Abstract
Invariants are the predominant approach to verify the correctness of loops. As an alternative, loop contracts, which make explicit the premise and conclusion of the underlying induction proof, can sometimes capture correctness conditions more naturally. But despite this advantage, the second approach receives little attention overall, and the goal of this paper is to lift it out of its niche. We give the first comprehensive exposition of the theory of loop contracts, including a characterization of its completeness. We show concrete examples on standard algorithms that showcase their relative merits. Moreover, we demonstrate a novel constructive translation between the two approaches, which decouples the chosen specification approach from the verification backend.
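As an added illustration of the contrast the abstract draws (example code written for this page; it is not the paper's formalization or any verifier's output, and it is a runtime check, not a proof), the following Python harness records every state of a square-and-multiply exponentiation loop, the Toccata "power" example referred to in Note 3, and checks the two kinds of proof obligation side by side: a candidate invariant I(s) that must hold in every reached state, and a candidate relational summary R(s_i, s_n) that must hold between every reached state s_i and the exit state s_n, i.e. for every suffix of the execution, which is the induction a loop contract encodes. The (r, x, n) state encoding, the function names, and the deliberately wrong `broken_summary` are assumptions of this example.

```python
# Added example, not from the paper: runtime check of a loop invariant versus
# a loop summary on square-and-multiply exponentiation. The (r, x, n) state
# encoding and all names here are this example's own choices.

def power_trace(x: int, n: int):
    """Compute x**n by square-and-multiply and return (result, trace), where
    trace holds the state (r, x, n) at every evaluation of the loop test, so
    trace[0] is the initial state and trace[-1] the exit state."""
    if n < 0:
        raise ValueError("exponent must be non-negative")
    r = 1
    trace = [(r, x, n)]
    while n > 0:
        if n % 2 == 1:
            r = r * x
        x = x * x
        n = n // 2
        trace.append((r, x, n))
    return r, trace

def loop_test(s):
    """The loop guard t(s): n > 0."""
    _, _, n = s
    return n > 0

def invariant(s0, s):
    """Candidate invariant I(s): n >= 0 and r * x**n == x0**n0, i.e. the
    remaining work always completes the initial product."""
    _, x0, n0 = s0
    r, x, n = s
    return n >= 0 and r * x**n == x0**n0

def summary(s_i, s_n):
    """Candidate summary R(s_i, s_n): the loop started in s_i exits in a
    state s_n whose r equals r_i * x_i**n_i."""
    r_i, x_i, n_i = s_i
    r_n, _, _ = s_n
    return r_n == r_i * x_i**n_i

def broken_summary(s_i, s_n):
    """A wrong candidate that forgets the exponent; the check rejects it."""
    r_i, x_i, _ = s_i
    r_n, _, _ = s_n
    return r_n == r_i * x_i

def check_invariant(trace, inv):
    """I must hold in every recorded state, and the guard is false at exit."""
    s0 = trace[0]
    return all(inv(s0, s) for s in trace) and not loop_test(trace[-1])

def check_summary(trace, summ):
    """R must relate every recorded state to the exit state: each suffix of
    the execution is itself a run of the loop."""
    s_n = trace[-1]
    return all(summ(s_i, s_n) for s_i in trace) and not loop_test(s_n)

def non_relational_counterexample(trace, summ):
    """Why quantifying over all exit states is too strong: build a state that
    satisfies 'not t' (n == 0) but is not the state the loop reaches, and
    return it if R fails for it from the initial state (None otherwise)."""
    r0, x0, n0 = trace[0]
    s_other = (r0 * x0**n0 + 1, x0, 0)   # n == 0, but r is off by one
    assert not loop_test(s_other)
    return s_other if not summ(trace[0], s_other) else None

def verify_power(x: int, n: int):
    """Run the loop; report (result, invariant_ok, summary_ok, broken_ok)."""
    result, trace = power_trace(x, n)
    return (result,
            check_invariant(trace, invariant),
            check_summary(trace, summary),
            check_summary(trace, broken_summary))

if __name__ == "__main__":
    print(verify_power(3, 13))   # (1594323, True, True, False)
```

The invariant relates each state back to the initial one; the summary relates each state forward to the exit state, which is why the same trace serves both checks once the exit state is known. A check like this catches a mis-stated candidate before it is handed to a verifier, but passing it on a few inputs does not establish the obligation for all inputs.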
Notes
- 1.
Dually to invariants, a non-relational version of the summary R would quantify over final states as \({\forall }s_n.\, \lnot t(s_n)\,\implies \,R(s_i,s_n)\), but that condition is too strong at loop exit.
- 2.
Tuerk [54] remarks that, more generally, the inductive hypothesis may encompass a subsequent program fragment C right after the loop, i.e., \(\texttt {while}\ t\ \texttt {do}\ B; C\), and this (concrete) C would then replace \(\texttt {skip}\) in the second premise, with \(\overline{x}= \text {mod}(B,C)\).
- 3.
Presentation adapted from http://toccata.lri.fr/gallery/power.en.html.
- 4.
Example communicated by Rustan Leino, who based his verification on Eq. (11).
- 5.
References
Alexandru, G.: Specifying loops with contracts. Bachelor’s thesis, LMU Munich (2019)
Beyer, D.: Advances in automatic software verification: SV-COMP 2020. In: TACAS 2020. LNCS, vol. 12079, pp. 347–367. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45237-7_21
Beyer, D., Dangl, M., Wendler, P.: A unifying view on SMT-based software verification. J. Autom. Reason. (JAR) 60(3), 299–335 (2018)
Beyer, D., Keremoglu, M.E.: CPAchecker: a tool for configurable software verification. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 184–190. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22110-1_16
Bjørner, N., Gurfinkel, A., McMillan, K., Rybalchenko, A.: Horn clause solvers for program verification. In: Beklemishev, L.D., Blass, A., Dershowitz, N., Finkbeiner, B., Schulte, W. (eds.) Fields of Logic and Computation II. LNCS, vol. 9300, pp. 24–51. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-23534-9_2
Blanc, R., Kuncak, V., Kneuss, E., Suter, P.: An overview of the Leon verification system: verification by translation to recursive functions. In: Proceedings of the Workshop on Scala, pp. 1–10 (2013)
Bohórquez, J.: An elementary and unified approach to program correctness. Formal Aspects Comput. (FAC) 22, 611–627 (2010)
Bormer, T., et al.: The COST IC0701 verification competition 2011. In: Beckert, B., Damiani, F., Gurov, D. (eds.) FoVeOOS 2011. LNCS, vol. 7421, pp. 3–21. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31762-0_2
Brotherston, J.: Cyclic proofs for first-order logic with inductive definitions. In: Beckert, B. (ed.) TABLEAUX 2005. LNCS (LNAI), vol. 3702, pp. 78–92. Springer, Heidelberg (2005). https://doi.org/10.1007/11554554_8
Burstall, R.M.: Some techniques for proving correctness of programs which alter data structures. Mach. Intell. 7, 23–50 (1972)
Champion, A., Kobayashi, N., Sato, R.: HoIce: an ICE-based non-linear horn clause solver. In: Ryu, S. (ed.) APLAS 2018. LNCS, vol. 11275, pp. 146–156. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-02768-1_8
Charguéraud, A.: Characteristic formulae for mechanized program verification. Ph.D. thesis, Université Paris-Diderot (2010)
Chen, X., Trinh, M.T., Rodrigues, N., Peña, L., Roşu, G.: Towards a unified proof framework for automated fixpoint reasoning using matching logic. Proc. ACM Program. Lang. 4(OOPSLA), 1–29 (2020)
De Angelis, E., Fioravanti, F., Pettorossi, A., Proietti, M.: Verifying array programs by transforming verification conditions. In: McMillan, K.L., Rival, X. (eds.) VMCAI 2014. LNCS, vol. 8318, pp. 182–202. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54013-4_11
de Vries, E., Koutavas, V.: Reverse hoare logic. In: Barthe, G., Pardo, A., Schneider, G. (eds.) SEFM 2011. LNCS, vol. 7041, pp. 155–171. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24690-6_12
Donaldson, A.F., Haller, L., Kroening, D., Rümmer, P.: Software verification using k-induction. In: Yahav, E. (ed.) SAS 2011. LNCS, vol. 6887, pp. 351–368. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23702-7_26
Ernst, G., Pfähler, J., Schellhorn, G., Haneberg, D., Reif, W.: KIV–overview and VerifyThis competition. Softw. Tools Technol. Transf. (STTT) 17(6), 677–694 (2015)
Ernst, G.: A complete approach to loop verification with invariants and summaries (2020). https://arxiv.org/abs/2010.05812. Extended version of this article
Fedyukovich, G., Prabhu, S., Madhukar, K., Gupta, A.: Quantified invariants via syntax-guided synthesis. In: Dillig, I., Tasiran, S. (eds.) CAV 2019. LNCS, vol. 11561, pp. 259–277. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25540-4_14
Floyd, R.W.: Assigning meanings to programs. In: Colburn, T.R., Fetzer, J.H., Rankin, T.L. (eds.) Program Verification. Studies in Cognitive Systems, vol. 14, pp. 65–81. Springer, Dordrecht (1993). https://doi.org/10.1007/978-94-011-1793-7_4
Furia, C.A., Meyer, B., Velder, S.: Loop invariants: analysis, classification, and examples. ACM Comput. Surv. (CSUR) 46(3), 1–51 (2014)
Furia, C.A., Meyer, B.: Inferring loop invariants using postconditions. In: Blass, A., Dershowitz, N., Reisig, W. (eds.) Fields of Logic and Computation. LNCS, vol. 6300, pp. 277–300. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15025-8_15
Grebenshchikov, S., Lopes, N.P., Popeea, C., Rybalchenko, A.: Synthesizing software verifiers from proof rules. ACM SIGPLAN Not. 47(6), 405–416 (2012)
Gurfinkel, A., Bjørner, N.: The science, art, and magic of constrained Horn clauses. In: Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), pp. 6–10. IEEE (2019)
Gurfinkel, A., Kahsai, T., Komuravelli, A., Navas, J.A.: The SeaHorn verification framework. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 343–361. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21690-4_20
Hehner, E.C.R.: Specified blocks. In: Meyer, B., Woodcock, J. (eds.) VSTTE 2005. LNCS, vol. 4171, pp. 384–391. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-69149-5_41
Hehner, E.C.R., Gravel, A.M.: Refinement semantics and loop rules. In: Wing, J.M., Woodcock, J., Davies, J. (eds.) FM 1999. LNCS, vol. 1709, pp. 1497–1510. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48118-4_29
Heizmann, M., Hoenicke, J., Podelski, A.: Refinement of trace abstraction. In: Palsberg, J., Su, Z. (eds.) SAS 2009. LNCS, vol. 5673, pp. 69–85. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03237-0_7
Hoang, D., Moy, Y., Wallenburg, A., Chapman, R.: SPARK 2014 and GNATprove. Softw. Tools Technol. Transf. (STTT) 17(6), 695–707 (2015)
Hoare, C.A.R.: An axiomatic basis for computer programming. Commun. ACM 12(10), 576–580 (1969)
Hoder, K., Bjørner, N., de Moura, L.: \(\mu \)Z: an efficient engine for fixed points with constraints. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 457–462. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22110-1_36
Hojjat, H., Rümmer, P.: The Eldarica horn solver. In: Proceedings of Formal Methods in Computer Aided Design (FMCAD), pp. 1–7. IEEE (2018)
Huisman, M., Jacobs, B.: Java program verification via a Hoare logic with abrupt termination. In: Maibaum, T. (ed.) FASE 2000. LNCS, vol. 1783, pp. 284–303. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-46428-X_20
Huisman, M., Klebanov, V., Monahan, R.: VerifyThis verification competition 2012: organizers report. Technical report, KIT, Fakultät für Informatik (2013)
Huisman, M., Klebanov, V., Monahan, R.: VerifyThis 2012 (2015)
Hutton, G.: A tutorial on the universality and expressiveness of fold. J. Funct. Program. (JFP) 9(4), 355–372 (1999)
Jacobs, B., Smans, J., Piessens, F.: Solving the VerifyThis 2012 challenges with VeriFast. Softw. Tools Technol. Transf. (STTT) 17(6), 659–676 (2014). https://doi.org/10.1007/s10009-014-0310-9
Komuravelli, A., Gurfinkel, A., Chaki, S., Clarke, E.M.: Automatic abstraction in SMT-based unbounded software model checking. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 846–862. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39799-8_59
Leino, K.R.M.: Dafny: an automatic program verifier for functional correctness. In: Clarke, E.M., Voronkov, A. (eds.) LPAR 2010. LNCS (LNAI), vol. 6355, pp. 348–370. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17511-4_20
Lin, S.W., Sun, J., Xiao, H., Liu, Y., Sanán, D., Hansen, H.: Squeezing loop invariants by interpolation between forward/backward predicate transformers. In: Proceedings of Automated Software Engineering (ASE), pp. 793–803. IEEE (2017)
Lundberg, D., Guanciale, R., Lindner, A., Dam, M.: Hoare-style logic for unstructured programs. In: de Boer, F., Cerone, A. (eds.) SEFM 2020. LNCS, vol. 12310, pp. 193–213. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58768-0_11
McMillan, K.L.: Interpolation and SAT-based model checking. In: Hunt, W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 1–13. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45069-6_1
Morgan, C.: The specification statement. ACM Trans. Program. Lang. Syst. (TOPLAS) 10(3), 403–419 (1988)
Mraihi, O., Louhichi, A., Jilani, L.L., Desharnais, J., Mili, A.: Invariant assertions, invariant relations, and invariant functions. Sci. Comput. Program. (SCP) 78(9), 1212–1239 (2013)
Myreen, M.O., Gordon, M.J.: Transforming programs into recursive functions. Electron. Notes Theor. Comput. Sci. 240, 185–200 (2009)
Nipkow, T., Eberl, M., Haslbeck, M.P.L.: Verified textbook algorithms. In: Hung, D.V., Sokolsky, O. (eds.) ATVA 2020. LNCS, vol. 12302, pp. 25–53. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59152-6_2
Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL: A Proof Assistant for Higher-Order Logic. LNCS, vol. 2283. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45949-9
O’Hearn, P.W.: Incorrectness logic. Proc. ACM Program. Lang. 4(POPL), 1–32 (2019)
Philippaerts, P., Mühlberg, J.T., Penninckx, W., Smans, J., Jacobs, B., Piessens, F.: Software verification with VeriFast: industrial case studies. Sci. Comput. Program. (SCP) 82, 77–97 (2014)
Reynolds, J.C.: Separation logic: a logic for shared mutable data structures. In: Proceedings of Logic in Computer Science (LICS), pp. 55–74. IEEE (2002)
Roşu, G., Lucanu, D.: Circular coinduction: a proof theoretical foundation. In: Kurz, A., Lenisa, M., Tarlecki, A. (eds.) CALCO 2009. LNCS, vol. 5728, pp. 127–144. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03741-2_10
Schellhorn, G., Tofan, B., Ernst, G., Pfähler, J., Reif, W.: RGITL: a temporal logic framework for compositional reasoning about interleaved programs. Ann. Math. Artif. Intell. 71(1–3), 131–174 (2014)
Schwerhoff, M., Summers, A.J.: Lightweight support for magic wands in an automatic verifier. In: European Conference on Object-Oriented Programming (ECOOP), LIPIcs, vol. 37, pp. 614–638. Schloss Dagstuhl-Leibniz-Zentrum für Informatik (2015)
Tuerk, T.: Local reasoning about while-loops. In: Proceedings of Verified Software: Theory, Tools, and Experiments (VSTTE), p. 29 (2010)
Unno, H., Torii, S., Sakamoto, H.: Automating induction for solving horn clauses. In: Majumdar, R., Kunčak, V. (eds.) CAV 2017. LNCS, vol. 10427, pp. 571–591. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63390-9_30
Vizel, Y., Grumberg, O., Shoham, S.: Intertwined forward-backward reachability analysis using interpolants. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013. LNCS, vol. 7795, pp. 308–323. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36742-7_22
Acknowledgement
We are very grateful for the detailed feedback and suggestions received from the reviewers at TACAS’21, CAV’21, and VMCAI’22, as well as their insightful questions (which unfortunately cannot all be addressed here). Many thanks to Toby Murray for valuable feedback and encouragement. The presentation in Sect. 6 is part of Gregor Alexandru’s bachelor thesis [1]. The treatment of \(\texttt {break}\) and \(\texttt {goto}\) in loop contracts was explored by Johannes Blau in a student project. We thank Rustan Leino for the phone number example.
© 2022 Springer Nature Switzerland AG
Cite this paper
Ernst, G. (2022). Loop Verification with Invariants and Contracts. In: Finkbeiner, B., Wies, T. (eds) Verification, Model Checking, and Abstract Interpretation. VMCAI 2022. Lecture Notes in Computer Science(), vol 13182. Springer, Cham. https://doi.org/10.1007/978-3-030-94583-1_4
DOI: https://doi.org/10.1007/978-3-030-94583-1_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-94582-4
Online ISBN: 978-3-030-94583-1