Inductive Predicate Synthesis Modulo Programs (Extended)

TL;DR

This work introduces Inductive Predicate Synthesis Modulo Programs (IPS-MP), a synthesis framework that bridges flexible verification strategies and efficient solver back-ends by letting verification conditions contain unknown predicates inside assume and assert. IPS-MP reduces the synthesis task to constrained Horn clause (CHC) solving, enabling practical, solver-driven invariant discovery even for complex tasks such as class invariants, array abstractions, and parameterized model checking. The authors prove that IPS-MP is decidable in the Boolean case with a complexity matching standard verification, and show undecidability in general, while providing sound CHC-based realizability and unrealizability rules. They implement an IPS-MP solver inside SeaHorn and demonstrate its effectiveness across a suite of benchmarks, including 70 real-world smart-contract verifications, where CHC solvers outperform general synthesis tools. The work also provides concrete reductions from verification problems to IPS-MP (class invariants, array abstractions, PCMC), suggesting broad applicability to program analysis and verification pipelines.

Abstract

A growing trend in program analysis is to encode verification conditions within the language of the input program. This simplifies the design of analysis tools by utilizing off-the-shelf verifiers, but makes communication with the underlying solver more challenging. Essentially, the analyzer operates at the level of input programs, whereas the solver operates at the level of problem encodings. To bridge this gap, the verifier must pass along proof-rules from the analyzer to the solver. For example, an analyzer for concurrent programs built on an inductive program verifier might need to declare Owicki-Gries style proof-rules for the underlying solver. Each such proof-rule further specifies how a program should be verified, meaning that the problem of passing proof-rules is a form of invariant synthesis. Similarly, many program analysis tasks reduce to the synthesis of pure, loop-free Boolean functions (i.e., predicates), relative to a program. From this observation, we propose Inductive Predicate Synthesis Modulo Programs (IPS-MP) which extends high-level languages with minimal synthesis features to guide analysis. In IPS-MP, unknown predicates appear under assume and assert statements, acting as specifications modulo the program semantics. Existing synthesis solvers are inefficient at IPS-MP as they target more general problems. In this paper, we show that IPS-MP admits an efficient solution in the Boolean case, despite being generally undecidable. Moreover, we show that IPS-MP reduces to the satisfiability of constrained Horn clauses, which is less general than existing synthesis problems, yet expressive enough to encode verification tasks. We provide reductions from challenging verification tasks -- such as parameterized model checking -- to IPS-MP. We realize these reductions with an efficient IPS-MP-solver based on SeaHorn, and describe a application to smart-contract verification.

Figures (15)

• Figure 1: The architecture of an analysis framework built atop an off-the-shelf software verifier. Examples are given with respect to SmartACE.
• Figure 2: Overview of the IPS-MP problem.
• Figure 3: A simple example of the IPS-MP problem.
• Figure 4: A program (see \ref{['Fig:Overview:ClassProb']}) which is correct relative to the choice of class invariant $( 0 < \textsf{o.max} ) \land ( 0 \le \textsf{o.pos} \le \textsf{o.max} )$, and a corresponding IPS-MP instance.
• Figure 5: A program (see \ref{['Fig:Overview:ArrayProb']}) which is correct relative to the choice of array abstraction $( i = \textsf{s} \land v = 0 ) \lor ( i \ne \textsf{s} \land 0 \le v \le \textsf{max} )$, and a corresponding IPS-MP instance.

Theorems & Definitions (24)

• Definition 1
• Definition 2: AlurBouajjani2018
• Example 3
• Definition 4
• Example 5
• Definition 6
• Theorem 7
• Theorem 8
• Corollary 9
• Theorem 10