Lazy Predicate Abstraction in BLAST

1
Lazy Predicate Abstraction in BLAST

• John Gallagher
• CS4117

2
BLAST from the Past

• To quickly rehash my last presentation a few
  points on Blast.
• BLAST is a model checker. It can usually verify
  that software satisfies certain safety
  properties.
• BLAST converts safety specifications into
  reachabililty problems can an unsafe state be
  reached in execution.
• Analysis conducted using Control Flow Automata,
  Abstract Reachability Trees, Predicate Formulae

3
A Safe C Program

• include "assert.h"
• int main()
• int i, x, y, ctr
• x ctr
• ctr ctr 1
• y ctr
• if (x i)
• assert (y i 1)

4
The Problem

• Simulating real execution explodes the state
  space exponentially when trying to determine
  feasible paths.
• Abstraction is expensive, because reachability
  problem requires SAT invocation. Given n
  abstract predicates, 2n abstract states.
• Lazily find important predicates!

5
The Approach

• include "assert.h"
• int main()
• int i, x, y, ctr
• x ctr
• ctr ctr 1
• y ctr
• if (x i)
• assert (y i 1)

• How much information needs to be kept about the
  state?
• How many instructions need to be evaluated to
  ensure safety/show safety violation?

6
The Approach

• Make a cut-point in the code.
• Given current values for variables from above
  point, which ones show that the rest of the path
  to the error state is infeasible?
• A Craig Interpolant may help

x ctr ctr ctr 1 y ctr

• if (x i)
• assert (y i 1)

7
Craig Interpolants

• First, we must convert the state of the program
  into FOPL. xctr ctr1ctr1 yctr1 above the
  cut. Below the cut, xi y ! i1 .
• By conjoining the two formulas (call them A and
  B) satisfiability can determined. This answers
  the question, from my state above the cut, can I
  get to a certain state below?
• These will be our FOPL formulas A and B. If A
  B is unsatisfiable, there exists a Craig
  interpolant C such that A ? C and B C is
  unsatisfiable, which gives at least one answer to
  the question, why cant I reach the state below?

8
Interpolants in Action

• The FOPL formula xctr ctr1ctr1 yctr1
  xi y ! i1 is inconsistent. This means
  that given what we know at the current cut point.
• BLASTs interpolation procedure returns yx1.
  The interpolant generation is complex, but SAT
  solving through reduction is a good start.
  Investigate here.

x ctr ctr ctr 1 y ctr

• if (x i)
• assert (y i 1)

9
So What?

• Finding an interpolant in this trivial example
  did not help much.
• On big programs, it helps reduce the number of
  predicates used in the state tremendously. Last
  presentations Abstract Reachability Tree (the
  graphical representation of the predicate states
  and transitions) was cramped and that example had
  four lines of C.

10
So What?

• By being able to weed out the important
  predicates to track, BLAST is fairly scalable.
  Here is some data presented at the SPIN 2005
  Conference.

11
Questions?
12
References

• http//mtc.epfl.ch/software-tools/blast/
• Software Verification withBLAST (PPT) Thomas A.
  Henzinger, Ranjit Jhala, and Rupak Majumdar.
• Interpolation for data structuresKapur, D.,
  Majumdar, R., and Zarba, C. G. 2006.
  Interpolation for data structures. In Proceedings
  of the 14th ACM SIGSOFT international Symposium
  on Foundations of Software Engineering (Portland,
  Oregon, USA, November 05 - 11, 2006).
• Applications of Craig Interpolants in Model
  CheckingK. L. McMillan, TACAS 2005 1-12