Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Model checking of liveness properties is a fundamental verification problem. In finite-state model checking, the most prominent approaches are liveness-to-safety (L2S) [6] and \(k\)-liveness [18], that reduce the problem to one or more safety checks. Their success is motivated by the possibility to leverage the progress of SAT-based invariant checking techniques, such as interpolation-based model checking [34] and IC3 [10].

The verification of liveness properties for infinite-state systems has been primarily tackled in the setting of analysis of imperative program [21, 23, 24, 30, 39, 40], or other specific classes [2, 8, 15, 25, 32]. However, in many practical cases the model is described as a symbolic transition system (e.g. [12, 35]), or it is compiled into a symbolic transition system from a higher level language (e.g. networks of timed and hybrid automata [16, 43], architecture description language [4, 7, 9]).

In this paper we present a new approach for LTL model checking of infinite-state transition systems, which we call \({\textsc {L2Sia-wfr}}\). The approach relies on two ingredients. First, we extend liveness-to-safety by means of implicit abstraction [44]. Implicit abstraction is a form of predicate abstraction that does not require the explicit construction of the abstract transition system, and is able to deal with a large number of predicates. In this setting, implicit abstraction is key to checking the existence of abstract fair loops efficiently, given a set of predicates. Second, we integrate termination techniques based on well-founded relations [23]. Specifically, the technique tries to prove that any existing abstract fair loop is covered by a given set of well-founded relations. At the top level, the algorithm iterates trying to remove spurious abstract fair loops while maintaining a set of predicates and a set of well-founded relations. New predicates are added if they expose the spuriousness of the abstract path at hand by showing that its abstract prefixes can not be concretized. The set of well-founded relations is extended as a result of the analysis of the abstract lasso, guided by the construction of a ranking function. Within this framework, we also integrate \(k\)-liveness, that infers the validity of the property by proving that no path can fulfill the fairness condition more than a given number of times. As such, \(k\)-liveness is seen as a generic well-founded relation.

We implemented \({\textsc {L2Sia-wfr}}\) on top of IC3ia, a model checking engine for safety properties that extends IC3 to the infinite-state case with the use of implicit abstraction at its core [14]. We exploit the fact that the \({\textsc {L2Sia-wfr}}\) algorithm is highly incremental with respect to the refinement iterations to tighten the integration with IC3ia.

We carried out an experimental evaluation using liveness property benchmarks for transition systems and for imperative programs. To compare various temporal checkers, we translate transition systems to programs, and programs to transition systems. The results highlight a positive interaction between implicit abstraction and well-founded relations. Overall, \({\textsc {L2Sia-wfr}}\) outperforms the competitor temporal checkers, not only on the benchmarks for transition systems, but also on the ones for imperative programs.

The paper is structured as follows. In Sect. 2 we discuss the related work. In Sect. 3 we present some background. In Sect. 4 we discuss the \({\textsc {L2Sia-wfr}}\) approach, and in Sect. 5 we discuss the experimental results. In Sect. 6 we draw some conclusions, and outline directions for future work.

2 Related Work

The most prominent approaches to symbolic LTL model checking are based on SAT techniques and typically lift naturally to the infinite-state case using SMT solvers. \(k\)-liveness [18] remains a sound technique in the infinite-state case, although not complete since even if there is no fair path, the fairness can be visited an unbounded number of times. In this paper, we embed \(k\)-liveness as a special case of well-founded relation based on counting the occurrences of fairness along a path.

Liveness-to-safety was extended to infinite-state systems in [42] for a number of classes of infinite-state systems, namely, (\(\omega \)-)regular model checking, push-down systems, and timed automata. However, the approach is in general not sound for infinite-state transition systems, where a liveness property can be violated even if there is no lasso-shaped counterexample. In fact, in this paper, we are applying liveness-to-safety on the abstract state space, which is finite.

Predicate abstraction [28] is a general technique for model checking infinite-state systems. Once the abstract transition relation is computed, any algorithm for finite-state systems can be applied. However, on one side, the computation of the abstract state space typically blows up with few dozens of predicates, and on the other side, a finite number of predicates is not sufficient to prove the property (for example, when there are loops with counters that are not initialized). In this paper, we consider implicit abstraction to tackle the first problem and well-founded relations for the second.

The counterexample-based refinement we propose is very similar to the one presented in [3]: in both approaches, if an abstract counterexample contains a spurious prefix, new predicates are added to the abstraction, while new ranking functions are discovered in case the lasso is spurious. Our approach is completely different regarding the method used to prove the property: in [3] a ranking abstraction is used to add a monitor of a ranking function and a strong fairness on its decreasing/increasing and then conventional (i.e. “explicit”) predicate abstraction is used to prove the modified liveness property; our approach is instead based on reachability analysis and a novel combination of liveness-to-safety, implicit abstraction, and well-founded relations, all tightly integrated within an efficient IC3-based algorithm.

Our algorithm presents some similarities also with the work of [24], where the abstraction is based on the control-flow graph and is refined by removing paths obtained from spurious counterexamples by generalizing infeasible prefixes or termination arguments on loops. Both techniques start from the observation that it is typically easier to refute spurious counterexamples that are due to an infeasible (and bounded) execution prefix than to syntesize a termination argument showing the infeasibility of an infinite path. However, the two approaches differ in the way this observation is turned into an actual procedure. In particular, the approach of [24] is specialised for imperative programs with an explicit control-flow graph, and is based on the construction and manipulation of Büchi automata. Our approach, instead, works on fully-symbolic transition systems, and is based on implicit predicate abstraction.

Another kind of abstraction, targeting liveness properties, is transition predicate abstraction [40]. It extends the classical predicate abstraction by annotating abstract states with abstract transitions. It builds on transition invariants [39] to reduce liveness to fair termination. The technique proves that abstract transitions are well-founded to determine termination. To prove the liveness property, the technique determines whether all fair states are terminating. Our approach differs because it uses predicate abstraction (and well-known refinement techniques) and symbolic liveness model checking techniques such as liveness-to-safety and \(k\)-liveness.

Other techniques such as [11, 23, 39] focus on the specific problem of termination, which is reduced to a binary reachability using disjunctively well-founded invariants. They have also been extended to address temporal properties as in [21, 22].

There are several other approaches to the verification of special classes of infinite-state systems such as (\(\omega \)-)regular model checking [8], push-down systems [25], timed and hybrid automata [15]. The current paper focuses on the verification of generic symbolic transition systems. Specialization of the proposed methods for the above classes is left to future work.

3 Background

Transition Systems. Our setting is standard first order logic. We use the standard notions of theory, satisfiability, validity, logical consequence. We denote formulas with \(\phi ,\varphi , \psi , I, T\), variables with x, y, and sets of variables with \(X\), Y, \(\overline{X}\), \(\widehat{X}\). A literal is an atomic formula or its negation. Given a formula \(\varphi \) and the set of its atoms A, an implicant is a conjunction of literals over A that implies \(\varphi \). In this paper, we shall deal with linear arithmetic formulas, that is, Boolean combinations of propositional variables and linear inequalities. A transition system S is a tuple \(\langle {X,I,T}\rangle \) where X is a set of (state) variables, I(X) is a formula representing the initial states, and \(T(X,X')\) is a formula representing the transitions. Given a formula \(\phi \) over variables X, we denote with \(\phi '\) [\(\phi ^{\langle {n}\rangle }\), respectively] the formula obtained by replacing each \(x\in X\) with \(x'\) [x with n primes] in \(\phi \). A state of S is an assignment to the variables X. A [finite] path of S is an infinite sequence \(s_0,s_1,\ldots \) [resp., finite sequence \(s_0,s_1,\ldots ,s_k\)] of states such that \(s_0\models I\) and, for all \(i\ge 0\) [resp., \(0\le i<k\)], \(s_i,s'_{i+1}\models T\). Given two transitions systems \(S_1=\langle {X_1,I_1,T_1}\rangle \) and \(S_2=\langle {X_2,I_2,T_2}\rangle \), we denote with \(S_1\times S_2\) the synchronous product \(\langle {X_1\cup X_2,I_1\wedge I_2,T_1\wedge T_2}\rangle \). A predicate is a formula over state variables. Given a set P of predicates and a path of a transition system, we call the abstraction of \(\pi \) wrt. P, denoted \(\big [\widehat{\pi }\big ]_{P}\), the sequence of sets of states \(\big [\widehat{s_0}\big ]_{P},\big [\widehat{s_1}\big ]_{P},\ldots \) obtained by evaluating the predicates in P in the states of \(\pi \). Given a predicate \(\phi \), the invariant model checking problem, denoted with \(S\models _{inv} \phi \), is the problem to check if, for all finite paths \(s_0,s_1,\ldots ,s_k\) of S, for all i, \(0\le i\le k\), \(s_i\models \phi \).

Linear-Time Temporal Logic Verification Using Symbolic Automata-Based Techniques. We use the standard notions of Linear-time Temporal Logic (LTL) formulas and their semantics wrt. infinite paths of a symbolic transition system, as can be found e.g. in [37]. We denote temporal operators in boldface (e.g. \(\mathbf{F}\) for \(\mathbf{F}\)inally, \(\mathbf{G}\) for \(\mathbf{G}\)lobally, \(\mathbf{X}\) for ne\(\mathbf{X}\)t, U for Until). Given a transition system and an LTL formula \(\phi \) over X, we focus on the model checking problem of finding if, for all infinite paths \(\pi \) of S, \(\phi \) is true in \(\pi \). We denote this with \(S \models \phi \). The automata-based approach [45] to LTL model checking consists of building a transition system \(S_{\lnot \phi }\) with a fairness condition \(f_{\lnot \phi }\), such that \(S\models \phi \) iff \(S\times S_{\lnot \phi }\models \mathbf{F}\mathbf{G}\lnot f_{\lnot \phi }\). Showing that \(S\not \models \phi \) amounts to find a counterexample in the form of a fair path, i.e., a path that visits the \(f_{\lnot \phi }\) infinitely many times. In finite-state systems, if \(\phi \) does not hold, there is always a counterexample in lasso-shaped form, i.e., formed by a prefix (or stem) and a loop. In the following, without loss of generality, we assume that the automata-based transformation has been applied to the LTL model checking problem, and consider a problem in the form \(S\models \mathbf{F}\mathbf{G}\lnot {f_{\lnot \phi }}\), where \(\phi \) is a formula whose atoms are either propositional variables or linear arithmetic (in)equalities. When clear from the context, we also drop the subscript \(\cdot _{\lnot \phi }\), and simply use \(\mathbf{F}\mathbf{G}\lnot f\).

Liveness to Safety (L2S). The liveness to safety reduction (L2S) [6] is a technique for reducing an LTL model checking problem on a finite-state transition system to an invariant model checking problem. The idea is to encode as an invariant property the absence of a lasso-shaped path violating the property \(\mathbf{F}\mathbf{G}\lnot f\). This is achieved by transforming the original transition system S to the transition system \(S_{\textsc {L2S}}\), introducing a set \(\overline{X}\) of variables containing a copy \(\overline{x}\) for each state variable x of the original system, plus additional variables seen, triggered and loop. Let . L2S transforms the transition system in so that \(S\models \mathbf{F}\mathbf{G}\lnot f\) if and only if \(S_{\textsc {L2S}} \models \lnot {bad_\textsc {L2S}}\), where:

figure a

The variables \(\overline{X}\) are used to non-deterministically guess a state of the system from which a reachable fair loop starts. The additional variables are used to remember that the guessed state was seen once and that the signal f was true at least once afterwards.

Termination via Disjunctive Well-Founded Transition Invariants. If S is a transition system with reachable states R and transition relation T, a relation \(\rho \) over the states of S is said to be a transition invariant if it contains the transitive closure of T restricted to the states in R (i.e. \(T^+ \cap (R \times R) \subseteq \rho \)) [39]. A binary relation \(\rho \subseteq Q \times Q\) is well-founded if every non-empty subset \(U \subseteq Q\) has a minimal element wrt. \(\rho \), i.e. there is \(m \in U\) such that no \(u \in U\) satisfies \(\rho (u, m)\). A relation is said to be disjunctively well-founded if it is a finite union of well-founded relations. Termination of a program can be reduced to finding a (disjunctively) well-founded transition invariant for it. The technique of [23] reduces the problem of finding a disjunctively well-founded transition invariant to the verification of invariant properties. It works on imperative programs with an explicit representation of the control-flow graph (although in principle it can be applied also in a fully-symbolic setting). A given set of well-founded relations \(W \) is conjectured to be a transition invariant for the program. This condition is encoded as an invariant property, and checked with an off-the-shelf invariant-checking engine. In case of failure, the encoding is refined in a counterexample-guided manner by adding new well-founded relations to \(W \), obtained by synthesizing ranking functions for potentially non-terminating lasso-shaped paths in the control-flow graph.

IC3 with Implicit Abstraction. IC3 [10] is a SAT-based algorithm for the verification of invariant properties of transition systems. It incrementally builds an inductive invariant for the property by discovering relatively-inductive formulas obtained by generalization while disproving candidate counterexamples. A a novel approach to lift IC3 to the SMT case has been recently presented in [14]. The technique is able to deal with infinite-state systems by means of a tight integration with predicate abstraction [28]. The approach leverages Implicit Abstraction [44] to express abstract transitions without computing explicitly the abstract system, and is fully incremental with respect to the addition of new predicates. The main idea of IC3 with Implicit Abstraction (IC3ia) is that of replacing the relative induction check of IC3, which is the central operation of the algorithm, with an abstract version, defined using implicit abstraction. Given a transition system \(S=\langle {X,I,T}\rangle \), a formula \(\varphi (X)\) representing a set of states, and an overapproximation F(X) of states of S reachable in up to k steps, a relative induction query determines whether \(\varphi \) is inductive relative to F, by checking if the formula \(\varphi (X) \wedge F(X) \wedge T(X,X') \wedge \lnot \varphi (X')\) is unsatisfiable. Given a set of state predicates \(P = \{ p_i(X) \}_i\), and assuming that both F and \(\varphi \) are Boolean combinations of predicates from P, the corresponding abstract query is the check for unsatisfiability of the following SMT formula:

figure b

where \(Y, Y'\) are sets of fresh variables. Using the above, IC3 can be generalized from SAT to SMT with very little effort, at the cost of introducing spurious error paths. When this happens, the abstraction can be refined in a counterexample-guided manner, using standard techniques for extracting new predicates (e.g. interpolation). The loop continues until either a real counterexample is found (and so the property does not hold), no more counterexamples are found (and so the abstraction is precise enough to conclude that the property holds), or resources (e.g. time or memory) are exhausted. We refer the reader to [14] for more details about IC3ia.

4 Liveness-to-Safety for Infinite-State Systems

Top-Level Algorithm. We reduce the problem of checking an LTL property \(\mathbf{F}\mathbf{G}\lnot f\) on a transition system S to a sequence of invariant checking problems \(S_0 \models _{inv} \phi _0\), \(S_1 \models _{inv} \phi _1\), \(\ldots \). For each j, \(S_j\) and \(\phi _j\) are the result of an encoding operation dependent on given sets of state predicates P and well-founded relations \(W \): \(S_j, \phi _j := {\textsc {encode}}(S, f, P, W)\). encode ensures that if \(S_j \models _{inv} \phi _j\), then \(S \models \mathbf{F}\mathbf{G}\lnot f\), in which case the iteration terminates. If \(S_j \not \models _{inv} \phi _j\), we analyze a (finite) counterexample trace \(\pi \) in \(S_j\) to determine whether it corresponds to an (infinite) counterexample for \(\mathbf{F}\mathbf{G}\lnot f\) in S. If so, then we conclude that the property doesn’t hold. Otherwise, if we can conclude that \(\pi \) doesn’t correspond to any real counterexample in S, we try to extract new predicates \(P'\) and/or well-founded relations \(W '\) to produce a refined encoding: \(S_{j+1}, \phi _{j+1} := {\textsc {encode}}(S, f, P \cup P', W \cup W ')\), where \(P', W ' := {\textsc {refine}}(S_j, \pi , P, W)\). If we can neither confirm nor refute the existence of real counterexamples, we abort the execution, returning “unknown”. We might also diverge and/or exhaust resources in various intermediate steps (e.g. in checking \(S_j \models \phi _j\) or during refinement). In the following, we describe in detail our encoding and refinement procedures. We begin in Sect. 4.1 with a simplified version that only uses predicates from P, i.e. \(W=\emptyset \). We then describe how to extend the encoding to exploit also well-founded relations in Sect. 4.2.

4.1 Liveness-to-Safety with Implicit Abstraction

Our first contribution is an extension of the L2S reduction described above to the infinite-state case. We first note that the original L2S transformation is not sound for infinite-state systems. This is because L2S produces a transition system that reaches the error condition if and only if there exists a lasso-shaped path. While for finite-state systems it is enough to consider lasso-shaped counterexamples, this is not true in the infinite-state case. Consider the transition system \(S=\langle {\{x\}, x=0, x'=x+1}\rangle \), with x integer, and the property . Clearly, \(\phi \) does not hold in S. Suppose to apply the L2S transformation to S as described in the previous Section, obtaining the transition system \(S_{\textsc {L2S}}\). Since in S there are no lasso-shaped paths, in \(S_{\textsc {L2S}}\) there are no paths such that the value of \(\overline{x}\) (the copy of the variable x introduced in \(S_{\textsc {L2S}}\)) is equal to x. Thus, \(S_{\textsc {L2S}}\) is safe even if \(S\not \models \phi \).

We overcome this problem by incorporating implicit abstraction in the L2S encoding. Intuitively, the idea is to search for a sufficiently precise predicate abstraction of the original system, if there is one, that does not admit a path visiting the fairness condition an infinite number of times. This exploits the fact that predicate abstraction preserves the validity of universal properties [19] (therefore, if a property \(\mathbf{F}\mathbf{G}\lnot f\) holds in the abstract system, then it holds also in the concrete one).

In fact, we do not need to compute the full predicate abstraction of the system S. Instead, we characterize abstract paths directly in the property, by reducing the LTL model checking problem on \(\mathbf{F}\mathbf{G}\lnot f\) to proving the absence of paths with an abstract fair loop. Given a set of predicates \(P = \{p_i(X)\}_i\), the encoding consists of storing only the truth assignments to the predicates non-deterministically, and detecting a loop if the system visits again the same abstract state, with the fairness signal f satisfied at least once in the loop. More specifically, from a system \(S = \langle {X,I,T}\rangle \), a property \(\mathbf{F}\mathbf{G}\lnot f\), and a set of predicates P, our abstract L2S transformation (\(\alpha \) L2S) produces a system \(S_{\alpha \textsc {L2S}} = \langle {X \cup X_{\alpha \textsc {L2S}}, I_{\alpha \textsc {L2S}}, T_{\alpha \textsc {L2S}}}\rangle \) and an invariant property \(\lnot bad_{\alpha \textsc {L2S}} \) as follows:

figure c

where \(X_{\alpha \textsc {L2S}} \) is a set of fresh Boolean variables.

Theorem 1

( \(\alpha \) L2S soundness). Let \(S=\langle {X,I,T}\rangle \) be a transition system, P a set of predicates over X, and \(\psi \) an LTL property \(\mathbf{F}\mathbf{G}\lnot f\). Let the system \(S_{\alpha \textsc {L2S}} \) and invariant property \(\lnot bad_{\alpha \textsc {L2S}} \) be the results of applying \(\alpha \) L2S to S and \(\psi \). Then \(S_{\alpha \textsc {L2S}} \models _{inv} \lnot bad_{\alpha \textsc {L2S}} \) only if \(S \models \psi \).

Proof

First, we observe that all initial states I are represented in \(I_{\alpha \textsc {L2S}} \), and that if we take any state s of S and any successor \(s'\) of s under T then there exist corresponding states \(s_{\alpha \textsc {L2S}} \) and \(s'_{\alpha \textsc {L2S}} \) related by \(T_{\alpha \textsc {L2S}} \). This can be seen by noticing that the extra constraints added to T to obtain \(T_{\alpha \textsc {L2S}} \) do not restrict the values of the original variables of the system. Therefore, we can lift the correspondence relation to paths, and conclude that every path \(\pi \) of S corresponds to at least one path of \(S_{\alpha \textsc {L2S}} \).

Suppose now by contradiction that \(S_{\alpha \textsc {L2S}} \models _{inv} \lnot bad_{\alpha \textsc {L2S}} \), but \(S \not \models \mathbf{F}\mathbf{G}\lnot f\). Then, there exists an infinite path of S in which f holds infinitely-often. Let be a path in \(S_{\alpha \textsc {L2S}} \) corresponding to \(\pi \), and let be its abstraction wrt. P. Since P is finite, so is the number of different states in \(\big [\widehat{\pi }\big ]_{P}\). Let i be a position in \(\big [\widehat{\pi }\big ]_{P}\) such that all different abstract states occur at least once in \(\big [\widehat{s_0}\big ]_{P}, \ldots , \big [\widehat{s_i}\big ]_{P}\). Let \(j > i\) be a position in \(\pi \) such that \(s_j \models f\). Since \(\pi \) is infinite and f holds infinitely-often, j must exist. Then, \(\big [\widehat{s_j}\big ]_{P}\) must be equal to one of the states in \(\big [\widehat{s_0}\big ]_{P}, \ldots , \big [\widehat{s_i}\big ]_{P}\), and therefore \(\widehat{s_0}, \ldots , \widehat{s_j}\) is a counterexample for \(\lnot bad_{\alpha \textsc {L2S}} \) in \(S_{\alpha \textsc {L2S}} \), which contradicts our initial assumption.    \(\square \)

Counterexamples and Refinement. If \(\lnot bad_{\alpha \textsc {L2S}} \) holds in \(S_{\alpha \textsc {L2S}} \), then \(S \models \mathbf{F}\mathbf{G}\lnot f\). The converse, however, is not true. A counterexample path leading to \(bad_{\alpha \textsc {L2S}} \) in \(S_{\alpha \textsc {L2S}} \) might correspond to a real counterexample in S, but it might also be due to an insufficient precision of the abstraction induced by the predicates P. We deal with this case using the following counterexample-guided refinement step. A violation of the property \(bad_{\alpha \textsc {L2S}} \) in \(S_{\alpha \textsc {L2S}} \) implies that the counterexample path forms a lasso in the abstract state space induced by the predicates P. We first search for a concrete lasso witnessing a real violation of the LTL property, using standard bounded model checking. If this fails, we try to prove that the abstract lasso is infeasible. We check an increasing number of finite unrollings of the lasso, and, upon infeasibility, we extract new predicates from sequence interpolants, similarly to popular refinement strategies used for invariant properties (e.g. [31]). More specifically, let be a finite path in \(S_{\alpha \textsc {L2S}} \) such that \(s_{l+k} \models bad_{\alpha \textsc {L2S}} \), \(s_{l-1} \models \lnot seen\) and \(s_{l} \models seen\). Let \(\big [\widehat{\pi }\big ]_{P}\) be the abstraction of \(\pi \) wrt. P. We search for the smallest integer \(i \ge 0\) such that the formula

(1)

is unsatisfiable. If i exists, we then use an interpolating SMT solver to produce a sequence interpolant \(\iota _1, \ldots , \iota _{n-1}\) for \(\phi _0, \ldots , \phi _n\), and extract the set \(P^\iota \) of all the atomic predicates in \(\iota _1, \ldots , \iota _{n-1}\), to be added to the set of predicates used at the next iteration.

4.2 Extending Liveness-to-Safety with Well-Founded Relations

The abstract L2S transformation described above is inherently limited in the kind of properties it can prove. This is not only due to the potential divergence of the refinement loop, which is a possibility shared by all approaches based on predicate abstraction applied to undecidable problems, but also to the fact that a single refinement operation may not terminate. If the abstract counterexample that is being simulated can be concretized only with paths that are not in a lasso-shaped form, then (1) will always be satisfiable. However, refinement might not terminate even if the abstract path cannot be concretized. This happens in all cases in which there is no feasible concrete path that executes the abstract loop an infinite number of times, but all finite unrollings of the loop are instead concretizable. As an example, consider the system with \(x_1,x_2\) integers, the property , and the predicates . The property holds, but \(\alpha \) L2S will not be able to prove it. In fact, \(\alpha \) L2S admits an abstract path with a self loop on the abstract state \(\langle {(x_1 \le x_2), (0 \le x_2), \lnot (x_1 = 0)}\rangle \). In this case, the unrolling of the abstract loop will not terminate: any finite path of S in which the abstract loop is unrolled i times is feasible, e.g. by starting from the initial state \(\langle {x_1=0,x_2=i+1}\rangle \).

We address the problem of abstract counterexamples whose finite prefixes are all feasible by extending our encoding to incorporate well-founded relations. The intuitive idea is to prove that such abstract counterexamples are spurious and to block them by finding suitable termination arguments in the form of (disjunctively) well-founded transition invariants. The extended \(\alpha \) L2S reduction with well-founded relations, denoted with \({{\alpha \textsc {L2S}} _\downarrow } \), takes as input a transition system , an LTL property \(\mathbf{F}\mathbf{G}\lnot f\), a set P of state predicates, and a set \(W \) of well-founded binary relations. The encoding extends \({\alpha \textsc {L2S}} \) producing a transition system and an invariant property \(\lnot bad_{{\alpha \textsc {L2S}} _\downarrow } \) defined as:

figure d

where r, s, and w are additional auxiliary Boolean variables, and for every variable \(x \in X\), two fresh variables \(x_0\) and \(\overline{x}\) are introduced, representing the initial value of x and a stored value of x at some previous occurrence of f respectively.

Intuitively, we weaken the invariant \(\lnot bad_{\alpha \textsc {L2S}} \) of Sect. 4.1 by allowing abstract loops with the fairness f to occur as long as w holds. The variable w initially holds and can change its phase at most once, when the current valuation of X and the stored valuation of \(\overline{X}\) do not satisfy any of the relations in \(W \). In the subformula \(T_{check}\), the variable r captures the truth value of this test and the variable s ensures the test is carried out only when the valuation of \(\overline{X}\) captures some previous valuation of X stored non-deterministically by the subformula \(T_{mem}\).

Theorem 2

(Soundness). Assuming a fixed finite collection \(W \) of well-founded relations, if \(S_{{\alpha \textsc {L2S}} _\downarrow } \models _{inv} \lnot bad_{{\alpha \textsc {L2S}} _\downarrow } \) then \(S \models \mathbf{F}\mathbf{G}\lnot f\).

In order to prove the Theorem, we need the following lemma.

Lemma 1

For any infinite suffix \(\pi _+\) of a path \(\pi \) satisfying \(\mathbf{G}\mathbf{F}f\) and any finite set \(W \) of well-founded relations there is a pair of states \({\pi _+}_1\) and \({\pi _+}_2\) satisfying f such that \(({\pi _+}_1, {\pi _+}_2)\) is not in any relation in \(W \).

Proof

Let \(\pi _f\) denote the transitive closure of \(\pi _+\) restricted to states where f holds, i.e. an infinite graph over nodes corresponding to those states of \(\pi _+\) that satisfy f and edges connecting nodes \({\pi _f}_i\) and \({\pi _f}_j\) when the latter is reachable from the former. Because all the states lie on a single straight path, the graph is complete. And suppose all edges \(({\pi _f}_i, {\pi _f}_j)\) are covered by \(W \). By Ramsey’s theorem [41] there exists a complete infinite subgraph \(\pi _{W _k}\) of \(\pi _f\) whose edges are all covered by \(W _k \in W \) for some k. The subgraph \(\pi _{W _k}\) forms an infinite chain in the set of states in the ordering imposed by the path \(\pi _+\). This is in conflict with the fact that all the relations in \(W \) are well-founded and thus do not admit infinite chains.    \(\square \)

We can now prove Theorem 2.

Proof

(Theorem 2 ). First, with an argument analogous to that used for proving Theorem 1, we can conclude that every path \(\pi \) of S corresponds to at least one path of \(S_{{\alpha \textsc {L2S}} _\downarrow } \).

Let us assume (by contradiction) \(S_{{\alpha \textsc {L2S}} _\downarrow } \) is safe and \(S \not \models \mathbf{F}\mathbf{G}\lnot f\), then there exists a path of S where f appears infinitely often (the witness to violation of the property \(\mathbf{F}\mathbf{G}\lnot f\)). Let be a path in \(S_{{\alpha \textsc {L2S}} _\downarrow } \) corresponding to \(\pi \) and let \(\big [\widehat{\pi }\big ]_{P}\) be its abstraction wrt. P. Let \(\big [\widehat{s_k}\big ]_{P}\) be the first step where all the distinct abstract states occurring on \(\big [\widehat{\pi }\big ]_{P}\) were visited at least once. By Lemma 1 there are \(s_{i_2}\) and \(s_{i_3}\) such that \(k< i_2 < i_3\) and \((s_{i_2}, s_{i_3})\) are not in any relation in \(W \). But \(\big [\widehat{s_{i_3}}\big ]_{P}\) must be equal to some state \(\big [\widehat{s_{i_1}}\big ]_{P}\) for \(i_1 \le k\). Thanks to \(T_{mem}\), \(\overline{X}\) stores the valuation of X at \(\widehat{s_{i_2}}\) and preserves it for the rest of the path. There exists a valuation of the variables \(\{c_{p_i}~|~p_i \in P\}\) and an induced partitioning \(\langle \widehat{s_0}, \ldots , \widehat{s_{i_1}}, \ldots , \widehat{s_{i_2}}, \ldots , \widehat{s_{i_3}}, \ldots \rangle \) of path \(\widehat{\pi }\) such that the predicates \(p_i \in P\) assume the values of the corresponding \(c_{p_i}\) at \(\widehat{s_{i_1}}\) and \(\widehat{s_{i_3}}\), and \(f \in \widehat{s_{i_1}}, \widehat{s_{i_2}}, \widehat{s_{i_3}}\), and \((s_{i_2}, s_{i_3})\) is not in any relation in \(W \). The variables seen, triggered, and s become satisfied after \(\widehat{s_{i_1}}\) and the literals loop, \(\lnot w\), and \(\lnot r\) become satisfied at \(\widehat{s_{i_3}}\). Therefore, there exists some positive integer n such that

$$ I_{{\alpha \textsc {L2S}} _\downarrow } \wedge T_{{\alpha \textsc {L2S}} _\downarrow } \wedge \ldots \wedge T_{{\alpha \textsc {L2S}} _\downarrow } ^{\langle {n-1}\rangle } \wedge bad_{{\alpha \textsc {L2S}} _\downarrow } ^{\langle {n}\rangle } $$

is satisfiable and thus \(\widehat{\pi }\) violates the invariant property \(\lnot bad_{{\alpha \textsc {L2S}} _\downarrow } \) in finite number of steps, which contradicts our initial assumptions. We conclude that if \(S_{{\alpha \textsc {L2S}} _\downarrow } \) satisfies the invariant property \(\lnot bad_{{\alpha \textsc {L2S}} _\downarrow } \) then \(S \models \mathbf{F}\mathbf{G}\lnot f\).    \(\square \)

Counterexamples and Refinement. In order to refine the extended encoding in case of spurious counterexamples, we modify the procedure described in Sect. 4.1 as follows. We first check if the set of predicates P can be refined by blocking a finite unrolling of the abstract loop (or if a real lasso-shaped counterexample can be found). We set an upper bound on the maximum number of unrollings of the abstract loop. If this bound is reached, we try to prove that no infinite unrolling of the loop exists by finding a suitable termination argument based on ranking functions. A violation of \(\lnot bad_{{\alpha \textsc {L2S}} _\downarrow } \) implies that the abstract counterexample path forms a lasso in the space of the predicates P, with stem and loop . Within the loop there are two distinct steps \(\big [\widehat{s_j}\big ]_{P}\) and \(\big [\widehat{s_k}\big ]_{P}\) that both satisfy f but \((\big [\widehat{s_j}\big ]_{P}, \big [\widehat{s_k}\big ]_{P})\) is not in any relation in \(W \). Let \(\varphi _{stem}\) and \(\varphi _{loop}\) be defined as:

figure e

where T is the transition relation of the original system S. If T doesn’t contain disjunctions, then several off-the-shelf techniques for ranking function synthesis (e.g. [30, 38]) can be used for constructing a termination argument for the simple lasso represented by \(\varphi _{stem} \wedge \varphi _{loop}\). However, in general T does contain disjunctions. In this case, we can enumerate the simple lassos symbolically represented by \(\varphi _{stem} \wedge \varphi _{loop}\) (i.e. lassos without disjunctions), and attempt to build a termination argument for each of them. We do this using the algorithm presented in [36], a technique for enumerating an overapproximation of the prime implicants of a formula by exploiting SMT solving under assumptions. Each implicant of \(\varphi _{stem} \wedge \varphi _{loop}\) corresponds to a simple lasso, for which we try to build a termination argument with the technique of [30]. In case of success, we use the ranking function r(X) and its lower bound b produced by [30] to generate a well-founded relation. If this relation was not in the set \(W \) already, we add it to \(W \), add its atomic predicates to P, stop the enumeration of simple lassos, and refine the encoding, proceeding to checking the new invariant property on the refined system.Footnote 1 Otherwise, we continue with the enumeration, until we either eventually find some new information that allows us to refine our encoding, or we fail to build a termination argument for all the simple lassos represented by the abstract counterexample. In the latter case, the algorithm is aborted, and “unknown” is returned.

k -Liveness as a Well-Founded Relation. Generally, infinite-state systems admit counterexamples that are not lasso-shaped. But we analyze infeasibility of a strict subset of all possible infinite unrollings of the abstract lasso. Consequently, the refinement may fail to produce new abstraction predicates or well-founded relations as well as fail to find a concrete counterexample. However, we may use \(k\)-liveness to recover from such situations in hope to make further progress. By extending the transition system with an auxiliary integer variable k representing a counter of occurrences of f, and the necessary updates of k, the refinement may always discover a new well-founded relation where \(\overline{k} \in \overline{X}\) is introduced by the reduction \({{\alpha \textsc {L2S}} _\downarrow }\) and n is an arbitrary positive integer. We usually let n be the number of occurrences of f in the current counterexample. By adding these free relations we allow the procedure to progress by blocking all short spurious counterexamples as w holds for the first n steps of the re-encoded system. Notice that this is sound.

4.3 Implementation Within IC3ia

In principle, the technique described in the previous Sections can be implemented on top of any off-the-shelf invariant verification algorithm. In practice, however, we exploit the features of the IC3ia algorithm of [14] to obtain an efficient implementation, in which our liveness-to-safety encoding is tightly integrated in the incremental IC3-based invariant checking procedure and its interpolation-based abstraction refinement.

First, we observe that the interpolation-based refinement of the \(\alpha \) L2S encoding (see Sect. 4.1) is very similar to the refinement procedure already implemented in IC3ia, making it possible to reuse most of the code. More importantly, our technique can be integrated in IC3ia in a highly incremental manner. In particular, there is no need of restarting from scratch the IC3 search at every refinement iteration; rather, all the relatively-inductive formulas discovered by IC3ia in the process of constructing an inductive invariant can be retained across refinements. This is possible because: (a) our encoding only monotonically adds constraints to the original transition system, and (b) the new safety property obtained after the \(i+1\)-th refinement step is weaker than the previous ones; in particular, if IC3 has concluded that no state can violate the property corresponding to the i-th refinement in k steps or less, then this is true also for the \(i+1\)-th property. Therefore, all the invariants on which IC3 relies for its correctness are preserved by our refinement procedure, thus allowing it to continue the search without resetting its internal state.

5 Experimental Evaluation

We have implemented \({\textsc {L2Sia-wfr}}\) as an extension of the IC3ia algorithm described in [14]. The MathSAT SMT solver [17] is used for solving SMT queries, computing interpolants, and synthesizing ranking functions (using the technique of [30]). The LTL extension to IC3ia consists of about 1500 lines of C++ code. In the evaluation, in addition to \({\textsc {L2Sia-wfr}}\), we consider \({\textsc {L2Sia}}\), i.e. the variant where well-founded relations are disabled. The source code of the implementation is available at https://es-static.fbk.eu/people/griggio/ic3ia/.

Tools Used. We compare our implementation with the following state-of-the-art tools for temporal property verification of infinite-state systems:

HSF [29], a solver for Horn-like clauses that also supports proving well-foundedness of a given relation, using transition invariants. In order to check an LTL property \(\varphi \), we apply the technique described in [39]: we encode the input transition system and a (symbolic representation of a) Büchi automaton for \(\lnot \varphi \) as Horn-like clauses, and ask HSF to find a (disjunctively) well-founded transition invariant showing that the accepting states of the automaton cannot be visited infinitely often. We use the ltl2ba tool of [26] to generate the Büchi automaton.

T2-CTL* [21], an extension to the T2 termination prover for imperative programs supporting CTL* temporal properties. LTL properties can be verified by simply checking the equivalent CTL* specification.Footnote 2 T2-CTL* works by recursively computing preconditions of subformulas of the input property (starting from the leaves), and checking whether the precondition of the topmost formula is satisfied by the initial states of the program. Path subformulas are approximated in ACTL, the program is partially determinized using prophecy variables to reduce the imprecision of the approximation. Formula preconditions are then computed via CTL model checking. We remark that T2-CTL* is more general than \({\textsc {L2Sia-wfr}}\), being able to handle arbitrary CTL* properties. This fact should be considered when interpreting the experimental results presented.

Ultimate-LTL [24], a tool for the verification of LTL properties of sequential C programs. Ultimate-LTL works by enumerating the fair paths of the input program (i.e. paths visiting the accepting condition of a Büchi automaton for \(\lnot \varphi \) infinitely often) and trying to prove each of them unfeasible (either by refuting a finite prefix of the path, or by finding a suitable termination argument for it). If a fair path is determined to be feasible, the property is shown not to hold. Otherwise, if the fair path is successfully refuted, it is generalized and then subtracted from the input program: if the result is empty, then the property is shown to hold. Otherwise, an unknown result is reported.

Fig. 1.
figure 1

Experimental results on symbolic transition systems

Full size image

Benchmark Sets. Our benchmark set consists of 835 LTL verification problems, grouped in three different subsets:

Symbolic Transition Systems. The first set consists of a collection of symbolic transition systems: BIP models from [7], and systems derived from standard examples in the real-time domain (e.g. [1, 5, 27]) in which the variables have been converted to integers, in order to be able to use all the tools mentioned above.

Fig. 2.
figure 2

Experimental results on imperative programs.

Full size image
figure f

The LTL properties have been manually generated, in order to capture standard liveness requirements on the considered domains. The set consists of 556 instances, 66 of which are unsafe. For tools working with imperative programs (T2-CTL*, Ultimate-LTL), we encode a system \(S=\langle {X,I,T}\rangle \) as shown in the box on the right, where nondet is a function that returns a non-deterministic value. We then translate an LTL property \(\mathbf{F}\mathbf{G}\lnot f\) into \(\mathbf{F}\mathbf{G}(ok \rightarrow \lnot f)\).Footnote 3

Fig. 3.
figure 3

Experimental results on T2 termination benchmarks.

Full size image
Fig. 4.
figure 4

Experimental results on all benchmarks.

Full size image

Imperative-style Programs. This set consists of 86 imperative-style programs collected from three different sources:

(i) 17 simple hand-crafted imperative programs with LTL properties that were specifically written to make approaches based on \(\alpha \) L2S fail. The instances are all safe.

(ii) the 41 C programs belonging to the “coolant” and “decision-predicates” groups of benchmark instances used in [24]. The programs have been translated to transition systems using the C front-end of the Kratos [13] software model checker.Footnote 4

(iii) the 28 instances of the “cav13-ctl-examples” in the source distribution of T2, in which the LTL properties have been obtained by simply removing the path quantifiers from the corresponding CTL properties in the original files.

T2 Termination Benchmarks. The last set we considered consists of the 193 instances of the “testsuite” group in the source distribution of T2. These are termination problems that have been encoded into LTL by checking that a distinguished “sink” location is eventually reached. For this group of benchmarks, in addition to the tools described above, we compare also with the specialised procedure for termination checking in T2 [11] (called T2-termination in the following).

Results. We ran our experimental evaluation on a cluster of machines with 2.67 GHz Xeon X5650 CPUs and 96 GB of RAM, running Scientific Linux 6.7. We used a timeout of 1200 s and a memory limit of 6 GB.

As a preliminary remark, we analyze the number of predicates used. For the verification of the benchmarks, \({\textsc {L2Sia-wfr}}\) discovered up to 85 predicates for the \({{\alpha \textsc {L2S}} _\downarrow }\) encoding and up to 278 predicates for checking the sequence of invariant properties with IC3ia, with an average of 20 predicates for \({{\alpha \textsc {L2S}} _\downarrow }\) and 45 predicates for IC3ia (with median values of 14 and 34 respectively). These numbers do not include Boolean state variables in the system, that are always tracked precisely. We conclude that Implicit Abstraction is a key enabler for the proposed approach: an eager computation of the abstract transition system, based for example on AllSMT [33], is typically unable to deal with such high numbers of predicates.

The results of the evaluation are summarized in Figs. 1, 2, 3 and 4. The plots show, for each tool, the number of solved instances (y-axis) in the given total execution time (x-axis), not including timeouts/unknowns. More information is provided in the tables under the plots, where for each tool we show the number of solved instances (distinguishing also between safe and unsafe ones), the difference in number of solved instances wrt. \({\textsc {L2Sia-wfr}}\), the number of instances gained (i.e. solved by the given tool but not by \({\textsc {L2Sia-wfr}}\)) and lost, and the total execution time taken on solved instances. From the results, we can make the following observations:

(i) \({\textsc {L2Sia-wfr}}\) significantly outperforms all the other tools on symbolic transition systems (Fig. 1). Most of the instances are solved without the need of any ranking function, relying exclusively on abstract L2S. However, as can be seen from the comparison with \({\textsc {L2Sia}}\), the integration of ranking functions gives a non-negligible benefit, allowing to solve 31 instances that were out of reach before, and only losing one. It is also interesting to observe that this is beneficial not only for proving properties, but also for finding counterexamples. We attribute the performance of \({\textsc {L2Sia-wfr}}\) to its tight integration with the engine based on IC3 with Implicit Abstraction [14], that can handle very efficiently the symbolic encodings of these benchmarks. In contrast, and as expected, tools that are optimized to exploit control-flow graphs of programs (T2-CTL*, Ultimate-LTL) perform very poorly when such information is not available.

(ii) Interestingly, as shown in Fig. 2 \({\textsc {L2Sia-wfr}}\) is the best performing tool also on the benchmarks of the imperative programs group, for which a control-flow graph is available. The gap with the other tools in this case is much smaller, and there are a number of instances which \({\textsc {L2Sia-wfr}}\) cannot solve but some of the other tools can. However, \({\textsc {L2Sia-wfr}}\) is still the most effective tool overall, both for safe and for unsafe instances.Footnote 5 For this set of benchmarks, the integration of ranking functions is crucial for performance.

(iii) The results on termination benchmarks (Fig. 3) show that there is still a significant gap between tools supporting arbitrary LTL properties and specialised procedures for termination such as T2-termination, for which almost all these instances are very easy. Also in this case, however, \({\textsc {L2Sia-wfr}}\) is very competitive with other tools of similar expressiveness (HSF and Ultimate-LTL).

(iv) Overall (Fig. 4), \({\textsc {L2Sia-wfr}}\) performs very well across all the categories of benchmarks we have considered, comparing very favorably with the state of the art. We think that this demonstrates the generality and potential of our approach.

6 Conclusions

In this paper we presented a novel algorithm, called \({\textsc {L2Sia-wfr}}\), to check liveness properties on infinite state transition systems. The algorithm combines liveness-to-safety with implicit abstraction and well-founded relations. The implementation demonstrates substantial advantages in performance over other temporal checkers for infinite-state systems.

In the future, we will explore techniques for non-termination to find counterexamples that are not lasso-shaped, thus extending the effectiveness of the algorithm in the case of property violation. Furthermore, we will investigate domain-specific techniques for the analysis of real-time/hybrid systems, such as the integration with k-zeno [15], and the extension of the class of well-founded relations over the reals. Finally, we will evaluate the application of \({\textsc {L2Sia-wfr}}\) to temporal satisfiability of first-order temporal logic.