Verification Conditions for Single-Assignment Programs

Veriﬁcation Conditions for Single-assignment
Programs

Daniela da Cruz, Maria João Frade, and Jorge Sousa Pinto

Departamento de Informática
Universidade do Minho

SAC-SVT 2012

March 30, 2012

Cruz, Frade & Pinto Veriﬁcation Conditions for Single-assignment Programs

Context

The generation of veriﬁcation conditions (VCs) from imperative
code is a well-known problem, with standard solutions.
But surprisingly some aspects of each major approach are still not
very clear: weakest precondition and bounded model checking.


Motivation

Our goal is to:
Use single-assignment (SA) as a vehicle for program
verification;
Show how the calculation of efficient WPs can be seen as
generating verification conditions from path formulas in the
CFG of the program;
Give an account of BMC as an efficient method for VC
generation
Compare VC generation by symbolic execution, weakest
precondition and bounded-model checking.


Outline

1 Setting

2 Encoding Programs as Formulas using SA

3 VCs with Symbolic Execution

4 VCs with Weakest Preconditions

5 VCs with Bounded Model Checking

6 Conclusions


Setting (1)

C ::= skip | x := e | if b then S else S | assert ψ
S ::= C | C ; S

A program is correct if for every execution, whenever a command
assert ψ is met, the assertion ψ is satisﬁed by the current state.
The command assert ψ fails when it is executed in a state that
does not satisfy ψ.


Setting (2)

Definition (Verification Conditions)
A set F of assertions is a set of verification conditions for a
command block S whenever |= F implies that S is correct.

Remarks:
It is indifferent to use one or another set of VCs to establish
the correctness of a program, but this does not mean that the
effort involved in automatically proving them is the same.
We write VCs in a normalized form, as implicative formulas
γ → ψ.


Setting (3)

Criteria comparison:
1 The size of generated VCs, in terms of the size of the input
program.
2 How closely the VCs are related to execution paths.


Setting (4)

VC methods diﬀer with respect to the structure of the formulas,
but also the usage of assert commands:
1 “Lemma” usage: in addition, each assert provides information
that is added to the context (hypotheses) available to prove
subsequent asserts.
2 “Proof-Goal”-usage: asserts simply provide proof goals (but of
course methods are static and exhaustive);


Encoding Programs as Formulas using SA (1)

The key to veriﬁcation condition generation is the encoding of the
behavior of programs as logical formulas.
Consider the assignment x := x + 10.
Writing it directly as a formula leads to x = x + 10, which is a
contradiction: there is no state of the program that satisﬁes it.
The logical value of an equality (or boolean expression) changes
with the execution of a subsequent command.



For programs without loops, one way to solve this problem is by
ﬁrst converting them into a single-assignment form in which
multiple indexed versions of each variable are used - a new version
is introduced with each assignment made to the original variable.
The program

x := x + y ; y := 10; x := x − 10
would have the SA form:

x1 := x0 + y 0; y 1 := 10; x2 := x1 − 10



Single-assignment programs have the following fundamental
property:
once a variable has been used (either assigned or read as part of a
program expression), it will surely not be assigned again.

Crucially, if an assert command fails in the original program, it will
fail in the single-assignment form.
It is sound thus to check correctness of a program by
checking a single-assignment form of it.


Example DSA


VCs with Symbolic Execution (1)

Given a single-assignment command block S, let P be the set of
execution paths of its control-flow graph, from START to END, and
Ψ(p) denote the set of assert formulas in a path p ∈ P. The set of
symbolic execution verification conditions of S is defined as follows:

VCse (S) = Fe(assert ψ, p) → ψ | for all occurrences
of assert ψ in p, p ∈ P and ψ ∈ Ψ(p)



Given an execution path p in the control-ﬂow graph of a program,
its path formula Fe(p) is the conjunctive formula obtained by
traversing the path from START to END and combining:
for every assignment x := e, the formula x = e;
for every conditional if b then S t else S f , if the corresponding
branching node is crossed towards the then branch (resp. else
branch), the formula b (resp. ¬b);
for skip and assert φ commands, the formula true.

Fe(C , p) denotes the formula obtained by traversing the preﬁx of
path p between START and C (exclusive of C ).



Clearly the validity of all VCs implies that a particular command
assert ψ will be executed (in any path containing it) only in states
that satisfy ψ, thus VCse (S) indeed constitutes a set of veriﬁcation
conditions for the program.



Remarks:
There is potentially an exponential number of paths, thus an
exponential number of VCs will be generated in the worst case.
VCse can be modiﬁed to avoid exponential explosion of the
size of the generated formulas, but the assertions need to be
added to crucial points of the programs (e.g. SPARK tool).
The one-to-one association between execution paths and VCs
is advantageous for debugging.


VCs with Symbolic Execution - Example

1. x0 < 0 ∧ x1 = −x0 ∧ x2 = x1 ∧ y3 = y0 ∧ c0 > 0∧
c1 = c0 − 1 ∧ c2 = c1 → x2 ≥ 0
2. x0 < 0 ∧ x1 = −x0 ∧ x2 = x1 ∧ y3 = y0 ∧ ¬c0 > 0
∧ c2 = c0 → x2 ≥ 0
3. ¬x0 < 0 ∧ y0 < 0 ∧ y1 = −y0 ∧ y2 = y1 ∧ x2 = x0
∧ y 3 = y 2 ∧ c0 > 0 ∧ c1 = c0 − 1 ∧ c2 = c1 → x2 ≥ 0
4. ¬x0 < 0 ∧ y0 < 0 ∧ y1 = −y0 ∧ y2 = y1 ∧ x2 = x0 ∧
y3 = y2 ∧ ¬c0 > 0 ∧ c2 = c0 → x2 ≥ 0
5. ¬x0 < 0 ∧ ¬y0 < 0 ∧ y2 = y0 ∧ x2 = x0 ∧ y3 = y2 ∧
c0 > 0 ∧ c1 = c0 − 1 ∧ c2 = c1 → x2 ≥ 0
6. ¬x0 < 0 ∧ ¬y0 < 0 ∧ y2 = y0 ∧ x2 = x0 ∧ y3 = y2 ∧
¬c0 > 0 ∧ c2 = c0 → x2 ≥ 0


VCs with Weakest Preconditions (1)

Given an assertion φ, the weakest precondition of a program with
respect to φ is deﬁned as follows:

wp(skip, φ) = φ
wp(x := e, φ) = φ[e/x]
wp(if b then S t else S f , φ) = (b → wp(S t , φ))
∧ (¬b → wp(S f , φ))
wp(C ; S, φ) = wp(C , wp(S, φ))
wp(assert ψ, φ) = ψ ∧ φ

This notion of weakest precondition is conservative.
The assertion wp(S, true) is a veriﬁcation condition for the
program block S, since it ensures that no assert fails.


VCs with Weakest Preconditions (2)

Remarks:
Produces a single VC, but its size is in the worst case
exponential in the size of the program.

wp(Swc ; assert ψ, true)
where

t f t f
Swc = if b1 then S1 else S1 ; . . . ; if bn then Sn else Sn

This method has the advantage of not requiring conversion to
single assignment form.


VCs with Weakest Preconditions (3) - Example

wp(ABS, true)
= wp(C1 ; C2 , x ≥ 0)
= wp(C1 , (c > 0 → x ≥ 0) ∧ (¬c > 0 → x ≥ 0))
= (x < 0 → (c > 0 → −x ≥ 0) ∧ (¬c > 0 → −x ≥ 0))
∧ (¬x < 0 → wp(if y < 0 then y := −y else skip,
(c > 0 → x ≥ 0) ∧ (¬c > 0 → x ≥ 0)))
= (x < 0 → (c > 0 → −x ≥ 0) ∧ (¬c > 0 → −x ≥ 0))
∧ (¬x < 0 → (y < 0 → (c > 0 → x ≥ 0) ∧ (¬c > 0 → x ≥ 0))
∧ (¬y < 0 → (c > 0 → x ≥ 0) ∧ (¬c > 0 → x ≥ 0)))

Normalizing, by applying distributivity yields...


VCs with Weakest Preconditions (4) - Example

1. x < 0 → c > 0 → −x ≥ 0
2. x < 0 → ¬c > 0 → −x ≥ 0
3. ¬x < 0 → y < 0 → c > 0 → x ≥ 0
4. ¬x < 0 → y < 0 → ¬c > 0 → x ≥ 0
5. ¬x < 0 → ¬y < 0 → c > 0 → x ≥ 0
6. ¬x < 0 → ¬y < 0 → ¬c > 0 → x ≥ 0

In this normalized form it becomes obvious that the eﬀort of
discharging the proof obligations is basically the same as for path
analysis by symbolic execution.


VCs with Efficient Weakest Preconditions (1)

An alternative notion to the conservative weakest precondition is
that of weakest liberal precondition wlp(S, φ): the postcondition is
only required to be satisfied if the program terminates correctly.
For programs without iteration, the weakest liberal precondition is
defined in the same way as the conservative weakest precondition,
except for the assert command:

wlp(assert ψ, φ) = ψ → φ



The relation between both notions is well-known:
Lemma
For any command block S and assertion φ,

wp(S, φ) ≡ wlp(S, φ) ∧ wp(S, true)

The relevance of this notion is that the weakest liberal precondition
of a single-assignment program S with respect to φ can be
computed from the linear size formula F(S) of the program without
requiring further traversals of S, so there are no opportunities for
duplicating φ.



F(skip) = true
F(x := e) = x = e
F(if b then S else S f ) = (b ∧ F(S t )) ∨ (¬b ∧ F(S f ))
t

F(C ; S) = F(C ) ∧ F(S)
F(assert ψ) = ψ

Let S be a single-assignment command block. Then for any
assertion φ, wlp(S, φ) ≡ F(S) → φ.


VCs with Eﬃcient Weakest Preconditions (4) —
Example

wp(ABSSA, true)
= wp(C1 ; C2 ; assert x2 ≥ 0, true)
= F(C1 ; C2 ) → x2 ≥ 0
= ((x0 < 0 ∧ x1 = −x0 ∧ x2 = x1 ∧ y3 = y0 )∨
(¬x0 < 0 ∧ ((y0 < 0 ∧ y1 = −y0 ∧ y2 = y1 )∨
(¬y0 < 0 ∧ y2 = y0 )) ∧ x2 = x0 ∧ y3 = y2 ))
∧ ((c0 > 0 ∧ c1 = c0 − 1 ∧ c2 = c1 )
∨ (¬c0 > 0 ∧ c2 = c0 )) → x2 ≥ 0

But what does the VC look like in general?



The set of efficient weakest precondition verification conditions of S
is defined as follows:
VCwp (S) = Fp(assert ψ, S) → ψ | for all assertions ψ
and all occurrences of assert ψ in S

The path formula Fp(C , S) of C in S describes the entire set of
paths from START to a specific command, at a concrete point of
the program.



Remarks:
Unlike with symbolic execution, there is no direct association
between a single invalid VC and an error path, which is the
price to pay for eﬃciency.
We avoid exponential explosion: in general, the size of each
VC is worst-case linear in the size n of the program, and there
are k VCs, with k the number of assert commands, which is
also linear in n in the worst-case. So overall VCwc is of
quadratic size in n.
“Lemma-usage” of asserts: Fp includes assert information.


VCs with Bounded Model Checking (1)

From a program S we extract two sets of formulas, such that:
P is a logical consequence of C (the entailment C |= P holds), if
and only if no assert command fails in any execution of S.
C describes logically the operational contents of the program, and
P is extracted from the assert formulas that can be found in it.
This technique explicitly assumes that a satisﬁability-based tool is
used to ﬁnd models corresponding to an execution of the program
that violates at least one assert command:

C ∪ {¬ P}



To see that this can be formulated in terms of verification
conditions, it suffices to observe that for finite C the semantic
entailment problem
C |= P
is equivalent to the validity problem

|= C→ P



For our programs without loops the method applies the following
steps:
1 The program is converted into single-assignment form;
2 The resulting program is then converted into a sequence of
commands on the form if b then Ca else skip, with Ca an
atomic command.
3 Extract the model from the Conditional Normal Form.
For every command if b then x := e else skip in the program,
C includes the formula b → x = e;
For every command if b then assert ψ else skip in the
program, P includes the formula b → ψ.
4 Generate VC: C→ P.


VCs with Bounded Model Checking (3) - Example

ABSCNF : if x0 < 0 then x1 := −x0 else skip ;
if x0 < 0 then x2 := x1 else skip ;
if x0 < 0 then y3 := y0 else skip ;
if ¬(x0 < 0) ∧ y0 < 0 then y1 := −y0 else skip ;
if ¬(x0 < 0) ∧ y0 < 0 then y2 := y1 else skip ;
if ¬(x0 < 0) ∧ ¬(y0 < 0) then y2 := y0 else skip ;
if ¬(x0 < 0) then x2 := x0 else skip ;
if ¬(x0 < 0) then y3 := y2 else skip ;
if c0 > 0 then c1 := c0 − 1 else skip ;
if c0 > 0 then c2 := c1 else skip ;
if ¬(c0 > 0) then c2 := c0 else skip ;
if true then assert x2 ≥ 0 else skip


VCs with Bounded Model Checking (4) - Example

C : 1. x0 < 0 → x1 = −x0
2. x0 < 0 → x2 = x1
3. x0 < 0 → y3 = y0
4. ¬(x0 < 0) ∧ y0 < 0 → y1 = −y0
5. ¬(x0 < 0) ∧ y0 < 0 → y2 = y1
6. ¬(x0 < 0) ∧ ¬(y0 < 0) → y2 = y0
7. ¬(x0 < 0) → x2 = x0
8. ¬(x0 < 0) → y3 = y2
9. c0 > 0 → c1 = c0 − 1
10. c0 > 0 → c2 = c1
11. ¬(c0 > 0) → c2 = c0
P : 1. true → x2 ≥ 0



C can then be written as Fbmc(S), where:
S denotes the program that results from replacing every
command assert ψ in S by skip.
Fbmc(S) is a variant of F(S);

P on the other hand can be written as follows:
Fb(assert ψ, S) → ψ | for all assertions ψ
and all occurrences of assert ψ in S

Fb(C,S) captures only the branching information that enables the
execution of the command C .



The verification condition C → P can now be split using basic
equivalences to obtain a set of normalized VCs:
Given a single-assignment command block S, the set of bounded
model checking verification conditions of S is defined as follows:

VCbmc (S) = Fbmc(S) ∧ Fb(assert ψ, S) → ψ | for
all assertions ψ and all occurrences of assert ψ in S


Conclusions

In BMC, the formulas occurring as antecedents of VCs do not
include assert formulas, whereas in the eﬃcient WP method it
does, which allows them to be used as lemmas.
The size of VCs is in both cases linear for programs with a
single postcondition assert command; for programs with an
arbitrary number of such commands both have a quadratic
bound.
Symbolic execution generates VCs of exponential-size in the
worst-case, but oﬀers a one-to-one association between VCs
and execution paths, valuable for error-tracing.


Conclusions

None of the methods can be said to always generate smaller
VCs than the other.
Since it is diﬃcult to judge the performance of automatic
provers (and the eﬀect of operations like splitting, which
increase the size of formulas but not necessarily make proofs
harder), an empirical comparison seems to be required.
Build a VCGen based on the BMC technique for Boogie
programs.
Include the iteration.


Verification Conditions for Single-Assignment Programs

Recomendados

Recomendados

Más contenido relacionado

Destacado

Destacado (20)

Similar a Verification Conditions for Single-Assignment Programs

Similar a Verification Conditions for Single-Assignment Programs (20)

Último

Último (20)

Verification Conditions for Single-Assignment Programs