Explaining Verification Conditions
Ewen Denney, USRA/RIACS, NASA Ames
Bernd Fischer, University of Southampton
Hoare-style program verification
Two-stage process:
• Verification condition generator (VCG)
  – applies rules of Hoare-calculus to annotated program
  – produces set of verification conditions (VCs)
• Automated theorem prover (ATP)
  – tries to discharge VCs
⇒ separates decidable VCG from undecidable ATP
  – but also separates VCs from program
⇒ what to do in case of ATP failure? doubt? curiosity?
  – wide variety of potential causes: resources, axioms, real errors
  – user confronted only with failed VC
⇒ need natural-language explanations
Example Explanation
The purpose of this VC is to show that the loop invariant at line 729 (#1) under the substitutions originating in line 5 and line 730 is still true after each iteration to line 731; it is also used to show the preservation of the loop invariants at line 728, which in turn is used to show the preservation of the loop invariants at line 683. Hence, given
- the loop bounds at line 728 under the substitution originating in line 5,
- the invariant at line 729 (#1) under the substitution originating in line 5,
- the invariant at line 729 (#2) under the substitution originating in line 5,
…
- the invariant at line 729 (#15) under the substitution originating in line 5,
- the loop bounds at line 729 under the substitution originating in line 5,
show that the loop invariant at line 729 (#1) under the substitutions originating in line 5 and line 730 is still true after each iteration to line 731.
Example VC (the same VC in TPTP syntax, as handed to the ATP)
fof(twobody_vel_j2_bias_bierman_init_0036,conjecture, ( ( hi(dminus,0) = 11 & hi(dminus,1) = 11 & hi(h,0) = 5 & hi(h,1) = 11 & hi(id,0) = 11 & hi(id,1) = 11 & hi(phi,0) = 11 & hi(phi,1) = 11 & hi(pminus,0) = 11 & hi(pminus,1) = 11 & hi(pplus,0) = 11 & hi(pplus,1) = 11 & hi(q,0) = 11 & hi(q,0) = 11 & hi(q,1) = 11 & hi(r,0) = 5 & hi(r,0) = 5 & hi(r,1) = 5 & hi(uminus,0) = 11 & hi(uminus,1) = 11 & hi(v1,0) = 11 & hi(v1,1) = 0 & hi(w,0) = 11 & hi(w,1) = 0 & hi(x,0) = 11 & hi(x_init_cov,0) = 11 & hi(xdot,0) = 11 & hi(xdot,1) = 0 & hi(xhat1,0) = 11 & hi(xhat1,1) = 0 & hi(xhat,0) = 11 & hi(xhat,1) = pred(n_steps) & hi(xhatmin,0) = 11 & hi(xhatmin,1) = 0 & hi(z,0) = 5 & hi(z,1) = pred(n_steps) & hi(zhat,0) = 5 & hi(zhat,1) = 0 & hi(zpred,0) = 5 & hi(zpred,1) = 0 & lo(dminus,0) = 0 & lo(dminus,1) = 0 & lo(h,0) = 0 & lo(h,1) = 0 & lo(id,0) = 0 & lo(id,1) = 0 & lo(phi,0) = 0 & lo(phi,1) = 0 & lo(pminus,0) = 0 & lo(pminus,1) = 0 & lo(pplus,0) = 0 & lo(pplus,1) = 0 & lo(q,0) = 0 & lo(q,0) = 0 & lo(q,1) = 0 & lo(r,0) = 0 & lo(r,0) = 0 & lo(r,1) = 0 & lo(uminus,0) = 0 & lo(uminus,1) = 0
& lo(v1,0) = 0 & lo(v1,1) = 0 & lo(w,0) = 0 & lo(w,1) = 0 & lo(x,0) = 0 & lo(x_init_cov,0) = 0 & lo(xdot,0) = 0 & lo(xdot,1) = 0 & lo(xhat1,0) = 0 & lo(xhat1,1) = 0 & lo(xhat,0) = 0 & lo(xhat,1) = 0 & lo(xhatmin,0) = 0 & lo(xhatmin,1) = 0 & lo(z,0) = 0 & lo(z,1) = 0 & lo(zhat,0) = 0 & lo(zhat,1) = 0 & lo(zpred,0) = 0 & lo(zpred,1) = 0 ) => ! [A] : ( ( leq(0,pv5) & leq(0,pv108) & leq(0,pv109) & leq(pv108,11) & leq(pv109,11) & gt(A,pv5) & ! [D,E] : ( ( leq(0,D) & leq(0,E) & leq(D,5) & leq(E,0) ) => a_select3(zpred_init,D,E) = init ) & ! [F,G] : ( ( leq(0,F) & leq(0,G) & leq(F,5) & leq(G,0) ) => a_select3(zhat_init,F,G) = init ) & ! [H,I] : ( ( leq(0,H) & leq(0,I) & leq(H,11) & leq(I,0) ) => a_select3(xhatmin_init,H,I) = init ) & ! [J,K] : ( ( leq(0,J) & leq(0,K) & leq(J,11) & leq(K,11) ) => ( ( J = pv108 & gt(pv109,K) ) => a_select3(uminus_init,J,K) = init ) ) & ! [L,M] : ( ( leq(0,L) & leq(0,M) & leq(L,11) & leq(M,11) ) => ( gt(pv108,L) => a_select3(uminus_init,L,M) = init ) )
& ! [N,O] : ( ( leq(0,N) & leq(0,O) & leq(N,5) & leq(O,5) ) => a_select3(r_init,N,O) = init ) & ! [P,Q] : ( ( leq(0,P) & leq(0,Q) & leq(P,11) & leq(Q,11) ) => a_select3(q_init,P,Q) = init ) & ! [R,S] : ( ( leq(0,R) & leq(0,S) & leq(R,11) & leq(S,11) ) => a_select3(pminus_init,R,S) = init ) & ! [T,U] : ( ( leq(0,T) & leq(0,U) & leq(T,11) & leq(U,11) ) => a_select3(phi_init,T,U) = init ) & ! [V,W] : ( ( leq(0,V) & leq(0,W) & leq(V,5) & leq(W,11) ) => a_select3(h_init,V,W) = init ) & ! [X,Y] : ( ( leq(0,X) & leq(0,Y) & leq(X,11) & leq(Y,11) ) => ( ( X = pv108 & gt(pv109,Y) ) => a_select3(dminus_init,X,Y) = init ) ) & ! [Z,A1] : ( ( leq(0,Z) & leq(0,A1) & leq(Z,11) & leq(A1,11) ) => ( gt(pv108,Z) => a_select3(dminus_init,Z,A1) = init ) ) ) => ! [B1,C1] : ( ( leq(0,B1) & leq(0,C1) & leq(B1,11) & leq(C1,11) ) => ( ( pv109 != C1 & B1 = pv108 & leq(C1,pv109) ) => a_select3(dminus_init,B1,C1) = init ) ) ) )).
Approach
Mantra: Only explain what has been declared significant!
⇒ No analysis of underlying (logical) formula structure
⇒ Use term labels to represent significant concepts
⇒ Use different label structures to explain different aspects
Three-stage process:
• labeled Hoare-rules ⇒ introduce labels
• labeled rewriting ⇒ maintain labels
• rendering ⇒ turn labels into text
Structural Explanations
Assumption: VCs are of the form
Concept hierarchy (each label type is one of these concepts):
• Proposition
  – Hypothesis
    · Assertion: Precondition, Postcondition, Invariant (Given Form, Exit Form)
    · Control Flow Predicate: Loop Bounds, If (If-true, If-false), While (While-true, While-false)
  – Conclusion
    · Establish Assertion: Precondition, Postcondition, Invariant (Base Form, Step Form)
• Qualification
  – Substitution: Assignment (Scalar, Array)
• Contribution
  – Invariant Preservation
Example Explanation (read concept by concept)
The purpose of this VC is to show that the loop invariant at line 729 (#1) under the substitutions originating in line 5 and line 730 is still true after each iteration to line 731; it is also used to show the preservation of the loop invariants at line 728, which in turn is used to show the preservation of the loop invariants at line 683. Hence, given
- the loop bounds at line 728 under the substitution originating in line 5,
- the invariant at line 729 (#1) under the substitution originating in line 5,
- the invariant at line 729 (#2) under the substitution originating in line 5,
…
- the invariant at line 729 (#15) under the substitution originating in line 5,
- the loop bounds at line 729 under the substitution originating in line 5,
show that the loop invariant at line 729 (#1) under the substitutions originating in line 5 and line 730 is still true after each iteration to line 731.
The same explanation, highlighted one concept at a time on successive slides:
• Conclusion: establish invariant (step form) – “the loop invariant at line 729 (#1) … is still true after each iteration to line 731”
• Contribution: invariant preservation (twice – nested loops) – “it is also used to show the preservation of the loop invariants at line 728, which in turn … at line 683”
• Hypotheses: control flow predicates (loop bounds) and invariants – the items of the “given” list
• Qualifications: origin of substitutions – “under the substitution(s) originating in line …”
• Boilerplate text – “The purpose of this VC is to show that …”, “Hence, given …”, “show that …”
Labeled Hoare-Rules
Basic idea: modify rules to add “right” labels at “right” places
⇒ cannot be recovered “post hoc”
Notation: ┌ ┐ with a subscript (e.g. ┌ ┐pres_inv) marks a labeled term; the label also includes the source location (ignored here).

(assign)
  Q[e/x] { x := e } Q
  label introduced: sub (on the substituted precondition Q[e/x])

(if)
  P₁ { c₁ } Q      P₂ { c₂ } Q
  ————————————————————————————————————————
  (b ⇒ P₁) ∧ (¬b ⇒ P₂) { if b then c₁ else c₂ } Q
  labels introduced: if_tt (on b), if_ff (on ¬b)

(while)
  P { c } I      I ∧ b ⇒ P      I ∧ ¬b ⇒ Q
  ————————————————————————————————————————
  I { while b inv I do c } Q
  labels introduced: est_inv (on I in the conclusion), est_inv_step (on I as established by the body, P { c } I), ass_inv and while_tt (on I and b in I ∧ b ⇒ P), ass_inv_exit and while_ff (on I and ¬b in I ∧ ¬b ⇒ Q), pres_inv (on the premise I ∧ b ⇒ P as a whole)
Labeled Rewrite Rules
Basic idea: dedicated set of rewrite rules to
• remove redundant labels (i), (ii)
• keep failure explanations (iii)
• minimize scope of labels (iv)
• encode specific behavior (v)
Example rules:
(i)
(ii)
(iii)
(iv)
(v)
Rendering
Basic idea:
• extract (structured) label from labeled term using •〚 〛
• traverse label
• use templates to produce text for each label type
• use auxiliary functions derived from concept structure
  – for control
  – to produce glue text
• currently: overall structure hardcoded
  – could be changed by writing “smarter” template interpreter
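The three stages above (labeled Hoare-rules, labeled rewriting, rendering) as one worked example in Python. This is an added illustration, not the authors' tool: the toy while-language, the exact placement of the labels in the while-rule, the single rewrite rule and the template wording are my own reading of the slides, and `init_upto`, `upd` and `init` are just opaque formula text. Following the mantra, the renderer never looks at the formulas, only at the label chains (`sub*` qualifications around a base label, `pres_inv` contributions around the implication).

```python
import re
from dataclasses import dataclass
from typing import Any

# Labeled term: a concept tag (est_inv, while_tt, sub, pres_inv, ...) plus the source line
# the label originates from, wrapped around a formula. Formulas are opaque strings.
@dataclass(frozen=True)
class Lab: tag: str; line: int; body: Any
@dataclass(frozen=True)
class Imp: hyps: tuple; concl: Any          # assumed VC shape: H1 ∧ ... ∧ Hn ⇒ C
# Toy while-language, constructed for this example.
@dataclass(frozen=True)
class Assign: x: str; e: str; line: int
@dataclass(frozen=True)
class Seq: first: Any; second: Any
@dataclass(frozen=True)
class While: cond: str; inv: str; body: Any; line: int

def subst(f, x, e, line):
    """Q[e/x] for rule (assign). A 'sub' qualification is added only when x really occurs
    (rule (v), specific behaviour) and is hoisted outside the base label: chain = sub*, base."""
    if isinstance(f, Lab):
        inner = subst(f.body, x, e, line)
        if isinstance(inner, Lab) and inner.tag == "sub":
            return Lab("sub", line, Lab(f.tag, f.line, inner.body))
        return Lab(f.tag, f.line, inner)
    new = re.sub(rf"\b{re.escape(x)}\b", f"({e})", f)
    return f if new == f else Lab("sub", line, new)

def wp(c, q, vcs):
    """Labeled weakest precondition; side VCs are appended to vcs."""
    if isinstance(c, Assign):
        return subst(q, c.x, c.e, c.line)
    if isinstance(c, Seq):
        return wp(c.first, wp(c.second, q, vcs), vcs)
    if isinstance(c, While):                                   # rule (while)
        inner = []
        step = Imp((Lab("ass_inv", c.line, c.inv), Lab("while_tt", c.line, c.cond)),
                   wp(c.body, Lab("est_inv_step", c.line, c.inv), inner))
        # VCs raised inside the body also contribute to preserving this loop's invariant,
        # so nested loops stack one pres_inv label per enclosing loop.
        vcs.extend(Lab("pres_inv", c.line, v) for v in inner + [step])
        vcs.append(Imp((Lab("ass_inv_exit", c.line, c.inv),
                        Lab("while_ff", c.line, f"not ({c.cond})")), q))
        return Lab("est_inv", c.line, c.inv)
    raise TypeError(f"unknown statement {c!r}")

def simplify(f):
    """Labeled rewrite rule (i): a label repeating the label directly inside it is redundant."""
    if isinstance(f, Lab):
        body = simplify(f.body)
        if isinstance(body, Lab) and (body.tag, body.line) == (f.tag, f.line):
            return body
        return Lab(f.tag, f.line, body)
    if isinstance(f, Imp):
        return Imp(tuple(simplify(h) for h in f.hyps), simplify(f.concl))
    return f

def peel(f):                           # label chain (outermost first) and underlying formula
    labs = []
    while isinstance(f, Lab):
        labs.append((f.tag, f.line)); f = f.body
    return labs, f

# Rendering templates keyed by label tag; the logical formula itself is never inspected.
NOUN = {"pre": "the precondition at line {l}", "post": "the postcondition at line {l}",
        "ass_inv": "the invariant at line {l}", "ass_inv_exit": "the invariant at line {l} on loop exit",
        "while_tt": "the loop condition at line {l}", "while_ff": "the negated loop condition at line {l}",
        "est_inv": "the loop invariant at line {l}", "est_inv_step": "the loop invariant at line {l}"}
GOAL = {"est_inv": "{n} holds on loop entry", "est_inv_step": "{n} is still true after each iteration"}

def phrase(f):
    """Text for one hypothesis or conclusion: base concept plus its 'sub' qualifications."""
    labs, core = peel(f)
    subs = [l for t, l in labs if t == "sub"]
    tag, line = ([(t, l) for t, l in labs if t != "sub"] or [(None, 0)])[0]
    text = NOUN[tag].format(l=line) if tag in NOUN else str(core)
    if subs:
        text += " under the substitution%s originating in %s" % (
            "s" if len(subs) > 1 else "", " and ".join(f"line {l}" for l in subs))
    return tag, text

def explain(vc):                       # boilerplate + contributions + hypotheses + conclusion
    contrib, core = peel(vc)           # contribution labels sit outside the implication
    tag, noun = phrase(core.concl)
    goal = GOAL.get(tag, "{n} holds").format(n=noun)
    out = f"The purpose of this VC is to show that {goal}"
    for i, l in enumerate(l for t, l in reversed(contrib) if t == "pres_inv"):
        out += ("; it is also used" if i == 0 else ", which in turn is used") + \
               f" to show the preservation of the loop invariant at line {l}"
    out += ". Hence, given" + "".join(f"\n- {phrase(h)[1]}," for h in core.hyps)
    return out + f"\nshow that {goal}."

def generate(pre_line, pre, prog, post_line, post):
    vcs = []
    entry = Imp((Lab("pre", pre_line, pre),), wp(prog, Lab("post", post_line, post), vcs))
    return [simplify(v) for v in [entry] + vcs]

# Constructed program (line numbers in comments): nested loops initialising a 2-D array.
PROG = Seq(Assign("k", "0", 2),                                            # 2: k := 0
    While(cond="k < n", inv="init_upto(u, k, 0)", line=3, body=            # 3: while k < n
        Seq(Assign("l", "0", 4),                                           # 4:   l := 0
        Seq(While(cond="l < m", inv="init_upto(u, k, l)", line=5, body=    # 5:   while l < m
                Seq(Assign("u", "upd(u, k, l, 0)", 6),                     # 6:     u[k,l] := 0
                    Assign("l", "l + 1", 7))),                             # 7:     l := l + 1
            Assign("k", "k + 1", 8)))))                                    # 8:   k := k + 1
VCS = generate(1, "n >= 0 and m >= 0", PROG, 9, "init(u)")   # pre at line 1, post at line 9
```

Calling `explain(VCS[1])` renders the inner loop's step VC as "The purpose of this VC is to show that the loop invariant at line 5 under the substitutions originating in line 6 and line 7 is still true after each iteration; it is also used to show the preservation of the loop invariant at line 5, which in turn is used to show the preservation of the loop invariant at line 3. Hence, given …", i.e. the same structure as the slide's example: conclusion in step form, two nested contributions, control-flow and invariant hypotheses, and substitution qualifications, all taken from labels rather than from the formula.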
Meta-Labels
Assumption: VCs are of the form
(and H / C are simple literals)
… doesn’t always hold: existential quantifiers introduce scope
• simultaneous conclusions (introduced at ∃d : DCM)
• local assumptions (introduced at ∃q : quat)
⇒ need meta-labels to reflect scope
+ more boiler-plate text
+ more labeled rewrite rules, e.g.,
Meta-Labels - Explanation
… Hence, given
- the precondition at line 728 (#1),
- the condition at line 798 under the substitution originating in line 794,
show that there exists a DCM that will simultaneously
- establish the function precondition for the call at line 799 (#1),
- establish the function precondition for the call at line 799 (#2),
- establish the function precondition for the call at line 799 (#3) under the substitution originating in line 794,
- establish the postcondition at line 815 (#1), assuming the function postcondition for the call at line 799 (#1).
Loop Index Information
Problem: for-loop explanations are generic
Solution: introduce qualifiers to for-loop labels
• added by VCG: est_inv(l:=0..N-1), ass_inv_exit(l:=0..N-1), …
• never moved over base label
• can be rendered relative to base label
Before:
The purpose of this VC is to show that the loop invariant at line 729 (#1) under the substitutions originating in line 5 and line 730 is still true after each iteration to line 731; …
After:
The purpose of this VC is to show that the loop invariant at line 729 (#1) under the substitutions originating in line 5 and line 730 is still true after each iteration to line 731 (i.e., in the form with l+1 replacing l); …
Domain-Specific Explanations
Problem: all explanations are generic
… Hence, given
- the loop bounds at line 728 under the substitution originating in line 5,
- the invariant at line 729 (#1) under the substitution originating in line 5,
…
- the invariant at line 729 (#11) under the substitution originating in line 5,
…
- the invariant at line 729 (#15) under the substitution originating in line 5,
- the loop bounds at line 729 under the substitution originating in line 5,
show that the loop invariant at line 729 (#1) under the substitutions originating in line 5 and line 730 is still true after each iteration to line 731.
Domain-Specific Explanations
Problem: all explanations are generic
Solution: introduce domain-specific qualifiers
• added by user to annotations
  – init(a,o): array a is fully initialized after line o
  – init_upto(a,k,l): array a is partially initialized (row-major) up to position (k,l)
• woven in by VCG via modified assert-rule
Domain-Specific Explanations
… Hence, given
- the loop bounds at line 728 under the substitution originating in line 5,
- the invariant at line 729 (#1) (i.e., the array h is fully initialized, which is established at line 183) under the substitution originating in line 5,
…
- the invariant at line 729 (#11) (i.e., the array r is fully initialized, which is established at line 183) under the substitution originating in line 5,
…
- the invariant at line 729 (#15) under the substitution originating in line 5, (remains unrefined – no qualifier)
- the loop bounds at line 729 under the substitution originating in line 5,
show that the loop invariant at line 729 (#1) under the substitutions originating in line 5 and line 730 is still true after each iteration to line 731 (i.e., the array u is initialized up to position (k,l)).
Conclusions & Future Work
• flexible mechanism to generate natural-language explanations
• implemented
• used to explain VCs for automatically generated code
• need more theory
  – explanation normal form: each VC has a unique conclusion
  – proofs that (Hoare- and rewrite) rules respect ENF
• need better implementation
  – generic template interpreter
  – more application examples
Extras
Example Program Fragment
Example VC
Complete Rules for Safety Certification