85624ec53a93717f7f893209dccf7944.ppt

- Количество слайдов: 17

Introducing BLAST Software Verification John Gallagher CS 4117

What is BLAST? The Berkeley Lazy Abstraction Softwareverification Tool is a model checker that checks the safety properties of C programs. “Automated, precise and scalable” (so, usable).

What BLAST Isn’t A magical solution to the halting problem, so BLAST may run forever on some input. And it may not be able to assert that a given execution path will not occur. A C compiler, though it parses and validates preprocessed C.

Quick Example Input Output #include "assert. h" /*Blast's assert. h*/ int foo(int x, int y) { if (x > y) { x = x - y; assert(x > 0); } return 0; } add. Pred: 0: (gui) adding predicate 1<[email protected]@foo to the system add. Pred: 1: (gui) adding predicate 1<[email protected] to the system Adding all preds now. . . [BAT] Done refiner Non-trivial functions 0 Depth of tree: 7 No error found. The system is safe : -)

What Just Happened? First, BLAST builds a Control Flow Automata (basically, a flow graph) from the preprocessed C, which in simplified form looks like: void __blast_assert(){ ERROR: goto ERROR; } void __assert_fail(){__blast_assert(); } int foo(int x, int y) { if (x > y) { x = x - y; ((void) ((x > 0) ? 0 : (__assert_fail())))) } return 0; }

Is Label ERROR Reachable? The assert safety check has been converted into a reachability problem. BLAST represents the code as a Control Flow Automata, then constructs an Abstract Reachability Tree to try and answer this question without exploding the state space or looping forever.

The CFA 1: foo 3: Pred(x<=y) 2: Pred(x>y) 5: x=x-y 7: x>0 6: x<=0 8: __assert_fail() 9: return 0 10: __blast_assert() 12: ERROR

Properties of the ART A node in the ART has a triple of (Label # CFA, Call Stack, Reachable Region) Reachable Region is a boolean formula representing the set of data states An ART is safe if for every node whose CFA Label is an error location, the Reachable Region expression ^ with the predicate is unsatisfiable.

Properties of the ART For us, that means the node whose CFA Label is 6 must have a non satisfiable set of data states when ^ with (x <= 0).

The ART (Call Stack Omitted) TRUE 1 Pred (x<=y) Pred (x>y) 2 x<=y 3 x>y x=x-y 5 Pred (x>0) return 0 x>y ^ x>0 7 x>y ^ x=x-y Pred (x<=0) 6 x>y ^ x=x-y ^x<=0 ERROR return 0 9 12

Safe? If the program is safe, the node labeled 6 (there is one such node in this program) must have an unsatisfiable data state. x>y ^ x=x-y ^ x<=0 is unsatisfiable. >y can be substituted for x in the subtraction. set x (>y)-y, set x >0. If x>0 is pred p 1, x<=0 is !p 1. p 1 ^ !p 1 is always false, so the program is safe.

Predicate Discovery Build ART by setting all of the data states to true, and exercising the CFA to find all reachable error states, including the data state. There now exists a path between the root (initial) state and the error state, but predicate discovery is used to determine whether the path is feasible. (Lazy Predicate Abstraction) By examining the program at certain cut points, predicates are added to show the feasibility or infeasibility of a path (using Craig Interpolants, probably the subject of another presentation).

An Unsafe Modification Input Output #include "assert. h" /*Blast's assert. h*/ int foo(int x, int y) { if (x > y) { x = 2 + y - x; assert(x > 0); } return 0; } Error found! The system is unsafe : -( Error trace: src="tut 1 unsafe. i"; line=0 Function. Call(__BLAST_initialize_tut 1 unsafe. i()) Pred([email protected] > [email protected]) Block([email protected] = 2 + [email protected] - [email protected]; ) Pred([email protected] <= 0) Function. Call(__assert_fail)) Function. Call(__blast_assert())

The ART (Call Stack Omitted) TRUE 1 Pred (x<=y) Pred (x>y) 2 x<=y 3 x>y x=x-y 5 Pred (x>0) return 0 x>y ^ x>0 7 x>y ^ x=2+y-x Pred (x<=0) 6 x>y ^ x=2+y-x ^x<=0 ERROR return 0 9 12

Beyond Assert BLAST is designed to be useful for legacy code, so it has a language for writing specifications to determine whether a safety property is violated: The BLAST Query Language. Specifications are kept separate from the code in their own file. Pattern matching is used to associate a specification item with its relevant location in code.

BLAST Query Language global int lock. Status = 0; event { pattern { FSMInit(); } action { lock. Status = 0; } } event { pattern { FSMLock(); } guard { lock. Status == 0 } action { lock. Status = 1; } } event { pattern { FSMUn. Lock(); } guard { lock. Status == 1 } action { lock. Status = 0; } }

References http: //mtc. epfl. ch/software-tools/blast/ The BLAST query language for software verification Dirk Beyer, Adam J. Chlipala, Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar. Proceedings of the 11 th International Static Analysis Symposium (SAS 2004), LNCS 3148, pages 2 -18, Springer-Verlag, 2004. The software model checker BLAST Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Gregoire Sutre. Software verification with Blast. In Tenth International Workshop on Model Checking of Software (SPIN), volume 2648 of Lecture Notes in Computer Science, pages 235 --239. Springer-Verlag, 2003.