Constraints, Volume 15, Issue 2, pp 238–264

CPBPV: a constraint-programming framework for bounded program verification

  • Hélène Collavizza
  • Michel Rueher
  • Pascal Van Hentenryck

Abstract

This paper studies how to verify that a program conforms to its specification and proposes a novel constraint-programming framework for bounded program verification (CPBPV). The CPBPV framework uses constraint stores to represent both the specification and the program, and explores execution paths of bounded length nondeterministically. It detects non-conformities and provides counterexamples whenever a path of bounded length exists that refutes some property. The input program is partially correct under the boundedness restrictions if every constraint store so produced implies the post-condition. CPBPV does not explore spurious execution paths: it prunes execution paths early and incrementally by detecting that the constraint store has become inconsistent. CPBPV uses the rich language of constraint programming to express the constraint store. Finally, CPBPV is parameterized by a list of solvers that are tried in sequence, starting with the least expensive and least general. Experimental results often show improvements of orders of magnitude over earlier approaches, with running times that are often independent of the size of the variable domains. Moreover, CPBPV was able to detect subtle errors in some programs on which other frameworks based on bounded model checking have failed.
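As an added illustration (not code from the paper or its authors), the following toy Python verifier mirrors the approach the abstract describes: it explores bounded execution paths nondeterministically, prunes a path as soon as its constraint store becomes inconsistent, and reports a counterexample when a path's store does not imply the post-condition. The solver is a stand-in that enumerates a small hypothetical integer domain, and the summation program with its buggy variant is constructed for the example.

```python
from itertools import product
# Toy bounded verifier in the spirit of CPBPV (added example, not the authors' code).  The
# symbolic state maps an input assignment to every variable's current value; the constraint
# store is a list of predicates over the inputs.  The stand-in "solver" enumerates a small
# bounded domain, whereas the paper's CP solvers do not pay a cost proportional to its size.
DOMAIN = range(-4, 5)   # bounded domain of every input variable (constructed)
LOOP_BOUND = 3          # maximum loop unrollings along one execution path

def consistent(store, inputs):
    """Return a satisfying input assignment, or None if the store is inconsistent."""
    for vals in product(DOMAIN, repeat=len(inputs)):
        env = dict(zip(inputs, vals))
        if all(c(env) for c in store):
            return env
    return None

def explore(stmts, state, store, inputs, fuel=LOOP_BOUND):
    """Yield (final_state, store) for every feasible execution path of bounded length."""
    if not stmts:
        yield state, store
        return
    head, rest = stmts[0], stmts[1:]
    if head[0] == "assign":                  # ("assign", var, fn of current values)
        new = lambda env, v=head[1], fn=head[2], s=state: {**s(env), v: fn(s(env))}
        yield from explore(rest, new, store, inputs, fuel)
        return
    _, cond, body = head                     # ("while", cond, body): branch nondeterministically
    for taken in (True, False):
        guard = lambda env, c=cond, s=state, t=taken: c(s(env)) == t
        if consistent(store + [guard], inputs) is None or (taken and fuel == 0):
            continue                         # prune: infeasible branch, or unrolling bound hit
        nxt = body + [head] + rest if taken else rest
        yield from explore(nxt, state, store + [guard], inputs, fuel - taken)

def verify(program, inputs, pre, post):      # None if every path's store implies post, else a counterexample
    for final, store in explore(program, lambda env: dict(env), [pre], inputs):
        refute = lambda env, s=final: not post(env, s(env))
        cex = consistent(store + [refute], inputs)   # is store /\ not post satisfiable?
        if cex is not None:
            return cex
    return None

# Constructed sample: r = 1 + 2 + ... + n; the buggy variant does r += i before i += 1.
def check(buggy):      # -> None for the correct program, a counterexample for the buggy one
    body = [("assign", "i", lambda s: s["i"] + 1), ("assign", "r", lambda s: s["r"] + s["i"])]
    prog = [("assign", "i", lambda s: 0), ("assign", "r", lambda s: 0),
            ("while", lambda s: s["i"] < s["n"], body[::-1] if buggy else body)]
    pre = lambda env: 0 <= env["n"] <= LOOP_BOUND
    post = lambda env, s: s["r"] == env["n"] * (env["n"] + 1) // 2
    return verify(prog, ["n"], pre, post)
```

The fourth loop unrolling is never explored because its guard `i < n` together with the pre-condition `n <= 3` is inconsistent, which is the early pruning the abstract describes.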

Keywords

Bounded program verification, Constraint-based symbolic execution, Detection of nonconformities, Test case generation


Copyright information

© Springer Science+Business Media, LLC 2009

Authors and Affiliations

  • Hélène Collavizza (1)
  • Michel Rueher (1)
  • Pascal Van Hentenryck (2)

  1. I3S/CNRS, University of Nice–Sophia Antipolis, Sophia Antipolis Cedex, France
  2. Brown University, Providence, USA