ponsini automatic slides
DESCRIPTION
TRANSCRIPT
AUTOMATIC
VERIFICATION OF
LOOP INVARIANTSOlivier Ponsini, Hélène Collavizza, Carine Fédèle,
Claude Michel, Michel RueherICSM 2010
2/8
Outline
Loop invariants are useful
Automatic generation may produce spurious loop
invariants
We contribute a constraint-based approach for
effectively filtering out spurious invariants
3/8
Why loop invariants?
Program testing and verification
Program maintenance
• Program understanding and documentation
• Error finding and correction
• Optimization and refactoring
Program design and implementation
4/8
How to obtain loop invariants?
Correct
Time demanding
Weak invariants
Automatic generation of correct invariants
Fast
Strong invariants
Spurious
Automatic generation of candidate invariants
Interproc
InvGen
Daikon
Gin-Pink
Candidate invariants
Invariant checking
Fast
Strong
Correct
5/8
Verification of loop invariants
/*@ requires Pre
@ ensures Post
@*/
... method(...) {
Init
while (Cond) {
Body
}
Final
}
Base case:
Pre enc(Init) I
Inductive case:
I Cond enc(Body) I
{I Cond} Body {I}
{I} while (Cond) Body {I Cond}Hoare rule:
6/8
CP
CPLEX
CPBPV
CPBPV
Constraint-based program verification
JML (Java Modeling Language) pre and post conditions
On-the-fly execution path exploration
Refutation proof with
counter-example
Bounded approach
Integer domain size
Array size
method1
method2
method3
JML annotated methods
False assertions
+ test cases
True
assertions
7/8
Experimentations
5 classical programs from verification domain
180 candidate invariants from different sources
Heuristics (125)
Daikon (48)
InvGen (3)
Textbooks (7)
8, 16, and 32-bit integers
< 1 s
< 1 s
< 1min
< 1min
Time out
Time out
0
20
40
60
80
100
120
140
160
Valid Spurious
# checked invariants (32 bits)
8/8
Conclusion and perspectives
An effective checker for candidate loop invariants
Refuting spurious invariants is fast
No false positive
Test cases are produced as counter-examples
Perspectives
Extend to programs with multiple and nested loops
Integrate CPBPV