Inferring Invariants with Quantifier Alternations: Taming the Search Space Explosion

We present a PDR/IC3 algorithm for finding inductive invariants with quantifier alternations. We tackle scalability issues that arise due to the large search space of quantified invariants by combining a breadth-first search strategy and a new syntactic form for quantifier-free bodies. The breadth-first strategy prevents inductive generalization from getting stuck in regions of the search space that are expensive to search and focuses instead on lemmas that are easy to discover. The new syntactic form is well-suited to lemmas with quantifier alternations by allowing both limited conjunction and disjunction in the quantifier-free body, while carefully controlling the size of the search space. Combining the breadth-first strategy with the new syntactic form results in useful inductive bias by prioritizing lemmas according to: (i) well-defined syntactic metrics for simple quantifier structures and quantifier-free bodies, and (ii) the empirically useful heuristic of preferring lemmas that are fast to discover. On a benchmark suite of primarily distributed protocols and complex Paxos variants, we demonstrate that our algorithm can solve more of the most complicated examples than state-of-the-art techniques.


Introduction
Invariant inference is a long-standing problem in formal methods, due to the desire for verified systems without the cost of manually writing invariants.For complex unbounded systems the required invariants often involve quantifiers, including quantifier alternations.For example, an invariant for a distributed system may need to quantify over an unbounded number of nodes, messages, etc.Furthermore, it may need to nest quantifiers in alternation (between ∀ and ∃) to capture the system's correctness arguments.For example, one crucial invariant of the Paxos consensus protocol is "every decision must come from a quorum of votes", i.e. ∀decision.∃quorum.∀node.node ∈ quorum ⇒ node voted for decision.We show that automatically inferring such invariants is possible for systems beyond the current state of the art by addressing several scalability issues that arise as the complexity of systems and their invariants increases.
Many recent successful invariant inference techniques, including ours, are based on PDR/IC3 [3,5].PDR/IC3 is an algorithmic framework for finding inductive invariants incrementally, rather than attempting to find the entire inductive invariant at once.PDR/IC3 progresses by building a collection of lemmas, organized into frames labeled by number of steps from the initial states, until eventually some of these lemmas form an inductive invariant.New lemmas are generated by inductive generalization, where a given (often backward reachable) state is generalized to a formula that excludes it and is inductive relative to a previous frame.Inductive generalization therefore plays a key role in PDR/IC3 implementations.Specifically, extending PDR/IC3 to a new domain of lemmas requires a suitable inductive generalization procedure.
Techniques for inductive generalization, and more broadly for generating formulas for inductive invariants, are varied, including interpolation [24], quantifier elimination [20], model-based techniques [18], and syntax guided synthesis [6,30].Almost all of these existing techniques target either quantifier-free or universally quantified invariants.While it is sometimes possible to manually transform a transition system to eliminate some of the need for quantifiers [8], doing so is difficult and requires some knowledge of the fully quantified invariant.
We present a system that can infer quantified invariants with alternations based on quantified separation, which was introduced in [19].Roughly, a separation query asks whether there is a quantified formula, a separator, that evaluates to true on a given set of models and to false on another given set of models.While [19] used separation (as a black box) to implement inductive generalization and described the first PDR/IC3 implementation that finds invariants with quantifier alternations, it did not scale to challenging protocols such as Paxos and its variants.These protocols require invariants with many symbols and quantifiers, and the search space for quantified separators explodes as the number of symbols in the vocabulary and number of quantifiers increases.In contrast, this work presents a technique that can automatically find such complex invariants.
When targeting complex invariants, there are two main challenges for inductive generalization: (i) the run time of each individual query; and (ii) overfitting, i.e., learning a lemma that eliminates the given state but does not advance the search for an inductive invariant.We tackle both problems via two strategies: the first integrates inductive generalization with separation in a breadth-first way, and the second defines a new form, k-term pDNF, for the quantifier-free Boolean structure of the separators.
Integrating quantified separation with inductive generalization enables us to effectively use a breadth-first rather than a depth-first search strategy for the quantifiers of potential separators: we search in multiple parts of the search space simultaneously rather than exhaustively exploring one region before moving to the next.Beyond enabling parallelism, and thus faster wall-clock times, this restructuring can change which solution is found by allowing easy-to-search regions to find a solution first.We find that these easier-to-find formulas generalize better (i.e., avoid overfitting).
Using k-term pDNF narrows the search space for lemmas with quantifier alternations.Universally quantified invariants can be split into universally quantified clauses by transformation into conjunctive normal form (CNF). Accordingly, most PDR/IC3 based techniques find invariants as conjunctions of possibly quantified clauses.However, invariants with quantifier alternations may require conjunction inside quantified lemmas (e.g., consider ∀x.∃y.p(y) ∧ r(x, y)).Using multiple clauses per lemma (k-clause CNF) creates a significantly larger search space, impeding scalability.Using disjunctive normal form (DNF) suffers from the same problem.We introduce k-term pDNF, a class of Boolean formulas inspired by human-written invariants that allows both limited conjunction and disjunction while keeping the search space manageable.Many of the lemmas that arise in our evaluation and would require many clauses in CNF are only 2-term pDNF.We modify separation to search for lemmas of this form, leading to a reduced search space compared to CNF or DNF, resulting in both faster inductive generalization and less overfitting.
We evaluate our technique on a benchmark suite that includes challenging distributed protocols.Inferring invariants with quantifier alternations has recently drawn significant attention, with recent works, [19,11], presenting techniques based on PDR/IC3 that find invariants with quantifier alternations but do not scale to complex protocols such as Paxos.Very recently, [14] and [12] presented enumeration-based and PDR/IC3-based techniques, respectively, which find the invariant for simple variants of Paxos, but do not scale to more complex variants.Our experiments show that our separation-based approach significantly advances the state-of-the-art, and scales to several Paxos variants which are unsolved by prior works.We also present an ablation study that investigates the individual effect of key features of our technique.
This work makes the following contributions: 1.An algorithm for inductive generalization in PDR/IC3 (Section 3) based on quantified separation that explores the search space in a parallel, breadthfirst way and thus focuses on lemmas that are easy to discover without requiring a priori knowledge of the search space.2. A syntactic form of lemmas (k-pDNF, Section 4) that is well-suited for invariants with quantifier alternations.3. A combined system (Section 5) able to infer the invariants of challenging protocols with quantifier alternations, including complex Paxos variants.4. A comprehensive evaluation (Section 6) on a large benchmark suite including complex Paxos variants, comparisons with a variety of state-of-the-art tools, and an ablation study exploring the effects of key features of our technique.

Background
We review first-order logic, quantified separation, the invariant inference problem, and PDR/IC3.
First-Order Logic.We consider formulas in many-sorted first-order logic with uninterpreted functions and equality.A signature consists of a finite set of sorts and sorted constant, relation, and function symbols.A first-order structure over a given signature consists of a universe set of sorted elements along with interpretations for each symbol.A structure is finite when its universe is finite.We use the standard definitions for term, atomic formula, literal, quantifier-free Invariant Inference.The invariant inference problem is to compute an inductive invariant for a given transition system, which shows that only safe states are reachable from the initial states.We consider a transition system to be a set of states as structures over some signature satisfying an axiom Ax, some initial states satisfying Init, a transition formula Tr which can contain primed symbols (x ′ ) representing the post-state, and safe states satisfying Safe.We define bad states as ¬Safe.We define single-state implication, written A ⇒ B, as Unsat(A∧ Ax ∧ ¬B) and two-state implication across transitions, written A ⇒ wp(B), as Unsat(A∧Ax ∧Tr ∧Ax ′ ∧¬B ′ ).An inductive invariant is a formula I satisfying: Together, (1) and (2) mean that I is satisfied by all reachable states, and (3) ensures the system is safe.We only consider invariant inference for safe systems.
PDR/IC3.PDR/IC3 is an invariant inference algorithm first developed for finite state model checking [3] and later extended to various classes of infinite-state systems.We describe PDR/IC3 as in [17].PDR/IC3 maintains frames F i as conjunctions of formulas (lemmas) representing overapproximations of the states reachable in at most i transitions from Init.Finite frames (i = 0, . . ., n) and the frame at infinity (i = ∞) satisfy: Conditions (4), (5), and (6) mean Init ⇒ F i for all i, and we ensure this by restricting frames to subsets of the prior frame, when taken as sets of lemmas.Conditions (7) and (8) say each frame is relatively inductive to the prior frame, except F ∞ which is relatively inductive to itself and thus inductive for the system.To initialize, the algorithm adds the (conjuncts of) Init and Safe as lemmas to F 0 .The algorithm then proceeds by adding lemmas to frames using either pushing or inductive generalization while respecting this meta-invariant, gradually tightening the bounds on reachability until F ∞ ⇒ Safe.We can push a lemma p ∈ F i to F i+1 , provided F i ⇒ wp(p).When a formula is pushed, the stronger F i+1 may permit us to push one or more other formulas, possibly recursively, and so we always push until a fixpoint is reached.Any mutually relatively inductive set of lemmas do not have a finite fixpoint, and we detect these sets (by checking for F i = F i+1 ) and move them to F ∞ .
If the algorithm cannot push a lemma p a beyond frame i, there is a model of ¬(F i ⇒ wp(p a )), which is a transition s → t where s ∈ F i and t |= p a .We call the pre-state s a pushing preventer of p a .To generate new lemmas, we block the pushing preventer s in F i by first recursively blocking all predecessors of s that are still in F i−1 , and then using an inductive generalization (IG) query to learn a new lemma that eliminates s.An IG query finds a formula p satisfying: If we can learn such a lemma, it can be added to F i and all previous frames, and removes at least the state s stopping p a from being pushed.Classic PDR/IC3 always chooses to block the pushing preventer of a safety property (lemma from Safe) or a predecessor thereof, but other strategies have been considered [17].The technique used to solve IG queries controls what kind of invariants we are able to discover.In this work we use separation to solve for p, which lets us infer invariants with quantifier alternations.

Breadth-First Inductive Generalization with Separation
Inductive generalization is the core of PDR/IC3, and improving it comes in two flavors: making individual queries faster, and generating better lemmas that are more general.We address both of these concerns by restructuring the search to be breadth-first rather than depth-first.We first discuss naively solving an IG query with separation (as in [19]), then present an algorithm that restructures the search in a breadth-first manner.

Naive Inductive Generalization with Separation
An IG query is solved in [19] with separation by a simple refinement loop, which performs a series of separation queries with an incrementally growing set of structure constraints.Starting with a negative constraint s for the state to block, we ask for a separator p and check if eqs. ( 10) and ( 11) hold for p using a standard SMT solver.If both hold, p is a solution to the IG query.Otherwise, the SMT solver produces a model which becomes either a positive constraint (corresponding to an initial state p violates) or an implication constraint (a transition edge that shows p is not relatively inductive to F i−1 ), respectively.
At a high level, the SAT-based algorithm for separation from [19] uses Boolean variables to encode the kind (∀/∃) and sort of each quantifier, and additional variables for the presence of each syntactically valid literal in each clause in the matrix, which is in CNF.It then translates each structure constraint into a Boolean formula over these variables such that satisfying assignments encode formulas with the correct truth value for each structure.The details of the translation to SAT are not relevant here, except a few key points: (i) separation considers each potential quantifier prefix essentially independently, (ii) complex IG queries can result in hundreds or thousands of constraints, and (iii) prefixes, as partitions of the space of possible separators, vary greatly in how quickly they can be explored.Further, with the black box approach where the prefixes are considered internally by the separation algorithm, even if the separation algorithm uses internal parallelism as suggested in [19], there is still a serialization step when a new constraint is required.As a consequence of (ii) and (iii), a significant failure mode of this naive approach is that the search becomes stuck generating more and more constraints for difficult parts of the search space that ultimately do not contain an easy-to-discover solution to the IG query.

Prefix Search at the Inductive Generalization Level
To fix the problems with the naive approach, we propose lifting the choice of prefix to the IG level, partitioning a single large separation query into a query for each prefix.Each sub-query can be explored in parallel, and each can proceed independently by querying for new constraints (using eqs.(10) and (11) as before) without serializing by waiting for other prefixes.We call this a breadthfirst search, because the algorithm can spend approximately equal time on many parts of the search space, instead of a depth-first search which exhausts all possibilities in one region before moving on to the next.When regions have greatly varying times to search, the breadth-first approach prevents expensive regions from blocking the search in cheaper regions.This improvement relies on changing the division between separation and inductive generalization: without the knowledge of the formulas (eqs.(10) and (11)) that generate constraints, the separation algorithm cannot generate new constraints on its own.
A complicating factor is that in addition to prefixes varying in difficulty, sometimes there are entire classes of prefixes that are difficult.For example, many IG queries have desirable universal-only solutions, but spend a long time searching for separators with alternations, as there are far more distinct prefixes with alternations than those with only universals.To address this problem, we define possibly overlapping sets of prefixes, called prefix categories, and ensure the algorithm spends approximately equal time searching for solutions in each category (e.g., universally quantified invariants, invariants with at most one alternation and at most one repeated sort).Within each category, we order prefixes to further bias towards likely solutions: first by smallest quantifier depth, then fewest alternations, then those that start with a universal, and finally by smallest number of existentials.

Algorithm for Inductive Generalization
We present our algorithm for IG using separation in Figure 1.Our algorithm has a fixed number N of worker threads which take prefixes from a queue subject to prefix restrictions, and perform a separation query with that prefix.Each worker thread calls next-prefix() to obtain the next prefix to consider, according to the order discussed in the previous section.To solve a prefix P , a worker performs a refinement loop as in the naive algorithm, building a set of constraints C(P ) until a solution to the IG query is discovered or separation reports UNSEP.While we take steps to make SMT queries for new constraints as fast as possible (Section 5.4), these queries are still expensive and we thus want to re-use constraints between prefixes where it is beneficial.Re-using every constraint discovered so far is not a good strategy as the cost of checking upwards of hundreds of constraints for every candidate separator is not justified by how frequently they actually constrain the search.Instead, we track a set of related constraints for a prefix P , R C (P ).We define related constraints in terms of immediate subprefixes of P , written S(P ), which are prefixes obtained by dropping exactly one quantifier from P , i.e. the quantifiers of P ′ ∈ S(P ) are a subsequence of those in P with one missing.We then define R C (P ) = ∪ P ′ ∈S(P ) C(P ′ ), i.e. the related constraints of P are all those used by immediate sub-prefixes.While S(P ) considers only immediate sub-prefixes, constraints may propagate from non-immediate sub-prefixes as the algorithm progresses.
Constraints from sub-prefixes are used because the possible separators for those queries are also possible separators for the larger prefix.Thus the set of constraints from sub-prefixes will definitely eliminate some potential separators, and in the usual case where the sub-prefixes have converged to UNSEP, will rule out an entire section of the search space.We also opportunistically make use of known constraints for the same prefix generated in prior IG queries, as long as those constraints still satisfy the current frame.
Overall, the algorithm in Figure 1 uses parallelism across prefixes to generate independent separation queries in a breadth-first way, while carefully sharing only useful constraints.From the perspective of the global search for an induc-tive invariant the algorithm introduces two forms of inductive bias: (i) explicit bias arising from controlling the order and form of prefixes (Section 3.2), and (ii) implicit bias towards formulas which are easy to discover.

k-Term Pseudo-DNF
We now consider the search space for quantifier-free matrices, and introduce a syntactic form that shrinks the search space while still allowing common invariants with quantifier alternations to be expressed.
Conjunctive and disjunctive normal forms (CNF and DNF) are formulas that consist of a conjunction of clauses (CNF) or a disjunction of cubes (DNF), where clauses and cubes are disjunctions and conjunctions of literals, respectively: For example, (a ∨ b ∨ ¬c) ∧ (b ∨ c) is in CNF and (a ∧ ¬c) ∨ (¬a ∧ b) is in DNF.We further define k-clause CNF and k-term DNF as formulas with at most k clauses and cubes, respectively.
In [19] separation is performed by finding a matrix in k-clause CNF, biasing the search by minimizing the sum of the number of quantifiers and k.We find that both CNF and DNF are not good fits for the formulas in human-written invariants.For example, consider the following formula from Paxos: To write this in CNF, we need to distribute the antecedent over the conjunction, obtaining the 3-clause formula: When written without →, this matrix has the form ¬a ∨ ¬b ∨ c ∨ (d ∧ e ∧ ¬f ), which is already in DNF.Under the k-term DNF, however, the formula requires a single-literal cube for each antecedent literal, i.e. k = 4.Because of the quantifier alternation, we cannot split this formula into cubes or clauses, and so a search over either CNF or DNF must consider a significantly larger search space.To solve these issues, we define a variant of DNF, k-term pseudo-DNF (k-pDNF), where one cube is negated, yielding as many individual literals as needed: where ℓ 1 , . . ., ℓ n are literals and c 2 , . . ., c k are cubes.
Note that 1-term pDNF is equivalent to 1-clause CNF, i.e. a single clause.2term pDNF correspond to formulas of the form (cube) → (cube).Such formulas are sufficient for all but a handful of the lemmas required for invariants in our benchmark suite.An exception is the following, which has one free literal and two cubes (so it is 3-term pDNF): For a fixed k, k-clause CNF, k-term DNF, and k-term pDNF all have the same-size search space, as the SAT query inside the separation algorithm will have one indicator variable for each possible literal in each clause or cube.The advantage of pDNF is that it can express more invariant lemmas with a small k, reducing the size of the search space while still being expressive.We can also see pDNF as a compromise between CNF and DNF, and we find that pDNF is a better fit to the matrices of invariants with quantifier alternation.

An Algorithm for Invariant Inference
We now take a step back to consider the high-level PDR/IC3 structure of our algorithm.We have described how our algorithm performs inductive generalization (Sections 3 and 4), which is the central ingredient.As in all PDR/IC3 variants, we use IG to block backward reachable states (i.e., states from which a safety violation is reachable).We next discuss blocking states that are not backward reachable as a heuristic for finding additional useful lemmas.We then discuss how we can search for formulas in the EPR logic fragment and techniques to increase the robustness of SMT solvers.Finally, we tie everything together to give a complete description of our proposed algorithm.

May-proof-obligations
In classic PDR/IC3, the choice of pushing preventer to block is always that of a safety property.[17] proposed a heuristic that in our terminology is to block the pushing preventer of other existing lemmas, under the heuristic assumption that current lemmas in lower frames are part of the final invariant but lack a supporting lemma to make them inductive.The classic blocked states are known as must-proof-obligations, as they are states that must be eliminated somehow to prove the safety property.In contrast, these heuristic states are may-proofobligations, as they may or may not be necessary to block.Our algorithm selects these lemmas at random, biased towards lemmas with smaller matrices.
To block a state, we first recursively block its predecessors in the prior frame, if they exist.For may-proof-obligations, 4 this recursion can potentially reach all the way to an initial state in F 0 , and thus proves that the entire chain of states is reachable-i.e., the states cannot be blocked.This fact shows that the original lemma is not part of any final invariant and cannot be pushed past its current frame; it also provides a positive structure constraint useful for future IG queries.

Multi-block Generalization
After an IG query blocking state s is successful, the resulting lemma p may cause the original lemma that created s to be pushed to the next frame.If not, there will be a new pushing preventer s ′ .If s ′ is in the same frame, we can ask whether there is a single IG solution formula p 1 which blocks both s and s ′ .If we can find such a p 1 , it is more likely to generalize past s and s ′ , and we should prefer p 1 .This is straightforward to do with separation: we incrementally add another negative constraint to the existing separation queries.To implement multi-block generalization, we continue an IG query if the new pushing preventer is suitable (i.e.exists and is in the same frame), accumulating as many negative constraints as we can until we do not have a suitable state or we have spent as much time as the original query.This timeout guarantees we do not spend more than half of our time on generalization, and protects us in the case that the new set of states cannot be blocked together with a simple formula.

Enforcing EPR
Effectively Propositional Reasoning (EPR, [27]) is a fragment of many-sorted first-order logic in which satisfiability is decidable and satisfiable formulas always have a finite model.The essence of EPR is to limit function symbols, both in the signature and from the Skolemization of existentials, to ensure only a finite number of ground terms can be formed.EPR ensures this property by requiring that there be no cycles in the directed graph with an edge from each domain sort to the codomain sort for every (signature and Skolem) function symbol.For example, (∀x:S.ϕ 1 ) ∨ (∃y:S.ϕ 2 ) is in EPR, but ∀x:S.∃y:S.ϕ 3 is not in EPR as the Skolem function for y introduces an edge from sort S to itself.The acyclicity requirement means that EPR is not closed under conjunction, and so is best thought of as a property of a whole SMT query rather than of individual lemmas.Despite these restrictions, EPR can be used to verify complex distributed protocols [27].
For invariant inference with PDR/IC3, the most straightforward way to enforce acyclicity is to decide a priori which edges are allowed, and to not infer lemmas with disallowed Skolem edges.In practice, enforcing EPR means simply skipping prefixes during IG queries that would create disallowed edges.Without this fixed set of allowed edges, adding a lemma to a frame may prevent a necessary lemma from being added to the frame in a later iteration, as PDR/IC3 lacks a way to remove lemmas from frames.Requiring the set of allowed edges as input is a limitation of our technique and other state-of-the-art approaches (e.g.[14]).We hope that future work expands the scope of decidable logic fragments, so that systems require less effort to model in such a fragment.It is also possible that our algorithm could be wrapped in an outer search over the possible acyclic sets of edges.
Because separation produces prenex formulas, some EPR formulas would be disallowed without additional effort (e.g. a prenex form of (∀x:S.ϕ 1 ) ∨ (∃y:S.ϕ 2 ) is ∀x:S.∃y:S.(ϕ 1 ) ∨ (ϕ 2 )).In our implementation, we added an option where  separation produces prenex formulas that may not be in EPR directly, but where the scope of the quantifiers can be pushed down into the pDNF disjunction to obtain an EPR formula.Extra SAT variables are introduced that encode whether a particular quantified variable appears in a given disjunct, and we add the constraint that the quantifiers are nested consistently and in such a way as to be free of disallowed edges.Because this makes separation queries more difficult, we only enable this mode for the single example that requires non-prenex EPR formulas.

SMT Robustness
Even with EPR restrictions, some SMT queries we generate are difficult for the SMT solvers we use (Z3 [4] and CVC55 ), sometimes taking minutes, hours, or longer.This wide variation of solving times is significant because separation, and thus IG queries, cannot make progress without a new structure constraint.We adopt several strategies to increase robustness: periodic restarts, running multiple instances of both solvers in parallel, and incremental queries.Our incremental queries send the formulas to the SMT solver one at a time, asserting a subset of the input.An UNSAT result from a subset can be returned immediately, and a SAT result can be returned if there is no un-asserted formula violated by the model.Otherwise, one of the violating formulas is asserted, and the process repeats.This process usually avoids asserting all the discovered lemmas from a frame, which significantly speeds up many of the most difficult queries, especially those with dozens of lemmas in a frame or those not in EPR.

Complete Algorithm
Figure 2 presents the pseudocode for our algorithm, which consists of two parallel tasks (learning and heuristic), each using half of the available parallelism to discharge IG queries, and pushing to fixpoint after adding any lemmas.In this listing, the to-block(ℓ) function computes the state and frame to perform an IG query in order to push ℓ (i.e. the pushing preventer of ℓ or a possibly multi-step predecessor thereof).The heuristic task additionally may find reachable states, and thus mark lemmas as bad.We cancel an IG query when it is solved by a lemma learned or pushed by another task.Our algorithm is parameterized by the logic used for inductive generalization, and thus the form of the invariant.We support universal, EPR, and full firstorder logic (FOL) modes.Universal mode restricts the matrices to clauses, and considers predecessors of superstructures when computing to-block() (as in [18]).EPR mode also takes as input the set of allowed edges.In FOL mode, there are no restrictions on the prefix.

Evaluation
We evaluate our algorithm and compare with prior approaches on a benchmark of invariant inference problems.We discuss the benchmark, our experimental setup, and the results.

Invariant Inference Benchmark
Our benchmark is composed of invariant inference problems from prior work on distributed protocols [28,27,7,26,29,2,9], written in or translated to the mypyvy tool's input language [25].Our benchmark contains a total of 30 problems (Table 1), ranging from simple (toy-consensus, firewall) to complex (stoppablepaxos-epr, bosco-3t-safety).Some problems admit invariants that are purely universal, and others use universal and existential quantifiers, with some in EPR.All our examples are safe transition systems with a known human-written invariant.

Experimental Setup
We compare our algorithm to the techniques Swiss [14], IC3PO [11,12], fol-ic3 [19], and PDR ∀ [18].We performed our experiments on a 56-thread machine with 64 GiB of RAM, with each experiment restricted to 16 hardware threads, 20GiB of RAM, and a 6 hour time limit. 6To account for noise caused by randomness in seed selection, we ran each algorithm 5 times and report the number of successes and the median time.PDR ∀ , IC3PO, and fol-ic3 are not designed to use parallelism, while Swiss and our technique make use of parallelism.For IC3PO, we use the better result from the two implementations [11] and [12], and give reported results for those we could not replicate.For our technique, we ran the tool in universal-only, EPR, or full FOL mode as appropriate.For k-pDNF, we use k = 1 for universal prefixes and k = 3 otherwise.Our implementation uses five prefix categories (universal-only mode uses only the first two): (i) universal 1 As reported in [12] on similar input. 2 With EPR push down enabled.
formulas, (ii) universal formulas with each sort appearing in at most two quantifiers, (iii) at most one quantifier alternation and each sort appearing in at most two quantifiers, (v) at most two quantifier alternations and each sort appearing in at most two quantifiers, and (vi) at most two quantifier alternations.

Results and Discussion
We present the results of our experiments in Table 1.In general, for examples that converge with both prior approaches and our technique, we match or exceed existing results, with significant performance gains for some problems such as client-server-db-ae relative to the previous separation-based approach.Along with other techniques, we solve paxos-epr and flexible-paxos-epr, which are the simplest variants of Paxos in our benchmark, but nonetheless represents a significant jump in complexity over the examples solved by the prior generation of PDR/IC3 techniques.Paxos and its variants are notable for having invariants with two quantifier alternations (∀∃∀) and a maximum quantifier depth of 6 or 7.
We uniquely solve multi-, fast-, and stoppable-paxos-epr, which add significant complexity in the number of sorts, symbols, and quantifier depth required.Due to variations in seeds and the non-determinism of parallelism, our technique was only successful in some trials, but these results nevertheless demonstrate that our technique is capable of solving these examples.Our algorithm is unable to solve vertical-paxos-epr, as this example requires a 7 quantifier formula that is very expensive for our IG solver.For universal-only examples, our algorithm is able to solve all but one of the examples7 solved by other techniques, and is able to solve one that others cannot.In some cases (e.g.consensus-forall), our solution is slower than other approaches, but on the whole our algorithm is competitive in a domain it is not specialized for.In addition, we significantly outperform the existing separation-based algorithm (fol-ic3) by solving several difficult examples (cache, paxos-forall).

Ablation Study
Table 2 presents an ablation study investigating effect of various features of our technique.The first column of Table 2 repeats the full algorithm results, and the remaining columns report the performance with various features disabled individually.The most important individual contributions come from k-pDNF To isolate the benefits of parallelism, we ran several examples in both parallel and serial mode with a proportionally larger timeout (Table 3).In both modes we use a single prefix category containing all prefixes, with the same static order over prefixes. 9Beyond the wall-clock speedup, the parallel IG algorithm affects the quality of the learned lemmas, that is, how well they generalize and avoid overfitting.To estimate the quality of generalization, we count the total number of IG queries performed by each trial and report the average over the five trials.In all examples, the parallel algorithm learns fewer lemmas overall, which suggests it generalizes better.We attribute this improved generalization to the implicit bias towards lemmas that are faster to discover.For the more complicated example (multi-paxos-epr), this difference has an impact on the success rate.

Related Work
Extensions of PDR/IC3.The PDR/IC3 [3,5] algorithm has been very influential as an invariant inference technique, first for hardware (finite state) systems and later for software (infinite state).There are multiple extensions of PDR/IC3 to infinite state systems using SMT theories [16,20].[18] extended PDR/IC3 to universally quantified first-order formulas using the model-theoretic notion of diagrams.[13] applies PDR/IC3 to find universally quantified invariants over arrays and also to manage quantifier instantiation.Another extension of PDR/IC3 for universally quantified invariants is [22], where a quantified invariant is generalized from an invariant of a bounded, finite system.This technique of generalization from a bounded system has also been extended to quantifiers with alternations [11].Recently, [30] suggested combining synthesis and PDR/IC3, but they focus on word-level hardware model checking and do not support quantifier alternations.Most of these works focus on quantifier-free or universally quantified invariants.In contrast, we address unique challenges that arise when supporting lemmas with quantifier alternations.
The original PDR/IC3 algorithm has also been extended with techniques that use different heuristic strategies to find more invariants by considering additional proof goals and collecting reachable states [15,17].Our implementation benefits from some of these heuristics, but our contribution is largely orthogonal as our focus is on inductive generalization of quantified formulas.Generating lemmas from multiple states, similar to multi-block generalization, was explored in [21].
[23] suggests a way to parallelize PDR/IC3 by combining a portfolio approach with problem partitioning and lemma sharing.Our parallelism is more tightly coupled into PDR/IC3, as we parallelize the inductive generalization procedure.
Quantified Separation.Quantified separation [19] was recently introduced as a way to find quantified invariants with quantifier alternations.While [19] introduced a way to combine separation and PDR/IC3, it has limited scalability and cannot find the invariants of complex protocols such as Paxos.Our work here is motivated by these scalability issues.In contrast to [19], our technique is able to find complex invariants by avoiding expensive but useless areas of the search space using a breadth-first strategy and a multi-dimensional inductive bias.While [19] searches for quantified lemmas in CNF, we introduce and use k-term pDNF.k-term pDNF can express the necessary lemmas of many distributed protocols more succinctly, resulting in better scalability.
Synthesis-Based Approaches to Invariant Inference.Synthesis is a common approach for automating invariant inference.ICE [10] is a framework for learning inductive invariants from positive, negative, and implication constraints.Our use of separation is similar, but it is integrated into PDR/IC3's inductive generalization, so unlike ICE we find invariants incrementally.
Enumeration-Based Approaches.Another approach is to use enumerative search, for example [6], which only supports universal quantification.Enumerative search has been extended to quantifier alternations in [14], which is able to infer the invariants of complex protocols such as some Paxos variants.

Conclusion
We have presented an algorithm for quantified invariant inference that combines separation and inductive generalization.Our algorithm uses a breadth-first strategy to avoid regions of the search space that are expensive.We also explore a new syntactic form that is well-suited for lemmas with alternations.We show via a large scale experiment that our algorithm advances the state of the art in quantified invariant inference with alternations, and finds significantly more invariants on difficult problems than prior approaches.

Table 1 .
Experimental results, giving both the median wall-clock time (seconds) of run time and the number of trials successful, out of five.If there were less than 3 successful trials, we report the slowest successful trial, indicated by (>).A dash (-) indicates all trials failed or timed out after 6 hours (21600 seconds).A blank indicates no data.

Table 2 .
Ablation study.Columns are interpreted as in Table1.

Table 3 .
Parallel vs sequential comparison.Each of 5 trials ran with 3 or 48 hour timeouts, respectively.The number of successes, and the average number of IG queries in each trial (including failed ones) are given.Using a 5-clause CNF instead of pDNF matrix (No pDNF) causes many difficult examples to fail and some (e.g., flexible-paxos-epr) to take significantly longer even when they do succeed.8Similarly,using full FOL mode instead of EPR (No EPR) leads to timeouts for all but the simplest Paxos variants.Incremental SMT queries (No Inc.SMT) make the more difficult Paxos variants, and the universal cache example, succeed much more reliably.Multiblock generalization (No Gen.) makes many problems faster or more reliable, but disabling it allows block-cache-async to succeed.