Applicability of the BLAST Model Checker: An Industrial Case Study

Model checking of software has been a very active research topic recently. As a result, a number of software model checkers have been developed for the analysis of software written in different programming languages, e.g., SLAM, BLAST, and Java PathFinder. The applicability of these tools in the general industrial development process, however, is yet to be shown. In this paper, we present the results of an experiment in which we applied BLAST, a state-of-the-art model checker for C programs, in an industrial setting. An industrial-strength C implementation of a protocol stack has been verified against a set of formalized properties. We have identified real bugs in the code, and we have also reached the limits of the tool. This experience report provides valuable guidance for developers of code analysis tools as well as for general software developers who need to decide whether this kind of technique is ready for application and suitable for their particular goals.
