Specification Synthesis with
Constrained Horn Clauses
Sumanth Prabhu
sumanth.prabhu@tcs.com
TCS Research
Indian Institute of Science
India
Grigory Fedyukovich
grigory@cs.fsu.edu
Florida State University
USA
Kumar Madhukar
kumar.madhukar@tcs.com
TCS Research
India
Deepak D’Souza
deepakd@iisc.ac.in
Indian Institute of Science
India
Abstract
The problem of synthesizing specifications of undefined procedures has a broad range of applications, but the usefulness of the generated specifications depends on their quality. In this paper, we propose a technique for finding maximal and non-vacuous specifications. Maximality allows for more choices for implementations of undefined procedures, and non-vacuity ensures that safety assertions are reachable. To handle programs with complex control flow, our technique discovers not only specifications but also inductive invariants. Our iterative algorithm lazily generalizes non-vacuous specifications in a counterexample-guided loop. The key component of our technique is an effective non-vacuous specification synthesis algorithm. We have implemented the approach in a tool called HornSpec, taking as input systems of constrained Horn clauses. We have experimentally demonstrated the tool's effectiveness, efficiency, and the quality of generated specifications on a range of benchmarks.
CCS Concepts: • Theory of computation → Invariants; Program specifications; Logic and verification; Automated reasoning.
Keywords: specification synthesis, automated verification, inductive invariants, SMT solvers.
ACM Reference Format:
Sumanth Prabhu, Grigory Fedyukovich, Kumar Madhukar, and Deepak D’Souza. 2021. Specification Synthesis with Constrained Horn Clauses. In Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation (PLDI ’21), June 20–25, 2021, Virtual, Canada. ACM, New York, NY, USA, 15 pages. https://doi.org/10.1145/3453483.3454104

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
PLDI ’21, June 20–25, 2021, Virtual, Canada
© 2021 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ACM ISBN 978-1-4503-8391-2/21/06. . . $15.00
https://doi.org/10.1145/3453483.3454104
1 Introduction
Specification synthesis is a challenging and important problem because of its multiple applications. A direct application is finding specifications of functions with unknown bodies in the verification of open programs [3, 15, 48]; it can also be applied to inferring safe preconditions for a program [14, 40, 44, 45] and to synthesizing winning strategies in safety games [9]. One practically useful formulation of this task asks for a maximal and non-vacuous interpretation of the unknown procedures under which a safety property (a.k.a. an assertion) holds. Maximal specifications summarize the largest set of behaviors for the unknown procedures, and thus are logically weakest. Non-vacuous specifications guarantee that the safety property does not hold vacuously because the assertion has become unreachable.
Maximal specifications make minimal assumptions about undefined procedures, hence they are very valuable: the fewer the assumptions, the more choices are available for implementations of the undefined procedures. However, maximality should be considered along with the program's structure. In programs with loops, the maximal specifications should still allow inductive invariants to exist that establish the safety property. Non-vacuous specifications are useful because they keep the assertions that capture the program's safety reachable. A notable obstacle for any approach to specification synthesis is that, for some tasks, there can be infinitely many maximal solutions, and some maximal solutions can be vacuous.
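The three properties discussed in the abstract and in this paragraph (safety, non-vacuity, maximality, with the loop's inductive invariant appearing as a reachable set) can be checked by brute force once the domain is finite. The following Python is an added illustration, not code from the paper or from HornSpec: the toy program with two unknown procedures f and g, the domain size DMAX and the bound BOUND are assumptions chosen for the example. It shows a specification that is maximal yet vacuous (f's precondition excludes the only call site) next to one that is maximal and non-vacuous, which is the kind of solution the paper's algorithm is designed to prefer.

```python
"""Finite-domain illustration of safe, non-vacuous and maximal specifications.

Added example; it is not code from the paper or from HornSpec, and the toy
program, domain size and bound below are assumptions chosen for illustration.
Two unknown procedures, f and g, appear in

    x = 0
    do { x = f(x) } while (nondet())   # unbounded loop, f is called at least once
    y = g(x)
    assert y <= BOUND

A specification is a pair (Sf, Sg): Sf is the set of (x, x') pairs that f may
produce, Sg the set of (x, y) pairs that g may produce. Over the finite domain
D = {0, ..., DMAX} every check reduces to a set computation; a CHC solver such
as HornSpec reasons symbolically over infinite domains instead.
"""
from itertools import product

DMAX = 4
D = range(DMAX + 1)
BOUND = 2


def reachable_after_loop(Sf):
    """Values x can hold when g is called: everything reachable from 0 by one
    or more steps of Sf. Together with the initial 0 this set is the strongest
    inductive invariant of the loop for the given Sf."""
    post, frontier = set(), {0}
    while frontier:
        step = {x2 for (x1, x2) in Sf if x1 in frontier}
        frontier = step - post
        post |= step
    return post


def is_safe(Sf, Sg):
    """Every execution that reaches the assertion satisfies it."""
    xs = reachable_after_loop(Sf)
    return all(y <= BOUND for (x, y) in Sg if x in xs)


def is_vacuous(Sf, Sg):
    """True when no execution reaches the assertion at all."""
    xs = reachable_after_loop(Sf)
    return not any(x in xs for (x, _) in Sg)


def is_maximal(Sf, Sg):
    """Allowing more behaviour can only break safety, so a safe pair is
    maximal iff adding any single missing pair to Sf or Sg breaks safety."""
    if not is_safe(Sf, Sg):
        return False
    for p in product(D, D):
        if p not in Sf and is_safe(Sf | {p}, Sg):
            return False
        if p not in Sg and is_safe(Sf, Sg | {p}):
            return False
    return True


def classify(Sf, Sg):
    """(safe, vacuous, maximal) for a candidate specification."""
    return is_safe(Sf, Sg), is_vacuous(Sf, Sg), is_maximal(Sf, Sg)


ALL = frozenset(product(D, D))

# Maximal but vacuous: f's precondition is x != 0, which the first call
# violates, so g is never called and g may do anything. Adding any (0, x')
# to Sf makes some x reachable and lets the unconstrained g violate the bound.
VACUOUS_MAX = (frozenset(p for p in ALL if p[0] != 0), ALL)

# Maximal and non-vacuous: f is unconstrained, g must respect the bound.
NONVACUOUS_MAX = (ALL, frozenset(p for p in ALL if p[1] <= BOUND))

# Safe and non-vacuous but not maximal: f keeps x at 0 and g is the identity;
# adding (0, 1) to Sf keeps the program safe, so a weaker safe spec exists.
WEAK = (frozenset({(0, 0)}), frozenset((x, x) for x in D))

if __name__ == "__main__":
    for name, (Sf, Sg) in [("vacuous-maximal", VACUOUS_MAX),
                           ("non-vacuous-maximal", NONVACUOUS_MAX),
                           ("weak", WEAK)]:
        safe, vac, mx = classify(Sf, Sg)
        print(f"{name:20s} safe={safe} vacuous={vac} maximal={mx}")
```

The maximality check relies on safety being anti-monotone in the specification: if a larger pair of relations is safe, every smaller one is too, so it suffices to try each single missing pair. Note that over an infinite domain the same enumeration is impossible, which is why the paper's algorithm generalizes candidate specifications lazily from counterexamples rather than enumerating them.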
Multiple variants of specification synthesis have been proposed in [1, 3, 5, 8, 13–15, 26, 29, 42, 46–48]. The approaches include automata learning [3], learning patterns from program executions [5], the use of decision procedures [13], abstract interpretation [14], and even user guidance [15]. However, they rarely address the problems of maximality and non-vacuity at the same time (see Sect. 7 for more details).