Checking Memory Safety with Blast

  • Dirk Beyer
  • Thomas A. Henzinger
  • Ranjit Jhala
  • Rupak Majumdar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3442)


Blast is an automatic verification tool for checking temporal safety properties of C programs. Given a C program and a temporal safety property, Blast statically proves that either the program satisfies the safety property or the program has an execution trace that exhibits a violation of the property. Blast constructs, explores, and refines abstractions of the program state space based on lazy predicate abstraction and interpolation-based predicate discovery. We show how Blast can be used to statically prove memory safety for C programs. We take a two-step approach. First, we use CCured, a type-based memory safety analyzer, to annotate with run-time checks all program points that cannot be proved memory safe by the type system. Second, we use Blast to remove as many of the run-time checks as possible (by proving that these checks never fail), and to generate, for the remaining run-time checks, execution traces that witness their failure. Our experience shows that Blast can remove many of the run-time checks added by CCured and provide useful information to the programmer about many of the remaining checks.
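The two outcomes described above, as an added illustration that is not code from the paper, CCured or Blast: `check_bounds` is a hypothetical stand-in for an inserted run-time check, and its failure branch plays the role of the error location whose reachability a model checker decides. The bounded loop at the end only exercises small constructed inputs; it is testing, not a proof.

```c
#include <stddef.h>

/* Hypothetical stand-in for an inserted run-time check (not CCured's real
   runtime API). A failure is counted instead of aborting so it can be observed. */
static int failed_checks = 0;

static int check_bounds(size_t i, size_t len) {
    if (i >= len) { failed_checks++; return 0; }  /* the "error location" */
    return 1;
}

/* Check can be removed: the clamp and the loop guard give i < n <= len on
   every path to the check, so the error location is unreachable. */
long sum_prefix(const int *buf, size_t len, size_t n) {
    long s = 0;
    if (n > len) n = len;
    for (size_t i = 0; i < n; i++) {
        if (!check_bounds(i, len)) return -1;
        s += buf[i];
    }
    return s;
}

/* Check must stay: the guard i <= n admits i == len. A witness trace is
   len = 4, n = 4: four passing iterations, then the check fails at i = 4. */
long sum_inclusive(const int *buf, size_t len, size_t n) {
    long s = 0;
    for (size_t i = 0; i <= n; i++) {
        if (!check_bounds(i, len)) return -1;
        s += buf[i];
    }
    return s;
}

typedef long (*sum_fn)(const int *, size_t, size_t);

/* Bounded exhaustive run over small inputs: shows which check ever fires.
   Returns the number of failed checks observed. */
int failures_on_small_inputs(sum_fn f) {
    int buf[4] = {1, 2, 3, 4};   /* constructed sample data */
    failed_checks = 0;
    for (size_t len = 0; len <= 4; len++)
        for (size_t n = 0; n <= 6; n++)
            f(buf, len, n);
    return failed_checks;
}
```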





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Dirk Beyer (1)
  • Thomas A. Henzinger (1, 2)
  • Ranjit Jhala (3)
  • Rupak Majumdar (4)

  1. EPFL, Switzerland
  2. University of California, Berkeley
  3. University of California, San Diego
  4. University of California, Los Angeles
