Int J Softw Tools Technol Transfer (2007) 9:505–525 DOI 10.1007/s10009-007-0044-z SPECIAL SECTION FASE’04/05 The software model checker BLAST Applications to software engineering Dirk Beyer Thomas A. Henzinger Ranjit Jhala · · · Rupak Majumdar Published online: 13 September 2007 © Springer-Verlag 2007 Abstract Blast is an automatic verification tool for cause such executions. Our experiments show that Blast checking temporal safety properties of C programs. Given a can provide automated, precise, and scalable analysis for C program and a temporal safety property, Blast either sta- C programs. tically proves that the program satisfies the safety property, or provides an execution path that exhibits a violation of the Keywords Model checking Software verification · · property (or, since the problem is undecidable, does not ter- Software specification Memory safety Test-case · · minate). Blast constructs, explores, and refines abstractions generation of the program state space based on lazy predicate abstrac- tion and interpolation-based predicate discovery. This paper gives an introduction to Blast and demonstrates, through two case studies, how it can be applied to program verifica- 1 Introduction tion and test-case generation. In the first case study, we use Blast to statically prove memory safety for C programs. Model checking is an algorithmic technique to verify a sys- We use CCured, a type-based memory-safety analyzer, to tem description against a specification [20,22,75]. Given a annotate a program with run-time assertions that check for system description and a logical specification, the model- safe memory operations. Then, we use Blast to remove as checking algorithm either proves that the system description many of the run-time checks as possible (by proving that satisfies the specification, or reports a counterexample that these checks never fail), and to generate execution scenarios violates the specification. Software model checking, the ap- that violate the assertions for the remaining run-time checks. plication of algorithmic verification to implemented code, In our second case study, we use Blast to automatically has been an active area of recent research [4,17,28,35,42, generate test suites that guarantee full coverage with res- 52,66]. The input to a software model checker is the program pect to a given predicate. Given a C program and a target source (system description) and a temporal safety property predicate p, Blast determines the program locations q for (specification). The specification is usually given by program which there exists a program execution that reaches q with instrumentation that defines a monitor automaton [5,7,41, p true, and automatically generates a set of test vectors that 79], which observes if a program execution violates the de- sired property, such as adherence to a locking or security D. Beyer (B) discipline. The output of the model checker is ideally either Simon Fraser University, Surrey, BC, Canada a proof of program correctness that can be separately vali- dated [47,68], or a counterexample in the form of a specific T. A. Henzinger EPFL, Lausanne, Switzerland execution path of the program. A key paradigm behind some of the new software ver- R. Jhala ification tools is the principle of counterexample-guided University of California, San Diego, USA abstraction refinement (CEGAR) [1,3,4,21,49,61,78]. In R. Majumdar this paradigm, the model checker attempts to verify the pro- University of California, Los Angeles, USA perty starting with a coarse abstraction of the program, which 123 506 D. Beyer et al. tracks only a few relations (called predicates) between safety. The second study [6] uses the abstract and symbolic program variables, instead of the full program state. By the state exploration capabilities of Blast to generate test cases conservative nature of this abstraction, if the verification suc- that meet a certain coverage goal. We proceed with a brief ceeds, then one is guaranteed that the concrete program satis- overview of software verification tools that are related to fies the specification. If the verification fails, then it produces Blast, and then we explain the two case studies. a path that violates the specification in the abstract program. Software model checking. Program verification has been This path may either correspond to a concrete program execu- a central problem since the early days of computer science tion (feasible path) which violates the specification, or arise [34,50,63,64]. The area has received much research attention due to the imprecision of the abstraction, and thus not corres- in recent years owing to new algorithmic techniques (such pond to a concrete program execution (infeasible path). In the as CEGAR) and faster computers, which have renewed the former case, a program bug has been found. In the latter case, promise of providing automatic tools for checking program the infeasibility of the abstract error path is used to automa- correctness and generating counterexamples [51]. tically deduce additional predicates which encode relevant Automatic software verification tools can be broadly clas- facts about the program variables. By tracking the values of sified into execution-based and abstraction-based approa- these additional predicates, the abstraction of the program ches. Execution-based model checkers [2,35,42,52,66] is refined in a way that guarantees that subsequent verifi- exhaustively search the concrete state space of a program. cation attempts, which use the refined abstraction, will not The emphasis of this approach is on finding bugs rather produce the previously encountered infeasible error path. The than proving correctness, and the main challenge is scaling entire process is repeated, by discovering and tracking an ever the search to large state spaces. Abstraction-based verifiers increasing number of predicates, until either a feasible path [12,28,31,62] compute an abstraction of the state space. The that witnesses a program bug (the so-called counterexample) emphasis is on proving correctness by demonstrating the is found, or the abstraction is precise enough to prove the absence of bugs in the abstract domain, and the main chal- absence of such paths (or, since the verification problem is lenge is improving the precision of the analysis. Traditionally, undecidable, the iteration of refinements never terminates). abstractions are specified manually by providing a lattice of The result is a sound (no violations of the specification are dataflow facts to be tracked. missed) and precise (no false alarms are generated) program CEGAR techniques combine aspects of both execution- verification algorithm. based and abstraction-based approaches. The CEGAR loop The scheme of counterexample-guided predicate abstrac- tries to automate the process of finding a suitable abstrac- tion refinement was first implemented for verifying software tion by stepwise abstraction refinement, which is guided by the Slam project [4], and applied successfully to find by searching for abstract error paths and relating them to bugs in device drivers. The basic scheme was improved by the concrete state space. The promise of CEGAR is that the Blast model checker. First, relevant predicates are dis- it will automatically adjust the precision of an abstraction covered locally and independently at each program location for the purpose of proving the property of interest, while at as interpolants between the past and the future fragments of the same time keeping the abstract state space small enough an infeasible error path (interpolation-based predicate disco- to be efficiently searched. Implementations of CEGAR in- very)[46]. Second, instead of constructing an abstraction of clude Slam, Blast, Magic, Moped, SatAbs, and F- Soft the program which tracks all relevant predicates, the disco- [4,17,23,33,54]. The integration of execution-based and vered new predicates are added and tracked locally in some abstraction-based techniques has been carried even further parts of a tree that represents the abstract executions of the in several recent projects: abstraction-based model checkers program, namely, in those parts where the infeasible error can be accelerated by exploring concrete program executions path occurred (lazy predicate abstraction)[49]. The resul- [38,60], and execution-based tools can be augmented to pro- ting program abstraction is nonuniform, in that different pre- pagate symbolic inputs [36,80]. dicates are tracked at different program locations, possibly even at different visits to the same location. This emphasis Checking memory safety. Invalid memory access is a major on parsimonious abstractions renders the analysis scalable source of program failures. If a program statement dere- for large programs: Blast has been used to verify tempo- ferences a pointer that points to an invalid memory cell, ral safety properties of C programs with up to 50 K lines of the program is either aborted by the operating system or, code [57]. often worse, the program continues to run with an undefi- In this article we provide a tutorial introduction to the ned behavior. To avoid the latter, one can perform checks Blast model checker, and demonstrate its use in program before every memory access at run time. For some program- analysis and software testing through two case studies. The ming languages (e.g., Java) this is done automatically by first study [9] uses Blast to check run-time assertions on the compiler/run-time environment, at considerable perfor- the safe usage of pointers, which ensures a form of memory mance cost. For C, neither the compiler nor the run-time 123 The software model checker BLAST 507 environment enforces memory-safety policies. As a result, Generating test cases. Model checking requires a specifica- C programmers often face program crashes (or worse, tion. In the absence of particular correctness assertions, the security vulnerabilities) whose cause can be traced back to software engineer may still be interested in a set of inputs improper access of memory. that exercise the program “enough,” for example, by mee- Memory safety is a fundamental correctness property, and ting certain coverage goals.