Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs
Mike Barnett and Rustan Leino
Microsoft Research, Redmond, WA, USA
Slide 2: Spec# Programming System

(Architecture diagram.) The Spec# program verifier pipeline:
Spec# → Spec# compiler → MSIL ("bytecode") → translator → Boogie PL → inference engine → V.C. generator → verification condition → automatic theorem prover → "correct" or list of errors.
The compiler's other output is runtime monitoring: the contracts are compiled into checks that execute with the program.
Slide 3: Spec# demo
Slide 4: Spec# Demo: What It Showed

• Non-null type system
• Pre- and postconditions
• Object invariants
• Dynamic monitoring
• Static verification
Slide 5: Verification Condition

• A first-order logical formula
• Valid if and only if the program meets its specification
• This leaves a lot of room for engineering…
Slide 6: General Problem

• Duplication of postconditions for if-statements:

  wp( if (b) {x++;} else {x--;} , p ≠ null )
    = (b ⇒ wp( x++ , p ≠ null )) ∧ (¬b ⇒ wp( x-- , p ≠ null ))

  The postcondition p ≠ null is copied into both branches. With nested or sequential conditionals the copies compound, so the formula can grow exponentially in the size of the program.
Slide 7: Definition of Language

Program ::= Block+
Block   ::= BlockId : Stmt ; goto BlockId*
Stmt    ::= VarId := Expr | havoc VarId | assert Expr | assume Expr | Stmt ; Stmt | skip
Slide 8: Example

(Diagram.) A structured if-statement is encoded in this language with goto and assume; the condition is not tested on the edge but assumed at the start of each target block:

  if (E) { S; } else { T; }

becomes

  goto S, T;

where the block for S begins with "assume E; S; …" and the block for T begins with "assume ¬E; T; …".

The diagram also shows the running example used later for passification, with x assigned in both arms of a branch:

  z := x
  x := …   |   x := …
  y := … x …

and its single-assignment form, in which every assignment gets a fresh incarnation and the two arms are joined by copying into a common one:

  z1 := x0
  x1 := …   |   x2 := …
  x3 := x1  |   x3 := x2
  y1 := … x3 …
Slide 9: The recipe

0. Cut loops: consider an arbitrary loop iteration
1. Passify the program: combine control flow and data flow
2. Construct the weakest-precondition formula: connect the program to its semantics
Slide 10: Cutting Loops: the general idea

(Diagram.) The loop body assigns "x := …" and returns along the back edge. Cutting the loop replaces that effect at the loop head with "havoc x;", so the verifier considers an arbitrary iteration. Without a loop invariant, this loses all information about x.
Slide 11: Cut Loops: Sub-steps

0.0. Replace each "assert P" by "assert P; assume P"
0.1. Push asserts up-stream.
0.2. Delete back edges after "havoc"-ing the loop targets (the variables assigned inside the loop).
Slide 12: Cutting the loops… Putting the steps together

(Diagram.) Before: the loop head is "assert J;", reached from the entry and, after the body "x := …", again via the back edge.
Step 0.0 turns the head into "assert J; assume J;".
Step 0.1 pushes the asserts up-stream: the invariant is checked on entry ("assert J;" before the loop) and at the end of the body ("x := …; assert J;"), and the head keeps only "assume J;".
Step 0.2 havocs the loop target and deletes the back edge, so the head becomes "havoc x; assume J;".
Note how this corresponds to the classical notion of a loop invariant: checking it in two places allows you to assume it at the top of the loop.
Slide 13: Passification

(Diagram.) Original program, with x assigned in both arms of a branch:

  z := x
  x := …   |   x := …
  y := … x …

After single-assignment renaming (a fresh incarnation per assignment; the arms are joined by copying into a common incarnation x3):

  z1 := x0
  x1 := …   |   x2 := …
  x3 := x1  |   x3 := x2
  y1 := … x3 …

Passive form (each assignment becomes an assume):

  assume z1 = x0
  assume x1 = …   |   assume x2 = …
  assume x3 = x1  |   assume x3 = x2
  assume y1 = … x3 …
Slide 14: Weakest Precondition

• For each block A, A_ok holds when all executions starting at A are okay.
• Block Equation for each block A (BE_A), where S is the passive statement of A:
    A_ok ≡ wp(S, (∧ B ∈ Succ(A) : B_ok))
• VC (semantics of the entire program):
    (∧ A : BE_A) ⇒ Start_ok
• The VC is obviously linear in the size of the passive program: each successor B appears in BE_A only as the atom B_ok, never as a copy of its own formula, and wp over passive statements (wp(assert e, Q) = e ∧ Q, wp(assume e, Q) = e ⇒ Q) mentions Q exactly once.
Slide 15: Example

int M(int x)
  requires 100 <= x;
  ensures result == 0;
{
  while (0 < x)
    invariant 0 <= x;
  {
    x = x - 1;
  }
  return x;
}
Slide 16: CFG

Start:    assume 100 ≤ x;             (precondition)        goto LoopHead
LoopHead: assert 0 ≤ x;               (loop invariant)      goto Body, After
Body:     assume 0 < x; x := x - 1;   (loop guard)          goto LoopHead
After:    assume ¬(0 < x);            (negation of guard)
          r := x; assert r = 0;       (postcondition)
Slide 17: Loop-Free CFG

Start:    assume 100 ≤ x; assert 0 ≤ x;              goto LoopHead
LoopHead: havoc x; assume 0 ≤ x;                     goto Body, After
Body:     assume 0 < x; x := x - 1; assert 0 ≤ x;
After:    assume ¬(0 < x); r := x; assert r = 0;

The invariant is now checked before entering the loop (in Start) and at the end of Body, and assumed after havoc-ing the loop target x; the back edge from Body to LoopHead is gone.
Slide 18: Passive Program

Start:    assume 100 ≤ x0; assert 0 ≤ x0;                 goto LoopHead
LoopHead: skip; assume 0 ≤ x1;                            goto Body, After
Body:     assume 0 < x1; assume x2 = x1 - 1; assert 0 ≤ x2;
After:    assume ¬(0 < x1); assume r1 = x1; assert r1 = 0;

"havoc x" became "skip" plus a fresh incarnation x1 about which nothing is assumed; each assignment became an assume about a fresh incarnation.
Slide 19: Block Equations

Start_ok    ≡ 100 ≤ x0 ⇒ (0 ≤ x0 ∧ LoopHead_ok)
LoopHead_ok ≡ 0 ≤ x1 ⇒ (Body_ok ∧ After_ok)
Body_ok     ≡ 0 < x1 ⇒ (x2 = x1 - 1 ⇒ (0 ≤ x2 ∧ true))
After_ok    ≡ ¬(0 < x1) ⇒ (r1 = x1 ⇒ (r1 = 0 ∧ true))
Slide 20: Verification Condition

   (Start_ok    ≡ 100 ≤ x0 ⇒ (0 ≤ x0 ∧ LoopHead_ok))
∧  (LoopHead_ok ≡ 0 ≤ x1 ⇒ (Body_ok ∧ After_ok))
∧  (Body_ok     ≡ 0 < x1 ⇒ (x2 = x1 - 1 ⇒ (0 ≤ x2 ∧ true)))
∧  (After_ok    ≡ ¬(0 < x1) ⇒ (r1 = x1 ⇒ (r1 = 0 ∧ true)))
⇒  Start_ok
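The recipe of slides 9 through 20, worked through in Python as an added example; this is not the authors' code and not how Boogie implements it. It starts from the loop-free CFG of slide 17 (loop already cut), passifies it as on slides 13 and 18, builds the block equations and VC of slides 19 and 20, and replaces the automatic theorem prover with a bounded exhaustive evaluation. The tuple encoding of statements, the hypothetical `decrement` knob that plants a bug in the loop body, and the value domains used for the check are assumptions of this example, not part of the slides.

```python
import re
from dataclasses import dataclass, field
from itertools import product

# Statements are tuples: ("assign", var, expr), ("havoc", var), ("assume", expr), ("assert", expr).
# Expressions use Python syntax over program variables; passify() renames them to x0, x1, ...
@dataclass
class Block:
    stmts: list
    succs: list = field(default_factory=list)
    passive: list = field(default_factory=list)   # ("assume"|"assert", expr), filled by passify()

def topo_order(cfg, start):
    """Post-order DFS over the loop-free CFG: each block comes after all blocks it reaches."""
    order, seen = [], set()
    def visit(n):
        if n not in seen:
            seen.add(n)
            for s in cfg[n].succs:
                visit(s)
            order.append(n)
    visit(start)
    return order

def passify(cfg, start, variables):
    """Step 1 of the recipe: assignments become assumes over fresh incarnations. At a join
    whose predecessors hold different incarnations of v, a fresh one is introduced and each
    predecessor ends with "assume v_new == v_pred" (the x3 := x1 / x3 := x2 of slide 13)."""
    counter = {v: 0 for v in variables}
    def fresh(v):
        counter[v] += 1
        return counter[v]
    def rename(expr, cur):   # x -> x<k> for the current incarnation k of x
        return re.sub(r"\b([A-Za-z_]\w*)\b",
                      lambda m: f"{m[1]}{cur[m[1]]}" if m[1] in cur else m[1], expr)
    preds = {n: [p for p in cfg if n in cfg[p].succs] for n in cfg}
    out = {}
    for name in reversed(topo_order(cfg, start)):   # predecessors before successors
        cur = dict(out[preds[name][0]]) if preds[name] else {v: 0 for v in variables}
        for v in variables:
            if len({out[p][v] for p in preds[name]}) > 1:   # predecessors disagree: unify
                cur[v] = fresh(v)
                for p in preds[name]:
                    cfg[p].passive.append(("assume", f"{v}{cur[v]} == {v}{out[p][v]}"))
        for kind, *args in cfg[name].stmts:
            if kind == "assign":
                rhs = rename(args[1], cur)
                cur[args[0]] = fresh(args[0])
                cfg[name].passive.append(("assume", f"{args[0]}{cur[args[0]]} == {rhs}"))
            elif kind == "havoc":
                cur[args[0]] = fresh(args[0])   # fresh, unconstrained incarnation; emits "skip"
            else:
                cfg[name].passive.append((kind, rename(args[0], cur)))
        out[name] = cur

def wp(stmts, post):
    """wp over passive statements, right to left: assert e gives e ∧ Q, assume e gives e ⇒ Q."""
    for kind, e in reversed(stmts):
        post = f"(({e}) and {post})" if kind == "assert" else f"((not ({e})) or {post})"
    return post

def block_equations(cfg):
    """Step 2: A_ok ≡ wp(S_A, ∧ B_ok for B in Succ(A)). Successors enter only as the
    atoms B_ok, never as copies of their formulas, so the VC is linear in program size."""
    return {n: wp(b.passive, "(" + (" and ".join(f"{s}_ok" for s in b.succs) or "True") + ")")
            for n, b in cfg.items()}

def verification_condition(cfg, start):
    """(∧ BE_A) ⇒ Start_ok, as a single formula string."""
    eqs = block_equations(cfg)
    return "(not (" + " and ".join(f"({n}_ok == {e})" for n, e in eqs.items()) + f")) or {start}_ok"

def bounded_check(cfg, start, domains):
    """Stand-in for the theorem prover. The CFG is acyclic, so the block equations determine
    every A_ok from the incarnations, and the VC is valid iff Start_ok holds under every
    valuation. Exhaustive only over `domains`: it finds bugs but proves nothing."""
    eqs, order, names = block_equations(cfg), topo_order(cfg, start), list(domains)
    for values in product(*(domains[v] for v in names)):
        env = dict(zip(names, values))
        for n in order:                                   # successors are evaluated first
            env[f"{n}_ok"] = eval(eqs[n], {"__builtins__": {}}, env)
        if not env[f"{start}_ok"]:
            return dict(zip(names, values))
    return None

def loop_free_M(decrement=1):
    """Loop-free CFG of M(x) from the slides (loop already cut). The hypothetical `decrement`
    knob plants a bug: with 2 the body can drive x below 0, violating the invariant."""
    return {
        "Start":    Block([("assume", "100 <= x"), ("assert", "0 <= x")], ["LoopHead"]),
        "LoopHead": Block([("havoc", "x"), ("assume", "0 <= x")], ["Body", "After"]),
        "Body":     Block([("assume", "0 < x"), ("assign", "x", f"x - {decrement}"), ("assert", "0 <= x")]),
        "After":    Block([("assume", "not (0 < x)"), ("assign", "r", "x"), ("assert", "r == 0")]),
    }

def verify_M(decrement=1):
    """Runs the recipe on M; returns (block equations, counterexample valuation or None)."""
    cfg = loop_free_M(decrement)
    passify(cfg, "Start", ["x", "r"])
    small = range(-2, 4)   # assumed domains: x0 around the precondition bound, the rest small
    domains = {"x0": [99, 100, 101], "x1": small, "x2": small, "r1": small}
    return block_equations(cfg), bounded_check(cfg, "Start", domains)
```

verify_M(1) returns the four block equations of slide 19 (with ⇒ spelled as "not … or") and None, meaning no valuation in the checked domains falsifies Start_ok. verify_M(2) returns the valuation x0 = 100, x1 = 1, x2 = -1, r1 = -2: the arbitrary iteration in which x := x - 2 takes x from 1 to -1 and the pushed-up assertion 0 ≤ x2 fails, which is exactly what cutting the loop and checking the invariant at the end of the body is meant to catch. Because each successor enters its predecessor's equation only as the atom B_ok, the combined text of the equations grows linearly with the passive program, the point of slide 14; the structured wp of slide 6 would instead copy the remainder of the program into every branch.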
Slide 21: Related Work

• Distribution via wlp: we could have done this too (it is ESC/Java's technique), but converting to a structured program leads to a blow-up (and requires heuristics).
• Possibly could have used a target language with "S!T" (and "raise") for exceptional composition.
Slide 22: Conclusion

• Room for more improvement
  – Recent experiments on directing the theorem prover along certain paths.
• Useful even for systems that use structured programs.