Constraint-Based Invariant Inference over Predicate Abstraction

This paper describes a constraint-based invariant generation technique for proving the validity of safety assertions over the domain of predicate abstraction in an interprocedural setting. The key idea of the technique is to represent each invariant in bounded DNF form by means of boolean indicator variables, one for each predicate p and each disjunct d denoting whether p is present in d or not. The verification condition of the program is then encoded by means of a boolean formula over these boolean indicator variables such that any satisfying assignment to the formula yields the inductive invariants for proving the validity of given program assertions. This paper also describes how to use the constraint-based methodology for generating maximally-weak preconditions for safety assertions. An interesting application of maximally-weak precondition generation is to produce maximally-general counterexamples for safety assertions. We also present preliminary experimental evidence demonstrating the feasibility of this technique.
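As an added illustration (not code from the paper), the indicator-variable encoding on a constructed one-loop program: each boolean `assign[(p, d)]` records whether predicate `p` occurs in disjunct `d` of the bounded-DNF template, and an assignment is accepted when the template satisfies the verification condition (initiation, consecution, exit assertion). The paper's SAT/SMT encoding is replaced here, as an assumption, by a bounded enumeration over concrete states and candidate assignments; the program, predicate set and the helpers `holds`, `inductive`, `infer` and `render` are all constructed for this example.

```python
from itertools import product

# Constructed toy program (not from the paper):
#   x := 0; while (x < 10) { x := x + 1 }; assert x == 10
init, guard = (lambda x: x == 0), (lambda x: x < 10)
step, post = (lambda x: x + 1), (lambda x: x == 10)

# Candidate predicates of the abstraction domain (constructed).
PREDS = {
    "x>=0":  lambda x: x >= 0,
    "x<=10": lambda x: x <= 10,
    "x<10":  lambda x: x < 10,
    "x==10": lambda x: x == 10,
}
# Assumption: the paper discharges the verification condition with a SAT/SMT
# encoding; here a bounded concrete state space stands in for that check.
STATES = range(-3, 14)

def holds(assign, preds, x):
    """Evaluate the DNF template at state x. assign[(p, d)] is the indicator
    variable for predicate p in disjunct d; an empty conjunction is True."""
    disjuncts = {d for (_, d) in assign}
    return any(all(preds[p](x) for (p, d2), on in assign.items() if on and d2 == d)
               for d in disjuncts)

def inductive(assign, preds):
    """Verification condition: initiation, consecution, and the exit assertion."""
    inv = lambda x: holds(assign, preds, x)
    return all((not init(x) or inv(x))
               and (not (inv(x) and guard(x)) or inv(step(x)))
               and (not (inv(x) and not guard(x)) or post(x))
               for x in STATES)

def infer(preds, num_disjuncts=2):
    """Enumerate the indicator variables (the paper hands this to a SAT solver)
    and return the first assignment whose template is inductive, else None."""
    keys = [(p, d) for d in range(num_disjuncts) for p in preds]
    for bits in product([False, True], repeat=len(keys)):
        assign = dict(zip(keys, bits))
        if inductive(assign, preds):
            return assign
    return None

def render(assign):
    """Print the invariant a satisfying assignment encodes, e.g. 'x<=10'."""
    disjuncts = sorted({d for (_, d) in assign})
    return " | ".join(" & ".join(p for (p, d2), on in assign.items() if on and d2 == d) or "true"
                      for d in disjuncts)

if __name__ == "__main__":
    print(render(infer(PREDS)))
```

Dropping `x<=10` from the predicate set makes the search fail, which is the predicate-abstraction analogue of an abstraction that is too coarse to express an inductive invariant.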
