Learning inductive invariants by sampling from frequency distributions

Automated verification of program safety reduces to the discovery of safe inductive invariants, i.e., formulas that over-approximate the set of reachable program states but are precise enough to prove that the error state is unreachable. We present a framework, called FreqHorn, that follows the Syntax-Guided Synthesis paradigm to iteratively sample candidate invariants from a formal grammar and check them with an SMT solver. FreqHorn automatically constructs grammars from either the source code or bounded proofs. After each (un)successful candidate, FreqHorn adjusts the grammars to ensure the candidate is not sampled again. The process continues either until the conjunction of successful candidates (called lemmas) is sufficient or the search space is exhausted. Additionally, FreqHorn keeps a history of counterexamples-to-induction (CTIs) that block learning a lemma. With some periodicity, it checks whether a CTI has been invalidated by the currently learned lemmas and, if so, rechecks the failed lemma. FreqHorn is also able to check several candidates at once, filtering them effectively using the well-known Houdini algorithm.
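As an added illustration (not FreqHorn's own code), the following shows the Houdini-style filtering and CTI bookkeeping described above on a constructed loop. It assumes a finite state space that is enumerated exhaustively in place of the SMT queries FreqHorn would make, so that it runs offline; the loop, the candidate set and the error predicate are all constructed here.

```python
from itertools import product

# Constructed sample loop:  x = 0; y = 0; while x < N: x += 1; y += 2
N = 8
INIT = [(0, 0)]
STATES = list(product(range(N + 2), range(2 * N + 4)))   # finite state space (assumption)

def step(s):
    """Successor states of s under one loop iteration (none once the loop has exited)."""
    x, y = s
    return [(x + 1, y + 2)] if x < N else []

# Candidate lemmas, standing in for candidates sampled from a FreqHorn grammar
CANDIDATES = {
    "y == 2*x": lambda s: s[1] == 2 * s[0],
    "x <= N":   lambda s: s[0] <= N,
    "y >= 0":   lambda s: s[1] >= 0,
    "y <= x":   lambda s: s[1] <= s[0],   # holds initially, but is not inductive
    "x < N":    lambda s: s[0] < N,       # violated by the last iteration
}

def houdini(cands, init, states, step):
    """Weaken the candidate set until its conjunction is inductive.
    Returns (surviving candidates, CTI recorded for each dropped candidate)."""
    alive, ctis = dict(cands), {}
    while True:
        conj = lambda s: all(p(s) for p in alive.values())
        dropped = None
        for name, pred in alive.items():
            # initiation: every initial state must satisfy the candidate
            bad = [s for s in init if not pred(s)]
            # consecution: no step out of a state satisfying the conjunction may violate it
            bad += [s for s in states if conj(s) for t in step(s) if not pred(t)]
            if bad:
                dropped, ctis[name] = name, bad[0]
                break               # the conjunction changes, so restart the pass
        if dropped is None:
            return alive, ctis
        del alive[dropped]

def proves(lemmas, states, error):
    """True if the learned conjunction excludes every error state."""
    return not any(error(s) and all(p(s) for p in lemmas.values()) for s in states)

def cti_invalidated(ctis, lemmas):
    """Names of dropped candidates whose CTI the current lemmas now rule out
    (those are the candidates FreqHorn would recheck)."""
    return [n for n, s in ctis.items() if not all(p(s) for p in lemmas.values())]
```

On this loop Houdini keeps `y == 2*x`, `x <= N` and `y >= 0`, which together rule out the error `y > 2*N`; the two recorded CTIs remain consistent with the lemmas, so nothing is rechecked.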
