ICE-Based Refinement Type Discovery for Higher-Order Functional Programs

Abstract

We propose a method for automatically finding refinement types of higher-order function programs. Our method is an extension of the Ice framework of Garg et al. for finding invariants. In addition to the usual positive and negative samples in machine learning, their Ice framework uses implication constraints, which consist of pairs (x, y) such that if x satisfies an invariant, so does y. From these constraints, Ice infers inductive invariants effectively. We observe that the implication constraints in the original Ice framework are not suitable for finding invariants of recursive functions with multiple function calls. We thus generalize the implication constraints to those of the form \((\{x_1,\dots ,x_k\}, y)\), which means that if all of \(x_1,\dots ,x_k\) satisfy an invariant, so does y. We extend their algorithms for inferring likely invariants from samples, verifying the inferred invariants, and generating new samples. We have implemented our method and confirmed its effectiveness through experiments.

Appendices

Appendix

Comparing Model Complexity

This section illustrates the difference in complexity between Z3’s Spacer and PDR models. We use the Horn clause problem

https://github.com/hopv/benchmarks/blob/master/clauses/lia/termination/up_down01.smt2.

There are 11 predicates to infer in this satisfiable problem. Our predicate synthesis engine HoIce immediately returns the following model where all variables are of type Int, and we write \(\bullet \) for variables that do not appear in the predicate’s definition

Note that we have abbreviated the name of the predicates slightly for the sake of readability. While this model could be made slightly simpler by inlining the predicate applications, it is already quite concise.

Z3’s Spacer also returns immediately with a model that is much more complex. We only look at two of the predicates. First,

$$\begin{aligned} app\_1030_{12}(v_1, v_2, v_3, v_4, v_5, v_6, v_7, v_8) \end{aligned}$$

defined as

$$\begin{aligned} \begin{array}{c r c l} &{} \exists (v, v'), &{}&{} (\; (v = 0) = (0 \le v_1) \;) \;\wedge \;\lnot (v = 0) \;\wedge \;v' \le 0 \\ &{}&{}\wedge \;&{} v_2 = 0 \;\wedge \;v_3 = 0 \;\wedge \;v_4 = 0 \;\wedge \;v_5 = 0 \;\wedge \;v_6 = 0 \;\wedge \;v_7 = 0 \;\wedge \;v_8 = 0 \\ \vee \quad &{} \exists v, &{}&{} (\; (v = 0) = (v_1 \le 0) \;) \;\wedge \;\lnot (v = 0) \\ &{}&{}\wedge \;&{} v_2 = 0 \;\wedge \;v_3 = 0 \;\wedge \;v_4 = 0 \;\wedge \;v_5 = 0 \;\wedge \;v_6 = 0 \;\wedge \;v_7 = 0 \;\wedge \;v_8 = 0 \\ \end{array} \end{aligned}$$

Another example is \(fail_{20}(v_1)\), defined as \( \exists (x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8), \quad \)

$$\begin{aligned} \begin{array}{c l} &{} (\; \mathbf{A } \;\vee \;\mathbf{B } \;) \;\wedge \;\lnot (x_1 = 0) \\ \wedge &{} (x_7 = - x_3) \;\wedge \;(x_5 = - x_3) \;\wedge \;(x_4 = - x_2) \\ \wedge &{} (\; (x_6 = 0) \;=\; (x_4 \le x_5) \;) \\ \wedge &{} (\; (x_6 = 0) \;\vee \;(x_8 = 0) \;) \\ \wedge &{} (\; \lnot (x_8 = 0) \;=\; (x_7 \ge 0) \;) \\ \wedge &{} v_1 = 0 \end{array} \end{aligned}$$

where \(\mathbf{A }\) is \(\exists (x_9, x_{10}, x_{11}),\)

$$\begin{aligned} \begin{array}{c l} &{} \lnot (x_9 = 0) \;\wedge \;(\; (x_{11} = 0) \;=\; (0 \le x_{10}) \;) \\ \wedge &{} (\; (x_9 = 0) = (\mathbf{0} \le \mathbf{x} _\mathbf{3} ) \;) \;\wedge \;\lnot (x_{11} = 0) \\ \wedge &{} x_2 = 0 \;\wedge \;x_1 = 0 \end{array} \end{aligned}$$

and \(\mathbf{B }\) is \(\exists (x_9, x_{10}, x_{11}),\)

$$\begin{aligned} \begin{array}{c l} &{} \lnot (x_9 = 0) \;\wedge \;(\; (x_{11} = 0) \;=\; (0 \le x_{10}) \;) \\ \wedge &{} (\; (x_9 = 0) = (\mathbf{x} _\mathbf{3} \le \mathbf{0} ) \;) \;\wedge \;\lnot (x_{11} = 0) \\ \wedge &{} x_2 = 0 \;\wedge \;x_1 = 0 \end{array} \end{aligned}$$

which is equivalent to \(\textit{false}\): https://rise4fun.com/Z3/XPN.