By: Pashootan Vaezipoor
Path Invariant
Simon Fraser University – Spring 09
Introduction

Current trends in provable assertion derivation:
- An abstract framework is set up by the user. The user must come up with a framework which is both expressive enough and sufficiently inexpensive:
  - Abstract domains
  - Shapes and templates
  - Invariant templates
  - Linear arithmetic
  - Uninterpreted functions
- CEGAR: the abstract interpretation refinement is done automatically, but loops cause problems.
Path Programs

- Counterexamples can be seen as a full-fledged program.
- A path program is not just a single infeasible path: it can represent a whole family of them, so it is ideal for loops.
- When we remove a path program, we are removing many false alarms.
- Path programs decompose a large program into a set of smaller programs.
- To achieve all this we must add universal quantifiers to the set!
Advantages

We can overcome two limitations of CEGAR-based schemes:
- Avoid iterative unwinding of loops: we can treat infinite paths, and we can also treat finite paths more efficiently.
- We can handle a larger class of problems: the dependence of a program's correctness on arrays.
Example 1 (FORWARD)

What does BLAST do?
- No predicates are tracked; only reachability is checked.
- Is the counterexample genuine or spurious?
- In the third phase it extracts the predicates and adds them to the predicate abstraction.
- But again, for two iterations we need to do the same thing!
Path Invariant

- We infer path invariants from path programs.
- A path invariant map is a map from a location of the program to a set of formulas:
  - The initial location maps to true.
  - For each (l, ρ, l') in the path program, the successor of the formula at l with respect to the program operation ρ implies the formula at l'.
  - The path is safe if the error location is mapped to the formula false.
Example 2 (INIT-CHECK)
Formulation

- A program is P = (X, L, l0, T, le).
- The error location does not have any outgoing edges.
- These together make a directed graph called the control-flow graph (CFG).
- A computation of the program is the sequence <l0, s0>, <l1, s1>, …, <lk, sk>.
- If (l, ρ, l') is an edge in T, then (si, si+1) satisfies ρ.
Computation of Path Invariants

- We use template-based invariant generation.
- In template-based invariant synthesis, we assume that for each control location in the domain of the map η we have a so-called invariant template, which is a parametric constraint over program variables.
Universal Quantifiers

- We construct a suitable template by analyzing a given path program.
- If the program contains an assertion that is iteratively checked, then we add a universally quantified implication to the template.
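As an added example (not from the slides or the paper they summarize), the following checks the path-invariant conditions stated above, using the universally quantified template, on a constructed INIT-CHECK-style path program that first zeroes an array and then asserts every cell is zero. Formulas and operations are Python predicates over a small finite state space, so the "successor implies" condition is checked by enumeration rather than with a solver; the locations, edges and the bound N = 3 are assumptions.

```python
from itertools import product

N = 3                 # array length; bounded so every state can be enumerated
VALS = (0, 1)         # possible cell values

def states():
    """All states (i, j, a) of the bounded domain."""
    for i, j in product(range(N + 1), repeat=2):
        for a in product(VALS, repeat=N):
            yield (i, j, a)

def loop_init(s):     # l1 -> l1: i < N; a[i] := 0; i := i + 1
    i, j, a = s
    return (i + 1, j, a[:i] + (0,) + a[i + 1:]) if i < N else None

def loop_check(s):    # l2 -> l2: j < N and a[j] == 0; j := j + 1
    i, j, a = s
    return (i, j + 1, a) if j < N and a[j] == 0 else None

# Edges (l, rho, l') of a constructed INIT-CHECK-style path program; rho
# returns the successor state, or None when its guard is false.
EDGES = [
    ("l0", lambda s: (0, s[1], s[2]), "l1"),                          # i := 0
    ("l1", loop_init, "l1"),
    ("l1", lambda s: (s[0], 0, s[2]) if s[0] >= N else None, "l2"),   # i >= N; j := 0
    ("l2", loop_check, "l2"),
    ("l2", lambda s: s if s[1] < N and s[2][s[1]] != 0 else None, "le"),  # assert fails
]

def check_map(eta):
    """Edges (l, l') where the successor of eta[l] under rho does not imply eta[l']."""
    bad = []
    for l, rho, l2 in EDGES:
        for s in states():
            t = rho(s) if eta[l](s) else None
            if t is not None and not eta[l2](t):
                bad.append((l, l2))
                break
    return bad    # [] means every edge is inductive and le is unreachable

# Candidate path-invariant map using the universally quantified template.
GOOD = {
    "l0": lambda s: True,
    "l1": lambda s: all(s[2][k] == 0 for k in range(s[0])),  # forall k < i: a[k] == 0
    "l2": lambda s: all(s[2][k] == 0 for k in range(N)),     # forall k < N: a[k] == 0
    "le": lambda s: False,
}
# Forgetting the quantified fact at l1 makes the map non-inductive at l1 -> l2.
WEAK = dict(GOOD, l1=lambda s: True)
```

`check_map(GOOD)` returns an empty list, so the quantified map proves the error location unreachable, while `check_map(WEAK)` reports the edge l1 -> l2 as the place where the weaker map fails.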