Optimization of Lyapunov Invariants in Verification of Software Systems

The paper proposes a control-theoretic framework for verification of numerical software systems, and puts forward software verification as an important application of control and systems theory. The idea is to transfer Lyapunov functions and the associated computational techniques from control systems analysis and convex optimization to verification of various software safety and performance specifications. These include but are not limited to absence of overflow, absence of division-by-zero, termination in finite time, presence of dead-code, and certain user-specified assertions. Central to this framework are Lyapunov invariants. These are properly constructed functions of the program variables, and satisfy certain properties-resembling those of Lyapunov functions-along the execution trace. The search for the invariants can be formulated as a convex optimization problem. If the associated optimization problem is feasible, the result is a certificate for the specification.

💡 Research Summary

The paper introduces a novel verification framework that imports the concept of Lyapunov functions from control theory into the analysis of numerical software. By interpreting a program as a discrete‑time dynamical system S(X,f,X₀,X∞) with a finite state space X, an initial set X₀, a terminal set X∞, and a set‑valued transition map f, the authors are able to define “Lyapunov invariants” – real‑valued functions V(x) that satisfy a decrease condition along every feasible program transition (e.g., V(x′) − V(x) ≤ −α or V(x′) ≤ V(x)). Such invariants certify a wide range of safety and performance properties, including overflow avoidance, division‑by‑zero prevention, finite‑time termination, dead‑code detection, and user‑specified assertions.

Two concrete modeling languages are presented. The first, Mixed‑Integer Linear Model (MILM), exploits the universality of mixed‑integer linear constraints to represent any piecewise‑affine program fragment exactly. Proposition 1 proves that any piecewise‑affine map on a compact polytope can be encoded by linear equalities involving binary and continuous variables. The second, Graph Model, captures the natural control‑flow structure of code as a directed graph whose nodes correspond to program locations and whose edges carry polynomial transition labels Tₖⱼᵢ and guard (passport) sets Πₖⱼᵢ. Both models are special cases of the generic dynamical system representation and can be interchanged, allowing flexibility in how a program is abstracted for analysis.

The core of the verification method is the synthesis of Lyapunov invariants via convex optimization. The candidate invariant V is restricted to a tractable functional class (linear, quadratic, or higher‑degree polynomial). The decrease condition is then reformulated as a sum‑of‑squares (SOS) constraint or a linear matrix inequality (LMI), yielding a semidefinite program (SDP) or, in the linear case, a linear program (LP). Modern solvers (e.g., CVX, MOSEK, SeDuMi) can solve these problems efficiently. Feasibility of the optimization problem provides a constructive certificate: the computed V proves the desired property for all admissible initial states and all nondeterministic choices encoded in f.

The paper demonstrates the approach on several examples. An integer division routine is modeled both as a MILM and as a graph; a simple Lyapunov invariant V = q (the quotient) is shown to increase monotonically, implying that an infinite loop would inevitably cause overflow, thus proving termination for positive inputs. Additional case studies include a basic control loop and a fragment of an aircraft autopilot program, where quadratic invariants are synthesized to bound state variables and guarantee that no division‑by‑zero occurs.

Key contributions are: (1) a unified, control‑theoretic perspective on software verification; (2) the introduction of MILM and Graph Model as expressive, computationally amenable program representations; (3) a systematic reduction of invariant synthesis to convex optimization, enabling automated certificate generation; and (4) illustrative examples that validate the practicality of the method. The authors acknowledge limitations such as the need to pre‑select the functional form of V, potential scalability issues for programs with many variables, and the handling of floating‑point rounding errors, which may require additional conservative abstractions. Future work is outlined to address automatic degree selection, scalability through decomposition, tighter modeling of numerical uncertainties, and extension to real‑time constraints.

In summary, the paper establishes Lyapunov invariants as a powerful, mathematically rigorous tool for software verification, bridging control theory and formal methods, and opening a pathway toward scalable, optimization‑based certification of safety‑critical code.