A Complete Approach to Loop Verification with Invariants and Summaries

TL;DR

This paper explores loop contracts as an alternative to invariants for loop verification, providing a comprehensive theory, concrete examples, and a novel translation method to enhance verification techniques.

Contribution

It offers the first complete exposition of loop contracts, characterizes their completeness, and introduces a translation method decoupling specification from verification.

Findings

Loop contracts can naturally capture correctness conditions.

A constructive translation between invariants and loop contracts is developed.

Loop contracts demonstrate advantages on standard algorithms.

Abstract

Invariants are the predominant approach to verify the correctness of loops. As an alternative, loop contracts, which make explicit the premise and conclusion of the underlying induction proof, can sometimes capture correctness conditions more naturally. But despite this advantage, the second approach receives little attention overall, and the goal of this paper is to lift it out of its niche. We give the first comprehensive exposition of the theory of loop contracts, including a characterization of its completeness. We show concrete examples on standard algorithms that showcase their relative merits. Moreover, we demonstrate a novel constructive translation between the two approaches, which decouples the chosen specification approach from the verification backend.