Property-Directed Inference of Universal Invariants or Proving Their Absence

We present Universal Property Directed Reachability (\(\mathsf{PDR}^{\forall}\)), a property-directed procedure for the automatic inference of invariants in a universal fragment of first-order logic. \(\mathsf{PDR}^{\forall}\) extends Bradley's PDR/IC3 algorithm for the inference of propositional invariants. \(\mathsf{PDR}^{\forall}\) terminates when it either discovers a concrete counterexample, infers an inductive universal invariant strong enough to establish the desired safety property, or finds a proof that no such invariant exists. We implemented an analyzer based on \(\mathsf{PDR}^{\forall}\) and applied it to a collection of list-manipulating programs. Our analyzer was able to automatically infer universal invariants strong enough to establish memory safety and certain functional correctness properties, to show the absence of such invariants for certain natural programs and specifications, and to detect bugs, all without the need for user-supplied abstraction predicates.
