Rahul Sharma and Alex Aiken (Stanford University)
1
x = i;
y = j;
while y!=0 do
x = x-1;
y = y-1;
if( i==j )
assert x==0


𝑥=0
𝑥+𝑦 =0
⋮

𝑖+𝑦 =𝑥+𝑗


No!
Yes!
2
Numerical
Arrays
Heap
delete
PLDI08-1
NECLA-2
init
d-swap
delete-all
PLDI08-2
NECLA-3
init-nc
strcpy
find
PLDI08-3
SVCOMP-1
init-p
strlen
filter
PLDI08-4
SVCOMP-2
init-e
memcpy
last
synergy-1
SVCOMP-3
2darray
find
reverse
synergy-2
SVCOMP-4
copy
find-n
TACAS06
monniaux
copy-p
append
Strings
NECLA-1
nested
copy-o
merge
length
reverse
alloc-f
replace
swap
alloc-nf
index
substring
3
assume P
while B do
S
assert Q

Find 𝐼 that satisfies

𝑃⇒𝐼

𝐼 ∧ 𝐵 𝑆 {𝐼}

𝐼 ∧ ¬𝐵 ⇒ 𝑄
Find a valuation of unknown predicates that
makes the verification conditions (VCs) valid
4

Given a set 𝑆 of candidates
 Goal is to find a candidate that satisfies the VCs

This problem is hard!

Effective domain specific approaches
 Numerical, arrays, linked lists, etc.
Is it possible to have a general search procedure?
5

(Domain-specific) Checker + (General) Search = Inference

To obtain an invariant inference engine
 Instantiate the search with a search space
 An SMT solver to check
6

A generally applicable randomized search

Numerical, array, linked lists, and strings

Competitive performance with specialized approaches
7

Markov Chain Monte Carlo (MCMC) sampling

The only known tractable solution method for high
dimensional irregular search spaces [andrieu
03][chenney 00]
8
37
73
47
17
29
42
23
9
1.
2.
3.
4.
5.
6.
7.
𝐶 ≔ 𝑡𝑟𝑢𝑒
while( 𝑐𝑜𝑠𝑡 𝐶 ≠ 0 )
Propose a random modification to 𝐶
if cost decreased then accept
if cost increased then
with some probability accept anyway
return 𝐶
10

𝑐𝑜𝑠𝑡 𝐶 =

Problems
0
1
if 𝐶 makes VCs valid
if 𝐶 is not an invariant
 Throughput < 1000 iterations per second
 No incremental feedback
11

Given sets of concrete states
 G: some reachable states
 B: some bad states
b
g
 Z: some implications

𝑐𝑜𝑠𝑡(𝐶) =
𝑔∈𝐺 ¬𝐶(𝑔)
𝑏∈𝐵 𝐶(𝑏)
𝑠,𝑡
…
+
s
I
t
Incremental feedback
+
∈𝑍 𝐶 𝑠 ∧ ¬𝐶(𝑡) +
Efficient to evaluate
12

𝑃⇒𝐶

Reachable state 𝑔, 𝐼 𝑔 = true
 𝐶 𝑔 = false

𝐶 ∧ 𝐵 𝑆 {𝐶}


 𝐶 𝑠 ∧ ¬𝐶 𝑡 = true
𝐶 ∧ ¬𝐵 ⇒ 𝑄
assume P
while B do
S
assert Q
Pair (𝑠, 𝑡), 𝐼 𝑠 ⇒ 𝐼(𝑡)

Bad state 𝑏, 𝐼 𝑏 = false
 𝐶 𝑏 = true
13

Given G, Z, and B, for the cost function

Run search until a 0-cost candidate 𝐶 is found

𝐶ℎ𝑒𝑐𝑘 𝐶, 𝑉𝐶
 SMT solver checks that 𝐶 satisfies all the VCs
 If yes, then done

Update G, Z, or B and repeat
 SMT solvers can generate counterexamples
 If not then generate from executions
14

Program has integral variables 𝑥1 … 𝑥𝑛

Search space:

Transformations for MCMC:
10
𝑖=1
10
𝑗=1
𝑖,𝑗
𝑛
𝑤
𝑘=1 𝑘 𝑥𝑘
≤ 𝑑𝑖,𝑗
 Update a 𝑤
 Update a 𝑑
 Update all 𝑤 ′ 𝑠 and 𝑑 of a single inequality
15
16
17

Fluid updates abstraction of DDA (ESOP’10)
 ∀𝑢, 𝑣. 𝑇 𝑥1 , … , 𝑥𝑛 , 𝑢, 𝑣 ⇒ 𝑓 𝑢 = 𝑔[𝑣]

Z3 fails to generate counterexamples

MCMC on this search space times out on ~30%
 Restrict search space: handle each in under a second
18

Search space: Boolean combinations of atoms
 Atoms are relations 𝑅(𝑥1 , … , 𝑥𝑛 )
 Reachability relations

Use EPR (CAV’13) for check
19

Operations that intermix strings and integers
 length(s), indexOf(s1, s2), substr(s1, i1, i2), …

Search space: Boolean combinations of predicates

Z3-Str (FSE’13) for check
20

Static invariant inference is a hard problem,
made easier by separating search and check

Search based techniques can work
 Competitive with other methods
 Easier to retarget to new domains

Future work, scale MCMC to full program proofs
21

Pranav Garg, Christof Löding, P. Madhusudan, Daniel Neider: ICE: A Robust
Framework for Learning Invariants. CAV 2014

Shachar Itzhaky, Nikolaj Bjørner, Thomas W. Reps, Mooly Sagiv, Aditya V. Thakur:
Property-Directed Shape Analysis. CAV 2014

Rajeev Alur, Rastislav Bodík, Garvit Juniwal, Milo M. K. Martin, Mukund
Raghothaman, Sanjit A. Seshia, Rishabh Singh, Armando Solar-Lezama, Emina
Torlak, Abhishek Udupa: Syntax-guided synthesis. FMCAD 2013

Ashutosh Gupta, Rupak Majumdar, Andrey Rybalchenko: From tests to proofs.
STTT 15(4) (2013)

Yungbum Jung, Soonho Kong, Bow-Yaw Wang, KwangkeunYi:
Deriving Invariants by Algorithmic Learning, Decision Procedures,
and Predicate Abstraction. VMCAI 2010

Sumit Gulwani, Nebojsa Jojic: Program verification as probabilistic
inference. POPL 2007: 277-289
22