical representation of the predicate states and transitions) was cramped and that example had four lines of C.

10 So… What? By being able to weed out the important predicates to track, BLAST is fairly scalable. Here is some data presented at the SPIN 2005 Conference. ProgramLines pre- processed Time (mins) Predicates Total Average kbfiltr 12k3726.5 floppy 17k252407.7 diskprf 14k1314010 cdaudio 18k232567.8 parport 61k747538.1 parclss 138k773827.2

11 Questions?

12 References http://mtc.epfl.ch/software-tools/blast/ Software Verification with BLAST (PPT) Software Verification with BLAST (PPT) Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar. Software Verification with BLAST (PPT) Interpolation for data structures Interpolation for data structures Kapur, D., Majumdar, R., and Zarba, C. G. 2006. Interpolation for data structures. In Proceedings of the 14th ACM SIGSOFT international Symposium on Foundations of Software Engineering (Portland, Oregon, USA, November 05 - 11, 2006). Interpolation for data structures Applications of Craig Interpolants in Model Checking Applications of Craig Interpolants in Model Checking K. L. McMillan, TACAS 2005: 1-12 Applications of Craig Interpolants in Model Checking

Download ppt "Lazy Predicate Abstraction in BLAST John Gallagher CS4117."

Similar presentations

50.530: Software Engineering

50.530: Software Engineering
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.

Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Introducing BLAST Software Verification John Gallagher CS4117.

Introducing BLAST Software Verification John Gallagher CS4117.
Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.

Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.

ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.
Proofs and Counterexamples Rupak Majumdar. In the good old days… Decision Procedure  yes no.

Proofs and Counterexamples Rupak Majumdar. In the good old days… Decision Procedure  yes no.
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.

Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.

Similar presentations

Ads by Google