WLP for Automated Testing (Wishnu Prasetya, [email protected])

Uploaded by lenard-owen, 03-Jan-2016.

Course on Program Verification

Wishnu Prasetya

[email protected]  /docs/vakken/pv

WLP for Automated Testing

Testing problem

    tax(rate, income | tax) {
      if (income ≤ 10000) tax := 0 ;
      if (income ≤ 20000) tax := income / rate.low ;
      tax := tax + income / rate.high ;
    }

Give test cases that would cover all 4 paths in the above program.

Observation: any input satisfying the wlp of a post-condition Q specifies a test case that leads to a terminal state satisfying Q.

Idea: use Q to specify the target path.

Wedge

A wedge is a finite path of primitive (non-composite) statements in the program, starting from the program's start, in which every guard condition is replaced by the corresponding assert.

The concept is from Tomb & Flanagan, Detecting Inconsistencies via Universal Reachability Analysis, ISSTA 2012. They use assume; for our purpose we need to turn the guards into asserts instead.

We can use wedges to re-express a coverage problem (e.g. cover this spot, or cover this path). Then we calculate the wlp of each wedge.

Wedge & coverage

    tax(rate, income | tax) {
      if (income ≤ 10000) tax := 0 ;
      if (income ≤ 20000) tax := income / rate.low ;
      tax := tax + income / rate.high ;
    }

The slide marks one spot of this program with "cover this". A wedge covering it:

    assert income ≤ 10000 ; tax := 0 ; assert income ≤ 20000

A wedge covering it without passing the second guard (infeasible: income ≤ 10000 and income > 20000 contradict each other):

    assert income ≤ 10000 ; tax := 0 ; assert income > 20000

wlp of a wedge

Let the target be a path in the CFG of Pr(x) that we want to cover. Let w(x) be a wedge such that any execution of w is also an execution of Pr that covers the target path.

Calculate p = wlp w true.

Check the satisfiability of p; a witness is basically an instance of the input x of Pr that covers the target path.

Covering by solving wlp

    if (x>9) {
      x := x+y ;
      if (x+y<0) {
        y := 0 ;
        if (x<8) { cover-this ... }
      }
    }

A wedge to cover it:

    assert x>9 ; x := x+y ; assert x+y < 0 ; y := 0 ; assert x<8

wlp: x>9 /\ x+2y<0 /\ x+y<8

Concolic approach

Problems: a long wedge has more constraints, so its wlp may be difficult for your theorem prover to solve. And what to do with loops?

Combine concrete and symbolic calculation to incrementally solve the wedge. Imagine the wedge:

    w(x,y) = assert p1 ; x := x+y ; assert p2 ; y := 0 ; assert p3

wlp: p = p1 /\ p2[x+y/x] /\ p3[0/y][x+y/x]

(Speaker note: if the program to test is large, covering a certain spot may require a quite long wedge.)

Execute w, e.g. w(0,9). Suppose this manages to pass the guards p1 and p2 but fails on p3.

Try to solve p[0/x] or p[9/y] instead. This at least simplifies the formula to solve; it does not necessarily lead to a solution.

Wedge passing a loop

Consider:

    while g do S ; if h then { cover this } ...

A wedge to cover this has to do some iterations of S. How many iterations? Arbitrarily choosing k iterations may produce a wedge that is infeasible.

Concolic: run a concrete execution; suppose it iterates n times but fails to pass h. At least we know that iterating n times is feasible. Construct a wedge with n unfoldings and solve it. If it is infeasible, try a different concrete run.