LocFaults: A new flow-driven and constraint-based error localization approach

International audienceWe introduce in this paper LocFaults, a new flow-driven and constraint-based approach for error localization. The input is a faulty program for which a counter-example and a postcondition are provided. To identify helpful informa-tion for error location, we generate a constraint system for the paths of the control flow graph for which at most k con-ditional statements may be erroneous. Then, we calculate Minimal Correction Sets (MCS) of bounded size for each of these paths. The removal of one of these sets of constraints yields a maximal satisfiable subset, in other words, a max-imal subset of constraints satisfying the post condition. To compute the MCS, we extend the algorithm proposed by Liffiton and Sakallah [21] in order to handle programs with numerical statements more efficiently. The main advantage of this flow-driven approach is that the computed sets of suspicious instructions are small, each of them being asso-ciated with an identified path. Moreover, the constraint-programming based framework of LocFaults allows mix-ing Boolean and numerical constraints in an efficient and straightforward way. Preliminary experiments are quite en-couraging. * This work was partially supported by ANR VAC-SIM (ANR-11-INSE-0004), ANR AEOLUS (ANR-10-SEGI-0013), and OSEO ISI PAJERO projects

Efficient Constraint-Based Dynamic Strategies For Generating Counterexamples

Rapport de RechercheChecking safety properties is mandatory in the validation process of critical software. When formal verification tools fail to prove some properties, testing is necessary. Generation of counterexamples violating some properties is therefore an important issue, especially for tricky programs the test cases of which are very difficult to compute. We propose in this paper different constraint based dynamic strategies for generating structural test cases that violate a postcondition of C or JAVA programs. These strategies have been evaluated on standard benchmarks and on real applications. Experiments on a real industrial Flasher Manager controller and on the public available implementation of the Traffic Collision Avoidance System (TCAS) show that our system outperforms state of the art model checking tools and constraint based test generation systems

Contribution à la vérication formelle et programmation par contraintes

This habilitation thesis presents my contributions to the formal verification of processors and programs, and to constraint programming. Formal verification of hardware and software is crucial for the safety of critical systems, is an important economic issue and remains a challenge for research. The formal methods we explored for the verification of processors and programs are entirely automatic and based on decision procedures. For the formal verification of programs, the resolution of constraints on finite domains provides a decision procedure on bounded integers (i.e. machine-codable). The combinatorial explosion is delayed by the combination of specific solvers (Boolean, linear, finite domains). This has made possible to obtain experimental results outperforming in some cases state of the art bounded model checkers based on SAT solvers. In a second step, the formal verification of programs is also approached under the angle of the joint development of a complete proof and an exploration by model checking. Both complete proof and model checking are based on the formal semantics of the language defined in the proof assistant HOL4. Lastly, this habilitation thesis presents my contributions on numerical constraints (i.e where variables are real numbers). These constraints have many practical applications, for example in mechanics or avionics. Furthermore, their resolution mechanisms can be a basis for the formal verification of programs with floating point numbers.Ce mémoire d'Habilitation à Diriger des Recherches présente mes contributions à la vérification formelle des processeurs et des programmes, ainsi qu'à la programmation par contraintes. La vérification formelle, tant de matériel que de logiciel, est cruciale pour la sécurité des systèmes critiques, est un enjeu économique important et reste un défi pour la recherche. Les méthodes de vérification formelle retenues, aussi bien pour la vérification des processeurs que des programmes sont des méthodes entièrement automatiques qui reposent sur l'utilisation de procédures de décision. Pour la vérification de programmes, la résolution de contraintes sur domaines finis fournit une procédure de décision sur les entiers bornés (codables en machine). L'explosion combinatoire est retardée par la combinaison de solveurs spécifiques (booléen, linéaires, domaines finis), ce qui a permis d'obtenir des résultats expérimentaux qui surpassent dans certains cas les outils de "bounded model checking" basés sur l'utilisation de solveurs SAT. Dans un second temps, la vérification formelle des programmes est également abordée sous l'angle du développement conjoint d'une vérification complète et d'une exploration par model checking, basés sur la sémantique formelle du langage définie dans l'assistant de preuves HOL4. Enfin, ce mémoire présente mes contributions sur les contraintes en domaines continus (i.e. où les variables sont des nombres réels). Ces contraintes ont de nombreuses applications pratiques, par exemple en mécanique ou avionique, et leurs mécanismes de résolution peuvent servir de base à la vérification de programmes en présence de nombres flottants

Exploring different constraint-based modelings for program verification

Abstract. Recently, constraint-programming techniques have been used to generate test data and to verify the conformity of a program with its specification. Constraint generated for these tasks may involve integer ranging on all machine-integers, thus, the constraint-based modeling of the program and its specification is a critical issue. In this paper we investigate different models. We show that a straightforward translation of a program and its specification in a system of guarded constraints is ineffective. We outline the key role of Boolean abstractions and explore different search strategies on standard benchmarks.

Comparing Partial Consistencies

. Global search algorithms have been widely used in the constraint programming framework to solve constraint systems over continuous domains. This paper precisely states the relations among the different partial consistencies which are main emphasis of these algorithms. The capability of these partial consistencies to handle the so-called dependency problem is analysed and some efficiency aspects of the filtering algorithms are mentioned. Keywords: Constraint systems, interval narrowing, partial consistencies 1. Introduction Global search algorithms that are based upon partial consistency filtering techniques have proven their efficiency to solve non-trivial constraint systems over the reals. For instance, systems like Newton and Numerica [2, 28] behave better than interval methods on classical benchmarks of numerical analysis and interval analysis (e.g., Mor'e-Cosnard non-linear integral equation, Broyden banded functions). Moreover, it has been shown recently [9] that combining alg..

Un algorithme incrémental dirigé par les flots et basé sur les contraintes pour l'aide à la localisation d'erreurs

National audienceDans cet exposé, nous présentons notre algorithme amélioré de localisation d'erreurs a partir de contre-exemples, LocFaults, basé sur la programmation par contraintes et dirigé par les flots. Cet algorithme analyse les chemins du CFG (Control Flow Graph) du programme erroné pour calculer les sous-ensembles d'instructions suspectes permettant de corriger le programme. En effet, nous générons un système de contraintes pour les chemins du graphe de flot de contrôle pour lesquels au plus k instructions conditionnelles peuvent être erronées. Ensuite, nous calculons les MCS (Minimal Correction Set) de taille limitée sur chacun de ces chemins. La suppression de l'un de ces ensembles de contraintes donne un sous-ensemble satisfiable maximal, en d'autres termes, un sous-ensemble maximal de contraintes satis-faisant la postcondition. Pour calculer les MCS, nous étendons l'algorithme générique proposé par Liffiton et Sakallah dans le but de traiter des programmes avec des instructions numériques plus efficace-ment. Nous nous intéressons a présenter l'aspect incrémental de ce nouvel algorithme qui n'est pas encore présenté aux JFPC