Transcript First

Introducing BLAST
Software Verification
John Gallagher
CS4117
What is BLAST?
The Berkeley Lazy Abstraction Softwareverification Tool is a model checker that
checks the safety properties of C
programs.
“Automated, precise and scalable” (so,
usable).
What BLAST Isn’t
A magical solution to the halting problem,
so BLAST may run forever on some input.
And it may not be able to assert that a
given execution path will not occur.
A C compiler, though it parses and
validates preprocessed C.
Quick Example
Input
Output
#include "assert.h"
/*Blast's assert.h*/
int foo(int x, int y) {
if (x > y) {
x = x - y;
assert(x > 0);
}
return 0;
}
addPred: 0: (gui) adding predicate 1<=x@fooy@foo to the system
addPred: 0: (gui) adding predicate 1<=x@fooy@foo to the system
addPred: 1: (gui) adding predicate 1<=x@foo to
the system
addPred: 1: (gui) adding predicate 1<=x@foo to
the system
Adding all preds now...
[BAT] Done refiner
Non-trivial functions 0
Depth of tree: 7
No error found. The system is safe :-)
What Just Happened?
First, BLAST builds a Control Flow Automata (basically, a
flow graph) from the preprocessed C, which in simplified
form looks like:
void __blast_assert(){
ERROR: goto ERROR;
}
void __assert_fail(){__blast_assert();}
int foo(int x, int y) {
if (x > y) {
x = x - y;
((void) ((x > 0) ? 0 : (__assert_fail()))))
}
return 0;
}
Is Label ERROR Reachable?
The assert safety check has been
converted into a reachability problem.
BLAST represents the code as a Control
Flow Automata, then constructs an
Abstract Reachability Tree to try and
answer this question without exploding the
state space or looping forever.
The CFA
1:foo
3:Pred(x<=y)
2:Pred(x>y)
5:x=x-y
7:x>0
6:x<=0
8:__assert_fail()
9:return 0
10:__blast_assert()
12:ERROR
Properties of the ART
A node in the ART has a triple of (Label #
CFA, Call Stack, Reachable Region)
Reachable Region is a boolean formula
representing the set of data states
An ART is safe if for every node whose
CFA Label is an error location, the
Reachable Region expression ^ with the
predicate is unsatisfiable.
Properties of the ART
For us, that means the node whose CFA
Label is 6 must have a non satisfiable set
of data states when ^ with (x <= 0).
The ART (Call Stack Omitted)
1
TRUE
Pred (x<=y)
3
Pred (x>y)
2
x<=y
x>y
x=x-y
5
Pred (x>0)
return 0
x>y ^ x>0
7
x>y ^ x=x-y
Pred (x<=0)
6
x>y ^ x=x-y ^x<=0
ERROR
return 0
12
9
Safe?
If the program is safe, the node labeled 6
(there is one such node in this program)
must have an unsatisfiable data state.
x>y ^ x=x-y ^ x<=0 is unsatisfiable. >y can
be substituted for x in the subtraction. set
x (>y)-y, set x >0. If x>0 is pred p1, x<=0
is !p1. p1 ^ !p1 is always false, so the
program is safe.
Predicate Discovery
Build ART by setting all of the data states to true,
and exercising the CFA to find all reachable error
states, including the data state.
There now exists a path between the root (initial)
state and the error state, but predicate discovery is
used to determine whether the path is feasible.
(Lazy Predicate Abstraction)
By examining the program at certain cut points,
predicates are added to show the feasibility or
infeasibility of a path (using Craig Interpolants,
probably the subject of another presentation).
An Unsafe Modification
Input
Output
#include "assert.h"
/*Blast's assert.h*/
int foo(int x, int y) {
if (x > y) {
x = 2 + y - x;
assert(x > 0);
}
return 0;
}
Error found! The system is unsafe :-(
Error trace:
src="tut1unsafe.i"; line=0
FunctionCall(__BLAST_initialize_tut1unsafe.i())
Pred(x@foo > y@foo)
Block(x@foo = 2 + y@foo - x@foo;)
Pred(x@foo <= 0) FunctionCall(__assert_fail))
FunctionCall(__blast_assert())
The ART (Call Stack Omitted)
1
TRUE
Pred (x<=y)
3
Pred (x>y)
2
x<=y
x>y
x=x-y
5
Pred (x>0)
return 0
x>y ^ x>0
7
x>y ^ x=2+y-x
Pred (x<=0)
6
x>y ^ x=2+y-x
^x<=0
ERROR
return 0
12
9
Beyond Assert
BLAST is designed to be useful for legacy
code, so it has a language for writing
specifications to determine whether a
safety property is violated: The BLAST
Query Language.
Specifications are kept separate from the
code in their own file. Pattern matching is
used to associate a specification item with
its relevant location in code.
BLAST Query Language
global int lockStatus = 0;
event {
pattern { FSMInit(); }
action { lockStatus = 0; }
}
event {
pattern { FSMLock(); }
guard { lockStatus == 0 }
action { lockStatus = 1; }
}
event {
pattern { FSMUnLock(); }
guard { lockStatus == 1 }
action { lockStatus = 0; }
}
References
http://mtc.epfl.ch/software-tools/blast/
The BLAST query language for software verification
Dirk Beyer, Adam J. Chlipala, Thomas A. Henzinger, Ranjit
Jhala, and Rupak Majumdar. Proceedings of the 11th
International Static Analysis Symposium (SAS 2004), LNCS
3148, pages 2-18, Springer-Verlag, 2004.
The software model checker BLAST
Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and
Gregoire Sutre. Software verification with Blast. In Tenth
International Workshop on Model Checking of Software
(SPIN), volume 2648 of Lecture Notes in Computer Science,
pages 235--239. Springer-Verlag, 2003.