Property-Directed Inference of Universal Invariants or Proving Their Absence

Karbyshev, Aleksandr; Bjørner, Nikolaj; Itzhaky, Shachar; Rinetzky, Noam; Shoham, Sharon

doi:10.1145/3022187

Cited by 33 publications

(34 citation statements)

References 57 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Phase-PDR ∀ . Our procedure is based on PDR ∀ [39], a variant of PDR [10,21] that infers universally quantified inductive invariants. PDR computes a sequence of frames F 0 , .…”

Section: Phase-pdr ∀ For Inferring Universally Quantified Characterizmentioning

confidence: 99%

“…One case is when there does not exist an inductive phase invariant with universal phase characterizations over the given structure. When this occurs, our tool can return an abstract counterexample trace-a sequence of program transitions and transitions of the automaton (inspired by [39,48])-which constitutes a proof of that fact (see Appendix B). The counterexample trace can assist the user in debugging the automaton or the program and modifying them.…”

Section: Phase-pdr ∀ For Inferring Universally Quantified Characterizmentioning

confidence: 99%

See 1 more Smart Citation

Inferring Inductive Invariants from Phase Structures

Feldman

Wilcox

Shoham

et al. 2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Infinite-state systems such as distributed protocols are challenging to verify using interactive theorem provers or automatic verification tools. Of these techniques, deductive verification is highly expressive but requires the user to annotate the system with inductive invariants. To relieve the user from this laborintensive and challenging task, invariant inference aims to find inductive invariants automatically. Unfortunately, when applied to infinite-state systems such as distributed protocols, existing inference techniques often diverge, which limits their applicability. This paper proposes user-guided invariant inference based on phase invariants, which capture the different logical phases of the protocol. Users conveys their intuition by specifying a phase structure, an automaton with edges labeled by program transitions; the tool automatically infers assertions that hold in the automaton's states, resulting in a full safety proof. The additional structure from phases guides the inference procedure towards finding an invariant. Our results show that user guidance by phase structures facilitates successful inference beyond the state of the art. We find that phase structures are pleasantly well matched to the intuitive reasoning routinely used by domain experts to understand why distributed protocols are correct, so that providing a phase structure reuses this existing intuition. 1 type key 2 type value 3 type node 4 type sequnum 5 6 relation owner: node, key 7 relation table: node, key, value 8 relation transfer_msg: node, node, 9 key, value, seqnum 10 relation ack_msg: node, node, seqnum 11 relation seqnum_sent: node, seqnum 12 relation unacked: node, node, 13 key, value, seqnum 14 relation seqnum_recvd: node, node, seqnum 15 16 init ∀n1, n2, k. owner(n1,k)∧owner(n2,k) 17 → n1 = n2 18 init // all other relations are empty 19 20 action reshard(n_old:node, n_new:node, 21 k:key, value:sequnum) 22 require table(n_old, k, v)23 ∧¬seqnum_sent(n_old, s) 24 seqnum_sent(n_old, s) := true 25 table(n_old, k, v) := false 26 owner(n_old, k) := false 27 transfer_msg(n_old, n_new, k, v, s) := true 28 unacked(n_old, n_new, k, v, s) := true 29 30 action drop_transfer_msg(src:node, dst:node, 31 k:key, v:value, s:seqnum) 32 require transfer_msg(src, dst, k, v, s) 33 transfer_msg(src, dst, k, v, s) := false 34 35 action retransmit(src:node, dst:node, 36 k:key, v:value, s:seqnum) 37 require unacked(src, dst, k, v, s) 38 transfer_msg(src, dst, k, v, s) := true 39 action recv_transfer_msg(src:node, n:node, 40 k:key, v:value, s:seqnum) 41 require transfer_msg(src, n, k, v, s) 42 ∧¬seqnum_recvd(n, src, s) 43 seqnum_recvd(n, src, s) := true 44 table(n, k, v) := true 45 owner(n, k) := true 46 47 action send_ack(src:node, n:node, 48

show abstract

“…Phase-PDR ∀ . Our procedure is based on PDR ∀ [39], a variant of PDR [10,21] that infers universally quantified inductive invariants. PDR computes a sequence of frames F 0 , .…”

Section: Phase-pdr ∀ For Inferring Universally Quantified Characterizmentioning

confidence: 99%

Section: Phase-pdr ∀ For Inferring Universally Quantified Characterizmentioning

confidence: 99%

Inferring Inductive Invariants from Phase Structures

Feldman

Wilcox

Shoham

et al. 2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Recently, this algorithm has been extended and generalized to software systems [e.g. Bjørner and Gurfinkel 2015;Cimatti et al 2014;Hoder and Bjørner 2012;Karbyshev et al 2017;Komuravelli et al 2014].…”

Section: Introductionmentioning

confidence: 99%

“…We analyze these questions in the foundational case of Boolean programs, which is applicable to infinite-state systems through predicate abstraction [Flanagan and Qadeer 2002;Graf and Saïdi 1997;Lahiri and Qadeer 2009], and is also a core part of other invariant inference techniques for infinite-state systems [e.g. Hoder and Bjørner 2012;Karbyshev et al 2017;Komuravelli et al 2014].…”

Section: Introductionmentioning

confidence: 99%

Complexity and information in invariant inference

Feldman

Immerman

Sagiv

et al. 2019

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

This paper addresses the complexity of SAT-based invariant inference, a prominent approach to safety verification. We consider the problem of inferring an inductive invariant of polynomial length given a transition system and a safety property. We analyze the complexity of this problem in a black-box model, called the Hoare-query model, which is general enough to capture algorithms such as IC3/PDR and its variants. An algorithm in this model learns about the system's reachable states by querying the validity of Hoare triples.We show that in general an algorithm in the Hoare-query model requires an exponential number of queries. Our lower bound is information-theoretic and applies even to computationally unrestricted algorithms, showing that no choice of generalization from the partial information obtained in a polynomial number of Hoare queries can lead to an efficient invariant inference procedure in this class.We then show, for the first time, that by utilizing rich Hoare queries, as done in PDR, inference can be exponentially more efficient than approaches such as ICE learning, which only utilize inductiveness checks of candidates. We do so by constructing a class of transition systems for which a simple version of PDR with a single frame infers invariants in a polynomial number of queries, whereas every algorithm using only inductiveness checks and counterexamples requires an exponential number of queries.Our results also shed light on connections and differences with the classical theory of exact concept learning with queries, and imply that learning from counterexamples to induction is harder than classical exact learning from labeled examples. This demonstrates that the convergence rate of Counterexample-Guided Inductive Synthesis depends on the form of counterexamples.

show abstract

“…Related Work. A large number of different techniques have been proposed to generate loop invariants automatically, especially on numeric domains [9,10], but also in more expressive logics, for programs containing arrays or expressible using combination of theories [26,8,23,18,22,24]. We only briefly review the main ideas of the most popular and successful approaches.…”

Section: Introductionmentioning

confidence: 99%

Ilinva: Using Abduction to Generate Loop Invariants

Echenim

Peltier

Sellami

2019

Frontiers of Combining Systems

View full text Add to dashboard Cite

We describe a system to prove properties of programs. The key feature of this approach is a method to automatically synthesize inductive invariants of the loops contained in the program. The method is generic, i.e., it applies to a large set of programming languages and application domains; and lazy, in the sense that it only generates invariants that allow one to derive the required properties. It relies on an existing system called GPiD for abductive reasoning modulo theories [14], and on the platform for program verification Why3 [16]. Experiments show evidence of the practical relevance of our approach.

show abstract

Property-Directed Inference of Universal Invariants or Proving Their Absence

Cited by 33 publications

References 57 publications

Inferring Inductive Invariants from Phase Structures

Inferring Inductive Invariants from Phase Structures

Complexity and information in invariant inference

Ilinva: Using Abduction to Generate Loop Invariants

Contact Info

Product

Resources

About