Draft

On Search Strategies for Constraint-Based Bounded Model Checking

Michel RUEHER
Joint work with Hélène Collavizza, Nguyen Le Vinh, Olivier Ponsini and Pascal Van Hentenryck
University Nice Sophia-Antipolis, I3S – CNRS, France

CP meets CAV, 25 June – 29 June 2012
Outline

◮ The CP Framework: a CP framework for Bounded Program Verification
◮ CPBPV: a Depth First Dynamic Exploration of the CFG
◮ DPVS: a Dynamic Backjumping Strategy
◮ The Flasher Manager Application
◮ Discussion
Motivations

→ Automatic generation of counterexamples violating a property on a limited model of the program is very useful
→ Challenge: finding bugs within realistic time periods for real-time applications
Overall view of the CP framework

◮ Bounded program verification (the array lengths, the variable values and the loops are bounded)
• Constraint stores represent the specification and the program
• The program is partially correct if the constraint store implies the post-conditions
◮ Non-deterministic exploration of execution paths
CP-based BMC

CP-based BMC mainly involves three steps:
1. the program is unwound k times,
2. an annotated and simplified CFG is built,
3. the program is translated into constraints on the fly.

A list of solvers is tried in sequence (LP, MILP, Boolean, CP).
CP framework & BMC

◮ CP framework
• Specification → constraints; program → constraints (on the fly)
• Solving process → a list of solvers tried in sequence on each selected node of the CFG
→ takes advantage of the structure of the program
◮ BMC based on SAT / SMT solvers
• Program & specification → one big Boolean formula
• Solving process → SAT solvers or SMT solvers have a "global view"
→ critical issue: minimum conflict sets (to limit backtracks & spurious solutions)
CP framework, pre-processing

1. P is unwound k times → P_uw
2. P_uw → DSA, Dynamic Single Assignment form (each variable is assigned exactly once on each program path)
3. The DSA form is simplified with respect to the specific property by applying slicing techniques
4. Domains of all variables are filtered by propagating constant values along the simplified CFG
A small example

    #include <assert.h>

    void foo(int a, int b) {
        int c, d, e, f;
        if (a >= 0) {
            if (a < 10) { f = b - 1; }
            else        { f = b - a; }
            c = a;
            if (b >= 0) { d = a; e = b; }
            else        { d = a; e = -b; }
        } else {
            c = b; d = 1; e = -a;
            if (a > b) { f = b + e + a; }
            else       { f = e * a - b; }
        }
        c = c + d + e;
        assert(c >= d + e);    // property p1
        assert(f >= -b * e);   // property p2
    }
A small example (continued)

[Figure: initial CFG of foo]
A small example (continued)

[Figure: simplified CFG of foo]
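As an added illustration of the motivation slide (automatic generation of counterexamples on a bounded model), the following Python is not part of the slides or of CPBPV. It transcribes foo from the small example, records the branch path of each execution, and checks the two asserted properties over a small integer domain by plain exhaustive enumeration, which stands in for the constraint solver; the domain bounds, the path labels and the function names are choices of this example.

```python
from itertools import product


def foo(a, b):
    """Transcription of the slide's foo(a, b). Instead of asserting, it returns
    the truth value of the two properties and the branch path that was taken,
    so that a violation can be reported together with its CFG path."""
    path = []
    if a >= 0:
        path.append("a>=0")
        if a < 10:
            path.append("a<10")
            f = b - 1
        else:
            path.append("a>=10")
            f = b - a
        c = a
        if b >= 0:
            path.append("b>=0")
            d, e = a, b
        else:
            path.append("b<0")
            d, e = a, -b
    else:
        path.append("a<0")
        c, d, e = b, 1, -a
        if a > b:
            path.append("a>b")
            f = b + e + a
        else:
            path.append("a<=b")
            f = e * a - b
    c = c + d + e
    props = {"p1": c >= d + e,     # assert(c >= d + e)
             "p2": f >= -b * e}    # assert(f >= -b * e)
    return props, tuple(path)


def bounded_check(lo, hi):
    """Bounded verification by exhaustive enumeration of a, b in [lo, hi]
    (the bound plays the role of the finite integer domains of the CP model).
    Returns, per property, the first counterexample found and its path;
    a property absent from the result holds on the whole bounded domain."""
    counterexamples = {}
    for a, b in product(range(lo, hi + 1), repeat=2):
        props, path = foo(a, b)
        for name, holds in props.items():
            if not holds and name not in counterexamples:
                counterexamples[name] = {"a": a, "b": b, "path": path}
    return counterexamples


def violating_paths(lo, hi):
    """The set of CFG paths on which each property is violated within the
    bound: the paths a path-exploring strategy would have to visit."""
    paths = {"p1": set(), "p2": set()}
    for a, b in product(range(lo, hi + 1), repeat=2):
        props, path = foo(a, b)
        for name, holds in props.items():
            if not holds:
                paths[name].add(path)
    return paths


if __name__ == "__main__":
    for name, cex in bounded_check(-8, 12).items():
        print(f"{name} violated at a={cex['a']}, b={cex['b']} on path {cex['path']}")
```

On the domain [-8, 12] both properties have counterexamples: p1 fails only on the a < 0 branch (it needs b >= 0 there), while p2 fails on every one of the six paths, for instance at a = 0, b = 0 where f = -1 must be at least 0.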
CP framework, language

◮ Java programs and JML specifications
JML =
• Comments in Java code ("javadoc"-like); they can be compiled and executed at run time
• Properties are directly expressed on the program variables → no need for abstraction
• Pre-conditions and post-relations
• Exists and Forall quantifiers
◮ C programs and assertions
CP framework, restrictions

◮ Unit code validation
◮ Data types: Booleans, integers, arrays of integers, [floats]
◮ Bounded programs: array lengths, number of unfoldings of loops, size of integers are known
◮ Normal behaviours of the method (no exception)
◮ JML specification:
• post-condition: the conjunction of the use cases of the method
• possibly a pre-condition
Building the constraint store: principle

◮ Each expression is mapped to a constraint: ρ transforms program expressions into constraints
◮ SSA-like variable renaming: σ[v] is the current renaming of variable v
◮ JML:
• \forall i → conjunction of conditions
• \exists i → disjunction of conditions (i has bounded values)
Building the constraint store ...

◮ scalar assignment

σ₂ = σ₁[v / σ₁(v) + 1]   and   c₂ ≡ (ρ σ₂ v) = (ρ σ₁ e)

⟨[v ← e, l], σ₁, c₁⟩ ↦ ⟨[l], σ₂, c₁ ∧ c₂⟩

Program: x = x + 1; y = x * y; x = x + y;
Constraints: { x₁ = x₀ + 1, y₁ = x₁ * y₀, x₂ = x₁ + y₁ }
Building the constraint store ...

◮ array assignment

σ₂ = σ₁[a / σ₁(a) + 1]
c₂ ≡ (ρ σ₂ a)[ρ σ₁ e₁] = (ρ σ₁ e₂)
c₃ ≡ ∀ i ∈ 0 .. a.length − 1 : (ρ σ₁ e₁) ≠ i → (ρ σ₂ a)[i] = (ρ σ₁ a)[i]

⟨[a[e₁] ← e₂, l], σ₁, c₁⟩ ↦ ⟨[l], σ₂, c₁ ∧ c₂ ∧ c₃⟩

Program (a.length = 8): a[i] = x;
Constraints: { a₁[i₀] = x₀, i₀ ≠ 0 → a₁[0] = a₀[0], i₀ ≠ 1 → a₁[1] = a₀[1], ..., i₀ ≠ 7 → a₁[7] = a₀[7] }

guard → body is a guarded constraint; a[i] = x is an element constraint: i and x are constrained variables whose values may be unknown
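The scalar and array assignment rules of the two slides above, implemented as an added Python example; this is not code from the slides or from CPBPV. It keeps σ as a dictionary of version counters, renames the right-hand side under σ₁ before allocating the fresh version under σ₂, emits the element constraint plus one guarded frame constraint per array cell, and checks a finished store against a concrete model so the DSA renaming can be validated against an actual execution. The ASCII spelling of the constraints (`->`, `!=`), the statement tuples and the `satisfied`/`holds` helpers are conventions of this example only.

```python
import re
from dataclasses import dataclass, field

IDENT = re.compile(r"[A-Za-z_]\w*")   # program variable names in expressions


@dataclass
class Store:
    """Constraint store in DSA form. sigma maps a program variable to its
    current renaming index (the slides' sigma[v]); constraints holds the
    conjunction c1 ∧ c2 ∧ ... built so far, one string per constraint."""
    sigma: dict = field(default_factory=dict)
    constraints: list = field(default_factory=list)

    def current(self, v):
        """rho_sigma v: the current renamed version of v (v0 before any assignment)."""
        return f"{v}{self.sigma.get(v, 0)}"

    def fresh(self, v):
        """sigma[v / sigma(v) + 1]: allocate the next version of v and return it."""
        self.sigma[v] = self.sigma.get(v, 0) + 1
        return self.current(v)

    def rename(self, expr):
        """rho_sigma e: rename every variable occurring in a program expression."""
        return IDENT.sub(lambda m: self.current(m.group(0)), expr)

    def scalar_assign(self, v, e):
        """v = e: the rhs is renamed under sigma1, then v gets a fresh version."""
        rhs = self.rename(e)     # rho sigma1 e, computed before v is renamed
        lhs = self.fresh(v)      # rho sigma2 v
        self.constraints.append(f"{lhs} = {rhs}")

    def array_assign(self, a, e1, e2, length):
        """a[e1] = e2 with a.length known: an element constraint on the written
        cell plus one guarded frame constraint per cell that may be untouched."""
        idx = self.rename(e1)
        rhs = self.rename(e2)
        old = self.current(a)    # rho sigma1 a
        new = self.fresh(a)      # rho sigma2 a
        self.constraints.append(f"{new}[{idx}] = {rhs}")
        for i in range(length):
            self.constraints.append(f"{idx} != {i} -> {new}[{i}] = {old}[{i}]")


def store_for(statements):
    """Translate ("scalar", v, e) / ("array", a, e1, e2, length) statements,
    in program order, into a Store."""
    st = Store()
    for s in statements:
        if s[0] == "scalar":
            st.scalar_assign(s[1], s[2])
        else:
            st.array_assign(s[1], s[2], s[3], s[4])
    return st


def satisfied(constraint, model):
    """Check one constraint against a concrete assignment of the renamed
    variables (arrays are lists). A guarded constraint is vacuously true when
    its guard is false. eval is acceptable here only because the strings come
    from our own generator, never from untrusted input."""
    env = dict(model)
    if " -> " in constraint:
        guard, constraint = constraint.split(" -> ", 1)
        if not eval(guard, {"__builtins__": {}}, env):
            return True
    lhs, rhs = constraint.split(" = ", 1)
    return eval(lhs, {"__builtins__": {}}, env) == eval(rhs, {"__builtins__": {}}, env)


def holds(store, model):
    """True iff the concrete model satisfies the whole constraint store."""
    return all(satisfied(c, model) for c in store.constraints)


if __name__ == "__main__":
    st = store_for([("scalar", "x", "x + 1"), ("scalar", "y", "x * y"),
                    ("scalar", "x", "x + y")])
    print(st.constraints)
    print(store_for([("array", "a", "i", "x", 8)]).constraints)
```

Running the slide's straight-line program from x = 2, y = 3 gives the trace x₁ = 3, y₁ = 9, x₂ = 12, and that trace satisfies the generated store; a model with x₂ = 27 (what x₁ * y₁ would give) is rejected, which is the check that catches a wrong translation of the last assignment.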