The Software Model Checker BLAST

1
The Software Model Checker BLAST

• By D. Beyer et. al.

2
Introduction

• Model Checking is a technique to verify a system
  desc against a spec
• Input
• Program source (system desc)
• Temporal safty property (spec)
• Output
• Proof of correctness
• Counterexample

Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
3
CEGAR

• The paradigm behind some verification tools
• CounterExample Guided Abstraction Refinement

4
BLAST

• Software Model Checking
• Checking Memory Safety
• Generating Test

Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
5
BLAST (Software Model Checking)

• Automatic Software Verification Tools
• Execution-based
• Find bugs
• Scale the search to large state spaces
• Abstraction-based
• Proving correctness
• Improve precision
• But CEGAR combines these two!
• Automatic precision adjustment
• Keeps the state space small

Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
6
BLAST (Memory Safety Test Case)

• Memory Safety
• First we use CCURED to mark possible locations
• Use Blast to eliminate unreachable error marks
• Identify usage scenarios leading to errors
• Test Case Generation
• We need a spec or a set of coverage goals
• Instead of the error path, BLAST creates a test
  vector
• Test vector to the state q that always satisfies
  p
• Test vector to the state q that never satisfies
  p
• Test vector to the state q that smt satisfies p
  but smt not

Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
7
Example
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
8
Example (CFA)
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
9
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)