A Weakest Precondition Calculus for Programs and Linear Temporal Specifications

Auto-active program verification rests on the ability to effectively the translation from annotated programs into verification conditions that are then discharged by automated theorem provers in the background. Characteristic such tools, e.g., Why3, Dafny, and Viper, is that this process does not involve user interaction, expecting all guiding hints like invariants to be given upfront. For sequential correctness, this paradigm is well established, thanks to approaches like weakest precondition generation and symbolic execution. However, to capture temporal properties, the specification language of choice for a broader system perspective, additional concerns and challenges are introduced into the translation and proof. Approaches based on symbolic model-checking can verify such properties on system models, e.g., using automata constructions. However, ascribing temporal properties to structured and data-intensive programs is more difficult. Several program calculi have been proposed in the literature, each of which on their own falls short in some regard of supporting an auto-active workflow. However, all essential ideas, while perhaps some are not widely acknowledged, are in fact found in the literature. In this paper, we demonstrate how to assemble these ideas into a weakest-precondition calculus for linear temporal properties and demonstrate it with examples.

💡 Research Summary

The paper addresses a gap in modern auto‑active verification tools such as Why3, Dafny, and Viper: while these systems excel at generating verification conditions (VCs) for sequential, state‑based contracts, they lack seamless support for linear temporal logic (LTL) specifications that describe properties over infinite execution traces. The authors propose a weakest‑precondition (wp) calculus that directly integrates LTL guarantees into the auto‑active workflow, enabling the automatic generation of VCs that can be discharged by off‑the‑shelf theorem provers without additional user interaction beyond the usual invariant annotations.

The work begins with a concise motivation and a survey of related literature. It highlights that classic Hoare logic handles sequential composition via an intermediate assertion, but this approach does not scale to temporal properties because the “intermediate” must now be a temporal formula. Prior attempts—TLA⁺ encoding, Nakata‑Uustalu’s infinite‑trace Hoare rules, Gurov‑Hähnle’s finite‑trace calculus, Beckert‑Bruns’s dynamic‑logic‑style wp, and RGITL’s inductive/co‑inductive reasoning—each contribute useful ideas but fall short of a ready‑to‑use auto‑active pipeline. The authors argue that the missing piece is a syntactic, compositional wp operator that works uniformly for program constructs and temporal formulas.

In the technical core, the paper defines a small imperative language with atomic actions, sequential composition, nondeterministic choice, and Kleene‑star iteration. The assertion language consists of state predicates (p) and LTL operators (next ◦, always □, eventually ♢, until U, weak‑until W, etc.). To bridge the gap between finite program steps and infinite traces, the authors introduce continuations κ, which are either pure temporal formulas or a command followed by another continuation (c;κ). The wp operator is defined as wp(κ, ψ) ≜ (κ ⇒ ψ), and a set of syntax‑directed rules systematically rewrites any wp expression into a pure LTL formula.

Key rules include:

• Non‑deterministic choice – wp((c₁ ⊔ c₂);κ, ψ) ≜ wp(c₁;κ, ψ) ∧ wp(c₂;κ, ψ).
• Sequential composition – wp((c₁ ; c₂);κ, ψ) ≜ wp(c₁; (c₂;κ), ψ), thereby pushing the outer command inward.
• Atomic actions – wp(a;κ, ◦φ) ≜ wp(a, wp(κ, φ)), exploiting the fact that the guarantee does not depend on the current state.
• Logical distribution – wp distributes over ∧, ∨, ⇒, and over state predicates when the continuation is not false.

Temporal operators are handled via classic fixed‑point characterizations. The authors adopt the least‑fixed‑point µ for eventually (♢) and the greatest‑fixed‑point ν for always (□), but they rewrite these using the “R+” and “W+” operators introduced by Beckert and Bruns: ♢φ = µω. φ ∨ ◦ω becomes φ R + ω, and □φ = νω. φ ∧ ◦ω becomes φ W + ω. This reformulation makes it easier to align temporal unfolding with loop bodies.

Induction (for µ) and co‑induction (for ν) are expressed by rules (6)–(8). The paper emphasizes a uniform co‑induction rule that adds an extra assumption, enabling nested proofs such as □ ♢ φ, which require an outer co‑inductive argument (□) and an inner inductive argument (♢). The authors also discuss how to embed well‑founded measures (decreases clauses) and auxiliary variables into the wp calculus for loops, following the template of Gurov‑Hähnle’s ω‑skolem constant and Beckert‑Bruns’s progress operator.

The calculus is formalized in Isabelle/HOL, and a prototype implementation is provided as an embedded domain‑specific language (DSL) in Scala. The implementation translates annotated programs into pure LTL formulas, which can be fed to any SMT‑based or specialized LTL model‑checking prover. The authors present several illustrative examples that combine sequential composition, nondeterministic choice, and loops with safety (□) and liveness (♢) guarantees, demonstrating that the wp calculus yields concise verification conditions without manual history variables.

Strengths of the work include:

• A clear, compositional wp calculus that respects the syntax of both programs and LTL.
• Integration of induction/co‑induction principles that support nested temporal specifications.
• Minimal reliance on user‑provided auxiliary constructs; the calculus itself generates the necessary intermediate temporal assertions.
• A concrete implementation and formalization that prove feasibility.

Limitations and open issues are also acknowledged:

• The approach is confined to linear temporal logic; branching‑time logics (CTL, μ‑calculus) are not addressed.
• The calculus assumes that users supply appropriate loop invariants, decreases measures, and any needed auxiliary variables; automatic inference of these is not tackled.
• No empirical evaluation on large‑scale case studies is presented, leaving performance and scalability questions open.
• Integration with mainstream auto‑active tools remains prototype‑level; the DSL is separate from Why3/Dafny pipelines.

The paper concludes by outlining future work: extending the calculus to richer temporal logics, automating the synthesis of well‑founded measures, building tool adapters for existing verification ecosystems, and conducting extensive benchmarks. All artifacts are deposited on Zenodo, ensuring reproducibility. Overall, the contribution is a well‑structured synthesis of existing ideas into a practical wp framework for LTL, paving the way for more expressive auto‑active verification.