Constraint-Based Search Strategies For Bounded Program Verification. Michel RUEHER

Transcription

1 Constraint-Based For Bounded Program Verification Michel RUEHER University of Nice Sophia-Antipolis / I3S CNRS, France (joined work with Hélène COLLAVIZZA, Nguyen Le VINH and Pascal Van HENTENRYCK) January 25, 2011 N I I Tokyo This work was partially supported by the ANR-07-SESUR-003 project CAVERN and the ANR-07 TLOG 022 project TESTEC 1

2 Outline on Constraint Programming (CP) and on Bounded Model Checking (BMC) A CP framework for Bounded Program Verification, a Depth First Dynamic Exploration of the CFG, a Non Sequential Exploration Strategy of the CFG 2

3 on Constraint Programming on CP CP: Overview CP Solving Global & on BMC BMC: overview Algorithm 3

4 Constraint Programming: Constraint Programming is a way of modeling and solving combinatorial optimization problems CP combines techniques from artificial intelligence, logic programming, and operations research There exist several industrial solvers (e.g., ILOG/IBM, Eclipse, Xpress-Kalis, Comet), and academic solvers (e.g., Gecode, Choco, Minion) on CP CP: Overview CP Solving Global & on BMC BMC: overview Algorithm Many industrial applications, e.g., timetabling (Dutch railway), hardware verification (Intel), scheduling, planning,... 4

5 CP: key features Domain filtering Consider each constraint separately and remove values that are trivially inconsistent ing strategies Try to exploit the structure of the problem... and Global Constraints Use (efficient) specific algorithms for some subclasses of constraints on CP CP: Overview CP Solving Global & on BMC BMC: overview Algorithm 5

6 CP filtering / solving Example: variables/domains x 1 {1, 2}, x 2 {0, 1, 2, 3}, x 3 {2, 3} constraints x 1 > x 2 on CP CP: Overview CP Solving Global & on BMC BMC: overview Algorithm x 1 + x 2 = x 3 alldifferent(x 1, x 2, x 3 ) 6

7 CP filtering / solving Example: variables/domains x 1 {1, 2} x 2 {0, 1, 2/,3/ }, x 3 {2, 3} constraints x 1 > x 2 x 1 + x 2 = x 3 alldifferent(x 1, x 2, x 3 ) on CP CP: Overview CP Solving Global & on BMC BMC: overview Algorithm 7

8 CP filtering / solving Example: domains x 1 {1} x 2 {0, 1/ }, x 3 {2, 3} constraints x 1 > x 2 x 1 + x 2 = x 3 alldifferent(x 1, x 2, x 3 ) on CP CP: Overview CP Solving Global & on BMC BMC: overview Algorithm 8

9 CP filtering / solving Example: domains x 1 { 1/ } x 2 { 0/,1/ }, x 3 { 2/, 3/ } constraints x 1 > x 2 x 1 + x 2 = x 3 alldifferent(x 1, x 2, x 3 ) on CP CP: Overview CP Solving Global & on BMC BMC: overview Algorithm 9

10 CP filtering / solving domains x 1 {2} x 2 {0, 1}, x 3 { 2/,3} constraints x 1 > x 2 x 1 + x 2 = x 3 alldifferent(x 1, x 2, x 3 ) on CP CP: Overview CP Solving Global & on BMC BMC: overview Algorithm 10

11 CP filtering / solving domains x 1 {2} x 2 {0/, 1}, x 3 {2/,3} constraints x 1 > x 2 x 1 + x 2 = x 3 alldifferent(x 1, x 2, x 3 ) on CP CP: Overview CP Solving Global & on BMC BMC: overview Algorithm 11

12 CP: Global Constraints Example: alldifferent Constraints: alldifferent(x 1, x 2, x 3, x 4, x 5, x 6 ) Domains: x 1 {1, 2}, x 2 {1, 2, 3}, x 3 {1, 3} x 4 {3, 4}, x 5 {1, 4, 6}, x 5 {5, 6, 7} Algorithm: matching bipartite graph (or network flow algorithm) on CP CP: Overview CP Solving Global & on BMC BMC: overview Algorithm 12

13 CP: ing strategies Heuristics choosing the variable to instantiate choosing the value for the selected variable Popular heuristic: First fail "To succeed, try first where you are most likely to fail" on CP CP: Overview CP Solving Global & on BMC BMC: overview Algorithm 13

14 on Bounded Model Checking on CP CP: Overview CP Solving Global & on BMC BMC: overview Algorithm 14

15 on BMC Mechanically check properties of models Widely used in hardware verification and software verification Automatic generation of counterexamples on CP CP: Overview CP Solving Global & on BMC BMC: overview Algorithm 15

16 BMC: key features Models finite automates, labelled transition systems Properties: Safety something bad should not happen Liveness something good should happen on CP CP: Overview CP Solving Global & on BMC BMC: overview Algorithm Bound k look only for counter examples made of k states 16

17 Algorithm for Model Checking Safety % set of states: S, initial states: I, transition relation: T % bad states B reachable from I via T? bounded_model_checker forward (I, T, B, k) S C = ; S N = I; n = 1 while S C S N and n < k do if B S N then return found error trace to bad states ; else S C = S N ; S N = S C T (S C ); n = n + 1; done return no bad state reachable ; on CP CP: Overview CP Solving Global & on BMC BMC: overview Algorithm 17

18 CP framework CP & BMC A CP framework for Bounded Program Verification Pre-processing A small example Language and restrictions Building the constraint store scalar assignment array assignment conditional instruction while instruction strategies 18

19 of CP framework Bounded program verification (the array lengths, the variable values and the loops are bounded) Constraint stores to represent the specification and the program CP & BMC Pre-processing A small example Language and restrictions Building the constraint store scalar assignment Program is partially correct if the constraint store implies the post-conditions Non deterministically exploration of execution paths array assignment conditional instruction while instruction strategies 19

20 CP framework & BMC BMC: Bounded Model Checking BMC: falsification of a given property is checked for a given bound BMC mainly involves three steps: 1. the program is unwound k times, 2. the unwounded program and the property are translated into a big propositional formula φ φ is satisfiable iff there exists a counterexample of depth less than k 3. A SAT-solver or SMT-solver is used for checking the satisfiability of φ CP & BMC Pre-processing A small example Language and restrictions Building the constraint store scalar assignment array assignment conditional instruction while instruction strategies 20

21 CP framework & BMC... CP For Bounded Program Verification CP : falsification of a given property is checked for a given bound CP & BMC Pre-processing A small example CP mainly involves three steps: 1. the program is unwound k times, 2. An annotated and simplified CFG is built 3. Program is translated in constraints on the fly A list of solvers tried in sequence (LP, MILP, Boolean, CP) Language and restrictions Building the constraint store scalar assignment array assignment conditional instruction while instruction strategies 21

22 CP framework & BMC... CP framework Specification constraints Program constraints (on the fly) Solving Process List of solvers tried in sequence on each selected node of the CFG Takes advantage of the structure of the program BMC based on SAT / SMT solvers Program & specification Big Boolean formula Solving Process SAT solvers or SMT solvers (SAT solvers & specialised solvers) spurious solutions backtracks Critical issue: minimum conflict sets CP & BMC Pre-processing A small example Language and restrictions Building the constraint store scalar assignment array assignment conditional instruction while instruction strategies 22

23 CP framework, pre-processing Pre-processing 1. P is unwound k times P uw CP & BMC 2. P uw DSA Puw, Dynamic Single Assignment form (each variable is assigned exactly once on each program path) 3. DSA Puw is simplified according to the specific property prop by applying slicing techniques 4. Domains of all variables are filtered by propagating constant values along G, the simplified CFG Pre-processing A small example Language and restrictions Building the constraint store scalar assignment array assignment conditional instruction while instruction strategies 23

24 A small example void foo(int a, int b) int c, d, e, f ; if(a >= 0) { if(a < 10) {f = b 1;} else {f = b a; } c = a; if(b >= 0) {d = a; e = b;} else {d = a; e = b;} } else { c = b; d = 1; e = a; if(a > b) {f = b + e + a;} else {f = e a b;} } c = c + d + e; assert(c >= d + e); // property p 1 assert(f >= b e); // property p 2 CP & BMC Pre-processing A small example Language and restrictions Building the constraint store scalar assignment array assignment conditional instruction while instruction strategies 24

25 A small example(continued) Initial CFG CP & BMC Pre-processing A small example Language and restrictions Building the constraint store scalar assignment array assignment conditional instruction while instruction strategies 25

26 A small example(continued) Simplified CFG CP & BMC Pre-processing A small example Language and restrictions Building the constraint store scalar assignment array assignment conditional instruction while instruction strategies 26

27 CP framework, language Java programs and JML specifications JML = Comments in java code ( javadoc like) (can be compiled and executed at run time) Properties are directly expressed on the program variables no need for abstraction Pre-conditions and post-relations Exists and Forall quantifiers CP & BMC Pre-processing A small example Language and restrictions Building the constraint store scalar assignment array assignment conditional instruction while instruction strategies C programs and assertions 27

28 CP framework, restrictions Unit code validation Data types : integers, arrays of integers Bounded programs : array lengths, number of unfoldings of loops, size of integers are known Normal behaviours of the method (no exception) CP & BMC Pre-processing A small example Language and restrictions Building the constraint store scalar assignment array assignment conditional instruction while instruction JML specification : post condition : the conjunction of use cases of the method strategies possibly a precondition 28

29 Building the constraint store: principle Each expression is mapped to a constraint: ρ transforms program expressions into constraints CP & BMC SSA-like variable renaming: σ[v] is the current renaming of variable v Pre-processing A small example Language and restrictions Building the constraint store scalar assignment JML : \forall i conjunction of conditions \exist i disjunction of conditions (i has bounded values) array assignment conditional instruction while instruction strategies 29

30 Building the constraint store... scalar assignment Program σ 2 = σ 1 [v/σ 1 (v) + 1] & c 2 (ρ σ 2 v) = (ρ σ 1 e) [v e, l], σ 1, c 1 [l], σ 2, c 1 c 2 x=x+1; y=x*y; x=x+y; Constraints {x 1 = x 0 + 1, y 1 = x 1 y 0, x 2 = x 1 y 1 } CP & BMC Pre-processing A small example Language and restrictions Building the constraint store scalar assignment array assignment conditional instruction while instruction strategies 30

31 Building the constraint store... array assignment σ 2 = σ 1 [a/σ 1 (a) + 1] c 2 (ρ σ 2 a)[ρ σ 1 e 1 ] = (ρ σ 1 e 2 ) c 3 i 0..a.length(ρ σ 1 e 1 ) i (ρ σ 2 a)[i] = (ρ σ 1 a)[i] [a[e 1 ] e 2, l], σ 1, c 1 [l], σ 2, c 1 c 2 c 3 Program (a.length=8) a[i] = x; Constraints {a 1 [i 0 ] = x 0, i 0 0 a 1 [0] = a 0 [0], i 0 1 a 1 [1] = a 0 [1],..., i 0 7 a 1 [7] = a 0 [7]} CP & BMC Pre-processing A small example Language and restrictions Building the constraint store scalar assignment array assignment conditional instruction while instruction strategies guard body is a guarded constraint a[i] = x is the element constraint: i and x are constrained variables whose values may be unknown 31

32 Building the constraint store... conditional instruction: if b i ; l CP & BMC c (ρ σ b) is satisfiable if b i ; l, σ, c i ; l, σ, c (ρ σ b) Pre-processing A small example Language and restrictions Building the constraint store scalar assignment array assignment c (ρ σ b) is satisfiable if b i ; l, σ, c l, σ, c (ρ σ b) conditional instruction while instruction strategies 32

33 Building the constraint store... while instruction: while b i ; l CP & BMC Pre-processing c (ρ σ b) is satisfiable while b i ; l, σ, c i; while b i ; l, σ, c (ρ σ b) A small example Language and restrictions Building the constraint store scalar assignment array assignment conditional instruction while instruction c (ρ σ b) is satisfiable while b i; l, σ, c l, σ, c (ρ σ b) strategies 33

34 strategies, Depth first exploration of the CFG CP & BMC Pre-processing A small example Language and restrictions, Non sequential exploration of the CFG Building the constraint store scalar assignment array assignment conditional instruction while instruction strategies 34

35 A Depth First Dynamic Exploration of the CFG Example Implementation & Implementation 35

36 , Translate precondition of the specification (if it exists) into a set of constraints PRECOND Example Translate post condition of the specification into a set of constraints POSTCOND Implementation & Implementation Explore each branch B i of the program and translate instructions of B i into a set of constraints PROG_Bi 36

37 , the validation process For each branch B i, solve CSPi = PROG_Bi PRECOND NOT(POSTCOND) If for each branch B i CSPi is inconsistent, then the program is conform with its specification If for a branch B i CSPi has a solution, then this solution is a test case which illustrates a non-conformity Example Implementation & Implementation! Inconsistencies of CSPi are detected at each node of the control flow graph 37

38 Binary search (1) requires (\forall int && (\result!=-1 ==> t[\result] == v) (\result==-1 ==> \forall int k; 0<=k<t.length; 1 static int binary_search(int[] t, int v) 2 int l = 0; 3 int u = t.length-1; 4 while (l <= u) 5 int m = (l + u) / 2; 6 if (t[m]==v) return m; 7 if (t[m] > v) 8 u = m - 1; 9 else 10 l = m + 1; // ERROR else u = m - 1; 11 return -1; Example Implementation & Implementation 38

39 Binary search (2) Precondition \forall int i;i>=0 && i<t.length-1;t[i]<=t[i+1] CSP t 0 [0] t 0 [1] t 0 [1] t 0 [2]... t 0 [6] t 0 [7] Example Implementation & Implementation Initialization int l=0;int u=t.length-1; CSP CSP l 0 = 0 u 0 = 7 39

40 Binary search (2) Precondition \forall int i;i>=0 && i<t.length-1;t[i]<=t[i+1] CSP t 0 [0] t 0 [1] t 0 [1] t 0 [2]... t 0 [6] t 0 [7] Example Implementation & Implementation Initialization int l=0;int u=t.length-1; CSP CSP l 0 = 0 u 0 = 7 40

41 Binary search (3) Loop while (l<=u) Enter into the loop since l 0 u 0 is consistent with the current constraint store CSP CSP l 0 u 0 Example Implementation & Implementation Assignment int m=(l+u)/2; CSP CSP m 0 = (l 0 + u 0 )/2 = 3 41

42 Binary search (3) Loop while (l<=u) Enter into the loop since l 0 u 0 is consistent with the current constraint store CSP CSP l 0 u 0 Example Implementation & Implementation Assignment int m=(l+u)/2; CSP CSP m 0 = (l 0 + u 0 )/2 = 3 42

43 Binary search (4) Conditional if (t[m]==v) return m; t 0 [m 0 ] = v 0 is consistent with the constraint store so take the if part CSP CSP t 0 [m 0 ] = v 0 Example Implementation & Implementation Complete execution path p whose constraint store c p is: c pre l 0 = 0 u 0 = 7 m 0 = 3 t 0 [m 0 ] = v 0 43

44 Binary search (4) Conditional if (t[m]==v) return m; t 0 [m 0 ] = v 0 is consistent with the constraint store so take the if part CSP CSP t 0 [m 0 ] = v 0 Example Implementation & Implementation Complete execution path p whose constraint store c p is: c pre l 0 = 0 u 0 = 7 m 0 = 3 t 0 [m 0 ] = v 0 44

45 Binary search (5) Return statement has been reached add negation of post condition and link JML \result variable with returned value m 0 \result!=-1 ==> t[\result] == v) && (\result==-1 ==> \forall int k; 0<=k<t.length; t[k]!=v) \m 0! = 1 t 0 [m 0 ]! = v 0 \m 0 = 1 (t 0 [0] = v 0 t 0 [1] = v 0... t 0 [6] = v 0 ) solve the CSP There is No solution so the program is correct along this execution path Example Implementation & Implementation Go back to conditional if (t[m]==v) to explore the else part 45

46 Binary search (5) Return statement has been reached add negation of post condition and link JML \result variable with returned value m 0 \result!=-1 ==> t[\result] == v) && (\result==-1 ==> \forall int k; 0<=k<t.length; t[k]!=v) \m 0! = 1 t 0 [m 0 ]! = v 0 \m 0 = 1 (t 0 [0] = v 0 t 0 [1] = v 0... t 0 [6] = v 0 ) solve the CSP There is No solution so the program is correct along this execution path Example Implementation & Implementation Go back to conditional if (t[m]==v) to explore the else part 46

47 Implementation Dedicated solvers ad-hoc simplifier : trivial simplifications and calculus on constants linear solver (LP algorithm) + MIP solver Boolean solver (SAT solver) (Boolean relaxation of the non linear constraints) CSP solver : used if none of the other solver did find an inconsistency Prototype Example Implementation & Implementation Solvers : Ilog CPLEX11 and JSolver4verif Written in Java using JDT (eclipse) for parsing Java programs!! CPLEX is unsafe but Neumaier & Shcherbina method for computing a certificate of infeasibility 47

48 Current prototype On the fly validation : if c then... else... If c can be simplified into constant value true or false, select the branch which corresponds to c If c is linear 1. add decision c in linear_csp 2. solve linear_csp if linear_csp has no solution, condition c is not feasible for the current path choose another path Example Implementation & Implementation if linear_csp has a solution, we can t conclude anything on complete_csp investigate both branches c and c 48

49 Current prototype On the fly validation : if c then... else... If c is NOT linear : 1. abstract decision c and add it in boolean_csp 2. solve boolean_csp boolean_csp has no solution choose another path if boolean_csp has a solution investigate both branches c and c Example Implementation & Implementation Boolean abstraction hash-table of decisions : keys are decisions, values are Boolean variables sub-expressions are shared rewriting 49

50 Current prototype On the fly validation : loops Let c be the entrance condition if c is trivially simplified to true or false enter or exit the loop if {c + linear_csp } is inconsistent add c to the CSPs and exit the loop Example Implementation & Implementation In other cases, unfold loop max times: If max is reached add c to the CSPs and exit the loop Else investigate both paths 50

51 We compared CPBVP with the following frameworks: ESC/Java, an Extended Static Checker for Java run-time errors in JML-annotated Java programs (static analysis of the code and its annotations) CBMC, a Bounded Model Checker for ANSI-C and C++ programs verification of array bounds (buffer overflows), pointer safety, exceptions, and user-specified assertions BLAST, a software model checker for C program (Berkeley Lazy Abstraction Software Verification Tool) EUREKA, a C bounded model checker which uses an SMT solver instead of an SAT solver Why, a verification platform which integrates provers (proof assistants such as Coq, PVS, HOL 4,...) and decision procedures (Simplify, Yices,...) Example Implementation & Implementation 51

52 Binary search length time 1.08s 1.69s 4.04s 17.01s s CBMC time 1.37s 1.43s KO Why inv 11.18s KO ESC/Java Error BLAST KO EUREKA tool : cannot handle because of expression m = (u + l)/2 CP execution paths explored given by the recurrence relation: P(2) = P(4); P(2n) = 2P(n) + log(n) length ESC/Java CBMC WHY inv BLAST s 1.21 s 1.38s KO KO s s 1.69s KO KO s s 7.62s KO KO s s 27.05s KO KO s s s KO KO Table: Experimental Results for an Incorrect Binary Example Implementation & Implementation CBMC and ESC/Java only show the decisions taken along the faulty path (they do not provide any value for the array nor the searched data) 52

53 Binary search length time 1.08s 1.69s 4.04s 17.01s s CBMC time 1.37s 1.43s KO Why inv 11.18s KO ESC/Java Error BLAST KO EUREKA tool : cannot handle because of expression m = (u + l)/2 CP execution paths explored given by the recurrence relation: P(2) = P(4); P(2n) = 2P(n) + log(n) length ESC/Java CBMC WHY inv BLAST s 1.21 s 1.38s KO KO s s 1.69s KO KO s s 7.62s KO KO s s 27.05s KO KO s s s KO KO Table: Experimental Results for an Incorrect Binary Example Implementation & Implementation CBMC and ESC/Java only show the decisions taken along the faulty path (they do not provide any value for the array nor the searched data) 53

54 Tritype Takes 3 integers (triangle sides) and returns the type of triangle CP :10 paths explored among 57 correspond to actual inputs because of complex conditionals CP and Why : time does not depend on the size of the integers earlier approach (Boolean abstraction, TACAS 06): 8.52s for integers coded on 16 bits, 92 spurious paths Example Implementation & Implementation ESC/Java CBMC Why BLAST time 0.287s 1.828s 0.82s 8.85s KO 54

55 Sum of squares requires (n == & (\forall int i; i>=0 & (0<=t[i] & & (\alldifferent ensures \result == 1 int sum(int[] t, int n) 2 int s = 0; 3 int i = 0; 4 while (i!=t.length) 5 s=s+t[i]*t[i] 6 i =i+1; 7 return s; Example Implementation & Implementation Using global constraint alldiff Solving non linear problems s for n = 10 55

56 Role of the different solvers CPLEX, the MIP solver, plays a key role in all these benchmarks: Example Tritype: the CP solver is never called Binary search: there are only length calls to the CP solver (and much more calls to CPLEX) but almost 75% of the CPU time is spent in the CP solver Implementation & Implementation Sum of squares: 80% of the CPU time is spent in the CP solver 56

57 Critical issues We do not need the Boolean abstraction to capture the control structure of the program Use the CFG and constraints to prune the search space Example Implementation & Implementation Depth first dynamic exploration of the CFG Efficient if the variables are instantiated early Blind searching: post-condition becomes active very late 57

58 A Non Sequential Exploration Strategy of the CFG A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work 58

59 , A new search strategy for verifying a restricted class of Java or C programs: Non sequential dynamic exploration of the CFG Goal: generating counterexamples for real time applications A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work 59

60 Non sequential dynamic constraint based exploration strategy Essential observation When the program is in an SSA-like form, a path can be built in a non-sequential dynamic way CFG does not have to be explored in a top down (or bottom up) way: compatible blocks can just be collected in a non-deterministic way Constraint solving is integrated with state exploration to prune the state space as early as possible A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work 60

61 Non sequential dynamic constraint based exploration strategy starts from the post-condition and dynamically collects program blocks which involve variables of the post-condition Collecting as much information as possible on a given variable enforces the constraints on its domain and reduces the search space A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work 61

62 A small example void foo(int a, int b) int c, d, e, f ; if(a >= 0) { if(a < 10) {f = b 1;} else {f = b a; } c = a; if(b >= 0) {d = a; e = b;} else {d = a; e = b;} } else { c = b; d = 1; e = a; if(a > b) {f = b + e + a;} else {f = e a b;} } c = c + d + e; assert(c >= d + e); // property p 1 assert(f >= b e); // property p 2 A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work 62

63 A small example(continued) To prove property p 1, select node (4) the condition in node (0) must be true S = {c 1 < d 0 + e 0 c 1 = c 0 + d 0 + e 0 c 0 = a 0 a 0 0} = {a 0 < 0 a 0 0}... inconsistent A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work 63

64 A small example(continued) Select node (8) condition in node (0) must be false S = {c 1 < d 0 + e 0 c 1 = c 0 + d 0 + e 0 c 0 = b 0 d 0 = 1 e 0 = a 0 a 0 < 0} = {a 0 < 0 b 0 < 0} Solution {a 0 = 1, b 0 = 1} A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work 64

65 , Algorithm (scheme) S negation of prop % constraint store Q variables in prop % queue of variables IF Q, v POP(Q) for a program block PB(v) where v is defined PUSH(Q, new_var), new_var = new variables ( input variables) of PB(v) S S {definition of v and conditions required to reach definition of v } IF S is inconsistent, backtrack & search another definition (otherwise the dual condition is cut off) IF Q = search for an instantiation of the input variables (= counterexample) If no solution exists, backtracks. A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work 65

66 FM Application: Description of the module A real time industrial application from a car manufacturer (provided by Geensoft) Flasher Manager (FM): controller that drives several functions related to the flashing lights Purpose: to indicate a direction change to lock and unlock the car from the distance to activate the warning lights A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work Simulink model of FM C function f 1 66

67 FM Application: Simulink model (1) A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work 67

68 FM Application: Simulink model (2) A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work 68

69 FM Application: Function f 1 Simulink model of FM C function f 1 81 Boolean variables (6 inputs, 2 outputs) and 28 integer variables 300 lines of code: nested conditionals including linear operations and constant assignments Piece of code: A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work 69

70 FM Application: property p 1 Property p 1 : The lights should never remain lit Property p 1 concerns the behaviour of FM for an infinite time period p 1 is violated when the lights remain on for N consecutive time periods a loop (bounded by N) that counts the number of times where the output of FM has consecutively been true A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work Challenge: bound N as great as possible 70

71 : tools, implemented in Comet, a hybrid optimization platform for solving combinatorial problems *, an optimized version of based on a dynamic top down strategy CBMC, one of the best bounded model checkers were performed on a Quad-core Intel Xeon X GHz clocked with 16Gb memory All times are given in seconds. A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work 71

72 (results) Solving time: N CBMC * TO TO 400 TO 4.66 TO Pre-processing time: N CBMC * TO A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work 72

73 Discussion on the binary search Length CBMC * TO TO TO TO TO TO and CBMC waste a lot of time in exploring the different paths * incrementally adds the decisions taken along a path well adapted for the Binary program A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work 73

74 Discussion (continued) Future work on other applications Extension of our prototype handling pointers interfacing with a floating point number solver Combining strategies A small example Algorithm FM Application Description Simulink model Program Discussion Binary search Future work 74

75 A Constraint-Programming for Bounded Program Verification Hélène Collavizza, Michel Rueher, and Pascal Van Hentenryck Constraints Journal, Springer Verlag, vol. 15(2): , Efficient Constraint-Based Dynamic For Generating Counterexamples Hélène Collavizza, Nguyen Le Vinh, Michel Rueher, Samuel Devulder, Thierry Gueguen 26th ACM Symposium On Applied Computing, Software Verification and Testing Track,Taiwan, March

76 Thank you :) 76