Variations on constraint-based verification
Michel Rueher
(in collaboration with Hélène Collavizza, Claude Michel, Olivier Ponsini,
Le Vinh Nguyen, Mohamed Said Belaid, Mohammed Bekkouche)
Journée Pole MDSC
22/05/2014
Constraint-based verification
• Verifying critical properties is an increasingly strong requirement in many domains:
  – control of a nuclear power plant
  – automotive construction
  – hospital management
• Use of floating-point numbers → new problems
PLAN
• Verification of properties for programs with arrays and loops of bounded size
• Approximation of the errors / instability risks for programs with floating-point computations
• Help for error localization in programs with numeric computations
On Search Strategies for Constraint-Based Bounded Model Checking
Outline
A CP framework for Bounded Program Verification
CPBPV, a Depth First Dynamic Exploration of the CFG
DPVS, a Dynamic Backjumping Strategy
The Flasher Manager Application
Discussion
Motivations
→ Automatic generation of counterexamples violating a property on a limited model of the program is very useful
→ Challenge: finding bugs within realistic time periods for real-time applications with numeric operations
Overall view of CP framework
• Bounded program verification (the array lengths, the variable values and the loops are bounded)
  – Constraint stores represent the specification and the program
  – The program is partially correct if the constraint store implies the post-conditions
• Non-deterministic exploration of execution paths
CP-based BMC ...
CP-based BMC mainly involves three steps:
1. the program is unwound k times,
2. an annotated and simplified CFG is built,
3. the program is translated into constraints on the fly.
LP, MILP, Boolean and CP solvers are tried in sequence.
CP framework & BMC ...
• CP framework
  – Specification → constraints
  – Program → constraints (on the fly)
  – Solving process → a list of solvers tried in sequence on each selected node of the CFG → takes advantage of the structure of the program
• BMC based on SAT / SMT solvers
  – Program & specification → one big Boolean formula
  – Solving process → SAT / SMT solvers have a global view → critical issue: minimum conflict sets (to limit backtracks & spurious solutions)
CP framework, pre-processing
Pre-processing
1. P is unwound k times → Puw
2. Puw → DSA, Dynamic Single Assignment form (each variable is assigned exactly once on each program path)
3. DSA is simplified according to the specific property by applying slicing techniques
4. Domains of all variables are filtered by propagating constant values along the simplified CFG
A small example
  void foo(int a, int b) {
    int c, d, e, f;
    if (a >= 0) {
      if (a < 10) { f = b - 1; } else { f = b - a; }
      c = a;
      if (b >= 0) { d = a; e = b; } else { d = a; e = -b; }
    } else {
      c = b; d = 1; e = -a;
      if (a > b) { f = b + e + a; } else { f = e * a - b; }
    }
    c = c + d + e;
    assert(c >= d + e);   // property p1
    assert(f >= -b * e);  // property p2
  }
A small example (continued)
Initial CFG (figure)
A small example (continued)
Simplified CFG (figure)
Building the constraint store: principle
• Each expression is mapped to a constraint: ρ transforms program expressions into constraints
• SSA-like variable renaming: σ[v] is the current renaming of variable v
• JML specifications:
  – \forall i → conjunction of conditions
  – \exists i → disjunction of conditions
  (i has bounded values)
Building the constraint store ...
• scalar assignment
  ⟨[v ← e, l], σ1, c1⟩ ⟼ ⟨[l], σ2, c1 ∧ c2⟩
  where σ2 = σ1[v / σ1(v) + 1] and c2 ≡ (ρ σ2 v) = (ρ σ1 e)
Program: x=x+1; y=x*y; x=x+y;
Constraints: {x1 = x0 + 1, y1 = x1 ∗ y0, x2 = x1 + y1}
Building the constraint store ...
• array assignment
  ⟨[a[e1] ← e2, l], σ1, c1⟩ ⟼ ⟨[l], σ2, c1 ∧ c2 ∧ c3⟩
  where σ2 = σ1[a / σ1(a) + 1],
  c2 ≡ (ρ σ2 a)[ρ σ1 e1] = (ρ σ1 e2),
  c3 ≡ ∀i ∈ 0..a.length : (ρ σ1 e1) ≠ i → (ρ σ2 a)[i] = (ρ σ1 a)[i]
Program (a.length = 8): a[i] = x;
Constraints: {a1[i0] = x0, i0 ≠ 0 → a1[0] = a0[0], i0 ≠ 1 → a1[1] = a0[1], ..., i0 ≠ 7 → a1[7] = a0[7]}
guard → body is a guarded constraint
a[i] = x is the element constraint: i and x are constrained variables whose values may be unknown
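The two translation rules above, as an added example (not code from the slides or from the CPBPV tool): a small Python constraint-store builder that applies the SSA-like renaming σ and the mapping ρ to the slide's scalar program and to the array assignment a[i] = x with a.length = 8. The tuple-based statement encoding and the string form of the constraints are assumptions of this example.

```python
import re

# Added example (not code from the slides or the CPBPV tool). Statements are
# tuples: ("assign", v, e) or ("array_assign", a, e1, e2); expressions are
# strings over program variables; constraints are returned as readable strings.
class ConstraintStore:
    def __init__(self, array_lengths=None):
        self.sigma = {}                       # sigma[v]: current renaming index of v
        self.lengths = array_lengths or {}    # bounded array lengths, e.g. {"a": 8}
        self.constraints = []                 # the store c1 ∧ c2 ∧ ... as a list

    def rho(self, expr):
        """rho sigma e: rename every variable of e to its current version."""
        return re.sub(r"[A-Za-z_]\w*",
                      lambda m: f"{m.group(0)}{self.sigma.setdefault(m.group(0), 0)}",
                      expr)

    def fresh(self, v):
        """sigma2 = sigma1[v / sigma1(v) + 1]: the version of v after an assignment."""
        self.sigma[v] = self.sigma.get(v, 0) + 1
        return f"{v}{self.sigma[v]}"

    def scalar_assign(self, v, e):
        """v <- e gives c2 ≡ (rho sigma2 v) = (rho sigma1 e)."""
        rhs = self.rho(e)                     # under sigma1, before v is renamed
        self.constraints.append(f"{self.fresh(v)} = {rhs}")

    def array_assign(self, a, e1, e2):
        """a[e1] <- e2 gives the element constraint c2 and the guarded frame constraints c3."""
        idx, val, old = self.rho(e1), self.rho(e2), self.rho(a)   # all under sigma1
        new = self.fresh(a)                                        # a under sigma2
        self.constraints.append(f"{new}[{idx}] = {val}")
        for i in range(self.lengths[a]):      # cells other than e1 keep their old value
            self.constraints.append(f"{idx} ≠ {i} → {new}[{i}] = {old}[{i}]")

def translate(statements, array_lengths=None):
    """Translate a straight-line statement list on the fly; returns the constraint list."""
    store = ConstraintStore(array_lengths)
    for st in statements:
        if st[0] == "assign":
            store.scalar_assign(st[1], st[2])
        elif st[0] == "array_assign":
            store.array_assign(st[1], st[2], st[3])
        else:
            raise ValueError(f"unsupported statement kind {st[0]!r}")
    return store.constraints

# The slides' two programs: x=x+1; y=x*y; x=x+y;  and  a[i] = x; with a.length = 8
SCALAR_PROGRAM = [("assign", "x", "x + 1"), ("assign", "y", "x * y"), ("assign", "x", "x + y")]
ARRAY_PROGRAM = [("array_assign", "a", "i", "x")]

if __name__ == "__main__":
    print(translate(SCALAR_PROGRAM))
    print(translate(ARRAY_PROGRAM, {"a": 8}))
```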
CPBPV, Depth first exploration of the CFG
• Translate the precondition of the specification (if it exists) into a set of constraints PRECOND
• Translate the post-condition of the specification into a set of constraints POSTCOND
• Explore each branch Bi of the program and translate the instructions of Bi into a set of constraints PROG_Bi
On the fly validation : if c then ... else ...
• If c can be simplified into the constant value “true” or “false”, select the branch which corresponds to c
• If c is linear: 1. add decision c to linear_CSP; 2. solve linear_CSP
  – if linear_CSP has no solution, condition c is not feasible for the current path → choose another path
  – if linear_CSP has a solution, we can't conclude anything on complete_CSP → investigate both branches c and ¬c
On the fly validation : if c then ... else ...
• If c is NOT linear: 1. abstract decision c and add it to boolean_CSP; 2. solve boolean_CSP
  – if boolean_CSP has no solution → choose another path
  – if boolean_CSP has a solution → investigate both branches c and ¬c
Boolean abstraction
• hash-table of decisions: keys are decisions, values are Boolean variables
• sub-expressions are shared → rewriting
On the fly validation: loops
Let c be the entrance condition
• if c is trivially simplified to “true” or “false” → enter or exit the loop
• if {c + linear_CSP} is inconsistent → add ¬c to the CSPs and exit the loop
In other cases, unfold the loop max times:
• If max is reached → add ¬c to the CSPs and exit the loop
• Else → investigate both paths
Binary search
length        8        16       32       64        128
CPBPV time    1.08s    1.69s    4.04s    17.01s    136.80s
CBMC time     1.37s    1.43s    KO
Table: Results for a correct binary search program

length    CPBPV     CBMC
8         0.027s    1.38s
16        0.037s    1.69s
32        0.064s    7.62s
64        0.115s    27.05s
128       0.241s    189.20s
Table: Results for an incorrect binary search
Critical issues
• We do not need the Boolean abstraction to capture the control structure of the program
  → Use the CFG and constraints to prune the search space
• Depth first dynamic exploration of the CFG
  – Efficient if the variables are instantiated early
  – Blind searching: the post-condition becomes active very late
DPVS, a Dynamic Backjumping Strategy
→ Generating counterexamples
→ Starts from the post-condition and jumps to the locations where the variables are assigned
A Dynamic Backjumping Strategy
Why can we do it?
Essential observation: when the program is in an SSA-like form, a path can be built in a non-sequential, dynamic way
→ the CFG does not have to be explored in a top-down (or bottom-up) way: compatible blocks can just be collected in a non-deterministic way
A Dynamic Backjumping Strategy
DPVS starts from the post-condition and dynamically collects the program blocks which involve variables of the post-condition
Why does it pay off?
→ Enforces the constraints on the domains of the selected variables
→ Detects inconsistencies earlier
A small example
  void foo(int a, int b) {
    int c, d, e, f;
    if (a >= 0) {
      if (a < 10) { f = b - 1; } else { f = b - a; }
      c = a;
      if (b >= 0) { d = a; e = b; } else { d = a; e = -b; }
    } else {
      c = b; d = 1; e = -a;
      if (a > b) { f = b + e + a; } else { f = e * a - b; }
    }
    c = c + d + e;
    assert(c >= d + e);   // property p1
    assert(f >= -b * e);  // property p2
  }
A small example (continued)
To prove property p1, select node (12), then select node (4) → the condition in node (0) must be true (node numbers refer to the simplified CFG figure)
S = {c1 < d0 + e0 ∧ c1 = c0 + d0 + e0 ∧ c0 = a0 ∧ a0 ≥ 0}
  = {a0 < 0 ∧ a0 ≥ 0} ... inconsistent
A small example (continued)
Select node (8) → the condition in node (0) must be false
S = {c1 < d0 + e0 ∧ c1 = c0 + d0 + e0 ∧ c0 = b0 ∧ a0 < 0 ∧ d0 = 1 ∧ e0 = −a0}
  = {a0 < 0 ∧ b0 < 0}
Solution: {a0 = −1, b0 = −1}
FM Application: Description of the module
• A real-time industrial application from a car manufacturer (provided by Geensoft)
• Flasher Manager (FM): controller that drives several functions related to the flashing lights
Purpose:
  – to indicate a direction change
  – to lock and unlock the car from a distance
  – to activate the warning lights
• Simulink model of FM → C function f1
FM Application: functionalities
• Direction change: Boolean input R or L rises from 0 to 1. The corresponding light then oscillates between on/off states with a period of 6 time-units (e.g. 3 s) → output sequence of the form [111000]
• Lock and unlock of the car
  – If the unlock button is pressed while the car is unlocked, nothing shall happen.
  – If the unlock button is pressed while the car is locked, both lights shall flash with a period of 2 time-units during 20 time-units (fast flashes for a short time)
  – If the lock button is pressed while the car is unlocked, both lights shall go on for 10 time-units, and then shall go off for another 10 time-units
  – If the lock button is pressed while the car is locked, both lights shall flash during 60 time-units with a period of 2 time-units (fast flashes for a long time) ...
• Warning function: when the warning is on, both lights flash with a period of 6 time-units
FM Application: Simulink model (figure)
FM Application: Function f1
Simulink model of FM → C function f1
• 81 Boolean variables (6 inputs, 2 outputs) and 28 integer variables
• 300 lines of code: nested conditionals including linear operations and constant assignments
Piece of code: (figure)
FM Application: properties
p1: The lights should never remain lit
p2: The Warning function has priority over the other flashing functions
p3: When the warning button has been pushed and then released, the Warning function resumes to the Flashers_left (or Flashers_right) function, if this function was active when the warning button was pushed
p4: When the F signal (for flasher active) is off, the Flashers_left, Flashers_right and Warning functions are disabled. On the contrary, all the functions related to the lock and unlock of the car are maintained
Experiments (property p1)
Solving time (seconds):
N       CBMC      DPVS     CPBPV*
5       0.03      0.02     0.84
100     58.52     1.11     TO
200     232.19    1.7      TO
400     TO        3.83     TO
800     TO        9.35     TO
1600    TO        26.2     TO

Presolving time (seconds):
N       CBMC      DPVS & CPBPV*
5       0.366     0.48
100     96.21     14.95
200     395.46    21.65
400     TO        83.81
800     TO        218.15
1600    TO        531.82
Experiments (cont)
• Presolving, search, and total times in seconds for checking property p2 with 10 unfoldings
Tool       Presolving   Search   Total
CBMC       0.89         0.23     1.12
CBMCz3     0.85         2.7      3.55
DPVS       3.89         0.08     3.97
DPVSz3     3.89         0.34     4.23
This property does not hold (only 3 unfoldings are required)
• Properties 3 and 4 could not be checked
Discussion
Experiments on the binary search
Length    CBMC       DPVS      CPBPV*
4         5.732      0.529     0.107
8         110.081    35.074    0.298
16        TO         TO        1.149
64        TO         TO        27.714
128       TO         TO        153.646
• DPVS and CBMC waste a lot of time exploring the different paths
• CPBPV* incrementally adds the decisions taken along a path → well adapted to the Binary Search program
Ongoing work: combining strategies (on multi-core processors)
Identifying suspicious values in programs with floating-point numbers
Outline
Problematic: Verifying programs with FP computations
AI Approach: Abstraction of program states
Constraint Programming over continuous domains
Motivating example
Combining AI and CP
Experiments
Conclusion
Introduction
• Problem: verifying programs with floating-point computations
  Embedded systems written in C (transportation, nuclear plants, ...)
• Programs use floating-point numbers but
  – Specifications are written with the semantics of reals “in mind”
  – Programs are written with the semantics of reals “in mind”
Floating-point arithmetic pitfalls
Rounding: (0.1)₁₀ = (0.000110011001100···)₂, which in single precision is stored as 0.100000001490116119384765625
Counter-intuitive properties:
• Operators are neither associative nor distributive: (−10000001 + 10⁷) + 0.5 ≠ −10000001 + (10⁷ + 0.5)
• Absorption and cancellation phenomena
  Absorption: 10⁷ + 0.5 = 10⁷
  Cancellation: ((1 − 10⁻⁷) − 1) ∗ 10⁷ = −1.192... (≠ −1)
→ Floats are a source of errors in programs
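The pitfalls listed above, reproduced as an added example (not code from the slides): every operation is rounded to IEEE-754 single precision with struct, which is how a C float behaves in the programs the slides target; the helper names are this example's own.

```python
import struct
from decimal import Decimal

# Added example (not code from the slides): binary32 arithmetic emulated in
# Python by rounding each intermediate result through a packed C float.
def f32(v):
    """Round a Python float (binary64) to the nearest binary32 value."""
    return struct.unpack("f", struct.pack("f", v))[0]

def add32(a, b):
    return f32(f32(a) + f32(b))

def sub32(a, b):
    return f32(f32(a) - f32(b))

def mul32(a, b):
    return f32(f32(a) * f32(b))

def stored_tenth():
    """0.1 has no exact binary32 representation; Decimal shows the value really stored."""
    return str(Decimal(f32(0.1)))

def non_associative():
    """(-10000001 + 10^7) + 0.5 versus -10000001 + (10^7 + 0.5) in binary32."""
    left = add32(add32(-10000001.0, 1e7), 0.5)
    right = add32(-10000001.0, add32(1e7, 0.5))
    return left, right

def absorption():
    """10^7 + 0.5 == 10^7: consecutive binary32 values near 10^7 are 1 apart."""
    return add32(1e7, 0.5)

def cancellation():
    """((1 - 10^-7) - 1) * 10^7: the rounding of 1 - 10^-7 is magnified by the subtraction."""
    return mul32(sub32(sub32(1.0, 1e-7), 1.0), 1e7)

if __name__ == "__main__":
    print("0.1 is stored as", stored_tenth())
    print("non-associative:", non_associative())
    print("absorption:", absorption())
    print("cancellation:", cancellation())
```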
Objectives & Method
Goals:
→ bounds for variables with real-number semantics and floating-point-number semantics
→ bounds for the error due to the use of floating-point numbers instead of real numbers
in order to identify suspicious values
Method: combining abstract interpretation & constraint programming
AI Approach: Abstraction of program states
Intervals, zonotopes, polyhedra...
Zonotopes: convex polytopes with a central symmetry; sets of affine forms
  a = a0 + a1ε1 + · · · + anεn
  b = b0 + b1ε1 + · · · + bnεn
  ...
  with εi ∈ [−1, 1]
+ Good trade-off between performance and precision
– Not very accurate for nonlinear expressions
– Not accurate on very common program constructs such as conditionals
AI: Static analysis (cont.)
+ Good scalability for
  – showing absence of runtime errors
  – estimating rounding errors and their propagation
  – checking properties of programs
– Lack of precision
  – approximations may be very coarse
  – over-approximation → possible false alarms
AI & False alarm
From Cousot: http://www.di.ens.fr/~cousot/AI/IntroAbsInt.html (figure)
CP over continuous domains: overall scheme
CP over continuous domains ≡ a branch & prune process → an iteration of two steps:
1. Pruning the search space
2. Making a choice to generate two (or more) sub-problems
Pruning step → reduces an interval when the upper bound or the lower bound does not satisfy some constraint
Branching step → splits the domain of some variable into two or more intervals
Local consistencies
Working with a single constraint
Consider Dx = [x̲, x̄] and c(x, x1, ..., xn):
If c(x, x1, ..., xn) does not hold for any value a ∈ [x̲, x′], then Dx → [x′, x̄]
2B-consistency
• A constraint cj is 2B-consistent if for any variable xi of cj, the bounds x̲i and x̄i of Dxi have a support in the domains of all other variables of cj
→ Variable x is 2B-consistent for f(x, x1, ..., xn) = 0 if the lower (resp. upper) bound of the domain of x is the smallest (resp. largest) solution of f(x, x1, ..., xn)
A CSP is 2B-consistent iff all its constraints are 2B-consistent
3B-Consistency (1)
3B-Consistency, a shaving process
→ checks whether 2B-Consistency can be enforced when the domain of a variable is reduced to the value of one of its bounds in the whole system
3B-Consistency (2)
Let (X, D, C) be a CSP and Dx = [a, b]. If Φ2B(P_{Dx ← [a, (a+b)/2]}) = ∅
• then the part [a, (a+b)/2) of Dx is removed and the filtering process continues on the interval [(a+b)/2, b]
• otherwise, the filtering process continues on the interval [a, (3a+b)/4].
Constraint Programming framework: sum up
+ Good refutation capabilities
+ Flexibility: handling of integers, floats, non-linear expressions, ...
– Scalability: pruning may be costly for large domains
– A CSP is a conjunction of constraints → a different constraint system is required for each path of the CFG
Motivating example
  float x = [0,10];      /* x ranges over the interval [0,10] */
  float y = x*x - x;
  if (y >= 0)
      y = x/10;
  else
      y = x*x + 2;
Example 1: Abstract Interpretation (zonotopes)
  float x = [0,10];
  float y = x*x - x;
  if (y >= 0)
      y = x/10;
  else
      y = x*x + 2;
Abstract states along the CFG (affine forms with noise symbols εi, ηi ∈ [−1, 1]):
P0 (x = [0,10]): x0 = 5 + 5ε1, ε1 ∈ [−1, 1]; D0x = [0, 10]
P1 (y = x ∗ x − x): y1 = 32.5 + 45ε1 + 12.5η1, η1 ∈ [−1, 1]; D1x = [0, 10], D1y = [−10, 90]
P2 (then branch, y ≥ 0): y2 = y1; D2x = [0, 10], D2y = [0, 90]
P3 (y = x/10): y3 = 0.5 + 0.5ε1; D3y = [0, 1]
P4 (else branch, y < 0): y4 = y1; D4x = [0, 10], D4y = [−10, 0[
P5 (y = x ∗ x + 2): y5 = 39.5 + 50ε1 + 12.5η1; D5y = [2, 102]
P6 (join): y6 = y3 ∪ y5 = 39.5 + 0.5ε1 + 62η2, η2 ∈ [−1, 1]; D6y = D3y ∪ D5y = [0, 102]
Example 1: Constraint Programming
P0 (domains computed by AI): Dx0 = [0, 10], Dy0 = [−10, 90], Dy1 = [0, 102]
Then branch: constraint system {y0 = x0 ∗ x0 − x0, y0 ≥ 0, y1 = x0/10}
  filtering → D1x0 = [0, 10], D1y0 = [0, 90], D1y1 = [0, 1]
Else branch: constraint system {y0 = x0 ∗ x0 − x0, y0 < 0, y1 = x0 ∗ x0 + 2}
  filtering → D2x0 = [0, 1.026], D2y0 = [−0.257, 0], D2y1 = [2, 3.027]
P6 (join): D3y1 = D1y1 ∪ D2y1 = [0, 3.027]
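The filtering of both branches above, as an added example (not code from the slides, FPCS or RealPaver): a Python 2B-consistency loop with a slice-based 3B shaving step over the constraints of the motivating example, starting from the AI domains at P1. Assumptions: intervals are plain doubles without outward rounding, the strict test y < 0 is handled as y ≤ 0, and the slice width and iteration cap are this example's own choices, so the bounds come out close to, not identical to, the slide's 1.026, −0.257 and 3.027.

```python
import copy
import math

EPS = 1e-9          # a bound must move by more than EPS to count as progress

class Iv:
    """Closed interval [lo, hi] of plain doubles (no outward rounding in this example)."""
    def __init__(self, lo, hi):
        self.lo, self.hi = lo, hi
    def empty(self):
        return self.lo > self.hi
    def meet(self, lo, hi):
        """Intersect with [lo, hi]; report whether the domain really shrank."""
        nlo, nhi = max(self.lo, lo), min(self.hi, hi)
        moved = nlo - self.lo > EPS or self.hi - nhi > EPS or nlo > nhi
        self.lo, self.hi = nlo, nhi
        return moved

def revise(con, D):
    """Project one primitive constraint onto each of its variables (2B revise)."""
    kind = con[0]
    if kind == "sq":                                   # z = x * x
        z, x = D[con[1]], D[con[2]]
        lo2, hi2 = x.lo * x.lo, x.hi * x.hi
        zlo = 0.0 if x.lo <= 0.0 <= x.hi else min(lo2, hi2)
        moved = z.meet(zlo, max(lo2, hi2))
        r = math.sqrt(max(z.hi, 0.0))
        moved |= x.meet(-r, r)
        if z.lo > 0.0 and x.lo >= 0.0:                 # non-negative x: x >= sqrt(z.lo)
            moved |= x.meet(math.sqrt(z.lo), x.hi)
        return moved
    if kind == "sub":                                  # z = x - y
        z, x, y = D[con[1]], D[con[2]], D[con[3]]
        moved = z.meet(x.lo - y.hi, x.hi - y.lo)
        moved |= x.meet(z.lo + y.lo, z.hi + y.hi)
        return moved | y.meet(x.lo - z.hi, x.hi - z.lo)
    if kind == "lin":                                  # z = a * x + b, with a > 0
        z, x, a, b = D[con[1]], D[con[2]], con[3], con[4]
        moved = z.meet(a * x.lo + b, a * x.hi + b)
        return moved | x.meet((z.lo - b) / a, (z.hi - b) / a)
    raise ValueError(kind)

def two_b(D, cons, limit=200):
    """2B-consistency: revise every constraint until no bound moves.
    Returns False as soon as some domain becomes empty (the system is refuted)."""
    for _ in range(limit):
        moved = [revise(c, D) for c in cons]
        if any(d.empty() for d in D.values()):
            return False
        if not any(moved):
            return True
    return True                                        # iteration cap: keep current domains

def three_b(D, cons, w=0.01):
    """3B shaving: cut a slice of width w at a bound and drop it if 2B refutes it."""
    for v in D:
        for side in ("lo", "hi"):
            while D[v].hi - D[v].lo > w:
                lo, hi = D[v].lo, D[v].hi
                trial = copy.deepcopy(D)
                trial[v] = Iv(lo, lo + w) if side == "lo" else Iv(hi - w, hi)
                if two_b(trial, cons):                 # slice consistent: keep its tightened bound
                    if side == "lo":
                        D[v].lo = trial[v].lo
                    else:
                        D[v].hi = trial[v].hi
                    break
                if side == "lo":                       # slice refuted: shave it off
                    D[v].lo = lo + w
                else:
                    D[v].hi = hi - w
                two_b(D, cons)

def analyse_branch(else_branch):
    """Filter one branch of the example, starting from the domains computed by AI (P1)."""
    D = {"x0": Iv(0.0, 10.0), "t": Iv(-1e9, 1e9),      # t stands for the term x0 * x0
         "y0": Iv(-10.0, 0.0) if else_branch else Iv(0.0, 90.0),
         "y1": Iv(0.0, 102.0)}
    cons = [("sq", "t", "x0"), ("sub", "y0", "t", "x0"),      # y0 = x0*x0 - x0
            ("lin", "y1", "t", 1.0, 2.0) if else_branch        # y1 = x0*x0 + 2
            else ("lin", "y1", "x0", 0.1, 0.0)]                # y1 = x0/10
    two_b(D, cons)
    three_b(D, cons)
    return {v: (round(D[v].lo, 3), round(D[v].hi, 3)) for v in ("x0", "y0", "y1")}

def join_y1():
    """Union (hull) of the two y1 domains at the join point P6."""
    a, b = analyse_branch(False)["y1"], analyse_branch(True)["y1"]
    return (min(a[0], b[0]), max(a[1], b[1]))

if __name__ == "__main__":
    print("then-branch (y >= 0):", analyse_branch(False))
    print("else-branch (y < 0): ", analyse_branch(True))
    print("y1 at join P6:", join_y1())
```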
Proposed approach: Combining AI and CP
Successive exploration and merging steps
• Use of AI to compute a first approximation of the values of variables at a program node where two branches join
• Building a constraint system for each branch between two join nodes in the CFG of the program, and use of CP local consistencies to shrink the domains computed by AI
Combining AI and CP: CP process
Use of local consistencies to “shave” the domains computed by AI
• Build a constraint system for each branch between two join points in the CFG of a program
• Compute the union of domains at join points
• Propagate domains from and to AI at join points
1. Build a constraint system Ci for each branch between two join nodes (N1, N2) in the CFG of the program
2. With each Ci, use local consistencies to shrink the domains computed by AI at node N2
3. Compute the union DN2 of the reduced domains from each Ci
Filtering techniques
• FPCS: 3B(w)-consistency over the floats
  – projection functions for floats
  – handling of rounding modes
  – handling of x86 architecture specifics
• RealPaver: 2B(w)-consistency & Box-consistency over the reals
  – reliable approximations of continuous solution sets
  – correctly rounded interval methods and constraint satisfaction techniques
Experiments: eliminating false alarms
CDFL: program analyzer for proving the absence of runtime errors in programs with floating-point computations, based on Conflict-Driven Learning
               RAICP      Fluctuat    CDFL
False alarms   0          11          0
Total time     40.55 s    18.37 s     208.99 s
Computed on the 55 benchmarks from the CDFL (Conflict-Driven Learning) paper (TACAS’12, D’Silva, Leopold Haller, Daniel Kroening, Michael Tautschnig)
Conclusion
AI + CP framework: efficient computation of sharp, good-quality domain approximations
Further work: interact with AI at the abstract domain level
• better approximations
• keep each statement's contribution to the rounding errors
Algorithms for Error Localization on Numeric Constraints
Context
• Input
  – Some imperative program with numeric statements (over integers or floating-point numbers)
  – An assertion to be checked
  – A counterexample that violates the assertion
• Output: information on the locations of potentially faulty statements
Goal
• Provide helpful information for error localization on numeric constraint systems
• Two categories of information
  – How much of an unsatisfiable constraint set can be satisfied? → MaxSAT, Max CSP, MaxFS
  – Where in the constraint set does the “problem” lie? → Irreducible / Irredundant Infeasible / Inconsistent Subsystems (IIS), Minimal Unsatisfiable Core (MUC)
Definitions
• MUS, Minimal Unsatisfiable Subset, aka Irreducible Inconsistent Subsystem (IIS): M ⊆ C is a MUS ⇔ M is UNSAT and ∀c ∈ M : M \ {c} is SAT
• MSS, Maximal Satisfiable Subset, a generalization of MaxSAT / MaxFS considering maximality instead of maximum cardinality: M ⊆ C is a MSS ⇔ M is SAT and ∀c ∈ C \ M : M ∪ {c} is UNSAT
• MCS, Minimal Correction Set, the complement of some MSS: its removal yields a satisfiable MSS (it “corrects” the infeasibility): M ⊆ C is a MCS ⇔ C \ M is SAT and ∀c ∈ M : (C \ M) ∪ {c} is UNSAT
Generic Algorithms
• Irreducible infeasible subset (IIS) or MUS (Chinneck, 2008): Deletion Filter (Chinneck and Dravnieks, 1991), Additive Method (Tamiz et al., 1996), Additive Deletion Method (Guieu and Chinneck, 1999), The Elastic filter
• Irreducible Conflict Sets (MUS): QUICKXPLAIN, Divide-and-Conquer for Explanations (Junker, 2004)
• All MCS / MUS
  – Finding multiple / all MUSes (Liffiton & Sakallah, 2008)
  – Enhancements:
    • MCS: adaptation of QUICKXPLAIN: FastDiag & Enhanced FastDiag (Felfernig et al., 2012; Silva et al., 2013)
    • MUSes: Marco Polo, Finding Multiple MUSes Quickly (Liffiton & Malik, 2013)
Irreducible infeasible subset (IIS)
“An irreducible infeasible subset (IIS) of the constraints is a (small) subset of constraints that is itself infeasible, but becomes feasible if one or more constraints is removed” (Chinneck, 2008)
• Used in global optimization / operational research
• Corresponds to the MUS (Minimal Unsatisfiable Subset) used in SAT
• Many algorithms:
  – Deletion filter, Additive method, Additive/Deletion method
  – The Elastic filter
  – Heuristic for MIN IIS COVER
  – All IIS of an LP (based on the construction of a polytope using the simplex method)
  – ...
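The MUS and MCS definitions and the deletion filter listed above, as an added example (not code from the slides): a Python deletion filter returning one MUS (IIS) and a size-bounded MCS enumeration, run on the constraint system of the counterexample a = −1, b = −1 for property p1 of foo (the else branch). The counterexample inputs and the assertion are kept as hard constraints; satisfiability is decided by brute force over a small bounded integer domain, which stands in for the LP/MILP/CP solvers named on the slides.

```python
from itertools import combinations, product

# Added example (not code from the slides). Bounded integer domain [-2, 2] for
# the DSA variables of the counterexample path of foo (f is irrelevant to p1).
VARS = ("a0", "b0", "c0", "c1", "d0", "e0")
ASSIGNMENTS = [dict(zip(VARS, vals)) for vals in product(range(-2, 3), repeat=len(VARS))]

# Hard constraints: the counterexample inputs and the assertion p1 (not negated).
HARD = [("input a = -1", lambda v: v["a0"] == -1),
        ("input b = -1", lambda v: v["b0"] == -1),
        ("assert c >= d + e", lambda v: v["c1"] >= v["d0"] + v["e0"])]
# Soft constraints: path conditions and statements executed by the counterexample.
SOFT = [("path: a < 0",    lambda v: v["a0"] < 0),
        ("c = b",          lambda v: v["c0"] == v["b0"]),
        ("d = 1",          lambda v: v["d0"] == 1),
        ("e = -a",         lambda v: v["e0"] == -v["a0"]),
        ("path: !(a > b)", lambda v: not (v["a0"] > v["b0"])),
        ("c = c + d + e",  lambda v: v["c1"] == v["c0"] + v["d0"] + v["e0"])]

def sat(constraints):
    """Bounded satisfiability oracle: some assignment satisfies every constraint."""
    return any(all(pred(v) for _, pred in constraints) for v in ASSIGNMENTS)

def deletion_filter(hard, soft):
    """Deletion filter: drop each soft constraint in turn and put it back only if
    the remainder becomes satisfiable; what survives is one MUS / IIS."""
    core = list(soft)
    for c in soft:
        rest = [d for d in core if d is not c]
        if not sat(hard + rest):          # still infeasible without c: c is not needed
            core = rest
    return [label for label, _ in core]

def minimal_correction_sets(hard, soft, max_size=2):
    """All MCSs of size <= max_size: minimal soft subsets whose removal restores
    satisfiability, enumerated by increasing size so that supersets are skipped."""
    found = []
    for size in range(1, max_size + 1):
        for combo in combinations(range(len(soft)), size):
            if any(set(m) <= set(combo) for m in found):
                continue                  # a smaller correction set is already inside it
            remaining = [soft[i] for i in range(len(soft)) if i not in combo]
            if sat(hard + remaining):
                found.append(combo)
    return [[soft[i][0] for i in m] for m in found]

if __name__ == "__main__":
    print("counterexample system satisfiable?", sat(HARD + SOFT))
    print("MUS (suspicious statements):", deletion_filter(HARD, SOFT))
    print("MCSs (candidate corrections):", minimal_correction_sets(HARD, SOFT))
```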
Ongoing work (1)
• Efficient computation of MCS / MUS with a limited cardinality
• Efficient computation of MCS / MUSes with a limited number of failing conditions
• Efficient consistency checking for LP, MIP, floating-point numbers
• Path of the counterexample and all paths with at most k false conditions
Ongoing work (2)
MCSs are computed on constraint systems collected on:
• the path of the counterexample
• paths satisfying the post-condition when at most k conditions are deviated, and containing no deviated condition from a path:
  – with fewer than k deviations,
  – and which satisfies the post-condition
Conclusion
Constraint techniques are efficient for program verification if ... and only if
they are combined with other techniques