LoopInvGen
A data-driven tool that generates provably-sufficient loop invariants for program verification.
[LoopInvGen is the successor of our old project, PIE (now deactivated), on precondition inference.]
Installation
|
Invariant Inference
·
Batch Verification
|
Use as a Library
|
Citing LoopInvGen
·
License (MIT)
📃 Papers and Presentations
- PLDI 2016 -
Original paper on PIE (Precondition Inference Engine), the backbone of LoopInvGen
- SyGuS-COMP 2018 (a satellite event of CAV and SYNT at FLoC 2018) - Solver Presentation and Description
- SyGuS-COMP 2017 (in conjunction with CAV and SYNT 2017) - Solver Presentation and Description
🏆 Awards and Honors
- SyGuS-COMP 2018 - INV Track Winner (Presentation)
- SyGuS-COMP 2017 - INV Track Winner (Presentation and Report)
Installation
Using docker (recommended)
Note: The docker image consumes ~4GB of disk space.
We recommend running LoopInvGen within a docker container, as opposed to installing it within your host OS. Docker containers have negligible performance overhead. (See this report)
- Get
dockerfor your OS. - Pull our docker image#:
docker pull padhi/loopinvgen. - Run a container over the image:
docker run -it padhi/loopinvgen. This would give you abashshell within LoopInvGen directory.
# Alternatively, you could also build the Docker image locally:
docker build -t padhi/loopinvgen github.com/SaswatPadhi/LoopInvGenDocker also allows you to easily limit the container's memory and/or CPU usage.
# Create a LoopInvGen container with 4GB memory, no swap and 1 CPU
$ docker run -it --memory=4g --memory-swap=4g --cpus=1 padhi/loopinvgenSee the official Docker guide for more details on applying resource constraints.
Manual Installation
CLICK to reveal instructions
0. Get the required packages for your OS.
Please see the Dockerfile for the complete list of required packages
for building LoopInvGen and its dependencies.
Most of these packages are already installed on standard installations of most *nix distributions,
except, may be, these: aspcud libgmp-dev libomp-dev m4.
1. Install ocaml >= 4.04.2.
We recommend using an OCaml compiler with flambda optimizations enabled.
For example, with opam, you could:
- run
opam switch 4.07.1+flambdafor opam 1.x - run
opam switch create 4.07.1+flambdafor opam 2.x
2. opam install the dependencies.
$ opam install alcotest.0.8.5 core.v0.11.3 core_extended.v0.11.0 dune.1.7.03. Get the Z3 project.
We have tested LoopInvGen with the latest stable version of Z3 (4.8.4). You could either:
git checkout https://github.com/Z3Prover/z3.gitfor the bleeding edge version, orwget https://github.com/Z3Prover/z3/archive/z3-4.8.4.zip && unzip z3-4.8.4.zipfor the stable version
4. git clone this project, and build everything.
$ ./build_all.sh -z /PATH/TO/z3_dirThe build_all.sh script would build Z3, copy it to ./_dep/, and then build LoopInvGen.
Alternatively, you can copy a precompiled version of Z3 to ./_dep/, and simply run ./build_all.sh.
For debug builds, use the -D or --debug switch when invoking ./build_all.sh.
For future builds after any changes to the source code, you only need to run dune build.
You can configure the build profile to either debug or optimize (default),
using: dune build --profile <profile>.
Invariant Inference
Infer invariants for SyGuS-INV benchmarks by invoking LoopInvGen as:
$ ./loopinvgen.sh benchmarks/LIA/2016.SyGuS-COMP/array.sl
(define-fun inv-f ((x Int) (y Int) (z Int)) Bool (not (and (>= x 5) (not (<= y z)))))Note: LoopInvGen processes benchmarks in multiple stages.
We trap CTRL+C (SIGINT signal) to break out of the current stage,
and CTRL+\ (SIGQUIT signal) to kill LoopInvGen and with its child processes.
Inference Timeout
You may use the -t flag to run LoopInvGen with a maximum limit
on the number of seconds (wall-clock time) for which the inference algorithm may run.
$ ./loopinvgen.sh -t 8 benchmarks/LIA/2016.SyGuS-COMP/array.slFor timeout based on CPU time, you may use ulimit.
CLICK for further details
Verifying Generated Invariants
The -v switch makes LoopInvGen verify the benchmark with the generated invariant:
$ ./loopinvgen.sh -v benchmarks/LIA/2016.SyGuS-COMP/array.sl
PASSIt gives one of the following verdicts:
PASS : The generated invariant successfully verifies the benchmark.
PASS (NO SOLUTION) : The benchmark is invalid (no invariant can verify it),
and no invariant was generated.
FAIL {<vc1>;...} : The generated invariant fails to verify the VCs: vc1, vc2 etc.
where each VC is one of {pre, post, trans}.
FAIL (NO SOLUTION) : The benchmark is invalid (no invariant can verify it),
but an invariant (that is not empty/false) was generated.
[TIMEOUT] <verdict> : Invariant inference timed out.
With an empty (false) invariant, <verdict> is one of the verdicts above.
Try ./loopinvgen.sh -h for other options that allow more control over the inference process.
Batch Verification
Execute ./test_all.sh -b benchmarks/LIA to run LoopInvGen on all benchmarks in benchmarks/LIA.
The test_all.sh script invokes LoopInvGen for invariant inference,
and then verifies that the generated invariant is sufficient to prove correctness of the SyGuS benchmark.
Note: Within test_all.sh,
we trap CTRL+C (SIGINT signal) to kill the currently running benchmark,
and CTRL+\ (SIGQUIT signal) to kill the test_all.sh script with its child processes.
CLICK for further details
For each benchmark, the test_all.sh script generates one of the verdicts mentioned above, or:
[SKIPPED] <verdict> : Invariant inference was skipped for an already passing benchmark.
<verdict> is one of the PASS verdicts above.
Caching of Results
Since test_all.sh caches results from previous runs, it skips benchmarks that are known to be passing.
This may be disabled by:
- using the
-ror--rerun-passedswitch withtest_all.sh, or - deleting the previous log directory (default:
_log), or - specifying a new log directory (
-l _new_log).
Benchmarking with Other Inference Tools
test_all.sh is a generic benchmarking script that may run any invariant inference tool.
which accepts the SyGuS format. This makes it easier for us to compare various tools easily.
To use an invariant inference tool other than LoopInvGen, invoke it as:
test_all.sh -b <path/to/benchmarks> -T <path/to/tool> [-- -tool -specific -options]
Limiting Execution Time
Just like loopinvgen.sh, the test_all.sh script allows users to limit the
execution time for the invariant inference tools using the -t flag.
$ ./test_all.sh -b benchmarks/LIA -t 10Try ./test_all.sh -h for more options.
Citing LoopInvGen
@inproceedings{pldi/2016/PadhiSM,
author = {Saswat Padhi and Rahul Sharma and Todd D. Millstein},
title = {Data-Driven Precondition Inference with Learned Features},
booktitle = {Proceedings of the 37th {ACM} {SIGPLAN} Conference on Programming
Language Design and Implementation, {PLDI} 2016, Santa Barbara, CA,
USA, June 13-17, 2016},
pages = {42--56},
year = {2016},
url = {http://doi.acm.org/10.1145/2908080.2908099},
doi = {10.1145/2908080.2908099}
}
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent