CSC2108 Lazy Abstraction on Software Model Checking - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
CSC2108 Lazy Abstraction on Software Model Checking
  • Wai Sum Mong

2
Survey of BLAST
  • Berkeley Lazy Abstraction Software Verification
    Tool
  • A software model checker for C programs
  • The goal is to check whether the program obeys
    the API rules
  • Same goal as SLAM (Microsoft)
  • Based on the abstract-check-refine approach
  • Lazy Abstraction
  • Integrates and possibly optimizes the
    abstract-check-refine approach

3
Problem Statement
  • Check whether the lines labeled by ERROR are
    reachable
  • Static analysis
  • assert(0) - runtime

4
Abstract-check-refine Loop

5
Abstraction
  • State <-> region

6
Lazy Abstraction
  • Integrates the three steps
  • Try to reuse work already done
  • Two Principles
  • On-the-fly Abstraction
  • On-demand Refinement

7
On-the-fly Abstraction
  • Some regions are never visited
  • Abstract only when needed

8
On-demand Refinement
  • Why check the same region again?
  • Add new predicates only when needed
  • Reuse the partial answer

9
Implementation
  • Control flow automaton
  • Verification
  • Forward Search (abstract post)
  • Backward Counterexample Analysis (concrete pred)
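
Added example, not code from the slides or from BLAST itself: a brute-force predicate abstraction over a constructed lock/unlock loop, showing the forward search with abstract post from this slide and how the abstract-check-refine loop behaves before and after the predicate new == old is added. The toy program, the names DOMAIN, CFA, PREDICATES and reachable, and the finite variable domain are assumptions; the refinement step (deriving the missing predicate from the spurious counterexample) is done by hand here rather than automated.

```python
# Constructed toy: the classic lock/unlock loop as a control flow automaton (CFA).
#   L1: lock(); old = new;   L2: if (*) { unlock(); new++; }   L3: if (new != old) goto L1
# lock() at L1 with the lock held is the ERROR. Variables live in a small finite domain so the
# abstract post can be computed exactly by brute force (new++ wraps mod 3 to stay finite).
DOMAIN = [dict(lock=l, new=n, old=o) for l in (0, 1) for n in range(3) for o in range(3)]
PREDICATES = {"LOCKED": lambda s: s["lock"] == 1,
              "EQ": lambda s: s["new"] == s["old"]}

def assume(cond):            # edge op: the state passes through iff cond holds
    return lambda s: [s] if cond(s) else []
def lock_acquire(s):         # lock(); old = new  (only when the lock is free)
    return [dict(s, lock=1, old=s["new"])] if s["lock"] == 0 else []
def unlock_incr(s):          # unlock(); new++
    return [dict(s, lock=0, new=(s["new"] + 1) % 3)]

CFA = [  # (source location, operation, target location)
    ("L1", assume(lambda s: s["lock"] == 1), "ERR"),      # double lock
    ("L1", lock_acquire, "L2"),
    ("L2", assume(lambda s: True), "L3"),                 # skip the if-branch
    ("L2", unlock_incr, "L3"),                            # take the if-branch
    ("L3", assume(lambda s: s["new"] != s["old"]), "L1"),
    ("L3", assume(lambda s: s["new"] == s["old"]), "END"),
]

def alpha(s, preds):         # abstraction: concrete state -> set of true predicates
    return frozenset(p for p in preds if PREDICATES[p](s))

def abstract_post(region, op, preds):
    """Existential abstract post: run op on every concrete state the region
    stands for and abstract the results (exact only because DOMAIN is finite)."""
    return {alpha(t, preds) for s in DOMAIN if alpha(s, preds) == region
            for t in op(s)}

def reachable(preds):
    """Forward search over abstract states (location, region), as on slide 9.
    Returns the set of locations the abstraction reports as reachable."""
    worklist = [("L1", alpha(s, preds)) for s in DOMAIN if s["lock"] == 0]
    seen = set(worklist)
    while worklist:
        loc, region = worklist.pop()
        for _, op, dst in (e for e in CFA if e[0] == loc):
            for succ in abstract_post(region, op, preds):
                if (dst, succ) not in seen:
                    seen.add((dst, succ))
                    worklist.append((dst, succ))
    return {loc for loc, _ in seen}

if __name__ == "__main__":
    print("ERR" in reachable(["LOCKED"]))        # True: spurious, abstraction too coarse
    print("ERR" in reachable(["LOCKED", "EQ"]))  # False: refined with the predicate new == old
```

With only LOCKED tracked the search reaches ERR through the loop back-edge, because the abstraction cannot tell that the lock was released whenever new != old; adding EQ on demand removes that spurious path and ERR becomes unreachable.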

10
Architecture of BLAST

11
BLAST
  • Only checked on device drivers
  • Predicates
  • Supports integers only so far
  • No support for multithreaded programs in the
    current release

12
Using BLAST
  • Not a good experience
  • Experiments
  • Very simple linked-list package
  • Error
  • Limitations
  • Pointer
  • Multithreaded programs
  • C source code as input (C library functions?)

13
Conclusion
  • Theoretically, optimizes the checking process
  • Similar to SLAM, except lazy abstraction
  • No access to SLAM
  • Cannot evaluate so far