Inferring Loop Invariants using Postconditions
To Yuri Gurevich in joyful celebration of his 70th birthday, and with thanks for his many contributions to computer science, including his original leadership of the group on whose tools the present work crucially relies.

Abstract. One of the obstacles in automatic program proving is to obtain suitable loop invariants. The invariant of a loop is a weakened form of its postcondition (the loop's goal, also known as its contract); the present work takes advantage of this observation by using the postcondition as the basis for invariant inference, using various heuristics such as "uncoupling" which prove useful in many important algorithms. Thanks to these heuristics, the technique is able to infer invariants for a large variety of loop examples. We present the theory behind the technique, its implementation (freely available for download and currently relying on Microsoft Research's Boogie tool), and the results obtained.

1 Overview

Many of the important contributions to the advancement of program proving have been, rather than grand new concepts, specific developments and simplifications; they have removed one obstacle after another preventing the large-scale application of proof techniques to realistic programs built by ordinary programmers in ordinary projects. The work described here seeks to achieve such a practical advance by automatically generating an essential ingredient of proof techniques: loop invariants.

The key idea is that invariant generation should use not just the text of a loop but its postcondition. Using this insight, the gin-pink tool can infer loop invariants for non-trivial algorithms including array partitioning (for Quicksort), sequential search, coincidence count, and many others. The tool is available for free download.
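To make the "invariant as weakened postcondition" idea concrete on one of the algorithms named above, sequential search, the following example (added here; it is not gin-pink code and does not reproduce the paper's heuristics) states the loop's postcondition, weakens it by dropping the clause that only the exit condition can establish, and checks at run time that the weakened formula holds at initialization and after every iteration while the full postcondition does not. The names `postcondition`, `invariant`, `loop_states` and `holds_throughout` are this example's own.

```python
from typing import Callable, Iterator, List

# Candidate predicates take the array, the searched value and the loop index.
Predicate = Callable[[List[int], int, int], bool]

def postcondition(a: List[int], v: int, i: int) -> bool:
    """Goal of sequential search: i is the first index holding v, or i == len(a)
    and v does not occur anywhere in a."""
    n = len(a)
    return (0 <= i <= n
            and all(a[j] != v for j in range(i))     # v absent from a[0..i)
            and (i == n or a[i] == v))               # i points at v, or ran off

def invariant(a: List[int], v: int, i: int) -> bool:
    """Weakened postcondition: the prefix clause is kept, the clause tying i to v
    is dropped because only the loop exit (i == n or a[i] == v) establishes it.
    invariant(i) and not (i < n and a[i] != v) together imply postcondition(i)."""
    n = len(a)
    return 0 <= i <= n and all(a[j] != v for j in range(i))

def loop_states(a: List[int], v: int) -> Iterator[int]:
    """Yield the loop index at initialization and after each iteration, so a
    candidate invariant can be checked at every point where it must hold."""
    i = 0
    yield i                                   # initialization
    while i < len(a) and a[i] != v:           # loop guard
        i += 1
        yield i                               # preservation

def holds_throughout(pred: Predicate, a: List[int], v: int) -> bool:
    """True iff pred holds at every state the loop passes through."""
    return all(pred(a, v, i) for i in loop_states(a, v))

def sequential_search(a: List[int], v: int) -> int:
    """Run the search and confirm that the exit state satisfies the postcondition."""
    i = 0
    for i in loop_states(a, v):
        pass
    assert postcondition(a, v, i)
    return i

if __name__ == "__main__":
    sample = [4, 7, 9]                        # constructed sample input
    print(sequential_search(sample, 9))       # 2
    print(holds_throughout(invariant, sample, 9))      # True: a real invariant
    print(holds_throughout(postcondition, sample, 9))  # False: fails at i = 0
```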