Constraint-based BMC: a backjumping strategy

  • Hélène Collavizza
  • Nguyen Le Vinh
  • Olivier Ponsini
  • Michel Rueher
  • Antoine Rollet
Regular Paper

Abstract

Safety property checking is mandatory in the validation process of critical software. When formal verification tools fail to prove some properties, the automatic generation of counterexamples for a given loop depth is an important issue in practice. We investigate in this paper the capabilities of constraint-based bounded model checking for program verification and counterexample generation on real applications. We introduce dynamic post-condition variable-driven strategy (DPVS), a new backjumping strategy we developed to handle an industrial application from a car manufacturer, the Flasher Manager. This backjumping strategy is used to search a faulty path and to collect the constraints of such a path. The simplified control flow graph (CFG) of the program is explored in a backward way, starting from the post-condition and jumping to the most promising node where the variables of the post-condition are defined. In other words, the constraints are collected by exploring the CFG in a dynamic and non-sequential backward way. The Flasher Manager application has been designed and simulated using the Simulink platform. However, this module is concretely embedded as a C program in a car computer, thus we have to check that the safety properties are preserved on this C code. We report experiments on the Flasher Manager with our constraint-based bounded model checker, and with CBMC, a state-of-the-art bounded model checker. Experiments show that DPVS and CBMC have similar performances on one property of the Flasher Manager; DPVS outperforms CBMC to find a counterexample for two properties; two of the properties of the Flasher Manager remain intractable for CBMC and DPVS.

Keywords

Embedded systems Validation  Constraint-based bounded model checking  Counterexample generation 

Notes

Acknowledgments

The authors would like to thank Geensoft for providing the Flasher Manager application and especially Thierry Gueguen and Samuel Devulder for their help.

References

  1. 1.
    Albert, E., Gómez-Zamalloa, M., Puebla, G.: Test data generation of bytecode by CLP partial evaluation. In: Logic-Based Program Synthesis and Transformation (LOPSTR), Revised Selected Papers, LNCS, vol. 5438, pp. 4–23. Springer, Berlin (2008)Google Scholar
  2. 2.
    Armando, A., Mantovani, J., Platania, L.: Bounded model checking of software using SMT solvers instead of SAT solvers. Int. J. Softw. Tools Technol. Transf. 11(1), 69–83 (2009)CrossRefGoogle Scholar
  3. 3.
    Ball, T., Levin, V., Rajami, S.K.: A decade of software model checking with SLAM. CACM 54(7), 68–76 (2011)CrossRefGoogle Scholar
  4. 4.
    Barnett, M., Leino, K.R.M.: Weakest-precondition of unstructured programs. Inf. Process. Lett. 93(6), 281–288 (2005)CrossRefGoogle Scholar
  5. 5.
    Biere, A., Cimatti, A., Clarke, E.M., Zhu, Y.: Symbolic model checking without bdds. In: TACAS, pp. 193–207. Springer, Berlin (1999)Google Scholar
  6. 6.
    Blanc, B., Junke, C., Marre, B., Gall, P.L., Andrieu, O.: Handling state-machines specifications with gatel. MBT 2010. Electr. Notes Theor. Comput. Sci. 264(3), 3–17 (2010)CrossRefGoogle Scholar
  7. 7.
    Bochot, T., Virelizier, P., Waeselynck, H., Wiels, V.: Model checking flight control systems: the airbus experience. In: ICSE 2009. 31st International Conference on Software Engineering, Companion Volume, pp. 18–27. IEEE, New York (2009)Google Scholar
  8. 8.
    Botella, B., Gotlieb, A., Michel, C.: Symbolic execution of floating-point computations. Softw. Test. Verif. Reliab. 16(2), 97–121 (2006)CrossRefGoogle Scholar
  9. 9.
    Charreteur, F., Gotlieb, A.: Constraint-based test input generation for java bytecode. In: IEEE 21st International Symposium on Software Reliability Engineering, pp. 131–140. IEEE Computer Society, New York (2010)Google Scholar
  10. 10.
    Clarke, E., Kroening, D., Lerda, F.: A tool for checking ANSI-C programs. In: TACAS, LNCS, vol. 2988, pp. 168–176 (2004)Google Scholar
  11. 11.
    Collavizza, H., Rueher, M., Hentenryck, P.V.: CPBPV: a constraint-programming framework for bounded program verification. In: CP 2008, 14th International Conference on Principles and Practice of Constraint Programming, LNCS, vol. 5202, pp. 327–341. Springer, Berlin (2008)Google Scholar
  12. 12.
    Collavizza, H., Rueher, M., Hentenryck, P.V.: A constraint-programming framework for bounded program verification. Constraints J. 15(2), 238–264 (2010)CrossRefMATHGoogle Scholar
  13. 13.
    Collavizza, H., Vinh, N.L., Rueher, M., Devulder, S., Gueguen, T.: A dynamic constraint-based bmc strategy for generating counterexamples. In: Proceedings of the 2011 ACM Symposium on Applied Computing (SAC), TaiChung, Taiwan, March 21–24, 2011, pp. 1633–1638. ACM, New York (2011)Google Scholar
  14. 14.
    Cordeiro, L., Fischer, B., Marques-Silva, J.: SMT-based bounded model checking for embedded ANSI-C software. In: Proceedings of the 24th IEEE/ACM International Conference on Automated Software Engineering (ASE’09), pp. 137–148. IEEE Computer Society, New York (2009)Google Scholar
  15. 15.
    Cordeiro, L., Fischer, B., Marques-Silva, J.: SMT-based bounded model checking for embedded ANSI-C software. ASE 0, 137–148 (2009). http://doi.ieeecomputersociety.org/10.1109/ASE.2009.63
  16. 16.
    Cousot, P., Cousot, R., Feret, J., Miné, A., Mauborgne, L., Monniaux, D., Rival, X.: Varieties of static analyzers: a comparison with ASTRÉE. In: First Joint IEEE/IFIP Symposium on Theoretical Aspects of Software Engineering (TASE’07), pp. 3–20. IEEE Computer Society, New York (2007)Google Scholar
  17. 17.
    Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., Zadeck, F.K.: Efficiently computing static single assignment form and the control dependence graph. ACM Trans. Program. Lang. Syst. 13(4), 451–490 (1991)CrossRefGoogle Scholar
  18. 18.
    Delmas, D., Goubault, E., Putot, S., Souyris, J., Tekkal, K., Védrine, F.: Towards an industrial use of fluctuat on safety-critical avionics software. In: 14th International Workshop on Formal Methods for Industrial Critical Systems (FMICS’09), Lecture Notes in Computer Science, vol. 5825, pp. 53–69. Springer, Berlin (2009)Google Scholar
  19. 19.
    de Moura, L.M., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) Proceedings of the 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’08), LNCS, vol. 4963, pp. 337–340. Springer, Berlin (2008)Google Scholar
  20. 20.
    Denmat, T., Gotlieb, A., Ducassé, M.: Improving constraint-based testing with dynamic linear relaxations. In: Proceedings of ISSRE, The 18th IEEE International Symposium on Software, pp. 181–190. IEEE Computer Society, New York (2006)Google Scholar
  21. 21.
    D’Silva, V., Kroening, D., Weissenbacher, G.: A survey of automated techniques for formal software verification. IEEE Trans. CAD Integr. Circuits Syst. 27(7), 1165–1178 (2008) Google Scholar
  22. 22.
    Ganai, M.K., Gupta, A.: Accelerating high-level bounded model checking. In: International Conference on Computer-Aided Design (ICCAD’06), pp. 794–801 (2006)Google Scholar
  23. 23.
    Gotlieb, A.: Euclide: a constraint-based testing framework for critical C programs. In: ICST 2009, Second International Conference on Software Testing Verification and Validation, 1–4 April 2009, Denver, Colorado, USA, pp. 151–160. IEEE Computer Society, New York (2009)Google Scholar
  24. 24.
    Gotlieb, A.: TCAS software verification using constraint programming (Accepted for publication), The Knowledge Engineering Review (2010)Google Scholar
  25. 25.
    Gotlieb, A., Botella, B., Rueher, M.: Automatic test data generation using constraint solving techniques. In: ISSTA, International Symposium on Software Testing and Analysis, pp. 53–62 (1998)Google Scholar
  26. 26.
    Jackson, D., Vazir, M.: Finding bugs with a constraint solver. In: ISSTA, International Symposium on Software Testing and Analysis, pp. 14–25. ACM Press, New York (2000)Google Scholar
  27. 27.
    Marre, B., Arnould, A.: Test sequences generation from lustre descriptions: Gatel. ASE press, New York (2000)Google Scholar
  28. 28.
    Michel, L., Hentenryck, P.V.: The comet programming language and system. In: van Beek, P. (ed.) Proceedings of the 11th International Conference on Principles and Practice of Constraint Programming (CP’05), LNCS, vol. 3709, pp. 881–881. Springer, Berlin (2005)Google Scholar
  29. 29.
    Nguyen, L.V., Collavizza, H., Rueher, M., Devulder, S., Gueguen, T.: Stratégies dynamiques pour la génération de contre-exemples. In: Actes des Sixièmes Journées Francophones de Programmation par Contraintes (JFPC’2010), pp. 207–216 (2010)Google Scholar
  30. 30.
    Régin, J.C.: A filtering algorithm for constraints of difference in csps. In: AAAI, pp. 362–367 (1994)Google Scholar
  31. 31.
    Rossi, F., van Beek, P., Walsh, T. (eds.): Handbook of Constraint Programming. Elsevier, Amsterdam (2006)Google Scholar
  32. 32.
    Sy, N.T., Deville, Y.: Automatic test data generation for programs with integer and float variables. In: ASE (16th IEEE International Conference on Automated Software Engineering), pp. 13–21. IEEE Computer Society, New York (2001)Google Scholar

Copyright information

© Springer-Verlag 2012

Authors and Affiliations

  • Hélène Collavizza
    • 1
  • Nguyen Le Vinh
    • 1
  • Olivier Ponsini
    • 1
  • Michel Rueher
    • 1
  • Antoine Rollet
    • 2
  1. 1.University of Nice, I3S-CNRSSophia Antipolis CedexFrance
  2. 2.University of Bordeaux, LABRI–CNRSTalence cedexFrance

Personalised recommendations