We consider the problem of checking whether a proposed invariant ϕ expressed in first-order logic with quantifier alternation is inductive, i.e. preserved by a piece of code. While the problem is undecidable, modern SMT solvers can sometimes solve it automatically. However, they employ powerful quantifier instantiation methods that may diverge, especially when ϕ is not preserved. A notable difficulty arises due to counterexamples of infinite size. This paper studies Bounded-Horizon instantiation, a natural method for guaranteeing the termination of SMT solvers. The method bounds the depth of terms used in the quantifier instantiation process. We show that this method is surprisingly powerful for checking quantified invariants in uninterpreted domains. Furthermore, by producing partial models it can help the user diagnose the case when ϕ is not inductive, especially when the underlying reason is the existence of infinite counterexamples. Our main technical result is that Bounded-Horizon is at least as powerful as instrumentation, which is a manual method to guarantee convergence of the solver by modifying the program so that it admits a purely universal invariant. We show that with a bound of 1 we can simulate a natural class of instrumentations, without the need to modify the code and in a fully automatic way. We also report on a prototype implementation on top of Z3, which we used to verify several examples by Bounded-Horizon of bound 1.
Introduction

This paper addresses a fundamental problem in automatic program verification: how to prove that a piece of code preserves a given invariant. In Floyd-Hoare style verification this means that we want to automatically prove the validity of the Hoare triple {P}C{P} where P is an assertion and C is a command. Often this is shown by proving the unsatisfiability of a formula of the form P(V) ∧ δ(V, V') ∧ ¬P(V') (the verification condition) where P(V) denotes the assertion P before the command, P(V') denotes the assertion P after the command, and δ(V, V') is a two-vocabulary formula expressing the meaning of the command. Such transition relations can be extracted from code by existing tools for C code manipulating linked lists [IBI+13, IBR+14, KBI+17] and for the modeling language RML [PMP+16] which is Turing-complete.

Vol. 15:3 BOUNDED QUANTIFIER INSTANTIATION FOR CHECKING INDUCTIVE INVARIANTS 18:3

For example, [HHK+15] describes a client-server scenario with the invariant that "For every reply message sent by the server, there exists a corresponding request message sent by a client". (See Example 3.7 for further details.) This invariant is ∀*∃* and thus leads to verification conditions with quantifier alternation. This kind of quantifier alternation may lead to divergence of the solver as problems (1) and (2) re-emerge. This paper aims to expand the applicability of the EPR-based verification approach to invariants of more complex quantification. We focus on the class of ∀*∃* invariants. ∀*∃* invariants arise in interesting programs, but, as we show, chec...
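The verification condition P(V) ∧ δ(V, V') ∧ ¬P(V') can be made concrete on a small finite model of the client-server scenario. The following is an added example, not code from the paper or its Z3 prototype, and it does not implement Bounded-Horizon instantiation: it simply enumerates every state over a constructed pool of two message ids and two clients and searches for a pre-state satisfying P whose successor under δ violates P (a counterexample to induction). The message pool, the two transition relations (a server that checks for a request before replying, and an unchecked variant) and the names `delta_checked`, `delta_unchecked` and `counterexample_to_induction` are all assumptions of this example. The invariant has the ∀*∃* shape discussed above: for every reply there exists a request from the same client.

```python
from itertools import combinations, product

# Constructed finite-domain toy (not the paper's Example 3.7): a message is a
# (message_id, client) pair; a state is (requests, replies), each a frozenset
# of messages. The domain is deliberately tiny so exhaustive enumeration works.
MESSAGE_IDS = (0, 1)
CLIENTS = (0, 1)
MESSAGES = tuple(product(MESSAGE_IDS, CLIENTS))


def all_message_sets():
    """Every subset of the message pool, as a frozenset."""
    for r in range(len(MESSAGES) + 1):
        for s in combinations(MESSAGES, r):
            yield frozenset(s)


def all_states():
    """Every (requests, replies) pair over the finite message pool."""
    sets = list(all_message_sets())
    for req, rep in product(sets, repeat=2):
        yield (req, rep)


def invariant(state):
    """P: for every reply there exists a request from the same client
    (a forall-exists property over messages)."""
    req, rep = state
    return all(any(q[1] == r[1] for q in req) for r in rep)


def delta_checked(state):
    """delta for the checked server: a reply to client c is only sent when
    some request from c has already been received. Yields (action, msg, post)."""
    req, rep = state
    for m in MESSAGES:
        yield ("receive_request", m, (req | {m}, rep))
        if any(q[1] == m[1] for q in req):
            yield ("send_reply", m, (req, rep | {m}))


def delta_unchecked(state):
    """Hypothetical buggy server: replies are sent without consulting requests."""
    req, rep = state
    for m in MESSAGES:
        yield ("receive_request", m, (req | {m}, rep))
        yield ("send_reply", m, (req, rep | {m}))


def counterexample_to_induction(inv, delta):
    """Look for a model of P(V) and delta(V, V') and not P(V') by enumeration.
    Returns None when no such model exists over this finite domain (inv is
    inductive w.r.t. delta there), otherwise a dict describing the violating
    pre-state, action and post-state."""
    for pre in all_states():
        if not inv(pre):
            continue  # P(V) must hold in the pre-state
        for action, msg, post in delta(pre):
            if not inv(post):  # not P(V') holds in the post-state
                return {"pre": pre, "action": action, "message": msg, "post": post}
    return None


if __name__ == "__main__":
    print("checked server, counterexample:",
          counterexample_to_induction(invariant, delta_checked))
    print("unchecked server, counterexample:",
          counterexample_to_induction(invariant, delta_unchecked))
```

For the checked server no counterexample exists, so the invariant is inductive over this domain; for the unchecked server the search returns the empty pre-state and a `send_reply` step whose post-state contains a reply with no matching request. Enumeration only answers the question for the fixed finite domain, which is exactly the limitation that motivates reasoning about the unbounded first-order verification condition in the text.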