The software model checker Blast

Applications to software engineering
  • Dirk Beyer
  • Thomas A. Henzinger
  • Ranjit Jhala
  • Rupak Majumdar
Special section FASE'04/05


Blast is an automatic verification tool for checking temporal safety properties of C programs. Given a C program and a temporal safety property, Blast either statically proves that the program satisfies the safety property, or provides an execution path that exhibits a violation of the property (or, since the problem is undecidable, does not terminate). Blast constructs, explores, and refines abstractions of the program state space based on lazy predicate abstraction and interpolation-based predicate discovery. This paper gives an introduction to Blast and demonstrates, through two case studies, how it can be applied to program verification and test-case generation. In the first case study, we use Blast to statically prove memory safety for C programs. We use CCured, a type-based memory-safety analyzer, to annotate a program with run-time assertions that check for safe memory operations. Then, we use Blast to remove as many of the run-time checks as possible (by proving that these checks never fail), and to generate execution scenarios that violate the assertions for the remaining run-time checks. In our second case study, we use Blast to automatically generate test suites that guarantee full coverage with respect to a given predicate. Given a C program and a target predicate p, Blast determines the program locations q for which there exists a program execution that reaches q with p true, and automatically generates a set of test vectors that cause such executions. Our experiments show that Blast can provide automated, precise, and scalable analysis for C programs.


Model checking Software verification Software specification Memory safety Test-case generation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alur R., Itai A., Kurshan R.P. and Yannakakis M. (1995). Timing verification by successive approximation. Inf. Comput. 118(1): 142–157 zbMATHCrossRefMathSciNetGoogle Scholar
  2. 2.
    Andrews, T., Qadeer, S., Rajamani, S.K., Rehof, J., Xie, Y.: Zing: A model checker for concurrent software. In: Proc. CAV, LNCS, vol. 3114, pp. 484–487. Springer, Berlin (2004)Google Scholar
  3. 3.
    Balarin, F., Sangiovanni-Vincentelli, A.L.: An iterative approach to language containment. In: Proc. CAV, LNCS, vol. 697, pp. 29–40. Springer, Berlin (1993)Google Scholar
  4. 4.
    Ball, T., Rajamani, S.K.: The Slam project: Debugging system software via static analysis. In: Proc. POPL, pp. 1–3. ACM, New York (2002)Google Scholar
  5. 5.
    Ball, T., Rajamani, S.K.: SLIC: A specification language for interface checking (of C). Tech. Rep. MSR-TR-2001-21, Microsoft Research (2002)Google Scholar
  6. 6.
    Beyer, D., Chlipala, A.J., Henzinger, T.A., Jhala, R., Majumdar, R.: Generating tests from counterexamples. In: Proc. ICSE, pp. 326–335. IEEE, Los Alamitos (2004)Google Scholar
  7. 7.
    Beyer, D., Chlipala, A.J., Henzinger, T.A., Jhala, R., Majumdar, R.: The Blast query language for software verification. In: Proc. SAS, LNCS, vol. 3148, pp. 2–18. Springer, Berlin (2004)Google Scholar
  8. 8.
    Beyer, D., Henzinger, T.A., Jhala, R., Majumdar, R.: An Eclipse plug-in for model checking. In: Proc. IWPC, pp. 251–255. IEEE, Los Alamitos (2004)Google Scholar
  9. 9.
    Beyer, D., Henzinger, T.A., Jhala, R., Majumdar, R.: Checking memory safety with Blast. In: Proc. FASE, LNCS, vol. 3442, pp. 2–18. Springer, Berlin (2005)Google Scholar
  10. 10.
    Beyer, D., Henzinger, T.A., Théoduloz, G.: Lazy shape analysis. In: Proc. CAV, LNCS, vol. 4144, pp. 532–546, Springer, Berlin (2006)Google Scholar
  11. 11.
    Beyer, D., Henzinger, T.A., Théoduloz, G.: Configurable software verification: concretizing the convergence of model checking and program analysis. In: Proc. CAV, LNCS, vol. 4590, pp. 504–518. Springer, Berlin (2007)Google Scholar
  12. 12.
    Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Mine, A., Monniaux, D., Rival, X.: Design and implementation of a special-purpose static program analyzer for safety-critical real-time embedded software. In: The Essence of Computation, Complexity, Analysis, Transformation: Essays Dedicated to Neil D. Jones, LNCS, vol. 2566, pp. 85–108. Springer, Berlin (2002)Google Scholar
  13. 13.
    Bodik, R., Gupta, R., Sarkar, V.: ABCD: eliminating array bounds checks on demand. In: Proc. PLDI, pp. 321–333. ACM, New York (2000)Google Scholar
  14. 14.
    Bodik, R., Gupta, R., Soffa, M.L.: Interprocedural conditional branch elimination. In: Proc. PLDI, pp. 146–158. ACM, New York (1997)Google Scholar
  15. 15.
    Boyapati, C., Khurshid, S., Marinov, D.: Korat: automated testing based on Java predicates. In: Proc. ISSTA, pp. 123–133. ACM, New York (2002)Google Scholar
  16. 16.
    Carlisle, M.C.: Olden: parallelizing programs with dynamic data structures on distributed memory machines. Ph.D. thesis, Princeton University (1996)Google Scholar
  17. 17.
    Chaki, S., Clarke, E.M., Groce, A., Jha, S., Veith, H.: Modular verification of software components in C. IEEE Trans. Softw. Eng. 30(6), 388–402. Wiley, New York (2004)Google Scholar
  18. 18.
    Chen, H., Wagner, D.: MOPS: An infrastructure for examining security properties of software. In: Proc. CCS, pp. 235–244. ACM, New York (2002)Google Scholar
  19. 19.
    Chen, H., Wagner, D., Dean, D.: Setuid demystified. In: Proc. USENIX Security Symp., pp. 171–190 (2002)Google Scholar
  20. 20.
    Clarke, E.M., Emerson, E.A.: Design and synthesis of synchronization skeletons using branching-time temporal logic. In: Proc. Logic of Programs 1981, LNCS, vol. 131, pp. 52–71. Springer, Berlin (1982)Google Scholar
  21. 21.
    Clarke, E.M., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided abstraction refinement. In: Proc. CAV, LNCS, vol. 1855, pp. 154–169. Springer, Berlin (2000)Google Scholar
  22. 22.
    Clarke E.M., Grumberg O. and Peled D. (1999). Model Checking. MIT, Cambridge Google Scholar
  23. 23.
    Clarke, E.M., Kroening, D., Sharygina, N., Yorav, K.: SatAbs: SAT-based predicate abstraction for ANSI-C. In: Proc. TACAS, LNCS, vol. 3440, pp. 570–574. Springer, Berlin (2005)Google Scholar
  24. 24.
    Clarke L.A. (1976). A system to generate test data and symbolically execute programs. IEEE Trans. Softw. Eng. 2(3): 215–222 CrossRefGoogle Scholar
  25. 25.
    Clarke, L.A., Richardson, D.J.: Symbolic evaluation methods for program analysis. In: Program Flow Analysis: Theory and Applications, pp. 264–300. Prentice-Hall, Boston (1981)Google Scholar
  26. 26.
    Condit, J., Harren, M., McPeak, S., Necula, G.C., Weimer, W.: CCured in the real world. In: Proc. PLDI, pp. 232–244. ACM, New York (2003)Google Scholar
  27. 27.
    Cook, B., Kroening, D., Sharygina, N.: Cogent: accurate theorem proving for program verification. In: Proc. CAV, LNCS, vol. 3576, pp. 296–300. Springer, Berlin (2005)Google Scholar
  28. 28.
    Corbett, J.C., Dwyer, M.B., Hatcliff, J., Pasareanu, C., Robby, Laubach, S., Zheng, H.: Bandera: Extracting finite-state models from Java source code. In: Proc. ICSE, pp. 439–448. ACM, New York (2000)Google Scholar
  29. 29.
    Craig W. (1957). Linear reasoning. A new form of the Herbrand-Gentzen theorem. Symbolic Logic 22(3): 250–268 zbMATHMathSciNetGoogle Scholar
  30. 30.
    Cytron R., Ferrante J., Rosen B.K., Wegman M.N. and Zadek F.K. (1991). Efficiently computing static single-assignment form and the program dependence graph. ACM Trans. Program. Languages Systems 13(4): 451–490 CrossRefGoogle Scholar
  31. 31.
    Das, M., Lerner, S., Seigle, M.: ESP: Path-sensitive program verification in polynomial time. In: Proc. PLDI, pp. 57–68. ACM, New York (2002)Google Scholar
  32. 32.
    Detlefs D., Nelson G. and Saxe J.B. (2005). Simplify: A theorem prover for program checking. J. ACM 52(3): 365–473 CrossRefMathSciNetGoogle Scholar
  33. 33.
    Esparza, J., Kiefer, S., Schwoon, S.: Abstraction refinement with Craig interpolation and symbolic pushdown systems. In: Proc. TACAS, LNCS, vol. 3920, pp. 489–503. Springer, Berlin (2006)Google Scholar
  34. 34.
    Floyd, R.W.: Assigning meanings to programs. In: Mathematical Aspects of Computer Science, pp. 19–32. AMS (1967)Google Scholar
  35. 35.
    Godefroid, P.: Model checking for programming languages using VeriSoft. In: Proc. POPL, pp. 174–186. ACM, New York (1997)Google Scholar
  36. 36.
    Godefroid, P., Klarlund, N., Sen, K.: Dart: Directed automated random testing. In: Proc. PLDI, pp. 213–223. ACM, New York (2005)Google Scholar
  37. 37.
    Gotlieb, A., Botella, B., Rueher, M.: Automatic test data generation using constraint solving techniques. In: Proc. ISSTA, pp. 53–62. ACM, New York (1998)Google Scholar
  38. 38.
    Gulavani, B., Henzinger, T.A., Kannan, Y., Nori, A., Rajamani, S.K.: Synergy: a new algorithm for property checking. In: Proc. FSE. ACM, New York (2006)Google Scholar
  39. 39.
    Gunter, E., Peled, D.: Temporal debugging for concurrent systems. In: Proc. TACAS, LNCS, vol. 2280, pp. 431–444. Springer, Berlin (2002)Google Scholar
  40. 40.
    Gupta, N., Mathur, A.P., Soffa, M.L.: Generating test data for branch coverage. In: Proc. ASE, pp. 219–228. IEEE, Los Alamitos (2000)Google Scholar
  41. 41.
    Hallem, S., Chelf, B., Xie, Y., Engler, D.: A system and language for building system-specific static analyses. In: Proc. PLDI, pp. 69–82. ACM, New York (2002)Google Scholar
  42. 42.
    Havelund K. and Pressburger T. (2000). Model checking Java programs using Java PathFinder. STTT 2(4): 366–381 zbMATHGoogle Scholar
  43. 43.
    Henglein, F.: Global tagging optimization by type inference. In: Proc. LISP and Functional Programming, pp. 205–215. ACM, New York (1992)Google Scholar
  44. 44.
    Henzinger, T.A., Jhala, R., Majumdar, R.: Race checking by context inference. In: Proc. PLDI, pp. 1–13. ACM, New York (2004)Google Scholar
  45. 45.
    Henzinger, T.A., Jhala, R., Majumdar, R.: Permissive interfaces. In: Proc. ESEC/FSE, pp. 31–40. ACM, New York (2005)Google Scholar
  46. 46.
    Henzinger, T.A., Jhala, R., Majumdar, R., McMillan, K.L.: Abstractions from proofs. In: Proc. POPL, pp. 232–244. ACM, New York (2004)Google Scholar
  47. 47.
    Henzinger, T.A., Jhala, R., Majumdar, R., Necula, G.C., Sutre, G., Weimer, W.: Temporal-safety proofs for systems code. In: Proc. CAV, LNCS, vol. 2404, pp. 526–538. Springer, Berlin (2002)Google Scholar
  48. 48.
    Henzinger, T.A., Jhala, R., Majumdar, R., Sanvido, M.A.A.: Extreme model checking. In: International Symposium on Verification: Theory and Practice, LNCS, vol. 2772, pp. 332–358. Springer, Berlin (2003)Google Scholar
  49. 49.
    Henzinger, T.A., Jhala, R., Majumdar, R., Sutre, G.: Lazy abstraction. In: Proc. POPL, pp. 58–70. ACM, New York (2002)Google Scholar
  50. 50.
    Hoare C.A.R. (1969). An axiomatic basis for computer programming. Commun. ACM 12(10): 576–580 zbMATHCrossRefGoogle Scholar
  51. 51.
    Hoare C.A.R. (2003). The verifying compiler: a grand challenge for computing research. J. ACM 50(1): 63–69 CrossRefGoogle Scholar
  52. 52.
    Holzmann G.J. (1997). The Spin model checker. IEEE Trans. Softw. Eng. 23(5): 279–295 CrossRefMathSciNetGoogle Scholar
  53. 53.
    Hong, H.S., Cha, S.D., Lee, I., Sokolsky, O., Ural, H.: Data flow testing as model checking. In: Proc. ICSE, pp. 232–243. IEEE, Los Alamitos (2003)Google Scholar
  54. 54.
    Ivancic, F., Yang, Z., Ganai, M.K., Gupta, A., Shlyakhter, I., Ashar, P.: F-Soft: Software verification platform. In: Proc. CAV, LNCS, vol. 3576, pp. 301–306. Springer, Berlin (2005)Google Scholar
  55. 55.
    Jackson, D., Vaziri, M.: Finding bugs with a constraint solver. In: Proc. ISSTA, pp. 14–25. ACM, New York (2000)Google Scholar
  56. 56.
    Jasper, R., Brennan, M., Williamson, K., Currier, B., Zimmerman, D.: Test data generation and infeasible path analysis. In: Proc. ISSTA, pp. 95–107. ACM, New York (1994)Google Scholar
  57. 57.
    Jhala, R., Majumdar, R.: Path slicing. In: Proc. PLDI, pp. 38–47. ACM, New York (2005)Google Scholar
  58. 58.
    Khurshid, S., Pasareanu, C.S., Visser, W.: Generalized symbolic execution for model checking and testing. In: Proc. TACAS, LNCS, vol. 2619, pp. 553–568. Springer, Berlin (2003)Google Scholar
  59. 59.
    King J.C. (1976). Symbolic execution and program testing. Commun. ACM 19(7): 385–394 zbMATHCrossRefGoogle Scholar
  60. 60.
    Kroening, D., Groce, A., Clarke, E.M.: Counterexample guided abstraction refinement via program execution. In: Proc. ICFEM, LNCS, vol. 3308, pp. 224–238. Springer, Berlin (2004)Google Scholar
  61. 61.
    Kurshan, R.P.: Computer Aided Verification of Coordinating Processes. Princeton University Press (1994)Google Scholar
  62. 62.
    Lev-Ami, T., Sagiv, M.: Tvla: A system for implementing static analyses. In: Proc. SAS, LNCS, vol. 2280, pp. 280–301. Springer, Berlin (2000)Google Scholar
  63. 63.
    Manna Z. (1974). Mathematical Theory of Computation. McGraw-Hill, New York zbMATHGoogle Scholar
  64. 64.
    McCarthy, J.: Towards a mathematical science of computation. In: Proc. IFIP Congress, pp. 21–28. North-Holland (1962)Google Scholar
  65. 65.
    McMillan K.L. (2005). An interpolating theorem prover. Theor. Comput. Sci. 345(1): 101–121 zbMATHCrossRefMathSciNetGoogle Scholar
  66. 66.
    Musuvathi, M., Park, D.Y.W., Chou, A., Engler, D.R., Dill, D.L.: CMC: A pragmatic approach to model checking real code. In: Proc. OSDI. USENIX (2002)Google Scholar
  67. 67.
    Myers, G.J.: The Art of Software Testing. Wiley (1979)Google Scholar
  68. 68.
    Necula, G.C.: Proof carrying code. In: POPL 97: Principles of Programming Languages, pp. 106–119. ACM, New York (1997)Google Scholar
  69. 69.
    Necula, G.C., Lee, P.: Efficient representation and validation of proofs. In: Proc. LICS, pp. 93–104. IEEE, Los Alamitos (1998)Google Scholar
  70. 70.
    Necula, G.C., McPeak, S., Rahul, S.P., Weimer, W.: CIL: Intermediate language and tools for analysis and transformation of C programs. In: Proc. CC, LNCS, vol. 2304, pp. 213–228. Springer, Berlin (2002)Google Scholar
  71. 71.
    Necula, G.C., McPeak, S., Weimer, W.: CCured: Type-safe retrofitting of legacy code. In: Proc. POPL, pp. 128–139. ACM, New York (2002)Google Scholar
  72. 72.
    Nelson, G.: Techniques for program verification. Tech. Rep. CSL81-10, Xerox Palo Alto Research Center (1981)Google Scholar
  73. 73.
    Peled D. (2001). Software Reliability Methods. Springer, Berlin zbMATHGoogle Scholar
  74. 74.
    Peled, D.: Model checking and testing combined. In: Proc. ICALP, LNCS, vol. 2719, pp. 47–63. Springer, Berlin (2003)Google Scholar
  75. 75.
    Queille, J.P., Sifakis, J.: Specification and verification of concurrent systems in CESAR. In: Proc. Symposium on Programming, LNCS, vol. 137, pp. 337–351. Springer, Berlin (1982)Google Scholar
  76. 76.
    Ramamoorthy C.V., Ho S.B.F. and Chen W.T. (1976). On the automated generation of program test data. IEEE Trans. Softw. Eng. 2(4): 293–300 CrossRefGoogle Scholar
  77. 77.
    Reps, T.W., Horwitz, S., Sagiv, M.: Precise interprocedural dataflow analysis via graph reachability. In: Proc. POPL, pp. 49–61. ACM, New York (1995)Google Scholar
  78. 78.
    Saidi, H.: Model-checking-guided abstraction and analysis. In: Proc. SAS, LNCS, vol. 1824, pp. 377–396. Springer, Berlin (2000)Google Scholar
  79. 79.
    Schneider, F.B.: Enforceable security policies. Tech. Rep. TR98-1664, Cornell (1999)Google Scholar
  80. 80.
    Sen, K., Marinov, D., Agha, G.: Cute: A concolic unit testing engine for C. In: Proc. ESEC/FSE, pp. 263–272. ACM, New York (2005)Google Scholar
  81. 81.
    Suzuki, N., Ishihata, K.: Implementation of an array bound checker. In: Proc. POPL, pp. 132–143. ACM, New York (1977)Google Scholar
  82. 82.
    Young M. and Pezze M. (2005). Software Testing and Analysis: Process, Principles and Techniques. Wiley, New York Google Scholar

Copyright information

© Springer-Verlag 2007

Authors and Affiliations

  • Dirk Beyer
    • 1
  • Thomas A. Henzinger
    • 2
  • Ranjit Jhala
    • 3
  • Rupak Majumdar
    • 4
  1. 1.Simon Fraser UniversitySurreyCanada
  2. 2.EPFLLausanneSwitzerland
  3. 3.University of CaliforniaSan DiegoUSA
  4. 4.University of CaliforniaLos AngelesUSA

Personalised recommendations