research-article

Loop invariants: Analysis, classification, and examples

Authors:
Carlo A. Furia

ETH Zurich, Zurich, Switzerland

ETH Zurich, Zurich, Switzerland
View Profile

,
Bertrand Meyer

ETH Zurich, ITMO St. Petersburg, and Eiffel Software, Zurich, Switzerland

ETH Zurich, ITMO St. Petersburg, and Eiffel Software, Zurich, Switzerland
View Profile

,
Sergey Velder

ITMO St. Petersburg, Saint Petersburg, Russia

ITMO St. Petersburg, Saint Petersburg, Russia
View Profile

Authors Info & Claims

ACM Computing Surveys Volume 46 Issue 3Article No.: 34pp 1–51https://doi.org/10.1145/2506375

Published:01 January 2014Publication History

ACM Computing Surveys

Abstract

Software verification has emerged as a key concern for ensuring the continued progress of information technology. Full verification generally requires, as a crucial step, equipping each loop with a “loop invariant.” Beyond their role in verification, loop invariants help program understanding by providing fundamental insights into the nature of algorithms. In practice, finding sound and useful invariants remains a challenge. Fortunately, many invariants seem intuitively to exhibit a common flavor. Understanding these fundamental invariant patterns could therefore provide help for understanding and verifying a large variety of programs.

We performed a systematic identification, validation, and classification of loop invariants over a range of fundamental algorithms from diverse areas of computer science. This article analyzes the patterns, as uncovered in this study, governing how invariants are derived from postconditions; it proposes a taxonomy of invariants according to these patterns; and it presents its application to the algorithms reviewed. The discussion also shows the need for high-level specifications based on “domain theory.” It describes how the invariants and the corresponding algorithms have been mechanically verified using an automated program prover; the proof source files are available. The contributions also include suggestions for invariant inference and for model-based specification.

References

Samson Abramsky and Achim Jung. 1994. Domain theory. In Handbook of Logic in Computer Science III, S. Abramsky, D. M. Gabbay, and T. S. E. Maibaum (Eds.). Oxford University Press. Google ScholarDigital Library
Dirk Beyer, Thomas A. Henzinger, Rupak Majumdar, and Andrey Rybalchenko. 2007. Invariant synthesis for combined theories. In Proceedings of the 8th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI’07), Byron Cook and Andreas Podelski (Eds.), Lecture Notes in Computer Science, vol. 4349. Springer, 378--394. Google ScholarDigital Library
Bruno Blanchet, Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne, Antoine Miné, David Monniaux, and Xavier Rival. 2003. A static analyzer for large safety-critical software. In Proceedings of the 2003 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’03). ACM, 196--207. Google ScholarDigital Library
Joshua Bloch. 2006. Extra, Extra -- Read all about it: Nearly all binary searches and mergesorts are broken. http://googleresearch.blogspot.ch/2006/06/extra-extra-read-all-about-it -nearly.html. (2006).Google Scholar
Marius Bozga, Peter Habermehl, Radu Iosif, Filip Konečný, and Tomáš Vojnar. 2009. Automatic verification of integer array programs. In Proceedings of the 21st International Conference on Computer Aided Verification (CAV’09), Ahmed Bouajjani and Oded Maler (Eds.), Lecture Notes in Computer Science, vol. 5643. Springer, 157--172. Google ScholarDigital Library
Aaron R. Bradley and Zohar Manna. 2007. The Calculus of Computation. Springer.Google Scholar
Aaron R. Bradley, Zohar Manna, and Henny B. Sipma. 2006. What’s decidable about arrays&quest; In Proceedings of the 7th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI’06), E. Allen Emerson and Kedar S. Namjoshi (Eds.), Lecture Notes in Computer Science, vol. 3855. Springer, 427--442. Google ScholarDigital Library
Bruno Buchberger. 2006. Mathematical theory exploration. In Proceedings of the 3rd International Conference on Automated Reasoning (IJCAR'66). Lecture Notes in Computer Science, vol. 4130. Springer, 1--2. Google ScholarDigital Library
Bor-Yuh Evan Chang and K. Rustan M. Leino. 2005. Abstract Interpretation with alien expressions and heap structures. In Proceedings of the 6th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI’05), Radhia Cousot (Ed.), Lecture Notes in Computer Science Series, vol. 3385. Springer, 147--163. Google ScholarDigital Library
Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. 1999. Model Checking. MIT Press. Google ScholarDigital Library
Michael Colón, Sriram Sankaranarayanan, and Henny Sipma. 2003. Linear invariant generation using non-linear constraint solving. In Proceedings of the 15th International Conference on Computer Aided Verification(CAV’03), Jr. Warren A. Hunt and Fabio Somenzi (Eds.), Lecture Notes in Computer Science, vol. 2725. Springer, 420--432.Google ScholarCross Ref
Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Clifford Stein. 2009. Introduction to Algorithms (3rd ed.). MIT Press. Google ScholarDigital Library
Patrick Cousot and Radhia Cousot. 1977. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of the 4th Annual ACM Symposium on Principles of Programming Languages (POPL’77). 238--252. Google ScholarDigital Library
Patrick Cousot and Nicolas Halbwachs. 1978. Automatic discovery of linear restraints among variables of a program. In Proceedings of the 5th Annual ACM Symposium on Principles of Programming Languages (POPL’78). 84--96. Google ScholarDigital Library
Christoph Csallner, Nikolai Tillman, and Yannis Smaragdakis. 2008. DySy: Dynamic symbolic execution for invariant inference. In Proceedings of the 30th International Conference on Software Engineering (ICSE’08), Wilhelm Schäfer, Matthew B. Dwyer, and Volker Gruhn (Eds.). ACM, 281--290. Google ScholarDigital Library
Guido de Caso, Diego Garbervetsky, and Daniel Gorín. 2009. Reducing the number of annotations in a verification-oriented imperative language. In Proceedings of Automatic Program Verification.Google Scholar
Edsger W. Dijkstra. 1976. A Discipline of Programming. Prentice Hall. Google ScholarDigital Library
Eiffel. 2006. Standard ECMA-367. Eiffel: Analysis, design and programming language. (2006).Google Scholar
Michael D. Ernst, Jake Cockrell, William G. Griswold, and David Notkin. 2001. Dynamically discovering likely program invariants to support program evolution. IEEE Transactions of Software Engineering 27, 2 (2001), 99--123. Google ScholarDigital Library
Robert W. Floyd. 1967. Assigning meanings to programs. In Mathematical Aspects of Computer Science J. T. Schwartz (Ed.), Proceedings of Symposia in Applied Mathematics Series, vol. 19. American Mathematical Society, 19--32.Google Scholar
Gordon Fraser and Andreas Zeller. 2011. Exploiting common object usage in test case generation. In Proceedings of the IEEE 4th International Conference on Software Testing, Verification and Validation (ICST’11). IEEE Computer Society, 80--89. Google ScholarDigital Library
Carlo A. Furia, Dino Mandrioli, Angelo Morzenti, and Matteo Rossi. 2012. Modeling Time in Computing. Monographs in Theoretical Computer Science. An CATCS Series. Springer. Google ScholarDigital Library
Carlo A. Furia and Bertrand Meyer. 2010. Inferring loop invariants using postconditions. In Fields of Logic and Computation: Essays Dedicated to Yuri Gurevich on the Occasion of His 70th Birthday, Andreas Blass, Nachum Dershowitz, and Wolfgang Reisig (Eds.), Lecture Notes in Computer Science Series, vol. 6300. Springer, 277--300. Google ScholarDigital Library
Michael R. Garey and David S. Johnson. 1979. Computers and Intractability: A Guide to the Theory of NP-Completeness. Freeman. Google ScholarDigital Library
Carlo Ghezzi, Andrea Mocci, and Mattia Monga. 2009. Synthesizing intensional behavior models by graph transformation. In Proceedings of the 31st International Conference on Software Engineering (ICSE’09). IEEE, 430--440. Google ScholarDigital Library
David Gries. 1981. The Science of Programming. Springer-Verlag. Google ScholarDigital Library
Neelam Gupta and Zachary V. Heidepriem. 2003. A new structural coverage criterion for dynamic detection of program invariants. In 18th IEEE International Conference on Automated Software Engineering (ASE’03). IEEE Computer Society, 49--59.Google Scholar
John Hatcliff, Gary T. Leavens, K. Rustan M. Leino, Peter Müller, and Matthew J. Parkinson. 2012. Behavioral interface specification languages. ACM Comput. Surv. 44, 3 (2012), 16. Google ScholarDigital Library
Thomas A. Henzinger, Thibaud Hottelier, Laura Kovács, and Andrei Voronkov. 2010. Invariant and type inference for matrices. In Proceedings of the 11th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI’10). Lecture Notes in Computer Science. Springer. Google ScholarDigital Library
C. A. R. Hoare. 1969. An axiomatic basis for computer programming. Commun. ACM 12, 10 (1969), 576--580. Google ScholarDigital Library
C. A. R. Hoare. 1972. Proof of correctness of data representations. Acta Inf. 1 (1972), 271--281. Google ScholarDigital Library
C. A. R. Hoare. 2003. The verifying compiler: A grand challenge for computing research. J. ACM 50, 1 (2003), 63--69. Google ScholarDigital Library
Mikoláš Janota. 2007. Assertion-based loop invariant generation. In Proceedings of the 1st International Workshop on Invariant Generation (WING’07).Google Scholar
Ranjit Jhala and Rupak Majumdar. 2009. Software model checking. Comput. Surveys 41, 4 (2009). Google ScholarDigital Library
Michael Karr. 1976. Affine relationships among variables of a program. Acta Informatica 6 (1976), 133--151. Google ScholarDigital Library
Hans Kellerer, Ulrich Pferschy, and David Pisinger. 2004. Knapsack problems. Springer.Google Scholar
Donald E. Knuth. 2011. The Art of Computer Programming (1st ed., Volumes 1--4A). Addison-Wesley. 1968--1973. Google ScholarDigital Library
Laura Kovács and Andrei Voronkov. 2009. Finding loop invariants for programs over arrays using a theorem prover. In Proceedings of the 12th International Conference on Fundamental Approaches to Software Engineering (FASE’09), Marsha Chechik and Martin Wirsing (Eds.), Lecture Notes in Computer Science Series, vol. 5503. Springer, 470--485. Google ScholarDigital Library
Daniel Kroening and Ofer Strichman. 2008. Decision Procedures: An Algorithmic Point of View. Monographs in Theoretical Computer Sciences. An EATCS Series. Springer. Google ScholarDigital Library
Shuvendu K. Lahiri, Shaz Qadeer, Juan P. Galeotti, Jan W. Voung, and Thomas Wies. 2009. Intra-module Inference. In Proceedings of the 21st International Conference on Computer Aided Verification (CAV’09), Ahmed Bouajjani and Oded Maler (Eds.), Lecture Notes in Computer Science Series, vol. 5643. Springer, 493--508. Google ScholarDigital Library
Leslie Lamport. 1977. Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering 3, 2 (1977), 125--143. Google ScholarDigital Library
Leslie Lamport. 2009. Teaching concurrency. SIGACT News 40, 1 (2009), 58--62. Google ScholarDigital Library
K. Rustan M. Leino. 2008. This is Boogie 2. (June 2008). (Manuscript KRML 178) http://research.microsoft.com/en-us/projects/boogie/.Google Scholar
Francesco Logozzo. 2004. Automatic inference of class invariants. In Proceedings of the 5th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI’04), Bernhard Steffen and Giorgio Levi (Eds.), Lecture Notes in Computer Science Series, vol. 2937. Springer, 211--222.Google ScholarCross Ref
Kurt Mehlhorn and Peter Sanders. 2008. Algorithms and Data Structures: The Basic Toolbox. Springer. Google ScholarDigital Library
Bertrand Meyer. 1980. A basis for the constructive approach to programming. In Proceedings of IFIP Congress 1980, Simon H. Lavington (Ed.). 293--298.Google Scholar
Bertrand Meyer. 1997. Object-oriented software construction (2nd ed.). Prentice Hall. Google ScholarDigital Library
Carroll Morgan. 1994. Programming from Specifications (2nd ed.). Prentice Hall. Google ScholarDigital Library
ThanhVu Nguyen, Deepak Kapur, Westley Weimer, and Stephanie Forrest. 2012. Using dynamic analysis to discover polynomial and array invariants. In Proceedings of the 34th International Conference on Software Engineering (ICSE’12). IEEE, 683--693. Google ScholarDigital Library
Susan Owicki and David Gries. 1976. An axiomatic proof technique for parallel programs. Acta Informatica 6 (1976), 319--340. Google ScholarDigital Library
Christos H. Papadimitriou. 1993. Computational Complexity. Addison-Wesley.Google Scholar
Corina S. Păsăreanu and Willem Visser. 2004. Verification of Java programs using symbolic execution and invariant generation. In Proceedings of the 11th International SPIN Workshop on Model Checking Software. Lecture Notes in Computer Science Series, vol. 2989. Springer, 164--181.Google Scholar
Jeff H. Perkings and Michael D. Ernst. 2004. Efficient incremental algorithms for dynamic detection of likely invariants. In Proceedings of the 12th ACM SIGSOFT International Symposium on Foundations of Software Engineering (SIGSOFT’04/FSE-12), Richard N. Taylor and Matthew B. Dwyer (Eds.). ACM, 23--32. Google ScholarDigital Library
André Platzer. 2010. Differential-algebraic dynamic logic for differential-algebraic programs. J. Log. Comput. 20, 1 (2010), 309--352. Google ScholarDigital Library
Nadia Polikarpova, Ilinca Ciupa, and Bertrand Meyer. 2009. A comparative study of programmer-written and automatically inferred contracts. In Proceedings of the ACM/SIGSOFT International Symposium on Software Testing and Analysis (ISSTA’09). 93--104. Google ScholarDigital Library
Alan Robinson and Andrei Voronkov (Eds.). 2001. Handbook of Automated Reasoning. Elsevier. Google ScholarDigital Library
Enric Rodríguez-Carbonell and Deepak Kapur. 2007. Generating all polynomial invariants in simple loops. Journal of Symbolic Computation 42, 4 (2007), 443--476. Google ScholarDigital Library
Sriram Sankaranarayanan, Henny Sipma, and Zohar Manna. 2004. Non-linear loop invariant generation using Gröbner bases. In Proceedings of the 31st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’04), Neil D. Jones and Xavier Leroy (Eds.). ACM, 318--329. Google ScholarDigital Library
Michael I. Shamos. 1978. Computational geometry. Ph.D.thesis Yale University. http://goo.gl/XiXNl. Google ScholarDigital Library
J. Michael Spivey. 1992. Z Notation -- a reference manual (2nd ed.). Prentice Hall International Series in Computer Science. Prentice Hall. Google ScholarDigital Library
Nikolai Tillmann, Feng Chen, and Wolfram Schulte. 2006. Discovering likely method specifications. In Proceedings of the 8th International Conference on Formal Engineering Methods (ICFEM’06). Lecture Notes in Computer Science Series, vol. 4260. 717--736. Google ScholarDigital Library
Godfried T. Toussaint. 1983. Solving geometric problems with the rotating calipers. In Proceedings of IEEE MELECON.Google Scholar
Yi Wei, Carlo A. Furia, Nikolay Kazmin, and Bertrand Meyer. 2011a. Inferring Better Contracts. In Proceedings of the 33rd International Conference on Software Engineering (ICSE’11), Richard N. Taylor, Harald Gall, and Nenad Medvidović (Eds.). ACM, 191--200. Google ScholarDigital Library
Yi Wei, Hannes Roth, Carlo A. Furia, Yu Pei, Alexander Horton, Michael Steindorfer, Martin Nordio, and Bertrand Meyer. 2011b. Stateful testing: Finding more errors in code and contracts. In Proceedings of the 26th IEEE/ACM International Conference on Automated Software Engineering (ASE’11), Perry Alexander, Corina Pasareanu, and John Hosking (Eds.). ACM, 440--443. Google ScholarDigital Library

Index Terms

Loop invariants: Analysis, classification, and examples

Recommendations

Loop Invariants: Learning to Help Teach (Abstract Only)
SIGCSE '16: Proceedings of the 47th ACM Technical Symposium on Computing Science Education

Loop invariants are a key component in developing code for verification, but many students struggle to grasp how to arrive at one that will remain true at the beginning and end of each iteration as well as be sufficiently strong to prove subsequent ...
Read More
Inferring loop invariants using postconditions
Fields of logic and computation

One of the obstacles in automatic program proving is to obtain suitable loop invariants. The invariant of a loop is a weakened form of its postcondition (the loop's goal, also known as its contract); the present work takes advantage of this observation ...
Read More
Inadequacy of computable loop invariants

Hoare logic is a widely recommended verification tool. There is, however, a problem of finding easily checkable loop invariants; it is known that decidable assertions do not suffice to verify while programs, even when the pre- and postconditions are ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in

ACM Computing Surveys Volume 46, Issue 3
January 2014
507 pages
ISSN:0360-0300
EISSN:1557-7341
DOI:10.1145/2578702
Issue’s Table of Contents

Copyright © 2014 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 1 January 2014
- Accepted: 1 July 2013
- Revised: 1 June 2013
- Received: 1 November 2012
Published in csur Volume 46, Issue 3

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Loop invariants
deductive verification
formal verification
preconditions and postconditions
Qualifiers
- research-article
- Research
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 36
  Total Citations
  View Citations
- 1,344
  Total Downloads
- Downloads (Last 12 months)100
- Downloads (Last 6 weeks)7
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Loop invariants: Analysis, classification, and examples

ACM Computing Surveys

Abstract

References

Cited By

Index Terms

Recommendations

Loop Invariants: Learning to Help Teach (Abstract Only)

Inferring loop invariants using postconditions

Inadequacy of computable loop invariants

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

Caption

Loop invariants: Analysis, classification, and examples

ACM Computing Surveys

Abstract

References

Cited By

Index Terms

Recommendations

Loop Invariants: Learning to Help Teach (Abstract Only)

Inferring loop invariants using postconditions

Inadequacy of computable loop invariants

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Share this Publication link

Share on Social Media