Hybrid Constraint-Based Bounded Program Verification
Michel RUEHER
University of Nice Sophia-Antipolis / I3S – CNRS, France
Courtesy to Hélène COLLAVIZZA, Nguyen Le VINH and Pascal Van HENTENRYCK
June, 2011
ACP Summer School “Hybrid Methods for Constraint Programming”, Turunç
Outline
◮ Basics on Bounded Model Checking (BMC)
◮ A CP framework for Bounded Program Verification
◮ CPBPV, a Depth First Dynamic Exploration of the CFG
◮ DPVS
◮ The Flasher Manager Application
◮ Discussion
Basics on BMC
◮ Mechanically check properties of models
◮ Widely used in hardware verification and software verification
◮ Automatic generation of counterexamples
BMC: key features
◮ Models → finite automata, labelled transition systems
◮ Properties:
  ◮ Safety → something bad should not happen
  ◮ Liveness → something good should happen
◮ Bound k → look only for counterexamples made of k states
Algorithm for Model Checking Safety
    % set of states: S, initial states: I, transition relation: T
    % bad states B reachable from I via T?
    bounded_model_checker_forward(I, T, B, k)
        S_C = ∅; S_N = I; n = 1
        while S_C ≠ S_N and n < k do
            if B ∩ S_N ≠ ∅
            then return “found error trace to bad states”;
            else S_C = S_N; S_N = S_C ∪ T(S_C); n = n + 1;
        done
        return “no bad state reachable”;
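The forward checker of the slide above, ported to Python over an explicit finite transition system, as an added example that is not part of the original slides; the predecessor map used to rebuild the error trace and the constructed counter system are additions.

```python
# Added example, not from the slides: the forward bounded model checker of the
# slide, ported to Python. A predecessor map (not in the slide) lets us return
# the error trace itself instead of only reporting that one exists.

def bounded_model_checker_forward(I, T, B, k):
    """I: initial states; T: state -> iterable of successor states;
    B: bad states; k: bound. Returns a trace [s0, ..., bad] or None."""
    parent = {s: None for s in I}       # first-discovered predecessor of each state
    s_c, s_n, n = set(), set(I), 1
    while s_c != s_n and n < k:
        bad = B & s_n                   # the test precedes each expansion, as in the slide
        if bad:
            return _trace(parent, next(iter(bad)))   # any bad state found so far
        s_c = s_n
        s_n = set(s_c)
        for s in s_c:
            for t in T(s):
                parent.setdefault(t, s) # keep the first predecessor -> shortest trace
                s_n.add(t)
        n += 1
    return None                         # no bad state reachable within the bound

def _trace(parent, s):
    """Walk the predecessor map back from s to an initial state."""
    path = []
    while s is not None:
        path.append(s)
        s = parent[s]
    return list(reversed(path))

# Constructed example system: a counter 0 -> 1 -> ... -> 5 that then stays at 5.
def COUNTER(s):
    return [s + 1] if s < 5 else [5]

if __name__ == "__main__":
    print(bounded_model_checker_forward({0}, COUNTER, {3}, k=5))    # [0, 1, 2, 3]
    print(bounded_model_checker_forward({0}, COUNTER, {3}, k=4))    # None: bound too small
    print(bounded_model_checker_forward({0}, COUNTER, {9}, k=100))  # None: fixed point reached
```

Note that, as written on the slide, the bad-state test runs before each expansion, so the last frontier computed before n reaches k is never tested; the k=4 run shows this.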
BMC framework
BMC: Bounded Model Checking
• BMC: falsification of a given property is checked for a given bound
• BMC mainly involves three steps:
  1. the program is unwound k times,
  2. the unwound program and the property are translated into a big propositional formula φ; φ is satisfiable iff there exists a counterexample of depth less than k,
  3. a SAT-solver or SMT-solver is used for checking the satisfiability of φ.
CP framework
◮ A CP framework for Bounded Program Verification
Overall view of CP framework
◮ Bounded program verification (the array lengths, the variable values and the loops are bounded)
  • Constraint stores represent the specification and the program
  • The program is partially correct if the constraint store implies the post-conditions
◮ Non-deterministic exploration of execution paths
CP-based BMC ...
CP-based Bounded Program Verification
• CP-based BMC: falsification of a given property is checked for a given bound
• CP-based BMC mainly involves three steps:
  1. the program is unwound k times,
  2. an annotated and simplified CFG is built,
  3. the program is translated into constraints on the fly; a list of solvers is tried in sequence (LP, MILP, Boolean, CP).
CP framework & BMC ...
◮ CP framework
  • Specification → constraints
    Program → constraints (on the fly)
  • Solving process
    → list of solvers tried in sequence on each selected node of the CFG
    → takes advantage of the structure of the program
◮ BMC based on SAT / SMT solvers
  • Program & specification → big Boolean formula
  • Solving process
    → SAT solvers or SMT solvers (SAT solvers & specialised solvers)
    → spurious solutions → backtracks → critical issue: minimum conflict sets
CP framework, pre-processing
Pre-processing
1. P is unwound k times → P_uw
2. P_uw → DSA_Puw, Dynamic Single Assignment form (each variable is assigned exactly once on each program path)
3. DSA_Puw is simplified according to the specific property prop by applying slicing techniques
4. Domains of all variables are filtered by propagating constant values along G, the simplified CFG
A small example
    #include <assert.h>

    void foo(int a, int b) {
        int c, d, e, f;
        if (a >= 0) {
            if (a < 10) { f = b - 1; }
            else { f = b - a; }
            c = a;
            if (b >= 0) { d = a; e = b; }
            else { d = a; e = -b; }
        }
        else {
            c = b; d = 1; e = -a;
            if (a > b) { f = b + e + a; }
            else { f = e * a - b; }
        }
        c = c + d + e;
        assert(c >= d + e);     // property p1
        assert(f >= -b * e);    // property p2
    }
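A depth-first enumeration of the execution paths of foo() above, each path searched for a counterexample to p1 and p2 with a and b bounded, as an added example that is not part of the original slides. The CFG encoding is hand-written, and the bounded generate-and-test over the inputs is a stand-in for the LP/MILP/Boolean/CP solvers the framework actually tries on each node.

```python
# Added example, not from the slides: DFS over the paths of foo() with a bounded
# domain for a and b; generate-and-test replaces the CP solvers of the framework.
from itertools import product

# CFG as nested lists: ("assign", var, fn(env)) | ("if", cond(env), then, else)
FOO = [("if", lambda v: v["a"] >= 0,
        [("if", lambda v: v["a"] < 10, [("assign", "f", lambda v: v["b"] - 1)],
                                       [("assign", "f", lambda v: v["b"] - v["a"])]),
         ("assign", "c", lambda v: v["a"]),
         ("if", lambda v: v["b"] >= 0,
          [("assign", "d", lambda v: v["a"]), ("assign", "e", lambda v: v["b"])],
          [("assign", "d", lambda v: v["a"]), ("assign", "e", lambda v: -v["b"])])],
        [("assign", "c", lambda v: v["b"]), ("assign", "d", lambda v: 1),
         ("assign", "e", lambda v: -v["a"]),
         ("if", lambda v: v["a"] > v["b"],
          [("assign", "f", lambda v: v["b"] + v["e"] + v["a"])],
          [("assign", "f", lambda v: v["e"] * v["a"] - v["b"])])]),
       ("assign", "c", lambda v: v["c"] + v["d"] + v["e"])]
P1 = lambda v: v["c"] >= v["d"] + v["e"]        # property p1
P2 = lambda v: v["f"] >= -v["b"] * v["e"]       # property p2

def paths(nodes, prefix=()):
    """Depth-first enumeration: yield each path as a tuple of assumes/assigns."""
    if not nodes:
        yield prefix
    elif nodes[0][0] == "if":
        _, cond, then_b, else_b = nodes[0]
        rest = list(nodes[1:])
        yield from paths(list(then_b) + rest, prefix + (("assume", cond, True),))
        yield from paths(list(else_b) + rest, prefix + (("assume", cond, False),))
    else:
        yield from paths(list(nodes[1:]), prefix + (nodes[0],))

def run(path, v):
    """Execute one path on input env v; None if the input leaves the path."""
    v = dict(v)
    for kind, x, y in path:          # ("assume", cond, polarity) | ("assign", var, fn)
        if kind == "assume" and x(v) != y:
            return None
        if kind == "assign":
            v[x] = y(v)
    return v

def verify(prop, bound=10):
    """Bounded check of prop on every path, a and b in [-bound, bound].
    Returns (counterexample inputs, path index) or None if prop holds."""
    for i, path in enumerate(paths(FOO)):
        for a, b in product(range(-bound, bound + 1), repeat=2):
            v = run(path, {"a": a, "b": b})
            if v is not None and not prop(v):
                return {"a": a, "b": b}, i
    return None
```

Both properties fail within the bound: p1 on the a < 0, a > b path (e.g. a = -9, b = -10 gives c = 0 but d + e = 10) and p2 already at a = b = 0 on the first path (f = -1 against -b*e = 0).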
A small example (continued)
Initial CFG [figure]
A small example (continued)
Simplified CFG [figure]
CP framework, language
◮ Java programs and JML specifications
  JML =
  • Comments in Java code (“javadoc” like), which can be compiled and executed at run time
  • Properties are directly expressed on the program variables → no need for abstraction
  • Pre-conditions and post-relations
  • Exists and Forall quantifiers
◮ C programs and assertions