Lazy Predicate Abstraction in BLAST John Gallagher CS4117

BLAST from the Past To quickly rehash my last presentation a few points on Blast. BLAST is a model checker. It can usually verify that software satisfies certain safety properties. BLAST converts safety specifications into reachabililty problems: can an unsafe state be reached in execution. Analysis conducted using Control Flow Automata, Abstract Reachability Trees, Predicate Formulae

A Safe C Program #include "assert.h" int main() { int i, x, y, ctr; int i, x, y, ctr; x = ctr; x = ctr; ctr = ctr + 1; ctr = ctr + 1; y = ctr; y = ctr; if (x == i) { if (x == i) { assert (y == i + 1); assert (y == i + 1); }} Main() x=ctr ctr=ctr+1 y=ctr x==i y==i+1y!=i+1 Error x!=i

The Problem Simulating real execution explodes the state space exponentially when trying to determine feasible paths. Abstraction is expensive, because reachability problem requires SAT invocation. Given n abstract predicates, 2 n abstract states. Lazily find important predicates!

The Approach #include "assert.h" int main() { int i, x, y, ctr; int i, x, y, ctr; x = ctr; x = ctr; ctr = ctr + 1; ctr = ctr + 1; y = ctr; y = ctr; if (x == i) { if (x == i) { assert (y == i + 1); assert (y == i + 1); }} How much information needs to be kept about the state? How many instructions need to be evaluated to ensure safety/show safety violation?

The Approach Make a cut-point in the code. Given current values for variables from above point, which ones show that the rest of the path to the error state is infeasible? A Craig Interpolant may help if (x == i) { assert (y == i + 1); assert (y == i + 1); } x = ctr; x = ctr; ctr = ctr + 1; ctr = ctr + 1; y = ctr; y = ctr;

Craig Interpolants First, we must convert the state of the program into FOPL. x=ctr ^ ctr 1 =ctr+1 ^ y=ctr 1 above the cut. Below the cut, x==i ^ y != i+1. By conjoining the two formulas (call them A and B) satisfiability can determined. This answers the question, from my state above the cut, can I get to a certain state below? These will be our FOPL formulas A and B. If A ^ B is unsatisfiable, there exists a Craig interpolant C such that A → C and B ^ C is unsatisfiable, which gives at least one answer to the question, why can’t I reach the state below?

Interpolants in Action The FOPL formula x=ctr ^ ctr 1 =ctr+1 ^ y=ctr 1 ^ x==i ^ y != i+1 is inconsistent. This means that given what we know at the current cut point. BLAST’s interpolation procedure returns y==x+1. The interpolant generation is complex, but SAT solving through reduction is a good start. Investigate here. here if (x == i) { assert (y == i + 1); assert (y == i + 1); } x = ctr; x = ctr; ctr = ctr + 1; ctr = ctr + 1; y = ctr; y = ctr;

So… What? Finding an interpolant in this trivial example did not help much. On big programs, it helps reduce the number of predicates used in the state tremendously. Last presentation’s Abstract Reachability Tree (the graphical representation of the predicate states and transitions) was cramped and that example had four lines of C.

So… What? By being able to weed out the important predicates to track, BLAST is fairly scalable. Here is some data presented at the SPIN 2005 Conference. ProgramLines pre- processed Time (mins) Predicates Total Average kbfiltr 12k floppy 17k diskprf 14k cdaudio 18k parport 61k parclss 138k

Questions?

References Software Verification with BLAST (PPT) Software Verification with BLAST (PPT) Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar. Software Verification with BLAST (PPT) Interpolation for data structures Interpolation for data structures Kapur, D., Majumdar, R., and Zarba, C. G Interpolation for data structures. In Proceedings of the 14th ACM SIGSOFT international Symposium on Foundations of Software Engineering (Portland, Oregon, USA, November , 2006). Interpolation for data structures Applications of Craig Interpolants in Model Checking Applications of Craig Interpolants in Model Checking K. L. McMillan, TACAS 2005: 1-12 Applications of Craig Interpolants in Model Checking