Bounded Quantifier Instantiation for Checking Inductive Invariants

10/24/2017 ∙ by Yotam M. Y. Feldman, et al. ∙ 0

We consider the problem of checking whether a proposed invariant ϕ expressed in first-order logic with quantifier alternation is inductive, i.e. preserved by a piece of code. While the problem is undecidable, modern SMT solvers can sometimes solve it automatically. However, they employ powerful quantifier instantiation methods that may diverge, especially when ϕ is not preserved. A notable difficulty arises due to counterexamples of infinite size. This paper studies Bounded-Horizon instantiation, a natural method for guaranteeing the termination of SMT solvers. The method bounds the depth of terms used in the quantifier instantiation process. We show that this method is surprisingly powerful for checking quantified invariants in uninterpreted domains. Furthermore, by producing partial models it can help the user diagnose the case when ϕ is not inductive, especially when the underlying reason is the existence of infinite counterexamples. Our main technical result is that Bounded-Horizon is at least as powerful as instrumentation, which is a manual method to guarantee convergence of the solver by modifying the program so that it admits a purely universal invariant. We show that with a bound of 1 we can simulate a natural class of instrumentations, without the need to modify the code and in a fully automatic way. We also report on a prototype implementation on top of Z3, which we used to verify several examples by Bounded-Horizon of bound 1.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

This paper addresses a fundamental problem in automatic program verification: how to prove that a piece of code preserves a given invariant. In Floyd-Hoare style verification this means that we want to automatically prove the validity of the Hoare triple where is an assertion and is a command. Often this is shown by proving the unsatisfiability of a formula of the form (the verification condition) where denotes the assertion before the command, denotes the assertion after the command, and is a two-vocabulary formula expressing the meaning of the command as a transition relation between pre- and post-states. When is a loop body, such a is an inductive invariant and can be used to prove safety properties of the loop (if it also holds initially and implies the desired property).

For infinite-state programs, proving the validity of is generally undecidable even when does not include loops. Indeed, existing Satisfiability Modulo Theory (SMT) solvers can diverge even for simple assertions and simple commands. Recent attempts to apply program verification to prove the correctness of critical system’s design and code [HHK15] identify this as the main hurdle for using program verification.

The difficulty is rooted in powerful constructs used in the SMT-based verification of interesting programs. Prominent among these constructs are arithmetic and other program operations modelled using background theories, and logical quantifiers. In this paper we target the verification of applications in which the problem can be modelled without interpreted theories. This is in line with recent works that show that although reasoning about arithmetic is crucial for low-level code, in many cases the verification of high-level programs and designs can be performed by reasoning about quantification in uninterpreted theories. Specifically, the decidable Effectively Propositional logic (EPR) has been successfully applied to application domains such as linked-list manipulation [IBI13], Software-Defined Networks [BBG14] and some distributed protocols [PMP16, PLSS17]. Without interpreted theories it remains to address the complications induced by the use of quantifiers, and specifically by the use of alternating universal () and existential () quantifiers.

In the presence of quantifier alternation, the solver’s ability to check assertions is hindered by the following issues:

  1. An infinite search space of proofs that must be explored for correct assertions. A standard form of proofs with quantified formulas is instantiation, in which the solver attempts to replace universal quantifiers by a set of ground terms. The problem of exploring the inifnite set of candidates for instantiation is sometimes manifested in matching loops [DNS05].

  2. A difficulty of finding counterexamples for invalid assertions, notably when counterexamples may be of infinite size. Current SMT techniques often fail to produce models of satisfiable quantified formulas [GM09, RTG13]. This is somewhat unfortunate since one of the main values of program verification is the early detection of flaws in designs and programs. The possibility of infinite counterexamples is a major complication in this task, as they are especially difficult to find. In uninterpreted domains, infinite counterexamples usually do not indicate a real violation and are counterintuitive to programmers, yet render assertions invalid in the context of general first-order logic (on which SMT proof techniques are based). Hence infinite counter-models pose a real problem in the verification process.

Previous works on EPR-based verification [IBI13, BBG14, PMP16] used universally quantified invariants with programs expressed by formulas (EPR programs)111 transition relations can be extracted from code by existing tools for C code manipulating linked lists [IBI13, IBR14, KBI17] and for the modeling language RML [PMP16] which is Turing-complete. . In that setting, checking inductive invariants is decidable, hence problems (1) and (2) do not occur. In particular, EPR enjoys the finite-model property, and so counterexamples are of finite size. EPR programs are in fact Turing-complete [PMP16], but universal invariants are not always sufficient to express the program properties required for verification.

For example, [HHK15] describes a client-server scenario with the invariant that “For every reply message sent by the server, there exists a corresponding request message sent by a client”. (See Section 3 for further details.) This invariant is and thus leads to verification conditions with quantifier alternation. This kind of quantifier alternation may lead to divergence of the solver as problems (1) and (2) re-emerge.

This paper aims to expand the applicability of the EPR-based verification approach to invariants of more complex quantification. We focus on the class of invariants. invariants arise in interesting programs, but, as we show, checking inductiveness of invariants in this class is undecidable. We thus study problems (1),(2) above for this setting using the notion of bounded quantifier instantiation, a technique we term Bounded-Horizon.

Main results

This paper explores the utility of limited quantifier instantiations for checking invariants, and for dealing with the problems that arise from quantifier alternation: divergence of the proof search and infinite counter-models.

We consider instantiations that are bounded in the depth of terms. Bounded instantiations trivially prevent divergence while maintaining soundness. Although for a given bound the technique is not complete, i.e. unable to prove every correct invariant, we provide completeness guarantees by comparing bounded instantiations to the method of instrumentation, a powerful technique implicitly employed in previous works [IBI13, KBI17, PMP16]. Instrumentation tackles a invariant by transforming the program in a way that allows the invariant to be expressed using just universal quantifiers, and, accordingly, makes the verification conditions fall in EPR. We show that for invariants that can be proven using a typical form of instrumentation, bounded instantiations of a small bound are also complete, meaning they are sufficiently powerful to prove the original program without modifications and in a fully automatic way. This is encouraging since instrumentation is labor-intensive and error-prone while bounded instantiations are completely automatic.

This result suggests that in many cases correct invariants of EPR programs can be proven using a simple proof technique. Typically in such cases existing tools such as Z3 will also manage to automatically prove the verification conditions. However, bounded instantiations guarantee termination a-priori even when the invariant is not correct. In this case, when the bounded instantiation procedure terminates, it returns a logical structure which satisfies all the bounded instantiations. This structures is not necessarily a true counterexample but “approximates” one. Interestingly, this capability suggests a way to overcome the problem of infinite models. This problem arises when the user provides an invariant that is correct for finite models but is not correct in general first-order logic. In such cases, state-of-the-art SMT solvers typically produce “unknown” or timeout as they fail to find infinite models. The user is thus left with very little aid from the solver when attempting to make progress and successfully verify the program. In contrast, bounded quantifier instantiation can be used to find finite models with increasing sizes, potentially indicating the existence of an infinite model, and provide hints as to the source of the error. This information allows the user to modify the program or the invariant to exclude the problematic models. We demonstrate this approach on a real example in which such a scenario occurred in one of our verification attempts. We show that the provided models assist in identifying and fixing the error, allowing the user to successfully verify the program.

We also implemented a prototype tool that performs bounded instantiations of bound 1, and used it to verify several distributed protocols and heap-manipulating programs. The implementation efficiently reduces the problem of checking inductiveness with bound 1 to a Z3 satisfiability check on which the solver always terminates, thereby taking advantage of Z3’s instantiation techniques while guaranteeing termination.

Outline

The rest of the paper is organized as follows: Section 2 provides some technical background and notations. In Section 3 we define the Bounded-Horizon algorithm and discuss its basic properties. Section 4 defines the concept of instrumentation as used in this work, and shows that Bounded-Horizon with a low bound is at least as powerful. Section 5 relates instrumentation to bounded instantiation in the converse direction, showing that other forms of instrumentation can simulate quantifier instantiation of arbitrarily high depth. In Section 6 we show how bounded instantiations can be used to tackle the problem of infinite counterexamples to induction when the verification conditions are not valid. Section 7 describes our implementation of Bounded-Horizon of bound 1, and provides initial evaluation of its ability to prove some examples correct by bound 1 instantiation. Section 8 discusses related work, and Section 9 concludes. The discussion of the undecidability of checking inductiveness of invariants is deferred to Appendix A.

2. Preliminaries

In this section we provide background and explain our notation. will always denote a relational first-order vocabulary, which may contain constant symbols, , and relation symbols, , but no function symbols. For a formula we denote by the set of constants that appear in . We write that to mean that is an existential formula defined over vocabulary . Similarly, the class of universal formulas is denoted by . We say that is quantifier-free, denoted if it contains no quantifiers, and that it is alternation free, denoted , if it can be written as a Boolean combination of formulas in . stands for arbitrary first-order formulas over . A term or formula is ground if it does not contain free variables. A sentence is a ground formula.

Epr

The effectively-propositional (EPR) fragment of first-order logic, also known as the Bernays-Schönfinkel-Ramsey class, consists of sentences. Such sentences enjoy the small model property; in fact, a satisfiable EPR sentence has a model of size no larger than the number of its constants plus existential quantifiers. Thus satisfiability of EPR sentences is decidable [Ram30].

EPR Transition Relation

We specify a transition relation via an EPR sentence, , over a vocabulary where is a relational vocabulary used to describe the source (or pre-) state of a transition and is used to describe the target (or post-) state.

Inductive Invariants

A first-order sentence over is an inductive invariant for if is valid, or, equivalently, if is unsatisfiable222 In this paper, unless otherwise stated, satisfiability and validity refer to general models and are not restricted to finite models. Note that for EPR formulas, finite satisfiability and general satisfiability coincide. , where results from substituting every constant and relation symbol in by its primed version (i.e. ).

Counterexample to Induction

Given a first-order sentence over and transition relation (over ), a counterexample to induction is a structure (over ) s.t. .

Skolemization

Let . The Skolemization of , denoted , is a universal formula over , where consists of fresh constant symbols and function symbols, obtained as follows. We first convert to negation normal form (NNF) using the standard rules. For every existential quantifier that appears under the scope of the universal quantifiers , we introduce a fresh function symbol of arity . We replace each bound occurrence of by , and remove the existential quantifier. If (i.e., has no free variables and does not appear in the scope of a universal quantifier) a fresh constant symbol is used to replace . It is well known that is valid and and that are equi-satisfiable.

3. Bounded-Horizon

In this section, we define a systematic method of quantifier instantiation called Bounded-Horizon as a way of checking the inductiveness of first-order logic formulas, and explore some of its basic properties.

Undecidability

We first justify the use of sound but incomplete algorithms, such as the Bounded-Horizon algorithm, for the problem of checking inductiveness of formulas. For a universal formula , the formula is in EPR (recall that is specified in EPR). Hence, checking inductiveness amounts to checking the unsatisfiability of an EPR formula, and is therefore decidable. The same holds for . However, this is no longer true when quantifier alternation is introduced. In Appendix A we show that checking inductiveness of formulas is indeed undecidable, even when the transition relation is restricted to EPR (see Section A.2). Thus, an attempt to check inductiveness must sacrifice either soundness, completeness, or termination. Techniques based on quantifier instantiation usually prefer completeness over termination. In contrast, the Bounded-Horizon algorithm guarantees termination a-priori, possibly at the expense of completeness (but is surprisingly powerful nonetheless). We now move to define the Bounded-Horizon algorithm for and discuss its basic properties in checking inductiveness.

Bounded-Horizon Instantiations

Let be an EPR transition relation and a candidate invariant. We would like to check the satisfiability of , and equivalently of . Recall that denotes the Skolemization of , and note that and possibly add Skolem functions to the vocabulary. Roughly speaking, for a given , Bounded-Horizon instantiates the universal quantifiers in Ind, while restricting the instantiations to produce ground-terms of function nesting at most . We then check if this (finite) set of instantiations is unsatisfiable; if it is already unsatisfiable then we have a proof that is inductive. Otherwise we report that is not known to be inductive. The idea is to choose a (preferably small) number and perform instantiations bounded by instead of full-blown instantiation. As we will show, this algorithm is sound but not necessarily complete for a given .

Below we provide the formal definitions. We start with the notion of instantiations, and recall Herbrand’s theorem which establishes completeness of proof by unrestricted instantiations. Suppose that some vocabulary including constants and function symbols is understood (e.g., , where includes Skolem constants and function symbols).

Definition (Instantiation).

Let be a universal formula with free variables and universal quantifiers. An instantiation of by a tuple of ground terms, denoted by , is obtained by substituting for the free variables and the universally quantified variables, and then removing the universal quantifiers.

Note that an instantiation is a quantifier-free sentence.

Theorem (Herbrand’s Theorem).

Let . Then is satisfiable iff the (potentially infinite) set is satisfiable.

We now turn to restrict the depth of terms used in instantiations.

Definition (Bounded-Depth Terms).

For every , we define to be the set of ground terms over with function symbols nested to depth at most . is defined by induction over , as follows. Let be the set of constants in , the set of functions, and for every let be the arity of . Then

We will also write for a tuple of terms , to mean that every entry of is in (the number of elements in should be clear from the context). Note that the set of ground terms is .

Definition (Depth of Instantiation).

Let and . The depth of instantiation, denoted , is the smallest such that all ground terms that appear in are included in .

We are now ready to define the algorithm and discuss its basic soundness and completeness properties.

Bounded-Horizon algorithm

Given a candidate invariant , a transition relation over , and , the Bounded-Horizon algorithm constructs the formula , and checks if the set

(1)

is unsatisfiable. If it is unsatisfiable, then is provably inductive w.r.t.  with Bounded-Horizon of bound . Otherwise we report that is not known to be inductive.

Note that the satisfiability check performed by Bounded-Horizon is decidable since the set of instantiations is finite, and each instantiation is a ground quantifier-free formula.

Bounded-Horizon for Invariants

We illustrate the definition of Bounded-Horizon in the case that . Let where . Then where are new Skolem function symbols. introduces Skolem constants but no function symbols, and in this case so does . The Bounded-Horizon check of bound can be approximately333 Equation 2 is an under-approximation of the set of instantiations used for bound ; variables that do not appear in under a function symbol can be taken from in the conjunction without increasing the total depth of instantiation beyond , and are therefore allowed in bounded instantiation of bound . This approximation is illustrative nonetheless, and will be useful in the proofs in Section 4. understood as checking the (un)satisfiability of

(2)
Lemma (Soundness).

For every , Bounded-Horizon with bound is sound, i.e., if Bounded-Horizon of bound reports that is inductive w.r.t. , then is indeed inductive.

Proof.

Assume that is not inductive w.r.t. , so there is a structure such that . In particular for every and in particular for every such that . Hence, Bounded-Horizon of bound will not report that is inductive. ∎

As the algorithm is sound for any , the crucial question that remains is an appropriate choice of . A small is preferable for efficiency, but a larger could allow for proving more invariants. In the following example, a bound of even 1 suffices for proving that the invariant is inductive. We then show that for every correct invariant there is a suitable bound , but a single choice of cannot prove all correct invariants. Later, in Section 4, we show that bound of or is surprisingly powerful nonetheless.

Example .
Figure 1. Example demonstrating a  invariant that is provable with bound 1. The reader should first ignore the instrumentation code denoted by (see Section 4.1). This example models a simple client-server scenario, with the safety property that every response sent by the server was triggered by a request from a client. Verification of this example requires a invariant. This example is inspired by [HHK15]. The complete program is provided in [add] (files client_server_ae.ivy, client_server_instr.ivy).

Figure 1 presents a simple model of the client-server scenario described in [HHK15]. The program induces an EPR transition relation, and its invariant is provable by Bounded-Horizon of bound 1.

We first explain this example while ignoring the annotations denoted by “”. The system state is modeled using three binary relations. The req relation stores pairs of users and requests, representing requests sent by users. The resp relation similarly stores pairs of users and replies, representing replies sent back from the server. The match relation maintains the correspondence between a request and its reply.

The action new_request models an event where a user sends a new request to the server. The action respond models an event where the server responds to a pending request by sending a reply to the user. The request and response are related by the match relation. The action check is used to verify the safety property that every response sent by the server has a matching request, by aborting the system if this does not hold.

A natural inductive invariant for this system is

The invariant proves that the then branch in action check will never happen and thus the system will never abort. This invariant is preserved under execution of all actions, and this fact is provable by Bounded Horizon of bound 1.

Lemma (Completeness for some ).

For every and such that is inductive w.r.t.  there exists a finite s.t. is provably inductive w.r.t.  with Bounded-Horizon of bound .

Proof.

From Section 3 and compactness there is a finite unsatisfiable set of instantiations. Take to be the maximal depth of the instantiations in . ∎

For example, if then Bounded-Horizon of bound is complete. However, as expected due to the undecidability of checking inductiveness (see Appendix A), Bounded-Horizon is not complete for a given for arbitrary invariants.

Example .
Figure 2. Example demonstrating a invariant that is provable only with bound 2. The server anonymizes requests from clients to the database (DB) and forwards the answer to the client. The server performs a translation t between clients’ identity and an anonymous unique id. The safety property is that every response sent by the server to a client was triggered by a request from the client. The inductive invariant further states that every server request to the DB was triggered by a client’s request from the server, and that every DB response was triggered by a server’s request. The complete program corresponding to this Figure appears in [add] (file client_server_db_ae.ivy).

An example of a program and an inductive invariant for which a bound of 0 or 1 is insufficient appears in Figure 2. In this example the server operates as a middleman between clients and the database (DB), and is used to anonymize user requests before they reach the database. The server performs a translation between clients’ identity and an anonymous unique id, sends a translated request to the DB, and forwards the DB’s response to the clients. The safety property is that every response sent by the server was triggered by a request from a client. The inductive invariant states, in addition to the safety property, that every server request to the DB was triggered by a client’s request from the server, and that every DB response was triggered by a server’s request. Proving that the invariant is inductive under the action server_recv_db_response requires the prover to understand that for the response from the DB there is a matching request from the server to the DB, and that for this request to the DB there is a matching request from the client to the server. Every such translation requires another level of nesting in the instantiation. In this example, a bound of 2 manages to prove inductiveness. This example can be lifted to require an even larger depth of instantiation by adding more translation entities similar to the server, and describing the invariant in a similar, modular, way.

Small Bounded-Horizon for Invariants

Despite the incompleteness, we conjecture that a small depth of instantiations typically suffices to prove inductiveness. The intuition is that an EPR transition relation has a very limited “horizon” of the domain: it interacts only with a small fraction of the domain, namely elements pointed to by program variables (that correspond to logical constants in the vocabulary).

When performing the Bounded-Horizon check with bound 1 on a invariant , we essentially assume that the existential part of the invariant holds on all program variables — but not necessarily on all elements of the domain — and try to prove that it holds on all elements of the domain after the transition. We expect that for most elements of the domain, the correctness of is maintained simply because they were not modified at all by the transition. For elements that are modified by the transition, we expect the correctness after modification to result from the fact that holds for the elements of the domain that are directly involved in the transition. If this is indeed the reason that is maintained, a bound of 1 sufficiently utilizes in the pre-state to prove the invariant in the post-state, i.e. to prove that it is inductive.

This is the case in Section 3. Additional examples are listed in Section 7. The example of Figure 2 itself also admits a different invariant that is provable by bound 1. Section 4 further studies the power of Bounded-Horizon with a low bound.

4. Power of Bounded-Horizon for Proving Inductiveness

We now turn to investigate the ability of Bounded-Horizon to verify inductiveness. In this section we provide sufficient conditions for its success by relating it to the notion of instrumentation (which we explain below). We show that Bounded-Horizon with a low bound of 1 or 2 is as powerful as a natural class of sound program instrumentations, those that do not add existential quantifiers. Section 7 demonstrates the method’s power on several interesting programs that we verified using Bounded-Horizon of bound 1.

4.1. Instrumentation

We present our view of the instrumentation procedure used in previous works [IBI13, KBI17, PMP16] to eliminate the need for quantifier-alternation, thus reducing the verification task to a decidable fragment. The procedure begins with a program that induces a transition relation . The purpose of instrumentation is to modify into another transition relation that admits an inductive invariant with simpler quantification (e.g., universal, in which case it is decidable to check). We note that instrumentation is generally a manual procedure. For simplicity, we describe the instrumentation process informally, but provide the semantic soundness requirement in Section 4.1. The instrumentation process is thoroughly described in a recent work [PLSS17]. The instrumentation procedure consists of the following three steps:

  1. Identify a formula (usually will be existential) that captures information that is needed in the inductive invariant. Extend the vocabulary with an instrumentation relation that intentionally should capture the derived relation defined by . Let denote the extended vocabulary444It is also possible to instrument the program with constants rather than relations. This can be emulated by adding a unary relation representing the constant, and adding the assumption that contains exactly one element to the invariant. This form is in line with the conditions of Section 4.4. .

  2. Add update code that updates when the original (“core”) relations are modified, and maintains the meaning of as encoding . The update code must not block executions of real code, and can possibly be a sound approximation. Sometimes it can be generated automatically via finite differencing [RSL10].

  3. Modify the program to use . Often this is performed by rewriting some program conditions, keeping in mind that encodes . This means replacing some quantified expressions by uses of .

Example .

In the example of Figure 1, to achieve a universal invariant we add an instrumentation relation r defined by (step 1). The simple form of allows us to obtain precise update code, which appears as annotations marked with in lines that mutate req and match (step 2). We also replace the if condition in the action check by an equivalent condition that uses r (step 3). The line marked with in the check action replaces the line above it. The resulting program has the invariant , which is universal.

Let denote the transition relation induced by the modified program (modifications occur in steps 2,3). The soundness of the instrumentation procedure is formalized in the following connection between , , and :

Definition (Sound Instrumentation).

is a sound instrumentation for and if

is valid.

Section 4.1 ensures that the instrumented program includes at least all the behaviors of the original program, when is interpreted according to . Thus, if the instrumented program is safe, then it is sound to infer that the original program is safe.

The instrumentation procedure does not require the user to know an inductive invariant for the original program. However, if a sound instrumentation which leads to an invariant exists, then an inductive invariant for the original can be produced by substituting back the “meaning” of as (thus, safety of the original program is implied):

Lemma .

Let be a sound instrumentation for and , and be an inductive invariant for . Then is inductive w.r.t. .

Proof.

is valid, thus, so is . is a sound instrumentation for , so (using Section 4.1) is valid. ∎

Note that typically the quantification structure of is more complex than that of .

Remark .

In the expression the update code of in becomes a constraint over the core relations in . In a sound instrumentation this constraint is required to follow from the way the core relations are updated by , essentially meaning that is updated in a way that is consistent with its interpretation as .

Instrumentation without additional existential quantifiers

In order to relate instrumentation to Bounded-Horizon instantiations, we consider the typical case where the instrumentation process of does not add new existential quantifiers to . This happens when the update code does not introduce additional existential quantifiers. Formally:

Definition (Existential Naming).

Let where . An existential naming for is a mapping . We define to be .

An existential naming provides a Skolemization procedure which uses existing constants rather than fresh ones. If such exists, it maps the (Skolemized) existential quantifiers in to their counterparts in . For example, the instrumentation in Figure 1 results in that has an existential naming w.r.t. the original . Note that it is possible that has in fact fewer existential quantifiers than , for example due to the rewriting of conditions (as happens in the example of Figure 1 — see the if statement in action check).

An instrumentation without additional existentials is an instrumentation from to whose soundness can be shown while respecting an existential naming from to ; the existential naming matches the existential quantifiers of with the vocabulary of in a sound way:

Definition (Instrumentation Without Additional Existenials).

is a sound instrumentation without additional existentials for if there exists an existential naming such that

is valid.

4.2. From Instrumentation to Bounded-Horizon

The results described in this section show that if there is an instrumentation without additional existentials, then Bounded-Horizon with a low bound is able to prove the original invariant, without specific knowledge of the instrumentation and without manual assistance from the programmer. This is the case in the example of Figure 1, which admits an instrumentation that transforms the invariant to a universal invariant (see Section 4.1) in a form that matches Section 4.3, and indeed the original invariant is provable by Bounded-Horizon of bound 1.

Interestingly, in case Bounded-Horizon with a small bound does not prove inductiveness the results imply that either the invariant is not inductive or no instrumentation that does not add existential quantifiers can be used to show that it is inductive (even with the programmer’s manual assistance). This is the case in the example of Figure 2, where a bound of 1 does not suffice.555Strictly speaking this shows that there is no such instrumentation where the instrumentation relation appears only positively in the invariant, which is the most common case. Examples that require an even larger bound (sketched above) do not admit any instrumentation without additional existential quantifiers that transforms the invariant to a universal form.

While we show that instrumentation that does not add existentials is at most as powerful as Bounded-Horizon with a low bound, sound instrumentations that do add existentials to the program (thereby not satisfying Section 4.1) can be used to simulate quantifier instantiation of an arbitrary depth. This topic is explored in Section 5.

In the remainder of this section we will assume that is a sound instrumentation without additional existentials for , and is the corresponding naming of existentials. Further, we assume that is an inductive invariant for and denote .

Results.

We now state the results whose proofs are presented in the rest of this section. Section 4.3 and Section 4.3 consider that is transformed to . In Section 4.3 we show that a bound of 1 suffices to prove that is inductive for when (that is, the instrumentation defining formula is existential) and the instrumentation relation appears only positively in , or when and appears only negatively in . This is an attempt to explain the success of bound 1 instantiations in proving our examples (see Section 7). In Section 4.3 we show that a bound of 2 suffices in the more general setting of (with no restriction on appearances of in ).

Section 4.4 considers a generalization to that is 1-alternation and transformed to . We show that a bound of 2 suffices in this case.

Proof idea.

The rest of the section is devoted to proofs of the these claims. The intuition behind the proofs is that the instrumented invariant is universal, so the fact that it is inductive can be shown by instantiating the universal quantifiers with the constants. Relating between the instrumented and original program, this constitutes a proof that the instrumented invariant is inductive (for the original program), where the proof is by instantiating the universal quantifiers with the constants, essentially by the same set of instantiations. With the existential quantifiers present in the program without instrumentation, this implies a proof by bounded instantiations. The formal proofs handle the fine details of which quantifiers are instantiated, and with what constants, to establish the results.

To highlight the main points in the formal proof, the crux of the argument is as follows: Assume for the sake of contradiction that cannot be shown to be inductive for by Bounded-Horizon of a low bound, and take a counterexample to induction of the instantiated (see Equation 4 in the proof of Section 4.3). By the assumption that is an instrumentation without additional existentials for , we can utilize properties of substitution to obtain a counterexample to induction for the instantiated w.r.t.  (see Equation 7). By the assumption that and , we use complete instantiation to argue that we have obtained a true counterexample to induction of w.r.t.  (see Equation 11), in contradiction to the premise.

Remark .

The results of this section also apply when multiple instrumentation relations are simultaneously substituted instead of the relation symbols in and .

4.3. Power for Invariants

We now establish that low bounds are sufficient for the Bounded-Horizon check, assuming that a sound instrumentation without additional existentials exists, in the case of and . To do so, we first prove the following lemma.

Lemma .

Let be a sound instrumentation of without new existentials and with naming . Write where and let . Then,

(3)

is unsatisfiable, where and is the number of universal quantifiers in .

Proof.

Assume not, i.e., there exists a structure such that,

(4)

We will show that is not inductive for . Let . Then,

(5)

where is the same as but also interprets any constant in as some arbitrary constant in . Thus holds for the new constants as well.

Removing some conjuncts from Equation 5, we get,

(6)

By assumption (Section 4.1), it follows that,

(7)

Recall that . Since , it follows that . In the latter formula, some existentially quantified variables from or may remain, whereas in the former formula they were replaced by Skolem constants. Thus this is just a corollary of the fact that is valid for any .

Thus we have shown,

(8)

Now, consider the structure that expands by interpreting and the way that interprets and , respectively. Then,

(9)

Since the formula in Equation 9 is universal, it is also satisfied by , the substructure of with universe , i.e., ’s interpretation of the constant symbols (recall that ). Thus,

(10)

Finally, since is valid and so is (for the same reasons), we know,

(11)

But this contradicts the fact that is inductive for . ∎

The following results are corollaries of Section 4.3.

Theorem .

Let . Assume and appears only positively in , or and appears only negatively in . Then is inductive for with Bounded-Horizon of bound . (Note that .)

Proof.

Let where . In both cases of the claim , and so all the universal quantifiers in are those of . This implies that the satisfiability check of Section 4.3 is simply the Bounded-Horizon satisfiability check with bound , and it shows that the result must be unsatisfiable.

More formally, assume for the sake of contradiction that is not inductive w.r.t.  with Bounded-Horizon of bound . Let where , and let

be its Skolemization with fresh Skolem function symbols (introduced for , respectively). Then there is a structure satisfying

(12)

Since has no universal quantifiers, the instantiation is just a substitution of the free variables, and satisfies

(13)

By reducing to the elements pointed to by terms we have that

(14)

Note that in the interpretations of the Skolem functions are possibly partial functions. The functions appear in the formula of Equation 14 only grounded, and applied on , and these cases the interpretations of the functions are defined. (In particular, they can be extended to total functions in an arbitrary way, and the resulting structure still satisfies Equation 14.)

We now move from the Skolem functions back to existential quantifiers. By the valuation that to every existentially quantified variable in assigns the interpretation of in (recall that appears in instead of the quantifier in ), we know that

(15)

Recall that . Therefore, Equation 15 can be rewritten as

(16)

where and is the number of universal quantifiers in (and ).

By Section 4.3 this is a contradiction to the assumption that is inductive w.r.t. , and the claim follows. ∎

Theorem .

Let . If then is inductive for with Bounded-Horizon of bound . (Note that .)

Proof.

As before, Let where . implies that . Let

(17)

where .

Assume for the sake of contradiction that is not inductive w.r.t.  with Bounded-Horizon of bound .

For brevity denote

and let denote the fresh Skolem function introduced for in .

By the assumption that inductiveness is not provable using Bounded-Horizon of bound ,

(18)

is satisfiable by a structure .

In particular