4 Using Blast: User Options
The following command line options are useful for running Blast
(see pblast.opt -help for a complete list).
Model Checking Options.
The following options are available to customize the model checking run.
- -main xxx. Specify the entry point of the program. The default is main.
- -L xxx. Specify an error label. The default is ERROR.
Note that if there are several labels in the program with the same name,
the effect of Blast is nondeterministic.
- -msvc. Parse file in MSVC mode. This is required by the CIL front end.
The default mode is GNU CC. Use this to read and analyze programs that use Microsoft
Visual C features.
- -bfs and -dfs. Specify the search strategy, breadth first or depth first.
The default is -bfs.
- -pred xxx. Specify a set of seed predicates as the initial abstraction.
When this is not specified, Blast starts running with the most abstract program:
where all the data has been abstracted.
The seed predicate file xxx contains a list of seed predicates, each predicate
is an atomic predicate using the C expression syntax.
See Section 6.3 for the syntax of predicates.
- -cf. Use context free reachability. This feature has not been
tested for this release.
- -init xxx. Specify the initial state in the file xxx.
The initial state is a (side effect free) C boolean expression in the
program variables in scope in the start function.
- -inv xxx. Specify additional invariants in a file. These are conjoined with
the set of reachable states.
The invariant file contains a C boolean expression.
- -s xxx. Specify the satisfiability solver to be used by the decision procedures
in Blast. The current options are Vampyre, Simplify, and Cvc, the default being Simplify.
Note however that the option -craig uses Vampyre internally.
See the programmer's documentation to see how to add your own decision procedure.
We recommend the use of Simplify as default as it is considerably faster than Vampyre.
- -nocache. Do not cache theorem prover calls. This makes the run require less
memory.
- -cov. With the option -cov, the coverability check is done only for
control flow nodes that have back pointers.
- -reclaim. A space saving heuristic: does not keep the whole tree around during
model checking, but reclaims tree nodes on backtrack.
- -ax xxx. Specify a set of additional axioms for Simplify.
The axioms file is passed to Simplify. Simplify requires that the file
ends in ".ax". So, to pass the axiom file file.ax, say -ax file.
It is assumed that the axiom file is in the same directory from which
Blast is invoked.
- -alias xxx. Alias analysis options.
If the option xxx is bdd, invokes a bdd based alias analysis,
otherwise reads the alias relationships from the file xxx.
Additionally, the option
-pta [flow|noflow] specifies a mode for points-to analysis:
noflow runs a flow-insensitive version, flow a flow-sensitive version.
This version of Blast only supports noflow.
If this option is omitted, then no alias analysis is performed,
and Blast makes the assumption that lvalues are not aliased.
The option
-scheck then performs some checks to ensure that this assumption is
met. However, it can happen that the analysis is unsound, even though -scheck
does not fail.
- -incref. Blast with full alias analysis is expensive, especially when the
alias analysis is imprecise.
Often aliasing is not important in This option gets a middle ground: the counterexample
analysis is done without the aliasing information, but the model checking uses
the alias information.
The analysis is sound, but Blast can fail if the analysis requires aliasing relationships
to be tracked.
- -nofp. Ignore function pointer calls. This is put in as a convenience:
the programmer can ignore function pointer calls in the analysis. Use with caution:
the results of Blast are meaningful only under the assumption that the function
pointer calls did not change the predicate state of the program.
- -bddcov and -nobddcov. The option -bddcov uses only bdds in cover check,
-nobddcov does a full cover check. The default is -bddcov. It is unlikely you
will need to change the default.
- -wpsat. Keep only satisfiable disjuncts in the weakest precondition.
- -restart. Restart model checking after every counterexample analysis (a.k.a. SLAM mode).
- -block. Analyze trace as blocks. This is the default, overriding the earlier counterexample
analysis.
You can still use the old counterexample analysis by running
-noblock.
With the old analysis, you can also specify the direction of the analysis
with the flag -refine [fwd|bwd] that runs the analysis forwards or backwards,
according to the option provided.
- -predH k. Perform predicate discovery heuristics.
There are several levels; we recommend using level k=7.
The heuristics include checking all causes of unsatisfiability, and adding
additional predicates based on the syntax.
- -tsd [zig]. Set the trace search direction: with [zig] the search zigzags, with [] it restarts from the end.
- -craig [1|2]. Use craig interpolants (FOCI) to get predicates
([1] use with scope, [2] maintains local tables of predicates).
See the paper "Abstractions from Proofs" (by T.A. Henzinger, R. Jhala, R. Majumdar, and
K.L. McMillan).
-craig internally uses the block based counterexample analysis (i.e.,
automatically sets -block).
See also -scope.
- -scope. Remove predicates not in scope. This should be run with
-craig 1, otherwise this fails.
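As an added example that is not part of the Blast manual or distribution, a small POSIX shell wrapper that assembles a pblast.opt command line from the options above and checks two things the text warns about: an error label that occurs more than once in the source (which makes the run nondeterministic), and the ".ax" naming rule for -ax. It assumes pblast.opt is on the PATH and prints the command instead of running it; the sample C file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Blast distribution: build a pblast.opt command
# line from the documented options and check the pitfalls the manual names
# (duplicate error labels, axiom file naming).  pblast.opt is assumed on PATH.

# Count occurrences of "<label>:" in a C file (heuristic: a label name followed
# by a colon, not preceded by an identifier character).
count_labels() {
    [ -f "$1" ] || { echo 0; return; }
    n=$(grep -o -E "(^|[^A-Za-z0-9_])$2[[:space:]]*:" "$1" | wc -l)
    echo $((n + 0))
}

# Simplify needs the axiom file to end in ".ax", and Blast takes the name
# without that suffix (-ax file for file.ax).  Fails on any other name.
ax_arg() {
    case "$1" in
        *.ax) printf '%s\n' "${1%.ax}" ;;
        *)    printf 'axiom file %s must end in .ax\n' "$1" >&2; return 1 ;;
    esac
}

# $1 = C file, $2 = entry function (-main), $3 = error label (-L),
# $4 = optional axiom file (-ax).  Warns when the label is absent or duplicated.
build_blast_cmd() {
    src=$1; entry=$2; label=$3; axfile=$4
    n=$(count_labels "$src" "$label")
    if [ "$n" -eq 0 ]; then
        printf 'warning: label %s not found in %s\n' "$label" "$src" >&2
    elif [ "$n" -gt 1 ]; then
        printf 'warning: label %s occurs %s times; Blast is nondeterministic here\n' "$label" "$n" >&2
    fi
    opts="-main $entry -L $label -craig 2 -predH 7"
    if [ -n "$axfile" ]; then
        ax=$(ax_arg "$axfile") || return 1
        opts="$opts -ax $ax"
    fi
    printf 'pblast.opt %s %s\n' "$opts" "$src"
}

# Constructed sample input: two functions that each carry an ERROR label.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
void f(int x) { if (x) goto ERROR; return; ERROR: ; }
int main(void) { f(1); return 0; ERROR: return 1; }
EOF
build_blast_cmd "$SAMPLE" main ERROR file.ax
```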
Program Optimization Options.
Blast implements a set
of program analysis routines that can make the analysis run significantly faster.
These can be turned on or off with the following options.
- -pe. Implements an aggressive interprocedural constant propagation
algorithm.
- -O x. Turn program optimizations on or off. The levels are 0-1.
The default is 0 (off). In level 1, a cone of influence optimization
is implemented. It assumes all variables occurring in conditionals are important,
and propagates this to find all useful assignments.
Further, the constant propagation algorithm is implemented (see also -pe).
- -depth k. Unroll CFA to depth k. This is experimental and not included
in the release.
Parallel Model Checking and Races.
Blast implements a thread-modular algorithm for
checking races in multithreaded C programs.
These options relate to the algorithm for checking races.
- -checkRace. Invoke the TAR algorithm to check for races on shared variable accesses.
- -par. Use data structures for parallel Blast. Not supported.
Saved Abstractions and Summarization.
These options are used to save and load abstractions from a Blast run.
- -loadabs. When Blast is run with the file fname.c,
it continuously outputs the abstraction used in the model checking
into the file fname.abs.
The -loadabs option can be used to read back the abstraction file
created in a previous run. This makes subsequent runs faster and is useful
for regression testing.
This option also allows us to run Blast with the abstraction generated
from an interrupted run.
- -interface f. Specify name of a function to take as describing a component interface.
Not supported in this release.
- -component f. Specify name of a function to check for satisfying the interface.
Not supported in this release.
Proof generation options.
Blast implements a set of options to generate
PCC style proofs. The proofs are output in textual form in LF syntax. These can be
read and encoded by a standard PCC proof encoder.
- -pf. Generate proof tree in the file foo.tree.
- -pfgen. Spit out vampyre proofs. Always use this: the other option is buggy!
- -pffile xxx. File to write vampyre proofs. If no file is specified,
proofs are written to /tmp/lf.pfs.
Old Heuristics that are no longer used/supported.
You can omit reading about the options in this section.
These pertain to several heuristics in the older version.
The default is set to the heuristic that we found to work best.
Many of the following heuristics are no longer supported.
- -comp xxx. This implements the keep_subtree heuristic from the
Lazy Abstraction paper. The options are cut to remove the subtree, and path
to keep the subtree. We found that path was nominally faster, but went into
loops very often. So the default is set to cut.
- -post xxx. The algorithms to compute post. The options are slam
for an approximate Cartesian post as implemented in SLAM,
and H for the most precise predicate abstraction.
We saw that slam post is vastly more efficient, yet is precise enough
to prove properties of interest. The default is slam.
- -forget. This option naively forgets predicates found when it
backtracks out of a subtree. This repeats work: the next time the same
part of the program is visited, the same predicates are found again. The
default is not to forget.
- -dc. Some don't care heuristic for predicates not in scope.
Deprecated. Do not use, see -craig instead.
General Options.
The following options let the user select different
configurations, mostly for debugging.
- -debug. Prints out copious debugging information.
- -cfa-dot xxx. Output the CFA of every function in ATT dot format
in the file xxx.
- -stop. Stop when the model checker hits the first (possibly invalid) counterexample.
Useful for debugging.
- -traces. Every time a false counterexample is encountered,
the trace itself is dumped. Used for diagnostic purposes.
With the option -tracefile xxx, you can additionally specify the name
of the file containing trace information. This is used by the trace viewer.
- -demo. Run in demo mode for the GUI.
- -xml. Generate error traces as a bunch of xml files that can be read in and
displayed by SLAM's GUI.
- -help or --help. Display the list of options.