Presentation is loading. Please wait.

Presentation is loading. Please wait.

Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA."— Presentation transcript:

1 Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA

2 2 Spec# Programming System V.C. generator automatic theorem prover verification condition Spec# “correct” or list of errors Spec# compiler MSIL (“bytecode”) translator Boogie PL inference engine Spec# program verifier runtime monitoring

3 3 Spec# demo

4 4 Spec# Demo: What It Showed Non-null type system Pre- and postconditions Object invariants Dynamic monitoring Static verification

5 5 Verification Condition First-order logical formula Valid if and only if program meets its specification This leaves a lot of room for engineering…

6 6 General Problem Duplication of postconditions for if- statements wp( if (b) {x++;} else {x--;}, p ≠ null ) = (b ⇒ wp( x++, p ≠ null )) ∧ (¬b ⇒wp( x--, p ≠ null ))

7 7 Definition of Language Program::=Block + Block::=BlockId : Stmt; goto BlockId * Stmt::=VarId := Expr | havoc VarId |assert Expr | assume Expr |Stmt ; Stmt | skip

8 8 Example y := … x … z := x x := … z 1 := x 0 x 1 := …x 2 := … x 1 := … x 3 := x 1 x 2 := … x 3 := x 2 y 1 := … x 3 … goto S,T; assume E; S; assume ¬E; T; … if (E){ S; }else{ T; }

9 9 The recipe 0. Cut Loops Consider arbitrary loop iteration 1. Passify the program Combine control flow and data flow 2. Construct weakest precondition formula Connect the program to its semantics

10 10 Cutting Loops: the general idea x := … Without a loop invariant, this loses all information about x. havoc x;

11 11 Cut Loops: Sub-steps 0.0. assert P assert P; assume P 0.1. Push asserts up-stream. 0.2. Delete back edges after “havoc”-ing loop targets.

12 12 Cutting the loops… Putting the steps together assert J; x := … assert J; assume J; assume J; x := … assert J; assert J; Note how this corresponds to the classical notion of a loop invariant: checking it in two places allows you to assume it at the top of the loop. havoc x; assume J;

13 13 Passification y := … x … z := x x := … z 1 := x 0 x 1 := …x 2 := … x 1 := … x 3 := x 1 x 2 := … x 3 := x 2 y 1 := … x 3 … assume z 1 = x 0 assume x 1 = … assume x 3 = x 1 assume x 2 = … assume x 3 = x 2 assume y 1 = … x 3 …

14 14 Weakest Precondition For each block A, A ok holds when all executions starting at A are okay. Block Equation for each block A (BE A ): VC (semantics of entire program): VC is obviously linear (in size of the passive program) A ok ≡ wp(S, (∧ B ∈ Succ(A) : B ok )) (∧ A : BE A ) ⇒ Start ok

15 15 Example int M(int x) requires 100 <= x; ensures result == 0; { while (0 < x) invariant 0 <= x; { x = x – 1; } return x; }

16 16 CFG assert 0 ≤ x; assume 100 ≤ x; assume 0 < x; x := x – 1; assume ¬(0 < x); r := x; assert r = 0; postcondition precondition loop invariant loop guard negation of guard Body Start LoopHead After

17 17 Loop-Free CFG havoc x; assume 0 ≤ x; assume 100 ≤ x; assert 0 ≤ x; assume 0 < x; x := x – 1; assert 0 ≤ x; assume ¬(0 < x); r := x; assert r = 0; Body Start LoopHead After

18 18 Passive Program skip; assume 0 ≤ x 1 ; assume 100 ≤ x 0 ; assert 0 ≤ x 0 ; assume 0 < x 1 ; assume x 2 = x 1 – 1; assert 0 ≤ x 2 ; assume ¬(0 < x 1 ); assume r 1 = x 1 ; assert r 1 = 0; Body Start LoopHead After

19 19 Block Equations LoopHead ok ≡ 0 ≤ x 1 ⇒ Body ok ∧ After ok Start ok ≡ 100 ≤ x 0 ⇒ 0 ≤ x 0 ∧ LoopHead ok Body ok ≡ 0 < x 1 ⇒ x 2 = x 1 – 1 ⇒ 0 ≤ x 2 ∧ true After ok ≡ ¬(0 < x 1 ) ⇒ r 1 = x 1 ⇒r 1 = 0 ∧ true

20 20 Verification Condition LoopHead ok ≡ 0 ≤ x 1 ⇒ Body ok ∧ After ok ∧ Body ok ≡ 0 < x 1 ⇒ x 2 = x 1 – 1 ⇒ 0 ≤ x 2 ∧ true After ok ≡ ¬(0 < x 1 ) ⇒ r 1 = x 1 ⇒r 1 = 0 ∧ true Start ok ∧ ∧ ⇒ Start ok ≡ 100 ≤ x 0 ⇒ 0 ≤ x 0 ∧ LoopHead ok

21 21 Related Work Distribution via wlp: We could have done this too (it is ESC/Java’s technique), but converting to a structured program leads to a blow up (and requires heuristics). Possibly could have used a target language with “S!T” (and “raise”) for exceptional composition.

22 22 Conclusion Room for more improvement –Recent experiments on directing theorem prover along certain paths. Useful even for systems that use structured programs.

Download ppt "Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA."

Similar presentations

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.

Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.

1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.
Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.

Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,

Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Similar presentations

Ads by Google