The Software Model Checker BLAST by Dirk Beyer

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST

Overview • The reliable software is hard to build and verify • The scheme of CEGAR was implemented for verifying software by SLAM and applied successfully to find bugs in device drivers • BLAST is an improved automatic verification tool for checking safety properties of C programs – Lazy predicate abstraction – Interpolation-based predicate discovery The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 2/26

Contents • Introduction • Lazy abstraction • Predicate discovery • Conclusion The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 3/26

Introduction • Software model checking is an algorithmic technique to verify implemented code against a specification Logical Specification Implemented code Model Checker Satisfied Okay Not satisfied Counterexample The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 4/26

Introduction • Even very simple code has many states 1 Bubble. Sort(int data[], int N){ 2 int i, j, tmp; 3 for (i=0; i<N-1; i++){ 4 for (j=i+1; j<N; j++){ 5 if (data[i] > data[j]){ 6 tmp = data[i]; 7 data[i] = data[j]; 8 data[j] = tmp; 9 } 10 } 11 } 12 } This has at least 32 232 £ (232)2 initial states!! The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 5/26

Introduction • The Counter-Example Guided Abstraction Refinement(CEGAR) is a key paradigm for software model checking Program P Spec φ Abstraction Refinement Abstract program P’ Model checking φ true Error trace p φ false + Infeasible path p Feasible? counterexample The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 6/26

Introduction • BLAST improves CEGAR approach – Lazy predicate abstraction – Interpolation-based predicate refinement Program P Spec φ Constructing Abstraction Reachable Tree ART Interpolationbased refinement Infeasible path p Model checking φ true Error trace p φ false + Feasible? counterexample The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 7/26

Contents • Introduction • Lazy abstraction • Predicate discovery • Conclusion The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 8/26

Lazy Abstraction • Simple example program using a lock – Lock should be followed by unlock 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Lock(){ if (LOCK == 0){ LOCK = 1; }else{ ERROR: } } Unlock(){ if (LOCK == 1){ LOCK = 0; }else{ ERROR: } } 17 18 19 20 21 22 23 24 25 26 27 28 29 Example(){ do{ Lock(); old = new; q = q->next; if (q != NULL){ q->data = new; Unlock(); new++; } }while(new != old); Unlock(); } Lock() LOCK = 0 LOCK = 1 Unlock() The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST Lock() 9/26

Lazy Abstraction • BLAST represents a program by a set of control-flowautomata (CFA) – Each function has a CFA 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Lock(){ if (LOCK == 0){ LOCK = 1; }else{ ERROR: } } Unlock(){ if (LOCK == 1){ LOCK = 0; }else{ ERROR: } } L#2 Pred(!(LOCK==0)); Pred(LOCK==0); L#5 L#3 LOCK=1; skip; L#7 Error location U#10 Pred(!(LOCK==1)); Pred(LOCK==1); U#13 skip; U#11 LOCK=0 ; U#15 The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 10/26

Lazy Abstraction • A CFA for Example() function E#19 Lock(); E#20 17 18 19 20 21 22 23 24 25 26 27 28 29 Example(){ do{ Lock(); old = new; q = q->next; if (q != NULL){ q->data = new; Unlock(); new++; } }while(new != old); Unlock(); } old = new; q=q->next; E#22 Pred(q!=NULL) Pred(!(q!=NULL)) Pred((new!=old)); E#23 q->data=new; E#24 Unlock(); E#25 new++; E#27 Pred(!(new!=old)); E#28 Unlock(); E#29 The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 11/26

Lazy Abstraction • A CFA is a directed graph, with nodes corresponding to control points of the program, and edges corresponding to program operations • An edge between two nodes is labeled by the instruction which is either – – A basic block of assignments An assume predicate A function call A return instruction The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 12/26

Lazy Abstraction • To prove the error location is never reached, BLAST constructs an abstract reachability tree (ART) • An ART is a labeled tree that represents a portion of the reachable state space of the program • Each node n is denoted by n : (q, Á) – q is the CFA location – Á is the reachable region • Each edge is labeled with an instruction The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 13/26

Lazy Abstraction • The ART construction proceeds by unrolling the CFAs and keeping track of the reachable region at each CFA location • Initially BLAST starts with no predicates and the given entry location • How to compute the successor of the reachable region? – Using weakest precondition The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 14/26

Lazy Abstraction • The successor of the reachable region R is generated using weakest precondition • For each predicate p, check if either p or : p is true after op • When is p true after op? – If WP(p, op) is true before OP – We know R is true before OP – Query: R ) WP(p, op) The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 15/26

Lazy Abstraction • Example E#27 R: x < 0 x : = 1 - x E#28 p: x > 0 ? • What is the successor of R w. r. t. predicate p and op? – WP(x>0, x : = 1 -x) = x < 1 – x < 0 ) x < 1 is valid – x < 1 is successor The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 16/26

Lazy Abstraction • For a tree node n : (q, Á), BLAST constructs successor nodes of n in the tree for all edges between q ! q’ – Function call is inlined L#2 Pred(!(LOCK==0)); L#3 skip; LOCK=1; L#7 E#19 Lock(); E#20 Lock(); Pred(LOCK==0); L#5 TRUE E#19 L#2 Pred(!(LOCK==0)); TRUE L#5 TRUE Pred(LOCK==0); L#3 TRUE The error location is encountered old = new; q=q->next; E#22 Pred(!(q!=NULL)) Pred((q!=NULL)) The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 17/26

Lazy Abstraction • To analyze the abstract error path, BLAST creates path formula(PF) • Path formula is a set of constraints which is satisfiable iff the path is feasible • The PF is built by transforming the path into SSA form, and then generating constraints for each operation along the path The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 18/26

Lazy Abstraction • Feasibility check 1: LOCK=0 1: LOCK 0 = 0 2: call Lock() Æ TRUE 3: assume(LOCK==1) 3: LOCK 0 = 1 Æ LOCK 0 = 1 Trace SSA Trace Path Formula Trace is feasible iff TF is satisfiable The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 19/26

Contents • Introduction • Lazy abstraction • Predicate discovery • Conclusion The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 20/26

Predicate Discovery • What predicate is needed? 1: LOCK=0 2: call Lock() LOCK 0 = 0 prefix 3: assume(LOCK==1) suffix Trace Relevant Information Æ TRUE prefix Æ LOCK 0 = 1 suffix Path Formula Predicate … 1. … after executing trace prefix … implied by PF prefix 2. … has present values of variables … on common variables 3. … makes trace suffix infeasible … & PF suffix is unsatisfiable The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 21/26

Predicate Discovery • For a pair of formulas Á- and Á+ s. t. Á- Æ Á+ is unsatisfiable, a Craig interpolant à is a formula such that – The implication Á- ) à is valid – The conjunction Ã Æ Á+ is unsatisfiable – à only contains symbols common to both Á- and Á+ • à satisfies the following conditions – à is implied by PF prefix – Ã Æ PF suffix is unsatisfiable – à only contains common variables on prefix and suffix The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 22/26

Predicate Discovery • Adding new predicates for the control location LOCK 0 = 0 Æ TRUE Ã: LOCK = 0 Æ LOCK 0 = 1 Path Formula New predicate for the location line 2 is added 2: LOCK = 0 This predicate is only applied at the location line 2 The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 23/26

Predicate Discovery TRUE ) WP(LOCK=0, Pred(LOCK=0) ) • Rebuild ART Pred(!(LOCK==0)); Lock(); Pred(LOCK==0); L#5 Pred(!(LOCK==0)); Pred((q!=NULL)) LOCK=1; L#7 TRUE E#19 LOCK = 0 LOCK=1; L#5 L#3 q->data=new; L#7 TRUE old = new; q=q->next; TRUE U#10 Pred(!(LOCK==1)); TRUE U#13 TRUE return; E#24 Unlock(); E#22 Pred((q!=NULL)) Pred(LOCK==0); E#23 Lock(); E#20 TRUE L#2 L#3 skip; TRUE E#19 L#2 E#20 E#22 Pred((LOCK==1)); U#11 TRUE old = new; q=q->next; TRUE The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 24/26

Predicate Discovery • Final ART E#19 TRUE Pred((q!=NULL)) Lock(); L#2 Pred(!(LOCK==0)); Pred(!(q!=NULL)) (LOCK=1) Æ (old = new) E#27 Pred(!(new!=old)); (LOCK=1) Æ (old = new) E#28 L#5 TRUE (LOCK=1) Æ (old = new) E#23 q->data=new; Pred(LOCK==0); L#3 (LOCK=1) Æ (old = new) E#24 Unlock(); LOCK=1; (LOCK=1) Æ (old = new) U#10 L#7 LOCK=1 Pred(!(LOCK==1)); Pred(LOCK==1); return; (LOCK=1) Æ (old = n E#20 LOCK=1 U#13 U#11 old = new; q=q->next; LOCK=0 ; E#22 U#15 (LOCK=0) Æ (old = new) (LOCK=1) Æ (old = new) E#25 Pred(new!=old); E#27 The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST return ; (LOCK=0) Æ (old = new) new++; (LOCK=0) Æ (old new) 25/26

Conclusion • BLAST is a software model checker for verifying program written in C language • BLAST improves the scheme of CEGAR by implementing lazy abstraction and interpolation-based predicate refinement The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 26/26

Reference • The Software Model Checker Blast: Applications to Software Engineering. by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar in Int. Journal on Software Tools for Technology Transfer, 2007 The Software Model Checker BLAST, Yunho Kim, Provable Software Lab, KAIST 27/26