VeriMAP: Automated CHC-Based Verification

• VeriMAP is a system and methodological framework that transforms programs into Constrained Horn Clauses for automated relational and safety verification.
• It integrates sophisticated techniques such as predicate pairing with abstraction, unfold/fold transformations, widening, and interpolation to infer invariants efficiently.
• Empirical evaluations across benchmarks and multi-agent LLM planning scenarios demonstrate VeriMAP’s effectiveness in achieving reliable coordination and robust safety analysis.

VeriMAP is a system and methodological framework for automated verification spanning three distinct research lines: (1) transformation-based verification of programs via Constrained Horn Clauses (CHCs) and abstract interpretation, (2) integration of specialization and interpolation for inductive invariant inference, and (3) verification-aware planning in multi-agent LLM systems. VeriMAP’s evolution marks foundational contributions in relational program verification, safety analysis, and robust coordination in collaborative AI agents.

1. Architectural Foundations and System Modules

VeriMAP’s original architecture is organized in four principal modules serving the end-to-end transformation-and-verification pipeline (Angelis et al., 2017, Angelis et al., 2014):

• Front-end / Parser: Translates one or more source programs and relational/safety properties into CHCs, adopting CLP syntax to encode both operational semantics and verification conditions.
• CHC-Transformation Engine: Implements unfold/fold transformation rules, the ASp (specialization) strategy, and the APP (Predicate Pairing with Abstraction) strategy. Parameterized by abstract domain $D$ and a partition operator; ensures modular extensibility.
• Abstract-Domain Manager: Interfaces with numerical abstract domains via the Parma Polyhedra Library (PPL). Supports domains such as Universe (no constraints), Boxes (intervals), Bounded Differences, Octagons, and Convex Polyhedra, supplying all standard abstract-interpretation operations ($\alpha$, $\sqcup$, $\nabla$, inclusion, projection).
• Solver Interface: Serializes transformed CHCs to SMTLIB2, invokes back-end CHC solvers (e.g., Z3’s Duality engine) and interprets results (sat, unsat, unknown).

This modular stratification enables incremental improvements and integration with downstream reasoning engines, CLP/Prolog interpreters, and abstract-domain packages.

2. Predicate Pairing with Abstraction for Relational Verification

VeriMAP’s predicate pairing with abstraction (APP) extends the classical unfold/fold transformation paradigm by explicitly synthesizing relational invariants. Formally, given a set $P$ of CHCs and a single query clause $C$:

• Unfolding: Each clause $C \equiv H \leftarrow c, A_1, \dots, A_k$ in the set of clauses to process ($\mathsf{InCls}$) is expanded over $A_i$.
• Clause Deletion: Any unfolded clause with unsatisfiable constraints (under chosen numerical domain) is removed.
• Definition and Folding:
  • Clause body $G$ is partitioned into $G_1, \dots, G_n$.
  • For each $G_i$, constraints are abstracted ($d_i = \alpha(d) \downarrow V_i$) and projected accordingly.
  • New predicate definitions are introduced if not already subsumed; widening ($\nabla$) manages possible divergence.
  • Folding replaces bodies by calls to new predicates encapsulating combined, abstracted constraints.
• Termination: Guaranteed if partitioning ($k$) bounds clause body size.
• Soundness: Theorematically, the APP transformation is satisfiability-preserving: $P \cup \{C\}$ is satisfiable iff the set of produced transformed clauses ($\mathsf{Transf}$) is satisfiable.

APP’s parameterization by numerical abstract domain underpins its expressivity and scalability. The use of PPL for convex polyhedra and subdomains (boxes, bounded-difference, octagons) provides a spectrum of cost/precision tradeoffs in upstream invariant synthesis (Angelis et al., 2017).

3. Specialization, Widening, and Interpolation

VeriMAP’s iterated specialization engine leverages unfold/fold rules to propagate and generalize constraints along program paths, systematically discovering invariants through widening. The methodology is as follows (Angelis et al., 2014):

• Unfold/Fold Transformations: Recursively resolve atoms in clause bodies, introducing generalized definitions ($g = \mathit{Gen}(e, \mathit{Defs})$) to summarize infinite derivations while preserving logical equivalence.
• Widening Operators: Invariant generalization via polyhedral widening ($P_{n+1} = P_n \nabla Q_n$) ensures convergence over abstract state sequences.
• Interpolating Horn-Clause Solving: The FTCLP solver is integrated modularly. It computes Craig interpolants over CHCs to further refine invariants beyond those discovered by widening. Each failed derivation yields path interpolants ($I_0, ..., I_n$) satisfying $I_{i-1} \wedge F_i \models I_i$.

The process iterates specialization and interpolation, including forward and backward constraint propagation (through CLP Reversal). Empirical analysis shows significant mutual synergy: more programs verified, fewer refinement iterations, compared to each component in isolation (Angelis et al., 2014).

4. Experimental Evaluation

VeriMAP’s transformation-based methodology is empirically validated on large relational and safety verification benchmarks:

APP Variant	Problems Solved (136 total)	Clause Blow-up	Mean Time per Proof
Z3 alone	28	1×	~2.4 s
APP(Box)	~73	~3×	—
APP(BDS), APP(OS)	~119–121	~5–6×	~4 s
APP(CP-H), CP-B	~113–114	~10×	higher cost

Key results: Predicate Pairing with Abstraction in domains BDS and OS solves $\approx$120/136 benchmarks with moderate increase in CHC set size and manageable runtime costs; convex polyhedra slightly underperform due to higher computational overhead.

Widening/interpolation integration (on 216 C programs) achieves up to $182/216$ verified with polyvariant specialization, a significant improvement over specialization or interpolation used in isolation (Angelis et al., 2017, Angelis et al., 2014).

5. Worked Example: Relational Loop Equivalence

Consider two loop programs (P1: standard loop; P2: pipelined variant), with the verification goal to confirm $x$-equivalence. Direct CHC encoding, even with Z3 as solver, is insufficient for confirmation. The APP(CP) transformation introduces paired predicates (e.g., $pp1, pp2$) explicitly encoding the relational invariants as linear convex polyhedral constraints. Folded CHCs now have bodies devoid of constrained facts, enabling Z3 to quickly decide satisfiability and thus equivalence (Angelis et al., 2017).

This demonstrates the essential role of predicate pairing plus abstraction in making complex relational properties tractable for CHC solvers.

6. VeriMAP in Verification-Aware Multi-Agent Planning

The term VeriMAP has also been adopted for a framework in multi-agent LLM-based collaboration, targeting robustness and interpretability via planner-driven subtask verification (Xu et al., 20 Oct 2025):

• Problem Model: Specified as $(A, T, S, D)$, where $A$ is a set of agents, $T$ a unitary goal, $S$ decomposed subtasks, and $D$ a dependency DAG. Subtask $s$ has a planner-assigned Verification Function ($VF_s$) in Python or natural language, and failure-propagation risk $P_{\text{fail}(s_i \to s_j)}$ models error propagation.
• Planner Workflow: LLM-based planner constructs $(S, D)$ and emits, for each subtask, instructions, structured I/O, and VFs. Core execution loop coordinates agent assignment, verification, and re-planning upon failure, integrating deterministic and open-ended verification.
• Experimental Results: Across five QA/coding/math benchmarks, VERIMAP achieves superior first-pass solution accuracy, e.g., 78.20% (MultiHopRAG), 93.92% (HumanEval), 40.54% (BigCodeBench-Hard), outperforming both single-agent and multi-agent (MAP/V) baselines. Lower VF false-positive rates compared to generic LLM-based verifiers indicate greater reliability, though with slightly higher false negatives in programming tasks.

This suggests a robust, planner-centric approach where the articulation of subtask-specific VFs tightly couples verification with planning, yielding advances in system-level reliability for complex multi-agent workflows.

7. Limitations, Open Challenges, and Future Directions

Current limitations of VeriMAP-style systems vary by context:

• Classic Program Verification: APP’s benefit hinges on the tractability of the underlying abstract domain; convex polyhedra yield the strongest invariants but at greatest computational expense. There is no guarantee of termination for unfold/fold and interpolation iterations. Black-box integration with interpolating solvers (such as FTCLP) risks loss of partial progress if timeouts occur. A plausible implication is that tighter feedback between partial interpolants and specialization phases could yield further synergies (Angelis et al., 2014).
• Multi-Agent Planning Context: Framework relies on the planner LLM’s effectiveness and accuracy of automatically generated VFs, which may be brittle for nuanced subtasks. Failure handling currently resorts to naive re-planning; structured diagnosis for targeted repair is an open research area. Centralized planning remains a scalability bottleneck; decentralized or hierarchical settings are promising alternatives. Resource constraints limit accessibility, motivating adaptive verification schemes and more efficient agent orchestration (Xu et al., 20 Oct 2025).

Across both domains, future research is oriented towards: (1) tighter coupling of invariant discovery and interpolant usage, (2) more expressive abstract domains and specification languages, (3) the use of human-in-the-loop techniques for nuanced verification function synthesis, and (4) scalable, decentralized planning architectures for collaborative multi-agent systems.