Inductive Invariant Generation via Abductive Inference IsilDillig ThomasDillig BoyangLi DepartmentofComputerScience DepartmentofComputerScience DepartmentofComputerScience CollegeofWilliam&Mary CollegeofWilliam&Mary CollegeofWilliam&Mary [email protected] [email protected] [email protected] KenMcMillan MicrosoftResearch [email protected] Abstract counterexampleguidedabstractionrefinement(CEGAR)[7, 8],andinterpolation-basedapproaches[9–11]. This paper presents a new method for generating inductive Inthispaper,wepresentanewmethodforautomatically loopinvariantsthatareexpressibleasbooleancombinations generating inductive loop invariants which are expressible of linear integer constraints. The key idea underlying our as boolean combinations of linear integer constraints over techniqueistoperformabacktrackingsearchthatcombines program variables. A loop invariant is said to be inductive Hoare-style verification condition generation with a logical if it is implied by the loop’s precondition and is preserved abductionprocedurebasedonquantifiereliminationtospec- in each iteration of the loop’s body. Since the correctness ulatecandidateinvariants.Startingwithtrue,ourmethodit- of inductive loop invariants can be checked locally given erativelystrengthensloopinvariantsuntiltheyareinductive the loop precondition, inductive invariants play a key role and strong enough to verify the program. A key feature of inmanyprogramverificationsystems[12–14]. ourtechniqueisthatitislazy:Itonlyinfersthoseinvariants Our approach to loop invariant generation is intended that are necessary for verifying program correctness. Fur- mainlyforprogramverification.Therefore,similartometh- thermore, our technique can infer arbitrary boolean combi- ods like CEGAR, our goal is to lazily infer only those in- nations(includingdisjunctions)oflinearinvariants.Wehave variantsthatarenecessaryforshowingprogramcorrectness. implementedtheproposedapproachinatoolcalled HOLA. Furthermore,wefocusonnumericloopinvariantsinthispa- Ourexperimentsdemonstratethat HOLA caninferinterest- perbecausesuchinvariantsplayacrucialruleinmanybasic inginvariantsthatarebeyondthereachofexistingstate-of- verification tasks such as proving the absence of array-out- the-artinvariantgenerationtools. of-boundsexceptionsorbufferoverflows. Asalientfeatureofourtechniqueisthatitcannaturally 1. Introduction infer invariants that are arbitrary boolean combinations of The automated inference of numeric loop invariants is linearintegerconstraints.Here,bylinearintegerconstraints, a fundamental program analysis problem with important we mean linear inequalities over integers as well as divisi- applications in software verification, compiler optimiza- bilitypredicates.Furthermore,theinvariantsinferredbyour tions, and program understanding. Prominent approaches method can involve disjunctions and implications. For in- forautomaticgenerationofloopinvariantsincludeabstract- stance,ourtechniqueiscapableofinferringcomplexinvari- interpretation [1–4], constraint-based techniques [5, 6], antsthatareexpressibleusingthefollowingformula: (x%2=0⇒x+2y <n)∧(x%2=1⇒x+2y =n) Another advantage of our method is that it does not re- Permissiontomakedigitalorhardcopiesofallorpartofthisworkforpersonalor quire users to specify a pre-defined syntactic template over classroomuseisgrantedwithoutfeeprovidedthatcopiesarenotmadeordistributed forprofitorcommercialadvantageandthatcopiesbearthisnoticeandthefullcitation whichtoexpresstheinvariants.Forexample,someloopin- onthefirstpage.Tocopyotherwise,torepublish,topostonserversortoredistribute variantinferencetechniquessuchas[5,6]requiretheuserto tolists,requirespriorspecificpermissionand/orafee. annotateatemplatedescribingtheshapeoftheinvariantsto Copyright(cid:13)c ACM[tobesupplied]...$10.00 beinferredsuchax+by ≤candthensolvefortheunknown parameters a,b,c. In contrast, our technique automatically ofallinvariants,includingψ.Therefore,ifψ isanincorrect inferstheshapeoftherequiredinvariantswithoutrequiring speculation, the new VC will contain an invalid clause that hintsorannotationfromtheuser. needs to be fixed. If the algorithm reaches a point where a given VC clause can no longer be fixed through abductive 1.1 OverviewoftheApproach strengthening (for instance, when χ ⇒ γ is unsatisfiable), The key idea underlying our approach to loop invariant thismeanswehavemadeawrongspeculationandwemust inference is to perform a backtracking search that com- backtrack.Ontheotherhand,ifallVCclausesbecomevalid, binesHoare-styleprogramreasoningwithlogicalabduction, thismeansallofourspeculationsarecorrect.Thus,whenthe which is the inference of missing hypotheses for a given algorithm terminates, we have identified correct inductive conclusion. Starting with the weakest possible but always loop invariants that are strong enough to show the correct- correct loop invariant true, our technique sets up verifica- nessoftheprogram.However,ourtechniquedoesnothave tion conditions whose validity guarantees the correctness terminationorcompletenessguarantees;itisindeedpossible of the program. If a verification condition (VC) is invalid, for the algorithm to diverge in an infinite chain of specula- our technique employs abductive inference to fix this in- tions. valid VC, which corresponds to the speculation of a new In principle, this combination of Hoare-style VC gener- loopinvariant.Thecurrentspeculationisusedtostrengthen ation and logical abduction can be used to infer any class theexistinginvariants,andnewVCsaresetuptocheckthe of invariants. However, since our algorithm for performing correctness of the speculation. This process continues until abduction is based on quantifier elimination, this paper fo- eitheralltheVCsbecomevalidorwederiveacontradiction. cusesonlyontheinferenceofloopinvariantsexpressiblein The former outcome means that we have found inductive Presburgerarithmetic. loopinvariantsstrongenoughtoshowthecorrectnessofthe program and our algorithm terminates. The latter outcome 1.2 OrganizationandContributions means that we have made a wrong speculation; therefore, webacktrackandtryadifferentinference. The rest of this paper is organized as follows: Section 2 Inourapproach,thegeneratedverificationconditionsare walks the reader through a small example illustrating how conjunctions of clauses of the form χ ⇒ γ, asserting the our technique infers loops invariants. Section 3 presents a inductivenessofloopinvariantsandcorrectnessofassertions smallimperativelanguagethatweusefortheformaldevel- in the program. Specifically, the right hand side γ of the opment,andSection4presentsthemaininvariantinference implicationisagoalwewanttoshow,suchasalooppost- algorithm.Section5discussesextensionstothebasicalgo- condition. On the other hand, the left-hand-side χ encodes rithmanddescribesourimplementation.Section6presents knownfactsabouttheprogram,suchasalreadyinferredloop anexperimentalevaluationofourapproach,comparingour invariants. tool HOLA withthreeotherloopinvariantgenerationtools. Now, given an invalid clause χ ⇒ γ of the VC, our Finally,Sections7and8discussrelatedworkandhighlight technique tries to fix this “broken” clause by strengthening futureresearchdirections. the left-hand side of the implication. In particular, we want Tosummarize,thispapermakesthefollowingkeycontri- toinferastrengtheningψofthecurrentloopinvariantχsuch butions: that: 1. |=(χ∧ψ)⇒γ • We present a novel algorithm based on backtracking 2. SAT(χ∧ψ) search for automatically inferring inductive loop invari- Here, condition (1) states that the strengthening ψ is suffi- antsthatareexpressibleasbooleancombinationsoflin- cienttomakeaparticularclauseoftheVCvalid.Condition earintegerconstraints. (2) states that the strengthening ψ must be consistent with • WeshowhowHoare-styleprogramreasoningandalog- theleft-handsideχ,sinceχencodesknown(orspeculated) icalabductionprocedurebasedonquantifierelimination invariants about the program. The inference of a formula can be combined for linear invariant generation. To the ψ satisfying these two requirements is an instance of logi- bestofourknowledge,thisisthefirstapplicationoflog- calabduction,asdefinedbyPeirce[15].Therefore,amain icalabductionforautomaticgenerationofnumericloop insight underlying our approach is that logical abduction is invariants. useful for finding suitable strengthenings of loop invariants thataresufficientformakingtheprogram’sverificationcon- • We have implemented the proposed technique in a tool ditionvalid. called HOLA and present a comparison between HOLA Now,whileourinferredstrengtheningψ fixesaninvalid and other available state-of-the-art invariant generation clause of the VC, it is nonetheless a speculation and may tools,namelyBLAST,InvGen,andInterproc.Ourexper- or may not correspond to a correct loop invariant. There- imentsonasetofloopinvariantgenerationbenchmarks fore,toensurethesoundnessofourapproach,ourtechnique show that our approach is promising for advancing the generates new VCs at every step encoding the correctness state-of-the-artinnumericloopinvariantgeneration. voidfoo(intflag){ Our algorithm for performing abduction again computes 1. inti,j,a,b; several solutions, including ¬flag,j = i + 1, and flag ⇒ 2. a=0;b=0;j=1; j =i+1. 3. if(flag)i=0;elsei=1; Now, suppose we initially pick a wrong solution, say 4. while(*)[φ]{ j = i+1. This means our new candidate loop invariant is 5. a++;b+=(j-i);i+=2; nowj =i+1∧(flag⇒a=b).Sincej =i+1doesnothold 6. if(i%2==0)j+=2;elsej++; initially(i.e.,theweakestpreconditionofj =i+1∧(flag⇒ 7. } a = b) with respect to lines 1-3 is invalid), we therefore 8. if(flag)assert(a==b); reject this candidate and backtrack to our speculation from } thepreviouslevel,namelyflag⇒a=b. Now, having backtracked to the previous decision level, Figure1. Codeexampletoillustrateourapproach we try another solution to our abduction problem from (*). Supposethatwenowchoosethesolution: 2. ExampleIllustratingourTechnique φ=(flag⇒j =i+1) Weillustratethemainideasofourtechniqueusingthecode Combining this strengthening with the existing invariant example shown in Figure 1. Here, the annotation [φ] next flag ⇒ a = b,wenowobtainthefollowingcandidateloop to the while loop at line 4 means that φ is a placeholder invariant: variablerepresentinganunknowninvariantofthisloop.Our goal in this section is to infer a concrete formula ϕ for the I = (flag⇒(a=b∧j =i+1)) placeholderφsuchthatϕisbothinductiveaswellasstrong ItturnsoutthatthisnewspeculationIisnowcorrect,but, enoughtoprovetheassertionatline8. unfortunately, I is still not inductive because the following Ourtechniquestartsbyinstantiatingtheplaceholdervari- VCclauseassertingtheinductivenessofI isnotvalid: ableφwiththeweakestpossiblebutalwayscorrectloopin- variant, namely true. Using Hoare-style reasoning,we then generate verification conditions for the program, which, in (flag⇒(a=b∧j =i+1)) thiscase,yields: ⇒ (flag⇒(a+1=b+j−i∧(i%2=0⇒j =i+1)∧ true⇒(flag⇒a=b) (i%2(cid:54)=0⇒i=j))) This VC stipulates that the current loop invariant true is Here,notethattheright-handsideoftheouter-levelim- strong enough to imply the loop post-condition, which is plication corresponds to the weakest precondition of I. To flag ⇒ a = b. Clearly, this VC is not valid, therefore, makethisVCvalid,wenowsolveafinalabductionproblem we attempt to fix this broken VC by finding an abductive tofindyetanotherstrengtheningofI.Inthiscase,oneofthe strengtheningφoftheleft-handsidesuchthat: solutions we obtain is flag ⇒ i%2 = 0. Thus, we obtain a new candidate loopinvariant I(cid:48) by conjoining thissolution (true∧φ)⇒(flag⇒a=b) withI: Therearemanysolutionstothisabductionproblem,includ- I(cid:48) = (flag⇒(a=b∧j =i+1∧i%2=0)) ingthesolutions¬flag,a = b,andflag ⇒ a = bcomputed At this point, the new VC becomes valid. In other words, byourabductionalgorithm.Tokeepourdiscussionconcise, wehaveshownthatI(cid:48)isacorrectinductiveinvariantstrong let us start with the solution φ = (flag ⇒ a = b), which enoughtoprovetheassertionatline(8). means(flag⇒a=b)isourspeculatedloopinvariant. We now proceed by generating new VCs that assert the 3. Language correctness of our candidate invariant. This results in the generationofthefollowingnewVC: Inthissection,wegiveasimpleimperativelanguagethatwe useforformalizingourtechnique: (flag⇒a=b)⇒(flag⇒(a+1=b+j−i)) Programπ := s ThisVCsimplystipulatesthatourcandidateinvariantisin- Statements := skip|v :=e ductive,astheright-handsideoftheimplicationistheweak- |s1;s2|chooses1s2 est precondition of the candidate invariant. Unfortunately, |whileC [φ] do{s} however,theVCisagainnotvalid;thus,weproceedtoset | assertp|assumep upanotherabductionproblemtofindasuitablestrengthen- Expressione := v|int|e1+e2 ingφoftheloopinvariant: |e∗int|e%int ConditionalC := e (cid:12)e ((cid:12)∈{<,>,=}) 1 2 (flag⇒a=b ∧ φ)⇒(flag⇒(a+1=b+j−i)) (∗) |C ∧C |C ∨C |¬C 1 2 1 2 procedureINVGEN(π): AsmentionedinSection1,ouralgorithmstartsbyinitial- input:programπ izing each φ to true and iteratively strengthens loop invari- output:mapping∆fromeachplaceholderφ antsuntiltheybecomeinductiveandstrongenoughtoverify i toaconcreteloopinvariantψ theprogram.Thus,atline1,weinitialize∆bymappingall i placeholders φ to true. The iterative strengthening of loop i (1) let∆=[φi (cid:55)→true|φi ∈invs(π)] invariants in ∆ is performed by the recursive VERIFY pro- (2) ∆(cid:48) = VERIFY(π,∆) cedure,alsogiveninFigure2. (3) return∆(cid:48) IntheVERIFYprocedure,theinput∆representsourcur- rentsetofspeculatedloopinvariants.Usingthesecandidate invariants ∆, we then invoke a VCGEN procedure to com- procedureVERIFY(π,∆): putetheweakestpreconditionχofprogramπ aswellasits input:programπandmapping∆ VC ϕ (line 4). We defer discussion of the VCGEN proce- output:newmapping∆(cid:48)fromeachplaceholderφ i dure to Section 4.1. The generated VC ϕ asserts that each toaconcreteloopinvariantψ i candidate invariant ψ in ∆ is inductive and that it implies thelooppostcondition.Specifically,thegeneratedVC’sare (4) (χ,ϕ)= VCGEN(π,∆) conjunctionsofclausesoftheform(β∧φ)⇒γ.Here,φisa (5) if (cid:54)|=χreturn∅ placeholderforapotentialstrengtheningofthecurrentloop (6) if |=elim(ϕ) return∆ invariant. Formulas β and γ do not contain any placehold- (7) letϕ ∈clauses(ϕ)suchthat(cid:54)|=elim(ϕ ) i i ersandaregeneratedusingthecandidateinvariantsgivenby (8) (φ,S)= ABDUCE(ϕi) ∆. If the VC ϕ with all placeholders φ replaced by true is (9) foreachψ ∈S i valid,thismeansthecurrent∆isasolutiontoourverifica- (10) ψ =∆(φ)∧ψ i tionproblem. (11) ∆(cid:48) = VERIFY(π,∆[φ(cid:55)→ψ]) Line 5 of VERIFY checks the validity of the program’s (12) if∆(cid:48) (cid:54)=∅return∆(cid:48) weakestpreconditionχ.Ifχisnotvalid,thismeansourcan- (13) done didateinvariantsgivenby∆arenotcorrect.Inthiscase,we (14) return∅ return∅toindicatefailure,whichcausesbacktrackinginthe overallalgorithm.Next,atline6,wecheckwhetherthecur- Figure2. Themaininvariantgenerationalgorithm rentVCϕisvalid.Asmentionedbefore,ϕcontainsplace- holdervariablesφ,whichrepresentpotentialstrengthenings In this language, programs consist of one or more state- ofthecurrentloopinvariants.Therefore,tocheckthevalid- ments. Statements include skip, assignments, sequencing, ity of the VC, we need to replace all placeholders φ with choose statements (which non-deterministically execute s true. For this purpose, we use the notation elim(ϕ) to indi- 1 ors ),whileloops,assertions,andassumptions.Expressions catethesubstitutionofφwithtrueinϕ.Ifelim(ϕ)isvalid, 2 includevariablesv,integerconstantsint,addition(e +e ), we have found a set ∆ of inductive loop invariants strong 1 2 linearmultiplication(e∗int),andmodexpressionse%int.Fi- enoughtoverifytheprogram,andwethereforereturn∆as nally,conditionalscanbecomparisonsbetweenexpressions oursolution. aswellaslogicalconjunction,disjunction,andnegation. On the other hand, if elim(ϕ) is not valid, this means Loops in this language are decorated with unique place- our current loop invariants are not strong enough, and we holderformulasφwhichrepresentunknownloopinvariants needtostrengthenthemfurther.Forthispurpose,weselect buthavenoeffectontheprogramsemantics.Foreachplace- oneinvalidclauseϕi oftheVCcontainingoneplaceholder holderφ,thegoalofourtechniqueistoinferaconcretelog- variableφandattempttofixit.Specifically,recallthatϕi is icalformulaψsuchthatψisbothinductiveaswellasstrong of the form (β ∧ φ) ⇒ γ where β and γ do not contain enoughtoimplythelooppostcondition.Intheremainderof any placeholders. To fix clause ϕi, we call the procedure the paper, we use the notation invs(π) to refer to all place- ABDUCE to find a set S of suitable strengthenings for the holdersφusedinπ. left-hand side. As we will see in Section 4.2, each ψi ∈ S isguaranteedtomakeϕ valid,butψ mayormaynotbea i i 4. AlgorithmforGeneratingInductiveLoop validinvariant.Therefore,atline11,werecursivelyinvoke Invariants VERIFYtocheckthecorrectnessofthespeculatedinvariant. In the recursive invocation, we add our current speculation OuralgorithmINVGENforgeneratinginductiveloopinvari- ψ to ∆. Specifically, since ψ is a strengthening for the i i antsisshowninFigure2.Ittakesasinputaprogramπ that currentloopinvariant∆(φ),weconjoinψ withtheexisting i wewanttoverifyandoutputsamapping∆fromeachplace- ∆(φ)whenmakingtherecursivecalltoVERIFY.IfVERIFY holder invariant φ in π to an inductive loop invariant ψ. If doesnotreturn∅,thismeanswehavefoundasuitablesetof wecannotverifytheprogram,thenthealgorithmreturnsthe inductiveloopinvariantsandreturn∆(cid:48)asthesolution. emptymapping∅. (1) (2) ∆,χ(cid:96)skip:χ,true ∆,χ(cid:96)v :=e:χ[e/v],true (3) (4) ∆,χ(cid:96) assertC :χ∧C,true ∆,χ(cid:96)assumeC :C ⇒χ,true ∆,χ (cid:96)s :χ ,ϕ ∆,χ(cid:96)s :χ ,ϕ 2 2 2 1 1 1 ∆,χ (cid:96)s :χ ,ϕ ∆,χ(cid:96)s :χ ,ϕ 2 1 1 1 2 2 2 (5) (6) ∆,χ(cid:96)s ;s :χ ,ϕ ∧ϕ ∆,χ(cid:96)chooses s :χ ∧χ ,ϕ ∧ϕ 1 2 1 1 2 1 2 1 2 1 2 ∆,∆(φ)(cid:96)s:χ(cid:48),ϕ(cid:48) ϕ = (¬C∧∆(φ)∧φ)⇒χ 1 ϕ = (C∧∆(φ)∧φ)⇒χ(cid:48) 2 (7) ∆,χ(cid:96)whileC [φ]do{s}:∆(φ),ϕ ∧ϕ ∧ϕ(cid:48) 1 2 Figure3. VCGeneration Ofcourse,itisalsopossiblethatourcurrentstrengthen- invariant ∆(φ). In particular, if φ is true, these are just the ingψ doesnotleadtoavalidproof;thisisindicatedbythe standard VC’s for a while loop. The addition of the place- i recursiveinvocationofVERIFYreturning∅.Inthiscase,we holderφallowsustoweakentheVCbyaddinganassump- backtrack from our current speculation and try the next so- tion,whichweobtainbyabduction. lution to the abduction problem defined by (χ∧φ) ⇒ γ. THEOREM1 (Soundness). If ∆,χ (cid:96) s : χ(cid:48),ϕ is derivable Ifweexhaustallabductivesolutionswithoutfindingavalid andelim(ϕ)isvalid,then{χ}s{χ(cid:48)}isvalid. proof,ourcurrentproofattempthasfailed,andwetherefore return∅toindicatefailure. PROOF1. The proof for rules (1)-(6) follow immediately from standard Hoare logic; we only give the proof for 4.1 VCGeneration rule(7).Assumingthatelim(ϕ ∧ϕ ∧ϕ(cid:48))isvalidweneed 1 2 OurVCgenerationprocedure VCGEN ispresentedasaset toshow: ofinferencerulesinFigure3.Therulesproducejudgments {∆(φ)}whileC [φ]do{s}{χ} (1) oftheform: By inductive hypothesis, we have {χ(cid:48)} s {∆(φ)}. Since ∆,χ(cid:96)s:χ(cid:48),ϕ elim(ϕ )impliesC∧∆(φ)⇒χ(cid:48),wehave{C∧∆(φ)}s{∆(φ)} 2 by precondition strengthening. Using the standard Hoare Here, ∆ is a candidate invariant represented as a mapping logicruleforwhileloops,weobtain: from each placeholder φ to a formula ψ. The VC ϕ is a conjunction of clauses of the form (β ∧ φ) ⇒ γ where {∆(φ)}whileC do{s}{∆(φ)∧¬C} (2) β,γ are placeholder-free formulas and φ is a placeholder Sinceelim(ϕ )isvalid,wehave¬C ∧∆(φ) ⇒ χ.Finally, representing a possible strengthening of the current loop 1 byapplyingpostconditionweakeningto(2),weobtain(1). invariant. The meaning of this judgment is that, if elim(ϕ) (theVCwithallplaceholdersreplacedbytrue)isvalid,then 4.2 GeneratingCandidateStrengtheningsvia {χ(cid:48)}s{χ}isavalidHoaretriple. Abduction Rules(1)-(6)inFigure3describeastandardweakestpre- Inthissection,wedescribeanABDUCEprocedureforfind- condition computation; hence we omit the explanation for ingpossiblestrengtheningsforthecurrentcandidateloopin- these rules. Since Rule (7) for while loops is non-standard, variant.TheprocedureABDUCEtakesasinputaVCclause weonlyelaborateonthisrule. oftheform(χ∧φ)⇒γwhereφisaplaceholderandinfers For generating the VC and the weakest precondition of astrengtheningψtopluginforφsuchthat: the while loop, Rule (7) utilizes the current speculated in- variants given by ∆. Specifically, the weakest precondition 1. |=(χ∧ψ)⇒γ for the while loop is ∆(φ), which represents the current 2. SAT(χ∧ψ) speculatedinvariantfortheloop.Intherule,χ(cid:48) istheweak- Oneobvious-butnotparticularlyuseful-solutiontothis est precondition for the loop body s to establish the candi- abductionproblemisφ=γ.Toseewhyγisnotausefulso- dateloopinvariant∆(φ).Clauseϕ oftheVCsaysthaton 1 lution,considertheVCclausethatassertstheinductiveness loop exit, the candidate invariant ∆(φ), strengthened with ofsomecandidateinvariantI foraloopwithbodys: φ,impliestheloop’spost-conditionχ.Clauseϕ oftheVC 2 saysthatexecutingtheloopwhenφholdsre-establishesthe I∧C ⇒wp(s,I) Hence, in our setting, the abductive solution γ corresponds procedureABDUCE(ϕ): tostrengtheningthecurrentloopinvariantI withitsweakest input:formulaϕoftheformχ∧φ⇒γ preconditionwp(s,I).However,ingeneral,wp(s,I)istoo output:(φ,S)suchthat|=χ∧ψ ⇒γ foreveryψ ∈S i i weakofastrengtheningandtypicallyleadstodivergence.In fact, starting with the loop postcondition I and repeatedly (1) letφ = (χ∧φ)⇒γ conjoining it with wp(s,I) is equivalent to unrolling the (2) letθ ={χ} loopbody! (3) letS =[] Therefore,weareinterestedinsolutionstotheabduction (4) whiletrue problemthatarelogicallystrongerthanjusttheweakestpre- (5) V = MUS(χ⇒γ,θ) condition of the current invariant. The main strengthening (6) ifV =∅thenbreak mechanismwewillusehereisquantifierelimination.Tosee (7) ψ = QE(∀V.χ⇒γ) howwecanusequantifiereliminationtosolveourabduction (8) S =S ::ψ problem,wefirstobservethattheentailment (9) θ =θ∪{¬ψ} (10) done |=(χ∧ψ)⇒γ (11) return(φ,S) canberewrittenas: Figure 4. Algorithm for computing an ordered list S of ψ |=χ⇒γ solutionstoabductionproblem χ∧φ ⇒ γ.Theprocedure MUS(φ,χ)computesamaximumuniversalsubsetofφwith Now, consider any subset of the free variables V of the respecttoχ. formulaχ⇒γ.Clearly,wehave: ∀V.χ⇒γ |=χ⇒γ by universally quantifying n and applying quantifier elimi- nation,weobtainy ≥ x,whichisindeedaninductiveloop Therefore, any formula ϕ that is logically equivalent to invariant. Intuitively, here, quantifier elimination allows us ∀V.χ ⇒ γ and that does not contradict χ is a solution to to generalize the last iteration of the loop to an inductive ourabductionproblem. assertion. DEFINITION1. (Universalsubset)Wecallasetofvariables Based on this observation, Figure 4 summarizes the full V a universal subset (US) of φ with respect to ψ if the abduction algorithm that we use for generating candidate formula(∀V.φ)∧ψissatisfiable. strengtheningsofthecurrentloopinvariant.Effectively,this Hence,ifV isauniversalsubsetofχ⇒φwithrespectto algorithmgeneratesallpossibleuniversalsubsetsofχ ⇒ γ χ,wecanobtainasolutiontoourabductionproblembypro- with respect to χ and infers a candidate strengthening by jectingoutvariablesV fromtheformulaχ⇒φthroughuni- projectingoutallvariablesinthatuniversalsubsetfromour versal quantifier elimination in Presburger arithmetic. Fur- verificationcondition. thermore,empirically,itturnsoutthatsolutionsobtainedin An important consideration in this algorithm is which thiswaythroughquantifiereliminationareveryusefulcan- universal subset to consider first. Specifically, since the didates for auxiliary loop invariants. Intuitively, quantifier invariant generation algorithm from Figure 2 performs a eliminationisusefulbecauseitallowsustoprojectoutvari- depth-first search, candidate strengthenings that are too ablesthatareirrelevantandpreventtheinvariantfrombeing weak can cause our algorithm to either take too long or, inductive. worse, diverge in an infinite chain of speculations. On the otherhand,ifwefirsttryastrengtheningthatistoostrong, EXAMPLE1. To get some intuition about why quantifier thisisoftennotaproblembecausethealgorithmcanquickly elimination is useful for generating inductive invariants, deriveacontradictionandbacktrack. considerthefollowingcodeexample: Now, observe that for a pair of universal subsets U,U(cid:48) intx=0;inty=0; ofsomeformulaφ,ifU ⊃ U(cid:48),then∀U.φlogicallyimplies while(x<n){ ∀U(cid:48).φ. Hence, to generate stronger auxiliary invariants be- x=x+1; foreweakerones,ourabductionalgorithmconsidersuniver- y=y+2; salsubsetsindecreasingorderoftheircardinality. } assert(y>=n); DEFINITION2. (Maximum universal subset) A universal subset U of φ is a maximum universal subset (MUS) if |U|≥|U(cid:48)|foranyotheruniversalsubsetU(cid:48)ofφ. Assumingtheinitialloopinvariantistrue,thegeneratedVC is x ≥ n ⇒ y ≥ n, which does not correspond to an in- Analgorithmforcomputingmaximumuniversalsubsets ductiveinvariant.Now,ifweprojectoutnfromthisformula offormulasisdescribedinourearlierwork[16]. We are now ready to explain the full algorithm shown wecanimmediatelyrejecttheabductivespeculationx = y in Figure 4 for generating an ordered list S of candidate sinceitcontradictstheloopprecondition.Hence,theuseof strengthenings.Ineachiterationofthewhileloop,wecom- forward reasoning allows us to locally reject many wrong puteamaximumuniversalsubsetofχ ⇒ γ consistentwith speculationsandpreventsunnecessarybacktracking. all constraints in set θ, which initially only includes χ. If A second important advantage of performing forwards there does not exist an MUS of χ ⇒ γ consistent with all reasoning is that it allows us to obtain stronger initial loop constraintsinθ,ouralgorithmterminatesandreturnsS asa invariants than just the trivial invariant true. Specifically, listofcandidatestrengthenings.However,ifthereexistsan recall that the INVGEN algorithm from Figure 2 initializes MUSV,wethenobtainanewcandidateinvariantψbypro- ∆ to map each φ to true. Now, if we know that the loop i jectingoutallvariablesinV fromtheformulaχ⇒γ using precondition is P and that variables V are not modified in aquantifiereliminationprocedureforPresburgerarithmetic, the loop, then we can safely initialize the loop invariant to suchasCooper’smethod[17].Now,sincewewanttoobtain ∃V. P where V represents variables that may be modified adifferentMUSinthenextiteration,weadd¬ψ toθ.This in the loop. As an example, suppose that the precondition strategyensuresthattheMUSobtainedinthenextiteration forsomeloopisx+y ≥n∧y ≤0.Ifweknowthatymay isdifferentfrompreviousonesbecauseV cannolongerbe bemodifiedintheloop,butxisdefinitelynotmodified,then anMUSconsistentwith¬ψ ≡ ¬(∀V.(χ ⇒ γ)).Therefore, wecansafelyconcludethatx≥nisaninvariantoftheloop thelistS computedbyourABDUCEprocedurecontainsthe byapplyingexistentialquantifiereliminationtotheformula set of auxiliary candidate invariants in decreasing order of ∃y.(x+y ≥ n∧y ≤ 0). This strategy gives us a sound logicalstrength. initialinvariantthatisbetterthanjusttrueandthereforecuts Observe that the abduction algorithm we present here is down substantially on the number of search paths explored not complete. That is, for an abduction problem defined by byouralgorithm. χ,γ, our method does not generate all possible formulas ψ Anotherimprovementofourimplementationovertheba- such that χ∧ψ ⇒ γ is valid. This is not surprising since sic algorithm is the lazy recomputation of verification con- there may be infinitely many ψ that solve a given abduc- ditions.Specifically,recallthatthe VERIFY algorithmfrom tionprobleminPresburgerarithmetic.Instead,ourapproach Figure2recomputestheVCfortheentireprogramineach onlycomputesthosesolutionsthatcanbeobtainedthrough recursive invocation, which is both expensive and unneces- applying quantifier elimination on the original formula. In sary. In our implementation, we therefore only recompute ourexperimentalevaluation(seeSection6),therearesome those clauses of the VC that could have changed due to benchmarkswhereourtechniqueisunsuccessfulduetothis strengthening a given loop invariant. For example, if we sourceofincompleteness. strengthen the invariant of some loop L, this only changes the VC of L, loops that immediately come before and af- 5. ImprovementsandExtensions terL,loopsinwhichLisnested,andloopsthatarenested We have implemented the algorithm described in this pa- insideL.Basedonthisobservation,ourimplementationup- per in a tool called HOLA 1. HOLA currently works on dates VCs locally rather than recomputing the VC for the the pointer-free fragment of the C language and uses the entireprogram. SAIL front-end for converting C programs to an interme- Our implementation also differs from the presentation diate language [18]. HOLA also utilizes the Mistral SMT in this paper in that it does not eagerly generate all possi- solver[16,19,20]fordeterminingsatisfiability,performing ble solutions to an abduction problem (as was done in the quantifiereliminationinPresburgerarithmetic,andcomput- ABDUCEalgorithmfromFigure4).Specifically,ourimple- ingmaximumuniversalsubsets. mentationgeneratesoneabductivesolutionatatimeandim- Animportantdifferencebetweenourimplementationand mediately tries to verify this speculation. A new abductive thebasicalgorithmdescribedinthispaperisthatourimple- solutionisgeneratedlazilyonlywhenthepreviousspecula- mentation performs a dual forwards and backwards analy- tion is wrong and forces backtracking to the previous deci- sisratherthanpurebackwardsreasoning.Specifically,while sionlevel. thealgorithmdescribedinthispapercomputesonlyweakest preconditions,ourimplementationsimultaneouslycomputes 6. ExperimentalEvaluation strongest postconditions and weakest preconditions. This To evaluate the proposed technique, we compared our tool combination of forwards and backwards reasoning has two HOLA with three available state-of-the-art invariant gen- significant advantages. First, the computation of strongest eration tools, namely BLAST [7], InvGen [5], and Inter- postconditions allows us to obtain (overapproximate) loop proc[21].Eachofthethreetoolswecomparedagainstrep- preconditions which are then used to reject abductive solu- resentsadifferentfamilyofinvariantgenerationtechniques: tionsthatviolatefactsknowntoholdonloopentry.Forex- Interproc is based on abstract interpretation and, in our ex- ample,ifweknowthatx=0andy =1holdonloopentry, periments, we compared against the most expressive ab- 1HOLAstandsfor“HOareLogicwithAbduction” stract domain implemented by Interproc, which is the re- Name LOC BLAST Time(s) InvGen Time(s) Interproc Time(s) HOLA Time(s) Benchmark1 21 (cid:52) 0.10 (cid:52) 0.14 (cid:52) 0.01 (cid:52) 0.03 Benchmark2 26 (cid:56) 0.08 (cid:56) 0.05 (cid:56) 0.01 (cid:52) 0.32 Benchmark3 22 (cid:52) 0.46 (cid:52) 0.20 (cid:56) 0.01 (cid:52) 0.04 Benchmark4 21 (cid:52) 1.22 (cid:56) 0.07 (cid:56) 0.01 (cid:52) 0.03 Benchmark5 27 (cid:56) — (cid:52) 0.21 (cid:52) 0.01 (cid:52) 0.06 Benchmark6 28 (cid:56) 0.08 (cid:56) 0.06 (cid:56) 0.01 (cid:52) 0.25 Benchmark7 27 (cid:56) 3.09 (cid:52) 0.22 (cid:52) 0.01 (cid:52) 0.56 Benchmark8 30 (cid:56) 5.68 (cid:52) 0.23 (cid:56) 0.01 (cid:52) 0.59 Benchmark9 49 (cid:56) — (cid:52) 0.34 (cid:52) 0.01 (cid:52) 0.06 Benchmark10 30 (cid:56) 0.08 (cid:56) 0.06 (cid:56) 0.01 (cid:52) 0.18 Benchmark11 24 (cid:56) — (cid:52) 0.16 (cid:52) 0.01 (cid:52) 0.20 Benchmark12 34 (cid:56) 7.94 (cid:56) — (cid:56) 0.01 (cid:52) 3.52 Benchmark13 25 (cid:52) 0.38 (cid:56) 0.20 (cid:52) 0.01 (cid:52) 0.38 Benchmark14 26 (cid:52) 1.14 (cid:52) 0.15 (cid:52) 0.01 (cid:52) 1.31 Benchmark15 28 (cid:52) 0.30 (cid:52) 0.15 (cid:52) 0.01 (cid:56) — Benchmark16 23 (cid:56) 1.13 (cid:52) 0.13 (cid:52) 0.01 (cid:52) 0.12 Benchmark17 22 (cid:52) 0.32 (cid:52) 0.19 (cid:52) 0.01 (cid:52) 0.05 Benchmark18 23 (cid:56) — (cid:56) 12.05 (cid:56) 0.01 (cid:52) 3.64 Benchmark19 24 (cid:52) 1.06 (cid:56) 0.08 (cid:56) 0.01 (cid:56) — Benchmark20 33 (cid:52) 2.11 (cid:56) 0.20 (cid:56) 0.01 (cid:52) 2.29 Benchmark21 39 (cid:56) 0.93 (cid:56) 0.04 (cid:52) 0.01 (cid:52) 1.55 Benchmark22 26 (cid:56) 0.10 (cid:56) 0.07 (cid:56) 0.01 (cid:52) 0.23 Benchmark23 20 (cid:56) — (cid:52) 0.16 (cid:56) 0.01 (cid:52) 0.03 Benchmark24 18 (cid:52) 0.08 (cid:52) 0.22 (cid:52) 0.01 (cid:52) 0.07 Benchmark25 33 (cid:52) 0.51 (cid:52) 4.63 (cid:56) 0.01 (cid:52) 0.07 Benchmark26 24 (cid:56) 0.07 (cid:56) 0.07 (cid:56) 0.01 (cid:52) 0.08 Benchmark27 23 (cid:52) 0.14 (cid:52) 0.21 (cid:52) 0.01 (cid:52) 0.08 Benchmark28 25 (cid:56) — (cid:52) 0.17 (cid:52) 0.01 (cid:52) 0.05 Benchmark29 32 (cid:56) 0.08 (cid:56) 0.05 (cid:56) 0.01 (cid:52) 0.37 Benchmark30 22 (cid:56) 0.55 (cid:52) 0.12 (cid:56) 0.01 (cid:52) 0.03 Benchmark31 29 (cid:52) 0.13 (cid:52) 0.25 (cid:56) 0.01 (cid:52) 0.25 Benchmark32 24 (cid:52) 0.11 (cid:56) 0.07 (cid:56) 0.01 (cid:52) 0.64 Benchmark33 36 (cid:52) 0.50 (cid:56) — (cid:56) 0.01 (cid:52) 0.10 Benchmark34 23 (cid:56) 1.12 (cid:56) 0.05 (cid:56) 0.01 (cid:56) — Benchmark35 17 (cid:52) 0.15 (cid:56) 0.10 (cid:56) 0.01 (cid:52) 0.09 Benchmark36 71 (cid:56) 1.01 (cid:56) 0.09 (cid:56) 0.01 (cid:52) 1.00 Benchmark37 21 (cid:52) 0.62 (cid:56) 0.14 (cid:56) 0.01 (cid:52) 0.87 Benchmark38 20 (cid:56) 0.14 (cid:56) 0.05 (cid:56) 0.01 (cid:52) 0.32 Benchmark39 62 (cid:52) 0.27 (cid:52) 0.28 (cid:52) 0.01 (cid:52) 0.40 Benchmark40 30 (cid:56) 0.86 (cid:56) 0.06 (cid:56) 0.01 (cid:52) 0.94 Benchmark41 25 (cid:56) 2.69 (cid:52) 0.16 (cid:56) 0.01 (cid:52) 0.53 Benchmark42 37 (cid:56) 0.08 (cid:52) 0.07 (cid:52) 0.01 (cid:52) 0.07 Benchmark43 27 (cid:52) 0.08 (cid:52) 0.18 (cid:52) 0.01 (cid:52) 0.05 Benchmark44 35 (cid:52) 0.36 (cid:56) 0.22 (cid:56) 0.01 (cid:52) 1.25 Benchmark45 44 (cid:56) 0.30 (cid:56) 0.11 (cid:56) 0.01 (cid:52) 0.65 Benchmark46 24 (cid:56) 0.12 (cid:56) 0.05 (cid:56) 0.01 (cid:52) 0.18 Figure5. Experimentalresults ducedproductofpolyhedraandlinearcongruencesabstract tools. For these benchmarks, HOLA fails to find an induc- domains. InvGen is a constraint-based invariant generator tive invariant because the required invariant can simply not andsolvesfortheunknownparametersofagiventemplate beobtainedbyperformingquantifiereliminationonthegen- of invariants. In our experiments, we used the default tem- eratedVCs.Inprinciple,however,adifferentalgorithmfor plates provided by InvGen. Finally, BLAST is a CEGAR- performingabductioncouldgeneratetherequiredinvariant. basedmodelcheckerwhichusesCraiginterpolationtogen- In contrast, HOLA can verify 13 benchmarks that no other eratecandidateinvariantsfromcounterexamples. tool can verify. Some of these benchmarks require disjunc- In our experimental evaluation, we used 46 loop invari- tive invariants and are therefore fundamentally beyond the ant benchmarks, each containing at least one loop and at capabilities of standard abstract interpretation tools such as least one assertion. Some benchmarks contain nested loops Interproc.3InvGenfailstoverifythesebenchmarksbecause ormultiplesequentialloops.26ofour46benchmarksareei- the required invariants are simply not in the vocabulary of thertakendirectlyoradaptedfromothersources,including thetemplatesusedbyInvGen.Incontrast,BLASTdiverges examplesfromotherloopinvariantgenerationpapers[2,22– on many of these benchmarks since the interpolants com- 31],theInvGentestsuite[32],andtheNECLAverification putedfromcounterexampletracesdonotgeneralizeintoin- benchmarks [33]. The remaining 20 benchmarks are taken ductiveinvariants.Webelievetheseresultsdemonstratethat fromtheHOLAtestsuite.Allbenchmarksareavailablefrom our new method complements existing techniques and ad- http://www.cs.wm.edu/˜tdillig/oopsla13-benchmarks.tar.gz. vancesthestate-of-the-artinloopinvariantgeneration. Intheexperiments,ourgoalistodeterminewhichofthe Figure6presentsmoredetailsaboutthebehaviorofour tools can infer strong enough invariants sufficient to verify algorithm on the experimental benchmarks. The column all assertions in the program. While BLAST, InvGen, and labeled “‘Strengthenings” shows the minimum number of HOLA can directly process assertions in the source code, strengthening steps required for computing the final invari- Interproc only outputs inferred invariants for each program ant. In contrast, the column labeled “Iterations” shows the point.Thus,forInterproc,weusedanSMTsolvertocheck number of recursive calls made by our algorithm. Observe whethertheinferredinvariantsimplythesafetyoftheasser- thatifoursearchstrategyisperfect(i.e.,thefirstabductive tion. solution always corresponds to a valid program invariant), Figure5presentstheresultsofourexperimentalevalua- then the number of iterations should be exactly one greater tion. These experiments were performed on an Intel i5 2.6 than the number of strengthenings. Therefore, a high ra- GHzCPUwith8GBofmemory.Foreachtool,(cid:52)indicates tio of strengthenings to iterations means that our algorithm thatthetoolwasabletoverifyallassertionsintheprogram, immediately homes in on the correct invariants. The col- while(cid:56)denotestheopposite(i.e.,eitherthetooldidnotter- umnlabeled“Backtracks”reportsthetotalnumberofback- minateorwasunabletoinferthenecessaryinvariants).The tracking steps performed by our algorithm. If the number columnslabeled“Time”nexttothetoolnamesindicatehow ofbacktracking stepsis high,this meanswe performmany long the tools took on each benchmark in seconds. A dash unnecessarystrengthenings. (—)inthiscolumnindicatesthatthetooldidnotterminate AccordingtothedatafromFigure6,ouralgorithmtakes in200seconds. anaverageof22.4iterationsand19.7backtrackingstepsto AsFigure5shows,theproposedtechniqueisquiteeffec- compute the final invariants required for verifying the pro- tive at finding strong enough invariants sufficient to verify gram.Formostbenchmarks,theratioofstrengtheningstoit- these benchmarks. Specifically, HOLA can verify 43 out of erationsishigh,indicatingthatthealgorithmquicklyhomes our46benchmarksanddivergesonthree.AsFigure5also inonthecorrectinvariant.However,forsomebenchmarks, indicates, HOLA can verify 13 benchmarks that cannot be suchas18,20,and37,thestrengtheningtoiterationratiois proven by any other tool. In contrast, there are two bench- lowandthenumberofbacktrackingstepsishigh.Thisindi- marksthatcanbeverifiedbyatleastoneothertool,butnot catesthatoursimpledepth-firstsearchstrategyissometimes by HOLA. Overall, HOLA has a success rate of 93.5% on ineffective.Thatis,ouralgorithmalwayschoosesstrength- thesebenchmarkswhileBLAST,InvGen,andInterprochave ening the current speculated invariant over exploring other asuccessrateof43.5%,47.8%,and37.0%respectively.2 speculations,butforsomebenchmarks,thissimplestrategy WhileHOLAperformsoverallbetterthantheothertools resultsinexploringmanydeadends.Thisdataindicatesthat on these benchmarks, the set of invariants that can be in- theperformanceofouralgorithmcouldbefurtherimproved ferred by HOLA is not a superset of those invariants that byformulatingeffectiveheuristicstoguidesearchspaceex- canbeinferredbyotherapproaches.Indeed, HOLA failsto ploration,whichweleaveasfuturework. verify benchmark 19 which can be verified by BLAST as ThelastthreecolumnsinFigure6giveinformationabout well as benchmark 15 which can be verified by all other the computed invariants. The column labeled “ Invariants” gives the number of non-trivial loop invariants required to 2Onthe26benchmarkstakenfromexternalsources,HOLAhasasuccess rateof96.2%whileBLAST,InvGen,andInterprochavesuccessratesof 3While some of these benchmarks do not require disjunctive invariants, 57.7%,65.4%,and50%respectively. Interprocstillfailsduetowidening. Name Strengthenings Iterations Backtracks #Invariants Disjunctive? Avg.Inv.Size Benchmark1 2 3 0 1 no 2.0 Benchmark2 3 4 0 1 no 5.0 Benchmark3 0 1 0 3 yes 1.7 Benchmark4 1 6 4 1 yes 2.0 Benchmark5 2 3 0 1 no 2.0 Benchmark6 4 5 0 2 yes 5.0 Benchmark7 2 14 11 1 yes 4.0 Benchmark8 3 14 10 1 no 3.0 Benchmark9 6 8 0 4 no 1.0 Benchmark10 2 3 1 1 yes 5.0 Benchmark11 2 14 12 1 yes 4.0 Benchmark12 7 74 68 2 yes 5.0 Benchmark13 2 28 25 1 yes 8.0 Benchmark14 2 29 26 1 no 5.0 Benchmark15 – – – – – – Benchmark16 1 23 21 1 yes 2.0 Benchmark17 7 7 2 2 no 2.0 Benchmark18 2 234 226 1 no 4.0 Benchmark19 – – – – – – Benchmark20 2 132 129 1 yes 1.5 Benchmark21 2 3 0 1 yes 9.0 Benchmark22 2 3 0 1 no 4.0 Benchmark23 2 3 0 1 no 3.0 Benchmark24 2 3 0 2 no 1.7 Benchmark25 4 5 0 2 no 2.0 Benchmark26 6 8 0 2 yes 5.0 Benchmark27 7 8 0 3 yes 2.7 Benchmark28 2 7 3 2 no 2.0 Benchmark29 2 3 0 2 no 1.0 Benchmark30 2 3 0 1 no 2.0 Benchmark31 2 4 0 3 yes 5.3 Benchmark32 3 27 25 1 yes 11.0 Benchmark33 6 7 0 3 no 1.7 Benchmark34 – – – – – – Benchmark35 1 19 17 1 yes 3.0 Benchmark36 2 7 4 4 no 3.5 Benchmark37 2 94 92 1 yes 2.0 Benchmark38 2 17 14 1 yes 4.0 Benchmark39 0 1 0 1 yes 11.0 Benchmark40 7 57 52 2 yes 3.0 Benchmark41 3 4 0 1 yes 10.0 Benchmark42 2 3 0 1 yes 5.0 Benchmark43 1 2 0 1 no 3.0 Benchmark44 1 46 44 1 yes 6.0 Benchmark45 10 11 0 3 yes 6.0 Benchmark46 2 10 7 1 yes 4.0 Figure6. Statisticsaboutalgorithmandthebenchmarks