Li Bin,Tang Zhenhao,Zhai Juan,Zhao Jianhua

DOI: https://doi.org/10.1109/qrs.2016.23

2016-01-01

Abstract:This paper proposes a way of using abstract interpretation for discovering properties about array contents in programs which manipulate arrays by sequential traversal. The method summarizes an array property as a universally quantified property. It directly treats invariant properties (including universally quantified formulas and atomic formulas) as abstract domains. Our method is sound and converges in finite time, and it is flexible. The method has been used to automatically discover nontrivial invariants for several examples. In particular, the method can represent and process multidimensional array properties.

Bin Li,Zhenhao Tang,Jianhua Zhao

DOI: https://doi.org/10.1145/2875913.2875942

2015-01-01

Abstract:This paper proposes a way of using abstract interpretation for discovering properties about array contents in some restricted cases: one-dimensional arrays, traversed by simple loops. The method summarizes an array property as an interval property. According to different statements, an interval property may be generated, updated or killed. The method is able to discover the properties of non-trivial examples.

Shengchao Qin,Guanhua He,Chenguang Luo,Wei-Ngan Chin,Xin Chen

DOI: https://doi.org/10.1016/j.jsc.2012.08.007

IF: 0.97

2013-01-01

Journal of Symbolic Computation

Abstract:Automated verification of memory safety and functional correctness for heap-manipulating programs has been a challenging task, especially when dealing with complex data structures with strong invariants involving both shape and numerical properties. Existing verification systems usually rely on users to supply annotations to guide the verification, which can be cumbersome and error-prone by hand and can significantly restrict the usability of the verification system. In this paper, we reduce the need for some user annotations by automatically inferring loop invariants over an abstract domain with both shape and numerical information. Our loop invariant synthesis is conducted automatically by a fixed-point iteration process, equipped with newly designed abstraction mechanism, together with join and widening operators over the combined domain. We have also proven the soundness and termination of our approach. Initial experiments confirm that we can synthesise loop invariants with non-trivial constraints.

Shikun Chen,Zhoujun Li,Mengjun Li

DOI: https://doi.org/10.1109/tase.2009.35

2010-01-01

Abstract:Constructing program invariants is one of the key problems of program verification. A lot of approaches to invariant generation have been reported, and all of these methods assume that program variables are evaluated over infinite domains such as rational or integer. Actually, during the execution of program, all variables are expressed using bit-vectors with limited width and evaluated over finite domains. Many invariants suit for infinite domains may be invalid in finite domains, and vice versa. This paper proposes an approach to construct invariants for program whose variables are evaluated over finite domains. This method translates a program into constraints that are solved using a QBF (Quantified Boolean Formula) solver to yield desired program invariants. It can be used to discover a rich class of invariants including linear (or polynomial) equality (or inequality) invariants involving operations like addition, multiplication, division, shift, bitwise operation, even quantifiers. And we also show how this technique can be used to prove partial correctness, termination and total correctness.

Thomas Gawlitza,David Monniaux

DOI: https://doi.org/10.2168/lmcs-8(3:29)2012

2012-09-30

Logical Methods in Computer Science

Abstract:We consider the problem of computing numerical invariants of programs, for instance bounds on the values of numerical program variables. More specifically, we study the problem of performing static analysis by abstract interpretation using template linear constraint domains. Such invariants can be obtained by Kleene iterations that are, in order to guarantee termination, accelerated by widening operators. In many cases, however, applying this form of extrapolation leads to invariants that are weaker than the strongest inductive invariant that can be expressed within the abstract domain in use. Another well-known source of imprecision of traditional abstract interpretation techniques stems from their use of join operators at merge nodes in the control flow graph. The mentioned weaknesses may prevent these methods from proving safety properties. The technique we develop in this article addresses both of these issues: contrary to Kleene iterations accelerated by widening operators, it is guaranteed to yield the strongest inductive invariant that can be expressed within the template linear constraint domain in use. It also eschews join operators by distinguishing all paths of loop-free code segments. Formally speaking, our technique computes the least fixpoint within a given template linear constraint domain of a transition relation that is succinctly expressed as an existentially quantified linear real arithmetic formula. In contrast to previously published techniques that rely on quantifier elimination, our algorithm is proved to have optimal complexity: we prove that the decision problem associated with our fixpoint problem is in the second level of the polynomial-time hierarchy.

computer science, theory & methods,logic

Shikun Chen,Zhoujun Li,Xiaoyu Song,Mengjun Li

DOI: https://doi.org/10.1007/978-3-642-21204-8_29

2011-01-01

Abstract:Automatic derivation of invariants is one of the critical conundrums in the framework of the inductive program verification methodologies. This paper presents a novel and simple approach to generating polynomial equations as loop invariants. Finite difference of expressions and linear equation solving are harnessed. Unlike related work, the generated constraints are linear equalities, which can be solved efficiently. Furthermore, invariants of higher degree can be constructed in terms of those of lower degree. The case studies demonstrate the effectiveness of the approach.

ThanhVu Nguyen,Deepak Kapur,Westley Weimer,Stephanie Forrest

DOI: https://doi.org/10.1145/2568225.2568275

2019-04-16

Abstract:Program invariants are important for defect detection, program verification, and program repair. However, existing techniques have limited support for important classes of invariants such as disjunctions, which express the semantics of conditional statements. We propose a method for generating disjunctive invariants over numerical domains, which are inexpressible using classical convex polyhedra. Using dynamic analysis and reformulating the problem in non-standard "max-plus" and "min-plus" algebras, our method constructs hulls over program trace points. Critically, we introduce and infer a weak class of such invariants that balances expressive power against the computational cost of generating nonconvex shapes in high dimensions. Existing dynamic inference techniques often generate spurious invariants that fit some program traces but do not generalize. With the insight that generating dynamic invariants is easy, we propose to verify these invariants statically using k-inductive SMT theorem proving which allows us to validate invariants that are not classically inductive. Results on difficult kernels involving nonlinear arithmetic and abstract arrays suggest that this hybrid approach efficiently generates and proves correct program invariants.

Software Engineering,Programming Languages

Juan Zhai,Hanfei Wang,Jianhua Zhao

DOI: https://doi.org/10.1109/sere-c.2014.40

2014-01-01

Abstract:In the automatic code verification, it is often necessary for programmers to provide logical annotations in the form of pre-/post-conditions and loop invariants. In this paper, we propose a framework that automatically infers loop invariants of loops manipulating commonly-used data structures. These data structures include one-dimensional arrays, singly-linked lists, doubly-linked lists and static lists. In practical cases, a majority of the loops operating on such data structures work by iterating over the elements of these data structures. The loop invariants of this kind of loops are usually similar in form with their corresponding post-conditions. The framework takes advantage of this observation by generating invariant candidates automatically from a given post-condition following several heuristics. These invariant candidates are subsequently validated via the SMT solver Z3 and the weakest-precondition calculator provided in the interactive code-verification tool Accumulator. The framework, which has been implemented for a small C-like language, suffices to infer suitable loop invariants of a range of loops w.r.t. given post-conditions. The framework has been integrated into the tool Accumulator to ease the verification tasks by alleviating the burden of providing loop invariants manually.

Yucheng Ji,Hongfei Fu,Bin Fang,Haibo Chen

DOI: https://doi.org/10.1007/978-3-031-13185-1_13

2022-01-01

Abstract:Loop invariant generation, which automates the generation of assertions that always hold at the entry of a while loop, has many important applications in program analysis and formal verification. In this work, we target an important category of while loops, namely affine while loops, that are unnested while loops with affine loop guards and variable updates. Such a class of loops widely exists in many programs yet still lacks a general but efficient approach to invariant generation. We propose a novel matrix-algebra approach to automatically synthesizing affine inductive invariants in the form of an affine inequality. The main novelty of our approach is that (i) the approach is general in the sense that it theoretically addresses all the cases of affine invariant generation over an affine while loop, and (ii) it can be efficiently automated through matrix-algebra (such as eigenvalue, matrix inverse) methods. The details of our approach are as follows. First, for the case where the loop guard is a tautology (i.e., 'true'), we show that the eigenvalues and their eigenvectors of the matrices derived from the variable updates of the loop body encompass all meaningful affine inductive invariants. Second, for the more general case where the loop guard is a conjunction of affine inequalities, our approach completely addresses the invariant-generation problem by first establishing through matrix inverse the relationship between the invariants and a key parameter in the application of Farkas' lemma, then solving the feasible domain of the key parameter from the inductive conditions, and finally illustrating that a finite number of values suffices for the key parameter w.r.t a tightness condition for the invariants to be generated. Experimental results show that compared with previous approaches, our approach generates much more accurate affine inductive invariants over affine while loops from existing and new benchmarks within a few seconds, demonstrating the generality and efficiency of our approach.

Jason R. Koenig,Oded Padon,Sharon Shoham,Alex Aiken

DOI: https://doi.org/10.48550/arXiv.2112.05304

2021-12-10

Abstract:We present a PDR/IC3 algorithm for finding inductive invariants with quantifier alternations. We tackle scalability issues that arise due to the large search space of quantified invariants by combining a breadth-first search strategy and a new syntactic form for quantifier-free bodies. The breadth-first strategy prevents inductive generalization from getting stuck in regions of the search space that are expensive to search and focuses instead on lemmas that are easy to discover. The new syntactic form is well-suited to lemmas with quantifier alternations by allowing both limited conjunction and disjunction in the quantifier-free body, while carefully controlling the size of the search space. Combining the breadth-first strategy with the new syntactic form results in useful inductive bias by prioritizing lemmas according to: (i) well-defined syntactic metrics for simple quantifier structures and quantifier-free bodies, and (ii) the empirically useful heuristic of preferring lemmas that are fast to discover. On a benchmark suite of primarily distributed protocols and complex Paxos variants, we demonstrate that our algorithm can solve more of the most complicated examples than state-of-the-art techniques.

Programming Languages

Zhenpeng Fang,Xibin Zhao,Min Zhou

DOI: https://doi.org/10.1109/compsac.2017.149

2017-01-01

Abstract:Program invariant is formal description of properties that should hold at certain program location in every valid execution. It is very useful for program analysis and verification. In this paper, we introduce an abstraction interpretation approach for generating program invariant efficiently and precisely. A polynomial interval domain is proposed for representing abstract state and precise loop effect is summarized by recognizing and solving recurrence relations. Our method has implemented and its effectiveness is shown in various kinds of cases. Experiment results show that our approach generates more accurate program invariants quickly.

Qiuye Wang,Mingshuai Chen,Bai Xue,Naijun Zhan,Joost-Pieter Katoen

DOI: https://doi.org/10.1016/j.ic.2022.104965

2022-01-01

Abstract:We present the invariant barrier-certificate condition that witnesses unbounded-time safety of differential dynamical systems. The proposed condition is the weakest possible one to attain inductive invariance. We show that discharging the invariant barrier-certificate condition —thereby synthesizing invariant barrier certificates— can be encoded as solving an optimization problem subject to bilinear matrix inequalities (BMIs). We further propose a synthesis algorithm based on difference-of-convex programming, which approaches a local optimum of the BMI problem via solving a series of convex optimization problems . This algorithm is incorporated in a branch-and-bound framework that searches for the global optimum in a divide-and-conquer fashion. We present a weak completeness result of our method, namely, a barrier certificate is guaranteed to be found (under some mild assumptions) whenever there exists an inductive invariant (in the form of a given template) that suffices to certify safety. Experimental results on benchmarks demonstrate the effectiveness and efficiency of our approach.

Yuting Chen

2016-01-01

Abstract:The search for automated loop invariants generation has been popularly pursued due to the fact that invariants play a critical role in the verification process. Invariants with quantifiers are particularly interesting for these quantified invariants can be used to express relationships among the elements of array variables and other scalar variables. Automated invariant generation using a first-order theorem prover was first introduced by the work of Kovacs and Voronkov [KV09a] in 2009. This approach employs a theorem prover, in our case the Vampire, as consequences inferencing engine and further to perform the symbol elimination for invariant generation. The entire approach can be separated into two phases: first, by performing static program analysis, one collects a set of static properties as static knowledge about the program and its variables. Second, these properties are sent to Vampire to infer invariants. This novel idea was further developed into a robust implementation introduced by the work of Ahrendt et al. [AKR15]. Our research originated from the idea of enhancing the existing implementation by adding in domain-specic theory. Particularly, we extended the work of Ahrendt et al. [AKR15] with first-order array theory reasoning. Using first-order array theory, we present an extension on the existing automated invariant generation approach by this research. The extension aims at enhancing the reasoning process of automated invariant generation for loop programs over unbounded arrays. In addition to the extension on domain specic theory reasoning, this study also explored the enhancement of the static program analysis phase by proposing new static properties over the indexing variables. Experiment results compared with the previous implementation showed the improvement in reasoning over previously unprovable examples. The improvement came from both domain specific theory reasoning and the newly proposed static property. Our study suggests the inclusion of domain specific theory can enrich the reasoning process of a theorem prover, in our case the first-order theorem prover Vampire. This enhancement can be further applied in program verification purposes such as automated invariant generation and direct proof of correctness. Also, with the theory-specific reasoning, the first-order theorem provers can deliver complex reasoning results containing quantifier alternation. We illustrate our approach on a number of examples coming from program verification.

Mnacho Echenim,Nicolas Peltier,Yanis Sellami

DOI: https://doi.org/10.48550/arXiv.1906.11033

2019-06-26

Abstract:We describe a system to prove properties of programs. The key feature of this approach is a method to automatically synthesize inductive invariants of the loops contained in the program. The method is generic, i.e., it applies to a large set of programming languages and application domains; and lazy, in the sense that it only generates invariants that allow one to derive the required properties. It relies on an existing system called GPiD for abductive reasoning modulo theories, and on the platform for program verification Why3. Experiments show evidence of the practical relevance of our approach.

Logic in Computer Science

Kevin Batz,Mingshuai Chen,Sebastian Junges,Benjamin Lucien Kaminski,Joost-Pieter Katoen,Christoph Matheja

DOI: https://doi.org/10.1007/978-3-031-30820-8_25

2023-01-01

Abstract:Essential tasks for the verification of probabilistic programs include bounding expected outcomes and proving termination in finite expected runtime. We contribute a simple yet effective inductive synthesis approach for proving such quantitative reachability properties by generating inductive invariants on source-code level . Our implementation shows promise: It finds invariants for (in)finite-state programs, can beat state-of-the-art probabilistic model checkers, and is competitive with modern tools dedicated to invariant synthesis and expected runtime reasoning.

Steven de Oliveira,Saddek Bensalem,Virgile Prevosto

DOI: https://doi.org/10.48550/arXiv.1611.07753

2016-11-23

Abstract:When proving invariance properties of a program, we face two problems. The first problem is related to the necessity of proving tautologies of considered assertion language, whereas the second manifests in the need of finding sufficiently strong invariants. This paper focuses on the second problem and describes a new method for the automatic generation of loop invariants that handles polynomial and non deterministic assignments. This technique is based on the eigenvector generation for a given linear transformation and on the polynomial optimization problem, which we implemented in the open-source tool Pilat.

Logic in Computer Science

Gianluca Redondi,Alessandro Cimatti,Alberto Griggio,Kenneth McMillan

2024-02-29

Abstract:This paper addresses the problem of checking invariant properties for a large class of symbolic transition systems, defined by a combination of SMT theories and quantifiers. State variables can be functions from an uninterpreted sort (finite, but unbounded) to an interpreted sort, such as the the integers under the theory of linear arithmetic. This formalism is very expressive and can be used for modeling parameterized systems, array-manipulating programs, and more. We propose two algorithms for finding universal inductive invariants for such systems. The first algorithm combines an IC3-style loop with a form of implicit predicate abstraction to construct an invariant in an incremental manner. The second algorithm constructs an under-approximation of the original problem, and searches for a formula which is an inductive invariant for this case; then, the invariant is generalized to the original case, and checked with a portfolio of techniques. We have implemented the two algorithms and conducted an extensive experimental evaluation, considering various benchmarks and different tools from the literature. As far as we know, our method is the first capable of handling in a large class of systems in a uniform way. The experiment shows that both algorithms are competitive with the state of the art.

Logic in Computer Science

S. Hitarth,George Kenison,Laura Kovács,Anton Varonka

DOI: https://doi.org/10.48550/arXiv.2310.05120

2023-10-08

Logic in Computer Science

Abstract:Invariants are key to formal loop verification as they capture loop properties that are valid before and after each loop iteration. Yet, generating invariants is a notorious task already for syntactically restricted classes of loops. Rather than generating invariants for given loops, in this paper we synthesise loops that exhibit a predefined behaviour given by an invariant. From the perspective of formal loop verification, the synthesised loops are thus correct by design and no longer need to be verified. To overcome the hardness of reasoning with arbitrarily strong invariants, in this paper we construct simple (non-nested) while loops with linear updates that exhibit polynomial equality invariants. Rather than solving arbitrary polynomial equations, we consider loop properties defined by a single quadratic invariant in any number of variables. We present a procedure that, given a quadratic equation, decides whether a loop with affine updates satisfying this equation exists. Furthermore, if the answer is positive, the procedure synthesises a loop and ensures its variables achieve infinitely many different values.

Yijun Feng,Lijun Zhang,David N. Jansen,Naijun Zhan,Bican Xia

DOI: https://doi.org/10.1007/978-3-319-68167-2_26

2017-01-01

Abstract:Quantitative loop invariants are an essential element in the verification of probabilistic programs. Recently, multivariate Lagrange interpolation has been applied to synthesizing polynomial invariants. In this paper, we propose an alternative approach. First, we fix a polynomial template as a candidate of a loop invariant. Using Stengle's Positivstellensatz and a transformation to a sum-of-squares problem, we find sufficient conditions on the coefficients. Then, we solve a semidefinite programming feasibility problem to synthesize the loop invariants. If the semidefinite program is unfeasible, we backtrack after increasing the degree of the template. Our approach is semi-complete in the sense that it will always lead us to a feasible solution if one exists and numerical errors are small. Experimental results show the efficiency of our approach.

Yurii Kostyukov,Dmitry Mordvinov,Grigory Fedyukovich

DOI: https://doi.org/10.1145/3453483.3454055

2021-06-18

Abstract:First-order logic is a natural way of expressing properties of computation. It is traditionally used in various program logics for expressing the correctness properties and certificates. Although such representations are expressive for some theories, they fail to express many interesting properties of algebraic data types (ADTs). In this paper, we explore three different approaches to represent program invariants of ADT-manipulating programs: tree automata, and first-order formulas with or without size constraints. We compare the expressive power of these representations and prove the negative definability of both first-order representations using the pumping lemmas. We present an approach to automatically infer program invariants of ADT-manipulating programs by a reduction to a finite model finder. The implementation called RInGen has been evaluated against state-of-the-art invariant synthesizers and has been experimentally shown to be competitive. In particular, program invariants represented by automata are capable of expressing more complex properties of computation and their automatic construction is often less expensive.