Hélène)Collavizza,))Claude)Michel,)Olivier)Ponsini,)) Le ... › ~provilla › journeeMDSC › 2014 › rueher.pdfVariaonsautourdelavériﬁcaonsous contraintes) Michel)Rueher))!

Varia%ons autour de la vérifica%on sous contraintes

Michel Rueher

(en collabora+on avec Hélène Collavizza, Claude Michel, Olivier Ponsini,

Le Vinh Nguyen, Mohamed Said Belaid, Mohammed Bekkouche)

Journée Pole MDSC

22/05/2014

Vérifica%on sous contraintes

Ø Vérifica%on de propriétés cri%ques est une contrainte de plus en plus forte dans de nombreux domaines :

•  Contrôle d'une centrale nucléaire •  Construc+on automobile •  Ges+on hospitalière.

Ø U%lisa%on des nombres floLants è Nouveaux problèmes

2

PLAN

§  Vérifica3on de propriétés pour des programmes avec des tableaux et boucles de taille bornée

§  Approxima3on des erreurs / risques d’instabilité pour des programmes avec des calculs floGants

§  Aide à la localisa3on des erreurs pour des programmes avec des calculs numériques

3

Dra

ftOn Search Strategies forConstraint-Based Bounded Model

Checking

Dra

ft

CSP & BMC

The CPFramework

CPBPV

DPVS

FM Application

Discussion

Outline

A CP framework for Bounded Program Verification

CPBPV, a Depth First Dynamic Exploration of the CFG

DPVS, a Dynamic Backjumping Strategy

The Flasher Manager Application

Discussion

5

Dra

ft

CSP & BMC

The CPFramework

CPBPV

DPVS

FM Application

Discussion

Motivations

→ Automatic generation of counterexamplesviolating a property on a limited modelof the program is very useful

→ Challenge: finding bugs for realistic time periodsfor real time applications with Numeric operations

6

Dra

ft

CSP & BMC

The CPFrameworkOverall view

Pre-processing

Example

Constraint store

Scalar assignment

Array assignment

CPBPV

DPVS

FM Application

Discussion

Overall view of CP framework

I Bounded program verification(the array lengths, the variable values and the loopsare bounded)

• Constraint stores to represent the specification andthe program

• Program is partially correct if the constraint storeimplies the post-conditions

I Non deterministically exploration of execution paths

7

Dra

ft

CSP & BMC


Pre-processing

Example

Constraint store

Scalar assignment

Array assignment

CPBPV

DPVS

FM Application

Discussion

CP-based BMC ...

CP-based BMC mainly involves three steps:

1. the program is unwound k times,

2. An annotated and simplified CFG is built

3. Program is translated in constraints on the fly

LP, MILP, Boolean, CP solvers tried in sequence

8

Dra

ft

CSP & BMC


Pre-processing

Example

Constraint store

Scalar assignment

Array assignment

CPBPV

DPVS

FM Application

Discussion

CP framework & BMC ...

I CP framework• Specification→ constraints

Program→ constraints (on the fly)• Solving Process→ List of solvers tried in sequence

on each selected node of the CFG→ Takes advantage of the structure of the program

I BMC based on SAT / SMT solvers• Program & specification→ Big Boolean formula• Solving Process→ SAT /SMT solvers have a global view→ Critical issue: minimum conflict sets

(to limit backtracks & spurious solutions)

9

Dra

ft

CSP & BMC


Pre-processing

Example

Constraint store

Scalar assignment

Array assignment

CPBPV

DPVS

FM Application

Discussion

CP framework, pre-processing

Pre-processing

1. P is unwound k times→ Puw

2. Puw → DSA, Dynamic Single Assignment form(each variable is assigned exactly once on eachprogram path)

3. DSA is simplified according to the specificproperty by applying slicing techniques

4. Domains of all variables are filtered by propagatingconstant values along the simplified CFG

10

Dra

ft

CSP & BMC


Pre-processing

Example

Constraint store

Scalar assignment

Array assignment

CPBPV

DPVS

FM Application

Discussion

A small example

void foo(int a, int b)int c, d, e, f ;if(a >= 0) {

if(a < 10) {f = b − 1;}else {f = b − a; }c = a;if(b >= 0) {d = a; e = b;}else {d = a; e = −b;} }

else {c = b; d = 1; e = −a;if(a > b) {f = b + e + a;}else {f = e ∗ a− b;} }

c = c + d + e;assert(c >= d + e); // property p1assert(f >= −b ∗ e); // property p2

11

Dra

ft

CSP & BMC


Pre-processing

Example

Constraint store

Scalar assignment

Array assignment

CPBPV

DPVS

FM Application

Discussion

A small example(continued)

Initial CFG

��

��

��

��

�

��

��

�

��

��

�

��

��

��

��

�

��

�

��

��

�

��

�

� ��

��

��

��

�

��

��

��

� �

��

��

��

��

�

��

��

��

��

��

��

�

� �

��

��

��

�

� ��

��

��

��

�

��

12

Dra

ft

CSP & BMC


Pre-processing

Example

Constraint store

Scalar assignment

Array assignment

CPBPV

DPVS

FM Application

Discussion

A small example(continued)

Simplified CFG

��

��

��

��

�

��

��

�

��

��

�

��

��

��

��

�

��

�

��

��

�

��

�

� ��

��

��

��

�

��

��

��

13

Dra

ft

CSP & BMC


Pre-processing

Example

Constraint store

Scalar assignment

Array assignment

CPBPV

DPVS

FM Application

Discussion

Building the constraint store: principle

I Each expression is mapped to a constraint:ρ transforms program expressions into constraints

I SSA-like variable renaming: σ[v] is the currentrenaming of variable v

I JML Specifications :

• \forall i→ conjunction of conditions• \exist i→ disjunction of conditions

(i has bounded values)

14

Dra

ft

CSP & BMC


Pre-processing

Example

Constraint store

Scalar assignment

Array assignment

CPBPV

DPVS

FM Application

Discussion

Building the constraint store ...

I scalar assignment

σ2 = σ1[v/σ1(v) + 1] & c2 ≡ (ρ σ2 v) = (ρ σ1 e)〈[v ← e , l], σ1, c1〉 7−→ 〈[l], σ2, c1 ∧ c2〉

Program

x=x+1; y=x*y; x=x+y;

Constraints{x1 = x0 + 1, y1 = x1 ∗ y0, x2 = x1 ∗ y1}

15

Dra

ft

CSP & BMC


Pre-processing

Example

Constraint store

Scalar assignment

Array assignment

CPBPV

DPVS

FM Application

Discussion

Building the constraint store ...

I array assignmentσ2 = σ1[a/σ1(a) + 1]c2 ≡ (ρ σ2 a)[ρ σ1 e1] = (ρ σ1 e2)c3 ≡ ∀i ∈ 0..a.length(ρ σ1 e1) 6= i → (ρ σ2 a)[i] = (ρ σ1 a)[i]

〈[a[e1]← e2, l], σ1 , c1〉 7−→ 〈[l], σ2, c1 ∧ c2 ∧ c3〉

Program (a.length=8)

a[i] = x;

Constraints{a1[i0] = x0, i0 6= 0→ a1[0] = a0[0],i0 6= 1→ a1[1] = a0[1], ..., i0 6= 7→ a1[7] = a0[7]}

guard → body is a guarded constraint

a[i] = x is the element constraint: i and x are constrainedvariables whose values may be unknown

16

Dra

ft

CSP & BMC

The CPFramework

CPBPVOverall view

Experiments

DPVS

FM Application

Discussion

CPBPV, Overall view

CPBPV, Depth first exploration of the CFG

I Translate precondition of the specification (if it exists)into a set of constraints PRECOND

I Translate post condition of the specification into a setof constraints POSTCOND

I Explore each branch Bi of the program and translateinstructions of Bi into a set of constraints PROG_Bi

17

Dra

ft

CSP & BMC

The CPFramework

CPBPVOverall view

Experiments

DPVS

FM Application

Discussion

On the fly validation : if c then ... else ...

I If c can be simplified into constant value “true” or“false”, select the branch which corresponds to c

I If c is linear1. add decision c in linear_CSP2. solve linear_CSP

I if linear_CSP has no solution, condition c is notfeasible for the current path choose another path

I if linear_CSP has a solution, we can’t concludeanything on complete_CSP investigate both branches c and ¬c

18

Dra

ft

CSP & BMC

The CPFramework

CPBPVOverall view

Experiments

DPVS

FM Application

Discussion

On the fly validation : if c then ... else ...

I If c is NOT linear :1. abstract decision c and add it in boolean_CSP2. solve boolean_CSP

I boolean_CSP has no solution choose anotherpath

I if boolean_CSP has a solution investigate bothbranches c and ¬c

Boolean abstraction• hash-table of decisions : keys are decisions, values

are Boolean variables• sub-expressions are shared→ rewriting

19

Dra

ft

CSP & BMC

The CPFramework

CPBPVOverall view

Experiments

DPVS

FM Application

Discussion

On the fly validation : loops

Let c be the entrance condition

• if c is trivially simplified to “true” or “false” enter or exit the loop• if {c + linear_CSP } is inconsistent add ¬c to the CSPs and exit the loop

In other cases, unfold loop max times:

• If max is reached add ¬c to the CSPs and exit the loop• Else investigate both paths

20

Dra

ft

CSP & BMC

The CPFramework

CPBPVOverall view

Experiments

DPVS

FM Application

Discussion

Binary search

length 8 16 32 64 128CPBPV time 1.08s 1.69s 4.04s 17.01s 136.80sCBMC time 1.37s 1.43s KO

Table : Results for a correct binary search program

length CPBPV CBMC8 0.027s 1.38s

16 0.037s 1.69s32 0.064s 7.62s64 0.115s 27.05s

128 0.241s 189.20s

Table : Results for an incorrect binary search

21

Dra

ft

CSP & BMC

The CPFramework

CPBPVOverall view

Experiments

DPVS

FM Application

Discussion

Critical issues

I We do not need the Boolean abstraction to capture thecontrol structure of the program

→ Use the CFG and constraints to prune thesearch space

I Depth first dynamic exploration of the CFG

• Efficient if the variables are instantiated early

• Blind searching: post-condition becomes active verylate

22

Dra

ft

CSP & BMC

The CPFramework

CPBPV

DPVSExample

FM Application

Discussion

DPVS

DPVS, a Dynamic Backjumping Strategy

→ Generating Counterexamples

→ Starts from the postcondition and jumps to thelocations where the variables are assigned

23

Dra

ft

CSP & BMC

The CPFramework

CPBPV

DPVSExample

FM Application

Discussion

A Dynamic Backjumping Strategy

Why can we do it ?

Essential observation:

When the program is in an SSA-like form, a path can bebuilt in a non-sequential dynamic way

→ CFG does not have to be explored in a top down (orbottom up) way: compatible blocks can just be

collected in a non-deterministic way

24

Dra

ft

CSP & BMC

The CPFramework

CPBPV

DPVSExample

FM Application

Discussion

A Dynamic Backjumping Strategy

DPVS starts from the post-condition anddynamically collects program blocks which involvevariables of the post-condition

Why does it pay off ?

→ Enforces the constraints on the domains of theselected variables

→ Detects inconsistencies earlier

25

Dra

ft

CSP & BMC

The CPFramework

CPBPV

DPVSExample

FM Application

Discussion

A small exemple

void foo(int a, int b)int c, d, e, f ;if(a >= 0) {

if(a < 10) {f = b − 1;}else {f = b − a; }c = a;if(b >= 0) {d = a; e = b;}else {d = a; e = −b;} }

else {c = b; d = 1; e = −a;if(a > b) {f = b + e + a;}else {f = e ∗ a− b;} }

c = c + d + e;assert(c >= d + e); // property p1assert(f >= −b ∗ e); // property p2

26

Dra

ft

CSP & BMC

The CPFramework

CPBPV

DPVSExample

FM Application

Discussion

A small exemple(continued)

To prove property p1, select node (12), then select node(4)→ the condition in node (0) must be trueS = {c1 < d0 + e0 ∧ c1 = c0 + d0 + e0 ∧ c0 = a0 ∧ a0 ≥ 0}

= {a0 < 0 ∧ a0 ≥ 0} ... inconsistent

27

Dra

ft

CSP & BMC

The CPFramework

CPBPV

DPVSExample

FM Application

Discussion

A small exemple(continued)

Select node (8)→ condition in node (0) must be falseS = {c1 < d0 + e0 ∧ c1 = c0 + d0 + e0 ∧ c0 = b0

∧a0 < 0 ∧ d0 = 1 ∧ e0 = −a0}= {a0 < 0 ∧ b0 < 0}

Solution {a0 = −1,b0 = −1}

28

Dra

ft

CSP & BMC

The CPFramework

CPBPV

DPVS

FM ApplicationDescription

Program

Exp. on FM

Discussion

FM Application: Description of the module

• A real time industrial application from a carmanufacturer (provided by Geensoft)

• Flasher Manager (FM): controller that drives severalfunctions related to the flashing lights

Purpose:

• to indicate a direction change• to lock and unlock the car from the distance• to activate the warning lights

• Simulink model of FM→ C function f1

29

Dra

ft

CSP & BMC

The CPFramework

CPBPV

DPVS


Program

Exp. on FM

Discussion

FM Application: functionalities

I Direction change: Boolean input R or L rises from 0to 1. The corresponding light then oscillates betweenon/off states with a period of 6 time-units (e.g. 3 s)→ output sequence of the form [111000]

I Lock and unlock of the carI If the unlock button is pressed while the car is

unlocked, nothing shall happen.I If the unlock button is pressed while the car is locked,

both lights shall flash with a period of 2 time-unitsduring 20 time-units (fast flashes for a short time)

I If the lock button is pressed while the car is unlocked,both lights shall go on for 10 time-units, and then shallgo off for another 10 time-units

I If the lock button is pressed while the car is locked,both lights shall flash during 60 time-units with aperiod of 2 time-units (fast flashes for a long time) ..

I Warning function: when the warning is on, both lightsflash with a period of 6 time-units 30

Dra

ft

CSP & BMC

The CPFramework

CPBPV

DPVS


Program

Exp. on FM

Discussion

FM Application: Simulink model

31

Dra

ft

CSP & BMC

The CPFramework

CPBPV

DPVS


Program

Exp. on FM

Discussion

FM Application: Function f1

Simulink model of FM→ C function f1

• 81 Boolean variables (6 inputs, 2 outputs) and 28integer variables

• 300 lines of code: nested conditionals includinglinear operations and constant assignmentsPiece of code:

32

Dra

ft

CSP & BMC

The CPFramework

CPBPV

DPVS


Program

Exp. on FM

Discussion

FM Application: properties

p1 The lights should never remain lit

p2 The Warning function has priority over other flashingfunctions

p3 When the warning button has been pushed and thenreleased, the Warning function resumes to theFlashers_left (or Flashers_right) function, ifthis function was active when the warning button waspushed

p4 When the F signal (for flasher active) is off, then theFlashers_left, Flashers_right and Warningfunctions are desabled. On the contrary, all thefunctions related to the lock and unlock of the car aremaintained

33

Dra

ft

CSP & BMC

The CPFramework

CPBPV

DPVS


Program

Exp. on FM

Discussion

Experiments (property p1)

Solving time:N CBMC DPVS CPBPV*5 0.03 0.02 0.84

100 58.52 1.11 TO200 232.19 1.7 TO400 TO 3.83 TO800 TO 9.35 TO

1600 TO 26.2 TOPresolving time:

N CBMC DPVS & CPBPV*5 0.366 0.48

100 96.21 14.95200 395.46 21.65400 TO 83.81800 TO 218.15

1600 TO 531.82

34

Dra

ft

CSP & BMC

The CPFramework

CPBPV

DPVS


Program

Exp. on FM

Discussion

Experiments (cont)

I Presolving, search, and total times in seconds forchecking Property p2 with 10 unfoldings

Tool Presolving Search TotalCBMC 0.89 0.23 1.12CBMCz3 0.85 2.7 3.55DPVS 3.89 0.08 3.97DPVSz3 0.34 4.23

This propety does not hold (only 3 unfoldings arerequired)

I Property 3 and 4 couldn’t be checked

35

Dra

ft

CSP & BMC

The CPFramework

CPBPV

DPVS

FM Application

Discussion

Discussion

Experiments on the binary searchLength CBMC DPVS CPBPV*4 5.732 0.529 0.1078 110.081 35.074 0.29816 TO TO 1.14964 TO TO 27.714128 TO TO 153.646

• DPVS and CBMC waste a lot of time in exploringthe different paths

• CPBPV* incrementally adds the decisions takenalong a path→ well adapted for the Binary Search program

On going work : Combining strategies (on multi-coreprocessor)

36

Dra

ft

Identifyingsuspicious

values

Problematic

AI Approach

ConstraintProgramming

Motivatingexample

AI+CP

Experiments

Conclusion

Identifying suspicious values inprograms with floating-point numbers

38

Dra

ft


values

Problematic

AI Approach


Motivatingexample

AI+CP

Experiments

Conclusion

Outline

Problematic: Verifying Programs with FP computations

AI Approach: Abstraction of program states

Constraint Programming over continous domains

Motivating example

Combining AI and CP

Experiments

Conclusion

39

Dra

ft


values

ProblematicIntroduction

Floating-point pitfalls

Outline

AI Approach


Motivatingexample

AI+CP

Experiments

Conclusion

Introduction

I Problem: verifying programs with floating-pointcomputations

Embedded systems written in C (transportation, nuclearplants,...)

I Programs use floating-point numbers butI Specifications are written with the semantics of reals

“in mind”I Programs are written with the semantics of reals “in

mind”

40

Dra

ft


values



Outline

AI Approach


Motivatingexample

AI+CP

Experiments

Conclusion

Floating-point arithmetic pitfalls

Rounding Counter-intuitive properties

(0.1)10 = = (0.000110011001100 · · · )2simple precision

0.100000001490116119384765625

I Neither associative nor distributive operators(−10000001 + 107) + 0.5 6= −10000001 + (107 + 0.5)

I Absorption, cancellation phenomenaAbsorption: 107 + 0.5 = 107

Cancellation: ((1− 10−7)− 1) ∗ 107 = −1.192...( 6= −1)

→ Floats are source of errors in programs

41

Dra

ft


values



Outline

AI Approach


Motivatingexample

AI+CP

Experiments

Conclusion

Objectives & Method

Goals: → bounds for variables with real numbers semantics andfloating-point numbers semantics

→ bounds for the error due to the use of floating-pointnumbers instead of real numbers

to identify suspicious values

Method: combining abstract interpretation & constraintprogramming

42

Dra

ft


values



Outline

AI Approach


Motivatingexample

AI+CP

Experiments

Conclusion

Outline

Problematic: Verifying Programs with FP computations

AI Approach: Abstraction of program states

Constraint Programming over continous domains

Motivating example

Combining AI and CP

Experiments

Conclusion

43

Dra

ft


values

Problematic

AI ApproachZonotopes

Static analysis with AI

False Alarm


Motivatingexample

AI+CP

Experiments

Conclusion

AI Approach: Abstraction of programstates

Intervals, zonotopes, polyhedra...

Zonotopes: convex polytopes with a central symmetrySets of affine forms

a = a0 + a1ε1 + · · ·+ anεn

b = b0 + b1ε1 + · · ·+ bnεn...

with εi ∈ [−1,1]

+ Good trade-off between performance and precision– Not very accurate for nonlinear expressions– Not accurate on very common program constructs

such as conditionals44

Dra

ft


values

Problematic



False Alarm


Motivatingexample

AI+CP

Experiments

Conclusion

AI: Static analysis (cont.)

+ Good scalability forI Showing absence of runtime errorsI Estimating rounding errors and their propagationI Checking properties of programs

– Lack of precisionI Approximations may be very coarseI Over-approximation possible false alarms

45

Dra

ft


values

Problematic



False Alarm


Motivatingexample

AI+CP

Experiments

Conclusion

AI & False alarm

From Cousot:http://www.di.ens.fr/~cousot/AI/IntroAbsInt.html

46

http://www.di.ens.fr/~cousot/AI/IntroAbsInt.html

Dra

ft


values

Problematic

AI Approach

ConstraintProgrammingLocal consistencies

2B–consistency

3B-Consistency

ConstraintProgrammingframework: sum up

Motivatingexample

AI+CP

Experiments

Conclusion

CP over continous domains: overallscheme

CP over continous domains ≡ a branch & prune process→ an iteration of two steps:

1. Pruning the search space2. Making a choice to generate two (or more)

sub-problems

Pruning step→ reduces an interval when the upperbound or the lower bound does not satisfy someconstraintBranching step→ splits the domain of somevariable in two or more intervals

47

Dra

ft


values

Problematic

AI Approach


2B–consistency

3B-Consistency


Motivatingexample

AI+CP

Experiments

Conclusion

Local consistencies

Working with a single constraint

Consider Dx = [x , x ] and c(x , x1, . . . , xn) :

If c(x , x1, . . . , xn) does not hold for any valuesa ∈ [x , x ′], then Dx → [x ′, x ]

48

Dra

ft


values

Problematic

AI Approach


2B–consistency

3B-Consistency


Motivatingexample

AI+CP

Experiments

Conclusion

2B–consistency

I A constraint cj is 2B–consistent if for any variable xi

of cj , the bounds Dxi and Dxi have a support in thedomains of all other variables of cj

→Variable x is 2B–consistent for f (x , x1, . . . , xn) = 0 ifthe lower (resp. upper) bound of the domain of x is thesmallest (resp. largest) solution of f (x , x1, . . . , xn)

A CSP is 2B–consistent iff all its constraints are2B–consistent

49

Dra

ft


values

Problematic

AI Approach


2B–consistency

3B-Consistency


Motivatingexample

AI+CP

Experiments

Conclusion

3B–Consistency (1)

3B–Consistency, a shaving process

→

checks whether 2B–Consistency can be enforced when thedomain of a variable is reduced to the value of one of its

bounds in the whole system

50

Dra

ft


values

Problematic

AI Approach


2B–consistency

3B-Consistency


Motivatingexample

AI+CP

Experiments

Conclusion

3B–Consistency (2)

Let (X ,D, C) be a CSP and Dx = [a,b], ifΦ2B(PDx←[a, a+b

2 ]) = ∅I then the part [a, a+b

2 ) of Dx will be removed and thefiltering process continues on the interval [a+b

2 ,b]I otherwise, the filtering process continues on the

interval [a, 3a+b4 ].

51

Dra

ft


values

Problematic

AI Approach


2B–consistency

3B-Consistency


Motivatingexample

AI+CP

Experiments

Conclusion

Constraint Programming framework: sumup

+ Good refutation capabilitiesFlexibility: handling of integers, floats, non-linearexpressions,...

– ScalabilityPruning may be costly for large domainsA CSP is a conjunction of constraints a differentconstraint system is required for each path of theCFG

52

Dra

ft


values

Problematic

AI Approach


MotivatingexampleAI example

CP example

AI+CP

Experiments

Conclusion

Motivating example

float x = [0,10];float y = x*x - x;if (y >= 0)y = x/10;

elsey = x*x + 2;

53

Dra

ft


values

Problematic

AI Approach



CP example

AI+CP

Experiments

Conclusion

Example 1: Abstract Interpretation(zonotopes)


elsey = x*x + 2;

y = x ∗ x − x

y ≥ 0

y = x/10 y = x ∗ x + 2

y ≥ 0 y < 0

P0

P0 : x0 = 5 + 5ε1 ε1 ∈ [−1, 1]D0

x = [0, 10]

P1

P1 : y1 = 32.5 + 45ε1 + 12.5η1

η1 ∈ [−1, 1]D1

x = [0, 10] D1y = [−10, 90]

P2

P2 : y2 = y1 D2x = [0, 10]

D2y = [0, 90]

P3

P3 : y3 = 0.5 + 0.5ε1

D3y = [0, 1]

P4

P4 : y4 = y1 D4x = [0, 10]

D4y = [−10, 0[

P5

P5 : y5 = 39.5 + 50ε1 + 12.5η1

D5y = [2, 102]

P6

P6 : y6 = y3 ∪ y5 = 39.5 + 0.5ε1 + 62η2

η2 ∈ [−1, 1]D6

y = D3y ∪ D5

y = [0, 102]

54

Dra

ft


values

Problematic

AI Approach



CP example

AI+CP

Experiments

Conclusion



elsey = x*x + 2;

y = x ∗ x − x

y ≥ 0

y = x/10 y = x ∗ x + 2

y ≥ 0 y < 0

P0

P0 : x0 = 5 + 5ε1 ε1 ∈ [−1, 1]D0

x = [0, 10]

P1

P1 : y1 = 32.5 + 45ε1 + 12.5η1

η1 ∈ [−1, 1]D1

x = [0, 10] D1y = [−10, 90]

P2

P2 : y2 = y1 D2x = [0, 10]

D2y = [0, 90]

P3

P3 : y3 = 0.5 + 0.5ε1

D3y = [0, 1]

P4

P4 : y4 = y1 D4x = [0, 10]

D4y = [−10, 0[

P5

P5 : y5 = 39.5 + 50ε1 + 12.5η1

D5y = [2, 102]

P6

P6 : y6 = y3 ∪ y5 = 39.5 + 0.5ε1 + 62η2

η2 ∈ [−1, 1]D6

y = D3y ∪ D5

y = [0, 102]

55

Dra

ft


values

Problematic

AI Approach



CP example

AI+CP

Experiments

Conclusion



elsey = x*x + 2;

y = x ∗ x − x

y ≥ 0

y = x/10 y = x ∗ x + 2

y ≥ 0 y < 0

P0

P0 : x0 = 5 + 5ε1 ε1 ∈ [−1, 1]D0

x = [0, 10]

P1

P1 : y1 = 32.5 + 45ε1 + 12.5η1

η1 ∈ [−1, 1]D1

x = [0, 10] D1y = [−10, 90]

P2

P2 : y2 = y1 D2x = [0, 10]

D2y = [0, 90]

P3

P3 : y3 = 0.5 + 0.5ε1

D3y = [0, 1]

P4

P4 : y4 = y1 D4x = [0, 10]

D4y = [−10, 0[

P5

P5 : y5 = 39.5 + 50ε1 + 12.5η1

D5y = [2, 102]

P6

P6 : y6 = y3 ∪ y5 = 39.5 + 0.5ε1 + 62η2

η2 ∈ [−1, 1]D6

y = D3y ∪ D5

y = [0, 102] 56

Dra

ft


values

Problematic

AI Approach



CP example

AI+CP

Experiments

Conclusion

Example 1: Constraint Programming

y0 = x0 ∗ x0 − x0

y0 ≥ 0

y1 = x0/10 y1 = x0 ∗ x0 + 2

y0 ≥ 0 y0 < 0

y0 = x0 ∗ x0 − x0

y0 ≥ 0y1 = x0/10

filtering

D1x0 = [0, 10]

D1y0 = [0, 90]

D1y1 = [0, 1]

P0 : Dx0 = [0, 10] Dy0 = [−10, 90] Dy1 = [0, 102]

P6

y0 ≥ 0

y1 = x0/10

y0 = x0 ∗ x0 − x0

y0 ≥ 0y1 = x0/10

y0 < 0

y0 = x0 ∗ x0 − x0

y0 ≥ 0

y1 = x0 ∗ x0 + 2

y0 = x0 ∗ x0 − x0

y0 < 0y1 = x0 ∗ x0 + 2

filtering

D2x0 = [0, 1.026]

y0 ≥ 0

y1 = x0/10

P0 : Dx0 = [0, 10] Dy0 = [−10, 90] Dy1 = [0, 102]

y0 = x0 ∗ x0 − x0

y0 < 0y1 = x0 ∗ x0 + 2

filtering

D2x0 = [0, 1.026]

D2y0 = [−0.257, 0]

D2y1 = [2, 3.027]

P6 : D3y1 = D1

y1 ∪ D2y1 = [0, 3.027]

57

Dra

ft


values

Problematic

AI Approach



CP example

AI+CP

Experiments

Conclusion


y0 = x0 ∗ x0 − x0

y0 ≥ 0

y1 = x0/10 y1 = x0 ∗ x0 + 2

y0 ≥ 0 y0 < 0

y0 = x0 ∗ x0 − x0

y0 ≥ 0y1 = x0/10

filtering

D1x0 = [0, 10]

D1y0 = [0, 90]

D1y1 = [0, 1]

P0 : Dx0 = [0, 10] Dy0 = [−10, 90] Dy1 = [0, 102]

P6

y0 ≥ 0

y1 = x0/10

y0 = x0 ∗ x0 − x0

y0 ≥ 0y1 = x0/10

y0 < 0

y0 = x0 ∗ x0 − x0

y0 ≥ 0

y1 = x0 ∗ x0 + 2

y0 = x0 ∗ x0 − x0

y0 < 0y1 = x0 ∗ x0 + 2

filtering

D2x0 = [0, 1.026]

y0 ≥ 0

y1 = x0/10

P0 : Dx0 = [0, 10] Dy0 = [−10, 90] Dy1 = [0, 102]

y0 = x0 ∗ x0 − x0

y0 < 0y1 = x0 ∗ x0 + 2

filtering

D2x0 = [0, 1.026]

D2y0 = [−0.257, 0]

D2y1 = [2, 3.027]

P6 : D3y1 = D1

y1 ∪ D2y1 = [0, 3.027]

58

Dra

ft


values

Problematic

AI Approach



CP example

AI+CP

Experiments

Conclusion


y0 = x0 ∗ x0 − x0

y0 ≥ 0

y1 = x0/10 y1 = x0 ∗ x0 + 2

y0 ≥ 0 y0 < 0

y0 = x0 ∗ x0 − x0

y0 ≥ 0y1 = x0/10

filtering

D1x0 = [0, 10]

D1y0 = [0, 90]

D1y1 = [0, 1]

P0 : Dx0 = [0, 10] Dy0 = [−10, 90] Dy1 = [0, 102]

P6

y0 ≥ 0

y1 = x0/10

y0 = x0 ∗ x0 − x0

y0 ≥ 0y1 = x0/10

y0 < 0

y0 = x0 ∗ x0 − x0

y0 ≥ 0

y1 = x0 ∗ x0 + 2

y0 = x0 ∗ x0 − x0

y0 < 0y1 = x0 ∗ x0 + 2

filtering

D2x0 = [0, 1.026]

y0 ≥ 0

y1 = x0/10

P0 : Dx0 = [0, 10] Dy0 = [−10, 90] Dy1 = [0, 102]

y0 = x0 ∗ x0 − x0

y0 < 0y1 = x0 ∗ x0 + 2

filtering

D2x0 = [0, 1.026]

D2y0 = [−0.257, 0]

D2y1 = [2, 3.027]

P6 : D3y1 = D1

y1 ∪ D2y1 = [0, 3.027]

59

Dra

ft


values

Problematic

AI Approach


Motivatingexample

AI+CPProposed approach: AI+ CP

Combining AI and CP:Filtering

Experiments

Conclusion

Proposed approach: Combining AI and CP

Successive exploration and merging steps

I Use of AI to compute a first approximation of thevalues of variables at a program node where twobranches join

I Building a constraint system for each branch betweentwo join nodes in the CFG of the program and use ofCP local consistencies to shrink the domainscomputed by AI

60

Dra

ft


values

Problematic

AI Approach


Motivatingexample



Experiments

Conclusion

Combining AI and CP: CP process

Use of local consistencies to “shave” the domainscomputed by AI

I Build a constraint system for each branch between twojoin points in the CFG of a program

I Compute union of domains at join pointsI Propagate domains from and to AI at join points

1. Build a constraint system Ci for each branch betweentwo join nodes (N1,N2) in the CFG of the program

2. With each Ci , use local consistencies to shrink thedomains computed by AI at node N2

3. Compute the union DN2 of the reduced domains fromeach Ci

61

Dra

ft


values

Problematic

AI Approach


Motivatingexample



Experiments

Conclusion

Filtering techniques

I FPCS: 3B(w)-consistency over the floatsI Projection functions for floatsI Handling of rounding modesI Handling of x86 architecture specifics

I RealPaver: 2B(w)-consistency & Box-consistencyover the reals

I Reliable approximations of continuous solution setsI Correctly rounded interval methods and constraint

satisfaction techniques

62

Dra

ft


values

Problematic

AI Approach


Motivatingexample

AI+CP

ExperimentsBenchmarks

CDFL

Conclusion

Experiments: eliminating false alarms

CDFL: Program analyzer for proving the absence of runtimeerrors in program with floating-point computationsbased on Conflict-Driven Learning

RAICP Fluctuat CDFLFalse alarms 0 11 0Total time 40.55 s 18.37 s 208.99 s

Computed on the 55 benchs from CDFL (Conflict-DrivenLearning) paper (TACAS’12, D’Silva, Leopold Haller,Daniel Kroening, Michael Tautschnig)

63

Dra

ft


values

Problematic

AI Approach


Motivatingexample

AI+CP

Experiments

ConclusionConclusion

Conclusion

AI + CP framework: Efficient computation and sharp gooddomain approximations

Further works: interact with AI at the abstract domainlevelI Better approximationsI Keep statement contribution to rounding errors

64

Algorithms For Error Localiza2on On Numeric Constraints

65

Context

Ø Input •  Some impera,ve program with numeric statements (over integers or floa,ng-‐point numbers)

•  An asser-on to be checked •  A counter-‐example that violates the asser,on

Ø Output : informa-on on loca-ons of poten-ally faulty statements

66

Goal

§  Provide helpful informa,on for error localiza,on on numeric constraint systems

§  Two categories of informa,on o How much of an unsa-sfiable constraint set can be sa-sfied ?

→ MaxSAT, Max CSP, MaxFS o Where in the constraint set the “problem” lies ? → Irreducible / Irredundant Infeasible / Inconsistent Subsystems (IIS),Minimal Unsa,sfiable Core (MUC)

67

Defini2ons

•  MUS Minimal Unsa,sfiable Subset aka Irreducible Inconsistent Subsystem (IIS) M ⊆ C is a MUS ⇔ M is UNSAT and ∀c ∈ M : M \ {c} is SAT

•  MSS Maximal Sa,sfiable Subset a generaliza,on of MaxSAT / MaxFS considering maximality instead of maximum cardinality M ⊆ C is a MSS ⇔ M is SAT and ∀c ∈ C \ M : M ∪ {c} is UNSAT

•  MCS Minimal Correc,on Set the complement of some MSS: removal yields a sa,sfiable MSS (it “corrects” the infeasibility) M ⊆ C is a MCS ⇔ C \M is SAT and ∀c ∈ M : (C \M)∪{c} is UNSAT

68

Generic Algorithms •  Irreducible infeasible subset (IIS) or MUS, (Chinneck -‐ 2008), Dele,on

Filter (Chinneck et Dravnieks – 1991), Addi,ve Method (Tamiz et al -‐1996), Addi,ve Dele,on Method ( Guieu et Chinneck -‐1999 ), The Elas-c filter

•  Irreducible Conflict Sets (MUS) QUICKXPLAIN : Divide-‐and-‐Conquer for Explana,ons (Junker-‐2004)

•  All MCS / MUS –  Finding Mul-ple all MUSes: (Liffiton & Sakallah-‐2008); –  Enhancements :

•  MCS : adapta,on of QUICKXPLAIN : FastDiag & Enhanced FastDiag (Felfernig et al -‐2012, Silva et al-‐ 2013)

•  MUSEs: Marco Polo -‐ Finding Mul-ple MUSes Quickly (Liffiton & Malik -‐2013)

69

Irreducible infeasible subset (IIS)

« An irreducible infeasible subset (IIS) of the constraints, is a (small) subset of constraints that is itself infeasible, but becomes feasible if one or more constraints is removed » (Chinneck -‐ 2008) •  Used in global op,miza,on /opera,onal research •  Correspond to MUS (Minimal Unsa2sfiable Subset) used in SAT

•  Many algorithms: –  Dele,on filter, Addi,ve method, Addi,ve/Dele,on method –  The Elas,c filter –  Heuris,c for MIN IIS COVER –  All IIS of LP (based on the construc,on of a polytope using the simplex

method) –  …

70

On going work (1)

•  Efficient computa,on of MCS / MUS with a limited cardinality

•  Efficient computa,on of MCS / MUSes with a limited number of failing condi=ons

•  Efficient consistency checking for LP, MIP, floa,ng point numbers

•  Path of the counter example and all paths with at most k false condi,ons

71

On going work (2)

MCS are computed on constraints systems collected on : •  The path of the counter-‐example •  Paths sa,sfying the post condi,on when at most k condi,ons

are deviated, and containing not any deviated condi,on from a path : –  with less than k devia,ons, –  and which sa,sfies the post condi,on

72

Conclusion

Constraint techniques are efficient for program verifica-on if … and only if

they are combined with other techniques

73

Documents

Hélène)Collavizza,))Claude)Michel,)Olivier)Ponsini,)) Le ... › ~provilla › journeeMDSC › 2014 › rueher.pdfVariaonsautourdelavériﬁcaonsous contraintes) Michel)Rueher))!