Long H. Pham,Jun Sun,Ly,Jingyi Wang,Xin Peng

DOI: https://doi.org/10.1109/iceccs.2017.12

2017-01-01

Abstract:Debugging is difficult. Recent studies show that automatic bug localization techniques have limited usefulness. One of the reasons is that programmers typically have to understand why the program fails before fixing it. In this work, we aim to help programmers understand a bug by automatically generating likely invariants which are violated in the failed tests. Given a program with an initial assertion and at least one test case failing the assertion, we first generate random test cases, identify potential bug locations through bug localization, and then generate program state mutation based on active learning techniques to identify a predicate "explaining" the cause of the bug. The predicate is a classifier for the passed test cases and failed test cases. Our main contribution is the application of invariant learning for bug explanation, as well as a novel approach to overcome the problem of lack of test cases in practice. We apply our method to real-world bugs and show the generated invariants are often correlated to the actual bug fixes.

Li Bin,Zhai Juan,Tang Zhenhao,Tang Enyi,Zhao Jianhua

DOI: https://doi.org/10.1109/apsec.2017.8

2017-01-01

Abstract:interpretation is capable of inferring a wide variety of quantifier-free program invariants. In this paper, we propose a general framework for building universally quantified abstract domains that leverage existing quantifier-free domains in induction-loop programs. This method is sound and converges in finite time. We instantiate this framework using two quantifier free domains: difference-bound matrices with disequality constraints (dDBM) domain and polynomial equations domain. The experiments on a variety of programs using arrays demonstrate the feasibility of the approach.

Thomas Gawlitza,David Monniaux

DOI: https://doi.org/10.2168/lmcs-8(3:29)2012

2012-09-30

Logical Methods in Computer Science

Abstract:We consider the problem of computing numerical invariants of programs, for instance bounds on the values of numerical program variables. More specifically, we study the problem of performing static analysis by abstract interpretation using template linear constraint domains. Such invariants can be obtained by Kleene iterations that are, in order to guarantee termination, accelerated by widening operators. In many cases, however, applying this form of extrapolation leads to invariants that are weaker than the strongest inductive invariant that can be expressed within the abstract domain in use. Another well-known source of imprecision of traditional abstract interpretation techniques stems from their use of join operators at merge nodes in the control flow graph. The mentioned weaknesses may prevent these methods from proving safety properties. The technique we develop in this article addresses both of these issues: contrary to Kleene iterations accelerated by widening operators, it is guaranteed to yield the strongest inductive invariant that can be expressed within the template linear constraint domain in use. It also eschews join operators by distinguishing all paths of loop-free code segments. Formally speaking, our technique computes the least fixpoint within a given template linear constraint domain of a transition relation that is succinctly expressed as an existentially quantified linear real arithmetic formula. In contrast to previously published techniques that rely on quantifier elimination, our algorithm is proved to have optimal complexity: we prove that the decision problem associated with our fixpoint problem is in the second level of the polynomial-time hierarchy.

computer science, theory & methods,logic

Bin Li,Zhenhao Tang,Jianhua Zhao

DOI: https://doi.org/10.1145/2875913.2875942

2015-01-01

Abstract:This paper proposes a way of using abstract interpretation for discovering properties about array contents in some restricted cases: one-dimensional arrays, traversed by simple loops. The method summarizes an array property as an interval property. According to different statements, an interval property may be generated, updated or killed. The method is able to discover the properties of non-trivial examples.

Juan Zhai,Hanfei Wang,Jianhua Zhao

DOI: https://doi.org/10.1109/sere-c.2014.40

2014-01-01

Abstract:In the automatic code verification, it is often necessary for programmers to provide logical annotations in the form of pre-/post-conditions and loop invariants. In this paper, we propose a framework that automatically infers loop invariants of loops manipulating commonly-used data structures. These data structures include one-dimensional arrays, singly-linked lists, doubly-linked lists and static lists. In practical cases, a majority of the loops operating on such data structures work by iterating over the elements of these data structures. The loop invariants of this kind of loops are usually similar in form with their corresponding post-conditions. The framework takes advantage of this observation by generating invariant candidates automatically from a given post-condition following several heuristics. These invariant candidates are subsequently validated via the SMT solver Z3 and the weakest-precondition calculator provided in the interactive code-verification tool Accumulator. The framework, which has been implemented for a small C-like language, suffices to infer suitable loop invariants of a range of loops w.r.t. given post-conditions. The framework has been integrated into the tool Accumulator to ease the verification tasks by alleviating the burden of providing loop invariants manually.

Hong Lu,Huitao Wang,Jiacheng Gui,Panfeng Chen,Hao Huang

DOI: https://doi.org/10.1016/j.cola.2022.101135

IF: 1.778

2022-01-01

Journal of Computer Languages

Abstract:Inspired by the procedure that experts construct loop invariants, we propose a novel data-driven approach to automatically infer loop invariants. The approach consists of two phases, data-driven inference of candidate invariants and validity check of loop invariants. Inspired by the procedure that experts construct loop invariants, we propose a novel data-driven approach to automatically infer loop invariants for C programs. The approach consists of two phases, data-driven inference of candidate invariants and validity check of loop invariants. The first phase generates candidate invariants by solving polynomial equations and synthesizing the extended loop conditions. The second phase prunes out spurious predicates and redundant predicates in the candidate invariants. The experimental results demonstrate that the proposed approach generates valid invariants for 35 benchmarks out of 38. The proposed approach costs less time to generate more informative and precise invariants than the state-of-the-art methods.

Shengchao Qin,Guanhua He,Chenguang Luo,Wei-Ngan Chin,Xin Chen

DOI: https://doi.org/10.1016/j.jsc.2012.08.007

IF: 0.97

2013-01-01

Journal of Symbolic Computation

Abstract:Automated verification of memory safety and functional correctness for heap-manipulating programs has been a challenging task, especially when dealing with complex data structures with strong invariants involving both shape and numerical properties. Existing verification systems usually rely on users to supply annotations to guide the verification, which can be cumbersome and error-prone by hand and can significantly restrict the usability of the verification system. In this paper, we reduce the need for some user annotations by automatically inferring loop invariants over an abstract domain with both shape and numerical information. Our loop invariant synthesis is conducted automatically by a fixed-point iteration process, equipped with newly designed abstraction mechanism, together with join and widening operators over the combined domain. We have also proven the soundness and termination of our approach. Initial experiments confirm that we can synthesise loop invariants with non-trivial constraints.

Li Bin,Tang Zhenhao,Zhai Juan,Zhao Jianhua

DOI: https://doi.org/10.1109/qrs.2016.23

2016-01-01

Abstract:This paper proposes a way of using abstract interpretation for discovering properties about array contents in programs which manipulate arrays by sequential traversal. The method summarizes an array property as a universally quantified property. It directly treats invariant properties (including universally quantified formulas and atomic formulas) as abstract domains. Our method is sound and converges in finite time, and it is flexible. The method has been used to automatically discover nontrivial invariants for several examples. In particular, the method can represent and process multidimensional array properties.

Yijun Feng,Lijun Zhang,David N. Jansen,Naijun Zhan,Bican Xia

DOI: https://doi.org/10.1007/978-3-319-68167-2_26

2017-01-01

Abstract:Quantitative loop invariants are an essential element in the verification of probabilistic programs. Recently, multivariate Lagrange interpolation has been applied to synthesizing polynomial invariants. In this paper, we propose an alternative approach. First, we fix a polynomial template as a candidate of a loop invariant. Using Stengle's Positivstellensatz and a transformation to a sum-of-squares problem, we find sufficient conditions on the coefficients. Then, we solve a semidefinite programming feasibility problem to synthesize the loop invariants. If the semidefinite program is unfeasible, we backtrack after increasing the degree of the template. Our approach is semi-complete in the sense that it will always lead us to a feasible solution if one exists and numerical errors are small. Experimental results show the efficiency of our approach.

Peisen Yao,Jingyu Ke,Jiahui Sun,Hongfei Fu,Rongxin Wu,Kui Ren

DOI: https://doi.org/10.1109/ase56229.2023.00069

2024-01-01

Abstract:The template-based approach to invariant generation is a parametric and relatively complete methodology for inferring loop invariants. The relative completeness ensures the generated invariants' accuracy up to the template's form and the inductive condition. However, there has been limited in advancing the approach to bit-precise reasoning, which involves modeling integers using bit-vector arithmetic. This is unfortunate because bit-precise reasoning is crucial for faithfully and accurately modeling machine integer semantics and, thus, for ensuring sound and precise program verification. In this experience paper, we present an experimental study of bit-precise, template-based invariant generation on three fronts: the precision of different invariant templates, the performance of different constraint solvers for solving the constraints, and the effectiveness of the template-based approach compared to existing bit-precise verification techniques. Through an extensive experimental evaluation over a wide range of benchmarks, we find that (1) the choices of invariant templates and constraint solvers have varying degrees of impact on the precision and efficiency of invariant generation; (2) the template-based approach can handle benchmarks that other approaches for bit-vectors cannot handle. The results also reveal several guidelines for advancing future research on template-based invariant generation.

Daneshvar Amrollahi,Ezio Bartocci,George Kenison,Laura Kovács,Marcel Moosbrugger,Miroslav Stankovič

2024-03-05

Abstract:Automatically generating invariants, key to computer-aided analysis of probabilistic and deterministic programs and compiler optimisation, is a challenging open problem. Whilst the problem is in general undecidable, the goal is settled for restricted classes of loops. For the class of solvable loops, introduced by Kapur and Rodríguez-Carbonell in 2004, one can automatically compute invariants from closed-form solutions of recurrence equations that model the loop behaviour. In this paper we establish a technique for invariant synthesis for loops that are not solvable, termed unsolvable loops. Our approach automatically partitions the program variables and identifies the so-called defective variables that characterise unsolvability. Herein we consider the following two applications. First, we present a novel technique that automatically synthesises polynomials from defective monomials, that admit closed-form solutions and thus lead to polynomial loop invariants. Second, given an unsolvable loop, we synthesise solvable loops with the following property: the invariant polynomials of the solvable loops are all invariants of the given unsolvable loop. Our implementation and experiments demonstrate both the feasibility and applicability of our approach to both deterministic and probabilistic programs.

Programming Languages

ThanhVu Nguyen,Deepak Kapur,Westley Weimer,Stephanie Forrest

DOI: https://doi.org/10.1145/2568225.2568275

2019-04-16

Abstract:Program invariants are important for defect detection, program verification, and program repair. However, existing techniques have limited support for important classes of invariants such as disjunctions, which express the semantics of conditional statements. We propose a method for generating disjunctive invariants over numerical domains, which are inexpressible using classical convex polyhedra. Using dynamic analysis and reformulating the problem in non-standard "max-plus" and "min-plus" algebras, our method constructs hulls over program trace points. Critically, we introduce and infer a weak class of such invariants that balances expressive power against the computational cost of generating nonconvex shapes in high dimensions. Existing dynamic inference techniques often generate spurious invariants that fit some program traces but do not generalize. With the insight that generating dynamic invariants is easy, we propose to verify these invariants statically using k-inductive SMT theorem proving which allows us to validate invariants that are not classically inductive. Results on difficult kernels involving nonlinear arithmetic and abstract arrays suggest that this hybrid approach efficiently generates and proves correct program invariants.

Software Engineering,Programming Languages

Wei He

DOI: https://doi.org/10.48550/arXiv.1906.11929

2019-06-28

Abstract:Compilers can specialize programs having invariants for performance improvement. Detecting program invariants that span large and complex code, however, is difficult for compilers. Traditional compilers do not perform very expensive analysis and thus only identify limited invariants, which limits the potential of subsequent optimizations. We would like to address the invariant detection problem via more sophisticated analyses using program verification tools. In this paper, we reveal pitfalls of choosing program verification tools for invariant detection, identify challenges of modeling program behavior using one of these tools---CVC4, and propose some ideas about how to address the challenges.

Programming Languages

Yurii Kostyukov,Dmitry Mordvinov,Grigory Fedyukovich

DOI: https://doi.org/10.1145/3453483.3454055

2021-06-18

Abstract:First-order logic is a natural way of expressing properties of computation. It is traditionally used in various program logics for expressing the correctness properties and certificates. Although such representations are expressive for some theories, they fail to express many interesting properties of algebraic data types (ADTs). In this paper, we explore three different approaches to represent program invariants of ADT-manipulating programs: tree automata, and first-order formulas with or without size constraints. We compare the expressive power of these representations and prove the negative definability of both first-order representations using the pumping lemmas. We present an approach to automatically infer program invariants of ADT-manipulating programs by a reduction to a finite model finder. The implementation called RInGen has been evaluated against state-of-the-art invariant synthesizers and has been experimentally shown to be competitive. In particular, program invariants represented by automata are capable of expressing more complex properties of computation and their automatic construction is often less expensive.

Erdenebayar Bayarmagnai,Fatemeh Mohammadi,Rémi Prébet

2024-05-15

Abstract:Loop invariants are properties of a program loop that hold before and after each iteration of the loop. They are often employed to verify programs and ensure that algorithms consistently produce correct results during execution. Consequently, the generation of invariants becomes a crucial task for loops. We specifically focus on polynomial loops, where both the loop conditions and assignments within the loop are expressed as polynomials. Although computing polynomial invariants for general loops is undecidable, efficient algorithms have been developed for certain classes of loops. For instance, when all assignments within a while loop involve linear polynomials, the loop becomes solvable. In this work, we study the more general case where the polynomials exhibit arbitrary degrees.

Symbolic Computation,Programming Languages,Algebraic Geometry

Kevin Batz,Mingshuai Chen,Sebastian Junges,Benjamin Lucien Kaminski,Joost-Pieter Katoen,Christoph Matheja

DOI: https://doi.org/10.1007/978-3-031-30820-8_25

2023-01-01

Abstract:Essential tasks for the verification of probabilistic programs include bounding expected outcomes and proving termination in finite expected runtime. We contribute a simple yet effective inductive synthesis approach for proving such quantitative reachability properties by generating inductive invariants on source-code level . Our implementation shows promise: It finds invariants for (in)finite-state programs, can beat state-of-the-art probabilistic model checkers, and is competitive with modern tools dedicated to invariant synthesis and expected runtime reasoning.

Steven de Oliveira,Saddek Bensalem,Virgile Prevosto

DOI: https://doi.org/10.48550/arXiv.1611.07753

2016-11-23

Abstract:When proving invariance properties of a program, we face two problems. The first problem is related to the necessity of proving tautologies of considered assertion language, whereas the second manifests in the need of finding sufficiently strong invariants. This paper focuses on the second problem and describes a new method for the automatic generation of loop invariants that handles polynomial and non deterministic assignments. This technique is based on the eigenvector generation for a given linear transformation and on the polynomial optimization problem, which we implemented in the open-source tool Pilat.

Logic in Computer Science

Bican Xia,Lu Yang,Naijun Zhan

DOI: https://doi.org/10.1007/978-3-540-88479-8_20

2008-01-01

Abstract:The discovery of invariants and ranking functions plays a central role in program verification. In our previous work, we investigated invariant generation and non-linear ranking function discovering of polynomial programs by reduction to semi-algebraic systems solving. In this paper we will first summarize our results on the two topics and then show how to generalize the approach to discovering more expressive invariants and ranking functions, and applying to more general programs.

John Cyphert,Zachary Kincaid

2023-12-07

Abstract:This paper presents a program analysis method that generates program summaries involving polynomial arithmetic. Our approach builds on prior techniques that use solvable polynomial maps for summarizing loops. These techniques are able to generate all polynomial invariants for a restricted class of programs, but cannot be applied to programs outside of this class -- for instance, programs with nested loops, conditional branching, unstructured control flow, etc. There currently lacks approaches to apply these prior methods to the case of general programs. This paper bridges that gap. Instead of restricting the kinds of programs we can handle, our method abstracts every loop into a model that can be solved with prior techniques, bringing to bear prior work on solvable polynomial maps to general programs. While no method can generate all polynomial invariants for arbitrary programs, our method establishes its merit through a monotonicty result. We have implemented our techniques, and tested them on a suite of benchmarks from the literature. Our experiments indicate our techniques show promise on challenging verification tasks requiring non-linear reasoning.

Programming Languages