Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Verification Conditions for Single-Assignment Programs
1. Verification Conditions for Single-assignment
Programs
Daniela da Cruz, Maria João Frade, and Jorge Sousa Pinto
Departamento de Informática
Universidade do Minho
SAC-SVT 2012
March 30, 2012
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
2. Context
The generation of verification conditions (VCs) from imperative
code is a well-known problem, with standard solutions.
But surprisingly some aspects of each major approach are still not
very clear: weakest precondition and bounded model checking.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
3. Motivation
Our goal is to:
Use single-assignment (SA) as a vehicle for program
verification;
Show how the calculation of efficient WPs can be seen as
generating verification conditions from path formulas in the
CFG of the program;
Give an account of BMC as an efficient method for VC
generation
Compare VC generation by symbolic execution, weakest
precondition and bounded-model checking.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
4. Outline
1 Setting
2 Encoding Programs as Formulas using SA
3 VCs with Symbolic Execution
4 VCs with Weakest Preconditions
5 VCs with Bounded Model Checking
6 Conclusions
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
5. Setting (1)
C ::= skip | x := e | if b then S else S | assert ψ
S ::= C | C ; S
A program is correct if for every execution, whenever a command
assert ψ is met, the assertion ψ is satisfied by the current state.
The command assert ψ fails when it is executed in a state that
does not satisfy ψ.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
6. Setting (2)
Definition (Verification Conditions)
A set F of assertions is a set of verification conditions for a
command block S whenever |= F implies that S is correct.
Remarks:
It is indifferent to use one or another set of VCs to establish
the correctness of a program, but this does not mean that the
effort involved in automatically proving them is the same.
We write VCs in a normalized form, as implicative formulas
γ → ψ.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
7. Setting (3)
Criteria comparison:
1 The size of generated VCs, in terms of the size of the input
program.
2 How closely the VCs are related to execution paths.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
8. Setting (4)
VC methods differ with respect to the structure of the formulas,
but also the usage of assert commands:
1 “Lemma” usage: in addition, each assert provides information
that is added to the context (hypotheses) available to prove
subsequent asserts.
2 “Proof-Goal”-usage: asserts simply provide proof goals (but of
course methods are static and exhaustive);
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
9. Outline
1 Setting
2 Encoding Programs as Formulas using SA
3 VCs with Symbolic Execution
4 VCs with Weakest Preconditions
5 VCs with Bounded Model Checking
6 Conclusions
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
10. Encoding Programs as Formulas using SA (1)
The key to verification condition generation is the encoding of the
behavior of programs as logical formulas.
Consider the assignment x := x + 10.
Writing it directly as a formula leads to x = x + 10, which is a
contradiction: there is no state of the program that satisfies it.
The logical value of an equality (or boolean expression) changes
with the execution of a subsequent command.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
11. Encoding Programs as Formulas using SA (2)
For programs without loops, one way to solve this problem is by
first converting them into a single-assignment form in which
multiple indexed versions of each variable are used - a new version
is introduced with each assignment made to the original variable.
The program
x := x + y ; y := 10; x := x − 10
would have the SA form:
x1 := x0 + y 0; y 1 := 10; x2 := x1 − 10
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
12. Encoding Programs as Formulas using SA (3)
Single-assignment programs have the following fundamental
property:
once a variable has been used (either assigned or read as part of a
program expression), it will surely not be assigned again.
Crucially, if an assert command fails in the original program, it will
fail in the single-assignment form.
It is sound thus to check correctness of a program by
checking a single-assignment form of it.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
13. Example DSA
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
14. Outline
1 Setting
2 Encoding Programs as Formulas using SA
3 VCs with Symbolic Execution
4 VCs with Weakest Preconditions
5 VCs with Bounded Model Checking
6 Conclusions
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
15. VCs with Symbolic Execution (1)
Given a single-assignment command block S, let P be the set of
execution paths of its control-flow graph, from START to END, and
Ψ(p) denote the set of assert formulas in a path p ∈ P. The set of
symbolic execution verification conditions of S is defined as follows:
VCse (S) = Fe(assert ψ, p) → ψ | for all occurrences
of assert ψ in p, p ∈ P and ψ ∈ Ψ(p)
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
16. VCs with Symbolic Execution (2)
Given an execution path p in the control-flow graph of a program,
its path formula Fe(p) is the conjunctive formula obtained by
traversing the path from START to END and combining:
for every assignment x := e, the formula x = e;
for every conditional if b then S t else S f , if the corresponding
branching node is crossed towards the then branch (resp. else
branch), the formula b (resp. ¬b);
for skip and assert φ commands, the formula true.
Fe(C , p) denotes the formula obtained by traversing the prefix of
path p between START and C (exclusive of C ).
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
17. VCs with Symbolic Execution (3)
Clearly the validity of all VCs implies that a particular command
assert ψ will be executed (in any path containing it) only in states
that satisfy ψ, thus VCse (S) indeed constitutes a set of verification
conditions for the program.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
18. VCs with Symbolic Execution (3)
Remarks:
There is potentially an exponential number of paths, thus an
exponential number of VCs will be generated in the worst case.
VCse can be modified to avoid exponential explosion of the
size of the generated formulas, but the assertions need to be
added to crucial points of the programs (e.g. SPARK tool).
The one-to-one association between execution paths and VCs
is advantageous for debugging.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
20. Outline
1 Setting
2 Encoding Programs as Formulas using SA
3 VCs with Symbolic Execution
4 VCs with Weakest Preconditions
5 VCs with Bounded Model Checking
6 Conclusions
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
21. VCs with Weakest Preconditions (1)
Given an assertion φ, the weakest precondition of a program with
respect to φ is defined as follows:
wp(skip, φ) = φ
wp(x := e, φ) = φ[e/x]
wp(if b then S t else S f , φ) = (b → wp(S t , φ))
∧ (¬b → wp(S f , φ))
wp(C ; S, φ) = wp(C , wp(S, φ))
wp(assert ψ, φ) = ψ ∧ φ
This notion of weakest precondition is conservative.
The assertion wp(S, true) is a verification condition for the
program block S, since it ensures that no assert fails.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
22. VCs with Weakest Preconditions (2)
Remarks:
Produces a single VC, but its size is in the worst case
exponential in the size of the program.
wp(Swc ; assert ψ, true)
where
t f t f
Swc = if b1 then S1 else S1 ; . . . ; if bn then Sn else Sn
This method has the advantage of not requiring conversion to
single assignment form.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
24. VCs with Weakest Preconditions (4) - Example
1. x < 0 → c > 0 → −x ≥ 0
2. x < 0 → ¬c > 0 → −x ≥ 0
3. ¬x < 0 → y < 0 → c > 0 → x ≥ 0
4. ¬x < 0 → y < 0 → ¬c > 0 → x ≥ 0
5. ¬x < 0 → ¬y < 0 → c > 0 → x ≥ 0
6. ¬x < 0 → ¬y < 0 → ¬c > 0 → x ≥ 0
In this normalized form it becomes obvious that the effort of
discharging the proof obligations is basically the same as for path
analysis by symbolic execution.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
25. VCs with Efficient Weakest Preconditions (1)
An alternative notion to the conservative weakest precondition is
that of weakest liberal precondition wlp(S, φ): the postcondition is
only required to be satisfied if the program terminates correctly.
For programs without iteration, the weakest liberal precondition is
defined in the same way as the conservative weakest precondition,
except for the assert command:
wlp(assert ψ, φ) = ψ → φ
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
26. VCs with Efficient Weakest Preconditions (2)
The relation between both notions is well-known:
Lemma
For any command block S and assertion φ,
wp(S, φ) ≡ wlp(S, φ) ∧ wp(S, true)
The relevance of this notion is that the weakest liberal precondition
of a single-assignment program S with respect to φ can be
computed from the linear size formula F(S) of the program without
requiring further traversals of S, so there are no opportunities for
duplicating φ.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
27. VCs with Efficient Weakest Preconditions (3)
F(skip) = true
F(x := e) = x = e
F(if b then S else S f ) = (b ∧ F(S t )) ∨ (¬b ∧ F(S f ))
t
F(C ; S) = F(C ) ∧ F(S)
F(assert ψ) = ψ
Let S be a single-assignment command block. Then for any
assertion φ, wlp(S, φ) ≡ F(S) → φ.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
29. VCs with Efficient Weakest Preconditions (5)
The set of efficient weakest precondition verification conditions of S
is defined as follows:
VCwp (S) = Fp(assert ψ, S) → ψ | for all assertions ψ
and all occurrences of assert ψ in S
The path formula Fp(C , S) of C in S describes the entire set of
paths from START to a specific command, at a concrete point of
the program.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
30. VCs with Efficient Weakest Preconditions (6)
Remarks:
Unlike with symbolic execution, there is no direct association
between a single invalid VC and an error path, which is the
price to pay for efficiency.
We avoid exponential explosion: in general, the size of each
VC is worst-case linear in the size n of the program, and there
are k VCs, with k the number of assert commands, which is
also linear in n in the worst-case. So overall VCwc is of
quadratic size in n.
“Lemma-usage” of asserts: Fp includes assert information.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
31. Outline
1 Setting
2 Encoding Programs as Formulas using SA
3 VCs with Symbolic Execution
4 VCs with Weakest Preconditions
5 VCs with Bounded Model Checking
6 Conclusions
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
32. VCs with Bounded Model Checking (1)
From a program S we extract two sets of formulas, such that:
P is a logical consequence of C (the entailment C |= P holds), if
and only if no assert command fails in any execution of S.
C describes logically the operational contents of the program, and
P is extracted from the assert formulas that can be found in it.
This technique explicitly assumes that a satisfiability-based tool is
used to find models corresponding to an execution of the program
that violates at least one assert command:
C ∪ {¬ P}
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
33. VCs with Bounded Model Checking (2)
To see that this can be formulated in terms of verification
conditions, it suffices to observe that for finite C the semantic
entailment problem
C |= P
is equivalent to the validity problem
|= C→ P
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
34. VCs with Bounded Model Checking (3)
For our programs without loops the method applies the following
steps:
1 The program is converted into single-assignment form;
2 The resulting program is then converted into a sequence of
commands on the form if b then Ca else skip, with Ca an
atomic command.
3 Extract the model from the Conditional Normal Form.
For every command if b then x := e else skip in the program,
C includes the formula b → x = e;
For every command if b then assert ψ else skip in the
program, P includes the formula b → ψ.
4 Generate VC: C→ P.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
35. VCs with Bounded Model Checking (3) - Example
ABSCNF : if x0 < 0 then x1 := −x0 else skip ;
if x0 < 0 then x2 := x1 else skip ;
if x0 < 0 then y3 := y0 else skip ;
if ¬(x0 < 0) ∧ y0 < 0 then y1 := −y0 else skip ;
if ¬(x0 < 0) ∧ y0 < 0 then y2 := y1 else skip ;
if ¬(x0 < 0) ∧ ¬(y0 < 0) then y2 := y0 else skip ;
if ¬(x0 < 0) then x2 := x0 else skip ;
if ¬(x0 < 0) then y3 := y2 else skip ;
if c0 > 0 then c1 := c0 − 1 else skip ;
if c0 > 0 then c2 := c1 else skip ;
if ¬(c0 > 0) then c2 := c0 else skip ;
if true then assert x2 ≥ 0 else skip
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
37. VCs with Bounded Model Checking (4)
C can then be written as Fbmc(S), where:
S denotes the program that results from replacing every
command assert ψ in S by skip.
Fbmc(S) is a variant of F(S);
P on the other hand can be written as follows:
Fb(assert ψ, S) → ψ | for all assertions ψ
and all occurrences of assert ψ in S
Fb(C,S) captures only the branching information that enables the
execution of the command C .
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
38. VCs with Bounded Model Checking (5)
The verification condition C → P can now be split using basic
equivalences to obtain a set of normalized VCs:
Given a single-assignment command block S, the set of bounded
model checking verification conditions of S is defined as follows:
VCbmc (S) = Fbmc(S) ∧ Fb(assert ψ, S) → ψ | for
all assertions ψ and all occurrences of assert ψ in S
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
39. Outline
1 Setting
2 Encoding Programs as Formulas using SA
3 VCs with Symbolic Execution
4 VCs with Weakest Preconditions
5 VCs with Bounded Model Checking
6 Conclusions
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
40. Conclusions
In BMC, the formulas occurring as antecedents of VCs do not
include assert formulas, whereas in the efficient WP method it
does, which allows them to be used as lemmas.
The size of VCs is in both cases linear for programs with a
single postcondition assert command; for programs with an
arbitrary number of such commands both have a quadratic
bound.
Symbolic execution generates VCs of exponential-size in the
worst-case, but offers a one-to-one association between VCs
and execution paths, valuable for error-tracing.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs
41. Conclusions
None of the methods can be said to always generate smaller
VCs than the other.
Since it is difficult to judge the performance of automatic
provers (and the effect of operations like splitting, which
increase the size of formulas but not necessarily make proofs
harder), an empirical comparison seems to be required.
Build a VCGen based on the BMC technique for Boogie
programs.
Include the iteration.
Cruz, Frade & Pinto Verification Conditions for Single-assignment Programs