Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA

2 Spec# Programming System V.C. generator automatic theorem prover verification condition Spec# “correct” or list of errors Spec# compiler MSIL (“bytecode”) translator Boogie PL inference engine Spec# program verifier runtime monitoring

3 Spec# demo

4 Spec# Demo: What It Showed Non-null type system Pre- and postconditions Object invariants Dynamic monitoring Static verification

5 Verification Condition First-order logical formula Valid if and only if program meets its specification This leaves a lot of room for engineering…

6 General Problem Duplication of postconditions for if- statements wp( if (b) {x++;} else {x--;}, p ≠ null ) = (b ⇒ wp( x++, p ≠ null )) ∧ (¬b ⇒wp( x--, p ≠ null ))

7 Definition of Language Program::=Block + Block::=BlockId : Stmt; goto BlockId * Stmt::=VarId := Expr | havoc VarId |assert Expr | assume Expr |Stmt ; Stmt | skip

8 Example y := … x … z := x x := … z 1 := x 0 x 1 := …x 2 := … x 1 := … x 3 := x 1 x 2 := … x 3 := x 2 y 1 := … x 3 … goto S,T; assume E; S; assume ¬E; T; … if (E){ S; }else{ T; }

9 The recipe 0. Cut Loops Consider arbitrary loop iteration 1. Passify the program Combine control flow and data flow 2. Construct weakest precondition formula Connect the program to its semantics

10 Cutting Loops: the general idea x := … Without a loop invariant, this loses all information about x. havoc x;

11 Cut Loops: Sub-steps 0.0. assert P assert P; assume P 0.1. Push asserts up-stream Delete back edges after “havoc”-ing loop targets.

12 Cutting the loops… Putting the steps together assert J; x := … assert J; assume J; assume J; x := … assert J; assert J; Note how this corresponds to the classical notion of a loop invariant: checking it in two places allows you to assume it at the top of the loop. havoc x; assume J;

13 Passification y := … x … z := x x := … z 1 := x 0 x 1 := …x 2 := … x 1 := … x 3 := x 1 x 2 := … x 3 := x 2 y 1 := … x 3 … assume z 1 = x 0 assume x 1 = … assume x 3 = x 1 assume x 2 = … assume x 3 = x 2 assume y 1 = … x 3 …

14 Weakest Precondition For each block A, A ok holds when all executions starting at A are okay. Block Equation for each block A (BE A ): VC (semantics of entire program): VC is obviously linear (in size of the passive program) A ok ≡ wp(S, (∧ B ∈ Succ(A) : B ok )) (∧ A : BE A ) ⇒ Start ok

15 Example int M(int x) requires 100 <= x; ensures result == 0; { while (0 < x) invariant 0 <= x; { x = x – 1; } return x; }

16 CFG assert 0 ≤ x; assume 100 ≤ x; assume 0 < x; x := x – 1; assume ¬(0 < x); r := x; assert r = 0; postcondition precondition loop invariant loop guard negation of guard Body Start LoopHead After

17 Loop-Free CFG havoc x; assume 0 ≤ x; assume 100 ≤ x; assert 0 ≤ x; assume 0 < x; x := x – 1; assert 0 ≤ x; assume ¬(0 < x); r := x; assert r = 0; Body Start LoopHead After

18 Passive Program skip; assume 0 ≤ x 1 ; assume 100 ≤ x 0 ; assert 0 ≤ x 0 ; assume 0 < x 1 ; assume x 2 = x 1 – 1; assert 0 ≤ x 2 ; assume ¬(0 < x 1 ); assume r 1 = x 1 ; assert r 1 = 0; Body Start LoopHead After

19 Block Equations LoopHead ok ≡ 0 ≤ x 1 ⇒ Body ok ∧ After ok Start ok ≡ 100 ≤ x 0 ⇒ 0 ≤ x 0 ∧ LoopHead ok Body ok ≡ 0 < x 1 ⇒ x 2 = x 1 – 1 ⇒ 0 ≤ x 2 ∧ true After ok ≡ ¬(0 < x 1 ) ⇒ r 1 = x 1 ⇒r 1 = 0 ∧ true

20 Verification Condition LoopHead ok ≡ 0 ≤ x 1 ⇒ Body ok ∧ After ok ∧ Body ok ≡ 0 < x 1 ⇒ x 2 = x 1 – 1 ⇒ 0 ≤ x 2 ∧ true After ok ≡ ¬(0 < x 1 ) ⇒ r 1 = x 1 ⇒r 1 = 0 ∧ true Start ok ∧ ∧ ⇒ Start ok ≡ 100 ≤ x 0 ⇒ 0 ≤ x 0 ∧ LoopHead ok

21 Related Work Distribution via wlp: We could have done this too (it is ESC/Java’s technique), but converting to a structured program leads to a blow up (and requires heuristics). Possibly could have used a target language with “S!T” (and “raise”) for exceptional composition.

22 Conclusion Room for more improvement –Recent experiments on directing theorem prover along certain paths. Useful even for systems that use structured programs.