Bounded Quantifier Instantiation for Checking Inductive Invariants

TL;DR

This paper introduces Bounded-Horizon instantiation, a method to ensure termination of SMT solvers when checking inductive invariants with quantifier alternation, and demonstrates its effectiveness and power in uninterpreted domains.

Contribution

It presents Bounded-Horizon as a powerful, automatic technique for verifying quantified invariants, matching manual instrumentation methods without code modification.

Findings

Bounded-Horizon guarantees termination for certain classes of invariants.

The method can simulate natural instrumentation techniques automatically.

Prototype implementation successfully verified several examples with bound 1.

Abstract

We consider the problem of checking whether a proposed invariant $\varphi$ expressed in first-order logic with quantifier alternation is inductive, i.e. preserved by a piece of code. While the problem is undecidable, modern SMT solvers can sometimes solve it automatically. However, they employ powerful quantifier instantiation methods that may diverge, especially when $\varphi$ is not preserved. A notable difficulty arises due to counterexamples of infinite size. This paper studies Bounded-Horizon instantiation, a natural method for guaranteeing the termination of SMT solvers. The method bounds the depth of terms used in the quantifier instantiation process. We show that this method is surprisingly powerful for checking quantified invariants in uninterpreted domains. Furthermore, by producing partial models it can help the user diagnose the case when $\varphi$ is not inductive, especially when the underlying reason is the existence of infinite counterexamples. Our main technical result is that Bounded-Horizon is at least as powerful as instrumentation, which is a manual method to guarantee convergence of the solver by modifying the program so that it admits a purely universal invariant. We show that with a bound of 1 we can simulate a natural class of instrumentations, without the need to modify the code and in a fully automatic way. We also report on a prototype implementation on top of Z3, which we used to verify several examples by Bounded-Horizon of bound 1.