Introducing BLAST Software Verification - PowerPoint PPT Presentation

About This Presentation
Title:

Introducing BLAST Software Verification

Description:

Introducing BLAST Software Verification. John Gallagher. CS4117 ... The BLAST query language for software verification ... Software verification with Blast. ... – PowerPoint PPT presentation

Slides: 18
Provided by: labu316

Transcript and Presenter's Notes

1
Introducing BLAST Software Verification
  • John Gallagher
  • CS4117

2
What is BLAST?
  • The Berkeley Lazy Abstraction Software
    verification Tool is a model checker that checks
    safety properties of C programs.
  • Automated, precise and scalable (so, usable).

3
What BLAST Isn't
  • A magical solution to the halting problem: BLAST
    may run forever on some inputs, and it may not be
    able to prove that a given execution path cannot
    occur.
  • A C compiler, though it parses and validates
    preprocessed C.

4
Quick Example
5
What Just Happened?
  • First, BLAST builds a Control Flow Automaton
    (basically, a flow graph) from the preprocessed
    C. BLAST's own assert rewrites the failing branch
    into a jump to the label ERROR, so in simplified
    form the input looks like this:

      void __blast_assert() { ERROR: goto ERROR; }
      void __assert_fail()  { __blast_assert(); }

      int foo(int x, int y) {
        if (x > y) {
          x = x - y;
          ((void) ((x > 0) ? (void) 0 : __assert_fail()));  /* assert(x > 0) */
        }
        return 0;
      }

6
Is Label ERROR Reachable?
  • The assert safety check has been converted into a
    reachability problem: can the label ERROR be
    reached?
  • BLAST represents the code as a Control Flow
    Automaton, then constructs an Abstract
    Reachability Tree (ART) to answer this question
    without exploding the state space or looping
    forever.

7
The CFA
8
Properties of the ART
  • A node in the ART is a triple (CFA label, call
    stack, reachable region).
  • The reachable region is a boolean formula
    representing the set of data states at that node.
  • An ART is safe if, for every node whose CFA label
    is an error location, the reachable region
    conjoined with the error predicate is
    unsatisfiable.

9
Properties of the ART
  • For us, that means the node whose CFA label is 6
    must have an unsatisfiable set of data states
    once conjoined with x <= 0 (the negation of the
    asserted x > 0).

10
The ART (Call Stack Omitted)
  Node 1  [TRUE]
    Pred (x > y)  --> Node 2  [x>y]
      x = x - y   --> Node 5  [x>y ∧ x=x-y]
        Pred (x <= 0) --> Node 6  [x>y ∧ x=x-y ∧ x<=0]  ERROR
        Pred (x > 0)  --> Node 7  [x>y ∧ x>0]
          return 0    --> Node 9
    Pred (x <= y) --> Node 3  [x<=y]
      return 0    --> Node 12
Safe?
  • If the program is safe, the node labeled 6 (there
    is one such node in this program) must have an
    unsatisfiable data state.
  • x>y ∧ x=x-y ∧ x<=0 is unsatisfiable: the x fed
    into the subtraction is greater than y, so the
    new x is (something greater than y) - y, which
    is greater than 0. If x>0 is predicate p1, then
    x<=0 is !p1, and p1 ∧ !p1 is always false, so
    the program is safe.

12
Predicate Discovery
  • Build the ART by setting every data state to
    TRUE and exercising the CFA to find all reachable
    error states, including their data state.
  • There now exists a path between the root
    (initial) state and the error state; predicate
    discovery is used to determine whether that path
    is feasible (Lazy Predicate Abstraction).
  • By examining the program at certain cut points,
    predicates are added to show the feasibility or
    infeasibility of a path (using Craig
    interpolants, probably the subject of another
    presentation).

13
An Unsafe Modification: x = x - y becomes x = 2*y - x
14
The ART (Call Stack Omitted)
  Node 1  [TRUE]
    Pred (x > y)  --> Node 2  [x>y]
      x = 2*y - x --> Node 5  [x>y ∧ x=2*y-x]
        Pred (x <= 0) --> Node 6  [x>y ∧ x=2*y-x ∧ x<=0]  ERROR (satisfiable)
        Pred (x > 0)  --> Node 7  [x>y ∧ x>0]
          return 0    --> Node 9
    Pred (x <= y) --> Node 3  [x<=y]
      return 0    --> Node 12
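The two ARTs above, reduced to code. This is an added example, not from the slides or from BLAST: it builds the CFA of if (x > y) { x = ...; assert(x > 0); } return 0; for both the original assignment and the modified one, enumerates every path to the ERROR location (the same nodes the slides draw, call stack omitted), and then checks whether each error path is feasible. The theorem prover BLAST consults is replaced here by a bounded search over small integers, which is the example's own stand-in and not how BLAST decides: a hit is a real counterexample, no hit is only evidence. The location numbers, the region notation and the bound are the example's choices.

```python
"""Added example, not from the slides or from BLAST: the deck's two
programs as a small control-flow automaton, explored for every path that
reaches the ERROR location, followed by a feasibility check on each path.

Each CFA edge is an assume (branch predicate) or an assignment.  A depth-first
search collects the paths from the entry location to ERROR, which are the
error branches of the ART the slides draw.  BLAST then asks a theorem prover
whether the path's region is satisfiable; here a bounded concrete search over
small integers stands in for the prover.  A hit is a genuine counterexample
(the error path is feasible).  No hit within the bound is evidence only, not
the proof that predicate abstraction and interpolants give the real tool.

Caveat: Python integers and the slide's argument both use mathematical
integers.  In C, int x - y can overflow (signed overflow is undefined
behaviour), which neither this search nor the slide's argument covers.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

State = Dict[str, int]
ERROR = "6"  # CFA location reached when assert(x > 0) fails, numbered as on the slides


@dataclass
class Edge:
    target: str
    kind: str                      # "assume" or "assign"
    op: Callable[[State], Any]     # predicate for assume, state transformer for assign
    label: str                     # text shown in the ART region


def build_cfa(update: Callable[[int, int], int], label: str) -> Dict[str, List[Edge]]:
    """CFA for `if (x > y) { x = <update>; assert(x > 0); } return 0;`.

    Locations follow the deck: 1 entry, 2/3 after the branch, 5 after the
    assignment, 6 ERROR, 7 assert passed, 9 and 12 the two returns.
    """
    return {
        "1": [Edge("2", "assume", lambda s: s["x"] > s["y"], "x>y"),
              Edge("3", "assume", lambda s: s["x"] <= s["y"], "x<=y")],
        "2": [Edge("5", "assign", lambda s: {**s, "x": update(s["x"], s["y"])}, label)],
        "5": [Edge("6", "assume", lambda s: s["x"] <= 0, "x<=0"),
              Edge("7", "assume", lambda s: s["x"] > 0, "x>0")],
        "7": [Edge("9", "assume", lambda s: True, "return 0")],
        "3": [Edge("12", "assume", lambda s: True, "return 0")],
        "6": [], "9": [], "12": [],
    }


def error_paths(cfa: Dict[str, List[Edge]]) -> List[List[Edge]]:
    """Every path from location 1 to ERROR (the ART, call stack omitted)."""
    found: List[List[Edge]] = []

    def dfs(loc: str, path: List[Edge]) -> None:
        if loc == ERROR:
            found.append(list(path))
            return
        for edge in cfa[loc]:
            path.append(edge)
            dfs(edge.target, path)
            path.pop()

    dfs("1", [])
    return found


def region(path: List[Edge]) -> str:
    """Reachable region of the path's last node, in the deck's notation."""
    return " ∧ ".join(e.label for e in path if e.label != "return 0")


def path_holds(path: List[Edge], x: int, y: int) -> bool:
    """Run the path on concrete inputs; feasible for (x, y) iff every assume holds."""
    state: State = {"x": x, "y": y}
    for edge in path:
        if edge.kind == "assume":
            if not edge.op(state):
                return False
        else:
            state = edge.op(state)
    return True


def find_counterexample(cfa: Dict[str, List[Edge]], bound: int = 64) -> Optional[Tuple[int, int, str]]:
    """Bounded stand-in for the prover: try all inputs in [-bound, bound]^2.

    Returns (x, y, region) for the first feasible error path, or None when no
    error path is feasible within the bound.
    """
    for path in error_paths(cfa):
        for x in range(-bound, bound + 1):
            for y in range(-bound, bound + 1):
                if path_holds(path, x, y):
                    return (x, y, region(path))
    return None


# The slide's original program and its unsafe modification.
SAFE = build_cfa(lambda x, y: x - y, "x=x-y")
UNSAFE = build_cfa(lambda x, y: 2 * y - x, "x=2*y-x")

if __name__ == "__main__":
    for name, cfa in (("safe", SAFE), ("unsafe", UNSAFE)):
        print(name, [region(p) for p in error_paths(cfa)], find_counterexample(cfa))
```

Run stand-alone it reports no counterexample for the original program and one such as x = -63, y = -64 for the modification (x > y holds, but 2*y - x = -65 <= 0), which is exactly the feasible error path the second ART shows. Slide 11's argument and this search both reason over mathematical integers; in C, x - y on int can overflow (signed overflow is undefined behaviour), and neither covers that case.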
15
Beyond Assert
  • BLAST is designed to be useful for legacy code,
    so it has a language for writing specifications
    that determine whether a safety property is
    violated: the BLAST Query Language.
  • Specifications are kept separate from the code in
    their own file. Pattern matching is used to
    associate a specification item with its relevant
    location in the code.

16
BLAST Query Language
  global int lockStatus = 0;

  event {
    pattern { FSMInit(); }
    action  { lockStatus = 0; }
  }

  event {
    pattern { FSMLock(); }
    guard   { lockStatus == 0 }
    action  { lockStatus = 1; }
  }

  event {
    pattern { FSMUnLock(); }
    guard   { lockStatus == 1 }
    action  { lockStatus = 0; }
  }
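The specification above, run as a monitor. This is an added example, not from the slides or from the BLAST distribution, and it does not use BLAST's pattern matching over C code: each event becomes a (guard, action) pair keyed by the called function's name, and the rules are run over constructed call traces so the reader can see what each guard forbids. The reading of guards it uses, that a guard which is false when its pattern matches is the violation, is the example's assumption; the trace names and helper functions are the example's own.

```python
"""Added example, not from the slides or the BLAST distribution: the lock
specification from the slide, rewritten as a Python monitor so the
guard/action pairs can be run against a call trace.

BLAST instruments the C program with the specification before model
checking, so a violated guard becomes an ERROR location for the reachability
analysis to look for.  Here the same events are checked on a constructed list
of function-call names.  Assumption of this example: a guard that is false
when its pattern matches is the violation; an event without a guard always
fires its action.
"""
from typing import Callable, Dict, List, Optional, Tuple


class LockMonitor:
    """Mirrors `global int lockStatus = 0;` from the specification."""

    def __init__(self) -> None:
        self.lockStatus = 0


Guard = Callable[[LockMonitor], bool]
Action = Callable[[LockMonitor], None]


def always(m: LockMonitor) -> bool:
    """Guard used for events that declare none (FSMInit)."""
    return True


def set_status(value: int) -> Action:
    """Build the `action { lockStatus = value; }` part of an event."""
    def action(m: LockMonitor) -> None:
        m.lockStatus = value
    return action


# One entry per `event { pattern {...} guard {...} action {...} }` block,
# keyed by the function name the pattern matches.
EVENTS: Dict[str, Tuple[Guard, Action]] = {
    "FSMInit":   (always,                      set_status(0)),
    "FSMLock":   (lambda m: m.lockStatus == 0, set_status(1)),
    "FSMUnLock": (lambda m: m.lockStatus == 1, set_status(0)),
}


def check_trace(trace: List[str]) -> Optional[Tuple[int, str, int]]:
    """Run the spec over a call trace.

    Returns None if every guarded call was allowed, else (index, call,
    lockStatus at that point) for the first call whose guard fails, which is
    where BLAST would report the ERROR location as reachable.
    """
    monitor = LockMonitor()
    for i, call in enumerate(trace):
        event = EVENTS.get(call)
        if event is None:          # no pattern matches: the spec ignores the call
            continue
        guard, action = event
        if not guard(monitor):
            return (i, call, monitor.lockStatus)
        action(monitor)
    return None


# Constructed call traces, not taken from any real program.
OK_TRACE = ["FSMInit", "FSMLock", "read_config", "FSMUnLock", "FSMLock", "FSMUnLock"]
DOUBLE_LOCK = ["FSMInit", "FSMLock", "FSMLock", "FSMUnLock"]
UNLOCK_WITHOUT_LOCK = ["FSMInit", "FSMUnLock"]
REINIT_WHILE_HELD = ["FSMInit", "FSMLock", "FSMInit", "FSMLock"]  # passes: FSMInit has no guard

if __name__ == "__main__":
    for name, trace in (("OK_TRACE", OK_TRACE), ("DOUBLE_LOCK", DOUBLE_LOCK),
                        ("UNLOCK_WITHOUT_LOCK", UNLOCK_WITHOUT_LOCK),
                        ("REINIT_WHILE_HELD", REINIT_WHILE_HELD)):
        print(name, check_trace(trace))
```

Note what the spec as written permits: FSMInit carries no guard, so a trace that re-initialises while the lock is held passes and the following FSMLock is accepted. Whether that is intended is a question for the spec's author; it is the kind of gap a monitor run over a few traces exposes before a long model-checking run.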
17
References
  • http://mtc.epfl.ch/software-tools/blast/
  • Dirk Beyer, Adam J. Chlipala, Thomas A. Henzinger,
    Ranjit Jhala, and Rupak Majumdar. The BLAST Query
    Language for Software Verification. In Proceedings
    of the 11th International Static Analysis
    Symposium (SAS 2004), LNCS 3148, pages 2-18.
    Springer-Verlag, 2004.
  • Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar,
    and Gregoire Sutre. Software Verification with
    BLAST. In Tenth International Workshop on Model
    Checking of Software (SPIN 2003), LNCS 2648,
    pages 235-239. Springer-Verlag, 2003.