Lazy Predicate Abstraction in BLAST


Transcript and Presenter's Notes


1
Lazy Predicate Abstraction in BLAST
  • John Gallagher
  • CS4117

2
BLAST from the Past
  • To quickly rehash a few points on BLAST from my
    last presentation.
  • BLAST is a model checker. It can usually verify
    that software satisfies certain safety
    properties.
  • BLAST converts a safety specification into a
    reachability problem: can an unsafe (error) state
    be reached in any execution?
  • The analysis is conducted using Control Flow
    Automata (CFA), Abstract Reachability Trees (ART)
    and predicate formulae.

3
A Safe C Program
    #include <assert.h>

    int main() {
      /* i and ctr are left uninitialised on purpose: the checker treats
         them as unconstrained inputs, and the assertion must hold for
         every value. (Reading them is undefined behaviour in real C.) */
      int i, x, y, ctr;
      x = ctr;
      ctr = ctr + 1;
      y = ctr;
      if (x == i)
        assert(y == i + 1);
      return 0;
    }

4
The Problem
  • Simulating real execution explodes the state
    space exponentially when trying to determine
    which paths are feasible.
  • Abstraction is expensive too, because each step
    of the reachability problem requires a SAT
    (theorem-prover) invocation, and given n abstract
    predicates there are up to 2^n abstract states.
  • So: lazily find only the important predicates!

5
The Approach
  • The same safe C program as on slide 3. Two
    questions about it:
  • How much information needs to be kept about the
    state?
  • How many instructions need to be evaluated to
    ensure safety, or to show a safety violation?

6
The Approach
  • Make a cut-point in the code.
  • Given the current values of the variables above
    the cut, which facts about them show that the
    rest of the path to the error state is
    infeasible?
  • A Craig interpolant may help.

    x = ctr; ctr = ctr + 1; y = ctr;
    /* ---- cut-point ---- */
    if (x == i)
      assert(y == i + 1);

7
Craig Interpolants
  • First, we must convert the state of the program
    into first-order logic (FOPL), renaming each
    assigned variable so that the old and the new
    ctr are distinct. Above the cut:
    A = (x = ctr ∧ ctr1 = ctr + 1 ∧ y = ctr1).
    Below the cut, on the path to the error state
    (the negated assertion): B = (x = i ∧ y ≠ i + 1).
  • By conjoining the two formulas and checking
    satisfiability we answer the question: from my
    state above the cut, can I reach that state
    below?
  • If A ∧ B is unsatisfiable, there exists a Craig
    interpolant C such that A ⇒ C, B ∧ C is
    unsatisfiable, and C mentions only variables
    common to A and B (here x and y). C gives at
    least one answer to the question: why can't I
    reach the state below?

8
Interpolants in Action
  • The FOPL formula
    x = ctr ∧ ctr1 = ctr + 1 ∧ y = ctr1 ∧ x = i ∧ y ≠ i + 1
    is inconsistent. This means that, given what we
    know at the current cut point, the error state
    below it cannot be reached.
  • BLAST's interpolation procedure returns
    y = x + 1. Check: it follows from A
    (y = ctr1 = ctr + 1 = x + 1), it uses only the
    shared variables x and y, and with B it forces
    i + 1 = y ≠ i + 1. Interpolant generation is
    complex (McMillan's method extracts C from the
    prover's refutation proof of A ∧ B), but SAT
    solving through reduction is a good start.

    x = ctr; ctr = ctr + 1; y = ctr;
    /* ---- cut-point ---- */
    if (x == i)
      assert(y == i + 1);
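To make slides 7 and 8 concrete, here is an added example (my own code, not BLAST's and not from the presentation): a small checker for the three Craig conditions, applied at every cut-point of the error path, with the path written in single-assignment form (the names x1, ctr0, ctr1, y1, i0 are assumptions). Satisfiability is decided by exhaustive enumeration over a small constructed integer range, which is only a bounded sanity check; BLAST asks an interpolating theorem prover instead. Slide 8 gives only the interpolant for the cut after y = ctr (y = x + 1); the candidates for the other cuts are my own and are verified by the same check.

```python
"""Bounded check of the Craig interpolation conditions from slides 7 and 8.

Added example, not BLAST's implementation. A Formula carries its free
variables and a truth function; "unsatisfiable" is decided by enumerating
every assignment over DOMAIN, a constructed finite range. That is a bounded
sanity check only; BLAST derives C from a prover's refutation of A /\ B.
"""
from itertools import product

DOMAIN = range(-3, 4)  # constructed: finite integer range for the bounded check


class Formula:
    """A first-order formula: its free variables plus a truth function on assignments."""

    def __init__(self, free_vars, holds):
        self.free_vars = frozenset(free_vars)
        self.holds = holds

    def __and__(self, other):
        return Formula(self.free_vars | other.free_vars,
                       lambda s: self.holds(s) and other.holds(s))


TRUE = Formula((), lambda s: True)


def assignments(free_vars):
    names = sorted(free_vars)
    for values in product(DOMAIN, repeat=len(names)):
        yield dict(zip(names, values))


def satisfiable(f):
    return any(f.holds(s) for s in assignments(f.free_vars))


def implies(f, g):
    return all(g.holds(s) for s in assignments(f.free_vars | g.free_vars) if f.holds(s))


def is_interpolant(A, B, C):
    """Craig's conditions: vars(C) within vars(A) & vars(B), A => C, and B /\ C unsat."""
    return (C.free_vars <= (A.free_vars & B.free_vars)
            and implies(A, C)
            and not satisfiable(B & C))


# The error path of the slide-3 program in single-assignment form (names assumed:
# x1, ctr0, ctr1, y1, i0). The last step is the negated assertion, i.e. the error edge.
PATH = [
    Formula({'x1', 'ctr0'}, lambda s: s['x1'] == s['ctr0']),          # x = ctr
    Formula({'ctr1', 'ctr0'}, lambda s: s['ctr1'] == s['ctr0'] + 1),  # ctr = ctr + 1
    Formula({'y1', 'ctr1'}, lambda s: s['y1'] == s['ctr1']),          # y = ctr
    Formula({'x1', 'i0'}, lambda s: s['x1'] == s['i0']),              # if (x == i)
    Formula({'y1', 'i0'}, lambda s: s['y1'] != s['i0'] + 1),          # assert(y == i + 1) fails
]


def conj(formulas):
    acc = TRUE
    for f in formulas:
        acc = acc & f
    return acc


def split_at(cut):
    """A = statements above the cut, B = statements below, plus the shared vocabulary."""
    A, B = conj(PATH[:cut]), conj(PATH[cut:])
    return A, B, A.free_vars & B.free_vars


# Candidate interpolants per cut. Cut 3 is the one slide 8 reports (y = x + 1);
# the others are my candidates, produced by the same reasoning, not taken from BLAST.
CANDIDATES = {
    1: Formula({'x1', 'ctr0'}, lambda s: s['x1'] == s['ctr0']),
    2: Formula({'x1', 'ctr1'}, lambda s: s['ctr1'] == s['x1'] + 1),
    3: Formula({'x1', 'y1'}, lambda s: s['y1'] == s['x1'] + 1),
    4: Formula({'y1', 'i0'}, lambda s: s['y1'] == s['i0'] + 1),
}

# Follows from the prefix at cut 3 but mentions ctr0, which B cannot see: it breaks
# the vocabulary condition and, as a consequence, cannot refute B either.
TOO_LOCAL = Formula({'y1', 'ctr0'}, lambda s: s['y1'] == s['ctr0'] + 1)


def check_path():
    """Return {cut: is_interpolant(...)} for every candidate; all True for this path."""
    return {cut: is_interpolant(*split_at(cut)[:2], C) for cut, C in CANDIDATES.items()}


if __name__ == '__main__':
    print('A /\\ B satisfiable:', satisfiable(conj(PATH)))   # the error path is infeasible
    for cut, ok in check_path().items():
        print('cut', cut, 'shared vars', sorted(split_at(cut)[2]), 'interpolant ok:', ok)
```

The vocabulary condition is what makes the interpolant useful as a predicate: at cut 3 the shared variables are exactly x and y, so y = x + 1 is a fact the rest of the path can be checked against without carrying ctr or ctr1 along.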

9
So What?
  • Finding an interpolant in this trivial example
    did not help much.
  • On big programs it reduces the number of
    predicates tracked in the state tremendously.
    Last presentation's Abstract Reachability Tree
    (the graphical representation of the predicate
    states and transitions) was cramped, and that
    example had four lines of C.

10
So What?
  • By picking out only the important predicates to
    track, BLAST is fairly scalable. Here is some
    data presented at the SPIN 2005 Conference.
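Slides 9 and 10 claim that tracking only the predicates the interpolants identify keeps the abstraction small. The following added example (my own code, not BLAST's) runs an abstract reachability search over the control flow automaton of the slide-3 program under three predicate choices: one predicate per location (the cut-point interpolants, with y = x + 1 from slide 8 at the cut after y = ctr and the predicates at the other locations assumed), all four predicates at every location, and the slide-8 predicate alone at every location. The abstract post of an edge is computed by enumerating concrete states over a small constructed integer range instead of the theorem-prover queries BLAST uses.

```python
"""Abstract reachability over the CFA of the slide-3 program with three predicate sets.

Added example, not BLAST's code. The abstract post of an edge is computed by
concretising the current predicate valuation over DOMAIN (a constructed finite
range), applying the edge, and re-abstracting with the successor location's
predicates. BLAST computes the same post with theorem-prover queries instead.
"""
from itertools import product

DOMAIN = range(-3, 4)              # constructed: finite integer range
VARS = ('i', 'x', 'y', 'ctr')


def assign(var, rhs):
    """Edge operation for `var = rhs(state)`."""
    return lambda s: {**s, var: rhs(s)}


def assume(cond):
    """Edge operation that is only enabled when cond holds (None = blocked)."""
    return lambda s: s if cond(s) else None


# Control flow automaton: location -> [(edge operation, successor location)].
CFA = {
    0: [(assign('x', lambda s: s['ctr']), 1)],
    1: [(assign('ctr', lambda s: s['ctr'] + 1), 2)],
    2: [(assign('y', lambda s: s['ctr']), 3)],
    3: [(assume(lambda s: s['x'] == s['i']), 4),
        (assume(lambda s: s['x'] != s['i']), 'END')],
    4: [(assume(lambda s: s['y'] != s['i'] + 1), 'ERR'),   # assert(y == i + 1) fails
        (assume(lambda s: s['y'] == s['i'] + 1), 'END')],
}

# Predicates over concrete states.
X_EQ_CTR = lambda s: s['x'] == s['ctr']
CTR_EQ_X_PLUS_1 = lambda s: s['ctr'] == s['x'] + 1
Y_EQ_X_PLUS_1 = lambda s: s['y'] == s['x'] + 1       # the slide-8 interpolant
Y_EQ_I_PLUS_1 = lambda s: s['y'] == s['i'] + 1
ALL_PREDS = [X_EQ_CTR, CTR_EQ_X_PLUS_1, Y_EQ_X_PLUS_1, Y_EQ_I_PLUS_1]


def concrete_states():
    for values in product(DOMAIN, repeat=len(VARS)):
        yield dict(zip(VARS, values))


def valuation(preds, s):
    return tuple(p(s) for p in preds)


def abstract_reach(preds_at):
    """Explore the abstract reachability tree.

    preds_at maps a location to the predicates tracked there; an absent
    location tracks nothing. Abstract states are (location, valuation) pairs.
    """
    def preds(loc):
        return preds_at.get(loc, [])

    seen = {(0, valuation(preds(0), s)) for s in concrete_states()}
    work = list(seen)
    while work:
        loc, val = work.pop()
        if loc in ('END', 'ERR'):
            continue
        for op, succ in CFA[loc]:
            for s in concrete_states():
                if valuation(preds(loc), s) != val:
                    continue                     # s is not in the concretisation of val
                t = op(s)
                if t is None:
                    continue                     # assume edge blocked
                nxt = (succ, valuation(preds(succ), t))
                if nxt not in seen:
                    seen.add(nxt)
                    work.append(nxt)
    return seen


def error_reachable(preds_at):
    return any(loc == 'ERR' for loc, _ in abstract_reach(preds_at))


# Lazy: one predicate per location, the interpolant of the cut at that point.
# Only the location-3 predicate comes from slide 8; the others are assumed.
LAZY = {1: [X_EQ_CTR], 2: [CTR_EQ_X_PLUS_1], 3: [Y_EQ_X_PLUS_1], 4: [Y_EQ_I_PLUS_1]}
# Eager: all four predicates at every location (up to 2^4 valuations each).
EAGER = {loc: ALL_PREDS for loc in CFA}
# The slide-8 predicate alone, everywhere: too coarse above its own cut-point.
ONLY_SLIDE8 = {loc: [Y_EQ_X_PLUS_1] for loc in CFA}


if __name__ == '__main__':
    for name, preds_at in [('lazy', LAZY), ('eager', EAGER), ('only slide-8', ONLY_SLIDE8)]:
        states = abstract_reach(preds_at)
        print(f'{name}: {len(states)} abstract states, error reachable: '
              f'{any(loc == "ERR" for loc, _ in states)}')
```

Both the lazy and the eager choice prove the error location unreachable, but the lazy one does it with six abstract states in total, one valuation per location, while the eager one explores every consistent combination of the four predicates at every location. Tracking y = x + 1 everywhere fails: above its cut-point the abstraction no longer knows that x = ctr, so the spurious error path survives, which is why the interpolant is tied to the location it was computed for.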

11
Questions?
12
References
  • BLAST project page: http://mtc.epfl.ch/software-tools/blast/
  • Thomas A. Henzinger, Ranjit Jhala, and Rupak
    Majumdar. Software Verification with BLAST
    (slides).
  • D. Kapur, R. Majumdar, and C. G. Zarba.
    Interpolation for data structures. In Proceedings
    of the 14th ACM SIGSOFT International Symposium
    on Foundations of Software Engineering (FSE
    2006), Portland, Oregon, USA, November 5-11,
    2006.
  • K. L. McMillan. Applications of Craig
    Interpolants in Model Checking. TACAS 2005,
    pp. 1-12.