Verifying Array Manipulating Programs with Full-Program Induction

We present a full-program induction technique for proving (a sub-class of) quantified as well as quantifier-free properties of programs manipulating arrays of parametric size N. Instead of inducting over individual loops, our technique inducts over the entire program (possibly containing multiple loops) directly via the program parameter N. Significantly, this does not require generation or use of loop-specific invariants. We have developed a prototype tool Vajra to assess the efficacy of our technique. We demonstrate the performance of Vajra vis-a-vis several state-of-the-art tools on a set of array manipulating benchmarks.


Introduction
Programs with loops manipulating arrays are common in a variety of applications. Unfortunately, assertion checking in such programs is undecidable. Existing tools therefore use a combination of techniques that work well for certain classes of programs and assertions, and yield conservative results otherwise. In this paper, we present a new technique to add to this arsenal of techniques. Specifically, we focus on programs with loops manipulating arrays, where the size of each array is a symbolic integer parameter N (> 0). We allow (a subclass of) quantified and quantifier-free pre-and post-conditions that may depend on the symbolic parameter N . Thus, the problem we wish to solve can be viewed as checking the validity of a parameterized Hoare triple {ϕ(N )} P N {ψ(N )} for all values of N (> 0), where the program P N computes with arrays of size N , and N is a free variable in ϕ(·) and ψ(·). Fig. 1(a) shows an example of one such Hoare triple, written using assume and assert. This triple effectively verifies that i−1 j=0 1 + j−1 k=0 6 · (k + 1) = i 3 for all i ∈ {0 . . . N −1}, and for all N > 0. Although each loop in Fig. 1(a) is simple, their sequential composition makes it difficult even for state-of-the-art tools like VIAP [26], VeriAbs [8], FreqHorn [10], Tiler [4], Vaphor [24], or Booster [1] to prove the post-condition correct. In fact, none of the above tools succeed in automatically proving the post-condition in Fig. 1(a). In contrast, the technique presented in this paper, called full-program induction, proves the post-condition in Fig. 1(a) correct within a few seconds.
Like several earlier approaches [29], full-program induction relies on mathematical induction to reason about programs with loops. However, the way in // assume(true) 1  which the inductive claim is formulated and proved differs significantly. Specifically, (i) we do not require explicit or implicit loop-specific invariants to be provided by the user or generated by a solver (viz. by constrained Horn clause solvers [21,15,10] or recurrence solvers [26,17]), (ii) we induct on the full program (possibly containing multiple loops) with parameter N and not on iterations of individual loops in the program, and (iii) we perform non-trivial correct-byconstruction code transformations, whenever feasible, to simplify the inductive step of reasoning. The combination of these factors often reduces reasoning about a program with multiple loops to reasoning about one with fewer (sometimes even none) and "simpler" loops, thereby simplifying proof goals. In this paper, we demonstrate this, focusing on programs with sequentially composed, but non-nested loops.
As an illustration of simplifications that can result from application of fullprogram induction, consider the problem in Fig. 1(a) again. Full-program induction reduces checking the validity of the Hoare triple in Fig. 1(a) to checking the validity of two "simpler" Hoare triples, represented in Figs. 1(b) and 1(c). Note that the programs in Figs. 1(b) and 1(c) are loop-free. In addition, their pre-and post-conditions are quantifier-free. The validity of these Hoare triples (Figs. 1(b) and 1(c)) can therefore be easily proved, e.g. by bounded model checking [6] with a back-end SMT solver like Z3 [25]. Note that the value computed in each iteration of each loop in Fig. 1(a) is data-dependent on previous iterations of the respective loops. Hence, none of these loops can be trivially translated to a set of parallel assignments.
Invariant-based techniques, viz. [13,16,23,7,14,30,2,19], are popularly used to reason about array manipulating programs. If we were to prove the assertion in Fig. 1(a) using such techniques, it would be necessary to use appropriate loop-specific invariants for each of the three loops in Fig. 1(a) [9][10][11][12]. Unfortunately, automatically deriving such quantified non-linear loop invariants is far from trivial. Template-based invariant generators, viz. [12,9], are among the best-performers when generating such complex invariants. However, their abilities are fundamentally limited by the set of templates from which they choose. We therefore choose not to depend on invariants for individual loops in our work at all. Instead of inducting over the iterations of each individual loop, we propose to reason about the entire program (containing one or more loops) directly, while inducting on the parameter N . Needless to say, each approach has its own strengths and limitations, and the right choice always depends on the problem at hand. Our experiments show that full-program induction is able to solve several difficult problem instances with an off-the-shelf SMT solver (Z3) at the back-end, which other techniques either fail to solve these instances, or rely on sophisticated recurrence solvers.
The primary contributions of our work can be summarized as follows.
-We introduce the notion of full-program induction for reasoning about assertions in programs with loops manipulating arrays. -We present practical algorithms for full-program induction.
-We describe a prototype tool Vajra that implements the algorithms, using an off-the-shelf SMT solver, viz. Z3, at the back-end to discharge verification conditions. Vajra outperforms several state-of-the-art tools on a suite of array-manipulating benchmark programs.
Related Work. Earlier work on inductive techniques can be broadly categorized into those that require loop-specific invariants to be provided or automatically generated, and those that work without them. Requiring a "good" inductive invariant for every loop in a program effectively shifts the onus of assertion checking to that of invariant generation. Among techniques that do not require explicit inductive invariants or mid-conditions for each loop, there are some that require loop invariants to be implicitly generated by a constraint solver. These include techniques based on constrained Horn clause solving [21,15,10,24], acceleration and lazy interpolation for arrays [1] and those that use inductively defined predicates and recurrence solving [26,17], among others. Thanks to the impressive capabilities of modern constraint solvers and the effectiveness of carefully tuned heuristics for stringing together multiple solvers, this approach has shown a lot of promise in recent years. However, at a fundamental level, these formulations rely on solving implicitly specified loop invariants garbed as constraint solving problems. There are yet other techniques, such as that in [28], that truly do not depend on loop invariants being generated. In fact, the technique of [28] comes closest to our work in principle. However, [28] imposes severe restrictions on the input programs, and the example in Fig. 1 does not meet these restrictions. Therefore, the technique of [28] is applicable only to a small part of the program-assertion space over which our technique works. Techniques such as tiling [4] reason one loop at a time and apply only when loops have simple data dependencies across iterations (called non-interference of tiles in [4]). It effectively uses a slice of the post-condition of a loop as an inductive invariant, and also requires strong enough mid-conditions to be generated in the case of sequentially composed loops. We circumvent all of these requirements in the current work. For some other techniques for analyzing array manipulating programs, please see [7,19,18].

Overview of Full-program Induction
Recall that our objective is to check the validity of the parameterized Hoare triple We rely on an important, yet reasonable, assumption that can be stated as follows: For every value of N (> 0), every loop in P N can be statically unrolled a fixed number (say f (N )) of times to yield a loop-free program P N that is semantically equivalent to P N . Note that this does not imply that reasoning about loops can be translated into loop-free reasoning. In general, f (N ) is a non-constant function, and hence, the number of unrollings of loops in P N may strongly depend on N . In our experience, loops in a vast majority of array manipulating programs (including Fig. 1(a)) satisfy the above assumption. Consequently, the base case of our induction reduces to checking a Hoare triple for a loop-free program. Checking such a Hoare triple is easily achieved by compiling the pre-condition, program and post-condition into an SMT formula, whose (un)satisfiability can be checked with an off-the-shelf back-end SMT solver.
The inductive step is the most complex one, and is the focus of the rest of the paper. Recall that the inductive hypothesis asserts that {ϕ(N −1)} P N −1 {ψ(N − 1)} is valid. To make use of this hypothesis in the inductive step, we must relate the validity of {ϕ(N )} P N {ψ(N )} to that of {ϕ(N − 1)} P N −1 {ψ(N − 1)}. We propose doing this, whenever possible, via two key notions -that of "difference" program and "difference" pre-condition. Given a parameterized program P N , intuitively the "difference" program ∂P N is one such that P N −1 ; ∂P N is semantically equivalent to P N , where ";" denotes sequential composition. It turns out that for our purposes, the semantic equivalence alluded to above is not really necessary; it suffices to have ∂P N such that {ϕ(N )} P N {ψ(N )} is valid iff {ϕ(N )} P N −1 ; ∂P N {ψ(N )} is valid. We will henceforth use this interpretation of a "difference" program. The "difference" pre-condition ∂ϕ(N ) is a formula such that (i) ϕ(N ) → (ϕ(N − 1) ∧ ∂ϕ(N )) and (ii) the execution of P N −1 doesn't affect the truth of ∂ϕ(N ). Computing ∂P N and ∂ϕ(N ) is not easy in general, and we discuss this in detail in the rest of the paper.
Assuming we have ∂P N and ∂ϕ(N ) with the properties stated above, the proof obligation {ϕ(N )} P N {ψ(N )} can now be reduced to proving {ϕ(N − 1)} P N −1 {ψ(N − 1)} and {ψ(N − 1) ∧ ∂ϕ(N )} ∂P N {ψ(N )}. The first triple follows from the inductive hypothesis. Proving the second triple may require strengthening the pre-condition, say by a formula Pre(N − 1), in general. Recalling that we are in the inductive step of mathematical induction, we formulate the new proof sub-goal in such a case as {(ψ(N − 1) ∧ Pre(N − 1)) ∧ ∂ϕ(N )} ∂P N {ψ(N ) ∧ Pre(N )}. While this is somewhat reminiscent of loop invariants, observe that Pre(N ) is not really a loop-specific invariant. Instead, it is analogous to computing an invariant for the entire program, possibly containing multiple loops. Specifically, the above process strengthens both the preand post-condition of {ψ(N − 1) ∧ ∂ϕ(N )} ∂P N {ψ(N )} simultaneously using Pre(N − 1) and Pre(N ), respectively. The strengthened post-condition of the resulting Hoare triple may, in turn, require a new pre-condition Pre ′ (N − 1) to be satisfied. This process of strengthening the pre-and post-conditions of the Hoare triple involving ∂P N can be iterated until a fix-point is reached, i.e. no further pre-conditions are needed for the parameterized Hoare triple to hold. While the fix-point was quickly reached for all benchmarks we experimented with, we also discuss how to handle cases where the above process may not converge easily. Note that since we effectively strengthen the pre-condition of the Hoare triple in the inductive step, for the overall induction to go through, it is also necessary to check that the strengthened assertions hold at the end of each base case check. The technique described above is called full-program induction, and the following theorem guarantees its soundness. Then

Algorithms for Full-program Induction
We now discuss the full-program induction algorithm, focusing on generation of three crucial components: difference program ∂P N , difference pre-condition ∂ϕ(N ), and the formula Pre(N ) for strengthening pre-and post-conditions.

Preliminaries
We consider array manipulating programs generated by the grammar shown below (adapted from [4]).
This grammar restricts programs to have non-nested loops. While this limits the set of programs to which our technique currently applies, there is a large class of useful programs, with possibly long sequences of loops, that are included in the scope of our work. In reality, our technique also applies to a subclass of programs with nested loops. However, characterizing this class of programs through a grammar is a bit unwieldy, and we avoid doing so for reasons of clarity. A program P N is a tuple (V, L, A, PB, N ), where V is a set of scalar variables, L ⊆ V is a set of scalar loop counter variables, A is a set of array variables, PB is the program body, and N is a special symbol denoting a positive integer parameter. In the grammar shown above, we assume A ∈ A, v ∈ V \L, ℓ ∈ L and c ∈ Z. Furthermore, "relop" is assumed to be one of the relational operators and "op"is an arithmetic operator from the set {+, -, *, /}. We also assume that each loop L has a unique loop counter variable ℓ which is initialized at the beginning of L and is incremented by 1 at the end of each iteration. Assignments in the body of L are assumed not to update ℓ. Finally, for each loop with termination condition ℓ < E, we assume that E is an expression in terms of N . We denote by k L (N ) the number of times loop L iterates in the program with parameter N . We verify Hoare triples of the form {ϕ(N )} P N {ψ(N )}, where ϕ(N ) and ψ(N ) are either universally quantified formulas of the form ∀I (Φ(I, N ) =⇒ Ψ (A, V, I, N )) or quantifier-free formulas of the form Ξ(A, V, N ). In the above, I is a sequence of array index variables, Φ is a quantifier-free formula in the theory of arithmetic over integers, and Ψ and Ξ are quantifier-free formulas in the combined theory of arrays and arithmetic over integers.
Static single assignment (SSA) [27] is a well-known technique for renaming scalar variables such that a variable is written at most once in a program. For our purposes, we also wish to rename arrays so that each loop updates its own version of an array and multiple writes to an array element within the same loop happen on different versions of the array. Array SSA [20] renaming has been studied earlier in the context of compilers to achieve this goal. We propose using SSA renaming for both scalars and arrays as a pre-processing step of our analysis. Therefore, we assume henceforth that the input program is SSA renamed (for both scalars and arrays). We also assume that the post-condition is expressed in terms of these SSA renamed scalar and array variables.
We represent a program using a control flow graph G = (Locs, Edges, µ), where Locs denotes the set of control locations (nodes) of the program, Edges ⊆ Locs×Locs×{tt, ff , U} represents the flow of control and µ : Locs → AssignSt ∪ BoolE annotates every node in Locs with either an assignment statement (of the form v := E or A[E] := E) from the set of assignment statements AssignSt, or a Boolean condition. Two distinguished control locations, called Start and End in Locs, represent the entry and exit points of the program. An edge (n 1 , n 2 , label) represents flow of control from n 1 to n 2 without any other intervening node. It is labeled tt or ff if µ(n 1 ) is a Boolean condition, and is labeled U otherwise. If µ(n 1 ) is a Boolean condition, there are two outgoing edges from n 1 , labeled tt and ff respectively, and control flows from n 1 to n 2 along (n 1 , n 2 , label) only if µ(n 1 ) evaluates to label. If µ(n 1 ) is an assignment statement, there is a single outgoing edge from n 1 , and it is labeled U. Henceforth, we use CFG to refer to the control flow graph.
A CFG may have cycles due to the presence of loops in the program. A backedge of a loop is an edge from the node corresponding to the last statement in the loop body to the node representing the loop head. An exit-edge is an edge from the loop head to a node outside the loop body. An incoming-edge is an edge to the loop head from a node outside the loop body. We assume that every loop has exactly one back-edge, one incoming-edge and one exit-edge. For technical reasons, and without loss of generality, we also assume that the exit-edge of a loop always goes to a "nop" node (say, having a statement x = x;).
Given a program, the program dependence graph (or PDG) G = (V, DE, CE) represents data and control dependencies among program statements. Here, V denotes vertices representing assignment statements and boolean expressions, DE ⊆ V × V denotes data dependence edges and CE ⊆ V × V denotes control dependence edges. Standard dataflow analysis identifies dependencies between program variables and thereby among statements. Dependence between statements updating array elements requires a more careful analysis. Let S 1 and S 2 be two statements in loops L 1 and L 2 where there is a control-flow path from where f is an array index expression, i 1 is the loop counter variable of L 1 , and F is an arbitrary expression. Suppose S 2 is of the form X = G(A[g(i 2 , N )]);, where X is a variable or array element, G is an arbitrary expression, and g is an array index expression.
The routine ComputeRefinedPDG shown in Algorithm 1 constructs and refines the program dependence graph G = (V, DE, CE) for the input program P N . It uses the function ConstructPDG (line 1) based on the technique of [11] to create an initial graph. For a node n in G, let def (n) and uses(n) refer to the set of variables/array elements defined and used, respectively, in the statement/boolean expression corresponding to n. Similarly, let subscript (v, n) refer to the index expression of the array element v referred to at node n. Predicate is-array(v) evaluates to true if v is an array element and false if v is a

8:
if n ′ is part of a loop L ′ then 9: ℓ ′ := loop counter of L ′ ;

4:
Let kL(N ) be the expression for iteration count of L in P p N ;

6:
if peelCount is non-constant then throw "Failed to peel non-constant number of iterations";

7:
P p N , Locs ′ := PeelSingleLoop(P p N , L, kL(N − 1), peelCount); ⊲ Transforms loop L so that last peelCount iterations of L are peeled/unrolled. Updated CFG and newly created CFG nodes for the peeled iterations are returned by PeelSingleLoop.

Core Modules in the Technique
Peeling the Loops. To relate P N to P N −1 , we first ensure that the corresponding loops in both programs iterate the same number of times by peeling extra iterations from the loops in P N . This is done by routine PeelAllLoops shown in Algorithm 2. The algorithm first makes a copy, viz. P p N , of the input CFG P N . Let Loops(P p N ) denote the set of loops of P p N , and let k L (N ) and k L (N − 1) denote the number of times loop L iterates in P p N and P p N −1 respectively. The difference k L (N ) − k L (N − 1), computed in line 5, gives the extra iterations of loop L in P p N . If this difference is not a constant, we currently report a failure of our technique (line 6). Otherwise, routine PeelSingleLoop transforms loop L of P p N as follows: it replaces the termination condition (ℓ < k L (N )) of L by (ℓ < k L (N − 1)). It also peels (or unrolls) the last (k L (N ) − k L (N − 1)) iterations of L and adds control flow edges such that the the peeled iterations are executed immediately after the loop body is iterated k L (N − 1) times. Effectively, PeelSingleLoop unrolls/peels the last (k L (N ) − k L (N − 1)) iterations of loop L in P p N . The transformed CFG is returned as the updated P p N in line 7. In addition, PeelSingleLoop also returns the set Locs ′ of all CFG nodes newly added while peeling the loop L. The overall updated CFG and the set of all peeled nodes obtained after peeling all loops in P p N is returned in line 9. Remove a node n from WorkList;

14:
if v ∈ AffectedVars ∧ n is a assignment node then

16:
if v ∈ AffectedVars ∧ n is a predicate node then 17: for each edge (n, n ′ ) ∈ CE do

18:
AffectedVars := AffectedVars ∪ def (n ′ ); 19: until AffectedVars does not change 20: return AffectedVars; Affected Variable Analysis. Before we discuss the generation of ∂P N , we present an analysis that identifies variables/array elements that may take different values in P N and P N −1 . For example, the first k L (N − 1) iterations of L in P N may not be semantically equivalent to the (entire) k L (N − 1) iterations of L in P N −1 . This is because the semantics of statements in L may depend on the value of N either directly or indirectly. We call variables/array elements updated in such statements as affected variables. For every loop with statements having potentially different semantics in P N and P N −1 , the difference program ∂P N must have a version of the loop with statements that restore the effect of the first k L (N − 1) iterations of L in P N after the (entire) k L (N − 1) iterations of L in P N −1 have been executed. Furthermore, for statements in P N that are not enclosed within loops but have potentially different semantics from the corresponding statements in P N −1 , ∂P N must also rectify the values of variables/array elements updated in such statements.
Subroutine ComputeAffected, shown in Algorithm 3, computes the set of affected variables P N . We first construct the program dependence graph by calling the function ComputeRefinedPDG (line 1) defined in Algorithm 1. Let AffectedVars represent the set of affected variables/array elements. We initialize it (line 2) with variable N since its value is different in P N and P N −1 . For a node n in the PDG G, we use reaching -def (v, n) to refer to the set of nodes where the variable/array element v is defined and the definition reaches its use at node n. In line 4, we collect nodes in the graph that are not the ones peeled from loops in P N . The loop in lines 5-18 iterates over the collected nodes to identify affected variables. If a variable in the index expression of an array access is affected then that array element is considered affected (lines [7][8]. A definition at a node n is affected (marked in line 11) if any variable v used in the statement (checked in line 9) is defined in a peeled node (line 10). Similarly if the reaching definition of v is affected (line 12) the definition at n is affected (line 13). A variable defined in terms of an affected variable is also deemed to be affected (lines [14][15]. Finally, a variable definition that is control dependent on an affected variable is also considered affected (lines [16][17][18]. The computation of affected variables is iterated until the set AffectedVars saturates. Lemma 2. Variables/Array elements not present in AffectedVars have the same value after k L (N − 1) iterations of its enclosing loop (if any) in P N −1 as in P N .
Generating the Difference Program ∂P N . The routine ProgramDiff in Algorithm 4 shows how the difference program is computed. We peel each loop in the program and collect the list of peeled nodes (line 1) using Algorithm 2. We then compute the set of affected variables (line 2) using Algorithm 3. The difference program ∂P N inherits the skeletal structure of the program P N after peeling each loop (line 4). The algorithm then traverses the CFG of each loop in P N and removes the loops (lines 16-17) that do not update any affected variables from ∂P N . For every CFG node in other loops, it determines the corresponding node type (assignment or branch) and acts accordingly (lines 7-14). To explain the intuition behind the steps of this algorithm, we use the convention that all variables and arrays of P N −1 have the suffix Nm1 (for N-minus-1), while those of P N have the suffix N. This allows us to express variables/array elements of P N in terms of the corresponding variables/array elements of P N −1 in a systematic way in ∂P N , given that the intended composition is P N −1 ; ∂P N .
For assignment statements using simple arithmetic operators (+,-,*,/), the sub-routine AssignmentDiff in Algorithm 4 computes a "difference" statement as follows. We assume that Nodes(L) returns the set of CFG nodes in loop L. For every assignment statement of the form v = E; in L, a corresponding statement is generated in ∂P N that expresses v N in terms of v Nm1 and the difference (or ratio) between versions of variables/arrays that appear as sub-expressions in E in P N −1 and P N . There are additional kinds of statements that need special processing when generating ∂P N . These relate to accumulation of differences (or ratios). 17: v N/v Nm1 respectively. We use these optimizations aggressively in the function Simplify used in AssignmentDiff and AggregateAssignmentDiff. For every CFG node representing a conditional branch in P N , Algorithm BranchDiff is used to determine if the result of the condition check can differ in P N and P N −1 . If not, the conditional statement can be retained as such in the "difference" program. Otherwise, our current technique cannot compute ∂P N and we report a failure of our technique (see body of BranchDiff). For example, the conditional statement if (t3 == 0) in line 10 of Fig. 1(a) behaves identically in P N −1 and P N , and therefore can be used as is in the loop in the difference program. 16: return ∂P ′ N Simplifying the Difference Program. While we have described a simple strategy to generate ∂P N above, this may lead to redundant statements in the naively generated "difference" code. For example, we may have a loop like for (i=0; i < N-1; i++) A N[i] = A Nm1[i];. Our implementation aggressively optimizes and removes such redundant code, renaming variables/arrays as needed (see routine SimplifyDiff in Algorithm 5). The program ∂P N may also contain loops that compute values of variables that can be accelerated. For example, we may have a loop for(i=0; i < N-1; i++) sum = sum + 1;. Algorithm SimplifyDiff removes this loop and introduces the statement sum = sum + (N-1);. This helps in ∂P N having fewer and simpler loops in a lot of cases.  N). We now present a simple syntactic algorithm, called SyntacticDiff, for generation of the difference precondition ∂ϕ(N ). Although this suffices for all our experiments, for the sake of completeness, we present later a more sophisticated algorithm for generating ∂ϕ(N ) simultaneously with Pre(N ).
Generating the Formula Pre(N − 1). We use Dijsktra's weakest pre-condition computation to obtain Pre(N −1) after the "difference" pre-condition ∂ϕ(N ) and the "difference" program ∂P N have been generated. The weakest pre-condition  Fig. 1(a). The difference program of ∂P N is, however, loop-free, and hence the recursive invocation of full-program induction on ∂P N easily succeeds.

5:
(c) PN−1 does not update any variable or array element in ∂ϕ ′ i (N )

11
: Generalized FPI Algorithm. While algorithm FPIVerify suffices for all of our experiments, we may not always be so lucky. Specifically, even if ∂P N is loopfree, the analysis may exit the loop in lines 9-18 of FPIVerify by violating the base case check in line 18. To handle (at least partly) such cases, we propose the following strategy. Whenever a (weakest) pre-condition Pre i (N − 1) is generated, instead of using it directly to strengthen the current pre-and post-conditions, we "decompose" it into two formulas Pre ′ i (N − 1) and ∂ϕ ′ i (N ) with a two-fold intent: (a) potentially weaken Pre i (N − 1) to Pre ′ i (N − 1), and (b) potentially strengthen the difference formula ∂ϕ(N ) to ∂ϕ ′ i (N ) ∧ ∂ϕ(N ). The checks for these intended usages of Pre ′ i (N − 1) and ∂ϕ ′ i (N ) are implemented in lines 3, 4, 5, 11 and 17 of routine FPIDecomposeVerify, shown as Algorithm 7. This routine is meant to be invoked as FPIDecomposeVerify(i) after each iteration of the loop in lines 9-18 of routine FPIVerify (so that Pre i (N ), c Pre i (N ) etc. are initialized properly). In general, several "decompositions" of Pre i (N ) may be possible, and some of them may work better than others. FPIDecomp-seVerify permits multiple decompositions to be tried through the use of the NextDecomposition and HasNextDecomposition functions. Lines 22-25 of FPIDecomposeVerify implement a simple back-tracking strategy, allowing a search of the space of decompositions of Pre i (N − 1). Observe that when we use FPIDecomposeVerify, we simultaneously compute a difference formula (∂ϕ ′ i (N ) ∧ ∂ϕ(N )) and an inductive pre-condition (c Pre i−1 (N ) ∧ Pre ′ i (N )).
Lemma 5. Algorithms FPIVerify and FPIDecomposeVerify ensure conditions 2 and 3 of Theorem 1 upon successful termination.
While we have presented our technique focusing on a single symbolic parameter N , a straightforward extension works for multiple independent parameters, multiple independent array sizes, different induction directions, and non-uniform loop termination conditions. For more details, please refer to the long version of our paper at [3].
Limitations. There are several scenarios under which full-program induction may not produce a conclusive result. Currently, we only analyze programs with non-nested loops with +, −, ×, ÷ expressions in assignments. We also do not handle branch conditions that are dependent on the parameter N (this doesn't include loop conditions, which are handled by unrolling the loop). The technique also remains inconclusive when the difference program ∂P N does not have fewer loops than the original program. Reduction in verification complexity of the program, in terms of the number of loops and assignment statements dependent on N , is crucial to the success of full-program induction. Finally, our technique may fail to verify a correct program if the heuristics used for weakest pre-condition either fail or return a pre-condition that causes violation of the base case check in line 18 of FPIVerify. Despite these limitations, our experiments show that full-program induction performs remarkably well on a large suite of benchmarks.

Implementation and Experiments
We have implemented our technique in a prototype tool called Vajra, available at [5]. It takes a C program in SVCOMP format as input. The tool, written in C++, is built on top of the LLVM/CLANG [22] 6.0.0 compiler infrastructure and uses Z3 [25] v4.8.7 as the SMT solver to prove Hoare triples for loop-free programs.
We have evaluated Vajra on a test-suite of 42 safe benchmarks inspired from different algebraic functions that compute polynomials as well as a standard array operations such as copy, min, max and compare. Our programs take a symbolic parameter N which specifies the size of each array as well as the number of times each loop executes. Assertions, possibly quantified, are (in-)equalities over array elements, scalars and (non-)linear polynomial terms over N .
Vajra verified 17 benchmarks on which VIAP diverged, primarily due to the inability of VIAP's heuristics to get closed form expressions. VIAP verified 4 benchmarks that could not be verified by the current version of Vajra due to syntactic limiations. Vajra, however, is two orders of magnitude faster than VIAP on programs that were verified by both. Vajra proved 28 benchmarks on which VeriAbs diverged. VeriAbs ran out of time on programs where loop shrinking and merging abstractions were not strong enough to prove the assertions. VeriAbs reported 1 program as unsafe due to the imprecision of its abstractions and it proved 4 benchmarks that Vajra could not. Vajra verified 30 benchmarks that Booster could not. Booster reported 4 benchmarks as unsafe due to imprecise abstractions, its fixed-point computation engine reported unknown result on 12 benchmarks and it ended abruptly on 3 benchmarks. Booster also proved 2 benchmarks that couldn't be handled by the current version of Vajra due to syntactic limitations. Vajra verified 32 benchmarks on which Vaphor was inconclusive. Distinguished cell abstraction in Vaphor is unable to prove safety of programs, when the value at each array index needs to be tracked. Vaphor reported 9 programs unsafe due to imprecise abstraction, returned unknown on 2 programs and ended abruptly on 1 program. Vaphor proved a benchmark that Vajra could not. Vajra verified 32 programs on which FreqHorn diverged, especially when constants and terms that appear in the inductive invariant are not syntactically present in the program. FreqHorn ran out of time on 22 programs, reported unknown result on 12 and ended abruptly on 3 benchmarks. FreqHorn verified a benchmark with a single loop that Vajra could not. On an extended set of 231 benchmarks, Vajra verified 110 programs out of 121 safe programs, falsified 108 out of 110 unsafe programs, and was inconclusive on the remaining 13 programs.

Conclusion
We presented a novel property-driven verification method that performs induction over the entire program via parameter N . Significantly, this obviates the need for loop-specific invariants. Experiments show that full-program induction performs remarkably well vis-a-vis state-of-the-art tools for analyzing array manipulating programs. Further improvements in the algorithms for computing difference programs and for strengthening of pre-and post-conditions are envisaged as part of future work.