Implementing and Evaluating Candidate-Based Invariant Generation

TL;DR

This paper enhances GPU program verification by applying candidate-based invariant generation, improving success rates but also increasing computational effort, and explores methods to speed up candidate validation.

Contribution

It demonstrates the application of candidate-based invariant generation in GPUVerify, improving verification success on GPU programs and proposing techniques to accelerate candidate validation.

Findings

GPUVerify verified 231 out of 253 programs using candidate invariants.

Candidate generation increases verification success but also computational time.

Proposed analyses aim to quickly reject false candidates to improve efficiency.

Abstract

The discovery of inductive invariants lies at the heart of static program verification. Presently, many automatic solutions to inductive invariant generation are inflexible, only applicable to certain classes of programs, or unpredictable. An automatic technique that circumvents these deficiencies to some extent is candidate-based invariant generation. This paper describes our efforts to apply candidate-based invariant generation in GPUVerify, a static checker for programs that run on GPUs. We study a set of GPU programs that contain loops, drawn from a number of open source suites and vendor SDKs. We describe the methodology we used to incrementally improve the invariant generation capabilities of GPUVerify to handle these benchmarks, through candidate-based invariant generation, using cheap static analysis to speculate potential program invariants. We also describe a set of experiments that we used to examine the effectiveness of our rules for candidate generation, assessing rules based on their generality (the extent to which they generate candidate invariants), hit rate (the extent to which the generated candidates hold), worth (the extent to which provable candidates actually help in allowing verification to succeed), and influence (the extent to which the success of one generation rule depends on candidates generated by another rule). The candidates produced by GPUVerify help to verify 231 of the 253 programs. This increase in precision, however, makes GPUVerify sluggish: the more candidates that are generated, the more time is spent determining which are inductive invariants. To speed up this process, we have investigated four under-approximating program analyses that aim to reject false candidates quickly and a framework whereby these analyses can run in sequence or in parallel.