Almost Correct Invariants: Synthesizing Inductive Invariants by Fuzzing Proofs

Real-life programs contain multiple operations whose semantics are unavailable to verification engines, like third-party library calls, inline assembly and SIMD instructions, special compiler-provided primitives, and queries to uninterpretable machine learning models. Even with the exceptional success story of program verification, synthesis of inductive invariants for such "open" programs has remained a challenge. Currently, this problem is handled by manually "closing" the program-by providing hand-written stubs that attempt to capture the behavior of the unmodelled operations; writing stubs is not only difficult and tedious, but the stubs are often incorrect-raising serious questions on the whole endeavor. In this work, we propose Almost Correct Invariants as an automated strategy for synthesizing inductive invariants for such "open" programs. We adopt an active learning strategy where a data-driven learner proposes candidate invariants. In deviation from prior work that attempt to verify invariants, we attempt to falsify the invariants: we reduce the falsification problem to a set of reachability checks on non-deterministic programs; we ride on the success of modern fuzzers to answer these reachability queries. Our tool, ACHAR, automatically synthesizes inductive invariants that are sufficient to prove the correctness of the target programs. We compare ACHAR with a state-of-the-art invariant synthesis tool that employs theorem proving on formulae built over the program source. Though ACHAR is without strong soundness guarantees, our experiments show that even when we provide almost no access to the program source, ACHAR outperforms the state-of-the-art invariant generator that has complete access to the source. We also evaluate ACHAR on programs that current invariant synthesis engines cannot handle-programs that invoke external library calls, inline assembly, and queries to convolution neural networks; ACHAR successfully infers the necessary inductive invariants within a reasonable time.