The Lattice-Theoretic Essence of Property Directed Reachability Analysis

Abstract. We present LT-PDR, a lattice-theoretic generalization of Bradley's property directed reachability analysis (PDR) algorithm. LT-PDR identifies the essence of PDR to be an ingenious combination of verification and refutation attempts based on the Knaster–Tarski and Kleene theorems. We introduce four concrete instances of LT-PDR, derive their implementation from a generic Haskell implementation of LT-PDR, and experimentally evaluate them. We also present a categorical structural theory that derives these instances.


Introduction
Property directed reachability (PDR), also called IC3, introduced in [9,13], is a model checking algorithm for proving/disproving safety problems. It has been successfully applied to software and hardware model checking, and it has later been extended in several directions, including fbPDR [25,26], which uses both forward and backward predicate transformers, and PrIC3 [6] for the quantitative safety problem for probabilistic systems. See [14] for a concise overview.
The original PDR assumes that systems are given by binary predicates representing transition relations. The PDR algorithm maintains data structures called frames and proof obligations (both are collections of predicates over states) and updates them. While this logic-based description immediately yields automated tools using SAT/SMT solvers, it limits target systems to qualitative and nondeterministic ones. This limitation was first overcome by PrIC3 [6], whose target is probabilistic systems. This suggests room for further generalization of PDR.
In this paper, we propose the first lattice theory-based generalization of the PDR algorithm; we call it LT-PDR. This makes the PDR algorithm apply to a wider class of safety problems, both qualitative and quantitative. We also derive a new concrete extension of PDR, namely one for Markov reward models.
We implemented the general algorithm LT-PDR in Haskell, in a way that maintains the theoretical abstraction and clarity. Deriving concrete instances for various types of systems (Kripke structures, probabilistic systems, etc.) is easy. We conducted an experimental evaluation, which shows that these easily obtained instances have at least reasonable performance.

Preview of the Theoretical Contribution
We generalize the PDR algorithm so that it operates over an arbitrary complete lattice L. This generalization recasts the PDR algorithm as a procedure that solves a general problem µF ≤? α: overapproximating the least fixed point of an ω-continuous function F : L → L by a safety property α. This lattice-theoretic generalization reveals the relationship between the PDR algorithm and the theory of fixed points. It also allows us to incorporate quantitative predicates suited for probabilistic verification.
More specifically, we reconstruct the original PDR algorithm as a combination of two constituent parts, called positive LT-PDR and negative LT-PDR. Positive LT-PDR comes from a witness-based proof method by the Knaster–Tarski fixed point theorem, and aims to verify µF ≤? α. In contrast, negative LT-PDR comes from the Kleene fixed point theorem and aims to refute µF ≤? α. The two algorithms build up witnesses in an iterative and nondeterministic manner, where nondeterminism accommodates guesses and heuristics. We identify the essence of PDR to be an ingenious combination of these two algorithms, in which intermediate results on one side (positive or negative) give informed guesses on the other side. This is how we formulate LT-PDR in §3.3.
We discuss several instances of our general theory of PDR, in three concrete settings: Kripke structures (where we obtain two instances of LT-PDR), Markov decision processes (MDPs), and Markov reward models. The two in the first setting essentially subsume many existing PDR algorithms, such as the original PDR [9,13] and Reverse PDR [25,26], and the one for MDPs resembles PrIC3 [6]. The last one (for Markov reward models) is a new algorithm that fully exploits the generality of our framework.
In fact, there is another dimension of theoretical generalization: the derivation of the above concrete instances follows a structural theory of state-based dynamics and predicate transformers. We formulate the structural theory in the language of category theory [3,23], using especially coalgebras [18] and fibrations [19], following works such as [8,15,22,28]. The structural theory tells us which safety problems arise under what conditions; it can therefore also suggest that certain safety problems are unlikely to be formulated. The structural theory is important because it builds a mathematical order in the PDR literature, in which theoretical developments tend to be closely tied to implementation, so that theoretical essences are often not very explicit. For example, the theory is useful in classifying the plethora of PDR-like algorithms for Kripke structures (the original, Reverse PDR, fbPDR, etc.). See §5.1.
We present the above structural theory in §4 and briefly discuss its use in the derivation of concrete instances in §5. We note, however, that this categorical theory is not needed for reading and using the other parts of the paper.
There are other works on the generalization of PDR [17,24], but our identification of the interplay of Knaster–Tarski and Kleene is new. They do not accommodate probabilistic verification, either. See Appendix A for further discussion.

Fixed-points in Complete Lattices
Let (L, ≤) be a complete lattice and F : L → L be a monotone function. When we analyze fixed points of F, pre/postfixed points play important roles.

Definition 2.1. A prefixed point of F is an element x ∈ L satisfying F x ≤ x. A postfixed point of F is an element x ∈ L satisfying x ≤ F x. We write Pre(F) and Post(F) for the set of prefixed points and postfixed points of F, respectively.

The following results are central in fixed point theory. They allow us to under/over-approximate the least/greatest fixed points.

Theorem 2.2. A monotone endofunction F on a complete lattice (L, ≤) has the least fixed point µF and the greatest fixed point νF. Moreover,
1. (Knaster–Tarski [30]) The set of fixed points forms a complete lattice. Furthermore, µF …
2. (Kleene) …

Thm. 2.2.2 is known to hold for arbitrary ω-cpos (complete lattices are their special case). A generalization of Thm. 2.2.2 is the Cousot–Cousot characterization [11], where F is assumed to be monotone (but not necessarily ω-continuous) and we have µF = F^κ ⊥ for a sufficiently large, possibly transfinite, ordinal κ. In this paper, for the algorithmic study of PDR, we assume the ω-continuity of F. Note that an ω-continuous F on a complete lattice is necessarily monotone.
We call the ω-chain ⊥ ≤ F⊥ ≤ F²⊥ ≤ ··· the initial chain of F. Thm. 2.2.1 and 2.2.2 yield the following witness notions for proving and disproving µF ≤ α, respectively.

Corollary 2.3. Let (L, ≤) be a complete lattice and F : L → L be ω-continuous.

1. (KT) µF ≤ α if and only if there is x ∈ L such that F x ≤ x ≤ α.
2. (Kleene) µF ≰ α if and only if there are n ∈ N and x ∈ L such that x ≤ F^n ⊥ and x ≰ α.

By Cor. 2.3.1, proving µF ≤ α is reduced to searching for x ∈ L such that F x ≤ x ≤ α. We call such x a KT (positive) witness. In contrast, by Cor. 2.3.2, disproving µF ≤ α is reduced to searching for n ∈ N and x ∈ L such that x ≤ F^n ⊥ and x ≰ α. We call such x a Kleene (negative) witness.

Notation 2.4. We shall use lowercase (Roman and Greek) letters for elements of L (such as α, x ∈ L), and uppercase letters for (finite or infinite) sequences of L (such as X ∈ L* or L^ω). The i-th (or (i − j)-th when subscripts start from j) element of a sequence X is designated by a subscript: X_i ∈ L.
Example 3.2. Consider a transition system, where S is the set of states, ι ⊆ S is the set of initial states, δ : S → PS is the transition relation, and α ⊆ S is the set of safe states. Then letting L := PS and F := ι ∪ ⋃_{s ∈ (−)} δ(s), the lfp overapproximation problem µF ≤? α asks whether all reachable states are safe. It is the problem studied by the conventional IC3/PDR [9,13].
Positive LT-PDR iteratively builds a KT witness in a bottom-up manner that positively answers the LFP-OA problem, while negative LT-PDR iteratively builds a Kleene witness for the same LFP-OA problem. We shall present these two algorithms as clear reflections of two proof principles (Cor. 2.3), which come from the fundamental Knaster–Tarski and Kleene theorems, respectively.
The two algorithms build up witnesses in an iterative and nondeterministic manner. The nondeterminism is there to accommodate guesses and heuristics. We identify the essence of PDR to be an ingenious combination of these two algorithms, in which intermediate results on one side (positive or negative) give informed guesses on the other side. This way, each of the positive and negative algorithms provides heuristics for resolving the nondeterminism in the execution of the other. This is how we formulate the LT-PDR algorithm in §3.3.
The dual of the LFP-OA problem is called the gfp-under-approximation problem (GFP-UA): the GFP-UA problem for a complete lattice L, an ω^op-continuous function F : L → L and α ∈ L is whether the inequality α ≤ νF holds or not, and is denoted by α ≤? νF. It is evident that the GFP-UA problem for (L, F, α) is equivalent to the LFP-OA problem for (L^op, F, α). This suggests the dual algorithm, called LT-OpPDR, for the GFP-UA problem. See Rem. 3.24 later.

Positive LT-PDR: Sequential Positive Witnesses
We introduce the notion of KT^ω witness, a KT witness (Cor. 2.3) constructed in a sequential manner. Positive LT-PDR searches for a KT^ω witness by growing its finitary approximations (called KT sequences).
Let L be a complete lattice. We regard each element x ∈ L as an abstract presentation of a predicate on states. The inequality x ≤ y means that the predicate x is stronger than the predicate y. We introduce the complete lattice [n, L] of increasing chains of length n ∈ N, whose elements are (X_0 ≤ ··· ≤ X_{n−1}) in L equipped with the element-wise order. We similarly introduce the complete lattice [ω, L] of ω-chains in L. We lift F to F^# on these lattices, shifting the entries so that the i-th entry of F^# X is F X_{i−1}.
(1) The initial chain ⊥ ≤ F⊥ ≤ ··· is always a KT^ω witness for µF ≤ α. There are other KT^ω witnesses whose growth is accelerated by some heuristic guesses; an extreme example is x ≤ x ≤ ··· with a KT witness x. KT^ω witnesses embrace the spectrum of such different sequential witnesses for µF ≤ α, those which mix routine constructions (i.e. application of F) and heuristic guesses.

Definition 3.5 (KT sequence). Let L, F, α be as in Def. 3.1. A KT sequence for µF ≤? α is a finite chain … KT sequences are finite by definition. Note that the upper bound α is imposed on all X_i but X_{n−1}. This freedom in the choice of X_{n−1} offers room for heuristics, one that is exploited in the combination with negative LT-PDR (§3.3). We take KT sequences as finite approximations of KT^ω witnesses. This view shall be justified by the partial order ⊑ between KT sequences defined below.

Definition 3.6 (order between KT sequences). We define a partial order relation ⊑ on KT sequences as follows: … The order X_j ≥ X′_j represents that X′_j is a stronger predicate (on states) than X_j. Therefore X ⊑ X′ expresses that X′ is a longer and stronger / more determined chain than X. We obtain KT^ω witnesses as their ω-suprema.

Theorem 3.7. Let L, F, α be as in Def. 3.1. The set of KT sequences, augmented with the set of KT^ω witnesses {X ∈ [ω, L] | F^# X ≤ X ≤ ∆α} and ordered by the natural extension of ⊑, is an ω-cpo. In this ω-cpo, each KT^ω witness X is represented as the supremum of an ω-chain of KT sequences.

The proposition above yields the following partial algorithm that aims to answer positively to the LFP-OA problem. It searches for a conclusive KT sequence. The rules are designed by the following principles.
Valid is applied when the current X is conclusive. Unfold extends X with ⊤. In fact, we can use any element x satisfying X_{n−1} ≤ x and F X_{n−1} ≤ x in place of ⊤ (by the application of Induction with x). The condition X_{n−1} ≤ α is checked to ensure that the extended X satisfies the condition in Def. 3.5.1.
Induction strengthens X, replacing the j-th element with its meet with x. The first condition X_k ≰ x ensures that this rule indeed strengthens X, and the second condition F(X_{k−1} ∧ x) ≤ x ensures that the strengthened X satisfies the condition in Def. 3.5.2, that is, F^#_n X ≤ X (see the proof in Appendix J.11).

Theorem 3.10. Let L, F, α be as in Def. 3.1. Then positive LT-PDR is sound, i.e. if it outputs 'True' then µF ≤ α holds. Moreover, assume µF ≤ α is true. Then positive LT-PDR is weakly terminating (meaning that suitable choices of x when applying Induction make the algorithm terminate).

The last "optimistic termination" is realized by the informed guess µF as x in Induction. To guarantee the termination of LT-PDR, it suffices to assume that the complete lattice L is well-founded (no infinite decreasing chain exists in L) and that there is no strictly increasing ω-chain under α in L, although we cannot hope for this assumption in every instance (§5.2, 5.3).

Algorithm 3: LT-PDR

Lemma 3.11. Let L, F, α be as in Def. 3.1. If µF ≤ α, then for any KT sequence X, at least one of the three rules in Algorithm 1 is enabled.
Moreover, for any KT sequence X, let X′ be obtained by applying either Unfold or Induction. Then X ⊑ X′ and X ≠ X′.

Theorem 3.12. Let L, F, α be as in Def. 3.1. Assume that ≤ in L is well-founded and µF ≤ α. Then any non-terminating run of positive LT-PDR converges to a KT^ω witness (meaning that it gives a KT^ω witness in ω steps). Moreover, if there is no strictly increasing ω-chain bounded by α in L, then positive LT-PDR is strongly terminating.

Negative LT-PDR: Sequential Negative Witnesses
We next introduce Kleene sequences as a lattice-theoretic counterpart of proof obligations in the standard PDR. Kleene sequences represent a chain of sufficient conditions to conclude that certain unsafe states are reachable.
We may use i (0 ≤ i ≤ n) instead of 0 as the starting index of the Kleene sequence C.
When we have a Kleene sequence C = (C_0, …, C_{n−1}), the chain of implications …

This proposition suggests the following algorithm to negatively answer the LFP-OA problem. It searches for a conclusive Kleene sequence. The algorithm updates a Kleene sequence until its first component becomes ⊥. The rules are designed by the following principles.
Candidate initializes C with only one element x. The element x has to be chosen such that x ≰ α to ensure Def. 3.13.2.
Model is applied when the current Kleene sequence C is conclusive.
2. Assume µF ≰ α is true. Then negative LT-PDR is weakly terminating (meaning that suitable choices of x when applying the rules Candidate and Decide make the algorithm terminate).

LT-PDR: Integrating Positive and Negative
We have introduced two simple PDR algorithms, called positive LT-PDR (§3.1) and negative LT-PDR (§3.2). They are so simple that they have potential inefficiencies. Specifically, in positive LT-PDR it is unclear how to choose x ∈ L in Induction, while negative LT-PDR may easily diverge because the rules Candidate and Decide may choose x ∈ L that does not lead to a conclusive Kleene sequence. We resolve these inefficiencies by combining positive LT-PDR and negative LT-PDR. The combined PDR algorithm is called LT-PDR, and it is a lattice-theoretic generalization of conventional PDR. Note that negative LT-PDR is only weakly terminating. Even worse, it is easy to make it diverge: after a choice of x in Candidate or Decide such that x ≰ µF, no continued execution of the algorithm can lead to a conclusive Kleene sequence. For deciding µF ≤? α efficiently, therefore, it is crucial to detect such useless Kleene sequences.
The core fact that underlies the efficiency of PDR is the following proposition, which says that a KT sequence (in positive LT-PDR) can quickly tell that a Kleene sequence (in negative LT-PDR) is useless. This fact is crucially used for many rules in LT-PDR (Def. 3.20).

Proposition 3.17. … There is no conclusive Kleene sequence with length n − 1.

The proof relies on the following lemmas.
… 1. The Kleene sequence C can be extended to a conclusive one. 2. …

Using the above lattice-theoretic properties, we combine positive and negative LT-PDR into the following LT-PDR algorithm. It is also a lattice-theoretic generalization of the original PDR algorithm. The combination exploits the mutual relationship between KT sequences and Kleene sequences, exhibited as Prop. 3.17, for narrowing down choices in positive and negative LT-PDR. The rules are designed by the following principles.
(Valid, Unfold, and Induction): These rules are almost the same as in positive LT-PDR. In Unfold, we reset the Kleene sequence because of Prop. 3.17.3. Occurrences of Unfold punctuate an execution of the algorithm: between two occurrences of Unfold, a main goal (towards a negative conclusion) is to construct a conclusive Kleene sequence with the same length as X.
(Candidate, Model, and Decide): These rules have many similarities to those in negative LT-PDR. The differences are as follows: the Candidate and Decide rules impose x ≤ X_i on the new element x in (x, C_{i+1}, …, C_{n−1}) because Prop. 3.17.1 tells us that other choices are useless. In Model, we only need to check whether C_1 is defined instead of C_0 = ⊥. Indeed, since C_1 is added in Candidate or Decide, C_1 ≤ X_1 = F⊥ always holds. Therefore, 2 ⇒ 1 in Lem. 3.19 shows that (⊥, C_1, …, C_{n−1}) is conclusive.
(Conflict): This new rule emerges from the combination of positive and negative LT-PDR. This rule is applied when C_i ≰ F X_{i−1}, which confirms that the current C cannot be extended to a conclusive one (Prop. 3.17.2). Therefore, we eliminate C_i from C and strengthen X so that we cannot choose C_i again, that is, so that C_i ≰ (X_i ∧ x). Let us explain how X is strengthened. The element x has to be chosen so that C_i ≰ x and F(X_{i−1} ∧ x) ≤ x. The former dis-inequality ensures that the strengthened X satisfies C_i ≰ (X_i ∧ x), and the latter inequality ensures that the strengthened X is still a KT sequence (as in Induction). One can see that Conflict is Induction with the additional condition C_i ≰ x, which narrows down the search space for x using the Kleene sequence C.
Canonical choices of x ∈ L in Candidate, Decide, and Conflict are x := X_{n−1}, x := X_{i−1}, and x := F X_{i−1}, respectively. However, there can be cleverer choices; e.g.

Structural Theory of PDR by Category Theory
Before we discuss concrete instances of LT-PDR in §5, we develop a structural theory of transition systems and predicate transformers as a basis of LT-PDR. The theory is formulated in the language of category theory [3,18,19,23]. We use category theory because 1) categorical modeling of relevant notions is well established in the community (see e.g. [2,8,18,19,27]), and 2) it gives us the right level of abstraction that accommodates a variety of instances. In particular, qualitative and quantitative settings are described in a uniform manner.
Our structural theory (§4) serves as a backend, not a frontend. That is, the theory in §4 is important in that it explains how the instances in §5 arise and why others do not, but the instances in §5 are described in non-categorical terms, so readers who skipped §4 will have no difficulties following §5 and using those instances.

Categorical Modeling of Dynamics and Predicate Transformers
Our interests are in instances of the LFP-OA problem µF ≤? α (Def. 3.1). Our description of Table 1 here is minimal, due to the limited space; see Appendix C and the references therein for more details. A category consists of objects and arrows between them. In Table 1, categories occur twice: 1) a base category B, where objects are typically sets and arrows are typically functions; and 2) fiber categories E_S, defined for each object S of B, that are identified with the lattices of predicates. Specifically, objects P, Q, … of E_S are predicates over S, and an arrow P → Q represents logical implication. A general fact behind the last is that every preorder is a category; see e.g. [3].
Transition Systems as Coalgebras. State-based transition systems are modeled as coalgebras in the base category B [18]. We use a functor G : B → B to represent a transition type. A G-coalgebra is an arrow δ : S → GS, where S is a state space and δ describes the dynamics. For example, a Kripke structure can be identified with a pair (S, δ) of a set S and a function δ : S → PS, where PS denotes the powerset. The powerset construction P is known to be a functor P : Set → Set; therefore Kripke structures are P-coalgebras. For other choices of G, G-coalgebras become different types of transition systems, such as MDPs (§5.2) and Markov reward models (§5.3).
Predicates Form a Fibration. Fibrations are powerful categorical constructs that can model various indexed entities; see e.g. [19] for their general theory. Our use of them is for organizing the lattices E_S of predicates over a set S, indexed by the choice of S. For example, E_S = 2^S (the lattice of subsets of S) for modeling qualitative predicates. For quantitative reasoning (e.g. for MDPs), we use E_S = [0, 1]^S, where [0, 1] is the unit interval. This way, qualitative and quantitative reasoning are mathematically unified in the language of fibrations.
A fibration is a functor p : E → B with suitable properties; it can be thought of as a collection (E_S)_{S∈B} of fiber categories E_S, indexed by objects S of B, suitably organized as a single category E. Notable in this organization is that we obtain the pullback functor l* : E_Y → E_X for each arrow l : X → Y in B. In our examples, l* is a substitution along l in predicates: l* is the monotone map that carries a predicate P(y) over Y to the predicate P(l(x)) over X.
In this paper, we restrict to a subclass of fibrations (called CLat_∧-fibrations) in which every fiber category E_S is a complete lattice and each pullback functor preserves all meets. We therefore write P ≤ Q for arrows in E_S; this represents logical implication, as announced above. Notice that each f* has a left adjoint (a lower adjoint in terms of Galois connections), which exists by Freyd's adjoint functor theorem. The left adjoint is denoted by f_*.
We also consider a lifting Ġ : E → E of G along p; it is a functor Ġ such that p Ġ = G p. See the diagram on the right. It specifies the logical interpretation of the transition type G. For example, for G = P (the powerset functor) from the above, two choices of Ġ are for the may and must modalities. See e.g. [2,15,21,22].

Categorical Predicate Transformer
The above constructs allow us to model predicate transformers (F in our examples of the LFP-OA problem µF ≤? α) in categorical terms. A predicate transformer along a coalgebra δ : S → GS with respect to the lifting Ġ is simply the composite δ* ∘ Ġ : E_S → E_{GS} → E_S, where the first Ġ is the restriction of Ġ : E → E to E_S. Intuitively, 1) given a postcondition P in E_S, 2) it is first interpreted as the predicate ĠP over GS, and then 3) it is pulled back along the dynamics δ to yield a precondition δ* ĠP. Such (backward) predicate transformers are fundamental in a variety of model checking problems.

Structural Theory of PDR from Transition Systems
We formulate a few general safety problems. We show how they are amenable to the LT-PDR (Def. 3.20) and LT-OpPDR (Rem. 3.24) algorithms.

Definition 4.1 (backward safety problem, BSP). Let p be a CLat_∧-fibration, δ : S → GS be a coalgebra in B, and … Here, ι represents the initial states and α represents the safe states.

… This problem is called the forward safety problem for (ι, δ, α) in (p, G, Ġ).

When both additional assumptions are fulfilled (in Prop. 4.2 & 4.3), we obtain two LT-PDR algorithms to solve the BSP. One can even run these two algorithms simultaneously; this is done in fbPDR [25,26]. See also §5.1.

Known and New PDR Algorithms as Instances
We present several concrete instances of our LT-PDR algorithms. The one for Markov reward models is new (§5.3). We also sketch how those instances can be systematically derived by the theory in §4; details are in Appendix D.

LT-PDRs for Kripke Structures: PDR F-Kr and PDR IB-Kr
In most of the PDR literature, the target system is a Kripke structure that arises from a program's operational semantics. A Kripke structure consists of a set S of states and a transition relation δ ⊆ S × S (here we ignore initial states and atomic propositions). The basic problem formulation is as follows.

Definition 5.1 (backward safety problem (BSP) for Kripke structures). The BSP for a Kripke structure (S, δ), a set ι ∈ 2^S of initial states, and a set α ∈ 2^S of safe states, is the GFP-UA problem ι ≤? νx. α ∧ F′x, where …

It is clear that the GFP in Def. 5.1 represents the set of states from which all reachable states are in α. Therefore the BSP is the usual safety problem.
The above BSP is easily seen to be equivalent to the following problems. …
We compare these two instances of LT-PDR with algorithms in the literature. If we impose |C_i| = 1 on each element C_i of Kleene sequences, the PDR F-Kr instance of LT-PDR coincides with the conventional IC3/PDR [9,13]. In contrast, PDR IB-Kr coincides with Reverse PDR in [25,26]. The parallel execution of PDR F-Kr and PDR IB-Kr roughly corresponds to fbPDR [25,26].
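As an added example (Python, not the paper's Haskell LTPDR), the rules of LT-PDR from §3.3 instantiated as PDR F-Kr with the |C_i| = 1 heuristics of §5.1 on a constructed Kripke structure, together with the two witness checks of Cor. 2.3. Assumptions beyond the page: the initial KT sequence (⊥, F⊥), the concrete choices of x (one unsafe state in Candidate, one predecessor in Decide, the complement of C_i in Conflict), and that Conflict strengthens all entries X_0, …, X_i.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union

Pred = FrozenSet[int]   # L = 2^S ordered by inclusion: bot = {}, top = S, meet = &


@dataclass(frozen=True)
class Kripke:
    states: Pred
    init: Pred               # iota
    trans: Dict[int, Pred]   # delta : S -> P S (a state without an entry has no successor)

    def post(self, x: Pred) -> Pred:
        return frozenset(t for s in x for t in self.trans.get(s, ()))

    def pre(self, x: Pred) -> Pred:
        return frozenset(s for s in self.states if self.trans.get(s, frozenset()) & x)

    def F(self, x: Pred) -> Pred:
        # F x = iota ∪ ⋃_{s ∈ x} delta(s) (Example 3.2); mu F is the set of reachable states
        return self.init | self.post(x)


def is_kt_witness(ks: Kripke, x: Pred, alpha: Pred) -> bool:
    # Cor. 2.3 (KT): F x <= x <= alpha certifies mu F <= alpha
    return ks.F(x) <= x <= alpha


def is_conclusive_kleene(ks: Kripke, path: List[int], alpha: Pred) -> bool:
    # With singletons, a conclusive Kleene sequence (bot, {p_0}, ..., {p_k}) is a path:
    # p_0 in iota, each p_j a successor of p_{j-1}, p_k unsafe, so {p_k} <= F^{k+1} bot.
    ok = bool(path) and path[0] in ks.init and path[-1] not in alpha
    return ok and all(b in ks.trans.get(a, ()) for a, b in zip(path, path[1:]))


def lt_pdr(ks: Kripke, alpha: Pred, max_steps: int = 100_000) -> Tuple[bool, Union[Pred, List[int]]]:
    """The rules of Alg. 3 with the |C_i| = 1 heuristics of §5.1.  X is the KT
    sequence (X_0 = bot, and X_1 = F bot stays invariant); C stores (C_i, ..., C_{n-1})
    with i = n - len(C).  Returns (True, KT witness) or (False, counterexample path)."""
    F, top = ks.F, ks.states
    X: List[Pred] = [frozenset(), F(frozenset())]
    C: List[Pred] = []
    for _ in range(max_steps):
        n = len(X)
        for j in range(n -  1):                     # Valid: X_j = X_{j+1}
            if X[j] == X[j + 1]:
                return True, X[j]                   # F X_j <= X_{j+1} = X_j <= alpha
        if not C:
            if X[n - 1] <= alpha:                   # Unfold: extend X with top, C := ()
                X.append(top)
            else:                                   # Candidate: x <= X_{n-1}, x not <= alpha
                C = [frozenset([min(X[n - 1] - alpha)])]
            continue
        i = n - len(C)
        if i <= 1 or C[0] & ks.init:                # Model: C_1 <= X_1 = F bot (or C_i <= F bot),
            return False, [min(c) for c in C]       # so C extends to a conclusive sequence
        preds = ks.pre(C[0]) & X[i - 1]
        if preds:                                   # C_i <= F X_{i-1}: Decide with x <= X_{i-1}
            C.insert(0, frozenset([min(preds)]))    # and C_i <= F x
        else:                                       # Conflict: C_i not <= F X_{i-1}
            x = top - C[0]                          # C_i not <= x and F(X_{i-1} ∧ x) <= x
            C.pop(0)
            for j in range(i + 1):                  # strengthen X_0..X_i by the meet with x
                X[j] = X[j] & x
    raise RuntimeError("step budget exhausted")


# Constructed sample: 0 -> 1 -> 2 -> 3 -> 1 is the reachable part; 4 -> 5 -> 6 -> 4
# is an unreachable loop; 7 is isolated.
SAMPLE = Kripke(
    states=frozenset(range(8)),
    init=frozenset({0}),
    trans={0: frozenset({1}), 1: frozenset({2}), 2: frozenset({3}), 3: frozenset({1}),
           4: frozenset({5}), 5: frozenset({6}), 6: frozenset({4})},
)
SAFE_ALPHA = SAMPLE.states - frozenset({5, 6})      # unsafe states 5, 6 are unreachable
UNSAFE_ALPHA = SAMPLE.states - frozenset({3})       # unsafe state 3 is reachable

if __name__ == "__main__":
    print(lt_pdr(SAMPLE, SAFE_ALPHA))      # (True, an inductive invariant inside alpha)
    print(lt_pdr(SAMPLE, UNSAFE_ALPHA))    # (False, [0, 1, 2, 3])
```

With the canonical choices of §3.3 instead (x := X_{n−1}, X_{i−1}, F X_{i−1}) the same loop degenerates to Kleene iteration of F; the singleton choices are what make it behave like IC3.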

LT-PDR for MDPs: PDR IB-MDP
The only known PDR-like algorithm for quantitative verification is PrIC3 [6] for Markov decision processes (MDPs). Here we instantiate LT-PDR for MDPs and compare it with PrIC3.
An MDP consists of a set S of states, a set Act of actions and a transition function δ mapping s ∈ S and a ∈ Act to either ∗ ("the action a is unavailable at s") or a probability distribution δ(s)(a) over S.

Definition 5.4 (IBSP for MDPs). The inverse backward safety problem (IBSP) for an MDP (S, δ), an initial state s_ι ∈ S, a real number λ ∈ [0, 1], and a set α ⊆ S of safe states, is the LFP-OA problem µx. F′(x) ≤? d_{ι,λ}. Here …

The function F′ in Def. 5.4 is a Bellman operator for MDPs: it takes the average of d over δ(s)(a) and takes the maximum over a. Therefore the lfp in Def. 5.4 is the maximum reachability probability to S \ α; the problem asks if it is ≤ λ. In other words, it asks whether the safety probability (of staying in α henceforth, under any choice of actions) is ≥ 1 − λ. This problem is the same as in [6].
Instance of PDR. The IBSP (Def. 5.4) is LFP-OA and thus amenable to LT-PDR. We call this instance PDR IB-MDP; see Appendix E for details.
Our Kleene sequences correspond to obligations in PrIC3, modulo the following difference. Kleene sequences aim at a negative witness (§3.2), but they happen to help the positive proof efforts too (§3.3); obligations in PrIC3 are solely for accelerating the positive proof efforts. Thus, if PrIC3 cannot conclude these efforts, we need to check whether the obligations yield a negative witness.
Another benefit of the categorical theory is that it can tell us that a forward instance of LT-PDR (much like PDR F-Kr in §5.1) is unlikely for MDPs. Indeed, we showed in Prop. 4.2 that Ġ's preservation of meets is essential (the existence of a left adjoint is equivalent to meet preservation). We can easily show that our Ġ for MDPs does not preserve meets. See Appendix G.
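As an added example (Python, not the paper's own code), the Bellman operator F′ of Def. 5.4 on a small constructed MDP, with the two witness checks of Cor. 2.3 carried out in the quantitative lattice [0, 1]^S with exact rationals. The shape of d_{ι,λ} (λ at s_ι and 1 elsewhere), the treatment of unsafe states by F′ (their value is 1), the encoding of unavailable actions by omission, and the MDP itself are assumptions.

```python
from fractions import Fraction as Fr
from typing import Dict, FrozenSet, Optional, Tuple

# L = [0,1]^S with the pointwise order; bot is the constant 0, top the constant 1.
Pred = Dict[int, Fr]
Dist = Dict[int, Fr]
MDP = Dict[int, Dict[str, Dist]]   # delta(s)(a); an action not listed at s is unavailable


def bellman(mdp: MDP, alpha: FrozenSet[int], x: Pred) -> Pred:
    """F'(x)(s) = 1 for unsafe s, else max over available a of the average of x under
    delta(s)(a): the Bellman operator of Def. 5.4 as the page describes it (assumed form)."""
    out: Pred = {}
    for s, actions in mdp.items():
        if s not in alpha:
            out[s] = Fr(1)
        else:
            assert actions, f"state {s} needs at least one available action"
            out[s] = max(sum(p * x[t] for t, p in dist.items()) for dist in actions.values())
    return out


def d_bound(states, s_init: int, lam: Fr) -> Pred:
    # Assumed shape of d_{iota,lambda}: lambda at s_init and 1 elsewhere, so that
    # mu F' <= d_{iota,lambda} iff the maximal probability of reaching S \ alpha
    # from s_init is <= lambda.
    return {s: (lam if s == s_init else Fr(1)) for s in states}


def leq(x: Pred, y: Pred) -> bool:
    return all(x[s] <= y[s] for s in x)


def is_kt_witness(mdp: MDP, alpha: FrozenSet[int], x: Pred, d: Pred) -> bool:
    # Cor. 2.3 (KT): F' x <= x <= d proves mu F' <= d.
    return leq(bellman(mdp, alpha, x), x) and leq(x, d)


def kleene_witness(mdp: MDP, alpha: FrozenSet[int], d: Pred, max_n: int) -> Optional[Tuple[int, Pred]]:
    # Cor. 2.3 (Kleene): F'^n bot not <= d refutes mu F' <= d, and F'^n bot is the
    # witness x itself.  Returns the first such n (with the witness) or None if
    # none is found within max_n steps; F'^n bot <= mu F' always, so a true
    # inequality can never be refuted this way.
    x = {s: Fr(0) for s in mdp}
    for n in range(1, max_n + 1):
        x = bellman(mdp, alpha, x)
        if not leq(x, d):
            return n, x
    return None


# Constructed MDP: 0 is initial, 2 is the unsafe absorbing state, 3 is a safe sink.
SAMPLE: MDP = {
    0: {"a": {0: Fr(1, 2), 1: Fr(1, 2)}, "b": {1: Fr(3, 4), 3: Fr(1, 4)}},
    1: {"a": {0: Fr(1, 2), 2: Fr(1, 4), 3: Fr(1, 4)}},
    2: {"stay": {2: Fr(1)}},
    3: {"stay": {3: Fr(1)}},
}
ALPHA = frozenset({0, 1, 3})
# Least fixed point of F' on SAMPLE, computed by hand for this constructed model:
# the maximal probability of reaching state 2 from state 0 is 1/2 (always pick "a").
MU_F: Pred = {0: Fr(1, 2), 1: Fr(1, 2), 2: Fr(1), 3: Fr(0)}

if __name__ == "__main__":
    print(kleene_witness(SAMPLE, ALPHA, d_bound(SAMPLE, 0, Fr(1, 8)), 50))   # refuted at n = 3
    print(is_kt_witness(SAMPLE, ALPHA, MU_F, d_bound(SAMPLE, 0, Fr(1, 2))))  # True
```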

LT-PDR for Markov Reward Models: PDR MRM
We present a PDR-like algorithm for Markov reward models (MRMs), which seems to be new, as an instance of LT-PDR. An MRM consists of a set S of states and a transition function δ that maps s ∈ S (the current state) and c ∈ N (the reward) to a function δ(s)(c) : S → [0, 1]; the latter represents the probability distribution of next states.
Instance of PDR. The SP (Def. 5.5) is LFP-OA and thus amenable to LT-PDR. We call this instance PDR MRM. It seems new. See Appendix F for details.

Structural Derivation
The function F′ in Def. 5.5 can be expressed categorically as F′(x) = d_α ∧ δ* Ġ(x), where d_α : S → [0, ∞] carries s ∈ α to ∞ and s ∉ α to 0, and Ġ is a suitable lifting that accumulates expected reward. However, the SP (Def. 5.5) is not an instance of the three general safety problems in §4.2. Consequently, we expect that instances of LT-PDR other than PDR MRM (such as PDR F-Kr and PDR IB-Kr in §5.1) are hard to obtain for MRMs.

Implementation and Evaluation
Implementation LTPDR We implemented LT-PDR in Haskell.Exploiting Haskell's language features, it is succinct (∼50 lines) and almost a literal translation of Alg. 3 to Haskell.Its main part is presented in Appendix K.In particular, using suitable type classes, the code is as abstract and generic as Alg. 3. Specifically, our implementation is a Haskell module named LTPDR.It has two interfaces, namely the type class CLat τ (the lattice of predicates) and the type Heuristics τ (the definitions of Candidate, Decide, and Conflict).The main function for LT-PDR is ltPDR :: CLat τ ⇒ Heuristics τ → (τ → τ ) → τ → IO (PDRAnswer τ ), where the second argument is for a monotone function F of type τ → τ and the last is for the safety predicate α.
Obtaining concrete instances is easy by fixing τ and Heuristics τ .A simple implementation of PDR F-Kr takes 15 lines; a more serious SAT-based one for PDR F-Kr takes ∼130 lines; PDR IB-MDP and PDR MRM take ∼80 lines each.
Heuristics We briefly discuss the heuristics, i.e. how to choose x ∈ L in Candidate, Decide, and Conflict, used in our experiments.The heuristics of PDR F-Kr is based on the conventional PDR [9].The heuristics of PDR IB-MDP is based on the idea of representing the smallest possible x greater than some real number v ∈ [0, 1] (e.g.x taken in Candidate) as x = v + ǫ, where ǫ is a symbolic variable.This implies that Unfold (or Valid, Model) is always applied in finite steps, which further guarantees finite-step termination for invalid cases and ω-step termination for valid cases (see Appendix H for more detail).The heuristics of PDR MRM is similar to that of PDR IB-MDP .
Experiment Setting We experimentally assessed the performance of instances of LTPDR.The settings are as follows: 1.2GHz Quad-Core Intel Core i7 with 10 GB memory using Docker, for PDR IB-MDP ; Apple M1 Chip with 16 GB memory for the other.The different setting is because we needed Docker to run PrIC3 [6].
Experiments with PDR MRM Table 2a shows the results.We observe that PDR MRM answered correctly, and that the execution time is reasonable.Further performance analysis (e.g.comparison with [20]) and improvement is future work; the point here, nevertheless, is the fact that we obtained a reasonable MRM model checker by adding ∼80 lines to the generic solver LTPDR.
Experiments with PDR IB-MDP Table 2c shows the results.Both PrIC3 and our PDR IB-MDP solve a a linear programming (LP) problem in Decide.PrIC3 uses Z3 for this; PDR IB-MDP uses GLPK.PrIC3 represents an MDP symbolically, while PDR IB-MDP do so concretely.Symbolic representation in PDR IB-MDP is possible-it is future work.PrIC3 can use four different interpolation generalization methods, leading to different performance (Table 2c).
We observe that PDR IB-MDP outperforms PrIC3 for some benchmarks with smaller state spaces.We believe that the failure of PDR IB-MDP in many instances can be attributed to our current choice of a generalization method (it is the closest to the linear one for PrIC3).Table 2c suggests that use of polynomial or hybrid can enhance the performance.
Experiments with PDR F-Kr Table 2b shows the results.The benchmarks are mostly from the HWMCC'15 competition [1], except for latch0.smv4and counter.smv(our own).
IC3ref vastly outperforms PDR F-Kr in many instances.This is hardly a surprise-IC3ref was developed towards superior performance, while PDR F-Kr 's emphasis is on its theoretical simplicity and genericity.We nevertheless see that PDR F-Kr solves some benchmarks of substantial size, such as power2bit8.smv.This demonstrates the practical potential of LT-PDR, especially in view of the following improvement opportunities (we will pursue them as future work): 1) use of well-developed SAT solvers (we currently use toysolver5 for its good interface but we could use Z3); 2) allowing |C i | > 1, a technique discussed in §5.1 and implemented in IC3ref but not in PDR F-Kr ; and 3) other small improvements, e.g. in our CNF-based handling of propositional formulas.
Ablation Study. To assess the value of the key concept of PDR (namely the positive-negative interplay between the Knaster–Tarski and Kleene theorems (§3.3)), we compared PDR_F-Kr with the instances of positive and negative LT-PDR (§3.1–3.2) for Kripke structures.
Table 2d shows the results. Note that the value of the positive-negative interplay is already theoretically established; see e.g. Prop. 3.17 (the interplay detects executions that lead to nowhere). This value was also experimentally witnessed: see power2bit8.smv and simpleTrans.smv, where the one-sided methods made wrong choices and timed out. One-sided methods can be efficient when they get lucky (e.g. in counter.smv). LT-PDR may be slower because of the overhead of running two sides, but that is a trade-off for the increased chance of termination.

Discussion
We observe that all of the studied instances exhibited at least reasonable performance. We note again that detailed performance analysis and improvement is out of our current scope. Being able to derive these model checkers, with such a small effort as ∼100 lines of Haskell code each, demonstrates the value of our abstract theory and its generic Haskell implementation LTPDR.
Table 2: Experimental results for our PDR_F-Kr, PDR_IB-MDP, and PDR_MRM.

(a) Results with PDR_MRM. The MRM is from [4, Example 10.72], whose ground truth expected reward is 4/3. The benchmarks ask if the expected reward (not known to the solver) is ≤ 1.5 or ≤ 1.3.

Benchmark           Result   Time
DieByCoin ≤? 1.5    True     6.01 ms
DieByCoin ≤? 1.3    False    43.1 µs

(c) Results with PDR_IB-MDP (an excerpt of Table 3). Comparison is against PrIC3 [6] with four different interpolation generalization methods (none, linear, polynomial, hybrid). The benchmarks are from [6]. |S| is the number of states of the benchmark MDP. "GT pr." is for the ground truth probability, that is, the reachability probability $\Pr^{\max}(s_\iota \models \Diamond(S \setminus \alpha))$ computed outside the solvers under experiment. The solvers were asked whether the GT pr. (which they do not know) is ≤ λ or not; they all answered correctly. The last five columns show the average execution time in seconds. "-" is for "did not finish," for out of memory or timeout (600 sec.).

Conclusions and Future Work

We have presented a lattice-theoretic generalization of the PDR algorithm called LT-PDR. This involves the decomposition of the PDR algorithm into positive and negative ones, which are tightly connected to the Knaster–Tarski and Kleene fixed point theorems, respectively. We then combined it with the coalgebraic and fibrational theory for modeling transition systems with predicates. We instantiated it with several transition systems, deriving existing PDR algorithms as well as a new one over Markov reward models. We leave instantiating our LT-PDR and categorical safety problems to derive other PDR-like algorithms, such as PDR for hybrid systems [29], for future work.
We will also work on the combination of our work and the theory of abstract interpretation [10,12]. Our current framework axiomatizes what is needed of heuristics, but it does not tell how to realize such heuristics (which differ a lot in different concrete settings). We expect abstract interpretation to provide some general recipes for realizing such heuristics.

A Further Discussion of Related Work
We discuss some other works on generalization of PDR. Hoder and Bjørner [17] gave an abstract formulation of (the original) PDR, abstracting away implementation details (such as SAT-related ones) and presenting the algorithm itself as a transition system (an "abstract transition system" as they call it). Their notion of predicate transformer is an instance of our forward predicate transformer (Prop. 4.2). They also identified an invariant of frames, and our definition of KT sequence (Def. 3.5) is inspired by it. Another theoretical study of PDR is by Rinetzky and Shoham [24]. They studied PDR using abstract interpretation and showed a mapping between PDR configurations and elements of what they call cartesian trace semantics. In both of these works [17,24], the formulated PDR algorithms target Kripke structures, and do not accommodate quantitative verification. They are instances of our LT-PDR, especially for categorical safety problems introduced in §4.2 (specifically the FSP in §5.1), similarly to the original PDR. Moreover, our view of PDR as collaborative searches for KT and Kleene witnesses is not explicit in [17,24].
B LT-OpPDR (Rem. 3.24)

Recall that the GFP-UA problem $\alpha \le^? \nu F$ for $(L, F, \alpha)$ is defined to be the LFP-OA problem for $(L^{\mathrm{op}}, F, \alpha)$. Hence we can solve the GFP-UA problem by executing the LT-PDR algorithm over $L^{\mathrm{op}}$. We call this algorithm LT-OpPDR; in other words, LT-OpPDR is obtained by opposing each inequality in LT-PDR.
Although LT-OpPDR is a formal dual of LT-PDR, applying a PDR-like algorithm to GFP-UA problems seems to be new.
When $L$ admits a duality by an involution $\neg : L \to L^{\mathrm{op}}$, the GFP-UA problem in $L$ can be formulated as the LFP-OA problem in $L$ (not in $L^{\mathrm{op}}$ as in the above).
Proof. This is a consequence of a more general statement about translating LFP-OA problems by isomorphisms. Let $L$ be a complete lattice, $\alpha$ be an element in $L$, and $F : L \to L$ be an $\omega$-continuous function. For any complete lattice $L'$ with an order-preserving isomorphism $f :$

In this case, we can invoke the LT-PDR algorithm over $(L, \neg \circ F \circ \neg, \neg\alpha)$ to solve the GFP-UA problem $\alpha \le^? \nu F$. We however note that the execution steps of LT-OpPDR over $(L, F, \alpha)$, i.e. LT-PDR over $(L^{\mathrm{op}}, F, \alpha)$, and the execution steps of LT-PDR over $(L, \neg \circ F \circ \neg, \neg\alpha)$ are essentially the same; the configuration at each execution step is mutually convertible by the involution $\neg$.

C Structural Theory of PDR by Category Theory, Further Categorical Preliminaries
Here we provide more details on the categorical modeling in §4.1.
A fibration $p : E \to B$ is a functor that models indexing and substitution. That is, a functor $p : E \to B$ can be seen as a family of categories $(E_X)_{X \in B}$ indexed by $B$-objects. Categories with different indices are connected by substitution functors. In our examples, the base category $B$ is that of sets and functions, and the total category $E$ models "predicates" over $B$-objects. We review a minimal set of definitions and results on fibrations. A good reference is [19]; here we quote some definitions and examples given in §2.1 of [22]; see also [2] and [28]. The functor $p : E \to B$ is a fibration if, for each $Q \in E$ and each $l : X \to pQ$ in $B$, there exist $l^*Q \in E$ and a morphism $\overline{l} : l^*Q \to Q$ such that $p\overline{l} = l$ and $\overline{l}$ is cartesian. The functor $p : E \to B$ is an opfibration if $p^{\mathrm{op}} : E^{\mathrm{op}} \to B^{\mathrm{op}}$ is a fibration. A functor that is both a fibration and an opfibration is called a bifibration.
When $p$ is a fibration, the correspondence from $Q$ to $l^*Q$ described above induces the substitution functor $l^* : E_Y \to E_X$ which replaces the index. The following characterization of bifibrations is useful for us: a fibration $p$ is a bifibration if and only if each substitution functor $l^* : E_Y \to E_X$ (often called a pullback) has a left adjoint $l_* : E_X \to E_Y$ (often called a pushforward).
Definition C.2 (lifting [22, §2.1]). Let $p : E \to B$ be a functor. We say that an endofunctor $\dot{G}$ on $E$ is a lifting of $G$ along $p$ if $p \circ \dot{G} = G \circ p$. For an object $S \in B$, we write $\dot{G}_S : E_S \to E_{GS}$ for the restriction of $\dot{G}$ to fibres.
To manipulate complete lattices along a transition function, we focus on a certain class of posetal fibrations called $\mathbf{CLat}_\wedge$-fibrations. They can be seen as topological functors [16] whose fibres are posets. Many categories arising from spatial and logical structures naturally determine $\mathbf{CLat}_\wedge$-fibrations.
Definition C.3 ($\mathbf{CLat}_\wedge$-fibration [22, §2.1]). A $\mathbf{CLat}_\wedge$-fibration is a fibration $p : E \to B$ such that each fibre $E_X$ is a complete lattice and each substitution $f^* : E_Y \to E_X$ preserves all meets. In each fibre $E_X$, the order is denoted by $\le_X$ or $\le$. Its least and greatest elements are denoted by $\bot_X$ and $\top_X$; its join and meet are denoted by $\bigvee$ and $\bigwedge$.
The above simple axioms of $\mathbf{CLat}_\wedge$-fibrations induce many useful structures [21,28]. One of them is that a $\mathbf{CLat}_\wedge$-fibration is always a bifibration whose pushforwards $f_*$ arise essentially by Freyd's adjoint functor theorem.
Example C.4 (domain fibration). Here, we write $\mathbf{Set}/\Omega$ for the lax slice category with objects pairs $(X, f)$ of a set $X$ and a function $f : X \to \Omega$ (an "$\Omega$-valued predicate on $X$"). We shall often write simply $f : X \to \Omega$ for the pair $(X, f)$. Its morphisms from $f : X \to \Omega$ to $g : Y \to \Omega$ are functions $h : X \to Y$ such that $f \le_X g \circ h$, as shown above, where the order $\le_X$ is the pointwise order between functions of the type $X \to \Omega$; the same order $\le_X$ defines the order in each fibre $(\mathbf{Set}/\Omega)_X = \mathbf{Set}(X, \Omega)$. Then $d_\Omega$ is the evident forgetful functor, extracting the upper part of the above triangle. Following [2, Def. 4.1], we call $d_\Omega$ a domain fibration (from the lax slice category).

D Structural Derivation of Instances of LT-PDR ( §5)
In §5, for each instance of LT-PDR, we only sketched its structural derivation from the categorical theory in §4.2. Here we give a systematic exposition of the structural derivation.

(Diagram: the domain fibration $d_\Omega : \mathbf{Set}/\Omega \to \mathbf{Set}$.)

discuss concrete instances of our PDR framework. In its course, known PDR variations are organized in a unified categorical language; we also derive a new variation.
These concrete instances are formulated in a domain fibration $d_\Omega$ for varying $\Omega$ (Ex. C.4; see right). Given a complete lattice $\Omega$, a set functor $G$, and a monotone $G$-algebra $\tau : G\Omega \to \Omega$ (see Def. D.1 below), we obtain a setting $(d_\Omega, G, \dot{G})$ for safety problems (§4.2). Specifically, $\dot{G}$ is the lifting of $G$ defined by the given monotone $G$-algebra $\tau$; see Lem. D.2 below.

Definition D.1 (monotone algebra [2]). Let $G : \mathbf{Set} \to \mathbf{Set}$ be a functor and $\Omega$ be a complete lattice. We call $\tau :$

One benefit of this framework $(d_\Omega, G, \dot{G})$ is that we may easily get an involution as appears in Prop. 4.3. From a monotone function $\neg : \Omega \to \Omega^{\mathrm{op}}$ satisfying $\neg \circ \neg = \mathrm{id}$, we can define $\neg : E_S \to E_S^{\mathrm{op}}$ mapping $f : S \to \Omega$ to $\neg \circ f : S \to \Omega$. All involutions appearing in this section can be defined in this way.

D.2 LT-PDR for MDPs: PDR IB-MDP
We instantiate the theory in §4.2 to derive an LT-PDR algorithm for Markov decision processes (MDP for short). We then compare it with the probabilistic model checking algorithm PrIC3 [6].
An MDP consists of a set $S$ of states, a set $Act$ of actions and a transition function $\delta$ mapping $s \in S$ and $a \in Act$ to $\delta(s)(a)$ representing a probability distribution of next states. We model the transition function of the MDP as a coalgebra $\delta : S \to GS$ of $G := (\mathcal{D}(-) + 1)^{Act}$, where $\mathcal{D}$ is the finite probability distribution endofunctor on $\mathbf{Set}$ [27]. The case $\delta(s)(a) = * \in 1$ means that the action $a$ is not available at $s$.
To employ the theory in §4.2, we next choose a complete lattice $\Omega$ and a monotone $G$-algebra over $\Omega$. Consider the complete lattice $[0,1]$ of the real numbers in the unit interval with the usual order, and the monotone algebra $\tau :$ (note that $\min \emptyset = 1$). Then we obtain the triple $(d_{[0,1]}, G, \dot{G})$ as a setting of the safety problems in §4.2. We note that $\dot{G}_S$ does not have a left adjoint (see Appendix G). We therefore cannot apply Prop. 4.2 to the current setting.
We are ready to consider the backward safety problem for MDPs. Let $s_\iota \in S$ be an initial state, and $\alpha \subseteq S$ be a set of safe states. We convert $s_\iota$, $\lambda$ and $\alpha$ to $[0,1]$-valued predicates $d_{\iota,\lambda}$ and $d_\alpha$: $d_{\iota,\lambda}$ maps $s_\iota$ to $\lambda$ and others to 1, and $d_\alpha$ maps $s \in \alpha$ to 1 and $s \notin \alpha$ to 0. We use the involution $\neg : [0,1]^S \to [0,1]^S$ defined by $(\neg d)(s) := 1 - d(s)$, too. Then the backward safety problem for $(\neg d_{\iota,\lambda}, \delta, d_\alpha)$ in $(d_{[0,1]}, G, \dot{G})$ is the GFP-UA problem

$$\neg d_{\iota,\lambda} \le^? \nu x.\, d_\alpha \wedge \delta^* \dot{G} x. \tag{8}$$

This is the problem of whether the probability of being in $\alpha$ all the time is greater than or equal to $1 - \lambda$ under any choice of actions in the MDP.
The precise algorithm is in Appendix E. The function (10) is a standard Bellman operator for MDPs.
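As an added worked example (not the paper's Haskell code LTPDR), the following Python computes the predicate transformer $x \mapsto d_\alpha \wedge \delta^*\dot{G}x$ of (8) for a small constructed MDP, its greatest fixed point by Kleene iteration from $\top$, and the dual LFP-OA problem obtained through the involution $\neg d = 1 - d$ as in Appendix B. The MDP, the initial state, $\alpha$ and the thresholds $\lambda$ are constructed here, and the fixed points are computed by plain iteration rather than by LT-PDR.

```python
from typing import Callable, Dict, Optional, Set

State, Action = str, str
Dist = Dict[State, float]                         # finite probability distribution on S
MDP = Dict[State, Dict[Action, Optional[Dist]]]   # None: action unavailable (the * ∈ 1 case)
Pred = Dict[State, float]                         # a [0,1]-valued predicate d : S -> [0,1]

# Constructed MDP: s1 is a leak-free safe sink; s0 leaks to `bad` under both actions.
DELTA: MDP = {
    "s0":  {"a": {"s1": 0.9, "bad": 0.1}, "b": {"s1": 0.6, "bad": 0.4}},
    "s1":  {"a": {"s1": 1.0}, "b": None},
    "bad": {"a": {"bad": 1.0}, "b": None},
}
ALPHA: Set[State] = {"s0", "s1"}                  # safe states
S_INIT: State = "s0"                              # initial state s_iota

def lifted_min(delta: MDP, x: Pred) -> Pred:
    """delta^* G-dot x: expected value of x after one step, minimised over the
    actions available at each state (min of the empty set is 1)."""
    out: Pred = {}
    for s, acts in delta.items():
        vals = [sum(x[t] * p for t, p in d.items()) for d in acts.values() if d is not None]
        out[s] = min(vals) if vals else 1.0
    return out

def transformer(delta: MDP, alpha: Set[State], x: Pred) -> Pred:
    """F(x) = d_alpha /\\ delta^* G-dot x: pointwise meet with the indicator of alpha."""
    lifted = lifted_min(delta, x)
    return {s: min(1.0 if s in alpha else 0.0, lifted[s]) for s in delta}

def kleene(f: Callable[[Pred], Pred], start: Pred, tol: float = 1e-12) -> Pred:
    """Iterate f from `start` until the pointwise change drops below tol."""
    x = start
    while True:
        y = f(x)
        if max(abs(y[s] - x[s]) for s in x) < tol:
            return y
        x = y

def nu_safety(delta: MDP, alpha: Set[State]) -> Pred:
    """nu x. d_alpha /\\ delta^* G-dot x, iterated down from top: the probability of
    staying in alpha forever under the worst choice of actions."""
    return kleene(lambda x: transformer(delta, alpha, x), {s: 1.0 for s in delta})

def mu_unsafety(delta: MDP, alpha: Set[State]) -> Pred:
    """mu x. (not . F . not)(x), iterated up from bottom (Appendix B): the maximal
    probability of ever leaving alpha."""
    neg = lambda x: {s: 1.0 - v for s, v in x.items()}
    return kleene(lambda x: neg(transformer(delta, alpha, neg(x))), {s: 0.0 for s in delta})

def gfp_ua(delta: MDP, alpha: Set[State], s_init: State, lam: float) -> bool:
    """Question (8): not d_{iota,lambda} <= nu F, i.e. staying prob. >= 1 - lambda at s_init."""
    nu = nu_safety(delta, alpha)
    neg_d = {s: (1.0 - lam) if s == s_init else 0.0 for s in delta}   # not d_{iota,lambda}
    return all(neg_d[s] <= nu[s] + 1e-9 for s in delta)

def lfp_oa_dual(delta: MDP, alpha: Set[State], s_init: State, lam: float) -> bool:
    """The same question as the LFP-OA problem for (L, not . F . not, d_{iota,lambda})."""
    mu = mu_unsafety(delta, alpha)
    d = {s: lam if s == s_init else 1.0 for s in delta}                # d_{iota,lambda}
    return all(mu[s] <= d[s] + 1e-9 for s in delta)
```

For this MDP the worst-case staying probability at s0 is 0.6, so the threshold λ = 0.5 is answered True and λ = 0.3 False by both formulations, which agree pointwise via ν = 1 − µ.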

D.3 LT-PDR for Markov Reward Models: PDR MRM
We instantiate an LT-PDR algorithm for Markov Reward Models (MRM for short), which is seemingly new. As we said in §5.3, the safety problem we will define is not an instance of the theory in §4.

(Decide): If $C_i \le F'(X_{i-1})$ (i.e. for all $s \in \alpha$, there exists $a_s \in Act$ such that $C_i(s) \le \sum_{s' \in S} X_{i-1}(s') \cdot \delta(s)(a_s)(s')$), let $(X; C) := (X; (x, C_i, \ldots, C_{n-1}))$ where $x : S \to [0,1]$ is defined as follows. Let $a_s \in Act$ be an action for $s \in \alpha$ satisfying $C_i(s) \le \sum_{s' \in S} X_{i-1}(s') \cdot \delta(s)(a_s)(s')$, and $V$ be the set $\{s' \in S \mid \delta(s)(a_s)(s') \neq 0 \text{ for some } s \in \mathrm{supp}(C_i) \cap \alpha\}$. Then we define $x$ by $x(s) := x_s + \epsilon$ if $s \in V$ and $x(s) := X_{i-1}(s)$ otherwise, where $(x_s)_{s \in V}$ is determined by solving the following linear program: find $(x_s)_{s \in V}$ that minimize $\sum_{s \in V} (2$

(Conflict): If $C_i > F'(X_{i-1})$ (i.e. there exists $s \in \alpha$ such that $C_i(s) > \sum_{s' \in S} X_{i-1}(s') \cdot \delta(s)(a)(s')$ for all $a \in Act$), $A := \{s \in \alpha \mid C_i(s) > \sum_{s' \in S} X_{i-1}(s') \cdot \delta(s)(a)(s') \text{ for all } a \in Act\}$ is not empty. Then let $(X; C) := (X[X_j := X_j \wedge x]_{2 \le j \le i}; (C_{i+1}, \ldots, C_{n-1}))$ where $x : S \to [0,1]$ maps $s \in A$ to 1, $s \notin A$ with $C_i(s) = v + \epsilon$ to $v$, and others to $F'X_{i-1}(s)$.
Note that $C_i(s)$ is always $v \in [0,1]$ or $v + \epsilon$ for some $v \in [0,1)$ by the rules defined above. When applying Conflict, each value of $\epsilon$ in the Kleene sequence $C$ can be implicitly determined as small enough so that all conditions in the rules (e.g. $C_i \le X_i$ and $C_i \le F'(X_{i-1})$) hold. By this fact the heuristics above are valid for Alg. 4. The heuristics of PDR_MRM in §6 are similarly designed.

I Full Experiment Results for PDR IB-MDP
See Table 3.
Theorem 3.4. Let $L, F, \alpha$ be as in Def. 3.1. There exists a KT witness (Cor. 2.3) if and only if there exists a KT$^\omega$ witness. ⊓⊔

sequences, namely $X = {}_{n \ge 2}\, X|_n$ where $X|_n \in [n, L]$ is the length-$n$ prefix of $X$.

until any return value is obtained; 3). Each rule of LT-PDR, when applied to a pair of a KT and a Kleene sequence, yields a pair of a KT and a Kleene sequence.

Many existing PDR algorithms ensure termination if the state space is finite. A general principle behind this is stated below. Note that it rarely applies to infinitary or quantitative settings, where we would need some abstraction for termination.

1. Valid and Model rules are immediately applied if applicable. 2. $(L, \le)$ is well-founded. 3. Either of the following is satisfied: a) $\mu F \le \alpha$ and $(L, \le)$ has no strictly increasing $\omega$-chain bounded by $\alpha$, or b) $\mu F \not\le \alpha$. ⊓⊔

Cond. 1 is natural: it just requires LT-PDR to immediately conclude 'True' or 'False' if it can. Cond. 2–3 are always satisfied when $L$ is finite. Thm. 3.22 and Prop. 3.23 still hold if the Induction rule is dropped. However, the rule can accelerate the convergence of KT sequences and improve efficiency.

Remark 3.24 (LT-OpPDR). The GFP-UA problem $\alpha \le^? \nu F$ is the dual of LFP-OA, obtained by opposing the order $\le$ in $L$. We can also dualize the LT-PDR algorithm (Alg. 3), obtaining what we call the LT-OpPDR algorithm for GFP-UA. Moreover, we can express LT-OpPDR as LT-PDR if a suitable involution $\neg : L \to L^{\mathrm{op}}$ is present. See Appendix B for further details; see also Prop. 4.3.

[18] that appear in model checking. In this context, 1) the underlying lattice $L$ is that of predicates over a state space, and 2) the function $F : L \to L$ arises from the dynamic/transition structure, specifically as a predicate transformer. The categorical notions in Table 1 model these ideas (state-based dynamics, predicate transformers). This modeling is well-established in the community. Our introduction of Table

Table 1: Categorical modeling of state-based dynamics and predicate transformers

A transition system as a coalgebra [18] in the base category B of sets and functions:
| objects X, Y, ... in B | sets (in our examples where B = Set) |
| an arrow f : X → Y in B | a function (in our examples where B = Set) |
| | ... Act for MDPs (§5.2), etc. |
| a coalgebra δ : S → GS in B [18] | a transition system (Kripke structure, MDP, etc.) |

A fibration p : E → B [19] that equips sets in B with predicates:
| the fiber category E_S over S in B | the lattice of predicates over a set S |
| the pullback functor l* : E_Y → E_X for l : X → Y in B | substitution P(y) → P(l(x)) in predicates P ∈ E_Y over Y |
| a lifting Ġ : E → E of G along p | logical interpretation of the transition type G (specifies e.g. the may vs. must modalities) |

The predicate transformer, whose fixed points are of our interest:
| the composite δ* Ġ : E_S → E_S | the predicate transformer associated with the transition system δ |

$S \to E_S$. Then we can translate BSP to the following LFP-OA problem. It directly asks whether all reachable states are safe.

Proposition 4.2 (forward safety problem, FSP). In the setting of Def. 4.1, assume that each $\dot{G}_X : E_X \to E_{GX}$ preserves all meets. Then by letting $\dot{H}_S : E_{GS} \to E_S$ be the left adjoint of $\dot{G}_S$, the BSP (2) is equivalent to the LFP-OA problem for $(E_S, \iota \vee \dot{H}_S \delta^*, \alpha)$: $\mu x.\, \iota \vee \dot{H}_S \delta^* x \le^? \alpha$.
Definition C.1 (fibre, fibration; [22, §2.1]). Let $p : E \to B$ be a functor. For each $X \in B$, the fibre $E_X$ over $X$ is the category with objects $P \in E$ such that $pP = X$ and morphisms $f : P \to Q$ such that $pf = \mathrm{id}_X$. A morphism $f : P \to Q$ in $E$ is cartesian if it satisfies the following universality: for each $g : R \to Q$ in $E$ and $k : pR \to pP$ in $B$ with $pg = pf \circ k$, there exists a unique morphism $h : R \to P$ satisfying $g = f \circ h$ and $ph = k$ (see the diagram above).