The Software Model Checker BLAST - Chair of Software Engineering

Download PDF
1 downloads 239 Views 47KB Size Report
Comment
17 Mar 2009 ... 1. The Software Model Checker. BLAST: Applications to Software. Engineering. Dirk Beyer, Thomas A. Henzinger,. Ranjit Jhala, RupakĀ ...
The Software Model Checker BLAST: Applications to Software Engineering Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar Int. Journal on Software Tools for Technology Transfer, 2007

Stefan Buchholz March 17, 2009

1

Model checking

Program source Property

software model checker

e.g. modified C-code (SLAM, BLAST) - Valid according to the specification - Error path 2

Model checking Goal Find a path from an initial state to an error state (reachability)

Problem State explosion ! Infeasible to check every state.

BLAST's solution Dynamic (lazy) predicate abstraction

3

CEGAR Counterexample-guided abstraction refinement Start with a coarse abstraction Try to reach an error state in the abstract domain Success

Fail

Is the path feasible ?

No

Refine the abstraction

Program satisfies the specification Yes

Safety property violated (bug) 4

Optimizations

Lazy predicate abstraction don't refine error-free regions

Interpolation-based predicate discovery add predicates locally when refining

5

Applications Reduce runtime memory-checks Test their reachability and remove unnecessary ones

Automatic test generation For any counterexample found try to generate a test vector

BLASTing Linux Code

6

Demonstration Open source ! http://mtc.epfl.ch/software-tools/blast/

7

Limitations False alarms (can't show infeasability of a path) Mathematical integers (no overflows modeled) Decision functions only implement linear arithmetic Uninterpreted functions (e.g. bit-level manipulations) Simple pointer arithmetic and alias-handling

Weak predicate language No logical quantifiers No precise reasoning about recursive functions possible

8

Conclusion +

Good performance and scalability

-

Limitations make it impractical for a lot of real world applications (pointer arithmetic !)

-

Manually modifying the source code is always required

9

BACKUP

10

Data structures Control flow automaton (CFA) Internal representation of a program Nodes are control points, edges are operations

Abstract reachability tree (ART) Represents a portion of the reachable state space A path in the ART corresponds to a program execution Each node stores a link to a CFA-location, the current call stack and the state of variables

11

Automatic test generation Target Predicate Coverage Can a location be reached and the variables satisfy a predicate p ? e.g. p = true for location coverage

Coverage of a location L Test if L is reachable (dead code detection) When a feasible path is found generate a variable assignment that guides it to the location Embarrassingly parallel

12