Software Verification with BLAST
Daniele Sgandurra
Università di Pisa
Seminar, 10 December 2008

Outline
1 Introduction
  • Model Checking
  • Blast
  • Motivation
2 Lazy Abstraction
  • Reachability Tree
3 Complete Examples
  • Example 1
  • Example 2
4 Demo
  • Download and Installation
  • Tutorial
Model Checking
• Model checking is an algorithmic technique to verify a system description against a specification.
• Given a system description and a logical specification, the model-checking algorithm either proves that the system description satisfies the specification, or reports a counterexample that violates the specification.
• The input to a software model checker is the program source (=system description) and a temporal safety property (=specification).
• The specification is usually given by program instrumentation that defines a monitor automaton, which observes if a program execution violates the desired property.
• The output of the model checker is ideally either a proof of program correctness that can be separately validated, or a counterexample in the form of a specific execution path of the program.
Counterexample-Guided Abstraction Refinement
• CEGAR: Counterexample-Guided Abstraction Refinement.
• The model checker attempts to verify the property starting with a coarse abstraction of the program, which tracks only a few relations (=predicates) between program variables.
• If the verification succeeds, then the concrete program satisfies the specification.
• If the verification fails, then it produces a path that violates the specification in the abstract program.
• The path may either correspond to a concrete program execution (feasible path) which violates the specification, or arise due to the imprecision of abstraction, and thus not correspond to a concrete program execution (infeasible path).
• In the case of a feasible path, a program bug has been found.
• In the case of an infeasible path, the infeasibility of the abstract error path is used to automatically deduce additional predicates which encode relevant facts about the program.
• By tracking the values of these additional predicates, the abstraction of the program is refined in a way that guarantees that subsequent verification attempts will not produce the previously encountered infeasible error path.
• The entire process is repeated, by discovering and tracking an ever increasing number of predicates, until either a feasible path that witnesses a program bug (=counterexample) is found, or the abstraction is precise enough to prove the absence of such paths.
• First, relevant predicates are discovered locally and independently at each program location as interpolants between the past and the future fragments of an infeasible error path (interpolation-based predicate discovery).
• Second, instead of constructing an abstraction of the program which tracks all relevant predicates, the discovered new predicates are added and tracked locally in some parts of a tree that represents the abstract executions of the program, namely, in those parts where the infeasible error path occurred (lazy predicate abstraction).
• The resulting program abstraction is nonuniform, in that different predicates are tracked at different program locations, possibly even at different visits to the same location.
Predicate Discovery
• The predicate-discovery algorithm takes the path formula and finds new predicates that must be added to the abstraction in order to rule out the infeasible error path.
• The key to adding predicates is the notion of an interpolant (Craig interpolants).
• By examining the program at certain cut points, predicates are added to show the feasibility or infeasibility of a path (using Craig Interpolants).
• The refinement algorithm cuts the infeasible error path at every node.
What is BLAST?
• The Berkeley Lazy Abstraction Software verification Tool is a model checker that checks the safety properties of C programs.
• “Automated, precise and scalable”.
• Some slides are taken/adapted from:
  • SPIN Workshop 2005 Blast tutorial
  • http://mtc.epfl.ch/software-tools/blast/
  • Authors: Tom Henzinger, Ranjit Jhala, Rupak Majumdar
Motivation
• Goal: decide reachability of a program location
• Safety properties can be translated into this task:
  • Assertion violation;
  • Memory safety;
  • Pre- and post-conditions;
  • Locking policy;
  • ...
BLAST Working
• Build an abstract model using predicate abstraction.
• Check for reachability of a specified label using the abstract model.
• If no path to ERR node: system safe.
• If path is feasible, output error trace.
• Else use infeasibility of path to refine abstract model.

BLAST Working (figure slide: diagram only)
Locking

  1: do{
       lock();
       old = new;
       q = q->next;
  2:   if(q != NULL){
  3:     q->data = new;
         unlock();
         new++;
       }
  4: } while(new != old);
  5: unlock();
     return;
  }
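The CEGAR loop from the previous slides run on the locking program above, as an added illustration rather than BLAST's own code. Assumptions: a concrete state is (locked, new - old clipped to 0..2, q == NULL); the abstract post is computed by enumerating that tiny domain instead of asking a theorem prover; predicates are tracked uniformly at every location rather than lazily per tree node; and refinement takes the next predicate from a given candidate list instead of computing Craig interpolants.

```python
from collections import deque
from itertools import product

# Concrete state (locked, d, qnull) with d = new - old clipped to 0..2; this
# tiny finite domain stands in for the theorem prover that BLAST would query.
ERR, STATES = "ERR", list(product((0, 1), (0, 1, 2), (0, 1)))
PREDICATES = {"locked": lambda s: s[0] == 1, "new==old": lambda s: s[1] == 0}
alpha = lambda s, preds: tuple(PREDICATES[p](s) for p in preds)  # abstraction

def lock(s):        # lock(); old = new; q = q->next   (q->next is unknown)
    return [ERR] if s[0] else [(1, 0, qn) for qn in (0, 1)]
def unlock(s):      # unlock() while not locked violates the locking policy
    return [ERR] if not s[0] else [(0, s[1], s[2])]
def unlock_inc(s):  # q->data = new; unlock(); new++
    return [t if t == ERR else (0, min(t[1] + 1, 2), t[2]) for t in unlock(s)]
def assume(cond): return lambda s: [s] if cond(s) else []
CFG = {  # (target, operation) per edge; 1..5 are the slide's line labels
    1: [(2, lock)], 3: [(4, unlock_inc)], 5: [(6, unlock)], 6: [],
    2: [(3, assume(lambda s: s[2] == 0)), (4, assume(lambda s: s[2] == 1))],
    4: [(1, assume(lambda s: s[1] != 0)), (5, assume(lambda s: s[1] == 0))]}
def abstract_post(loc, aval, preds):  # existential abstraction of one step
    return {(ERR, ()) if t == ERR else (loc2, alpha(t, preds))
            for s in STATES if alpha(s, preds) == aval
            for loc2, op in CFG[loc] for t in op(s)}
def abstract_error_path(preds):  # BFS over the abstract reachability tree
    init = {(1, alpha(s, preds)) for s in STATES if s[0] == 0}  # start unlocked
    seen, queue = set(init), deque((n, [1]) for n in init)
    while queue:
        (loc, aval), path = queue.popleft()
        if loc == ERR:
            return path
        for m in abstract_post(loc, aval, preds):
            if m not in seen:
                seen.add(m); queue.append((m, path + [m[0]]))
    return None
def feasible(path):  # replay the abstract path concretely from every unlocked start
    frontier = {s for s in STATES if s[0] == 0}
    for loc, nxt in zip(path, path[1:]):
        ops = [op for loc2, op in CFG[loc] if nxt == ERR or loc2 == nxt]
        frontier = {t for s in frontier if s != ERR for op in ops for t in op(s)}
    return ERR in frontier

def cegar(preds=("locked",), candidates=("new==old",)):
    preds, todo, log = list(preds), list(candidates), []
    while (path := abstract_error_path(preds)) is not None:
        log.append(path)
        if feasible(path):
            return "BUG", preds, log
        assert todo, "no candidate predicate left; BLAST would compute an interpolant"
        preds.append(todo.pop(0))  # refine: track one more predicate everywhere
    return "SAFE", preds, log
```

With only `locked` tracked, the abstract model reports the path 1, 2, 4, 1, ERR (lock() called twice); the concrete replay shows it is infeasible because old = new makes the loop exit, and once new == old is tracked as well, ERR is unreachable and the program is reported SAFE.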
What a Program Really Is... (figure slide: diagram only)