verification conditions for single-assignment programs


DESCRIPTION

Presentation at SAC 2012 - Software Verification and Testing Track

TRANSCRIPT

Page 1: Verification Conditions for Single-Assignment Programs

Verification Conditions for Single-assignment Programs

Daniela da Cruz, Maria João Frade, and Jorge Sousa Pinto

Departamento de Informática
Universidade do Minho

SAC-SVT 2012

March 30, 2012

Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs

Page 2: Verification Conditions for Single-Assignment Programs

Context

The generation of verification conditions (VCs) from imperative code is a well-known problem, with standard solutions. But surprisingly, some aspects of each major approach are still not very clear: weakest precondition and bounded model checking.


Page 3: Verification Conditions for Single-Assignment Programs

Motivation

Our goal is to:

Use single-assignment (SA) as a vehicle for program verification;

Show how the calculation of efficient WPs can be seen as generating verification conditions from path formulas in the CFG of the program;

Give an account of BMC as an efficient method for VC generation;

Compare VC generation by symbolic execution, weakest precondition and bounded model checking.


Page 4: Verification Conditions for Single-Assignment Programs

Outline

1 Setting

2 Encoding Programs as Formulas using SA

3 VCs with Symbolic Execution

4 VCs with Weakest Preconditions

5 VCs with Bounded Model Checking

6 Conclusions


Page 5: Verification Conditions for Single-Assignment Programs

Setting (1)

C ::= skip | x := e | if b then S else S | assert ψ

S ::= C | C ; S

A program is correct if for every execution, whenever a command assert ψ is met, the assertion ψ is satisfied by the current state.

The command assert ψ fails when it is executed in a state that does not satisfy ψ.


Page 6: Verification Conditions for Single-Assignment Programs

Setting (2)

Definition (Verification Conditions)

A set F of assertions is a set of verification conditions for a command block S whenever |= F implies that S is correct.

Remarks:

It is indifferent to use one or another set of VCs to establish the correctness of a program, but this does not mean that the effort involved in automatically proving them is the same.

We write VCs in a normalized form, as implicative formulas γ → ψ.


Page 7: Verification Conditions for Single-Assignment Programs

Setting (3)

Criteria comparison:

1 The size of generated VCs, in terms of the size of the input program.

2 How closely the VCs are related to execution paths.


Page 8: Verification Conditions for Single-Assignment Programs

Setting (4)

VC methods differ with respect to the structure of the formulas, but also the usage of assert commands:

1 “Lemma” usage: in addition, each assert provides information that is added to the context (hypotheses) available to prove subsequent asserts.

2 “Proof-goal” usage: asserts simply provide proof goals (but of course methods are static and exhaustive);



Page 10: Verification Conditions for Single-Assignment Programs

Encoding Programs as Formulas using SA (1)

The key to verification condition generation is the encoding of the behavior of programs as logical formulas.

Consider the assignment x := x + 10. Writing it directly as a formula leads to x = x + 10, which is a contradiction: there is no state of the program that satisfies it.

The logical value of an equality (or boolean expression) changes with the execution of a subsequent command.


Page 11: Verification Conditions for Single-Assignment Programs

Encoding Programs as Formulas using SA (2)

For programs without loops, one way to solve this problem is by first converting them into a single-assignment form in which multiple indexed versions of each variable are used: a new version is introduced with each assignment made to the original variable.

The program

x := x + y ; y := 10; x := x − 10

would have the SA form:

x1 := x0 + y0; y1 := 10; x2 := x1 − 10


Page 12: Verification Conditions for Single-Assignment Programs

Encoding Programs as Formulas using SA (3)

Single-assignment programs have the following fundamental property: once a variable has been used (either assigned or read as part of a program expression), it will surely not be assigned again.

Crucially, if an assert command fails in the original program, it will fail in the single-assignment form.

It is thus sound to check correctness of a program by checking a single-assignment form of it.
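The conversion sketched on these slides, written out as an added example (this is not code from the slides or from the authors). It assumes a small tuple-based AST for the loop-free language and single-letter variable names; the ABS program fed to it is reconstructed from the SA form shown later in the deck. The part the slides leave implicit is what happens at the join point of a conditional: when the two branches leave a variable at different versions, a fresh version is introduced and both branches assign it, which is where the copies such as x2 := x1 / x2 := x0 come from.

```python
import re
from typing import Dict, List, Tuple

# Tuple AST for the loop-free language of the slides (a representation chosen
# for this example, not the authors' own):
#   ("skip",) | ("assign", x, e) | ("if", b, then_block, else_block) | ("assert", psi)
# A block is a list of commands; expressions are strings over single-letter
# variable names, so renaming a variable is a regex substitution.
Cmd = Tuple
Block = List[Cmd]

IDENT = re.compile(r"\b([a-z])\b")  # an original (unversioned) variable name


def rename(expr: str, version: Dict[str, int]) -> str:
    """Replace every variable x in expr by its current SA version x<i>."""
    return IDENT.sub(lambda m: f"{m.group(1)}{version[m.group(1)]}", expr)


def variables(block: Block) -> List[str]:
    """All variable names mentioned anywhere in the block."""
    found = set()
    for cmd in block:
        if cmd[0] == "assign":
            found.add(cmd[1])
            found |= set(IDENT.findall(cmd[2]))
        elif cmd[0] == "assert":
            found |= set(IDENT.findall(cmd[1]))
        elif cmd[0] == "if":
            found |= set(IDENT.findall(cmd[1]))
            found |= set(variables(cmd[2])) | set(variables(cmd[3]))
    return sorted(found)


def to_sa(block: Block, version: Dict[str, int], counter: Dict[str, int]) -> Block:
    """Convert block to single-assignment form.

    `version` maps each variable to the index currently in scope and is updated
    in place; `counter` holds the highest index handed out so far, so an index
    is never reused even across branches.  At the join point of a conditional,
    every variable whose version differs between the two branches receives a
    fresh version that both branches assign (the x2 := x1 / x2 := x0 and
    y3 := y0 / y3 := y2 copies in the slides' ABS example).
    """
    out: Block = []
    for cmd in block:
        kind = cmd[0]
        if kind == "skip":
            out.append(cmd)
        elif kind == "assert":
            out.append(("assert", rename(cmd[1], version)))
        elif kind == "assign":
            x, e = cmd[1], cmd[2]
            e_sa = rename(e, version)   # read the versions in scope *before* the assignment
            counter[x] += 1
            version[x] = counter[x]
            out.append(("assign", f"{x}{version[x]}", e_sa))
        elif kind == "if":
            b_sa = rename(cmd[1], version)
            v_then, v_else = dict(version), dict(version)
            then_sa = to_sa(cmd[2], v_then, counter)
            else_sa = to_sa(cmd[3], v_else, counter)
            for x in sorted(version):   # reconcile the two branches
                if v_then[x] != v_else[x]:
                    counter[x] += 1
                    version[x] = counter[x]
                    then_sa.append(("assign", f"{x}{counter[x]}", f"{x}{v_then[x]}"))
                    else_sa.append(("assign", f"{x}{counter[x]}", f"{x}{v_else[x]}"))
            out.append(("if", b_sa, then_sa, else_sa))
    return out


def sa_program(block: Block) -> Block:
    """SA form of a whole program; every variable starts at version 0."""
    names = variables(block)
    return to_sa(block, {x: 0 for x in names}, {x: 0 for x in names})


def pretty(block: Block, indent: int = 0) -> str:
    """Render a block in the slides' notation, one command per line."""
    pad = "  " * indent
    lines = []
    for cmd in block:
        if cmd[0] == "skip":
            lines.append(pad + "skip")
        elif cmd[0] == "assign":
            lines.append(f"{pad}{cmd[1]} := {cmd[2]}")
        elif cmd[0] == "assert":
            lines.append(f"{pad}assert {cmd[1]}")
        else:
            lines += [f"{pad}if {cmd[1]} then", pretty(cmd[2], indent + 1),
                      f"{pad}else", pretty(cmd[3], indent + 1)]
    return "\n".join(lines)


# The ABS program, reconstructed from the SA form on the slides (constructed input).
ABS: Block = [
    ("if", "x < 0", [("assign", "x", "-x")],
                    [("if", "y < 0", [("assign", "y", "-y")], [("skip",)])]),
    ("if", "c > 0", [("assign", "c", "c - 1")], [("skip",)]),
    ("assert", "x >= 0"),
]

if __name__ == "__main__":
    print(pretty(sa_program([("assign", "x", "x + y"), ("assign", "y", "10"),
                             ("assign", "x", "x - 10")])))
    print(pretty(sa_program(ABS)))
```

Running it prints the three-assignment example from the slide exactly as shown (x1 := x0 + y0; y1 := 10; x2 := x1 − 10) and an SA form of ABS whose join copies match the formulas used in the later example slides; the only cosmetic difference is that an original `skip` is kept next to the copy assignment instead of being dropped.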


Page 13: Verification Conditions for Single-Assignment Programs

Example DSA



Page 15: Verification Conditions for Single-Assignment Programs

VCs with Symbolic Execution (1)

Given a single-assignment command block S, let P be the set of execution paths of its control-flow graph, from START to END, and Ψ(p) denote the set of assert formulas in a path p ∈ P. The set of symbolic execution verification conditions of S is defined as follows:

VCse(S) = { Fe(assert ψ, p) → ψ | for all occurrences of assert ψ in p, p ∈ P and ψ ∈ Ψ(p) }


Page 16: Verification Conditions for Single-Assignment Programs

VCs with Symbolic Execution (2)

Given an execution path p in the control-flow graph of a program, its path formula Fe(p) is the conjunctive formula obtained by traversing the path from START to END and combining:

for every assignment x := e, the formula x = e;

for every conditional if b then St else Sf, if the corresponding branching node is crossed towards the then branch (resp. else branch), the formula b (resp. ¬b);

for skip and assert φ commands, the formula true.

Fe(C, p) denotes the formula obtained by traversing the prefix of path p between START and C (exclusive of C).


Page 17: Verification Conditions for Single-Assignment Programs

VCs with Symbolic Execution (3)

Clearly the validity of all VCs implies that a particular command assert ψ will be executed (in any path containing it) only in states that satisfy ψ, thus VCse(S) indeed constitutes a set of verification conditions for the program.


Page 18: Verification Conditions for Single-Assignment Programs

VCs with Symbolic Execution (3)

Remarks:

There is potentially an exponential number of paths, thus an exponential number of VCs will be generated in the worst case.

VCse can be modified to avoid exponential explosion of the size of the generated formulas, but the assertions need to be added to crucial points of the programs (e.g. SPARK tool).

The one-to-one association between execution paths and VCs is advantageous for debugging.


Page 19: Verification Conditions for Single-Assignment Programs

VCs with Symbolic Execution - Example

1. x0 < 0 ∧ x1 = −x0 ∧ x2 = x1 ∧ y3 = y0 ∧ c0 > 0 ∧ c1 = c0 − 1 ∧ c2 = c1 → x2 ≥ 0

2. x0 < 0 ∧ x1 = −x0 ∧ x2 = x1 ∧ y3 = y0 ∧ ¬c0 > 0 ∧ c2 = c0 → x2 ≥ 0

3. ¬x0 < 0 ∧ y0 < 0 ∧ y1 = −y0 ∧ y2 = y1 ∧ x2 = x0 ∧ y3 = y2 ∧ c0 > 0 ∧ c1 = c0 − 1 ∧ c2 = c1 → x2 ≥ 0

4. ¬x0 < 0 ∧ y0 < 0 ∧ y1 = −y0 ∧ y2 = y1 ∧ x2 = x0 ∧ y3 = y2 ∧ ¬c0 > 0 ∧ c2 = c0 → x2 ≥ 0

5. ¬x0 < 0 ∧ ¬y0 < 0 ∧ y2 = y0 ∧ x2 = x0 ∧ y3 = y2 ∧ c0 > 0 ∧ c1 = c0 − 1 ∧ c2 = c1 → x2 ≥ 0

6. ¬x0 < 0 ∧ ¬y0 < 0 ∧ y2 = y0 ∧ x2 = x0 ∧ y3 = y2 ∧ ¬c0 > 0 ∧ c2 = c0 → x2 ≥ 0
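The VCse construction (path enumeration, Fe prefixes, one VC per assert per path) as an added example, not code from the slides or the authors. It uses a tuple-based AST chosen for this example, with the SA form of ABS transcribed by hand from the deck as constructed input; run on that program it regenerates the six VCs above in the same order, and `chain_of_ifs` makes the remark about an exponential number of paths concrete.

```python
from typing import List, Tuple

# Tuple AST used for this example (not the authors' notation):
#   ("skip",) | ("assign", x, e) | ("if", b, then_block, else_block) | ("assert", psi)
Block = List[Tuple]

# SA form of the ABS example from the slides, transcribed by hand (constructed input).
ABS_SA: Block = [
    ("if", "x0 < 0",
        [("assign", "x1", "-x0"), ("assign", "x2", "x1"), ("assign", "y3", "y0")],
        [("if", "y0 < 0",
             [("assign", "y1", "-y0"), ("assign", "y2", "y1")],
             [("assign", "y2", "y0")]),
         ("assign", "x2", "x0"), ("assign", "y3", "y2")]),
    ("if", "c0 > 0",
        [("assign", "c1", "c0 - 1"), ("assign", "c2", "c1")],
        [("assign", "c2", "c0")]),
    ("assert", "x2 >= 0"),
]

# A path is a list of ("fact", formula) items that contribute to Fe, plus ("assert", psi) items.
Path = List[Tuple[str, str]]


def paths(block: Block) -> List[Path]:
    """Every START-to-END path through block, then-branch paths before else-branch paths."""
    result: List[Path] = [[]]
    for cmd in block:
        kind = cmd[0]
        if kind == "skip":
            continue                                   # contributes only 'true' to Fe
        if kind == "assign":
            result = [p + [("fact", f"{cmd[1]} = {cmd[2]}")] for p in result]
        elif kind == "assert":
            result = [p + [("assert", cmd[1])] for p in result]
        elif kind == "if":
            b = cmd[1]
            branches = ([[("fact", b)] + q for q in paths(cmd[2])] +
                        [[("fact", f"¬({b})")] + q for q in paths(cmd[3])])
            result = [p + q for p in result for q in branches]
    return result


def vc_se(block: Block) -> List[str]:
    """VCse(S): one VC per occurrence of an assert on each path.

    The antecedent is Fe(assert psi, p): the conjunction of every fact met on
    the path strictly before that assert.
    """
    vcs = []
    for p in paths(block):
        prefix: List[str] = []
        for kind, f in p:
            if kind == "assert":
                vcs.append(f"{' ∧ '.join(prefix) if prefix else 'true'} → {f}")
            else:
                prefix.append(f)
    return vcs


def chain_of_ifs(n: int) -> Block:
    """n sequential conditionals (in SA form) followed by one assert: 2**n paths."""
    prog: Block = [("if", f"b{i}",
                    [("assign", f"x{i + 1}", f"x{i} + 1")],
                    [("assign", f"x{i + 1}", f"x{i}")]) for i in range(n)]
    return prog + [("assert", f"x{n} >= 0")]


if __name__ == "__main__":
    for i, vc in enumerate(vc_se(ABS_SA), 1):
        print(f"{i}. {vc}")
    for n in (1, 5, 10):
        print(n, "conditionals ->", len(vc_se(chain_of_ifs(n))), "VCs")
```

Each VC carries exactly one path, which is the debugging advantage the remarks mention: an invalid VC names the branch decisions that lead to the failing assert.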



Page 21: Verification Conditions for Single-Assignment Programs

VCs with Weakest Preconditions (1)

Given an assertion φ, the weakest precondition of a program with respect to φ is defined as follows:

wp(skip, φ) = φ

wp(x := e, φ) = φ[e/x]

wp(if b then St else Sf, φ) = (b → wp(St, φ)) ∧ (¬b → wp(Sf, φ))

wp(C ; S, φ) = wp(C, wp(S, φ))

wp(assert ψ, φ) = ψ ∧ φ

This notion of weakest precondition is conservative. The assertion wp(S, true) is a verification condition for the program block S, since it ensures that no assert fails.


Page 22: Verification Conditions for Single-Assignment Programs

VCs with Weakest Preconditions (2)

Remarks:

Produces a single VC, but its size is in the worst case exponential in the size of the program:

wp(Swc ; assert ψ, true)

where

Swc = if b1 then St1 else Sf1 ; . . . ; if bn then Stn else Sfn

This method has the advantage of not requiring conversion to single-assignment form.


Page 23: Verification Conditions for Single-Assignment Programs

VCs with Weakest Preconditions (3) - Example

wp(ABS, true)

= wp(C1 ; C2, x ≥ 0)

= wp(C1, (c > 0 → x ≥ 0) ∧ (¬c > 0 → x ≥ 0))

= (x < 0 → (c > 0 → −x ≥ 0) ∧ (¬c > 0 → −x ≥ 0))
  ∧ (¬x < 0 → wp(if y < 0 then y := −y else skip, (c > 0 → x ≥ 0) ∧ (¬c > 0 → x ≥ 0)))

= (x < 0 → (c > 0 → −x ≥ 0) ∧ (¬c > 0 → −x ≥ 0))
  ∧ (¬x < 0 → (y < 0 → (c > 0 → x ≥ 0) ∧ (¬c > 0 → x ≥ 0))
  ∧ (¬y < 0 → (c > 0 → x ≥ 0) ∧ (¬c > 0 → x ≥ 0)))

Normalizing, by applying distributivity, yields...


Page 24: Verification Conditions for Single-Assignment Programs

VCs with Weakest Preconditions (4) - Example

1. x < 0 → c > 0 → −x ≥ 0

2. x < 0 → ¬c > 0 → −x ≥ 0

3. ¬x < 0 → y < 0 → c > 0 → x ≥ 0

4. ¬x < 0 → y < 0 → ¬c > 0 → x ≥ 0

5. ¬x < 0 → ¬y < 0 → c > 0 → x ≥ 0

6. ¬x < 0 → ¬y < 0 → ¬c > 0 → x ≥ 0

In this normalized form it becomes obvious that the effort of discharging the proof obligations is basically the same as for path analysis by symbolic execution.


Page 25: Verification Conditions for Single-Assignment Programs

VCs with Efficient Weakest Preconditions (1)

An alternative notion to the conservative weakest precondition is that of weakest liberal precondition wlp(S, φ): the postcondition is only required to be satisfied if the program terminates correctly. For programs without iteration, the weakest liberal precondition is defined in the same way as the conservative weakest precondition, except for the assert command:

wlp(assert ψ, φ) = ψ → φ


Page 26: Verification Conditions for Single-Assignment Programs

VCs with Efficient Weakest Preconditions (2)

The relation between both notions is well-known:

Lemma

For any command block S and assertion φ,

wp(S , φ) ≡ wlp(S , φ) ∧ wp(S , true)

The relevance of this notion is that the weakest liberal precondition of a single-assignment program S with respect to φ can be computed from the linear-size formula F(S) of the program without requiring further traversals of S, so there are no opportunities for duplicating φ.


Page 27: Verification Conditions for Single-Assignment Programs

VCs with Efficient Weakest Preconditions (3)

F(skip) = true

F(x := e) = x = e

F(if b then St else Sf) = (b ∧ F(St)) ∨ (¬b ∧ F(Sf))

F(C ; S) = F(C) ∧ F(S)

F(assert ψ) = ψ

Let S be a single-assignment command block. Then for any assertion φ, wlp(S, φ) ≡ F(S) → φ.


Page 28: Verification Conditions for Single-Assignment Programs

VCs with Efficient Weakest Preconditions (4) - Example

wp(ABSSA, true)

= wp(C′1 ; C′2 ; assert x2 ≥ 0, true)

= F(C′1 ; C′2) → x2 ≥ 0

= ((x0 < 0 ∧ x1 = −x0 ∧ x2 = x1 ∧ y3 = y0) ∨ (¬x0 < 0 ∧ ((y0 < 0 ∧ y1 = −y0 ∧ y2 = y1) ∨ (¬y0 < 0 ∧ y2 = y0)) ∧ x2 = x0 ∧ y3 = y2))
  ∧ ((c0 > 0 ∧ c1 = c0 − 1 ∧ c2 = c1) ∨ (¬c0 > 0 ∧ c2 = c0)) → x2 ≥ 0

But what does the VC look like in general?
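The two computations side by side, as an added example that is not code from the slides or the authors: the conservative wp recursion from the earlier slide, and the linear encoding F(S) used in the example just above. It assumes a tuple-based AST chosen for this example and string substitution for φ[e/x]; `vc_wlp` covers the single-trailing-assert shape of the ABS example (wp(S ; assert ψ, true) = F(S) → ψ), and `chain_of_ifs` is a constructed family of Swc-style programs on which the wp formula more than doubles per conditional while the F-based VC grows by a constant.

```python
import re
from typing import List, Tuple

# Tuple AST used for this example (not the authors' notation):
#   ("skip",) | ("assign", x, e) | ("if", b, then_block, else_block) | ("assert", psi)
Block = List[Tuple]


def subst(phi: str, x: str, e: str) -> str:
    """phi[e/x]: replace every occurrence of variable x by (e)."""
    return re.sub(rf"\b{re.escape(x)}\b", f"({e})", phi)


def wp(block: Block, phi: str) -> str:
    """Conservative weakest precondition, following the slides' rules.

    The block is walked backwards because wp(C ; S, phi) = wp(C, wp(S, phi)).
    The conditional rule copies the already computed postcondition into both
    branches; that duplication is what makes the result exponential.
    """
    for cmd in reversed(block):
        kind = cmd[0]
        if kind == "assign":
            phi = subst(phi, cmd[1], cmd[2])
        elif kind == "assert":
            phi = f"({cmd[1]} ∧ {phi})"
        elif kind == "if":
            b = cmd[1]
            phi = f"(({b} → {wp(cmd[2], phi)}) ∧ (¬({b}) → {wp(cmd[3], phi)}))"
        # skip: wp(skip, phi) = phi
    return phi


def F(block: Block) -> str:
    """Linear-size encoding F(S) of a single-assignment block."""
    parts = []
    for cmd in block:
        kind = cmd[0]
        if kind == "skip":
            parts.append("true")
        elif kind == "assign":
            parts.append(f"{cmd[1]} = {cmd[2]}")
        elif kind == "assert":
            parts.append(cmd[1])
        elif kind == "if":
            parts.append(f"(({cmd[1]} ∧ {F(cmd[2])}) ∨ (¬({cmd[1]}) ∧ {F(cmd[3])}))")
    return " ∧ ".join(parts) if parts else "true"


def vc_wlp(block: Block) -> str:
    """For an SA block S followed by a single assert psi: wp(S ; assert psi, true) = F(S) → psi."""
    assert block[-1][0] == "assert", "expects a block ending in one assert"
    return f"{F(block[:-1])} → {block[-1][1]}"


def chain_of_ifs(n: int) -> Block:
    """n sequential conditionals (in SA form) followed by one assert (constructed family)."""
    prog: Block = [("if", f"b{i}",
                    [("assign", f"x{i + 1}", f"x{i} + 1")],
                    [("assign", f"x{i + 1}", f"x{i}")]) for i in range(n)]
    return prog + [("assert", f"x{n} >= 0")]


def sizes(n: int) -> Tuple[int, int]:
    """Lengths of the conservative wp VC and of the F-based VC for chain_of_ifs(n)."""
    prog = chain_of_ifs(n)
    return len(wp(prog, "true")), len(vc_wlp(prog))


if __name__ == "__main__":
    abs_prefix: Block = [("if", "x0 < 0", [("assign", "x1", "-x0")], [("skip",)])]
    print(wp(abs_prefix + [("assert", "x1 >= 0")], "true"))
    print(vc_wlp(abs_prefix + [("assert", "x1 >= 0")]))
    for n in range(1, 8):
        print(n, sizes(n))
```

`sizes` is the measurement behind the slide's remark on Swc: the first component roughly doubles with every conditional, the second increases by the same constant each time.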


Page 29: Verification Conditions for Single-Assignment Programs

VCs with Efficient Weakest Preconditions (5)

The set of efficient weakest precondition verification conditions of S is defined as follows:

VCwp(S) = { Fp(assert ψ, S) → ψ | for all assertions ψ and all occurrences of assert ψ in S }

The path formula Fp(C, S) of C in S describes the entire set of paths from START to a specific command, at a concrete point of the program.


Page 30: Verification Conditions for Single-Assignment Programs

VCs with Efficient Weakest Preconditions (6)

Remarks:

Unlike with symbolic execution, there is no direct association between a single invalid VC and an error path, which is the price to pay for efficiency.

We avoid exponential explosion: in general, the size of each VC is worst-case linear in the size n of the program, and there are k VCs, with k the number of assert commands, which is also linear in n in the worst case. So overall VCwp is of quadratic size in n.

“Lemma” usage of asserts: Fp includes assert information.



Page 32: Verification Conditions for Single-Assignment Programs

VCs with Bounded Model Checking (1)

From a program S we extract two sets of formulas, such that: P is a logical consequence of C (the entailment C |= ⋀P holds) if and only if no assert command fails in any execution of S. C describes logically the operational contents of the program, and P is extracted from the assert formulas that can be found in it.

This technique explicitly assumes that a satisfiability-based tool is used to find models corresponding to an execution of the program that violates at least one assert command:

C ∪ {¬⋀P}


Page 33: Verification Conditions for Single-Assignment Programs

VCs with Bounded Model Checking (2)

To see that this can be formulated in terms of verification conditions, it suffices to observe that for finite C the semantic entailment problem

C |= ⋀P

is equivalent to the validity problem

|= ⋀C → ⋀P


Page 34: Verification Conditions for Single-Assignment Programs

VCs with Bounded Model Checking (3)

For our programs without loops the method applies the following steps:

1 The program is converted into single-assignment form;

2 The resulting program is then converted into a sequence of commands of the form if b then Ca else skip, with Ca an atomic command.

3 Extract the model from the Conditional Normal Form. For every command if b then x := e else skip in the program, C includes the formula b → x = e; for every command if b then assert ψ else skip in the program, P includes the formula b → ψ.

4 Generate VC: ⋀C → ⋀P.


Page 35: Verification Conditions for Single-Assignment Programs

VCs with Bounded Model Checking (3) - Example

ABSCNF :

if x0 < 0 then x1 := −x0 else skip ;
if x0 < 0 then x2 := x1 else skip ;
if x0 < 0 then y3 := y0 else skip ;
if ¬(x0 < 0) ∧ y0 < 0 then y1 := −y0 else skip ;
if ¬(x0 < 0) ∧ y0 < 0 then y2 := y1 else skip ;
if ¬(x0 < 0) ∧ ¬(y0 < 0) then y2 := y0 else skip ;
if ¬(x0 < 0) then x2 := x0 else skip ;
if ¬(x0 < 0) then y3 := y2 else skip ;
if c0 > 0 then c1 := c0 − 1 else skip ;
if c0 > 0 then c2 := c1 else skip ;
if ¬(c0 > 0) then c2 := c0 else skip ;
if true then assert x2 ≥ 0 else skip


Page 36: Verification Conditions for Single-Assignment Programs

VCs with Bounded Model Checking (4) - Example

C :

1. x0 < 0 → x1 = −x0
2. x0 < 0 → x2 = x1
3. x0 < 0 → y3 = y0
4. ¬(x0 < 0) ∧ y0 < 0 → y1 = −y0
5. ¬(x0 < 0) ∧ y0 < 0 → y2 = y1
6. ¬(x0 < 0) ∧ ¬(y0 < 0) → y2 = y0
7. ¬(x0 < 0) → x2 = x0
8. ¬(x0 < 0) → y3 = y2
9. c0 > 0 → c1 = c0 − 1
10. c0 > 0 → c2 = c1
11. ¬(c0 > 0) → c2 = c0

P :

1. true → x2 ≥ 0
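Steps 2 to 4 of the BMC method (conditional normal form, extraction of C and P, the VC ⋀C → ⋀P) as an added example, not code from the slides or the authors. It uses a tuple-based AST chosen for this example, with the SA form of ABS transcribed by hand as constructed input, and regenerates the eleven C formulas and the single P formula listed above. `counterexample` is a toy stand-in for the satisfiability query C ∪ {¬⋀P}: instead of a SAT/SMT solver it enumerates assignments over a small value domain, which is a simplification made here; on ABS it finds no model, and on a constructed faulty variant whose assert is x2 > 0 it returns the violating assignment.

```python
import re
from itertools import product
from typing import Dict, List, Optional, Tuple

# Tuple AST used for this example (not the authors' notation):
#   ("skip",) | ("assign", x, e) | ("if", b, then_block, else_block) | ("assert", psi)
Block = List[Tuple]
Guarded = Tuple[str, Tuple]   # (b, Ca) stands for the command: if b then Ca else skip

# SA form of the ABS example from the slides, transcribed by hand (constructed input).
ABS_SA: Block = [
    ("if", "x0 < 0",
        [("assign", "x1", "-x0"), ("assign", "x2", "x1"), ("assign", "y3", "y0")],
        [("if", "y0 < 0",
             [("assign", "y1", "-y0"), ("assign", "y2", "y1")],
             [("assign", "y2", "y0")]),
         ("assign", "x2", "x0"), ("assign", "y3", "y2")]),
    ("if", "c0 > 0",
        [("assign", "c1", "c0 - 1"), ("assign", "c2", "c1")],
        [("assign", "c2", "c0")]),
    ("assert", "x2 >= 0"),
]


def to_cnf(block: Block, guard: str = "true") -> List[Guarded]:
    """Conditional normal form: flatten nested conditionals into guarded atomic commands.

    The guard of a command is the conjunction of the branch conditions on the way to it.
    """
    out: List[Guarded] = []
    for cmd in block:
        kind = cmd[0]
        if kind == "skip":
            continue
        if kind in ("assign", "assert"):
            out.append((guard, cmd))
        elif kind == "if":
            b, not_b = cmd[1], f"¬({cmd[1]})"
            g_then = b if guard == "true" else f"{guard} ∧ {b}"
            g_else = not_b if guard == "true" else f"{guard} ∧ {not_b}"
            out += to_cnf(cmd[2], g_then) + to_cnf(cmd[3], g_else)
    return out


def extract(cnf: List[Guarded]) -> Tuple[List[str], List[str]]:
    """C: guarded equalities from the assignments; P: guarded assert formulas."""
    C = [f"{g} → {c[1]} = {c[2]}" for g, c in cnf if c[0] == "assign"]
    P = [f"{g} → {c[1]}" for g, c in cnf if c[0] == "assert"]
    return C, P


def vc_bmc(block: Block) -> str:
    """The single BMC verification condition ⋀C → ⋀P."""
    C, P = extract(to_cnf(block))
    return f"({' ∧ '.join(C)}) → ({' ∧ '.join(P)})"


def _py(formula: str) -> str:
    """Render a guard or assert formula in Python syntax so it can be evaluated."""
    return formula.replace("¬", "not ").replace("∧", "and").replace("true", "True")


def counterexample(block: Block, domain=(-1, 0, 1)) -> Optional[Dict[str, int]]:
    """Search for a model of C ∪ {¬⋀P} by brute force over `domain` (toy solver).

    Returns the first violating assignment found, or None if there is none
    within the domain.
    """
    cnf = to_cnf(block)
    text = " ".join(g + " " + " ".join(c[1:]) for g, c in cnf)
    names = sorted(set(re.findall(r"\b[a-z]\d+\b", text)))
    c_clauses = [f"(not ({_py(g)}) or ({c[1]} == ({c[2]})))" for g, c in cnf if c[0] == "assign"]
    p_clauses = [f"(not ({_py(g)}) or ({_py(c[1])}))" for g, c in cnf if c[0] == "assert"]
    query = compile(f"({' and '.join(c_clauses)}) and not ({' and '.join(p_clauses)})",
                    "<bmc>", "eval")
    for values in product(domain, repeat=len(names)):
        env = dict(zip(names, values))
        if eval(query, {"__builtins__": {}}, env):
            return env
    return None


if __name__ == "__main__":
    C, P = extract(to_cnf(ABS_SA))
    print("C:", *C, sep="\n  ")
    print("P:", *P, sep="\n  ")
    print(vc_bmc(ABS_SA))
    print(counterexample(ABS_SA))                     # None: ABS is correct
    buggy = ABS_SA[:-1] + [("assert", "x2 > 0")]      # constructed faulty variant
    print(counterexample(buggy))                      # a model with x0 = x2 = 0
```

The returned model for the faulty variant reads directly as an execution: x0 = 0 takes the else branch, x2 = x0 = 0, and the assert x2 > 0 fails, which is exactly the "execution that violates at least one assert" the satisfiability formulation looks for.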


Page 37: Verification Conditions for Single-Assignment Programs

VCs with Bounded Model Checking (4)

⋀C can then be written as Fbmc(S̄), where:

S̄ denotes the program that results from replacing every command assert ψ in S by skip.

Fbmc(S̄) is a variant of F(S).

P, on the other hand, can be written as follows:

{ Fb(assert ψ, S) → ψ | for all assertions ψ and all occurrences of assert ψ in S }

Fb(C, S) captures only the branching information that enables the execution of the command C.


Page 38: Verification Conditions for Single-Assignment Programs

VCs with Bounded Model Checking (5)

The verification condition ⋀C → ⋀P can now be split using basic equivalences to obtain a set of normalized VCs:

Given a single-assignment command block S, the set of bounded model checking verification conditions of S is defined as follows:

VCbmc(S) = { (Fbmc(S̄) ∧ Fb(assert ψ, S)) → ψ | for all assertions ψ and all occurrences of assert ψ in S }



Page 40: Verification Conditions for Single-Assignment Programs

Conclusions

In BMC, the formulas occurring as antecedents of VCs do not include assert formulas, whereas in the efficient WP method they do, which allows them to be used as lemmas.

The size of VCs is in both cases linear for programs with a single postcondition assert command; for programs with an arbitrary number of such commands both have a quadratic bound.

Symbolic execution generates VCs of exponential size in the worst case, but offers a one-to-one association between VCs and execution paths, valuable for error-tracing.


Page 41: Verification Conditions for Single-Assignment Programs

Conclusions

None of the methods can be said to always generate smaller VCs than the other.

Since it is difficult to judge the performance of automatic provers (and the effect of operations like splitting, which increase the size of formulas but do not necessarily make proofs harder), an empirical comparison seems to be required.

Build a VCGen based on the BMC technique for Boogie programs.

Include iteration.
