Generalized Homogeneous Polynomials for Efficient Template-Based Nonlinear Invariant Synthesis

Abstract

The template-based method is one of the most successful approaches to algebraic invariant synthesis. In this method, an algorithm designates a template polynomial \(p\) over program variables, generates constraints for \(p=0\) to be an invariant, and solves the generated constraints. However, this approach often suffers from an increasing template size if the degree of a template polynomial is too high.

We propose a technique to make template-based methods more efficient. Our technique is based on the following finding: If an algebraic invariant exists, then there is a specific algebraic invariant that we call a generalized homogeneous algebraic invariant that is often smaller. This finding justifies using only a smaller template that corresponds to a generalized homogeneous algebraic invariant.

Concretely, we state our finding above formally based on the abstract semantics of an imperative program proposed by Cachera et al. Then, we modify their template-based invariant synthesis so that it generates only generalized homogeneous algebraic invariants. This modification is proved to be sound. Furthermore, we also empirically demonstrate the merit of the restriction to generalized homogeneous algebraic invariants. Our implementation outperforms that of Cachera et al. for programs that require a higher-degree template.

A Proof of Theorem 4

To prove Theorem 4, we define renaming of parameters and constraints.

Definition 7

For an injection \(\iota : A \rightarrow A'\), we write \(\iota : (A,G,C) \preceq (A',G',C')\) if \(G' = \iota ^*(G)\) and \(C' = \iota ^*(C)\) where \(\iota ^*\) maps \(a' \in \iota (A)\) to \(\iota ^{-1}(a')\) and \(a' \in \iota (A' \backslash \iota (A))\) to \(0\).

The injection \(\iota \) gives a renaming of parameters. The relation \(\iota : (A,G,C) \preceq (A',G',C')\) reads \(G\) and \(C\) are obtained from \(G'\) and \(C'\) by renaming the parameters in \(\iota (A)\) using \(\iota \) and substituting \(0\) to those not in \(\iota (A)\).

Lemma 2

If \(\iota : (A,G,C) \preceq (A',G',C')\), then there exists \(\kappa \) such that (1) \(\kappa : \llbracket c \rrbracket ^{\sharp \mathtt {cH}}_{{\mathbf {Rem}^{\mathtt {par}}},\varGamma }(A,G,C) \preceq \llbracket c \rrbracket ^{\sharp \mathtt {c}}_{{\mathbf {Rem}^{\mathtt {par}}}}(A',G',C')\) and (2) \(\kappa \) is an extension of \(\iota \).

Proof

Induction on the structure of \(c\).    \(\square \)

Proof of Theorem  4. Let \(g \in T(A_0)\) be the most general template of generalized degree \(\tau \) and degree d and \(g' \in T(A_0')\) be the most general template of degree d. Without loss of generality, we assume \(A_0 \subseteq A_0'\) and \(g' = g + g_1\) for some \(g_1 \in T(A_0' \backslash A_0)\). Let \((A, G, C) = \llbracket c \rrbracket ^{\sharp \mathtt {cH}}_{{\mathbf {Rem}^{\mathtt {par}}},\varGamma }(A_0, \{{g}\}, \emptyset )\) and \((A', G', C') = \llbracket c \rrbracket ^{\sharp \mathtt {c}}_{{\mathbf {Rem}^{\mathtt {par}}}}(A_0', \{{g'}\}, \emptyset )\). Then, from Lemma 2, there exists \(\kappa \) such that \(\kappa : (A, G, C) \preceq (A', G', C')\) and \(\kappa \) is an extension of the inclusion mapping \(\iota : A_0 \rightarrow A_0'\). Suppose \(v(g)\) is a result of \(\textsc {InvInf}^{\mathtt {H}}(c, d, \tau )\) where \(v\) is a solution to \(C \cup \{{\langle G \equiv \{{0}\} \rangle }\}\). Define a valuation \(v'\) on \(A'\) by

$$ v'(a') = \left\{ \begin{array}{ll} v(a) &{} a' = \kappa (a) \text{ for } \text{ some } a \in A\\ 0 &{} \text{ Otherwise. } \end{array} \right. $$

Then, \(v'(g') = v'(g + g_1) = v'(g)\); the second equation holds because \(v'(a')\) is constantly \(0\) on any \(a' \in A' \backslash A\). All the parameters in \(g\) are in \(A_0\) and \(\kappa \) is an identity on \(A_0\). Therefore, \(v'(g) = v(g)\). It suffices to show that \(v' \models C' \cup \{{\langle G' \equiv \{{0}\} \rangle }\}\), which indeed holds from the definition of \(v'\) since \(v \models C \cup \{{\langle G \equiv \{{0}\} \rangle }\}\) and \(C\) and \(G\) are renaming of \(C'\) and \(G'\).   \(\square \)