Abstract
Blast is an automatic verification tool for checking temporal safety properties of C programs. Given a C program and a temporal safety property, Blast statically proves that either the program satisfies the safety property or the program has an execution trace that exhibits a violation of the property. Blast constructs, explores, and refines abstractions of the program state space based on lazy predicate abstraction and interpolation-based predicate discovery. We show how Blast can be used to statically prove memory safety for C programs. We take a two-step approach. First, we use CCured, a type-based memory safety analyzer, to annotate with run-time checks all program points that cannot be proved memory safe by the type system. Second, we use Blast to remove as many of the run-time checks as possible (by proving that these checks never fail), and to generate for the remaining run-time checks execution traces that witness them failing. Our experience shows that Blast can remove many of the run-time checks added by CCured and provide useful information to the programmer about many of the remaining checks.
This research was supported in part by the NSF grants CCR-0234690, CCR-0225610, and ITR-0326577.
© 2005 Springer-Verlag Berlin Heidelberg
Beyer, D., Henzinger, T.A., Jhala, R., Majumdar, R. (2005). Checking Memory Safety with Blast. In: Cerioli, M. (eds) Fundamental Approaches to Software Engineering. FASE 2005. Lecture Notes in Computer Science, vol 3442. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31984-9_2
DOI: https://doi.org/10.1007/978-3-540-31984-9_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-25420-1
Online ISBN: 978-3-540-31984-9