Explaining Verification Conditions - PowerPoint PPT Presentation
Explaining Verification Conditions. Ewen Denney, USRA/RIACS, NASA Ames Bernd Fischer, University of Southampton. Hoare-style program verification. Two-stage process: Verification condition generator (VCG) applies rules of Hoare-calculus to annotated program

Explaining Verification Conditions

Ewen Denney, USRA/RIACS, NASA Ames

Bernd Fischer, University of Southampton


Hoare-style program verification

Two-stage process:

  • Verification condition generator (VCG)

    • applies rules of Hoare-calculus to annotated program

    • produces set of verification conditions (VCs)

  • Automated theorem prover (ATP)

    • tries to discharge VCs

  • separates decidable VCG from undecidable ATP

    • but also separates VCs from program

  • what to do in case of ATP failure? doubt? curiosity?

    • wide variety of potential causes: resources, axioms, real errors

    • user confronted only with failed VC

  • need natural-language explanations


Example Explanation

The purpose of this VC is to show that the loop invariant at line 729 (#1) under the substitutions originating in line 5 and line 730 is still true after each iteration to line 731; it is also used to show the preservation of the loop invariants at line 728, which in turn is used to show the preservation of the loop invariants at line 683. Hence, given

- the loop bounds at line 728 under the substitution originating in line 5,

- the invariant at line 729 (#1) under the substitution originating in line 5,

- the invariant at line 729 (#2) under the substitution originating in line 5,

- the invariant at line 729 (#15) under the substitution originating in line 5,

- the loop bounds at line 729 under the substitution originating in line 5,

show that the loop invariant at line 729 (#1) under the substitutions originating in line 5 and line 730 is still true after each iteration to line 731.


Example VC

fof(twobody_vel_j2_bias_bierman_init_0036,conjecture,
    ( ( hi(dminus,0) = 11
      & hi(dminus,1) = 11
      & hi(h,0) = 5
      & hi(h,1) = 11
      & hi(id,0) = 11
      & hi(id,1) = 11
      & hi(phi,0) = 11
      & hi(phi,1) = 11
      & hi(pminus,0) = 11
      & hi(pminus,1) = 11
      & hi(pplus,0) = 11
      & hi(pplus,1) = 11
      & hi(q,0) = 11
      & hi(q,0) = 11
      & hi(q,1) = 11
      & hi(r,0) = 5
      & hi(r,0) = 5
      & hi(r,1) = 5
      & hi(uminus,0) = 11
      & hi(uminus,1) = 11
      & hi(v1,0) = 11
      & hi(v1,1) = 0
      & hi(w,0) = 11
      & hi(w,1) = 0
      & hi(x,0) = 11
      & hi(x_init_cov,0) = 11
      & hi(xdot,0) = 11
      & hi(xdot,1) = 0
      & hi(xhat1,0) = 11
      & hi(xhat1,1) = 0
      & hi(xhat,0) = 11
      & hi(xhat,1) = pred(n_steps)
      & hi(xhatmin,0) = 11
      & hi(xhatmin,1) = 0
      & hi(z,0) = 5
      & hi(z,1) = pred(n_steps)
      & hi(zhat,0) = 5
      & hi(zhat,1) = 0
      & hi(zpred,0) = 5
      & hi(zpred,1) = 0
      & lo(dminus,0) = 0
      & lo(dminus,1) = 0
      & lo(h,0) = 0
      & lo(h,1) = 0
      & lo(id,0) = 0
      & lo(id,1) = 0
      & lo(phi,0) = 0
      & lo(phi,1) = 0
      & lo(pminus,0) = 0
      & lo(pminus,1) = 0
      & lo(pplus,0) = 0
      & lo(pplus,1) = 0
      & lo(q,0) = 0
      & lo(q,0) = 0
      & lo(q,1) = 0
      & lo(r,0) = 0
      & lo(r,0) = 0
      & lo(r,1) = 0
      & lo(uminus,0) = 0
      & lo(uminus,1) = 0
      & lo(v1,0) = 0
      & lo(v1,1) = 0
      & lo(w,0) = 0
      & lo(w,1) = 0
      & lo(x,0) = 0
      & lo(x_init_cov,0) = 0
      & lo(xdot,0) = 0
      & lo(xdot,1) = 0
      & lo(xhat1,0) = 0
      & lo(xhat1,1) = 0
      & lo(xhat,0) = 0
      & lo(xhat,1) = 0
      & lo(xhatmin,0) = 0
      & lo(xhatmin,1) = 0
      & lo(z,0) = 0
      & lo(z,1) = 0
      & lo(zhat,0) = 0
      & lo(zhat,1) = 0
      & lo(zpred,0) = 0
      & lo(zpred,1) = 0 )
   => ! [A] :
        ( ( leq(0,pv5)
          & leq(0,pv108)
          & leq(0,pv109)
          & leq(pv108,11)
          & leq(pv109,11)
          & gt(A,pv5)
          & ! [D,E] :
              ( ( leq(0,D) & leq(0,E) & leq(D,5) & leq(E,0) )
             => a_select3(zpred_init,D,E) = init )
          & ! [F,G] :
              ( ( leq(0,F) & leq(0,G) & leq(F,5) & leq(G,0) )
             => a_select3(zhat_init,F,G) = init )
          & ! [H,I] :
              ( ( leq(0,H) & leq(0,I) & leq(H,11) & leq(I,0) )
             => a_select3(xhatmin_init,H,I) = init )
          & ! [J,K] :
              ( ( leq(0,J) & leq(0,K) & leq(J,11) & leq(K,11) )
             => ( ( J = pv108 & gt(pv109,K) )
               => a_select3(uminus_init,J,K) = init ) )
          & ! [L,M] :
              ( ( leq(0,L) & leq(0,M) & leq(L,11) & leq(M,11) )
             => ( gt(pv108,L)
               => a_select3(uminus_init,L,M) = init ) )
          & ! [N,O] :
              ( ( leq(0,N) & leq(0,O) & leq(N,5) & leq(O,5) )
             => a_select3(r_init,N,O) = init )
          & ! [P,Q] :
              ( ( leq(0,P) & leq(0,Q) & leq(P,11) & leq(Q,11) )
             => a_select3(q_init,P,Q) = init )
          & ! [R,S] :
              ( ( leq(0,R) & leq(0,S) & leq(R,11) & leq(S,11) )
             => a_select3(pminus_init,R,S) = init )
          & ! [T,U] :
              ( ( leq(0,T) & leq(0,U) & leq(T,11) & leq(U,11) )
             => a_select3(phi_init,T,U) = init )
          & ! [V,W] :
              ( ( leq(0,V) & leq(0,W) & leq(V,5) & leq(W,11) )
             => a_select3(h_init,V,W) = init )
          & ! [X,Y] :
              ( ( leq(0,X) & leq(0,Y) & leq(X,11) & leq(Y,11) )
             => ( ( X = pv108 & gt(pv109,Y) )
               => a_select3(dminus_init,X,Y) = init ) )
          & ! [Z,A1] :
              ( ( leq(0,Z) & leq(0,A1) & leq(Z,11) & leq(A1,11) )
             => ( gt(pv108,Z)
               => a_select3(dminus_init,Z,A1) = init ) ) )
       => ! [B1,C1] :
            ( ( leq(0,B1) & leq(0,C1) & leq(B1,11) & leq(C1,11) )
           => ( ( pv109 != C1 & B1 = pv108 & leq(C1,pv109) )
             => a_select3(dminus_init,B1,C1) = init ) ) ) )).


Approach

Mantra: Only explain what has been declared significant!

  • No analysis of underlying (logical) formula structure

  • Use term labels to represent significant concepts

  • Use different label structures to explain different aspects

Three-stage process:

  • labeled Hoare-rules ⇒ introduce labels

  • labeled rewriting ⇒ maintain labels

  • rendering ⇒ turn labels into text


Structural Explanations

Assumption: VCs are of the form

Concept hierarchy:

  • Proposition

    • Hypothesis

      • Assertion

      • Invariant: Given Form, Exit Form

      • Precondition

      • Postcondition

      • Control Flow

        • Predicate: If (If-true, If-false), While (While-true, While-false)

        • Loop Bounds

    • Conclusion (Establish)

      • Assertion

      • Invariant: Base Form, Step Form

      • Precondition

      • Postcondition

  • Qualification

    • Substitution: Assignment (Scalar, Array)

  • Contribution

    • Invariant Preservation


Example Explanation (annotated)

The purpose of this VC is to show that the loop invariant at line 729 (#1) under the substitutions originating in line 5 and line 730 is still true after each iteration to line 731; it is also used to show the preservation of the loop invariants at line 728, which in turn is used to show the preservation of the loop invariants at line 683. Hence, given

- the loop bounds at line 728 under the substitution originating in line 5,

- the invariant at line 729 (#1) under the substitution originating in line 5,

- the invariant at line 729 (#2) under the substitution originating in line 5,

- the invariant at line 729 (#15) under the substitution originating in line 5,

- the loop bounds at line 729 under the substitution originating in line 5,

show that the loop invariant at line 729 (#1) under the substitutions originating in line 5 and line 730 is still true after each iteration to line 731.

Parts of the explanation, by concept:

  • Conclusion: establish invariant (step form)

  • Contribution: invariant preservation (twice – nested loops)

  • Hypotheses: control flow predicates and invariants

  • Qualifications: origin of substitutions

  • Boilerplate text
Boilerplate text


Labeled Hoare-Rules

Basic idea: modify rules to add “right” labels at “right” places

⇒ cannot be recovered “post hoc”

Notation: ⌈t⌉^l is a labeled term with label l; the label also includes the source location (ignored here).

(assign)

  ————————————————————————————
  ⌈Q[e/x]⌉^sub { x := e } Q

(if)

  P₁ { c₁ } Q        P₂ { c₂ } Q
  ———————————————————————————————————————————————————————————
  (⌈b⌉^if_tt ⇒ P₁) ∧ (⌈¬b⌉^if_ff ⇒ P₂) { if b then c₁ else c₂ } Q

(while)

  ⌈⌈I⌉^ass_inv ∧ ⌈b⌉^while_tt ⇒ P⌉^pres_inv        ⌈P { c } ⌈I⌉^est_inv_step⌉^pres_inv        ⌈I⌉^ass_inv_exit ∧ ⌈¬b⌉^while_ff ⇒ Q
  ———————————————————————————————————————————————————————————————————————————————————————
  ⌈I⌉^est_inv { while b inv I do c } Q



Labeled Rewrite Rules

Basic idea: dedicated set of rewrite rules to

  • remove redundant labels (i), (ii)

  • keep failure explanations (iii)

  • minimize scope of labels (iv)

  • encode specific behavior (v)

Example rules: (i) (ii) (iii) (iv) (v)


Rendering

Basic idea:

  • extract (structured) label from labeled term using〚•〛

  • traverse label

  • use templates to produce text for each label type

  • use auxiliary functions derived from concept structure

    • for control

    • to produce glue text

  • currently: overall structure hardcoded

    • could be changed by writing “smarter” template interpreter
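The three stages of the approach (labeled Hoare-rules, labeled rewriting, rendering), as an added worked example written for this page; it is not the authors' implementation. It is a miniature labeled VCG for a while-language with assignment and while-loops, a labeled rewriter that drops a label nested directly inside an identical one and minimizes label scope by pushing labels through conjunctions, a splitter that brings each VC to explanation normal form (one conclusion per VC), and a template renderer that produces text in the style of the explanations above. The class, function and label names, the template wording, the notation |f|^kind in comments and the sample program are all this example's own assumptions.

```python
import re
from collections import namedtuple
from functools import reduce

# Formulas: a str is an atom; And/Imp/Not are connectives; Label is a labeled term |f|^kind
# carrying the source line and (after rewriting) the index of the conjunct it belongs to.
And, Imp, Not = namedtuple("And", "l r"), namedtuple("Imp", "l r"), namedtuple("Not", "f")
Label = namedtuple("Label", "kind line f num", defaults=[0])
# Statements of a small while-language; every statement records its source line.
Assign, While = namedtuple("Assign", "x e line"), namedtuple("While", "b inv body line")

def conjuncts(f):
    return conjuncts(f.l) + conjuncts(f.r) if isinstance(f, And) else [f]

def subst(f, x, e, line):
    """Q[e/x]; an atom that mentions x is wrapped in a 'sub' label naming the assignment's line."""
    if isinstance(f, str):
        g = re.sub(rf"\b{x}\b", e if e.isalnum() else f"({e})", f)
        return Label("sub", line, g) if g != f else f
    if isinstance(f, Label): return Label(f.kind, f.line, subst(f.f, x, e, line), f.num)
    if isinstance(f, Not):   return Not(subst(f.f, x, e, line))
    return type(f)(subst(f.l, x, e, line), subst(f.r, x, e, line))

# Stage 1: labeled Hoare rules, run as a backwards wp-calculus that emits the side VCs of
# the (while) rule; the rule's P is instantiated as wp(c, I).
def wp(stmts, q, vcs):
    for s in reversed(stmts):
        if isinstance(s, Assign):
            q = subst(q, s.x, s.e, s.line)                        # (assign): |Q[e/x]|^sub
        else:
            i, ln = s.inv, s.line
            p = wp(s.body, Label("est_inv_step", ln, i), vcs)     # P {c} |I|^est_inv_step
            vcs.append(Label("pres_inv", ln, Imp(And(Label("ass_inv", ln, i), Label("while_tt", ln, s.b)), p)))
            vcs.append(Imp(And(Label("ass_inv_exit", ln, i), Label("while_ff", ln, Not(s.b))), q))
            q = Label("est_inv", ln, i)                           # |I|^est_inv {while b inv I do c} Q
    return q

def verify(pre, pre_line, stmts, post, post_line):
    """All VCs of {pre} stmts {post}: generated, rewritten and brought to explanation normal form."""
    vcs = []
    q = wp(stmts, Label("est_post", post_line, post), vcs)
    vcs.append(Imp(Label("ass_pre", pre_line, pre), q))
    return [v for vc in vcs for v in split(rewrite(vc))]

# Stage 2: labeled rewriting: drop a label nested directly inside an identical one (redundant),
# and push a label over a conjunction so each conjunct carries its own numbered copy (minimal scope).
def rewrite(f):
    if isinstance(f, str): return f
    if isinstance(f, Not): return Not(rewrite(f.f))
    if not isinstance(f, Label): return type(f)(rewrite(f.l), rewrite(f.r))
    g = rewrite(f.f)
    if isinstance(g, Label) and (g.kind, g.line) == (f.kind, f.line): return g
    if isinstance(g, And):
        return reduce(And, [Label(f.kind, f.line, c, n) for n, c in enumerate(conjuncts(g), 1)])
    return Label(f.kind, f.line, g, f.num)

def split(vc):  # explanation normal form: one conclusion per VC
    if isinstance(vc, Label): return [Label(vc.kind, vc.line, v) for v in split(vc.f)]
    if isinstance(vc.r, And): return split(Imp(vc.l, vc.r.l)) + split(Imp(vc.l, vc.r.r))
    return [vc]

# Stage 3: rendering, one text template per label type plus boilerplate glue text.
TEMPLATES = {
    "ass_pre": "the precondition at line {line}{num}{sub}",
    "ass_inv": "the invariant at line {line}{num}{sub}",
    "ass_inv_exit": "the invariant at line {line}{num}{sub} on loop exit",
    "while_tt": "the loop condition at line {line}{sub}",
    "while_ff": "the negated loop condition at line {line}{sub}",
    "est_inv": "the loop invariant at line {line}{num}{sub} holds on loop entry",
    "est_inv_step": "the loop invariant at line {line}{num}{sub} is still true after each iteration",
    "est_post": "the postcondition at line {line}{num}{sub} holds",
}

def phrase(f):
    """Render one labeled hypothesis or conclusion; nested 'sub' labels become a qualification."""
    labels = []
    while isinstance(f, Label):
        labels.append(f); f = f.f
    head = next(l for l in labels if l.kind != "sub")
    subs = [f"line {l.line}" for l in sorted((l for l in labels if l.kind == "sub"), key=lambda l: l.line)]
    sub = (f" under the substitution originating in {subs[0]}" if len(subs) == 1 else
           f" under the substitutions originating in {', '.join(subs[:-1])} and {subs[-1]}" if subs else "")
    return TEMPLATES[head.kind].format(line=head.line, num=f" (#{head.num})" if head.num else "", sub=sub)

def explain(vc):
    contrib = []
    while isinstance(vc, Label):                   # contribution labels wrap the whole VC
        contrib.append(vc); vc = vc.f
    hyps, concl = conjuncts(vc.l), phrase(vc.r)
    text = f"The purpose of this VC is to show that {concl}"
    for c in contrib:
        text += f"; it is also used to show the preservation of the loop invariant at line {c.line}"
    return text + ". Hence, given\n" + "".join(f"- {phrase(h)},\n" for h in hyps) + f"show that {concl}."

# Constructed sample program (the numbers are the source lines the labels refer to):
#   0: { n >= 0 }  1: s := 0  2: i := 0  3: while i < n inv (i <= n /\ s == i * 2) do
#   4:   s := s + 2  5:   i := i + 1  6: { s == n * 2 }
PROGRAM = (Assign("s", "0", 1), Assign("i", "0", 2),
           While("i < n", And("i <= n", "s == i * 2"), (Assign("s", "s + 2", 4), Assign("i", "i + 1", 5)), 3))
VCS = verify("n >= 0", 0, PROGRAM, "s == n * 2", 6)

if __name__ == "__main__":
    print("\n\n".join(map(explain, VCS)))
```

Running the block prints five explanations: two invariant-preservation VCs (one per conjunct of the invariant, each wrapped in a pres_inv contribution label, the second qualified by the substitutions from lines 4 and 5), one postcondition VC, and two loop-entry VCs. The renderer never inspects the formulas themselves, only the labels, which is the "explain only what has been declared significant" mantra in code.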


Meta-Labels

Assumption: VCs are of the form

(and H / C are simple literals)

… doesn’t always hold: existential quantifiers introduce scope

  • simultaneous conclusions (introduced at ∃d : DCM)

  • local assumptions (introduced at ∃q : quat)

  • need meta-labels to reflect scope

  • + more boiler-plate text

  • + more labeled rewrite rules, e.g.,


Meta-Labels - Explanation

… Hence, given

- the precondition at line 728 (#1),

- the condition at line 798 under the substitution originating in line 794,

show that there exists a DCM that will simultaneously

- establish the function precondition for the call at line 799 (#1),

- establish the function precondition for the call at line 799 (#2),

- establish the function precondition for the call at line 799 (#3) under the substitution originating in line 794,

- establish the postcondition at line 815 (#1), assuming the function postcondition for the call at line 799 (#1).


Loop Index Information

Problem: for-loop explanations are generic

Solution: introduce qualifiers to for-loop labels

  • added by VCG: est_inv(l:=0..N-1), ass_inv_exit(l:=0..N-1), …

  • never moved over base label

  • can be rendered relative to base label

Generic: The purpose of this VC is to show that the loop invariant at line 729 (#1) under the substitutions originating in line 5 and line 730 is still true after each iteration to line 731; …

With qualifier: The purpose of this VC is to show that the loop invariant at line 729 (#1) under the substitutions originating in line 5 and line 730 is still true after each iteration to line 731 (i.e., in the form with l+1 replacing l); …


Domain-Specific Explanations

Problem: all explanations are generic

… Hence, given

- the loop bounds at line 728 under the substitution originating in line 5,

- the invariant at line 729 (#1) under the substitution originating in line 5,

- the invariant at line 729 (#11) under the substitution originating in line 5,

- the invariant at line 729 (#15) under the substitution originating in line 5,

- the loop bounds at line 729 under the substitution originating in line 5,

show that the loop invariant at line 729 (#1) under the substitutions originating in line 5 and line 730 is still true after each iteration to line 731.


Domain-Specific Explanations

Problem: all explanations are generic

Solution: introduce domain-specific qualifiers

  • added by user to annotations

    • init(a,o) array a is fully initialized after line o

    • init_upto(a,k,l) array a is partially initialized (row-major) up to position (k,l)

  • woven in by VCG via modified assert-rule


Domain-Specific Explanations

… Hence, given

- the loop bounds at line 728 under the substitution originating in line 5,

- the invariant at line 729 (#1) (i.e., the array h is fully initialized, which is established at line 183) under the substitution originating in line 5,

- the invariant at line 729 (#11) (i.e., the array r is fully initialized, which is established at line 183) under the substitution originating in line 5,

- the invariant at line 729 (#15) under the substitution originating in line 5,

- the loop bounds at line 729 under the substitution originating in line 5,

show that the loop invariant at line 729 (#1) under the substitutions originating in line 5 and line 730 is still true after each iteration to line 731 (i.e., the array u is initialized up to position (k,l)).

Note: the invariant at line 729 (#15) remains unrefined – no qualifier.


Conclusions & Future Work

  • flexible mechanism to generate natural-language explanations

  • implemented

  • used to explain VCs for automatically generated code

  • need more theory

    • explanation normal form: each VC has a unique conclusion

    • proofs that (Hoare- and rewrite) rules respect ENF

  • need better implementation

    • generic template interpreter

    • more application examples
