Questions: Invariant Generation

Verification of straight-line code is fully automated by weakest precondition computation. Loops are the obstacle: the wp calculus needs a loop invariant to cut the loop, and finding invariants is undecidable in general. The invariant must satisfy two constraints simultaneously: (1) it is preserved by one iteration of the loop body (inductiveness), and (2) combined with the loop exit condition, it implies the postcondition (sufficiency). Balancing these — strong enough but not too strong — is the creative challenge that automation aims to solve.

Answer: True

These are the three verification conditions for a loop invariant in Hoare logic. (1) Initiation: the precondition implies I before the loop starts. (2) Consecution (inductiveness): {I AND loop_condition} body {I} — the invariant is maintained by each iteration. (3) Sufficiency: I AND NOT loop_condition implies the postcondition. All three must hold. The invariant 'true' always satisfies (1) and (2) but is typically too weak for (3). The art is finding an I that is strong enough for (3) while still satisfying (2).

This is the most principled approach to invariant generation. The abstract domain determines what kinds of invariants can be expressed. If the true invariant is 'x + y <= n', interval analysis cannot discover it (it only tracks individual variables), but octagon analysis can. If the invariant involves nonlinear relationships, all these domains fail, and you need polynomial invariants or template-based approaches. Choosing the right domain for the target property is the key engineering decision.