polynomial invariant generation for non-deterministic recursive … · krishnendu chatterjee ist...

Polynomial Invariant Generation forNon-deterministic Recursive ProgramsKrishnendu Chatterjee

IST AustriaKlosterneuburg, Austria

[email protected]

Hongfei FuShanghai Jiao Tong University

Shanghai, [email protected]

Amir Kafshdar GoharshadyIST Austria

Klosterneuburg, [email protected]

Ehsan Kafshdar GoharshadyFerdowsi University of Mashhad

Mashhad, [email protected]

AbstractWe consider the classical problem of invariant generationfor programs with polynomial assignments and focus onsynthesizing invariants that are a conjunction of strict poly-nomial inequalities. We present a sound and semi-completemethod based on positivstellensätze, i.e. theorems in semi-algebraic geometry that characterize positive polynomialsover a semi-algebraic set.

On the theoretical side, the worst-case complexity of ourapproach is subexponential, whereas the worst-case com-plexity of the previous complete method (Kapur, ACA 2004)is doubly-exponential. Even when restricted to linear invari-ants, the best previous complexity for complete invariantgeneration is exponential (Colón et al, CAV 2003). On thepractical side, we reduce the invariant generation problem toquadratic programming (QCLP), which is a classical optimiza-tion problem with many industrial solvers. We demonstratethe applicability of our approach by providing experimentalresults on several academic benchmarks. To the best of ourknowledge, the only previous invariant generation methodthat provides completeness guarantees for invariants consist-ing of polynomial inequalities is (Kapur, ACA 2004), whichrelies on quantifier elimination and cannot even handle toyprograms such as our running example.

CCS Concepts: • Theory of computation → Logic andverification; Invariants.

Keywords: Invariant generation, Positivstellensätze, Poly-nomial programs

1 IntroductionInvariants. An assertion at a program location that is al-ways satisfied by the variables whenever the location isreached is called an invariant. Invariants are essential formany quantitative analyses, as well as for fundamental prob-lems such as proving termination [15, 41, 43, 59]. Invariantgeneration is a classical problem in verification and program-ming languages, and has been studied for decades, e.g. forsafety and liveness analysis [23, 25, 55].

Inductive Invariants.An inductive assertion is an assertionthat holds at a location for the first visit to it and is preservedunder every cyclic execution path to and from the location.Inductive assertions are guaranteed to be invariants, and thewell-established method to prove an assertion is an invariantis to find an inductive invariant that strengthens it [19, 55].

Abstract Interpretation. One technique to find inductiveinvariants is abstract interpretation [25], which is primar-ily a theory of semantic approximations. It has been usedfor invariant generation by computing least fixed points ofabstractions of the collecting semantics, but it guaranteescompleteness only for rare special cases [36].

Linear vs Polynomial Invariants. For linear invariantgeneration over programs with linear updates, a sound andcomplete methodology was obtained by [19]. We considerprograms with polynomial updates and the problem of gen-erating polynomial invariants, i.e. invariants that are a con-junction of polynomial inequalities over program variables.Hence, our setting is more general than [19] in terms of theprograms we analyze, and also the desired invariants. Theonly previous approach that provides completeness for thisproblem is [50]. However, it has doubly-exponential com-plexity and is not practically applicable even to toy programs.Conversely, efficient but incomplete methods were proposedin [31, 52, 53]. Polynomial invariants are more desirable thanlinear invariants for a variety of reasons. First, there aremany cases, such as the benchmarks in [65] and programs inreinforcement learning [82], where linear assertions are notenough and verification goals require higher-degree polyno-mial inequalities. Second, even when the desired assertionsare linear, they might not be provable by means of a linearinductive invariant, i.e. the inductivity might require non-linearity. Finally, many programs have polynomial assign-ments and guards. For such programs, even when lookingfor linear inductive invariants, our approach is the first ap-plicable method with completeness guarantees.

arX

iv:1

902.

0437

3v3

[cs

.LO

] 6

Apr

202

0

Krishnendu Chatterjee, Hongfei Fu, Amir Kafshdar Goharshady, and Ehsan Kafshdar Goharshady

Motivation for Polynomial Invariants. Given that poly-nomial invariants provide greater expressiveness in compar-ison with linear invariants, they improve solutions to manyclassical problems, such as the following:• Safety Verification. This is one of the most well-studiedmodel checking problems: Given a program and a set ofsafety assertions that must hold at specific points of theprogram, prove that the assertions hold or report thatthey might be violated by the program. Many existingapproaches for safety verification rely on invariants toprove the desired assertions (see [3, 5, 55, 62]). In thesecases, weak invariants can lead to an increase in falsepositives, i.e. if the supplied invariants are inaccurate andgrossly overestimate the program’s behavior, then the veri-fier might falsely infer that a true assertion can be violated.• Termination Analysis. A principal approach in provingtermination of programs is to synthesize ranking func-tions [33]. Virtually all synthesis algorithms for rankingfunctions depend on invariants, e.g. [10, 17, 20]. Havinginaccurate invariants, such as linear instead of polynomial,can lead to a failure in the synthesis and hence inabil-ity to prove termination. The same point also applies totermination analysis of probabilistic programs [12, 48, 78].• Inferring Complexity Bounds. Another fundamental prob-lem is to find automated algorithms that infer asymptoticcomplexity bounds on the runtime of (recursive) programs.Current algorithms for tackling this problem, such as [15],rely heavily on invariants and their accuracy. Inaccurate in-variants can lead to an over-approximation of complexityor even failure to synthesize any complexity bound.

These points not only justify the use of polynomial invari-ants, but also the need for completeness guarantees. Previousstate-of-the-art approaches in polynomial invariant genera-tion either lack such guarantees or have doubly-exponentialruntime and cannot be applied even to toy programs.

Our Contribution.We consider two variants of the invari-ant generation problem. Informally, the weak variant asksfor an optimal invariant w.r.t. a given objective function,while the strong variant asks for a representative set of allinvariants. Our contributions are as follows:• Soundness and Semi-completeness. We present a sound andsemi-complete method to generate polynomial invariantsfor programs with polynomial updates. Our completenessrequires a compactness condition that is satisfied by allreal-world programs (Remark 4). We also show that, us-ing the standard notions of pre and post-conditions, ourmethod can be extended to handle recursion as well.• Theoretical Complexity. We show that the worst-case com-plexity of our procedure is subexponential if we considerpolynomial invariants with rational coefficients. In com-parison, complexity of the procedure in [50] is doubly-exponential and the approach of [19], which is sound andcomplete for linear invariants, has exponential complexity,

whereas we show how to generate polynomial invariantsin subexponential time.• Practical Approach.We present a polynomial-time reduc-tion from weak invariant generation to quadratic program-ming (QCLP). Solving QCLPs is an active area of researchin optimization and there are many industrial solvers forhandling its real-world instances. Using our algorithm,practical improvements to such solvers carry over to poly-nomial invariant generation.

Hence, our main contribution is theoretical, i.e. presenting asub-exponential sound and semi-complete method for gener-ating polynomial invariants. Moreover, we also demonstratethe applicability of our approach by providing experimen-tal results on several academic examples from [65] that re-quire polynomial invariants. Unsurprisingly, we observe thatour approach is slower than previous sound but incompletemethods, so there is a trade-off between completeness andefficiency. However, we expect practical improvements insolving QCLPs to narrow the efficiency gap in the future.On the other hand, the only previous complete method, pro-posed in [50], is extremely impractical and cannot handleany of our benchmarks, not even our toy running example.

Techniqes. While the approaches of [19, 50] use Farkas’lemma and quantifier elimination to generate invariants,our technique is based on a positivstellensatz. Our methodreplaces the quantifier elimination step with either (i) analgorithm of [38] for characterizing solutions of systems ofpolynomial inequalities or (ii) a reduction to QCLP.

1.1 Related worksAutomated invariant generation has received much atten-tion in the past years, and various classes of approacheshave been proposed, including recurrence analysis [31, 49,52, 53], abstract interpretation [7, 13, 24, 57, 67], constraintsolving [16, 18, 19, 22, 28, 32, 50, 51, 54, 66, 69, 80], infer-ence [30, 39, 71], interpolation [56], symbolic execution [26],dynamic analysis [60] and learning [35].

Summary.A summary of the results of the literaturew.r.t. typesof assignments, type of generated invariants, programminglanguage features that can be handled (i.e. non-determinism,probability and recursion), soundness, completeness, andwhether the approach can handle weak/strong invariantgeneration is presented in Table 1. For approaches that areapplicable to weak/strong invariant generation, the respec-tive runtimes are also reported. Most previous methods areindeed incomparable with our approach, because they han-dle different problems, e.g. different types of programs. Wepresent the first applicable sound and semi-complete ap-proach for polynomial invariant generation. Our complexity(subexponential) is not only better than the previous doubly-exponential complexity for polynomial invariants [50], iteven beats the exponential complexity of complete methodsfor linear invariants [19].

Polynomial Invariant Generation

Approach Assignments and Guards Invariants Nondet Rec Prob Sound Complete Weak Strong

This Work Polynomial Polynomial ✓ ✓ × ✓ ✓♦ ✓QCLP

✓Subexp

[19]CAV’03 Linearc Linear ✓ × × ✓ ✓

✓Exp†

✓Exp†

[50]ACA’04 Polynomial Polynomial ✓ ✓ × ✓ ✓

✓2Exp

✓2Exp

[29]OOPSLA’13 General Linear (Presburger) ✓ ✓ × ✓ × × ×

[32]ATVA’17 Polynomial Polynomial × × ✓ ✓ ✓a ✓

Poly ×

[47]LICS’18 Linear‡ Polynomial Equalities ✓ × × ✓‡ ✓‡ × ✓‡,b

[53]POPL’18 Polynomial, Exponential, Logarithmic Polynomial, Exponential, Logarithmic ✓ ✓ × ✓ × × ×

[66]*ISSAC’04 Polynomial, Exponential Polynomial Equalities ✓ × × ✓ ✓ ✓b ✓b

[69]POPL’04 Polynomialc Polynomial Equalities ✓ × × ✓ ✓b ✓b ✓b

[31]FMCAD’15 Generald Generald ✓ ×e × ✓ × × ×

[52]PLDI’17 General General ✓ ✓ × ✓ × × ×

[28]ATVA’16 Polynomial,Without Conditional Branching Polynomial Equalities ✓ × × ✓ ✓

✓Poly

✓Poly

[49]*ISSAC’17 Polynomial‡ Polynomial Equalities ✓ × × ✓ ✓‡ ✓‡,b ✓‡,b

[1]∗SAS’15 Polynomial Polynomial × × × ✓ × × ×

♦ Semi-complete, assuming compactness (see Remark 4 and Lemma 4.8)† Generates a system of quadratic inequalities, but then applies quantifierelimination, leading to exponential runtime.‡ Treats branching conditions as non-determinism.∗ Does not support nested loops.

a Semi-completeb Uses Gröbner basis computations (super-exponential in worst-case).c Considers general transition systems instead of programs.d Handles non-linearity using linearization heuristics.e Can be extended to handle recursion (see [52]).

Table 1. Summary of approaches for invariant generation.

Recurrence Analysis. While approaches based on recur-rence analysis can derive exact invariants, they are applicableto a restricted class of programs where closed-form solutionsexist. Our approach does not require closed-form solutions.

Abstract Interpretation. This is the oldest and most clas-sical approach to invariant generation [23, 25] and has alsobeen used for generating quadratic invariants [2]. However,unlike our approach, it cannot provide completeness, ex-cept in very special cases [36]. There are efficient tools andalgorithms for invariant generation using abstract interpreta-tion [72, 73], but they focus on generating linear invariants.

Constraint Solving. Our approach falls in this category.First, we handle polynomial invariants, thus extending ap-proaches based on linear arithmetics, such as [16, 19, 28, 51].Second, we generate invariants consisting of polynomialinequalities, whereas several previous approaches synthe-size polynomial equalities [66, 69]. Third, our approach issemi-complete, thus it is more accurate than approaches withrelaxations (e.g. [22, 54]). Fourth, compared to previous com-plete approaches that solve formulas in the first-order theoryof reals (e.g. [18, 50, 80]) to generate invariants, our approachhas lower complexity, i.e. our approach is subexponential,

whereas they take exponential or doubly-exponential time.Another notable work is [82] that synthesizes barrier cer-tificates for the verification of reinforcement learning meth-ods. Compared to [82], our approach is not restricted tobarrier certificates and can handle non-convex invariants,whereas [82] relies on [6] and requires convexity.

Approaches in Dynamical Systems. Similar techniqueshave also been applied in the context of continuous andhybrid dynamical systems [9, 61, 68]. However, they ensureneither completeness nor subexponential complexity.

Comparison with [32]. Finally, we compare our approachwith the most related work, i.e. [32]. A main difference is thatour approach can find a representative set of all solutions,but [32] might miss some solutions, i.e. it only guarantees tofind at least one solution as long as the problem is feasible.In terms of techniques, [32] uses Stengle’s positivstellensatz,while we use Putinar’s positivstellensatz and the algorithmof Grigor’ev [38]. Moreover, [32] considers the class of proba-bilistic programs without non-determinism and only focuseson single probabilistic while loops, while we consider pro-grams in general form, with non-determinism and recursion,but without probability.


2 Illustrative ExampleBefore going into technical details, we first illustrate themain ideas and insights behind our approach using a verysimple example. Consider the following program:Precondition: 100 − y2 ≥ 0i f x2 − 100 ≥ 0 then

Invariant: c1 · y2 + c2 · y + c3 ≥ 0x : = y

e l seInvariant: c4 · x2 + c5 · x + c6 ≥ 0skip

f iPostcondition: c7 · x + c8 ≥ 0

There are two program variables, namely x and y. A pre-condition 100 − y2 ≥ 0 is assumed to hold at the beginningof the program, and the goal is to synthesize a postconditionand an invariant for each of the branches of the if state-ment. Moreover, a template is given for each of the desiredexpressions, e.g. inside the then branch, we are interested insynthesizing an invariant of the form c1 ·y2 + c2 ·y + c3 ≥ 0,where the ci ’s are unknown coefficients, i.e. the goal is tofind values for the ci ’s so that this expression becomes aninvariant. To do this, it suffices to synthesize values for theci ’s such that the assertion at each point of the program canbe deduced from those at its predecessors. More concretely:(i) 100 −y2 ≥ 0 ∧ x2 − 100 ≥ 0⇒ c1 ·y2 + c2 ·y + c3 ≥ 0,

i.e. the invariant should hold when we transition insidethe then branch.

(ii) 100 −y2 ≥ 0 ∧ 100 − x2 > 0⇒ c4 · x2 + c5 · x + c6 ≥ 0,i.e. the invariant should hold when we transition insidethe else branch.

(iii) c1 · y2 + c2 · y + c3 ≥ 0 ⇒ c7 · y + c8 ≥ 0, i.e. the post-condition should hold when we exit the then branch.Note that the assignment x := y is applied to the RHS.

(iv) c4 · x2 + c5 · x + c6 ≥ 0⇒ c7 · x + c8 ≥ 0, i.e. the post-condition should hold when we exit the else branch.

One ad-hocway to satisfy the constraints above is to force theRHS polynomial expression to be a nonnegative combinationof the LHS polynomials, e.g. in (i), we can set c1 = −1, c2 =

0, c3 = 100, essentially making the RHS polynomial equalto the first LHS polynomial. Similarly, in (ii), we can setc4 = −1, c5 = 0, c6 = 100. However, this cannot work for(iii). To handle this constraint, note that, without loss ofgenerality, we can add any tautology to our assumptions.For example, we know that (a · y − b)2 ≥ 0 holds for all realnumbers a and b, so we prove(a ·y −b)2 ≥ 0 ∧ c1 ·y2 + c2 ·y + c3 ≥ 0⇒ c7 ·y + c8 ≥ 0.

To solve the latter, we can simply letc7 · y + c8 = (a · y − b)2 + d · (c1 · y2 + c2 · y + c3),

where d is a nonnegative real number. Let us expand the RHSto get c7 ·y+c8 = a2 ·y2−2·a ·b ·y+b2+c1 ·d ·y2+c2 ·d ·y+c3 ·d .Note that this is an equality between two polynomials overthe variable y. These polynomials are equal iff they have the

same coefficient for each power of y, therefore this equality isequivalent to the following system:• 0 = a2 + c1 · d , i.e. the coefficients of y2 should be equal;• c7 = −2 · a · b + c2 · d , i.e. the coefficients of y are equal;• c8 = b

2 +c3 ·d , i.e. the constant factors should be the same.We can now use a quadratic programming solver, togetherwith the values we already have for c1, c2, c3 from the previ-ous steps, to obtain one possible solution, e.g. c7 = −1, c8 =

10,a = 12√

5,b =

√5,d = 1

20 . We can solve (iv) similarly.Putting everything together, we have:Precondition: 100 − y2 ≥ 0i f x2 − 100 ≥ 0 then

Invariant: −y2 + 100 ≥ 0x : = y

e l seInvariant: −x2 + 100 ≥ 0skip

f iPostcondition: 10 − x ≥ 0

To obtain this, we had to find values for ci ’s and proofsthat conditions (i)–(iv) above hold when we plug in thesevalues. The proofs for (i) and (ii) are easy, because the RHSpolynomial is already assumed to be nonnegative in the LHS.For (iii) and (iv) we had to become more creative and addsuitable tautologies to the LHS. For example, we proved (iii)

by showing that 10 −y =(

12√

5· y −

√5)2+ 1

20 ·(−y2 + 100

),

hence the assertion −y2 + 100 ≥ 0 ⇒ 10 − y ≥ 0 holds,because the RHS is a nonnegative combination of the LHS

and an always-nonnegative polynomial(

12√

5· y −

√5)2.

Our approach in this paper generalizes the simple ideasabove. Given a program, we cannot be sure about the righttemplate to use at each point, so we instead use the mostgeneral template, i.e. our template polynomials contain allpossible monomials up to a certain degree. Then, we writethe constraints that ensure these templates become a validinductive invariant (such as (i)–(iv) above). Afterwards, wehave to synthesize suitable values for the unknown coeffi-cients (ci ’s) and prove that all the required constraints hold.In general, when we want to prove a constraint of the formд1 ≥ 0,д2 ≥ 0, . . . ,дm ≥ 0 ⇒ д ≥ 0, where д and дi ’s arepolynomials, we use a technique similar to what we did forconstraint (iii) above and write д as a combination of дi ’s andsum-of-square polynomials, i.e. д = h0 +

∑mi=1 hi · дi , where

each hi is a sum of squares and hence always nonnegative.Therefore, wherever дi ’s are nonnegative, it trivially followsthat д must also be nonnegative. Hence, our approach issound. Moreover, a classical theorem in real algebraic geom-etry, called Putinar’s Positivstellensatz (Theorem 4.1), helpsus prove that our approach preserves completeness undercertain conditions, i.e. that any positive д can be written asa combination of дi ’s in the form above. Using this idea, we


⟨prog⟩ ::= ⟨func⟩ | ⟨func⟩ ⟨prog⟩⟨func⟩ ::= ⟨fname⟩ ‘(’ ⟨varlist⟩ ‘)’ ‘{’ ⟨stmtlist⟩ ‘}’⟨varlist⟩ ::= ⟨var⟩ | ⟨var⟩ ‘,’ ⟨varlist⟩⟨stmtlist⟩ ::= ⟨stmt⟩ | ⟨stmt⟩ ‘;’ ⟨stmtlist⟩⟨stmt⟩ ::= ‘skip’ | ⟨var⟩ ‘:=’ ⟨expr⟩

|‘if’ ⟨bexpr⟩ ‘then’ ⟨stmtlist⟩ ‘else’ ⟨stmtlist⟩ ‘fi’|‘if’ ‘⋆’ ‘then’ ⟨stmtlist⟩ ‘else’ ⟨stmtlist⟩ ‘fi’|‘while’ ⟨bexpr⟩ ‘do’ ⟨stmtlist⟩ ‘od’|⟨var⟩ := ⟨fname⟩ ‘(’ ⟨varlist⟩ ‘)’|‘return’ ⟨expr⟩

Figure 1. Our Syntax. See Appendix A for more details.

can translate our constraints to quadratic programming in es-sentially the same manner we handled constraint (iii) above,i.e. by equating the coefficients of corresponding terms onthe two sides of the polynomial equality. In the followingsections, we formalize and build on these simple ideas.

3 Polynomial Programs and Invariants3.1 Syntax and SemanticsWe consider non-deterministic recursive programswith poly-nomial assignments and guards. Our syntax is shown inFigure 1. The ⋆ denotes non-deterministic branching. SeeAppendix A for more details. We fix two disjoint finite sets:the set V of program variables and the set F of functions.Program Counters (Labels). We assign a unique programcounter to each statement of the program and the endpoint ofevery function. We also refer to program counters as labels.We use L to denote the set of labels. We denote the first labelin a function f by ℓfin and the label of its endpoint by ℓfout.Types of Labels. We partition the set L of labels as follows:• La : Labels of assignment, skip or return statements,• Lb : Labels of branching (if) and while-loop statements,• Lc : Labels of function call statements,• Ld : Labels of non-deterministic branching statements,• Le : Labels of the endpoints of functions.

Example 3.1. Consider the simple program in Figure 2. Thenumbers on the left are the labels and their subscripts denotetheir types. We will use this program as our running example.It contains a single function sum that takes a parametern andthen non-deterministically sums up some of the numbersbetween 1 and n and returns the summation. Our goal isto prove that the return value of sum is always less than0.5 · n2 + 0.5 · n + 1.

New Variables. For each function f ∈ F, whose headeris of the form f (v1, . . . ,vn), we define n + 1 new variablesretf , v1, . . . , vn . Informally, retf is the return value of thefunction f and each variable vi holds the value passed to thefunction f from its caller for parametervi without allowing fto change it. We define Vf

∗ := {retf ,v1, . . . ,vn , v1, . . . , vn}

sum (n ) {1a : i : = 1 ;2a : s : = 0 ;3b : while i ≤ n do4d : i f ⋆ then5a : s : = s + i

e l se6a : skip

f i ;7a : i : = i + 1

od ;8a : return s9e : }

Figure 2. A non-deterministic summation program

i←11 s←02i≤n

i≥n+13

retsum←s

8

9

4

s←s+i

567

i←i+1

★ ★

Figure 3. CFG of the Program in Example 3.1 (Figure 2)

and let Vf contain Vf∗ , and any other variable that appears

in the body of f . Similarly, Lf denotes the set of labels in f .

CFGs.We use standard control flow graphs as in [4, 15]. AControl Flow Graph (CFG) is a triple (F, L,→) where:• F is the set of functions;• the labels L form the set of vertices, and• → is a relation whose members are triples (ℓ,α , ℓ′) inwhich the source label ℓ and the target label ℓ′ are in thesame Lf , the source label is not the end of function label,i.e. ℓ , ℓfout, and α is one of the following: (i) an updatefunction α : Rf → Rf if ℓ ∈ La , or (ii) a propositionalpolynomial predicate over Vf if ℓ ∈ Lb , or (iii) ⊥ if ℓ ∈ Lc ,or (iv) ⋆ if ℓ ∈ Ld .

Intuitively, we say that a CFG (F, L,→) is the CFG of pro-gram P if (i) for each label ℓ ∈ L, the successors of ℓ in→are the labels that are in the same function as ℓ and canpossibly be executed right after ℓ, and (ii) the α ’s correspondto the behavior of the program, e.g. if (ℓ,α , ℓ′) ∈→, ℓ is anif statement and ℓ′ is the first statement in its ‘else’ part,then α should be the negation of the if condition. See [15]for more details. Note that a return statement in a functionf changes the value of the variable retf and is succeededby the endpoint label ℓfout. Figure 3 provides the CFG of Ex-ample 3.1. Our semantics are defined based on a CFG in thestandard manner. See Appendix B for details.


3.2 Invariants

Pre-conditions. A pre-condition is a function Pre mappingeach label ℓ ∈ Lf of the program to a conjunctive proposi-tional formula Pre(ℓ) :=

∧mi=0 (ei ≥ 0), where each ei is an

arithmetic expression over the set Vf of variables∗†. Intu-itively, a pre-condition specifies a set of requirements forthe runs of the program, i.e. a run of the program is validif it always respects the pre-condition, and a run that doesnot satisfy the pre-condition is considered to be invalid orimpossible and is ignored in our analysis.Post-conditions. A post-condition is a function Post thatmaps each program function f of the form f (v1, . . . ,vn) to aconjunctive propositional formula Post(f ) :=

∧mi=0 (ei > 0)

over {retf , v1, . . . , vn}. Informally, a post-condition charac-terizes the return value retf of each function f based onthe values of parameters passed to f when it was called.

Remark 1 (Strict and Non-strict Inequalities). In the def-initions above the inequalities in post-conditions are strict,whereas pre-conditions contain non-strict inequalities. Thereis a technical reason behind this choice, having to do withTheorem 4.1. Basically, Putinar’s positivstellensatz character-izes strictly positive polynomials over a closed semi-algebraicset. Therefore, this subtle difference in the definitions of preand post-conditions is necessary for our completeness result(Lemma 4.8). However, our soundness does not depend on it.

Model of Computation.We consider programs in whichvariables can have arbitrary real values. However, some ofour results only hold if the variable values are bounded. Insuch cases we explicitly mention that the result holds on“bounded reals”. The formal interpretation of this point is thatthere exists a constant value c ∈ R+ such that for every labelℓ ∈ Lf and every variable v ∈ Vf , the pre-condition Pre(ℓ)contains the inequalities −c ≤ v ≤ c . In other words, in thebounded reals model of computation, a variable overflows ifits value becomes more than c (resp. underflows if its valuebecomes less than −c), and any run containing an overflowor underflow is considered invalid. As a direct consequence,in every valid run, when we are in a function f and the valu-ation of variables is ν , we have ∥ν ∥2 ≤ c

√|Vf |. Hence, when

discussing bounded reals, we assume every pre-conditioncontains the inequality

Vf 2

2 ≤ c2 |Vf |, too.‡ Note that thisinequality is entailed by the bounds on values of individual

∗Classically, pre-conditions are only defined for the first labels of func-tions, but we allow pre-conditions for every label. This setting is strictlymore general, given that one can let Pre(ℓ) = true for every other label.

†The value of every uninitialized (non-parameter) variable v is always0 when the program reaches ℓfin. Hence, w.l.o.g. we assume that Pre(ℓfin)contains the assertions v ≥ 0 and −v ≥ 0. Similarly, we assume that forevery parameter v of f , we have the assertions v − v ≥ 0 and v − v ≥ 0in Pre(ℓfin).

‡More concretely, if Vf = {v1, v2, . . . , vn }, then the pre-conditioncontains the inequality v2

1 + v22 + . . . + v2

n ≤ c2 · n .

variables. We will later use it to satisfy the requirements ofour positivstellensatz (Theorem 4.1).Invariants. An invariant is a function Inv mapping eachlabel ℓ ∈ Lf of the program to a conjunctive propositionalformula Inv(ℓ) :=

∧mi=0 (ei > 0) over Vf , such that whenever

a valid run reaches ℓ, Inv(ℓ) is satisfied.Positivity Witnesses. Let e be an arithmetic expression onprogram variables and ϕ =

∧mi=0(ei ▷◁i 0) for ▷◁i ∈ {>, ≥},

such that for every valuation ν , we have ν |= ϕ ⇒ e(ν ) > 0.We say that a constant ϵ > 0 is a positivity witness for ew.r.t. ϕ if for every valuation ν , we have ν |= ϕ ⇒ e(ν ) > ϵ .In the sequel, we limit our focus to inequalities that havepositivity witnesses. Intuitively, this means that we considerinvariants of the form

∧mj=1(ej > 0) where the values of ej ’s

in the runs of the program cannot get arbitrarily close to 0§.Inductive Assertion Maps. An inductive assertion map fora non-recursive program is a function Indmapping each labelℓ ∈ Lf of the program to a conjunctive propositional formulaInd(ℓ) :=

∧mi=0 (ei > 0) over Vf , such that the following two

conditions hold:• Initiation. Pre(ℓfin) ⇒ Ind(ℓfin)• Consecution. In every valid transition of the program fromℓ0 to ℓ1, if Ind(ℓ0) holds at ℓ0, then Ind(ℓ1) must hold at ℓ1.Intuitively, this condition means that the inductive asser-tion map cannot be falsified by running a valid step of theexecution of the program.It is well-known that every inductive assertion map is

an invariant. So, inductive assertion maps are often calledinductive invariants, too. See Appendix C for a short proofand more formal definitions.

Example 3.2. Consider the program in Figure 2. Assumingthat we have the pre-condition n ≥ 0 at label 1, it is easyto show that for any ϵ > 0, Ind(ℓ) := (n + ϵ > 0 ∧ i +ϵ > 0 ∧ s + ϵ > 0) for all ℓ ∈ {1, . . . , 9} is an inductiveassertion map, i.e. it holds at the beginning of the programand no valid execution step falsifies it. Hence, it is also aninvariant. Moreover, using this invariant, one can prove thepost-condition retsum + ϵ > 0.

We extend the notion of inductive assertion maps to re-cursive programs using abstract paths:Abstract Paths. Informally, an abstract path is an executionpath in which all function calls are abstracted, i.e. removedand replaced with a simple transition in the parent func-tion that respects the pre and post-condition of the calledfunction. The intuition behind an abstract path is to use thepre/post-condition of a function as an over-approximation

§Note that this is a very minor restriction, in the sense that if e > 0 isan invariant, then so is e + ϵ > 0. We are unable to find invariants e > 0where e can get arbitrarily close to 0 over all valid runs of the program.However, in such cases, we can synthesize e + ϵ > 0 for any positive ϵ , aslong as e + ϵ > 0 is also part of an inductive invariant.


of its behavior, and hence avoid running the function itself.See Appendix B for a formal definition.

Example 3.3. Assume the pre and post-conditions of Ex-ample 3.2 and consider a program P whose main functionfmain calls the function sum of Figure 2. Suppose sum iscalled at label ℓ, i.e. the statement at ℓ is y := sum(x), and(ℓ,⊥, ℓ′) ∈→ . In a normal run of P , when the programreaches ℓ, control moves to sum. In contrast, in an abstractpath starting at ℓ, control directly moves to ℓ′, provided thatno variable other than y gets its value changed and that thepre-condition and post-condition are satisfied. For example,the following sequences are abstract paths:⟨⟨(fmain, ℓ,x = 3,y = 0)⟩, ⟨(fmain, ℓ′,x = 3,y = ϵ)⟩⟩⟨⟨(fmain, ℓ,x = 3,y = 1)⟩, ⟨(fmain, ℓ′,x = 3,y = 99.9)⟩⟩The latter configuration cannot happen in any valid run,

but it does not violate the conditions of an abstract path.This is because the post-condition in this example is veryweak and hence abstract paths grossly overestimate validpaths. As we will see, our algorithms synthesize strongerpost-conditions as part of the invariant generation process.Finally, the following are not abstract paths:⟨⟨(fmain, ℓ,x = −1,y = 1)⟩, ⟨(fmain, ℓ′,x = −1,y = 10)⟩⟩

Reason: It violates Pre(ℓsumin )[n ← x , n ← x]⟨⟨(fmain, ℓ,x = 1,y = 1)⟩, ⟨(fmain, ℓ′,x = 1,y = −1)⟩⟩

Reason: It violates Post(sum)[n ← x , retsum ← y]⟨⟨(fmain, ℓ,x = 3,y = 3)⟩, ⟨(fmain, ℓ′,x = 2,y = 4)⟩⟩

Reason: It changes the value of x

Recursive Inductive Invariants. Given a recursive pro-gram P and a pre-condition Pre, a recursive inductive in-variant is a pair (Post, Ind) where Post is a post-conditionand Ind is a function that maps every label ℓ ∈ Lf of theprogram to a conjunctive propositional formula Ind(ℓ) :=∧m

i=0 (ei > 0), such that the following requirements are met:• Initiation. For every function f , we havePre(ℓfin) ⇒ Ind(ℓfin).• Consecution. For every valid unit-length abstract path thattransitions from ℓ0 to ℓ1, if Ind(ℓ0) holds at ℓ0, then Ind(ℓ1)must hold at ℓ1.• Post-condition Consecution. For every valid unit-length ab-stract path that starts at ℓ0 ∈ Lf and ends at the endpointlabel ℓfout, if Ind(ℓ0) holds at ℓ0, then the post-conditionPost(f ) must hold at ℓfout.

Following an argument similar to the case of inductive in-variants, if (Post, Ind) is a recursive inductive invariant, thenInd is an invariant. See Appendix C for details.We define our synthesis problem in terms of (recursive)

inductive invariants, because the classical method for findingor verifying invariants is to consider inductive invariantsthat strengthen them [19, 55].The Invariant Synthesis Problem. Given a program P ,together with a pre-condition Pre, the invariant synthesisproblem asks for (recursive) inductive invariants of a given

form and size (e.g. linear or polynomial of a given degree).The problem can be divided into two variants:• The Strong Invariant Synthesis Problem asks for a charac-terization or a representative set of all possible invariants.• TheWeak Invariant Synthesis Problem provides an objec-tive function over the invariants (e.g. a function over thecoefficients of polynomial invariants) and asks for an in-variant that maximizes the objective function.

Motivation. There are several motives for defining bothstrong and weak invariant synthesis:• Strong invariant synthesis can be used in compositionalreasoning, e.g. having separate representations for all in-variants of programs P1, P2, . . . , Pn , an invariant for theirsequential composition P1; P2; . . . ; Pn can be derived byconsidering each part separately.• Strong invariant synthesis is computationally expensive,so in practice, weak invariant synthesis can be used toobtain invariants that are desirable (according to a givenobjective function). For example, in Section 6, we use it toprove desired assertions (partial invariants) at a few pointsof the program by synthesizing an inductive invariant thatincludes them.• Another use-case of weak invariant synthesis is to findbounds for a given expression R at some point of the pro-gram. The objective function can be set to find the tightestpossible bound. Such bounds are useful in many contexts,e.g. if R is a ranking function, then its upperbound is alsoa bound on the runtime of the program.

Polynomial Invariants. In the sequel, we consider the syn-thesis problems for polynomial invariants and pre and post-conditions, i.e. we assume that all arithmetic expressionsused in the atomic assertions are polynomials.

4 Invariants for Non-recursive ProgramsWe first provide a sound and semi-complete reduction frominductive invariants to solutions of a system of quadraticequalities. Our main tool is a theorem in real semi-algebraicgeometry called Putinar’s positivstellensatz [63]. We showthat the Strong Invariant Synthesis problem can be solved insubexponential time. We also show that the Weak InvariantSynthesis problem can be reduced to QCLP.

4.1 Mathematical Tools and LemmasThe following theorem is the main tool in our reduction:Theorem 4.1 (Putinar’s Positivstellensatz [63]). Let V bea finite set of variables and д,д1, . . . ,дm ∈ R[V ] polyno-mials over V with real coefficients. We define Π := {x ∈RV | ∀i дi (x) ≥ 0} as the set of points in which every дiis non-negative. If (i) there exists some дk s.t. the set {x ∈RV | дk (x) ≥ 0} is compact, and (ii) д(x) > 0 for all x ∈ Π,then

д = h0 +

m∑i=1

hi · дi (1)


where each polynomial hi is the sum of squares of some poly-nomials in R[V ], i.e. hi =

∑nj=0 f

2i, j for some fi, j ’s in R[V ].

Corollary 4.2 (Proof in Appendix D.1). Let V ,д,д1, . . . ,дmand Π be as above. Then д(x) > 0 for all x ∈ Π if and only if:

д = ϵ + h0 +

m∑i=1

hi · дi (2)

where ϵ > 0 is a real number and each polynomial hi is thesum of squares of some polynomials in R[V ].

Hence, Putinar’s positivstellensatz provides a characteri-zation of all polynomials д that are positive over the closedset Π. Intuitively, given a set of atomic non-negativity as-sumptions дi (x) ≥ 0, in order to find all polynomials д thatare positive under these assumptions, we only need to lookinto polynomials of form (2). Moreover, the real number ϵ in(2) serves as a positivity witness for д.

Our algorithm also relies on the following lemma:

Lemma 4.3 (Proof in Appendix D.2). Given a polynomialh ∈ R[V ] as input, the problem of deciding whether h is asum of squares, i.e. whether h can be written as

∑i f

2i for some

polynomials fi ∈ R[V ], can be reduced in polynomial time tosolving a system of quadratic equalities.

4.2 Overview of the ApproachIn this section, we provide an overview of our algorithms.The next sections go through all the details. Our algorithmsfor Strong and Weak Invariant Synthesis are very similar.They each consist of four main steps and differ only in thelast step. The steps are as follows:Step 1) First, the algorithm creates a template for the induc-tive invariant at each label. More specifically, it createspolynomial templates of the desired size and degree, butwith unknown coefficients. The goal is to synthesize val-ues for these unknown coefficients so that the templatebecomes a valid inductive invariant.

Step 2) The algorithm generates a set of constraints thatshould be satisfied by the template so as to ensure that it be-comes an inductive invariant. These constraints encode theinitiation and consecution requirements as in the definitionof inductive invariants. Moreover, they have a very specificform: each constraint consists of polynomials д1, . . . ,дmand д and encodes the requirement that for every valua-tion ν , if we have д1(ν ) ≥ 0,д2(ν ) ≥ 0, . . . ,дm(ν ) ≥ 0, thenwe must also have д(ν ) > 0.

Step 3) Exploiting the structure of the constraints generatedin the previous step, the algorithm applies Putinar’s pos-itivstellensatz to translate the constraints into quadraticequalities over the unknown coefficients.

Step 4) The algorithm uses an external solver for handlingthe system of quadratic equalities generated in the previ-ous step. In case of Strong Invariant Synthesis, the exter-nal solver would use the algorithm of [38] to provide a

representative set of all invariants. In contrast, for WeakInvariant Synthesis, the external solver is an optimizationsuite for quadratic programming (QCLP).

4.3 Strong Invariant SynthesisWe now provide a formal description of the input to ouralgorithm for Strong Invariant Synthesis and then presentdetails of every step.The StrongInvSynth Algorithm.We present an algorithmStrongInvSynth that gets the following items as its input:• A non-recursive program P which is generated by thegrammar in Figure 1,• A polynomial pre-condition Pre,• Positive integers d, n and ϒ, where d is the degree of poly-nomials in the desired inductive invariants, n is the desiredsize of the invariant generated at each label, i.e. number ofatomic assertions, and ϒ is a technical parameter to ensuresemi-completeness, which will be discussed later;

and produces a representative set of all inductive invariantsInd of the program P , such that for all ℓ ∈ L, the set Ind(ℓ)consists of n atomic assertions of degree at most d . Ouralgorithm consists of the following four steps:Step 1) Setting up templates. Let Vf = {v1,v2, . . . ,vt }and define Mf

d = {m1,m2, . . . ,mr } as the set of all monomi-als of degree at mostd over Vf , i.e.Mf

d := {∏ti=1v

αii | ∀i αi ∈

N0 ∧∑t

i=1 αi ≤ d}. At each label ℓ ∈ Lf of the program P ,the algorithm generates a template η(ℓ) :=

∧ni=1 φℓ,i where

each φℓ,i is of the form φℓ,i :=(∑r

j=1 sℓ,i, j ·mj > 0). Here,

the sℓ,i, j ’s are new unknown variables. For brevity, we callthem s-variables. Intuitively, our goal is to synthesize valuesfor s-variables such that η becomes an inductive invariant.

Example 4.4. Consider the summation program in Figure 2.We have Vsum = {n, n, i, s, retsum}. For brevity we definer := retsum. Suppose that we want to synthesize a singlequadratic assertion as the invariant at each label. In Step 1,the algorithm creates the following template for each labelℓ ∈ {1, 2, . . . , 9}:

η(ℓ) := sℓ,1,1 + sℓ,1,2 · n + sℓ,1,3 · n + sℓ,1,4 · i + sℓ,1,5 · s + sℓ,1,6 · r+sℓ,1,7 · n2 + sℓ,1,8 · n · n + sℓ,1,9 · n · i + sℓ,1,10 · n · s + sℓ,1,11 · n · r+sℓ,1,12 · n2 + sℓ,1,13 · n · i + sℓ,1,14 · n · s + sℓ,1,15 · n · r + sℓ,1,16 · i2+sℓ,1,17 · i · s + sℓ,1,18 · i · r + sℓ,1,19 · s2 + sℓ,1,20 · s · r + sℓ,1,21 · r 2 > 0.

Step 2) Setting up constraint pairs. For each transitione = (ℓ,α , ℓ′) of the CFG of P , the algorithm constructsa set Λe of constraint pairs of the form λ = (Γ,д) whereΓ =

∧mi=1 (дi ≥ 0) and д,д1, . . . ,дm are polynomials with un-

known coefficients (based on the s-variables). Intuitively, acondition pair (Γ,д) encodes the following condition:

∀ν ∈ Rf ν |= Γ ⇒ д(ν ) > 0 ≡ ∀ν ∈ RVf (∀дi ∈ Γ дi (ν ) ≥ 0) ⇒ д(ν ) > 0.


The construction is as follows (note that all computationsare done symbolically):• If ℓ ∈ La , for every polynomial д for which д > 0 appearsin η(ℓ′), the algorithm adds the condition pair (Pre(ℓ) ∧η(ℓ) ∧ (Pre(ℓ′) ◦ α),д ◦ α) to Λe . Note that α is an updatefunction that assigns a polynomial to every variable andhence the constraint pair can be computed symbolically.• If ℓ ∈ Lb , thenα is a propositional predicate. The algorithmwritesα in disjunctive normal form as α = α1∨α2∨. . .∨αa .Each αi is a conjunction of atomic assertions. For every αiand every д such that д > 0 appears in η(ℓ′), it adds thecondition pair (Pre(ℓ) ∧ η(ℓ) ∧ Pre(ℓ′) ∧ αi ,д) to Λe .• If ℓ ∈ Ld , for every д for which д > 0 appears in η(ℓ′), itadds the condition pair (Pre(ℓ) ∧ η(ℓ) ∧ Pre(ℓ′),д) to Λe .

Finally, the algorithm constructs the following set Λin:• For every polynomial д for which д > 0 appears in η(ℓfin),the algorithm constructs the constraint pair (Pre(ℓfin),д)and adds it to Λin.

Example 4.5. In the summation program of Figure 2, sup-pose that Pre(1) := (n ≥ 0) ∧ (i ≥ 0) ∧ (−i ≥ 0) ∧ (s ≥0) ∧ (−s ≥ 0) ∧ (retsum ≥ 0) ∧ (−retsum ≥ 0) ∧ (n − n ≥0) ∧ (n −n ≥ 0) and Pre(ℓ) := (1 ≥ 0) ≡ true for every ℓ , 1.Note that (n ≥ 0) is the only non-trivial assertion and all theother assertions are true by definition, given that 1 is the firststatement in sum. We provide some examples of constraintpairs generated in Step 2 of the algorithm:• 1 ∈ La and e1 = (1, [i ← 1], 2) ∈→ (see the CFG inFigure 3). Hence, we have the following constraint pair:

(Pre(1) ∧ η(1) ∧ Pre(2)[i ← 1],η(2)[i ← 1])which is symbolically computed as:

©«(n ≥ 0) ∧ (i ≥ 0) ∧ (−i ≥ 0)∧(s ≥ 0) ∧ (−s ≥ 0) ∧ (r ≥ 0)∧

(−r ≥ 0) ∧ (n − n ≥ 0) ∧ (n − n ≥ 0)∧(s1,1,1 + s1,1,2 · n + . . . + s1,1,21 · r 2 ≥ 0)

,

s2,1,1 + s2,1,2 · n + . . . + s2,1,4 + . . .+s2,1,9 · n + . . . + s2,1,13 · n + s2,1,16+

s2,1,17 · s + s2,1,18 · r + . . . + s2,1,21 · r 2

ª®¬and added to Λe1 . Note that Pre(2) is true and so ignored.• 3 ∈ Lb and e2 = (3, (n−i ≥ 0), 4) ∈→, so the constraint pair(Pre(3)∧η(3)∧Pre(4)∧ (n− i ≥ 0),η(4)) ≡ (η(3)∧ (n− i ≥0),η(4)) is symbolically computed and added to Λe2 .• 1 = ℓsumin , so the constraint pair (Pre(1),η(1)) is symboli-cally computed and added to Λin.

Step 3) Translating constraint pairs to quadratic equal-ities. LetΛ :=

⋃e ∈→ Λe∪Λin be the set of all constraint pairs

from the previous step. For each λ =(∧m

i=1 (дi ≥ 0) ,д)∈ Λ,

the algorithm takes the following actions:(i) LetV = {v1, . . . ,vt ′} be the set of all program variables

that appear in д or the дi ’s. The algorithm computes theset Mϒ = {m′1,m′2, . . . ,m′r ′} of all monomials of degree

at most ϒ over V . Note that ϒ is a technical parameterthat was supplied as part of the input.

(ii) It symbolically computes an equation of the form (2):

д = ϵ + h0 +∑m

i=1 hi · дi (†)

where ϵ is a new unknown and positive real variableand each polynomialhi is of the form

∑rj=1 ti, j ·m′j . Here,

the ti, j ’s are also new unknown variables. Intuitively,we aim to synthesize values for both t-variables and s-variables in order to ensure the polynomial equality (†).Note that both sides of (†) are polynomials in R[V ]whose coefficients are quadratic expressions over thenewly-introduced s-, t- and ϵ-variables.

(iii) The algorithm equates the coefficients of correspondingmonomials in the left and right hand sides of (†), leadingto a set of quadratic equalities over the new variables.

(iv) The algorithm computes a set of quadratic equalitieswhich are equivalent to the assertion that the hi ’s canbe written as sums of squares (Lemma 4.3).

The algorithm conjunctively compiles all the generated qua-dratic equalities into a single system. Note that this system’ssize is polynomially dependent on the number of lines in theprogram, assuming that d and ϒ are constants.

Remark 2. Based on above, the technical parameter ϒ is themaximum degree of the sum-of-squares polynomials hi in(†). More specifically, in Step 3, we are applying a specialcase of Putinar’s positivstellensatz, in which the sum-of-squarepolynomials can have a degree of at most ϒ.

Example 4.6. Consider the first constraint pair generatedin Example 4.5. The algorithm writes (†), i.e. д = ϵ + h0 +∑10

i=1 hi ·дi whereд = s2,1,1+. . .+s2,1,21 ·r 2 (the polynomial inthe second component of the constraint pair), д1 = n, д2 = i ,д3 = −i , . . . , д10 = s1,1,1 + . . . + s1,1,21 (the polynomials in thefirst component of the constraint pair) and each hi is a newlygenerated polynomial containing all possible monomials ofdegree at most ϒ, e.g. if ϒ = 2, we have hi = ti,1 + ti,2 · n +. . . + ti,21 · r 2, where each ti, j is a new unknown variable. Itthen equates the coefficients of corresponding monomialson the two sides of (†). For example, consider the monomialr 2. Its coefficient in the LHS of (†) is s2,1,21. In the RHS of (†),there are a variety of ways to obtain r 2, hence its coefficientis the sum of the following:• t0,21, i.e. the coefficient of r 2 in h0,• t6,6, i.e. the coefficient of r 2 in h6 · д6 = h6 · r ,• −t7,6, i.e. the coefficient of r 2 in h7 · д7 = h7 · (−r ),• t10,1 · s1,1,21 + t10,6 · s1,1,6 + t10,21 · s1,1,1, i.e. the coefficientof r 2 in h10 · д10.

Hence, the algorithm generates the quadratic equality s2,1,21 =

t0,21+t6,6−t7,6+t10,1 ·s1,1,21+t10,6 ·s1,1,6+t10,21 ·s1,1,1 over the s−and t−variables. The algorithm computes similar equalitiesfor every other monomial.


Step 4) Finding representative solutions. The previousstep has created a system of quadratic equalities over s-variables and other new variables. In this step, the algorithmfinds a representative set Σ of solutions to this system by call-ing an external solver. Then, for each solution σ ∈ Σ, it plugsthe values synthesized for the s-variables into the templateη to obtain an inductive invariant ησ := η[sℓ,i, j ← σ (sℓ,i, j )].The algorithm outputs I = {ησ | σ ∈ Σ}.

Remark 3 (Representative Solutions). In real algebraic ge-ometry, a standard notion for a representative set of solutionsto a polynomial system of equalities is to include one solu-tion from each connected component of the set of solutions [8].The classical algorithm for this problem is called cylindricalalgebraic decomposition and has a doubly-exponential run-time [8, 75]. However, if the coefficients are limited to rationalnumbers instead of real numbers, then a subexponential algo-rithm is provided in [38]¶. Hence, Step 4 of StrongInvSynthhas subexponential runtime in theory.

Lemma 4.7 (Soundness). Every output of StrongInvSynth isan inductive invariant. More generally, for every solutionσ ∈ Σobtained in Step 4, the function ησ := η[sℓ,i, j ← σ (sℓ,i, j )] isan inductive invariant.

Proof. The valuationσ satisfies the system of quadratic equal-ities obtained in Step 3. Hence, for every constraint pair (Γ,д) ∈Λ, д[sℓ,i, j ← σ (sℓ,i, j )] can be written in the form (†). Hence,we have σ |= (Γ,д). By definition of Step 2, this is equivalent toησ having the initiation and consecution properties and hencebeing an inductive invariant. □

We now prove our completeness result. Our approach issemi-complete for bounded reals in the sense of [14]. Con-cretely, this means that if we assume the bounded reals modelof computation (see Section 3.2), then any valid inductiveinvariant can be found by our approach so long as the techni-cal parameter ϒ is large enough. Recall that ϒ is a bound onthe degree of the sum-of-square polynomials (see Remark 2).

Lemma 4.8 (Semi-completeness with Compactness). If thepre-condition Pre satisfies the compactness condition of Theo-rem 4.1, i.e. if in every label ℓ, Pre(ℓ) contains an atomic propo-sition of the form д ≥ 0 such that the set {ν ∈ RVf | д(ν ) ≥ 0}is compact, then for every inductive invariant Ind that has theform of the template η, there exists a natural number ϒInd, suchthat for every technical parameter ϒ ≥ ϒInd, the invariant Indcorresponds to a solution of the system of quadratic equalitiesobtained in Step 3 of StrongInvSynth.

Proof. Let Ind be an inductive invariant in the form of thetemplate η. We denote the value of sℓ,i, j in Ind by σ (sℓ,i, j ).Given that Ind satisfies initiation and consecution, the valua-tion σ satisfies every constraint pair (Γ,д) generated in Step 2.

¶No tight runtime analysis is available for this algorithm, but [38]proves that its runtime is subexponential.

Each such Γ contains an assertionдi ≥ 0 s.t. {x ∈ RVf | дi (x) ≥0} is compact. Hence, by Corollary 4.2, д can be written in theform (†)∥ and for large enough ϒ, there exists a solution to thesystem that maps each sℓ,i, j to σ (sℓ,i, j ). □

Remark 4 (Bounded Reals, Compactness and Real-worldprograms). Note that in the bounded reals model of compu-tation, every pre-condition enforces that the value of everyvariable is between −c and c and also contains the polynomialinequality

Vf 2

2 ≤ c2 · |Vf | (see Section 3.2). The set of valua-tions that satisfy the latter polynomial are points in Rf whosedistance from the origin is at most a fixed amount c

√|Vf |.

Hence, this set is closed and bounded and therefore compact,and satisfies the requirement of Putinar’s positivstellensatz. So,our approach is semi-complete for bounded reals. It is worthmentioning that almost all real-world programs have boundedvariables, e.g. programs that use floating-point variables canat most store a finite number of values in each variable, hencetheir variables are always bounded. Also, note that while thecompleteness result is dependent on bounded variables, oursoundness result holds for general unbounded real variables.

Remark 5 (Non-strict inequalities). Although we consideredinvariants consisting of inequalities with positivity witnesses,i.e. invariants of the form

∧(д(x) > 0), our algorithm caneasily be extended to generate invariants with non-strict in-equalities, i.e. invariants of the form

∧(д(x) ≥ 0). To do so,it suffices to replace Equation (†) in Step 3 of the algorithmwith Equation (1), i.e. remove the ϵ-variables (positivity wit-nesses). This results in a sound, but not complete, method forgenerating non-strict polynomial invariants. Alternatively, wecan use Stengle’s positivstellensatz [74] instead of Theorem 4.1.Stengle is able to characterize non-negative polynomials aswell. Hence, using it will ensure semi-completeness even fornon-strict invariants. The downside is that, in comparison withPutinar, it leads to a much higher runtime in practice.

Remark 6 (Complexity). It is straightforward to verify thatSteps 1–3 of StrongInvSynth have polynomial runtime. Hence,our algorithm provides a polynomial reduction from the StrongInvariant Synthesis problem to the problem of finding rep-resentative solutions of a system of quadratic equalities. Asmentioned earlier, this problem is solvable in subexponentialtime [38]. Hence, the runtime of our approach is subexponential,too. Note that we consider d and ϒ to be fixed constants.

Theorem 4.9 (Strong Invariant Synthesis). Given a non-recursive program P and a pre-condition Pre that satisfies thecompactness condition, the StrongInvSynth algorithm solvesthe Strong Invariant Synthesis problem in subexponential time.This solution is sound and semi-complete.

Remark 7 (Inefficiency). Despite its subexponential runtime,the algorithm of [38] has a poor performance in practice [45].

∥Theorem 4.1 requires compactness and so does Corollary 4.2.


Hence, Theorem 4.9 can only be considered as a theoreticalcontribution and is not applicable to real-world programs.

4.4 Weak Invariant Synthesis and Practical MethodDue to the practical inefficiency mentioned in Remark 7, inthis section we focus on using a very similar approach toreduce theWeak Invariant Synthesis problem toQCLP. Giventhat there are many industrial solvers capable of handlingreal-world instances of QCLP, this reduction will provide apractical sound and semi-complete method for polynomialinvariant generation. We now provide an algorithm for theWeak Invariant Synthesis problem. This is very similar toStrongInvSynth, so we only describe the differences.TheWeakInvSynthAlgorithm.Our algorithmWeakInvSynthtakes the same set of inputs as StrongInvSynth, as well as anobjective function obj over the resulting inductive invariants.We assume that obj is a linear or quadratic polynomial overthe s-variables in the template. Intuitively, obj serves as ameasure of desirability of a synthesized invariant and thegoal is to find the most desirable invariant.The first three steps of the algorithm are the same as

StrongInvSynth. The only difference is in Step 4, whereWeakInvSynth needs to find only one solution for the com-puted system of quadratic equalities, i.e. the solution thatmaximizes obj. Hence, Step 4 is changed as follows:Step 4) Finding the optimal solution. Step 3 has gener-ated a system of quadratic equalities. In this step, the algo-rithm uses a QCLP-solver to find a solution σ of this systemthat maximizes the objective function obj. It then outputsthe inductive invariant ησ := η[sℓ,i, j ← σ (sℓ,i, j )].

Example 4.10. In Example 3.1, we mentioned that our goalis to prove that the return value of sum is less than 0.5 ·n2 +

0.5 ·n+1, i.e. we want to obtain 0.5 · n2+0.5 · n+1−r > 0 (∗)at the endpoint label 9 of sum. To do so, our algorithm callsa QCLP-solver over the system of quadratic equalities ob-tained in Example 4.6, with the objective of minimizing theEuclidean distance between the coefficients synthesized forη(9) and those of (∗). The QCLP-solver obtains a solution σ(i.e. a valuation to the new unknown s−, t− and ϵ−variables),such that η(9)[s9,i, j ← σ (s9,i, j )] = 0.5 · n2+ 0.5 · n+ 1−r > 0,hence proving the desired invariant. The complete solutionis provided in Appendix E.1.

Remark 8 (Form of the Objective Function). At first sight,the objective functions considered above might seem bizarre,given that they are functions of the unknown s-variables, i.e. thecoefficients of the invariant which should be synthesized bythe algorithm. In our view, this is a useful formulation. Inmany cases, the goal of a verification process is to prove that acertain desired invariant Inv(ℓ) holds at a specific point ℓ ofthe program. This goal can be specified as an objective functionover the s-variables. However, it does not simplify the invariantgeneration problem, because although Inv(ℓ) is given, in order

rsum (n ) {1 : i f n ≤ 0 then2 : return n

e l se3 : m : = n − 1 ;4 : s : = rsum (m ) ;5 : i f ⋆ then6 : s : = s + n

7 : e l se skip f i ;8 : return s

9 : f i }

Figure 4.A recursive non-deterministic summation program

to prove that it is an invariant, we have to find an inductiveinvariant for every other point of the program, too.

Theorem 4.11 (Weak Invariant Synthesis). Given a non-recursive program P , a pre-condition Pre that satisfies the com-pactness condition and a linear/quadratic objective functionobj, theWeakInvSynth algorithm reduces the Weak InvariantSynthesis problem to QCLP in polynomial time. This reductionis sound and semi-complete.

5 Invariants for Recursive ProgramsWe extend our algorithms to handle recursion. Recall that theonly differences between recursive and non-recursive induc-tive invariants are (i) presence of function-call statementsin recursive programs, (ii) presence of post-conditions, and(iii) the post-condition consecution requirement. We expectan invariant generation algorithm for recursive programs toalso synthesize a post-condition for every function.

Example 5.1. Consider the program in Figure 4, which is arecursive variant of the non-deterministic summation pro-gram of Figure 2. We use this program to illustrate our ap-proach for handling recursion.

TheRecStrongInvSynth andRecWeakInvSynthAlgorithms.Our algorithm for Strong (resp. Weak) Invariant Synthe-sis over a recursive program P is called RecStrongInvSynth(resp. RecWeakInvSynth). It takes the same inputs as in thenon-recursive case, except that the input program P cannow be recursive. It performs the same steps as in its non-recursive counterpart, except that the following additionalactions are taken in Steps 1 and 2:Step 1.a) Setting up a template for the post-condition.Let Mf

d = {m1,m2, . . . ,mr } be the set of all monomials ofdegree at most d over {retf , v1, . . . , vn}. The algorithm gen-erates an additional template µ(f ) :=

∧ni=1 φf ,i where each

φf ,i is of the form φf ,i :=(∑r

j=1 sf ,i, j · mj > 0)where the

sf ,i, j ’s are additional new s-variables. Intuitively, our goal isto synthesize the right value for s-variables such that (µ,η)


becomes a recursive inductive invariant. As a consequence,µ will be a post-condition and η a valid invariant.

Example 5.2. Consider the program in Figure 4 and assumethat each desired invariant/post-condition consists of a singlequadratic inequality. The algorithm generates a templateµ(rsum) for the post-condition of rsum. By definition, such apost-condition can only depend on n, i.e. the value passed forthe parameter n when rsum is called, and the return valuer := retrsum. Hence, the algorithm generates the followingtemplate: µ(rsum) := srsum,1,1 + srsum,1,2 · n + srsum,1,3 · r +srsum,1,4 · n2 + srsum,1,5 · n · r + srsum,1,6 · r 2 > 0

Step 2.a) Setting up constraint pairs at function-callstatements. For every transition e = (ℓ,⊥, ℓ′) where ℓ isa function-call statement of the form v0 := f ′(v1, . . . ,vn)calling a function with header f ′(v ′1, . . . ,v ′n), and every poly-nomial д for which д > 0 appears in η(ℓ′), the algorithmdefines a new program variable v∗0 and adds the followingconstraint pair to Λe :(

Pre(ℓ) ∧ η(ℓ) ∧ Pre(ℓf′

in)[v′i ← vi , v

′i ← vi ]∧

µ(f ′)[retf ′ ← v∗0 , v′i ← vi ] ∧ Pre(ℓ′)[v0 ← v∗0]

, д[v0 ← v∗0]),

in which ϕ[x ← y] is the result of replacing every occur-rence of x in ϕ with a y. Intuitively, v∗0 models the value ofv0 after the function call (equivalently the return value off ′)∗∗. The constraint pair above encodes the consecution re-quirement at function-call labels, i.e. it simply requires everyvalid abstract path that satisfies the invariant at ℓ to satisfyit at ℓ′, too. Note that a valid abstract path must satisfy thepost-condition and all the pre-conditions.

Example 5.3. Consider the transition e = (4,⊥, 5) in Fig-ure 4. The algorithm computes the following constraint andadds it to Λe :(

Pre(4) ∧ η(4) ∧ Pre(1)[n ←m, n ←m]∧µ(rsum)[retrsum ← s∗, n ←m] ∧ Pre(5)[s ← s∗] , η(5)[s ← s∗]

).

We now explain this constraint in detail. The purpose of thisconstraint is to enforce the consecution property in the tran-sition e from label 4 to label 5. Recall that the consecutionproperty requires that for every valid unit-length abstractpath π = ⟨(rsum, 4,ν4), (rsum, 5,ν5)⟩, we have ν4 |= η(4) ⇒ν5 |= η(5). Since the variable s is updated in line 4, we use sto denote its value before execution of the recursive call ands∗ to model its value after the function call. Hence, ν5 |= η(5)can be simply rewritten as η(5)[s ← s∗] (the second compo-nent of the above constraint). On the other hand, the firstcomponent of the constraint should encode the propertiesthat (a) ν4 |= η(4) and (b) π is a valid abstract path. The prop-erty (a) is ensured by including η(4) in the first componentof the constraint. Similarly, (b) is encoded as follows:• Pre(4) encodes the requirement ν4 |= Pre(4).

∗∗Note that v0 is the only variable in f whose value might change afterthe call to f ′. Hence, we need to distinguish between the initial value of v0and its value after the execution of f ′, which is denoted by v∗0 .

• Pre(1)[n ←m, n ←m] encodes the requirement that thefunction rsum can be called using the parameterm, i.e. thatm satisfies the pre-condition of 1 = ℓrsumin .• µ(rsum)[retrsum ← s∗, n ← m] checks that the call torsum is abstracted correctly, i.e. that the value s∗ returnedby rsum respects the post-condition µ(rsum).• Pre(5)[s ← s∗] encodes the requirement that the programshould be able to continue its execution from point 5 withthe new value of s , or equivalently ν5 |= Pre(5).

Step 2.b) Setting up constraint pairs for post-conditionconsecution. For each transition e = (ℓ,α , ℓ′) where ℓ is areturn statement and ℓ′ = ℓfout for some program functionf , the algorithm generates the following constraint pairs:• For every polynomialд such thatд > 0 appears in µ(f ), thealgorithm adds the condition pair (Pre(ℓ)∧η(ℓ)∧(Pre(ℓ′)◦α),д ◦ α) to Λe .

These constraints encode post-condition consecution.

Example 5.4. Consider transition e = (2, retrsum ← n, 9)in the program of Figure 4. The algorithm generates thefollowing constraint and adds it to Λe :

(Pre(2) ∧ η(2) ∧ Pre(9)[retrsum ← n] , µ(rsum)[retrsum ← n]) =

(Pre(2) ∧ η(2) ∧ Pre(9)[retrsum ← n] , srsum,1,1 + srsum,1,2 · n+srsum,1,3 · n + srsum,1,4 · n2 + srsum,1,5 · n · n + srsum,1,6 · n2 > 0).

This enforces the post-condition consecution requirement,i.e. that in every valid execution step going from line 2 toline 9, the post-condition µ(rsum) holds.

The soundness, completeness and complexity argumentscarry over from the non-recursive case.

Theorem 5.5 (Recursive Strong Invariant Synthesis). Givena recursive program P and a pre-condition Pre that satisfiesthe compactness condition, the RecStrongInvSynth algorithmsolves the Strong Invariant Synthesis problem in subexponen-tial time. This solution is sound and semi-complete.

Theorem 5.6 (Recursive Weak Invariant Synthesis). Givena recursive program P , a pre-condition Pre that satisfies thecompactness condition and a linear/quadratic objective func-tion obj, the RecWeakInvSynth algorithm reduces the WeakInvariant Synthesis Problem to QCLP/QCQP in polynomialtime. This reduction is sound and semi-complete.

6 Experimental ResultsImplementation. We implemented our algorithms for weakinvariant generation in Java and used LOQO [77] for solvingthe QCLPs. All results were obtained on an Intel Core i5-7200U machine with 6 GB of RAM, running Ubuntu 18.04.Previous Methods. We compare our approach against fiveprevious methods, including three widely-used tools, namelyICRA [53], SeaHorn [40], and UAutomizer [42], a state-of-the-art method using hypergeometric sequences [49], and our


own implementation of the previous method that providescompleteness guarantees for polynomial invariants [50].Technical Parameters. In our experiments, we set n to bethe maximal number of desired inequalities given at the samelabel, i.e. we used the smallest possible number of conjunctsneeded to represent the desired assertions. Similarly, we letd be the highest degree among desired inequalities in theinput and ϒ = d . Alternatively, our algorithm can be runiteratively, increasing the values of d and ϒ in a diagonalfashion, until the desired invariant is found. Moreover, wedid not bound our variables using pre-conditions.Solver Errors. Ensuring stability of the QCLP solver is anorthogonal problem. However, to gain confidence that thesoundness of our approach is not compromised by potentiallycascading numerical errors in our solver, we checked eachoutput using infinite-precision arithmetic, by plugging itback into Equation (†) in Step 3 to make sure that (i) everysynthesized strict inequality has a positivity witness of 10−9

or larger, and (ii) every instance of (†) corresponding to anequality д = 0 holds within an error margin of 10−9.

Non-recursive Results.We used the benchmarks in [65],which contain programs, pre-conditions, and the desiredpost-conditions and assertions (invariants at a few labels)that are needed for their verification. The problem is to findan inductive invariant that proves the given post-conditionsand assertions. We ignored benchmarks that contained non-polynomial assignments or pre-conditions. The results aresummarized in Table 2. Our algorithm is not complete fornon-strict invariants (Remark 5), but it successfully generatedall the desired invariants for these benchmarks.Recursive Results. Recursive results are shown in Table 3.Our recursive benchmarks can be divided in two categories:• Reinforcement Learning. We ran our approach on threeprograms from [82] which are used for safety verificationof reinforcement learning applications in cyber-physicalsystems such as Segway transporters. In these examples,the desired partial invariants are linear. However, the pro-grams themselves contain polynomial assignments andconditions of degree 4. Thus, approaches for linear invari-ant generation, such as [70], are not applicable.• Classical Examples. We considered Figure 4, and its ex-tensions to sums of squares and cubes, to show that ouralgorithm is able to synthesize invariants of higher degrees.We also considered a program that recursively computesthe largest power of 2 that is no more than a given boundx , showing that our algorithm can handle recursive invari-ants with more than one assertion at each label. Finally, wegenerated invariants for an implementation of the MergeSort algorithm that counts number of inversions in a se-quence [21]. See Appendix E.2 for details.

Runtimes.Our runtimes over these benchmarks are typicallyunder a minute, while the maximum runtime is close to10 minutes. This shows that our approach is applicable in

practice and does not suffer from the same impracticalitiesas [38], which would take years on problems of this size [45].

Comparison with Complete Approaches. Almost noneof the previous complete approaches are applicable to ourbenchmarks due to the existence of non-linear assignmentsand also because the desired invariants are polynomial in-equalities (See Table 1). The only previous complete approachthat handles polynomial programs and polynomial inequal-ities in invariants is [50]. However, it relies on quantifierelimination and is extremely inefficient. We confirmed thispoint experimentally. We generated the constraints of [50]for our benchmarks and used state-of-the-art quantifier elim-ination / SMT solver tools (Mathematica [64], QEPCAD [11]and Z3 [27]) to solve them. In all cases, the solver either didnot terminate, even when we increased the timeout to 12hours, or returned with failure. This was the case even forour simple running example (Figure 2).

Comparison with Incomplete Approaches. As is evidentin Tables 2 and 3, our approach is slower than previous soundmethods that do not provide any completeness guarantee.However, it is able to handle a strictly more general set ofbenchmarks. Specifically, there are several benchmarks, es-pecially among the recursive programs, where our approachwas the only one that could successfully prove the desiredassertions. Hence, there is currently a trade-off betweenaccuracy (completeness guarantees) and efficiency. Whilethe semi-completeness guarantee is a key novelty of ourapproach, we expect that advancements in quadratic pro-gramming, which is an active research topic in optimization,will narrow the runtime gap.

Generality and Types of Invariants. As shown in Ta-bles 2 and 3, our approach is able to synthesize polynomialinvariants of various degrees for a variety of benchmarks.None of the previous tools can handle all the benchmarks inTables 2 and 3, and there are several instances where our ap-proach is the only successful method. Moreover, we can alsosuccessfully synthesize invariants containing polynomialequalities. See Appendix E.4 for a detailed demonstration.This being said, the power of our approach becomes muchmore apparent when we consider recursive programs (Ta-ble 3). On our recursive benchmarks, every other methodfails in almost all cases. Additionally, our approach is alsoable to synthesize invariants for two or more functions thatrecursively call each other. See Appendix E.3 for a detailedexample of this. Finally, in Appendix E.5, we show a classicalprogram that approximates an irrational number using itscontinued fraction representation. This example requires in-variants of degree 5, which are beyond the reach of previousmethods. We manually tried all the methods in Table 1 andevery one of them was either not applicable to this exampleor failed to synthesize the required invariants. In contrast,our approach could easily handle this program.


Benchmark n d |V | |S | Ours ICRA SeaHorn [49] UAutomizer [50] using Z3

cohendiv 3 2 6 17391 15.2 0.7 0.1 Not Applicable 3.3 Timed Out

divbin 3 2 5 18351 5.4 Failed Timed Out 0.2 Failed Timed Out

hard 3 2 6 24975 28.0 Failed Failed 0.4 Failed Timed Out

mannadiv 3 2 5 16245 18.2 Failed 0.1 0.1 Timed Out Timed Out

wensely 2 2 7 18874 20.1 Failed Failed 0.1 Failed Timed Out

sqrt 2 2 4 4072 5.8 0.8 Failed 0.1 Timed Out Timed Out

dijkstra 2 2 5 10156 12.8 Failed Failed Not Applicable Failed Timed Out

z3sqrt 2 2 6 9404 12.9 0.5 0.1 Not Applicable Failed Timed Out

freire1 2 2 3 2432 26.5 0.6 Failed 0.1 Failed Timed Out

freire2 2 3 4 9708 10.7 1.1 Failed 0.1 Failed Timed Out

euclidex1 2 2 11 45756 97.5 Failed Failed Not Applicable Timed Out Timed Out

euclidex2 2 2 8 22468 39.3 Failed Failed 0.4 Timed Out Timed Out

euclidex3 2 2 13 72762 203.1 Failed Failed Not Applicable Timed Out Timed Out

lcm1 2 2 6 13361 17.9 0.8 0.1 Not Applicable 3.7 Timed Out

lcm2 2 2 6 12517 18.7 0.8 0.1 0.1 3.2 Timed Out

prodbin 2 2 5 10096 12.1 Failed Failed Not Applicable Timed Out Timed Out

prod4br 2 2 6 21064 43.2 Failed Failed Not Applicable Timed Out Timed Out

cohencu 2 3 5 16664 11.8 0.6 Failed 0.1 Timed Out Timed Out

petter 1 2 3 1080 20.4 0.5 0.1 0.1 2.7 Timed Out

Table 2. Experimental results over the benchmarks of [65]. |V| is number of program variables and |S| is size of the quadraticsystem, i.e. number of constraints in Step 3. Runtimes are reported in seconds. We set a time-limit of 1 hour.

Benchmark n d |V | |S | Ours ICRA SeaHorn [49] UAutomizer [50] using Z3

ReinforcementLearning

[82]

inverted-pendulum 1 3 7 9951 496.1 Failed Failed Not Applicable Failed Timed Out

strict-inverted-pendulum

4 2 7 14390 587.8 11.5 Failed Not Applicable Failed Timed Out

oscillator 1 2 7 3552 39.7 Failed Failed Not Applicable Failed Timed Out

ClassicalExamples

(Appendix E.2)

recursive-sum 1 2 3 1700 10.9 0.6 Failed Not Applicable Timed Out Timed Out

recursive-square-sum 1 3 3 1121 17.4 Failed Failed Not Applicable Failed Timed Out

recursive-cube-sum 1 4 3 15840 221.2 Failed Failed Not Applicable Failed Timed Out

pw2 2 1 3 430 5.4 0.7 0.1 Not Applicable Failed Timed Outmerge-sort 1 2 13 33002 78.1 Failed Failed Not Applicable Failed Timed Out

Table 3. Experimental results over recursive programs. The results are reported in the same manner as in Table 2.

7 ConclusionWe presented a subexponential sound and semi-completemethod to generate polynomial invariants for programs withpolynomial updates. On the practical side, we demonstratedhow to generate such invariants using QCLP. Previous meth-ods were either extremely inefficient or lacked completenessguarantees. An interesting, but non-trivial, direction of fu-ture work is to exploit special structural properties of CFGs,such as sparsity and low treewidth [76], to speed up the solu-tion of our QCLP instances. Such techniques have previouslybeen applied for solving linear programs [81] and systemsof linear equations [34], but not QCLPs.

Acknowledgments. The research was partially supportedby Austrian Science Fund (FWF) Grant No. NFN S11407-N23 (RiSE/SHiNE), Vienna Science and Technology Fund(WWTF) Project ICT15-003, National Natural Science foun-dation of China (NSFC) Grant No. 61802254, Facebook PhDFellowship Program, and DOC Fellowship No. 24956 of theAustrian Academy of Sciences (ÖAW).


References[1] Assalé Adjé, Pierre-Loïc Garoche, and Victor Magron. 2015. Property-

based polynomial invariant generation using sums-of-squares opti-mization. In SAS. 235–251.

[2] Assalé Adjé, Stéphane Gaubert, and Eric Goubault. 2010. Couplingpolicy iteration with semi-definite relaxation to compute accuratenumerical invariants in static analysis. In ESOP. 23–42.

[3] Aws Albarghouthi, Yi Li, Arie Gurfinkel, and Marsha Chechik. 2012.Ufo: A framework for abstraction-and interpolation-based softwareverification. In CAV. Springer, 672–678.

[4] Frances E Allen. 1970. Control flow analysis. In ACM Sigplan Notices,Vol. 5. ACM, 1–19.

[5] Rajeev Alur, ThaoDang, and Franjo Ivančić. 2006. Predicate abstractionfor reachability analysis of hybrid systems. ACM transactions onembedded computing systems (TECS) 5, 1 (2006), 152–199.

[6] Erling D. Andersen and Knud D. Andersen. 2018. MOSEKOptimizationSuite. (2018). https://www.mosek.com/

[7] Roberto Bagnara, Enric Rodríguez-Carbonell, and Enea Zaffanella.2005. Generation of Basic Semi-algebraic Invariants Using ConvexPolyhedra. In SAS. 19–34.

[8] Saugata Basu, Richard Pollack, and Marie-Françoise Coste-Roy. 2007.Algorithms in real algebraic geometry. Springer.

[9] Mohamed Amin Ben Sassi, Sriram Sankaranarayanan, Xin Chen, andErika Ábrahám. 2015. Linear relaxations of polynomial positivity forpolynomial lyapunov function synthesis. IMA Journal of MathematicalControl and Information 33, 3 (2015), 723–756.

[10] Aaron R Bradley, Zohar Manna, and Henny B Sipma. 2005. Linearranking with reachability. In CAV. Springer, 491–504.

[11] Christopher W Brown. [n. d.]. QEPCAD - Quantifier Eliminationby Partial Cylindrical Algebraic Decomposition. ([n. d.]). https://www.usna.edu/CS/qepcadweb/B/QEPCAD.html

[12] Aleksandar Chakarov and Sriram Sankaranarayanan. 2013. Probabilis-tic program analysis with martingales. In CAV. Springer, 511–526.

[13] Aleksandar Chakarov and Sriram Sankaranarayanan. 2014. Expecta-tion Invariants for Probabilistic Program Loops as Fixed Points. In SAS.85–100.

[14] Krishnendu Chatterjee, Hongfei Fu, and Amir Kafshdar Goharshady.2016. Termination Analysis of Probabilistic Programs Through Posi-tivstellensatz’s. In CAV. 3–22.

[15] Krishnendu Chatterjee, Hongfei Fu, and Amir Kafshdar Goharshady.2017. Non-polynomial Worst-Case Analysis of Recursive Programs.In CAV. 41–63.

[16] Krishnendu Chatterjee, Petr Novotný, and Dorde Zikelic. 2017. Sto-chastic invariants for probabilistic termination. In POPL. 145–160.

[17] Yinghua Chen, Bican Xia, Lu Yang, Naijun Zhan, and Chaochen Zhou.2007. Discovering non-linear ranking functions by solving semi-algebraic systems. In ICTAC. Springer, 34–49.

[18] Yu-Fang Chen, Chih-Duo Hong, Bow-Yaw Wang, and Lijun Zhang.2015. Counterexample-Guided Polynomial Loop Invariant Generationby Lagrange Interpolation. In CAV. 658–674.

[19] Michael Colón, Sriram Sankaranarayanan, and Henny Sipma. 2003.Linear Invariant Generation Using Non-linear Constraint Solving. InCAV. 420–432.

[20] Michael A Colón and Henny B Sipma. 2001. Synthesis of linear rankingfunctions. In TACAS. Springer, 67–81.

[21] Thomas H Cormen, Charles E Leiserson, Ronald L Rivest, and CliffordStein. 2009. Introduction to algorithms. MIT press.

[22] Patrick Cousot. 2005. Proving Program Invariance and Terminationby Parametric Abstraction, Lagrangian Relaxation and SemidefiniteProgramming. In VMCAI. 1–24.

[23] Patrick Cousot and Radhia Cousot. 1977. Abstract interpretation: aunified lattice model for static analysis of programs by constructionor approximation of fixpoints. In POPL. ACM, 238–252.

[24] Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne,Antoine Miné, David Monniaux, and Xavier Rival. 2005. The ASTREÉAnalyzer. In ESOP. 21–30.

[25] Patrick Cousot and Nicolas Halbwachs. 1978. Automatic discovery oflinear restraints among variables of a program. In POPL. ACM, 84–96.

[26] Christoph Csallner, Nikolai Tillmann, and Yannis Smaragdakis. 2008.DySy: dynamic symbolic execution for invariant inference. In ICSE.281–290.

[27] Leonardo De Moura and Nikolaj Bjørner. 2008. Z3: An efficient SMTsolver. In TACAS. 337–340.

[28] Steven de Oliveira, Saddek Bensalem, and Virgile Prevosto. 2016. Poly-nomial Invariants by Linear Algebra. In ATVA. 479–494.

[29] Isil Dillig, Thomas Dillig, Boyang Li, and KenMcMillan. 2013. Inductiveinvariant generation via abductive inference. In OOPSLA.

[30] Isil Dillig, Thomas Dillig, Boyang Li, and Kenneth L. McMillan. 2013.Inductive invariant generation via abductive inference. In OOPSLA.443–456.

[31] Azadeh Farzan and Zachary Kincaid. 2015. Compositional RecurrenceAnalysis. In FMCAD. 57–64.

[32] Yijun Feng, Lijun Zhang, David N. Jansen, Naijun Zhan, and Bican Xia.2017. Finding Polynomial Loop Invariants for Probabilistic Programs.In ATVA. 400–416.

[33] Robert W Floyd. 1993. Assigning meanings to programs. In ProgramVerification. Springer, 65–81.

[34] Fedor V Fomin, Daniel Lokshtanov, Saket Saurabh, Michał Pilipczuk,and MarcinWrochna. 2018. Fully polynomial-time parameterized com-putations for graphs and matrices of low treewidth. ACM Transactionson Algorithms (TALG) 14, 3 (2018), 1–45.

[35] Pranav Garg, Daniel Neider, P. Madhusudan, and Dan Roth. 2016.Learning invariants using decision trees and implication counterex-amples. In POPL. 499–512.

[36] Roberto Giacobazzi and Francesco Ranzato. 1997. Completeness inabstract interpretation: A domain perspective. In AMAST. 231–245.

[37] Gene H Golub and Charles F Van Loan. 1996. Matrix computations.Johns Hopkins Universtiy Press.

[38] Dima Grigor’ev and Nicolai Vorobjov. 1988. Solving systems of poly-nomial inequalities in subexponential time. Journal of Symbolic Com-putation 5, 1/2 (1988), 37–64.

[39] Sumit Gulwani, Saurabh Srivastava, and Ramarathnam Venkatesan.2009. Constraint-Based Invariant Inference over Predicate Abstraction.In VMCAI. 120–135.

[40] Arie Gurfinkel, Temesghen Kahsai, Anvesh Komuravelli, and Jorge A.Navas. 2015. The SeaHorn Verification Framework. In CAV. 343–361.

[41] Nicolas Halbwachs, Yann-Erick Proy, and Patrick Roumanoff. 1997.Verification of real-time systems using linear relation analysis. FormalMethods in System Design 11, 2 (1997), 157–185.

[42] Matthias Heizmann, Jürgen Christ, Daniel Dietsch, Evren Ermis,Jochen Hoenicke, Markus Lindenmann, Alexander Nutz, ChristianSchilling, and Andreas Podelski. 2013. Ultimate Automizer with SMT-Interpol. In TACAS. 641–643.

[43] Thomas Henzinger and Pei-Hsin Ho. 1994. Model checking strategiesfor linear hybrid systems. (1994).

[44] Nicholas J Higham. 2009. Cholesky factorization. Wiley Interdisci-plinary Reviews: Computational Statistics 1, 2 (2009).

[45] Hoon Hong. 1991. Comparison of several decision algorithms for theexistential theory of the reals. (1991).

[46] Roger AHorn andCharles R Johnson. 1990.Matrix analysis. Cambridgeuniversity press.

[47] Ehud Hrushovski, Joël Ouaknine, Amaury Pouly, and James Worrell.2018. Polynomial Invariants for Affine Programs. In LICS. 530–539.

[48] Mingzhang Huang, Hongfei Fu, Krishnendu Chatterjee, and Amir Kaf-shdar Goharshady. 2019. Modular verification for almost-sure termi-nation of probabilistic programs. In OOPSLA. 1–29.

https://www.mosek.com/

https://www.usna.edu/CS/qepcadweb/B/QEPCAD.html

https://www.usna.edu/CS/qepcadweb/B/QEPCAD.html


[49] Andreas Humenberger, Maximilian Jaroschek, and Laura Kovács. 2017.Automated Generation of Non-Linear Loop Invariants Utilizing Hy-pergeometric Sequences. In ISSAC. 221–228.

[50] Deepak Kapur. 2004. Automatically generating loop invariants usingquantifier elimination, preliminary report. In ACA.

[51] Joost-Pieter Katoen, Annabelle McIver, Larissa Meinicke, and Carroll C.Morgan. 2010. Linear-Invariant Generation for Probabilistic Programs:- Automated Support for Proof-Based Methods. In SAS. 390–406.

[52] Zachary Kincaid, Jason Breck, Ashkan Forouhi Boroujeni, andThomas W. Reps. 2017. Compositional recurrence analysis revisited.In PLDI. 248–262.

[53] Zachary Kincaid, John Cyphert, Jason Breck, and Thomas W. Reps.2018. Non-linear reasoning for invariant synthesis. In POPL. 54:1–54:33.

[54] Wang Lin, Min Wu, Zhengfeng Yang, and Zhenbing Zeng. 2014. Prov-ing total correctness and generating preconditions for loop programsvia symbolic-numeric computation methods. Frontiers of ComputerScience 8, 2 (2014), 192–202.

[55] Zohar Manna and Amir Pnueli. 1995. Temporal verification of reactivesystems: Safety. Springer.

[56] Kenneth L. McMillan. 2008. Quantified Invariant Generation Using anInterpolating Saturation Prover. In TACAS. 413–427.

[57] Markus Müller-Olm and Helmut Seidl. 2004. Computing polynomialprogram invariants. Inform. Process. Lett. 91, 5 (2004).

[58] Vasilii Il’ich Nechaev. 2011. Continued fraction. Encyclopedia ofMathematics (2011). http://www.encyclopediaofmath.org/index.php?title=Continued_fraction&oldid=30344

[59] Van Chan Ngo, Quentin Carbonneaux, and Jan Hoffmann. 2018.Bounded expectations: resource analysis for probabilistic programs.In PLDI. ACM, 496–512.

[60] ThanhVu Nguyen, Deepak Kapur, Westley Weimer, and StephanieForrest. 2012. Using dynamic analysis to discover polynomial andarray invariants. In ICSE. 683–693.

[61] Antoine Oustry, Matteo Tacchi, and Didier Henrion. 2019. Innerapproximations of the maximal positively invariant set for polynomialdynamical systems. IEEE Control Systems Letters 3, 3 (2019), 733–738.

[62] Oded Padon, Kenneth L McMillan, Aurojit Panda, Mooly Sagiv, andSharon Shoham. 2016. Ivy: safety verification by interactive general-ization. PLDI (2016), 614–630.

[63] Mihai Putinar. 1993. Positive polynomials on compact semi-algebraicsets. Indiana University Mathematics Journal 42, 3 (1993), 969–984.

[64] Wolfram Research. [n. d.]. Mathematica, Version 12.0. ([n. d.]). https://www.wolfram.com/mathematica

[65] Enric Rodríguez-Carbonell. 2018. Some programs that need polynomialinvariants in order to be verified. (2018). http://www.cs.upc.edu/~erodri/webpage/polynomial_invariants/list.html

[66] Enric Rodríguez-Carbonell and Deepak Kapur. 2004. Automatic gener-ation of polynomial loop invariants: Algebraic foundations. In ISSAC.ACM, 266–273.

[67] Enric Rodríguez-Carbonell and Deepak Kapur. 2007. Automatic gen-eration of polynomial invariants of bounded degree using abstractinterpretation. Science of Computer Programming 64, 1 (2007), 54–75.

[68] Sriram Sankaranarayanan. 2011. Automatic abstraction of non-linearsystems using change of bases transformations. In HSCC. 143–152.

[69] Sriram Sankaranarayanan, Henny Sipma, and Zohar Manna. 2004.Non-linear loop invariant generation using Gröbner bases. In POPL.318–329.

[70] Sriram Sankaranarayanan, Henny B Sipma, and Zohar Manna. 2004.Constraint-based linear-relations analysis. In SAS. Springer, 53–68.

[71] Rahul Sharma and Alex Aiken. 2016. From invariant checking toinvariant inference using randomized search. FormalMethods in SystemDesign 48, 3 (2016), 235–256.

[72] Gagandeep Singh, Markus Püschel, and Martin Vechev. 2015. Makingnumerical program analysis fast. In PLDI. ACM, 303–313.

[73] Gagandeep Singh, Markus Püschel, and Martin Vechev. 2017. Fastpolyhedra abstract domain. In POPL. 46–59.

[74] Gilbert Stengle. 1974. A Nullstellensatz and a Positivstellensatz insemialgebraic geometry. Math. Ann. 207, 2 (1974), 87–97.

[75] Bernd Sturmfels. 2002. Solving systems of polynomial equations. Amer-ican Mathematical Society.

[76] Mikkel Thorup. 1998. All structured programs have small tree widthand good register allocation. Information and Computation 142, 2(1998), 159–181.

[77] Robert J. Vanderbei. 2006. LOQOUser’s Manual - Version 4.05. TechnicalReport. Princeton University.

[78] Peixin Wang, Hongfei Fu, Amir Kafshdar Goharshady, KrishnenduChatterjee, Xudong Qin, and Wenjun Shi. 2019. Cost analysis ofnondeterministic probabilistic programs. In PLDI. 204–220.

[79] Eric Weisstein. 2018. Periodic Continued Fraction. In MathWorld–A Wolfram Web Resource. http://mathworld.wolfram.com/PeriodicContinuedFraction.html

[80] Lu Yang, Chaochen Zhou, Naijun Zhan, and Bican Xia. 2010. Recentadvances in program verification through computer algebra. Frontiersof Computer Science in China 4, 1 (2010), 1–16.

[81] Ian En-Hsu Yen, Kai Zhong, Cho-Jui Hsieh, Pradeep K Ravikumar, andInderjit S Dhillon. 2015. Sparse linear programming via primal anddual augmented coordinate descent. In NIPS. 2368–2376.

[82] He Zhu, Zikang Xiong, Stephen Magill, and Suresh Jagannathan. 2019.An Inductive Synthesis Framework for Verifiable Reinforcement Learn-ing. In PLDI. 686–701.

http://www.encyclopediaofmath.org/index.php?title=Continued_fraction&oldid=30344

http://www.encyclopediaofmath.org/index.php?title=Continued_fraction&oldid=30344

https://www.wolfram.com/mathematica

https://www.wolfram.com/mathematica

http://www.cs.upc.edu/~erodri/webpage/polynomial_invariants/list.html

http://www.cs.upc.edu/~erodri/webpage/polynomial_invariants/list.html

http://mathworld.wolfram.com/PeriodicContinuedFraction.html

http://mathworld.wolfram.com/PeriodicContinuedFraction.html


A Detailed SyntaxPolynomial Arithmetic Expressions. A polynomial arith-metic expression e over V is an expression built from thevariables in V, real constants, and the arithmetic operationsof addition, subtraction and multiplication.Propositional Polynomial Predicates. A propositionalpolynomial predicate is a propositional formula built from(i) atomic assertions of the form e1 ▷◁ e2, where e1 and e2 arepolynomial arithmetic expressions, and ▷◁ ∈ {<, ≤, ≥, >}and (ii) propositional connectives ∨, ∧ and ¬. The satisfac-tion relation |= between a valuation ν and a propositionalpolynomial predicate ϕ is defined in the natural way, i.e. bysubstituting the variables with their values in ν and evaluat-ing the resulting boolean expression.Detailed Grammar. Figure 5 provides a more detailed gram-mar specifying the syntax of non-deterministic recursiveprograms with polynomial assignments and guards.

⟨prog⟩ ::= ⟨func⟩|⟨func⟩ ⟨prog⟩

⟨func⟩ ::= ⟨fname⟩ ‘(’ ⟨varlist⟩ ‘)’ ‘{’ ⟨stmtlist⟩ ‘}’⟨varlist⟩ ::= ⟨var⟩

|⟨var⟩ ‘,’ ⟨varlist⟩⟨stmtlist⟩ ::= ⟨stmt⟩

|⟨stmt⟩ ‘;’ ⟨stmtlist⟩⟨stmt⟩ ::= ‘skip’

|⟨var⟩ ‘:=’ ⟨expr⟩|‘if’ ⟨bexpr⟩ ‘then’ ⟨stmtlist⟩ ‘else’ ⟨stmtlist⟩ ‘fi’|‘if’ ‘⋆’ ‘then’ ⟨stmtlist⟩ ‘else’ ⟨stmtlist⟩ ‘fi’|‘while’ ⟨bexpr⟩ ‘do’ ⟨stmtlist⟩ ‘od’|⟨var⟩ := ⟨fname⟩ ‘(’ ⟨varlist⟩ ‘)’|‘return’ ⟨expr⟩

⟨bexpr⟩ ::= ⟨literal⟩|‘¬’ ⟨bexpr⟩|⟨bexpr⟩ ‘∨’ ⟨bexpr⟩|⟨bexpr⟩ ‘∧’ ⟨bexpr⟩

⟨literal⟩ ::= ⟨expr⟩ ‘<’ ⟨expr⟩|⟨expr⟩ ‘≤’ ⟨expr⟩|⟨expr⟩ ‘≥’ ⟨expr⟩|⟨expr⟩ ‘>’ ⟨expr⟩

⟨expr⟩ ::= ⟨var⟩|⟨constant⟩|⟨expr⟩ ‘+’ ⟨expr⟩|⟨expr⟩ ‘−’ ⟨expr⟩|⟨expr⟩ ‘∗’ ⟨expr⟩

Figure 5. Detailed Syntax of Non-deterministic RecursivePrograms

Below, we intuitively explain some aspects of the syntax:• Variables and Function Names. Expressions ⟨var⟩ (resp.⟨fname⟩) range over the set V (resp. F).• Arithmetic and Boolean Expressions. Expressions ⟨expr⟩range over all polynomial arithmetic expressions over pro-gram variables. Similarly, expressions ⟨bexpr⟩ range overpropositional polynomial predicates.

• Statements. A statement can be one of the following:– A special ‘skip’ statement which does not do anything,– An assignment statement (⟨var⟩ ‘:=’ ⟨expr⟩),– A conditional branch (‘if’ ⟨bexpr⟩) in which the ⟨bexpr⟩serves as the branching condition;– A non-deterministic branch (‘if ⋆’),– A while-loop (‘while’ ⟨bexpr⟩) in which the ⟨bexpr⟩serves as the loop guard;– A function call statement (⟨var⟩ := ⟨fname⟩ ‘(’ ⟨varlist⟩ ‘)’)which calls the function specified by ⟨fname⟩ using the pa-rameters specified in the ⟨varlist⟩ and assigns the resultingreturned value to the variable on its left hand side;– A return statement (‘return’ ⟨expr⟩) that ends the cur-rent function and returns the value of the expression ⟨expr⟩and the control to the parent function or ends the programif there is no parent function.• Programs and Functions. A program is simply a list of func-tions. Each function has a name, a set of parameters and abody. The function body is a sequence of statements. Weassume that there is a distinguished function fmain that isthe starting point of the program.

Syntactic Assumptions. We assume that each function inF is defined exactly once in the program, function headersdo not contain duplicate variables, and each function callstatement provides exactly as many parameters as defined inthe header of the function that is being called. Moreover, weassume that no variable appears in both sides of a functioncall statement.Simple vs. Recursive Programs. We call a program simple,or non-recursive, if it contains only one function and nofunction call statements. Otherwise, we say that the programis recursive.

B Detailed SemanticsValuations. A valuation over a setW ⊆ V of variables isa function ν : W → R that assigns a real value to eachvariable inW .We denote the set of all valuations onW byRW . We sometimes use a valuation ν over a setW ′ ⊂W ofvariables as a valuation overW . In such cases, we assumethat ν (w) = 0 for every w ∈ W \W ′. Given a valuationν , a variable v and x ∈ R, we write ν [v ← x] to denote avaluation ν ′ such that ν ′(v) = x and ν ′ agrees with ν forevery other variable.

Notation. We define Vf∗ := {retf ,v1, . . . ,vn , v1, . . . , vn}

and let Vf be the set containing all members of Vf∗ , as well

as any variable that appears somewhere in the body of thefunction f . W.l.o.g. we assume that the Vf ’s are pairwisedisjoint. Moreover, we write Rf as a shorthand for RVf . Inother words, Rf is the set of all valuations over the variablesthat appear in f , including its header, its body and its newvariables. Similarly, we define Lf as the set of labels thatoccur in f .


Configurations. A stack element ξ is a tuple (f , ℓ,ν ) wheref ∈ F is a function and ℓ ∈ Lf and ν ∈ Rf are respectively alabel and a valuation in f . A configuration κ = ⟨ξi ⟩ni=0 is afinite sequence of stack elements.Notation.Given a configurationκ and a stack element ξ , wewrite κ · ξ to denote the configuration obtained by adding ξto the end of κ. Also, we define κ−i as the sequence obtainedby removing the last i stack elements of κ.Runs. A run is an infinite sequence of configurations thatstarts at the first label of fmain and follows the requirementsof the CFG. Intuitively, a run models the sequence of config-urations that are met in an execution of the program.FormalDefinition of Runs.Given a program P and its CFG(F, L,→), a run is a sequence ρ = {κi }∞i=0 of configurationssuch that:• κ0 = ⟨(fmain, ℓfmainin ,ν )⟩ for some valuation ν ∈ Rfmain . Intu-itively, a run begins from the fmain function.• If |κi | = 0, then |κi+1 | = 0, too. Informally, this case corre-sponds to when the program has already terminated.• Let ξ = (f , ℓ,ν ) be the last stack element in κi . Then, κi+1should satisfy one of the following rules:(a) ℓ ∈ La and (ℓ,α , ℓ′) ∈→ and κi+1 = κ

−1i · (f , ℓ′,α(ν )).

(b) ℓ ∈ Lb and (ℓ,ϕ, ℓ′) ∈→ where ϕ is a predicate suchthat ν |= ϕ and κi+1 = κ

−1i · (f , ℓ′,ν ).

(c) ℓ ∈ Lc , the statement corresponding to ℓ is the functioncall v0 := f ′(v1,v2, . . . ,vn), the header of the function f ′

is f ′(v ′1,v ′2, . . . ,v ′n), and κi+1 = κi · (f ′, ℓf′

in,ν′) where

ν ′(x) ={ν (vi ) x ∈ {v ′i , v ′i }

0 otherwise .

Intuitively, this corresponds to adding the new functionto the stack.(d) ℓ ∈ Ld and (ℓ,⋆, ℓ′) ∈→ and κi+1 = κ

−1i · (f , ℓ′,ν ).

(e1) ℓ ∈ Le and |κi | = 1 and |κi+1 | = 0. Informally, thiscase corresponds to the termination of the program whenthe fmain function returns and the stack becomes empty.(e2) ℓ ∈ Le , |κi | > 1, ξ = ( f , ℓ, ν ) is the stack elementbefore ξ in κi , the label ℓ corresponds to a function callof the form v0 := f (v1, . . . ,vn), (ℓ,⊥, ℓ′) ∈→ and κi+1 =

κ−2i · ( f , ℓ′, ν [v0 ← ν (retf )]). Informally, this correspondsto returning control from the function f into its parentfunction f .

Return Assumption. We assume that every execution of afunction ends with a return statement. If this is not the case,we can add “return 0” to suitable points of the program toobtain an equivalent program that satisfies this condition.Semi-runs and Paths.A semi-run starting at a stack elementξ = (f , ℓ,ν ) is a sequence ϱ = ⟨κi ⟩∞i=0 that satisfies all theconditions of a run, except that it starts with κ0 = ⟨ξ ⟩. Apath π = ⟨κi ⟩ni=0 of length n is a finite prefix of a semi-run.Valid Runs. A run ρ is valid w.r.t. a pre-condition Pre, iffor every stack element ξ = (f , ℓ,ν ) appearing in one of its

configurations, we have ν |= Pre(ℓ). Valid semi-runs andpaths are defined similarly. A stack element is reachable if itappears in a valid run.Abstract Paths. Given a pre-condition Pre and a post-condition Post, an abstract path starting at a stack elementξ = (f , ℓ0,ν0) is a sequence ϖ = ⟨κi = ⟨(f , ℓi ,νi )⟩⟩ni=0 suchthat for all i < n, κi+1 satisfies either one of the conditions(a), (b) and (d) as in the definition of runs or the followingmodified (c) condition:(c′) ℓi ∈ Lc , i.e. the statement corresponding to ℓi is a func-tion call v0 := f ′(v1, . . . ,vn) where f ′ is a function withthe header f ′(v ′1, . . . ,v ′n) andνi |= Pre(ℓf

′

in)[v′i ← vi , v

′i ←

vi ]. Moreover, (ℓi ,⊥, ℓi+1) ∈→, the valuation νi+1 agreeswith νi over every variable, except possibly v0, and νi+1 |=Post(f )[v ′i ← vi , ret

f ← v0]. The latter is the result ofreplacing each occurrence of v ′i with its respective vi andretf with v0 in Post(f ).

An abstract path always remains in the same function andhence each configuration in an abstract path consists of onlyone stack element. A valid abstract path is defined similarlyto a valid path.

C Inductive Assertion Maps and InvariantsInvariants. Given a program P and a pre-condition Pre, aninvariant is a function Inv mapping each label ℓ ∈ Lf of theprogram to a conjunctive propositional formula Inv(ℓ) :=∧m

i=0 (ei > 0) over Vf , such that for every reachable stackelement (f , ℓ,ν ), it holds that ν |= Inv(ℓ).Inductive Assertion Maps. Given a non-recursive programP and a pre-condition Pre, an inductive assertion map is afunction Ind mapping each label ℓ ∈ Lf of the program toa conjunctive propositional formula Ind(ℓ) :=

∧mi=0 (ei > 0)

over Vf , such that the following two conditions hold:• Initiation. For every stack element ξ = (fmain, ℓfmainin ,ν0),we have ν0 |= Pre(ℓfmainin ) ⇒ ν0 |= Ind(ℓfmainin ). Intuitively,this means that Ind(ℓfmainin ) should be deducible from thepre-condition Pre(ℓfmainin ).• Consecution. For every valid unit-length pathπ = ⟨(fmain, ℓ0,ν0),(fmain, ℓ1,ν1)⟩ that starts at ℓ0 and ends at ℓ1, we haveν0 |= Ind(ℓ0) ⇒ ν1 |= Ind(ℓ1). Intuitively, this conditionmeans that the inductive assertion map cannot be falsifiedby running a valid step of the execution of the program.

Lemma C.1. Given a non-recursive program P and a pre-condition Pre, every inductive assertion map Ind is an invari-ant.

Proof. Consider a valid run ρ = ⟨κi ⟩∞i=0 = ⟨⟨(fmain, ℓi ,νi )⟩⟩∞i=0of P . Let π = ⟨κi ⟩ni=0 be a prefix of ρ, which is a valid pathof length n. We prove that νn |= Ind(ℓn). Our proof is byinduction on n. For the base case of n = 0, we have ℓ0 =ℓfmainin . By validity of ρ, we have ν0 |= Pre(ℓfmainin ). Hence, by


initiation, ν0 |= Ind(ℓfmainin ). For the induction step, assum-ing that νn−1 |= Ind(ℓn−1), we prove that νn |= Ind(ℓn).We apply the consecution property to the unit-length validpath ⟨(fmain, ℓn−1,νn−1), (fmain, ℓn ,νn)⟩, which leads to νn |=Ind(ℓn).Hence, for every reachable stack element (fmain, ℓ,ν ), we

have ν |= Ind(ℓ), which means Ind is an invariant. □

Recursive Inductive Invariants. Given a recursive pro-gram P and a pre-condition Pre, a recursive inductive in-variant is a pair (Post, Ind) where Post is a post-conditionand Ind is a function that maps every label ℓ ∈ Lf of theprogram to a conjunctive propositional formula Ind(ℓ) :=∧m

i=0 (ei > 0), such that the following requirements are met:• Initiation. For every stack element ξ = (f , ℓfin,ν0) at startof a function f , we have ν0 |= Pre(ℓfin) ⇒ ν0 |= Ind(ℓfin).• Consecution. For every valid unit-length abstract path π =⟨(f , ℓ0,ν0), (f , ℓ1,ν1)⟩ that starts at ℓ0 ∈ Lf and ends atℓ1 ∈ Lf , we have ν0 |= Ind(ℓ0) ⇒ ν1 |= Ind(ℓ1).• Post-condition Consecution. For every valid unit-lengthabstract path π = ⟨(f , ℓ0,ν0), (f , ℓfout,ν1)⟩ that starts atℓ0 ∈ Lf and ends at the endpoint label ℓfout, we haveν0 |= Ind(ℓ0) ⇒ ν1 |= Post(f ).

LemmaC.2. Given a recursive program P and a pre-conditionPre, if (Post, Ind) is a recursive inductive invariant, then thefunction Ind is an invariant.

Proof. Consider an arbitrary valid run ρ = ⟨κi ⟩∞i=0 of P . Letπ = ⟨κi ⟩ni=0 be a prefix of ρ, which is a valid path of length nand ξ = (f , ℓ,ν ) the last stack element of κn . We prove thatν |= Ind(ℓ). Our proof is by induction on n.

For the base case ofn = 0, we have ℓ = ℓfmainin . By validity of ρ,we have ν |= Pre(ℓfmainin ). Hence, by initiation, ν |= Ind(ℓfmainin ).For the inductive step, we let ξ ′ = (f ′, ℓ′,ν ′) be the last stackelement in κn−1. We prove that ν |= Ind(ℓ). We consider thefollowing cases:

• If f ′ = f , then ⟨(f ′, ℓ′,ν ′), (f , ℓ,ν )⟩ is a valid abstract pathof length 1. Hence, by consecution, we have ν |= Ind(ℓ).• If f ′ is the parent function of f , i.e. ℓ = ℓfin and ℓ′ is afunction-call statement calling f , then by validity of ρ, wehave ν |= Pre(ℓ) and by initiation, we infer ν |= Ind(ℓ).• If f is the parent function of f ′, i.e. ℓ′ = ℓf

′

out, then letξ = (f , ℓ, ν ) be the last visited stack element in f beforef ′ was called. It is easy to verify that ℓ is a function-callstatement calling f ′ and (ℓ,⊥, ℓ) ∈→. By post-conditionconsecution, ν ′ |= Post(f ′), hence ⟨(f , ℓ, ν ), (f , ℓ,ν )⟩ is avalid abstract path of length 1. By the induction hypothesis,we have ν |= Ind(ℓ), hence, by consecution, we deduce ν |=Ind(ℓ).Hence, for every reachable stack element ξ = (f , ℓ,ν ), we

have ν |= Ind(ℓ) which means Ind is an invariant. □

D Mathematical Tools and LemmasD.1 Proof of Corollary 4.2Corollary 4.2. Let V ,д,д1, . . . ,дm and Π be as in Theo-rem 4.1. Then д(x) > 0 for all x ∈ Π if and only if :

д = ϵ + h0 +

m∑i=1

hi · дi (3)

where ϵ > 0 is a real number and each polynomial hi is thesum of squares of some polynomials in R[V ].

Proof. It is obvious that if (3) holds, then д(x) > 0 for allx ∈ Π. We prove the other side. Let д(x) > 0 for all x ∈ Π.Given that Π is compact and д continuous, д(Π) must also becompact and hence closed. Therefore, δ := infx ∈Π д(x) > 0. Letϵ = δ/2, then д(x) − ϵ > 0 for all x ∈ Π. Applying Putinar’sPositivstellensatz, i.e. equation (1), to д − ϵ leads to the desiredresult. □

D.2 Proof of Lemma 4.3In our algorithm, we have to reduce the problem of check-ing whether a polynomial h ∈ R[V ] is a sum-of-squaresto solving a quadratic system. We now present this reduc-tion in detail. Our reduction is based on the following twowell-known theorems:

Theorem D.1 (See [46], Corollary 7.2.9). A polynomial h ∈R[V ] of even degree d is a sum-of-squares if and only if thereexists a k-dimensional symmetric positive semi-definite matrixQ such that h = yTQy, where k is the number of monomials ofdegree no greater than d/2 and y is a column vector consistingof every such monomial.

Theorem D.2 ([37, 44]). A symmetric square matrix Q ispositive semi-definite if and only if it has a Cholesky decom-position of the form Q = LLT where L is a lower-triangularmatrix with non-negative diagonal entries.

Given the two theorems above, our reduction uses thefollowing procedure for generating quadratic equations thatare equivalent to the assertion that h is a sum-of-squares:The Reduction. The algorithm generates the setM ⌊d/2⌋ ofmonomials of degree at most ⌊d/2⌋ over V . It then ordersthese monomials arbitrarily into a vector y and symbolicallycomputes the equality

h = yTLLTy (4)

where L is a lower-triangular matrix whose every non-zeroentry is a new variable in the system. We call these variablesl-variables. For every li,i , i.e. every l-variable that appearson the diagonal of L, the algorithm adds the constraint li,i ≥0 to the quadratic system. Then, it translates Equation (4)into quadratic equations over the coefficients of h†† and l-variables by equating the coefficients of corresponding terms

††These coefficients are called t -variables in our algorithm.


on the two sides of (4). The resulting system encodes theproperty that h is a sum-of-squares.

Example D.3. Let V = {a,b} be the set of variables andh ∈ R[V ] a quadratic polynomial, i.e. h(a,b) = t1 + t2 ·a+ t3 ·b + t4 · a2 + t5 · a · b + t6 · b2. We aim to encode the propertythat h is a sum-of-squares as a system of quadratic equalitiesand inequalities. To do so, we first generate all monomials ofdegree at most ⌊d/2⌋ = 1, which are 1, a and b. Hence, welet y =

[1 a b

]T. We then generate a lower-triangular

matrix L whose every non-zero entry is a new variable:

L =

l1 0 0l2 l3 0l4 l5 l6

.We also add the inequalities l1 ≥ 0, l3 ≥ 0 and l6 ≥ 0 toour system. Now, we write the equation h = yTLLTy andcompute it symbolically:

h =[1 a b

] l1 0 0l2 l3 0l4 l5 l6

l1 l2 l40 l3 l50 0 l6

1ab

,which leads to: t1+t2 ·a+t3 ·b+t4 ·a2+t5 ·a ·b+t6 ·b2 = l2

1+2·l1 ·l2·a+2·l1·l4·b+(l2

2+l23 )·a2+(2·l2·l4+2·l3·l5)·a·b+(l2

4+l25+l

26 )·b2.

Note that both sides of the equation above are polynomialsover {a,b}, hence they are equal iff their correspondingcoefficients are equal. So, we get the following quadraticequalities over the t-variables and l-variables: t1 = l2

1 , t2 =2 · l1 · l2, . . . , t6 = l2

4 + l25 + l

26 . This concludes the construction

of our quadratic system.

E Experimental ResultsE.1 The Invariant Synthesized for Our Running

ExampleTable 4 shows the output of our invariant generation algo-rithm, i.e. WeakInvSynth, on the running example of Fig-ure 2.

ℓ Pre(ℓ) Ind(ℓ)

1 n = n,n ≥ 1

0.13 − 0.01 · n − 0.05 · r − 0.07 · s −0.24 · i + 0.06 ·n+ 0.16 · n2 − 0.08 · n ·r + 0.11 · r 2 − 0.13 · n · s + 0.18 · r · s +0.15 ·s2−0.13 ·n ·i+0.16 ·r ·i+0.24 ·i ·s+0.23 ·i2+0.07 ·n ·n−0.52 ·r ·n−0.67 ·n · s − 0.66 · i ·n + 1.10 ·n2 > 0

2 true

0.09−0.01 ·n−0.18 ·r−0.30 ·s+0.09 ·i + 0.11 · n + 0.03 · n2 + 0.01 · n · r +0.13 ·r 2−0.03 ·n ·s+0.16 ·r ·s+0.23 ·s2−0.01 · n ·i−0.18 ·r ·i−0.30 ·i ·s+0.09 · i2 + 0.01 · n ·n + 0.11 · i ·n > 0

3 true

0.49 + 0.01 · n + 0.11 · r − 0.59 · s −0.30 · i − 0.29 · n + 0.13 · r 2 − 0.01 ·n · s − 0.35 · r · s + 0.60 · s2 + 0.05 · r ·i − 0.01 · i · s + 0.16 · i2 − 0.04 · r ·n −0.06 ·n · s − 0.04 · i ·n + 0.18 ·n2 > 0

4 true

0.20 − 0.12 · n + 0.01 · r − 0.01 · s −0.22 · i − 0.07 ·n+ 1.08 · n2 + 0.10 · n ·r + 0.15 · r 2 − 0.49 · n · s − 0.08 · r · s +0.10 ·s2−0.65 ·n ·i−0.15 ·r ·i+0.16 ·i ·s+0.14 ·i2−0.57 ·n ·n−0.11 ·r ·n+0.13 ·n · s + 0.24 · i ·n + 0.22 ·n2 > 0

5 true


6 true


7 true

0.15 − 0.09 · n − 0.12 · r + 0.03 · s −0.07 · i − 0.13 ·n+ 0.23 · n2 + 0.48 · n ·r + 0.35 · r 2 − 0.31 · n · s − 0.40 · r · s +0.13 ·s2+0.16 ·n ·i+0.13 ·r ·i−0.09 ·i ·s+0.06 ·i2−0.24 ·n ·n−0.24 ·r ·n+0.18 ·n · s − 0.10 · i ·n + 0.14 ·n2 > 0

8 true

0.18 − 0.11 · n + 0.01 · r + 0.50 · i −0.79 ·n+1.09 · n2+0.11 · n ·r +0.15 ·r 2 − 0.48 · n · s − 0.08 · r · s + 0.10 ·s2 − 0.57 · n · i − 0.09 · r · i + 0.16 · i ·s + 0.18 · i2− 0.66 · n ·n− 0.16 · r ·n+0.12 ·n · s + 0.13 · i ·n + 0.27 ·n2 > 0

9 true 1 + 0.5 · n − r + 0.5 · n2 > 0Table 4. The inductive invariant generated byWeakInvSynth for the running example in Figure 2


E.2 Recursive ExamplesWe used the following recursive examples as benchmarks.Desired assertions are shown in brackets. Pre-conditions areenclosed in # signs. In all cases our algorithm synthesizes aninductive invariant that contains the desired assertions.

recursive-sum (n ) {# n ≥ 0 #i f n ≤ 0 then

return n

e l sem : = n − 1 ;s : = recursive-sum (m ) ;i f ⋆ then

s : = s + n

e l seskip

f i ;return s

f i[retrecursive-sum < 0.5 · n2 + 0.5 · n + 1 ] }

recursive-square-sum (n ) {# n ≥ 0 #i f n ≤ 0 then

return n


s : = s + n ∗ ne l se

skipf i ;return s

f i[retrecursive-square-sum < 0.34 · n3 + 0.5 · n2 + 0.17 · n + 1 ] }

recursive-cube-sum (n ) {# n ≥ 0 #i f n ≤ 0 then

return n


s : = s + n ∗ n ∗ ne l se

skipf i ;return s

f i[retrecursive-cube-sum < 0.25 · n2 · (n + 1)2 + 1 ] }

pw2 (x ) {/ / computes the largest power of 2 that is ≤ x

# x ≥ 1 #i f x ≥ 2 then

y : = 0.5 ∗ x ;return 2 ∗ pw2(y)

e l sereturn 1

f i[retpw2 ≤ x ∧ 2 · retpw2 > x] }


merge-sort ( s , e ) / / sorts and returns number of inversions in[s ..e]{

# e ≥ s #i f s ≥ e then

return 0e l se

i : = 0.5 ∗ s + 0.5 ∗ e ;j : = ⌊i⌋ ;i : = j + 1 ;r : = merge-sort(s, j) ;ans : = merge-sort(i, e) ;ans : = ans + r ;k : = s ;

while i ≤ e dowhile k ≤ j do

i f ⋆ then / / array[k] ≤ array[i]k : = k + 1 ;skip / / temp.push_back (array[k] )

e l se / / array[k] > array[i]ans : = ans + j − k + 1 ; / / add inversionsi : = i + 1 ;skip / / temp.push_back (array[i] )

f iod ;skip ; / / temp.push_back (array[i] )i : = i + 1

od ;

while s ≤ e doskip ; / / copy from temp to arrays : = s + 1

od ;

return ans

f i[retmerge-sort < 0.5 · (e − s) · (e − s + 1) + 1 ] }


E.3 Example with Two Functions RecursivelyCalling Each Other

Our approach can handle any combination of recursive func-tion calls as long as a polynomial recursive inductive invari-ant exists. As an example, consider the following program,consisting of two functions f and д, which recursively calleach other. Our algorithm is able to handle it in 47s usingparameters n = d = ϒ = 2. This program leads to a quadraticsystem of size 5453.

f (n ) {# n ≥ 1 #i f n ≤ 1 then

return 1e l se

x : = д(n − 1);x : = x + 2 · n − 1;y : = 0;while (y + 1)2 ≤ x do

y : = y + 1od ;return y

f i[retf ≤ n ] }

g (n ) {# n ≥ 1 #return n · f (n)

[retg ≤ n2 ] }

sum (n ) {1 : i : = 1 ;2 : s : = 0 ;3 : while i ≤ n do4 : s : = s + i ;5 : i : = i + 1

od ;6 : return s7 : }

Figure 6. A summation program

E.4 Example of Synthesizing Polynomial EqualityInvariants

To demonstrate that our approach is able to generate in-variants including polynomial equalities, we slightly changethe program in Figure 2 to obtain the one in Figure 6. Thisprogram precisely computes 1 + 2 + . . . + n = n ·(n+1)

2 . Let rbe the return value of sum(n), we would like to prove thatr = 0.5 ·n2+0.5 ·n,which is equivalent to 0.5 ·n2+0.5 ·n−r ≥0 ∧ r − 0.5 ·n2 − 0.5 ·n ≥ 0.We can therefore run the soundbut incomplete variant of our approach, i.e. the variant thatdoes not incorporate positivity witnesses, with parametersn = d = ϒ = 2. Our algorithm successfully synthesizesan inductive invariant that proves the desired equality. Theresulting inductive invariant is given in Table 5.


ℓ Pre(ℓ) Ind(ℓ), first inequality Ind(ℓ), second inequality

1 n = n,n ≥ 1

−0.09 − 0.79 · n − 0.95 · r − 0.72 · s − 1.12 · i −0.39 ·n+ 1.90 · n2 − 0.12 · n · r + 1.62 · r 2 − 0.25 ·n · s − 0.36 · r · s + 1.48 · s2 − 0.79 · n · i − 0.67 ·r · i − 0.94 · i · s + 1.57 · i2 + 0.42 · n · n + 0.10 ·r · n − 0.15 · n · s − 0.82 · i · n + 2.36 · n2 ≥ 0

0.45 − 0.77 · n − 0.85 · r − 0.56 · s − 0.75 · i −0.47 ·n+ 1.68 · n2 − 0.37 · n · r + 1.45 · r 2 − 0.44 ·n · s − 0.52 · r · s + 1.42 · s2 − 0.89 · n · i − 0.67 ·r · i − 0.89 · i · s + 1.73 · i2 + 0.09 · n · n − 0.20 ·r · n − 0.38 · n · s − 0.92 · i · n + 2.07 · n2 ≥ 0

2 true

0.08 − 1.07 · n − 1.48 · r − 2.00 · s − 2.42 · i −0.34 ·n+ 3.14 · n2 − 0.62 · n · r + 3.51 · r 2 − 1.33 ·n · s − 2.12 · r · s + 2.32 · s2 + 0.64 · n · i + 0.76 ·r · i − 1.37 · i · s + 3.40 · i2 − 0.50 · n · n + 0.22 ·r · n − 0.68 · n · s + 0.94 · i · n + 3.67 · n2 ≥ 0

0.76 − 1.37 · n − 1.08 · r − 1.64 · s − 1.77 · i −0.01 ·n+ 2.25 · n2 − 1.34 · n · r + 3.25 · r 2 − 1.20 ·n · s − 2.27 · r · s + 2.68 · s2 − 0.04 · n · i + 0.59 ·r · i − 1.23 · i · s + 2.93 · i2 − 1.68 · n · n − 0.32 ·r · n − 0.95 · n · s + 0.31 · i · n + 2.93 · n2 ≥ 0

3 true

0.94−0.37 · n−0.07 ·r +0.95 ·s +0.38 · i −0.09 ·n+0.07 · n2+0.03 · n ·r −0.19 · n ·s −0.04 ·r ·s +0.28 ·s2−0.07 · n ·i−0.01 ·r ·i+0.27 ·i ·s+0.11 ·i2+0.01 ·n ·n+0.02 ·n ·s+0.06 ·i ·n+0.18 ·n2 ≥ 0

3.69+3.15·n−0.09·r−3.37·s−0.06·i−0.19·n+4.87 · n2−0.01 · n ·r +0.01 ·r 2−1.44 · n ·s−0.09 ·r ·s +2.89 ·s2+0.01 · n · i −0.05 · i ·s +0.02 · i2+0.02 · n ·n+0.02 ·r ·n−0.25 ·n ·s +0.03 ·n2 ≥ 0

4 true

0.89−0.31 · n−0.06 ·r +0.91 ·s +0.39 · i −0.26 ·n+0.06 · n2+0.02 · n ·r −0.16 · n ·s −0.03 ·r ·s +0.26 ·s2−0.06 · n ·i−0.01 ·r ·i+0.27 ·i ·s+0.11 ·i2+0.01 ·n ·n−0.09 ·n ·s−0.02 ·i ·n+0.23 ·n2 ≥ 0

0.34+0.47·n−0.55·s−0.56·i+0.01·n+0.82·n2−0.01·n ·r−0.16·n ·s+0.25·s2−0.15·n ·i+0.51·i ·s+0.26 ·i2−0.01 ·n ·n−0.01 ·n ·s−0.01 ·i ·n ≥ 0

5 true

2.83 − 1.01 · n − 0.20 · r + 2.86 · s − 1.62 · i −0.86 ·n+ 0.26 · n2 + 0.10 · n · r + 0.01 · r 2 − 0.52 ·n · s − 0.11 · r · s + 0.83 · s2 + 0.30 · n · i + 0.05 ·r · i − 0.80 · i · s + 0.32 · i2 + 0.04 · n · n + 0.01 ·r · n − 0.27 · n · s + 0.21 · i · n + 0.73 · n2 ≥ 0

2.03 + 2.31 · n − 0.04 · r − 2.82 · s − 0.01 · i −0.02 · n + 4.08 · n2 − 0.03 · n · r − 0.79 · n · s −0.01 · r · s + 1.32 · s2 + 0.03 · n · i + 0.02 · i2 −0.06 · n ·n+0.01 ·r ·n−0.06 ·n ·s +0.01 ·n2 ≥ 0

6 true

20.37 − 8.79 · n − 0.05 · r + 25.48 · s − 0.19 · i −2.16 ·n+ 4.25 · n2 − 0.25 · n · r + 2.89 · r 2 − 7.49 ·n · s + 2.00 · r · s + 25.53 · s2 − 1.08 · n · i − 0.97 ·r · i − 0.64 · i · s + 2.83 · i2 − 1.79 · n · n − 2.21 ·r · n − 4.19 · n · s − 0.86 · i · n + 4.49 · n2 ≥ 0

68.26+ 60.81 · n − 2.84 · r − 68.34 · s − 2.64 · i −3.44 · n + 100.00 · n2 + 0.76 · n · r + 2.64 · r 2 −33.53 · n · s − 2.63 · r · s + 57.63 · s2 + 0.71 · n · i −1.22 · r · i − 2.45 · i · s + 2.36 · i2 + 0.91 · n · n −1.74 · r ·n− 3.16 ·n · s − 1.82 · i ·n+ 2.19 ·n2 ≥ 0

7 true 0.50 · n2 + 0.50 · n − r ≥ 0 r − 0.50 · n2 − 0.50 · n ≥ 0Table 5. The inductive invariant generated by WeakInvSynth for the summation program in Figure 6


E.5 Continued Fraction ExampleGiven that our approach has semi-completeness guarantees(over bounded reals), it is no surprise that it can generatedesired polynomial invariants for inputs which no previ-ous incomplete approach could handle. We now present aclassical example of a program that approximates

√2 using

its continued fraction representation. Our implementationgenerates required invariants of degree 5, which is beyondthe reach of all previous methods in Table 1. Specifically,we manually tried all the incomplete approaches in Table 1over this example. They are either not applicable or fail tosynthesize the desired invariant. However, some of themsynthesize other invariants for the same program.We first review some well-known facts about continued

fractions. A continued fraction is an expression of the fol-lowing form:

x = a0 +1

a1 +1

a2+...

in which the ai ’s are natural numbers. For brevity, we denotethis fraction as x = [a0;a1,a2, . . .]. Note that the continuedfraction representation might be finite (in case of rationalnumbers) or infinite (in case of irrationals). Specifically, itis easy to verify that

√2 = [1; 2, 2, 2, . . .]. In any case, we

define xn := [a0;a1, . . . ,an] and call it the n-th convergentof x . A standard way for approximating irrational numbersis to evaluate the convergents of their continued fractionrepresentation. We consider a program that approximates√

2 using this technique.The following well-known lemma provides some proper-

ties of the convergents and a simple algorithm for computingthem:

Lemma E.1 ([58]). Let x = [a0;a1,a2, . . .]. We define twosequences ⟨Pn⟩∞n=−2 and ⟨Qn⟩∞n=−2 as follows:

Pn = an · Pn−1 + Pn−2 P−1 = 1 P−2 = 0Qn = an ·Qn−1 +Qn−2 Q−1 = 0 Q−2 = 1.

The following properties hold for all 0 ≤ n < ∞:(i) xn =

PnQn.

(ii) |x − xn | ≤ |x − xn+1 |.(iii) |x − xn | ≤ 1

Qn ·Qn+1.

(iv) Qn · Pn−1 −Qn−1 · Pn = (−1)n .□

Consider the program in Figure 7. This program computesthe values of Pn and Qn for every n ≥ 0. We use the variablep0 to save values of P2n , i.e. even-indexed values of the se-quence P , and p1 to save P2n+1. The variables q0 and q1 areused in a similar manner. We can encode properties (ii) to(iv) of Lemma E.1 as partial invariants for the program inFigure 7 and check if our approach can synthesize inductiveinvariants that prove them.

continued-fraction ( ){

1 : p0 : = 1 ;2 : p1 : = 3 ;3 : q0 : = 1 ;4 : q1 : = 2 ;

5 : while 1 ≥ 0 do6 : p0 : = 2 · p1 + p0 ;7 : q0 : = 2 · q1 + q0 ;8 : skip ; / / xn : = p0/q0 ;

9 : p1 : = 2 · p0 + p1 ;1 0 : q1 : = 2 · q0 + q1 ;1 1 : skip / / xn : = p1/q1

od}

Figure 7. A program that approximates√

2 by computingthe two sequences defined in Lemma E.1.

Specifically, letting x =√

2wewant the algorithm to provethe following partial invariants:

(ii) |x − xn | ≤ |x − xn+1 | can be rewritten as follows:

(x − xn)2 ≤ (x − xn+1)2(x − Pn

Qn

)2≤

(x − Pn+1

Qn+1

)2

(Qn ·Qn+1 · x − Pn ·Qn+1)2 ≤ (Qn ·Qn+1 · x − Pn+1 ·Qn)2

which is a polynomial inequality. Hence, we aim to find aninductive invariant that contains the following inequalitiesat lines 8 and 11, respectively:

(q0 · q1 ·√

2 − p1 · q0)2 ≤ (q0 · q1 ·√

2 − p0 · q1)2,

(q0 · q1 ·√

2 − p0 · q1)2 ≤ (q0 · q1 ·√

2 − p1 · q0)2.

Tomodel√

2,we consider a new program variable x whosevalue is always

√2.We enforce this by addingx2 ≤ 2∧x2 ≥

2 ∧ x ≥ 0 to every pre-condition.(iii) Similar to the previous case, this property can be rewrit-ten as a polynomial inequality as follows:

|x − xn | ≤1

Qn ·Qn+1|x − xn | ·Qn ·Qn+1 ≤ 1

(x − xn)2 ·Q2n ·Q2

n+1 ≤ 1(x − Pn

Qn

)2·Q2

n ·Q2n+1 ≤ 1

(Qn · x − Pn)2 ·Q2n+1 ≤ 1


Therefore, we aim to find an inductive invariant that con-tains the following inequalities at lines 8 and 11, respec-tively:

(q1 ·√

2 − p1)2 · q20 ≤ 1,

(q0 ·√

2 − p0)2 · q21 ≤ 1.

(iv) This property is already in polynomial form wrt our pro-gram variables. Therefore, it corresponds to the followingequality at lines 8 and 11:

q0 · p1 − q1 · p0 = 1.

Execution Results.We ran our approach on the programof Figure 7 with the goal of finding an inductive invariantcontaining the partial invariants listed above. Note that thepartial invariants in (ii) are of degree 5 and hence we setd = ϒ = 5. Moreover, we set n = 5, i.e. we generate 5polynomial inequalities at each program point. Using these

parameters, our approach was able to successfully generatethe desired inductive invariant in 48m. To the best of ourknowledge, no previous approach for polynomial invariantgeneration can handle this example.

Remark 9. Note that the choice of x =√

2 in the exampleabove was arbitrary. One can replace

√2 with any other real

number with a periodic continued fraction representation, thusobtaining a family of programs whose desired partial invari-ants (as in Lemma E.1) can be automatically proven by ourapproach, but not by any of the previous approaches. It is well-known that the set of real numbers with periodic continuedfraction representation is the same as the set of quadratic irra-tionals, i.e. irrational roots of quadratic equations with integercoefficients [79]. For example, this set contains

√n for every

non-square n ∈ N.

polynomial invariant generation for non-deterministic recursive … · krishnendu chatterjee ist...

Documents