Failure Tabled Constraint Logic Programming by Interpolation published in Theory and Practice of Logic Programming

The problem of verifying safety properties consists of proving that an unsafe configuration or error is not reachable from an initial configuration considering all possible program executions. clp has been shown to be a successful model for performing this task (see for example Jaffar et al. (2009) and Angelis et al. (2012)). The program P can be translated into an equivalent clp program P ′ such that the error is unreachable if and only if the derivation tree of P ′ does not contain any successful derivation. If the derivation tree is finite and the safety property can be expressed, for example, on real numbers then any clp system can prove the absence of errors. However, programs often contain unbounded loops, and therefore, the main challenge lies in discovering loop invariants that can still prove the unreachability of the error configurations. Another problem for clp systems is that sometimes the safety property may require reasoning about other theories different from real or rational linear arithmetic. In this appendix, we show several examples (Figures 1 and 2) taken from the software verification literature which are commonly considered to be challenging for automatic verifiers. We have translated the programs into clp manually in such way that the original program is safe iff the clp model of the translated program is empty. The details of the translation are beyond of the scope of this paper and we refer to, for example, Delzanno and Podelski (2001) and Jaffar et al. (2005) for a formal description. We also show the inductive invariant required in each case to prove program is safe. The only program that cannot be verified by our method is t1.c. Note that a safe inductive invariant is Y ≥ 0 ∧ X ≥ Y. From error/4 we can trivially infer the interpolant X ≥ Y but unfortunately we cannot infer the other required invariant Y ≥ 0 even though that clearly holds, since Y = 0 initially and then Y can only be incremented by one. This shortcoming is typical of methods that rely only on counterexample-driven verification with interpolation. However, abstract interpreters using intervals or octagons can easily infer the inductive invariant Y ≥ 0. Thus, verifiers that combine abstract interpretation with interpolation (Gulavani et al. 2008; Albarghouthi et al. 2012; Jaffar et al. 2012) can easily infer the required invariant Y ≥ 0. Note that all C variables are defined …