Computer programs can only run reliably if the underlying operating system is free of errors. In this paper we evaluate, from a practitioner’s point of view, the utility of the popular software model checker Blast for revealing errors in Linux kernel code. The emphasis is on important errors related to memory safety in and locking behaviour of device drivers. Our conducted case studies show that, while Blast’s abstraction and refinement techniques are efficient and powerful, the tool has deficiencies regarding usability and support for analysing pointers, which are likely to prevent kernel developers from using it.


Source Code Model Check Application Program Interface Device Driver Software Model Check 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ball, T., Rajamani, S.K.: Automatically validating temporal safety properties of interfaces. In: Dwyer, M.B. (ed.) Model Checking Software. LNCS, vol. 2057, pp. 103–122. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  2. 2.
    Beyer, D., Chlipala, A.J., Henzinger, T.A., Jhala, R., Majumdar, R.: The BLAST query language for software verification. In: PEPM 2004, pp. 201–202. ACM Press, New York (2004)CrossRefGoogle Scholar
  3. 3.
    Beyer, D., Henzinger, T.A., Jhala, R., Majumdar, R.: Checking memory safety with BLAST. In: Cerioli, M. (ed.) FASE 2005. LNCS, vol. 3442, pp. 2–18. Springer, Heidelberg (2005)Google Scholar
  4. 4.
    Breuer, P.T., Pickin, S.: Abstract interpretation meets model checking near the 10<Superscript>6</Superscript> LOC mark. In: AVIS 2006, To appear in ENTCSGoogle Scholar
  5. 5.
    Chaki, S., Clarke, E., Groce, A., Ouaknine, J., Strichman, O., Yorav, K.: Efficient verification of sequential and concurrent C programs. FMSD 25(2–3), 129–166 (2004)zbMATHGoogle Scholar
  6. 6.
    Chou, A., Yang, J., Chelf, B., Hallem, S., Engler, D.R.: An empirical study of operating system errors. In: SOSP 2001, pp. 73–88. ACM Press, New York (2001)CrossRefGoogle Scholar
  7. 7.
    Clarke, E.M., Grumberg, O., Peled, D.A.: Model checking. MIT Press, Cambridge (2000)Google Scholar
  8. 8.
    Corbet, J., Rubini, A., Kroah-Hartmann, G.: Linux Device Drivers, 3rd edn. O’Reilly, Sebastopol (2005)Google Scholar
  9. 9.
    Corbett, J.C., et al.: Bandera: Extracting finite-state models from Java source code. In: ICST 2000, pp. 439–448. SQS Publishing (2000)Google Scholar
  10. 10.
    Cousot, P., Cousot, R.: On abstraction in software verification. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 37–56. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  11. 11.
    Engler, D.R., Chelf, B., Chou, A., Hallem, S.: Checking system rules using system-specific, programmer-written compiler extensions. In: OSDI 2000, USENIX (2000)Google Scholar
  12. 12.
    Engler, D.R., Musuvathi, M.: Static analysis versus software model checking for bug finding. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 191–210. Springer, Heidelberg (2004)Google Scholar
  13. 13.
    Henzinger, T.A., Jhala, R., Majumdar, R.: Race checking by context inference. In: PLDI 2004, pp. 1–13. ACM Press, New York (2004)CrossRefGoogle Scholar
  14. 14.
    Henzinger, T.A., Jhala, R., Majumdar, R., Sanvido, M.A.A.: Extreme model cecking. In: Dershowitz, N. (ed.) Verification: Theory and Practice. LNCS, vol. 2772, pp. 232–358. Springer, Heidelberg (2004)Google Scholar
  15. 15.
    Henzinger, T.A., Jhala, R., Majumdar, R., Sutre, G.: Lazy abstraction. In: POPL 2002, pp. 58–70. ACM Press, New York (2002)CrossRefGoogle Scholar
  16. 16.
    Henzinger, T.A., et al.: Temporal-safety proofs for systems code. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 526–538. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  17. 17.
    Holzmann, G.J.: The SPIN model checker. Addison-Wesley, Reading (2003)Google Scholar
  18. 18.
    Jie, H., Shivaji, S.: Temporal safety verification of AVFS using BLAST. Project report, Univ. California at Santa Cruz (2004)Google Scholar
  19. 19.
    Microsoft Corporation. Static driver verifier: Finding bugs in device drivers at compile-time.
  20. 20.
    Mong, W.S.: Lazy abstraction on software model checking. Project report, Toronto Univ., Canada (2004)Google Scholar
  21. 21.
    Necula, G.C., McPeaki, S., Weimer, W.: CCured: Type-safe retrofitting of legacy code. In: POPL 2002, pp. 128–139. ACM Press, New York (2002)CrossRefGoogle Scholar

Copyright information

© Springer Berlin Heidelberg 2007

Authors and Affiliations

  • Jan Tobias Mühlberg
    • 1
  • Gerald Lüttgen
    • 1
  1. 1.Department of Computer Science, University of York, York YO10 5DDU.K.

Personalised recommendations