The software model checker BLAST
Dirk Beyer, Thomas A. Henzinger,
Ranjit Jhala, Rupak Majumdar
Presented by Yunho Kim
Overview
Predicate abstraction is successfully applied to software
model checking
g
z
z
Cost for abstraction is still too high
z
z
Infinite concrete states → finite abstract states
Tools: SLAM(MSR), BLAST(UCB), SATABS(CMU)
O( 2 # preds ) abstract states
We need to abstract and refine locally, not globally
Blast proposed
z
z
Lazy abstraction
Craig interpolation-based refinement
Yunho Kim@ pswlab
The software model checker BLAST
2 / 28
Contents
Part I. Software Model Checking
z
z
z
Program behavior
Predicate abstraction
Counterexample-guided abstraction refinement
Part II. BLAST
z
z
Abstraction and model checking
Craig interpolation-based refinement
Yunho Kim@ pswlab
The software model checker BLAST
3 / 28
Behavior of program
Behavior of program can be modeled as a state transition
graph
g
p
St t
State
St t
State
…………
2
3
4
5
5
6
R
E
5
2
3
4
5
5
6
R
E
2
pc a 2
old a 1
new a 2
lock a 0
1:
2:
5
2
3
4
5
5
6
R
E
3:
4:
5:
6:
Yunho Kim@ pswlab
Transition
lock();
old = new;
3
pc a 3
old a 2
new a 2
lock a 1
Example() {
do {
lock();
old = new;
if (*) {
unlock();
new++;
}
} while (new != old);
unlock();
return;
}
The software model checker BLAST
4 / 28
The safety verification
Is there a path from an initial to an error state ?
…………
2
3
4
5
5
6
R
E
5
6
R
E
5
6
R
E
Error states
5
2
3
4
5
5
2
3
4
5
Initial states
Yunho Kim@ pswlab
The software model checker BLAST
5 / 28
Abstract behavior of program
Equivalent states satisfy same predicates and have same
control location
State
z
2
They are merged into one abstract state
…………
4
6
5 5
3
R
E
R
E
5
2
3
4
5
5
6
5
2
3
LOCK = 0
4
LOCK = 1
LOCK = 1
5
5
LOCK = 1
LOCK = 0
Yunho Kim@ pswlab
R
6
LOCK = 0
LOCK = 1
E
2
Transition
lock();
old = new;
pc a 2
old a 1
new a 2
new a 0
Abs.
Abs.
state
transition
pc a 2
p1
lock();
¬p2
3
pc a 3
old a 2
new a 2
new a 1
old = new;
pc a 3
¬p
p2
p1 , (lock = 0)
p2 , (lock = 1)
The software model checker BLAST
6 / 28
Over-approximation
If there exists a transition between s1 and s2, then also
there exists a transition between abstract state of s1 and s2
2
…………
3
4
5
5
6
R
E
5
6
R
E
5
6
R
E
5
2
3
4
5
5
2
3
LOCK = 0
4
LOCK = 1
LOCK = 1
Yunho Kim@ pswlab
5
LOCK = 1
LOCK = 0
LOCK = 0
LOCK = 1
The software model checker BLAST
7 / 28
CEGAR
CounterExample-Guided Abstraction Refinement
C program P
S
Spec
φ
OK
Lazy
abstraction
Error trace
New predicate
Craig
interpolationbased
Refinement
Yunho Kim@ pswlab
ERROR +
Infeasible
path
Feasible?
counterexample
The software model checker BLAST
8 / 28
Part II. BLAST
Abstraction and model checking
Craig interpolation-based refinement
Yunho Kim@ pswlab
The software model checker BLAST
9 / 28
A locking example
1:
2:
3:
4:
5:
6:
Example() {
do {
lock();
old = new;
if (*) {
unlock();
new++;
}
} while (new != old);
unlock();
return;
lock() {
if (LOCK == 0) {
LOCK = 1;
} else {
ERROR
}
}
unlock() {
if (
(LOCK == 1)
) {
LOCK = 0;
} else {
ERROR
}
lock
}
}
unlock
unlock
Yunho Kim@ pswlab
The software model checker BLAST
lock
10 / 28
Control Flow Automata for C programs
2
lock()
l
k()
old=new
1:
2:
3:
4:
5:
6:
Example() {
do {
lock();
old = new;
if (*) {
unlock();
new++;
}
} while (new != old);
unlock();
return;
t
[T]
[T]
4
unlock()
new++
[new!=old]
5
[new==old]
6
unlock()
ret
}
Yunho Kim@ pswlab
3
Node corresponds to control location
Edge corresponds to either a basic block
or an assume predicate
The software model checker BLAST
11 / 28
Reachability tree
Initial
2
3
4
Unroll Abstraction
1. Pick tree-node (=abs. state)
2. Add children (=abs. successors)
3. On re-visiting abs. state, cut-off
5
Fi d infeasible
Find
i f
ibl trace
t
6
Yunho Kim@ pswlab
- Learn new predicates
- Rebuild subtree with new preds.
The software model checker BLAST
12 / 28
Forward search(1/4)
2:
3:
4:
5:
6:
do {
l k()
lock();
old = new;
if (*) {
unlock();
new++;
}
} while (new != old);
unlock();
return;
2
LOCK = 0
Map P from Loc to set of predicates
Location
Predicates
2
LOCK = 0, LOCK = 1
3
LOCK = 0, LOCK = 1
4
LOCK = 0,
0 LOCK = 1
5
LOCK = 0, LOCK = 1
6
LOCK = 0, LOCK = 1
Yunho Kim@ pswlab
Each
E
h ttree node
d corresponds
d tto control
t l
location and labeled with reachable region
Edge
g corresponds
p
to either a basic block or
an assume predicate
Reachability Tree
The software model checker BLAST
13 / 28
Forward search(2/4)
2:
3:
4:
5:
6:
do {
l k()
lock();
old = new;
if (*) {
unlock();
new++;
}
} while (new != old);
unlock();
return;
2
lock()
old=new
3
Predicates
LOCK = 1
Compute successors where op = ‘x:=e’
x: e and
Map P from Loc to set of predicates
Location
LOCK = 0
Loc is successors’ program counter
SP(φ, x:
x:=e)
e) = φ [x
[x’/x]
/x] Æ (x = e[x
e[x’/x])
/x])
2
LOCK = 0, LOCK = 1
3
LOCK = 0, LOCK = 1
SP(φ, x:=e) w.r.t. P(Loc) = ψ s.t.
4
LOCK = 0,
0 LOCK = 1
(1) SP(φ, x:
x:=e)
e) ⇒ ψ
5
LOCK = 0, LOCK = 1
(2) ψ is a boolean combination of P(Loc)
6
LOCK = 0, LOCK = 1
Yunho Kim@ pswlab
Reachability Tree
The software model checker BLAST
14 / 28
Forward search(3/4)
2:
3:
4:
5:
6:
do {
l k()
lock();
old = new;
if (*) {
unlock();
new++;
}
} while (new != old);
unlock();
return;
2
LOCK = 0
lock()
old=new
[T]
4
3
LOCK = 1
LOCK = 1
Compute successors where op = ‘[pred]’
[pred] and
Map P from Loc to set of predicates
Loc is successors’ program counter
Location
Predicates
2
LOCK = 0, LOCK = 1
SP(φ [pred]) = φ Æ [pred]
SP(φ,
3
LOCK = 0, LOCK = 1
SP(φ, [pred]) w.r.t. P(Loc) = ψ s.t.
4
LOCK = 0,
0 LOCK = 1
(1) SP(φ
SP(φ, [pred]) ⇒ ψ
5
LOCK = 0, LOCK = 1
(2) ψ is a boolean combination of P(Loc)
6
LOCK = 0, LOCK = 1
Yunho Kim@ pswlab
Reachability Tree
The software model checker BLAST
15 / 28
Forward search(4/4)
2:
3:
4:
5:
6:
do {
l k()
lock();
old = new;
if (*) {
unlock();
new++;
}
} while (new != old);
unlock();
return;
2
lock()
old=new
[T]
4
Map P from Loc to set of predicates
Location
Predicates
2
LOCK = 0, LOCK = 1
3
LOCK = 0, LOCK = 1
4
LOCK = 0,
0 LOCK = 1
5
LOCK = 0, LOCK = 1
6
LOCK = 0, LOCK = 1
Yunho Kim@ pswlab
LOCK = 0
5
3
LOCK = 1
Counterexample trace
1: assume(true);
2: lock = 1;
LOCK = 1
old = new;
unlock()
l k()
new++
3: assume(true);
LOCK = 0
4: lock = 0;
new++;
[new==old]
6
LOCK = 0
5: assume(new==old);
unlock()
6: assume(LOCK!=1);
err
Reachability Tree
The software model checker BLAST
16 / 28
Feasibility checking
Counterexample trace
SSA form
Trace formula
1 assume(true);
1:
(t
)
1 assume(true);
1:
(t
)
1
1:
2: LOCK = 1;
2: LOCK0 = 1;
2: Æ LOCK0 = 1;
old = new;
old0 = new0;
t
true
Æ old0 = new0;
3: assume(true);
3: assume(true);
3: Æ true;
4: LOCK = 0;
4: LOCK1 = 0;
4: Æ LOCK1 = 0;
new++;
new1 = new0 + 1;
Æ new1 = new0 + 1;
5: assume(new==old);
5: assume(new1==old0);
5: Æ new1==old0;
6: assume(LOCK!=1);
assume(LOCK! 1);
6: assume(LOCK1!=1);
! 1);
6: Æ LOCK1!=1;
Trace is feasible Ù Trace formula is satisfiable
Yunho Kim @ pswlab
Lazy Abstraction
17 / 28
Which predicate is needed?
Counterexample trace
Trace formula
1 assume(true);
1:
(t
)
1
1:
2: LOCK = 1;
2: Æ LOCK0 = 1;
t
true
Æ old0 = new0;
old = new;
3: assume(true);
3: Æ true;
4: LOCK = 0;
4: Æ LOCK1 = 0;
Æ new1 = new0 + 1;
new++;
5: assume(new==old);
5: Æ new1==old0;
6: assume(LOCK!=1);
assume(LOCK! 1);
6: Æ LOCK1!=1;
! 1;
Relevant information
1 Can be obtained after executing trace
1.
2. has present values of variables
3. Makes trace suffix infeasible
Yunho Kim @ pswlab
Lazy Abstraction
Relevant predicate
1 Implied by TF preffix
1.
2. On common variables
3. TF suffix is unsatisfiable
18 / 28
Craig interpolant
Given a pair (φ-, φ+) of formulas, an interpolant for (φ-, φ+)
is a formula ψ such that
(i) φ- ⇒ ψ
((ii)) ψ Æ φ+ iss u
unsatisfiable
sat s ab e
(iii) the variables of ψ are common to both φ- and φ+
If φ- Æ φ+ is unsatisfiable, then an interpolant always
p
from a proof
p
of
exists,, and can be computed
unsatisfiability of φ- Æ φ+
Yunho Kim@ pswlab
The software model checker BLAST
19 / 28
Craig interpolant
Counterexample trace
Trace formula
1 assume(true);
1:
(t
)
1
1:
2: LOCK = 1;
2: Æ LOCK0 = 1;
t
true
Æ old0 = new0;
old = new;
3: assume(true);
3: Æ true;
4: LOCK = 0;
4: Æ LOCK1 = 0;
Æ new1 = new0 + 1;
new++;
5: assume(new==old);
5: Æ new1==old0;
6: assume(LOCK!=1);
assume(LOCK! 1);
6: Æ LOCK1!=1;
! 1;
Relevant predicate
p
by
y TF suffix
1. Implied
2. On common variables
3. Æ TF suffix is unsatisfiable
Yunho Kim @ pswlab
Lazy Abstraction
φφ+
Interpolant
p
ψ
old0 = new0
Interpolant ψ
old
ld0 = new0
Interpolant ψ
Old0 !
!= new0
ψ is a formula such that
1. φ- ⇒ ψ
2. ψ only contains common
variables of φ– and φ+
3. ψ Æ φ+ is unsatisfiable
20 / 28
Search with new predicates(1/3)
2:
3:
4:
5:
6:
do {
l k()
lock();
old = new;
if (*) {
unlock();
new++;
}
} while (new != old);
unlock();
return;
2
LOCK = 0
lock()
old=new
3
LOCK = 1 Æ new = old
Map P’ from loc to set of predicates
Location
Predicates
2
LOCK = 0, LOCK = 1,
3
LOCK = 0, LOCK = 1, old = new
4
LOCK = 0,
0 LOCK = 1,
1 old = new
5
LOCK = 0, LOCK = 1, old != new
6
LOCK = 0, LOCK = 1
Yunho Kim @ pswlab
Lazy Abstraction
21 / 28
Search with new predicates(2/3)
2:
3:
4:
5:
6:
do {
l k()
lock();
old = new;
if (*) {
unlock();
new++;
}
} while (new != old);
unlock();
return;
2
lock()
old=new
ld
[T]
LOCK = 1 Æ new = old
Map P’ from loc to set of predicates
Location
3
LOCK = 1 Æ new = old
4
unlock()
new++
LOCK = 0 Æ new ≠ old 5
Predicates
[new!=old]
2
LOCK = 0, LOCK = 1,
3
LOCK = 0, LOCK = 1, old = new
4
LOCK = 0,
0 LOCK = 1,
1 old = new
5
LOCK = 0, LOCK = 1, old != new
LOCK = 0 Æ
new ≠ old
6
LOCK = 0, LOCK = 1
COVERED
Yunho Kim @ pswlab
LOCK = 0
2
Lazy Abstraction
22 / 28
Search with new predicates(3/3)
2:
3:
4:
5:
6:
do {
l k()
lock();
old = new;
if (*) {
unlock();
new++;
}
[T]
} while (new != old);
unlock();
LOCK = 1 Æ new = old 4
return;
unlock()
l k()
2
LOCK = 0
lock()
old=new
3
LOCK = 1 Æ new = old
[T]
[
]
new++
LOCK = 0 Æ new ≠ old 5
5
[new!=old]
[
]
2
LOCK = 0 Æ
new ≠ old
COVERED
Yunho Kim @ pswlab
LOCK = 1 Æ new = old
[new==old]
6
2
FALS FALS
E
E
6
LOCK = 1 Æ new = old
unlock()
ret LOCK = 0 Æ new = old
Safe!
Lazy Abstraction
23 / 28
Local predicate use
Use predicates needed at location
•
#Preds. grows with program size
•
#Preds per location is small
Local Predicate use
Ex: 2n states
Yunho Kim @ pswlab
Global Predicate use
Ex: 2n states
Lazy Abstraction
24 / 28
Experiments
funlock.c is an example we covered
driver c is a Windows driver for verifying locking
driver.c
discipline
read c floppy.c
read.c,
floppy c are drivers from Windows DDK
qpmouse.c and llrw_block.c are drivers from Linux
Experiments ran on 800MHz PIII with 256M RAM
Yunho Kim @ pswlab
Lazy Abstraction
25 / 28
Conclusions
BLAST is a software model checker for verifying program
written in C language
g g
BLAST improves the scheme of CEGAR by implementing
lazyy abstraction
z
z
avoids redundant abstraction and checking
Predicates are locally applied and states are locally abstracted
Yunho Kim @ pswlab
Lazy Abstraction
26 / 28
Reference
The Software Model Checker Blast: Applications to Software
Engineering.
by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala,
and Rupak Majumdar
in Int.
Int Journal on Software Tools for Technology Transfer
Transfer, 2007
Lazy abstraction
by Thomas
o as A. Henzinger,
e
ge , Ranjit
a jtJ
Jhala,
a a, Rupak
upa Majumdar,
aju da , and
a d
Grégoire Sutre
in ACM SIGPLAN – SIGACT Conference on
P i i l Of P
Principle
Programming
i L
Language 2000
Abstractions from Proofs
by Thomas A.
A Henzinger,
Henzinger Ranjit Jhala
Jhala, Rupak Majumdar and Kenneth
L. McMillan
in ACM SIGPLAN-SIGACT Conference on
Principles of Programming Languages, 2004
Yunho Kim @ pswlab
Lazy Abstraction
27 / 28
Reference
Lazy Abstraction slides
by Jinseong Jeon
in CS750 class, Fall, 2006
Software Verification with BLAST slides
by Tom Henzinger, Ranjit , Rupak Majumdar
in SPIN workshop 2005 tutoria φ ψ
Yunho Kim @ pswlab
Lazy Abstraction
28 / 28
© Copyright 2026 Paperzz