2em Experiments with Invariant Generation Using a...

Experiments with Invariant Generation Usinga Saturation Theorem Prover

Laura Kovacs

TU Vienna, Austria

joint work with Krystof Hoder and Andrei Voronkov

Loop Symbol Elimination within 1s Symbol Elimination within 10s] SEI ] Min SEI % Redundancy ∀-Inv ∀∃-Inv ] SEI ] Min SEI % Redund ∀-Inv ∀∃-Inv

Initialisation 15 5 67% yes no 40 5 88% yes noCopy 24 5 79% yes no 25 5 80% yes noFind 151 13 91% yes no 474 21 96% yes noVararg 1 1 0% yes no 1 1 0% yes noPartition 166 38 77% yes yes 849 59 93% yes yesPartition Init 168 24 86% yes yes 692 127 82% yes yes

Table: Vampire with 1 and 10 seconds of time limit on challenging benchmarks.

Loop Shape ] of Loops Average ] of SEI Average ] of Non-Redundant SEI % of SEI Redundancy ∀-Inv ∀∃-InvSimple 33 168 18 89.3% yes no

Multi-path 5 340 46 86.4% yes yes

Table: Vampire on industrial benchmarks of Dassault Aviation.

Array Copy

Program and Specification Invariants

Pre:N > 0 ∧Pre:(∀k) (0 ≤ k < N → D[k ] = 0)

c := 0; d := 0;

while (c < N) do

C[c] := D[d ];

c := c + 1;

d := d + 1

end do

Post:(∀k)(0 ≤ k < N → C[k ] = 0)

c = d

c ≤ N ∨ N ≤ 0

(∀k) (0 ≤ k < c → C[k ] = D[k ])

Specification Program

Quantified Invariant

Verification Conditions

Proving

Quantified InvariantGosper, C-finite

Algebraic Dependencies

Grobner basis

Cylindrical Algebraic Decomp.

Symbol Elimination

Consequence Finding

Example: Array Partitiona := 0; b := 0; c := 0;while (a ≤ k ) do

if A[a] ≥ 0then B[b] := A[a];b := b + 1;else C[c] := A[a];c := c + 1;

a := a + 1;end do



a := a + 1;end do

A : -1 -3 -1 -5 -8 -0 -2a = 0

B : - * - * - * - * - * - * - *b = 0

C : - * - * - * - * - * - * - *c = 0



a := a + 1;end do

A : -1 -3 -1 -5 -8 -0 -2a = 7

B : -1 -3 -8 -0 - * - * - *b = 4

C : -1 -5 -2 - * - * - * - *c = 3



a := a + 1;end do

A : -1 -3 -1 -5 -8 -0 -2a = 7

B : -1 -3 -8 -0 - * - * - *b = 4

C : -1 -5 -2 - * - * - * - *c = 3

Invariants with ∀ ∃I Each of B[0], . . . ,B[b − 1] is non-negative and equal to one of

A[0], . . . ,A[a− 1].

(∀p)(0 ≤ p < b → B[p] ≥ 0 ∧ (∃i)(0 ≤ i < a ∧ A[i] = B[p]))



a := a + 1;end do

A : -1 -3 -1 -5 -8 -0 -2a = 7

B : -1 -3 -8 -0 - * - * - *b = 4

C : -1 -5 -2 - * - * - * - *c = 3

Invariants with ∀ ∃I Each of B[0], . . . ,B[b − 1] is non-negative and equal to one of

A[0], . . . ,A[a− 1].

I Each of C[0], . . . ,C[c − 1] is negative and equal to one ofA[0], . . . ,A[a− 1].

Invariants with ∀I For every p ≥ b, the value of B[p] is equal to its initial value.

I For every p ≥ c, the value of C[p] is equal to its initial value.

Example: Array Partition - Vampire Experiments

a := 0; b := 0; c := 0;while (a ≤ k ) do


a := a + 1;end do

1. B doesn’t change at positions after final value of b (1s):

∀p(p ≥ b → B[p] = B0[p])

2. Each B[0], . . . ,B[b − 1] is a positive value in {A[0], . . . ,A[a− 1]} (1s):

∀p(b > p ∧ p ≥ 0→ B[p] ≥ 0 ∧ ∃k(a > k ∧ k ≥ 0 ∧ A[k ] = B[p])

Outline

Symbol Elimination and Invariant Generation

Experiments with Invariant Generation in Vampire

Programming Model

G1 → α11; . . . ;α1m

...

Gp → αp1; . . . ;αpm

with

Gi ∧Gj → falseG1 ∨ · · · ∨Gp → true

if for some i{αik : A[e1] := e2

αil : A[e3] := e4then e1 6= e3

A[a] ≥ 0 → B[b] := A[a]; b := b + 1; a := a + 1¬A[a] ≥ 0 → C[c] := A[a]; c := c + 1; a := a + 1.

Notation: Loop counter n

Invariant Generation - The Methoda := 0; b := 0; c := 0;while (a ≤ k ) do


a := a + 1;end do

1. Extend the language:I variables as functions of n:

v (i), i :: F with 0 ≤ i < nI predicates as loop properties:

iter , updV (i , p), updV (i , p, x)

(∀i)(i ∈ iter ⇔ 0 ≤ i ∧ i < n)

updB(i , p)⇔ i ∈ iter ∧ p = b(i) ∧ A[a(i)] ≥ 0

updB(i , p, x)⇔ updB(i , p) ∧ x = A[a(i)]

a = b + c, a ≥ 0, b ≥ 0, c ≥ 0

(∀i ∈ iter)(a(i+1) > a(i))

(∀i ∈ iter)(b(i+1) = b(i) ∨ b(i+1) = b(i) + 1)

(∀i ∈ iter)(a(i) = a(0) + i)

(∀j , k ∈ iter)(k ≥ j → b(k) ≥ b(j))

(∀j , k ∈ iter)(k ≥ j → b(j) + k ≥ b(k) + j)

(∀p)(b(0) ≤ p < b(n)→(∃i ∈ iter)(b(i) = p∧A[a(i)] ≥ 0))

(∀i)¬updB(i , p)→ B(n)[p] = B(0)[p]

updB(i , p, x)∧(∀j > i)¬updB(j , p)→B(n)[p]=x

(∀i ∈ iter)(A[a(i)] ≥ 0→B(i+1)[b(i)] = A[a(i)]∧b(i+1) = b(i) + 1∧c(i+1) = c(i) )



a := a + 1;end do




- updV (i , p) : at iteration i , V is updatedat position p;

- updV (i , p, x) : at iteration i , V isupdated at position p by value x .

(∀i)(i ∈ iter ⇔ 0 ≤ i ∧ i < n)



a = b + c, a ≥ 0, b ≥ 0, c ≥ 0

(∀i ∈ iter)(a(i+1) > a(i))

(∀i ∈ iter)(b(i+1) = b(i) ∨ b(i+1) = b(i) + 1)

(∀i ∈ iter)(a(i) = a(0) + i)

(∀j , k ∈ iter)(k ≥ j → b(k) ≥ b(j))

(∀j , k ∈ iter)(k ≥ j → b(j) + k ≥ b(k) + j)


(∀i)¬updB(i , p)→ B(n)[p] = B(0)[p]





a := a + 1;end do




2. Collect loop properties:

(∀i)(i ∈ iter ⇔ 0 ≤ i ∧ i < n)



a = b + c, a ≥ 0, b ≥ 0, c ≥ 0

(∀i ∈ iter)(a(i+1) > a(i))

(∀i ∈ iter)(b(i+1) = b(i) ∨ b(i+1) = b(i) + 1)

(∀i ∈ iter)(a(i) = a(0) + i)

(∀j , k ∈ iter)(k ≥ j → b(k) ≥ b(j))

(∀j , k ∈ iter)(k ≥ j → b(j) + k ≥ b(k) + j)


(∀i)¬updB(i , p)→ B(n)[p] = B(0)[p]





a := a + 1;end do




2. Collect loop properties:I Polynomial scalar properties

(∀i)(i ∈ iter ⇔ 0 ≤ i ∧ i < n)



a = b + c, a ≥ 0, b ≥ 0, c ≥ 0

(∀i ∈ iter)(a(i+1) > a(i))

(∀i ∈ iter)(b(i+1) = b(i) ∨ b(i+1) = b(i) + 1)

(∀i ∈ iter)(a(i) = a(0) + i)

(∀j , k ∈ iter)(k ≥ j → b(k) ≥ b(j))

(∀j , k ∈ iter)(k ≥ j → b(j) + k ≥ b(k) + j)


(∀i)¬updB(i , p)→ B(n)[p] = B(0)[p]





a := a + 1;end do




2. Collect loop properties:I Polynomial scalar propertiesI Monotonicity properties of scalars

• Increasing/decreasing (strictly):(∀i ∈ iter)(v (i+1) ≥ v (i))

• Dense:(∀i ∈ iter)(v (i+1) = v (i)∨v (i+1) = v (i)+1)

(∀i)(i ∈ iter ⇔ 0 ≤ i ∧ i < n)



a = b + c, a ≥ 0, b ≥ 0, c ≥ 0

(∀i ∈ iter)(a(i+1) > a(i))

(∀i ∈ iter)(b(i+1) = b(i) ∨ b(i+1) = b(i) + 1)

(∀i ∈ iter)(a(i) = a(0) + i)

(∀j , k ∈ iter)(k ≥ j → b(k) ≥ b(j))

(∀j , k ∈ iter)(k ≥ j → b(j) + k ≥ b(k) + j)


(∀i)¬updB(i , p)→ B(n)[p] = B(0)[p]





a := a + 1;end do





I Update predicates of arrays

• Stabilityno array update at p→ (final) value of V [p] is unchanged

• Last updateV [p] updated at iteration i and no further→ final value V [p]

(∀i)(i ∈ iter ⇔ 0 ≤ i ∧ i < n)



a = b + c, a ≥ 0, b ≥ 0, c ≥ 0

(∀i ∈ iter)(a(i+1) > a(i))

(∀i ∈ iter)(b(i+1) = b(i) ∨ b(i+1) = b(i) + 1)

(∀i ∈ iter)(a(i) = a(0) + i)

(∀j , k ∈ iter)(k ≥ j → b(k) ≥ b(j))

(∀j , k ∈ iter)(k ≥ j → b(j) + k ≥ b(k) + j)


(∀i)¬updB(i , p)→ B(n)[p] = B(0)[p]





a := a + 1;end do





I Update predicates of arraysI Translation of guarded assignments

(∀i)(i ∈ iter ⇔ 0 ≤ i ∧ i < n)



a = b + c, a ≥ 0, b ≥ 0, c ≥ 0

(∀i ∈ iter)(a(i+1) > a(i))

(∀i ∈ iter)(b(i+1) = b(i) ∨ b(i+1) = b(i) + 1)

(∀i ∈ iter)(a(i) = a(0) + i)

(∀j , k ∈ iter)(k ≥ j → b(k) ≥ b(j))

(∀j , k ∈ iter)(k ≥ j → b(j) + k ≥ b(k) + j)


(∀i)¬updB(i , p)→ B(n)[p] = B(0)[p]





a := a + 1;end do






3. Eliminate symbols→ Invariants

(∀i)(i ∈ iter ⇔ 0 ≤ i ∧ i < n)



a = b + c, a ≥ 0, b ≥ 0, c ≥ 0

(∀i ∈ iter)(a(i+1) > a(i))

(∀i ∈ iter)(b(i+1) = b(i) ∨ b(i+1) = b(i) + 1)

(∀i ∈ iter)(a(i) = a(0) + i)

(∀j , k ∈ iter)(k ≥ j → b(k) ≥ b(j))

(∀j , k ∈ iter)(k ≥ j → b(j) + k ≥ b(k) + j)


(∀i)¬updB(i , p)→ B(n)[p] = B(0)[p]





a := a + 1;end do






3. Eliminate symbols︸︷︷︸Symbol Elimination

→ Invariants

(∀i)(i ∈ iter ⇔ 0 ≤ i ∧ i < n)



a = b + c, a ≥ 0, b ≥ 0, c ≥ 0

(∀i ∈ iter)(a(i+1) > a(i))

(∀i ∈ iter)(b(i+1) = b(i) ∨ b(i+1) = b(i) + 1)

(∀i ∈ iter)(a(i) = a(0) + i)

(∀j , k ∈ iter)(k ≥ j → b(k) ≥ b(j))

(∀j , k ∈ iter)(k ≥ j → b(j) + k ≥ b(k) + j)


(∀i)¬updB(i , p)→ B(n)[p] = B(0)[p]



Invariant Generation by Symbol Elimination

(∀i)(i ∈ iter ⇔ 0 ≤ i ∧ i < n)


updB(i , p, x)⇔ updB(i , p) ∧ x = A[a(i)]a = b + c, a ≥ 0, b ≥ 0, c ≥ 0

(∀i ∈ iter)(a(i+1) > a(i))

(∀i ∈ iter)(b(i+1) = b(i) ∨ b(i+1) = b(i) + 1)

(∀i ∈ iter)(a(i) = a(0) + i)

(∀j , k ∈ iter)(k ≥ j → b(k) ≥ b(j))

(∀j , k ∈ iter)(k ≥ j → b(j) + k ≥ b(k) + j)


(∀i)¬updB(i , p)→ B(n)[p] = B(0)[p]

updB(i , p, x) ∧ (∀j > i)¬updB(j , p)→B(n)[p]=x


Saturation

Theorem ProvingI1, I2, I3, I4, I5, . . .

Symbol Elimination by Vampire1. Reasoning with quantifiers and linear arithmetic [Korovin&V07]

x ≥ y ⇐⇒ x > y ∨ x = yx > y → x 6= yx ≥ y ∧ y ≥ z → x ≥ zs(x) > xx ≥ s(y)⇐⇒ x > y

2. Procedures for eliminating symbols→ USEFUL clauses

Symbol Elimination by Vampire1. Reasoning with quantifiers and linear arithmetic






I For every loop variable v → TARGET SYMBOLS v0 and v ′:

v (0)=v0 and v (n)=v ′

I USABLE symbols (variables are not symbols):- target or interpreted symbols;- skolem functions introduced by Vampire;

I USEFUL clauses:- contains only usable symbols;- contains at least a target symbol or a skolem function;

I Reduction ordering �: useless symbols � usable symbols.





v (0)=v0 and v (n)=v ′


I USEFUL clauses: x + y = y + x is not useful- contains only usable symbols;- contains at least a target symbol or a skolem function;






v (0)=v0 and v (n)=v ′


I USEFUL clauses:- contains only usable symbols;- contains at least a target symbol or a skolem function;





3. Turning USEFUL clauses into INVARIANTS

I Replace v ′ by v for all loop variables v ;

I No skolem functions in the clause→ Invariant;

¬p ≥ b′ ∨ B′[p] = B0[p] → ∀p(p ≥ b → B[p] = B0[p])

I Skolem function in the clause→ (De-skolemise)→ Invariant.

¬b′ > p ∨ ¬p ≥ 0 ∨ A′[$i(p)] = B′[p]

↓

∀p(b > p ∧ p ≥ 0→ (∃k)A[k ] = B[p])

Example: Array Partition - Vampire Experiments

a := 0; b := 0; c := 0;while (a ≤ k ) do


a := a + 1;end do

1. B doesn’t change at positions after final value of b (1s):

∀p(p ≥ b → B[p] = B0[p])

2. Each B[0], . . . ,B[b − 1] is a positive value in {A[0], . . . ,A[a− 1]} (1s):

∀p(b > p ∧ p ≥ 0→ B[p] ≥ 0 ∧ ∃k(a > k ∧ k ≥ 0 ∧ A[k ] = B[p])

a := 0; b := 0; c := 0;while (a ≤ k ) do


a := a + 1;end do

Loop

Poly Invariants

Symbolic

Comp.

StaticAnalys

is

a = b + c

b ≥ 0

c ≥ 0

a ≥ 0

a := 0; b := 0; c := 0;while (a ≤ k ) do


a := a + 1;end do

Loop

Poly Invariants

Symbolic

Comp.

StaticAnalys

is

a = b + c

b ≥ 0

c ≥ 0

a ≥ 0

Scalar Props over Loop Cnt

Sym

bolic

Com

p.S

tatic

Ana

lysi

s

(∀i ∈ iter)(a(i) = a(0) + i)

(∀j , k ∈ iter)(k ≥ j ⇒ b(k) ≥ b(j))

(∀j , k ∈ iter)(k ≥ j ⇒ b(j) + k ≥ b(k) + j)

a := 0; b := 0; c := 0;while (a ≤ k ) do


a := a + 1;end do

Loop

Poly Invariants

Symbolic

Comp.

StaticAnalys

is

a = b + c

b ≥ 0

c ≥ 0

a ≥ 0

Scalar Props over Loop Cnt

Sym

bolic

Com

p.S

tatic

Ana

lysi

s

(∀i ∈ iter)(a(i) = a(0) + i)

(∀j , k ∈ iter)(k ≥ j ⇒ b(k) ≥ b(j))

(∀j , k ∈ iter)(k ≥ j ⇒ b(j) + k ≥ b(k) + j)

Array Update Predicates

Symbolic Comp.

Static Analysis

(∀i)¬updB(i , p)⇒ B(n)[p] = B(0)[p]

(∀v)(b(0) ≤ v < b(n) ⇒

b(i+1) = b(i) + 1 ∧ c(i+1) = c(i) + 1

(∀i ∈ iter)(A[a(i)] ≥ 0⇒ B(i+1)[b(i)] = A[a(i)] ∧

(∀v)(b(0) ≤ v < b(n) ⇒ (∃i ∈ iter)(b(i) = v ∧ (A[a(i)] ≥ 0))

a := 0; b := 0; c := 0;while (a ≤ k ) do


a := a + 1;end do

Loop

Poly Invariants Scalar Props over Loop Cnt Array Update Predicates

Symbolic

Comp.

StaticAnalys

is

Sym

bolic

Com

p.S

tatic

Ana

lysi

s Symbolic Comp.

Static Analysisex:Aligator

Set of FO Loop Properties

Vampire


Saturation

Thm.

Proving

Sym

bolElim

.

Loop

Poly Invariants Scalar Props over Loop Cnt Array Update Predicates

Symbolic

Comp.

StaticAnalys

is

Sym

bolic

Com

p.S

tatic

Ana

lysi

s Symbolic Comp.

Static AnalysisVampire

Set of FO Loop Properties

Vampire


Saturation

Thm.

Proving

Sym

bolElim

.


1. Program analysis (new Vampire mode);1. Theory loading;1. Elimination of “colored” symbols (new Vampire mode);1. Generation of “minimal” set of invariants.


1. Program analysis (new Vampire mode);2. Theory loading (new Vampire opion);3. Elimination of “colored” symbols (new Vampire option);4. Generation of “minimal” set of invariants (new Vampire mode).

1. Sample Output for Program Analysis in Vampire

vampire --mode program analysis

Loops found: 1Analyzing loop...---------------------while (a < m){if (A[a] >= 0){B[b] = A[a]; b = b + 1;}else{C[c] = A[a]; c = c + 1;}a = a + 1;}---------------------Variable: B: (updated)Variable: a: (updated)Variable: b: (updated)Variable: m: constantVariable: A: constantVariable: C: (updated)Variable: c: (updated)Counter: aCounter: bCounter: c

qqPath:false: A[a] >= 0C[c] = A[a];c = c + 1;a = a + 1;Path:true: A[a] >= 0B[b] = A[a];b = b + 1;a = a + 1;Counter a: 1 min, 1 max, 1 gcdCounter b: 0 min, 1 max, 1 gcdCounter c: 0 min, 1 max, 1 gcd7. ![X1,X0,X3]:(X1>X0 & c(X1)>X3 & X3>c(X0)) =>

?[X2]:(c(X2)=X3 & X2>X0 & X1>X2) [program analysis]6. ![X0]:c(X0)>=c0 (0:4) [program analysis]5. ![X0]:c(X0)<=c0+X0 (0:6) [program analysis]4. ![X1,X0,X3]:(X1>X0 & b(X1)>X3 & X3>b(X0))

=> ?[X2]:(b(X2)=X3 & X2>X0 & X1>X2) [programanalysis]3. ![X0]:b(X0)>=b0 (0:4) [program analysis]2. ![X0]:b(X0)<=b0+X0 (0:6) [program analysis]1. ![X0]:a(X0)=a0+X0 (0:6) [program analysis]

Figure: Partial output of Vampire’s program analyser on the Partition program.

2. Theory Loading in Vampire

vampire(option, theory axioms, on).

vampire --theory axioms on

We use incomplete but sound theory axiomatisation.

Example: Integers in VampireI 0, 1, 2, etc;I Integer predicates/funcions:

I addition;I subtraction;I multiplication;I successor;I division;I inequality relations;

I Automated theory loading:

vampire(interpreted symbol, geq, integer greater equal)

3. Elimination of Colored Symbolsvampire(option,show symbol elimination,on).vampire(option,time limit,1).ivampire(option, theory axioms,on).vampire(interpreted symbol,geq, integer greater equal).vampire(interpreted symbol,greater, integer greater).vampire(interpreted symbol,plus,integer plus).vampire(interpreted symbol,s,successor).vampire(interpreted symbol,minus,integer minus).ivampire(symbol,function,n,0,left).vampire(symbol,function,a,1,left).vampire(symbol,function,b,1,left).vampire(symbol,function,c,1,left).vampire(symbol,function,bb,2,left).vampire(symbol,function,cc,2,left).vampire(symbol,predicate,updB,2,left).vampire(symbol,predicate,updB,3,left).vampire(symbol,predicate,updC,2,left).vampire(symbol,predicate,updC,3,left).vampire(symbol,predicate,iter,1,left).vampire(symbol,predicate,geq,2,skip).ivampire(symbol,predicate,greater,2,skip).vampire(symbol,function,s,1,skip).vampire(symbol,function,zero,0,skip).vampire(symbol,function,plus,2,skip).vampire(symbol, function, minus,2,skip).vampire(symbol,function,a,0,skip).vampire(symbol,function,b,0,skip).vampire(symbol,function,c,0,skip).vampire(symbol,function,m,0,left).vampire(symbol,function,aa,1,skip).vampire(symbol,function,bb0,2,skip).vampire(symbol,function,bb0,1,skip).vampire(symbol,function,cc0,2,skip).vampire(symbol,function,cc0,1,skip).

Figure: Partial input for symbol elimination in Vampire.

4. Generation of Minimal Set of Invariants

vampire --mode consequence elimination

Set of invariants: S

Minimal set S′ of invariants with S′ ⊂ S:Remove C ∈ S iff S \ {C} ⇒ C

Compute S′ ⊂ SRun Vampire on S within, e.g., 20s time limit

Experiments:I consequence elimination ran in conjunction with 4 combination of

strategiesI eliminated ∼ 80% invariants

Experiments: Invariant Generation in Vampire

I Challenging academic benchmarks

I Industrial Benchmarks

Loop ] SEI ] Min SEI Inv of interest Generated invariants implying Inv

Copya = 0;while (a < m) doB[a] = A[a]; a = a + 1end do

24 5 ∀x : 0 ≤ x < a →B[x ] = A[x ]

inv8:∀x0, x1 : A[x0 ] = B[x1 ]∨

x0 6= x1∨¬a > x0∨¬x0 ≥ 0

Finda = 0; spot = mwhile (a < m) doif (spot = m&&A[a] 6= 0)then spot = aend if;B[a] = (A[a] 6= 0);a = a + 1end do

151 13 spot = m∨A[spot] 6= 0

inv3:a ≥ spot

inv39:spot = sk1 ∨ a = spot

inv25:0 ≥ sk1 ∨ a = spot

inv5:∀x1 : ¬a > x1∨

¬x1 ≥ 0 ∨ a = spot∨A(spot) 6= 0

Partitiona = 0; b = 0; c = 0;while (a < m) doif (A[a] >= 0)then B[b] = A[a]; b = b + 1else C[c] = A[a]; c = c + 1end if;a = a + 1end do

166 38∀x : 0 ≤ x < b →

B[x ] ≥ 0∧∃y : B[x ] = A[y ]

inv1:∀x0 : A(sk2(x0)) ≥ 0∨

¬b > x0∨¬x0 ≥ 0

inv81:∀x0 : ¬b > x0∨

¬x0 ≥ 0∨A(sk2(x0)) = B(x0)

Partition Inita = 0; c = 0;while (a < m) doif (A[a] == B[a])then C[c] = a; c = c + 1end if;a = a + 1end do

168 24 ∀x : 0 ≤ x < c →A[C[x ]] = B[C[x ]]

inv0:∀x0 : A(sk1(x0)) = B(sk1(x0))∨

¬c > x0∨¬x0 ≥ 0

inv30:∀x0, x1, x2 : sk1(x0) 6= x1∨

x0 6= x2∨¬c > x0∨¬x0 ≥ 0∨C(x2) = x1

Table: Vampire with 1 second time limit on challenging benchmarks.

Loop Symbol Elimination within 1s Symbol Elimination within 10s] SEI ] Min SEI % Redundancy ∀-Inv ∀∃-Inv ] SEI ] Min SEI % Redund ∀-Inv ∀∃-Inv

Initialisation 15 5 67% yes no 40 5 88% yes noCopy 24 5 79% yes no 25 5 80% yes noFind 151 13 91% yes no 474 21 96% yes noVararg 1 1 0% yes no 1 1 0% yes noPartition 166 38 77% yes yes 849 59 93% yes yesPartition Init 168 24 86% yes yes 692 127 82% yes yes

Table: Vampire with 1 and 10 seconds of time limit on challenging benchmarks.

Loop Shape ] of Loops Average ] of SEI Average ] of Non-Redundant SEI % of SEI Redundancy ∀-Inv ∀∃-InvSimple 33 168 18 89.3% yes no

Multi-path 5 340 46 86.4% yes yes

Table: Vampire on industrial benchmarks of Dassault Aviation.

Summary: Invariant Generation and Symbol Elimination

Given a loop:

1. Express loop properties in a language containing extra symbols(loop counter, predicates expressing array updates, etc.);

2. Every logical consequence of these properties is a valid loop property,but not an invariant;

3. Run a theorem prover for eliminating extra symbols;

4. Every derived formula in the language of the loop is a loop invariant;

5. Invariants are consequences of symbol-eliminating inferences (SEI).

SEI: premise contains extra symbols, conclusion is in the loop language.

Conclusions: Experiments with Invariant Generation using Vampire

VAMPIRE FOR INVARIANT GENERATION

I Complex invariants were generated, already within 1s;

I Invariants implied intended loop properties;

I Consequence elimination significantly reduces the number ofinteresting invariants (by an 80% average);

I Theory reasoning and program analysis needs furtherimprovements.

2em Experiments with Invariant Generation Using a...

Documents

Transcript of 2em Experiments with Invariant Generation Using a...