Transcript Second

Lazy Predicate
Abstraction in BLAST
John Gallagher
CS4117
BLAST from the Past
To quickly rehash my last presentation a few
points on Blast.
BLAST is a model checker. It can usually
verify that software satisfies certain safety
properties.
BLAST converts safety specifications into
reachabililty problems: can an unsafe state
be reached in execution.
Analysis conducted using Control Flow
Automata, Abstract Reachability Trees,
Predicate Formulae
A Safe C Program
#include "assert.h"
Main()
int main() {
int i, x, y, ctr;
x = ctr;
ctr = ctr + 1;
y = ctr;
if (x == i) {
assert (y == i + 1);
}
}
x=ctr
ctr=ctr+1
y=ctr
x==i
y==i+1
x!=i
y!=i+1
Error
The Problem
Simulating real execution explodes the
state space exponentially when trying to
determine feasible paths.
Abstraction is expensive, because
reachability problem requires SAT
invocation. Given n abstract predicates,
2n abstract states.
Lazily find important predicates!
The Approach
#include "assert.h"
int main() {
int i, x, y, ctr;
x = ctr;
ctr = ctr + 1;
y = ctr;
if (x == i) {
assert (y == i + 1);
}
}
How much
information needs to
be kept about the
state?
How many
instructions need to
be evaluated to
ensure safety/show
safety violation?
The Approach
Make a cut-point in
the code.
Given current values
for variables from
above point, which
ones show that the
rest of the path to the
error state is
infeasible?
A Craig Interpolant
may help
x = ctr;
ctr = ctr + 1;
y = ctr;
if (x == i) {
assert (y == i + 1);
}
Craig Interpolants
First, we must convert the state of the program
into FOPL. x=ctr ^ ctr1=ctr+1 ^ y=ctr1 above the
cut. Below the cut, x==i ^ y != i+1 .
By conjoining the two formulas (call them A and B)
satisfiability can determined. This answers the
question, from my state above the cut, can I get to
a certain state below?
These will be our FOPL formulas A and B. If A ^ B
is unsatisfiable, there exists a Craig interpolant C
such that A → C and B ^ C is unsatisfiable, which
gives at least one answer to the question, why
can’t I reach the state below?
Interpolants in Action
The FOPL formula x=ctr ^
ctr1=ctr+1 ^ y=ctr1 ^ x==i
^ y != i+1 is inconsistent.
This means that given
what we know at the
current cut point.
BLAST’s interpolation
procedure returns
y==x+1. The interpolant
generation is complex,
but SAT solving through
reduction is a good start.
Investigate here.
x = ctr;
ctr = ctr + 1;
y = ctr;
if (x == i) {
assert (y == i + 1);
}
So… What?
Finding an interpolant in this trivial
example did not help much.
On big programs, it helps reduce the
number of predicates used in the state
tremendously. Last presentation’s
Abstract Reachability Tree (the graphical
representation of the predicate states and
transitions) was cramped and that
example had four lines of C.
So… What?
By being able to weed
out the important
predicates to track,
BLAST is fairly
scalable. Here is
some data presented
at the SPIN 2005
Conference.
Program
Predicates
Total Average
Lines
Time
preprocessed
(mins)
kbfiltr
12k
3
72
6.5
floppy
17k
25
240
7.7
diskprf
14k
13
140
10
cdaudio
18k
23
256
7.8
parport
61k
74
753
8.1
parclss
138k
77
382
7.2
Questions?
References
http://mtc.epfl.ch/software-tools/blast/
Software Verification with
BLAST (PPT)
Thomas A. Henzinger, Ranjit Jhala, and Rupak
Majumdar.
Interpolation for data structures
Kapur, D., Majumdar, R., and Zarba, C. G. 2006.
Interpolation for data structures. In Proceedings of the
14th ACM SIGSOFT international Symposium on
Foundations of Software Engineering (Portland,
Oregon, USA, November 05 - 11, 2006).
Applications of Craig Interpolants in Model Checking
K. L. McMillan, TACAS 2005: 1-12