Abstraction Refinement for Emptiness Checking of Alternating Data Automata

. Alternating automata have been widely used to model and verify systems that handle data from ﬁnite domains, such as communication protocols or hardware. The main advantage of the alternating model of computation is that complementation is possible in linear time, thus allowing to concisely encode trace inclusion problems that occur often in veriﬁcation. In this paper we consider alternating automata over inﬁnite alphabets, whose transition rules are formulae in a combined theory of Booleans and some inﬁnite data domain, that relate past and current values of the data variables. The data theory is not ﬁxed, but rather it is a parameter of the class. We show that union, intersection and complementation are possible in linear time in this model and, though the emptiness problem is undecidable, we provide two e ﬃ cient semi-algorithms, inspired by two state-of-the-art abstraction reﬁnement model checking methods: lazy predicate abstraction [8] and the I mpact semi-algorithm [16]. We have implemented both methods and report the results of an experimental comparison.


Introduction
The language inclusion problem is recognized as being central to verification of hardware, communication protocols and software systems.A property is a specification of the correct executions of a system, given as a set P of executions, and the verification problem asks if the set S of executions of the system under consideration is contained within P. This problem is at the core of widespread verification techniques, such as automata-theoretic model checking [22], where systems are specified as finite-state automata and properties defined using Linear Temporal Logic [20].However the bottleneck of this and other related verification techniques is the intractability of language inclusion (PSPACE-complete for finite-state automata over finite alphabets).
Alternation [3] was introduced as a generalization of nondeterminism, introducing universal, in addition to existential transitions.For automata over finite alphabets, the language inclusion problem can be encoded as the emptiness problem of an alternating automaton of linear size.Moreover, efficient exploration techniques based on antichains are shown to perform well for alternating automata over finite alphabets [5].
Using finite alphabets for the specification of properties and models is however very restrictive, when dealing with real-life computer systems, mostly because of the following reasons.On one hand, programs handle data from very large domains, that can be assumed to be infinite (64-bit integers, floating point numbers, strings of characters, etc.) and their correctness must be specified in terms of the data values.On the other hand, systems must respond to strict deadlines, which requires temporal specifications as timed languages [1].
Although being convenient specification tools, automata over infinite alphabets lack the decidability properties ensured by finite alphabets.In general, when considering infinite data as part of the input alphabet, language inclusion is undecidable and, even complementation becomes impossible, for instance, for timed automata [1] or finitememory register automata [12].One can recover theoretical decidability, by restricting the number of variables (clocks) in timed automata to one [19], or forbidding relations between current and past/future values, as with symbolic automata [23].In such cases, also the emptiness problem for the alternating versions becomes decidable [13,4].
In this paper, we present a new model of alternating automata over infinite alphabets consisting of pairs (a, ν) where a is an input event from a finite set and ν is a valuation of a finite set x of variables that range over an infinite domain.We assume that, at all times, the successive values taken by the variables in x are an observable part of the language, in other words, there are no hidden variables in our model.The transition rules are specified by a set of formulae, in a combined first-order theory of Boolean control states and data, that relate past with present values of the variables.We do not fix the data theory a priori, but rather consider it to be a parameter of the class.
A run over an input word (a 1 , ν 1 ) . . .(a n , ν n ) is a sequence φ 0 (x 0 ) ⇒ φ 1 (x 0 , x 1 ) ⇒ . . .⇒ φ n (x 0 , . . ., x n ) of rewritings of the initial formula by substituting Boolean states with time-stamped transition rules.The word is accepted if the final formula φ n (x 0 , . . ., x n ) holds, when all time-stamped variables x 1 , . . ., x n are substituted by their values in ν 1 , . . ., ν n , all non-final states replaced by false and all final states by true.
The Boolean operations of union, intersection and complement can be implemented in linear time in this model, thus matching the complexity of performing these operations in the finite-alphabet case.The price to be paid is that emptiness becomes undecidable, for which reason we provide two efficient semi-algorithms for emptiness, based on lazy predicate abstraction [8] and the Impact method [16].These algorithms are proven to terminate and return a word from the language of the automaton, if one exists, but termination is not guaranteed when the language is empty.
We have implemented the Boolean operations and emptiness checking semi-algorithms and carried out experiments with examples taken from array logics [2], timed automata [9], communication protocols [24] and hardware verification [21].
Related Work Data languages and automata have been defined previously, in a classical nondeterministic setting.For instance, Kaminski and Francez [12] consider languages, over an infinite alphabet of data, recognized by automata with a finite number of registers, that store the input data and compare it using equality.Just as the timed languages recognized by timed automata [1], these languages, called quasi-regular, are not closed under complement, but their emptiness is decidable.The impossibility of complementation here is caused by the use of hidden variables, which we do not allow.Emptiness is however undecidable in our case, mainly because counting (incrementing and comparing to a constant) data values is allowed, in many data theories.
Another related model is that of predicate automata [6], which recognize languages over integer data by labeling the words with conjunctions of uninterpreted predicates.
We intend to explore further the connection with our model of alternating data automata, in order to apply our method to the verification of parallel programs.
The model presented in this paper stems from the language inclusion problem considered in [11].There we provide a semi-algorithm for inclusion of data languages, based on an exponential determinization procedure and an abstraction refinement loop using lazy predicate abstraction [8].In this work we consider the full model of alternation and rely entirely on the ability of SMT solvers to produce interpolants in the combined theory of Booleans and data.Since determinisation is not needed and complementation is possible in linear time, the bulk of the work is carried out by the solver.
The emptiness check for alternating data automata adapts similar semi-algorithms for nondeterministic infinite-state programs to the alternating model of computation.In particular, we considered the state-of-the-art Impact procedure [16] that is shown to outperform lazy predicate abstraction [8] in the nondeterministic case, and generalized it to cope with alternation.More recent approaches for interpolant-based abstraction refinement target Horn systems [17,10], used to encode recursive and concurrent programs [7].However, the emptiness of alternating word automata cannot be directly encoded using Horn clauses, because all the branches of the computation synchronize on the same input, which cannot be encoded by a finite number of local (equality) constraints.We believe that the lazy annotation techniques for Horn clauses are suited for branching computations, which we intend to consider in a future tree automata setting.

Preliminaries
A signature S = (S s , S f ) consists of a set S s of sort symbols and a set S f of sorted function symbols.To simplify the presentation, we assume w.l.o.g. that S s = {Data, Bool}1 and each function symbol f ∈ S f has #( f ) ≥ 0 arguments of sort Data and return value σ( f ) ∈ S s .If #( f ) = 0 then f is a constant.We consider constants and ⊥ of sort Bool.
Let Var be an infinite countable set of variables, where each x ∈ Var has an associated sort σ(x).A term t of sort σ(t) = S is a variable x ∈ Var where σ(x) = S , or f (t 1 , . . ., t #( f ) ) where t 1 , . . ., t #( f ) are terms of sort Data and σ( f ) = S .An atom is a term of sort Bool or an equality t ≈ s between two terms of sort Data.A formula is an existentially quantified combination of atoms using disjunction ∨, conjunction ∧ and negation ¬ and we write φ → ψ for ¬φ ∨ ψ.
We denote by FV σ (φ) the set of free variables of sort σ in φ and write FV(φ) for σ∈S s FV σ (φ).For a variable x ∈ FV(φ) and a term t such that σ(t) = σ(x), let φ[t/x] be the result of replacing each occurrence of x by t.For indexed sets t = {t 1 , . . ., t n } and x = {x 1 , . . ., x n }, we write φ[t/x] for the formula obtained by simultaneously replacing x i with t i in φ, for all i ∈ [1, n].The size |φ| is the number of symbols occuring in φ.
An interpretation I maps (1) the sort Data into a non-empty set Data I , (2) the sort Bool into the set B = {true, false}, where I = true, ⊥ I = false, and (3) each function symbol f into a total function f I : (Data I ) #( f ) → σ( f ) I , or an element of σ( f ) I when #( f ) = 0. Given an interpretation I, a valuation ν maps each variable x ∈ Var into an element ν(x) ∈ σ(x) I .For a term t, we denote by t I ν the value obtained by replacing each function symbol f by its interpretation f I and each variable x by its valuation ν(x).For a formula φ, we write I, ν | = φ if the formula obtained by replacing each term t in φ by the value t I ν is logically equivalent to true.A formula φ is satisfiable in the interpretation I if there exists a valuation ν such that I, ν | = φ, and valid if I, ν | = φ for all valuations ν.The theory T(S, I) is the set of valid formulae written in the signature S, with the interpretation I.A decision procedure for T(S, I) is an algorithm that takes a formula φ in the signature S and returns yes iff φ ∈ T(S, I).

Alternating Data Automata
In the rest of this section we fix an interpretation I and a finite alphabet Σ of input events.Given a finite set x ⊂ Var of variables of sort Data, let x → Data I be the set of valuations of the variables x and Σ[x] = Σ × (x → Data I ) be the set of data symbols.A data word (word in the sequel) is a finite sequence (a 1 , ν 1 )(a 2 , ν 2 ) . . .(a n , ν n ) of data symbols, where a 1 , . . ., a n ∈ Σ and ν 1 , . . ., ν n : x → Data I are valuations.We denote by ε the empty sequence, by Σ * the set of finite sequences of input events and by Σ[x] * the set of data words over x.
This definition generalizes the classical notion of words from a finite alphabet to the possibly infinite alphabet Σ[x].Clearly, when Data I is sufficiently large or infinite, we can map the elements of Σ into designated elements of Data I and use a special variable to encode the input events.However, keeping Σ explicit in the following simplifies several technical points below, without cluttering the presentation.
Given sets of variables b, x ⊂ Var of sort Bool and Data, respectively, we denote by Form(b, x) the set of formulae φ such that FV Bool (φ) ⊆ b and FV Data (φ) ⊆ x.By Form + (b, x) we denote the set of formulae from Form(b, x) in which each Boolean variable occurs under an even number of negations.
An alternating data automaton (ADA or automaton in the sequel) is a tuple A = x, Q, ι, F, ∆ , where: In each formula ∆(q, a) describing a transition rule, the variables x track the previous and x the current values of the variables of A. Observe that the initial values of the variables are left unconstrained, as the initial configuration does not contain free data variables.The size of A is defined as |A| = |ι| + (q,a)∈Q×Σ |∆(q, a)|.
Formally, let x k = {x k | x ∈ x}, for any k ≥ 0, be a set of time-stamped variables.For an input event a ∈ Σ and a formula φ, we write ∆(φ, a) (respectively ∆ k (φ, a)) for the formula obtained from φ by simultaneously replacing each state q ∈ FV Bool (φ) by the formula ∆(q, a) (respectively ∆(q, a)[x k /x, x k+1 /x], for k ≥ 0).Given a word w = (a 1 , ν 1 )(a 2 , ν 2 ) . . .(a n , ν n ), the run of A over w is the sequence of formulae: Next, we slightly abuse notation and write ∆(ι, a 1 , . . ., a n ) for the formula φ n (x 0 , . . ., x n ) above.We say that A accepts w iff I, ν | = ∆(ι, a 1 , . . ., a n ), for some valuation ν that maps: (1) Example The following sequence is a non-accepting run of the ADA from Figure 1 on the word (a, 0, 0 ), (a, 1, 1 ), (b, 2, 1 ), where Data I = Z and the function symbols have standard arithmetic interpretation: In this paper we tackle the following problems: 1. Boolean closure: given automata A 1 and A 2 , both with the same set of variables x, do there exist automata A ∪ , A ∩ and It is well known that other problems, such as universality (given automaton A with variables x, does L(A) = Σ[x] * ?) and inclusion (given automata A 1 and A 2 with the same set of variables, does L(A 1 ) ⊆ L(A 2 )?) can be reduced to the above problems.Observe furthermore that we do not consider cases in which the sets of variables in the two automata differ.An interesting problem in this case would be: given automata A 1 and A 2 , with variables x 1 and x 2 , respectively, such that x 1 ⊆ x 2 , does L(A 1 ) ⊆ L(A 2 )↓ x 1 , where L(A 2 )↓ x 1 is the projection of the set of words L(A 2 ) onto the variables x 1 ?This problem is considered as future work.

Boolean Closure
Given a set Q of Boolean variables and a set x of variables of sort Data, for a formula φ ∈ Form + (Q, x), with no negated occurrences of the Boolean variables, we define the formula φ ∈ Form + (Q, x) recursively on the structure of φ: In the following let , where w.l.o.g.we assume that Q 1 ∩ Q 2 = ∅.We define: where ∆ 1 (q, a) ≡ ∆ 1 (q, a), for all q ∈ Q 1 and a ∈ Σ.The following lemma shows the correctness of the above definitions: thus the automata for the Boolean operations, including complementation, can be built in linear time.This matches the linear-time bounds for intersection and complementation of alternating automata over finite alphabets [3].

Antichains and Interpolants for Emptiness
The emptiness problem for ADA is undecidable, even in very simple cases.For instance, if Data I is the set of positive integers, an ADA can simulate an Alternating Vector Addition System with States (AVASS) using only atoms x ≥ k and x = x + k, for k ∈ Z, with the classical interpretation of the function symbols on integers.Since reachability of a control state is undecidable for AVASS [14], ADA emptiness is undecidable.
Consequently, we give up on the guarantee for termination and build semi-algorithms that meet the requirements below: (i) given an automaton A, if L(A) ∅, the procedure will terminate and return a word w ∈ L(A), and (ii) if the procedure terminates without returning such a word, then L(A) = ∅.
Let us fix an automaton A = x, Q, ι, F, ∆ whose (finite) input event alphabet is Σ, for the rest of this section.Given a formula φ ∈ Form + (Q, x) and an input event a ∈ Σ, we define the post-image function Post A (φ, a) ≡ ∃x .∆(φ[x/x], a) ∈ Form + (Q, x), mapping each formula in Form + (Q, x) to a formula defining the effect of reading the event a.We generalize the post-image function to finite sequences of input events, as follows: Then the emptiness problem for A becomes: does there exist u ∈ Σ * such that the formula Acc A (u) is satisfiable?Observe that, since we ask a satisfiability query, the final states of A need not be constrained 2 .A naïve semi-algorithm enumerates all finite sequences and checks the satisfiability of Acc A (u) for each u ∈ Σ * , using a decision procedure for the theory T(S, I).
Since no Boolean variable from Q occurs under negation in φ, it is easy to prove the following monotonicity property: given two formulae φ, ψ This suggest an improvement of the above semi-algorithm, that enumerates and stores only a set U ⊆ Σ * for which {Post A (φ, u) | u ∈ U} forms an antichain3 w.r.t. the entailment partial order.This is because, for any is satisfiable as well, and there is no need for u, since the non-emptiness of A can be proved using v alone.However, even with this optimization, the enumeration of sequences from Σ * diverges in many real cases, because infinite antichains exist in many interpretations, e.g.q ∧ x ≈ 0, q ∧ x ≈ 1, . . .for Data I = N.
A safety invariant for A is a function I : (Q → B) → 2 x →Data I such that, for every Boolean valuation β : Q → B, every valuation ν : x → Data I of the data variables and every finite sequence u ∈ Σ * of input events, the following hold: 1.
. If I satisfies only the first point above, we call it an invariant.Intuitively, a safety invariant maps every Boolean valuation into a set of data valuations, that contains the initial configuration ι ≡ Post A (ι, ε), whose data variables are unconstrained, overapproximates the set of reachable valuations (point 1) and excludes the valuations satisfying the acceptance condition (point 2).A formula φ(Q, x) is said to define I iff for all β : Q → B and ν : x → Data I , we have I, Lemma 2. For any automaton A, we have L(A) = ∅ if and only if A has a safety invariant.
Turning back to the issue of divergence of language emptiness semi-algorithms in the case L(A) = ∅, we can observe that an enumeration of input sequences u 1 , u 2 , . . .∈ Σ * can stop at step k as soon as k i=1 Post A (ι, u i ) defines a safety invariant for A. Although this condition can be effectively checked using a decision procedure for the theory T(S, I), there is no guarantee that this check will ever succeed.
The solution we adopt in the sequel is abstraction to ensure the termination of invariant computations.However, it is worth pointing out from the start that abstraction alone will only allow us to build invariants that are not necessarily safety invariants.To meet the latter condition, we resort to counterexample guided abstraction refinement (CEGAR).
Formally, we fix a set of formulae Π ⊆ Form(Q, x), such that ⊥ ∈ Π and refer to these formulae as predicates.Given a formula φ, we denote by φ ≡ {π ∈ Π | φ | = π} the abstraction of φ w.r.t. the predicates in Π.The abstract versions of the post-image and acceptance condition are defined as follows: For any bijection µ : N → Σ * , there exists k > 0 such that k i=0 Post A (ι, µ(i)) defines an invariant I for A.
We are left with fulfilling point (2) from the definition of a safety invariant.To this end, suppose that, for a given set Π of predicates, the invariant I , defined by the previous lemma, meets point (1) but not point (2), where Post A and Acc A replace Post A and Acc A , respectively.In other words, there exists a finite sequence u ∈ Σ * such that ν ∈ I (β) and I, β∪ν | = Acc A (u), for some Boolean β : Q → B and data ν : x → Data I valuations.Such a u ∈ Σ * is called a counterexample.
Once a counterexample u is discovered, there are two possibilities.Either (i) Acc A (u) is satisfiable, in which case u is feasible and L(A) ∅, or (ii) Acc A (u) is unsatisfiable, in which case u is spurious.In the first case, our semi-algorithm stops and returns a witness for non-emptiness, obtained from the satisfying valuation of Acc A (u) and in the second case, we must strenghten the invariant by excluding from I all pairs (β, ν) such that I, β ∪ ν | = Acc A (u).This strenghtening is carried out by adding to Π several predicates that are sufficient to exclude the spurious counterexample.
Given an unsatisfiable conjunction of formulae ψ 1 ∧ . . .∧ ψ n , an interpolant is a tuple of formulae I 1 , . . ., I n−1 , I n such that I n ≡ ⊥, I i ∧ ψ i | = T I i+1 and I i contains only variables and function symbols that are common to ψ i and ψ i+1 , for all i ∈ [n − 1].Moreover, by Lyndon's Interpolation Theorem [15], we can assume without loss of generality that every Boolean variable with at least one positive (negative) occurrence in I i has at least one positive (negative) occurrence in both ψ i and ψ i+1 .In the following, we shall assume the existence of an interpolating decision procedure for T(S, I) that meets the requirements of Lyndon's Interpolation Theorem.
A classical method for abstraction refinement is to add the elements of the interpolant obtained from a proof of spuriousness to the set of predicates.This guarantees progress, meaning that the particular spurious counterexample, from which the interpolant was generated, will never be revisited in the future.Though not always, in many practical test cases this progress property eventually yields a safety invariant.
Given a non-empty spurious counterexample u = a 1 . . .a n , where n > 0, we consider the following interpolation problem: is the initial configuration of A, with every q ∈ FV Bool (ι) replaced by q 0 .The definition of θ k , for all k ∈ [1, n], uses replacement sets R ⊆ Q , ∈ [0, n], which are defined inductively below: - The intuition is that R 0 , . . ., R n are the sets of states replaced, θ 0 , . . ., θ n are the sets of transition rules fired on the run of A over u and θ n+1 is the acceptance condition, which forces the last remaining non-final states to be false.We recall that a run of A over u is a sequence: where φ 0 is the initial configuration ι and for each k > 0, φ k is obtained from φ k−1 by replacing each state q ∈ FV Bool (φ k−1 ) by the formula ∆(q, a k )[x k−1 /x, x k /x], given by the transition function of A. Observe that, because the states are replaced with transition formulae when moving one step in a run, these formulae lose track of the control history and are not suitable for producing interpolants that relate states and data.
The main idea behind the above definition of the interpolation problem is that we would like to obtain an interpolant , I 0 (Q), I 1 (Q, x), . . ., I n (Q, x), ⊥ whose formulae combine states with the data constraints that must hold locally, whenever the control reaches a certain Boolean configuration.This association of states with data valuations is tantamount to defining efficient semi-algorithms, based on lazy abstraction [8].Furthermore, the abstraction defined by the interpolants generated in this way can also over-approximate the control structure of an automaton, in addition to the sets of data values encountered throughout its runs.
The correctness of this interpolation-based abstraction refinement setup is captured by the progress property below, which guarantees that adding the formulae of an interpolant for Θ(u) to the set Π of predicates suffices to exclude the spurious counterexample u from future searches.Lemma 4. For any sequence u = a 1 . . .a n ∈ Σ * , if Acc A (u) is unsatisfiable, the following hold: 1. Θ(u) is unsatisfiable, and 2. if , I 0 , . . ., I n , ⊥ is an interpolant for Θ(u) such that

Lazy Predicate Abstraction for ADA Emptiness
We have now all the ingredients to describe the first emptiness checking semi-algorithm for alternating data automata.Algorithm 4 1 builds an abstract reachability tree (ART) whose nodes are labeled with formulae over-approximating the concrete sets of configurations, and a covering relation between nodes in order to ensure that the set of formulae labeling the nodes in the ART forms an antichain.Any spurious counterexample is eliminated by computing an interpolant and adding its formulae to the set of predicates (cf.Lemma 4).Formally, an ART is tuple T = N, E, r, Λ, R, T, , where: ) is a labeling of the nodes with formulae, such that ) is a labeling of edges with time-stamped formulae, and -⊆ N × N is a set of covering edges.
Each node n ∈ N corresponds to a unique path from the root to n, labeled by a sequence λ(n) ∈ Σ * of input events.The least infeasible suffix of λ(n) is the smallest sequence v = a 1 . . .a k , such that λ(n) = wv, for some w ∈ Σ * and the following formula is unsatisfiable: where θ 1 , . . ., θ k+1 are defined as in (1) and The pivot of n is the node p corresponding to the start of the least infeasible suffix.We assume the existence of two functions FindPivot(u, T ) and LeastInfeasibleSuffix(u, T ) that return the pivot and least infeasbile suffix of a sequence u ∈ Σ * in an ART T , without detailing their implementation.With these considerations, Algorithm 1 uses a worklist iteration to build an ART.We keep newly expanded nodes of T in a queue WorkList, thus implementing a breadthfirst exploration strategy, which guarantees that the shortest counterexamples are explored first.When the search encounters a counterexample candidate u, it is checked for spuriousness.If the counterexample is feasible, the procedure returns a data word w ∈ L(A), which interleaves the input events of u with the data valuations from the model of Acc A (u) (since u is feasible, clearly Acc A (u) is satisfiable).Otherwise, u is spurious and we compute its pivot p (line 12), add the interpolants for the least unfeasible suffix of u to Π, remove and recompute the subtree of T rooted at p.
Termination of Algorithm 1 depends on the ability of a given interpolating decision procedure for the combined Boolean and data theory T(S, I) to provide interpolants that yield a safety invariant, whenever L(A) = ∅.In this case, we use the covering relation to ensure that, when a newly generated node is covered by a node already in N, it is not added to the worklist, thus cutting the current branch of the search.
Formally, for any two nodes n, m ∈ N, we have n m iff Post A (Λ(n), a) | = Λ(m) for some a ∈ Σ, in other words, if n has a successor whose label entails the label of m. 10: Π ← Π ∪ {I 0 , . . ., I }, where , I 0 , . . ., I , ⊥ is an interpolant for Ψ (v) 15: let S = N , E , p, Λ , be the subtree of T rooted at p 16: for (m, q) ∈ such that q ∈ N do for a ∈ Σ do expand n 22: 23:

25:
else 26: let s be a fresh node 27: worklist nodes covered by s 30: for r ∈ R do 31:

35:
remove R from T

37: return true
Example Consider the automaton given in Figure 1.First, Algorithm 1 fires the sequence a, and since there are no other formulae than ⊥ in Π, the successor of ι ≡ q 0 is , in Figure 2 (a).The spuriousness check for a yields the root of the ART as pivot and the interpolant q 0 , q 1 , which is added to the set Π. Then the node is removed and the next time a is fired, it creates a node labeled q 1 .The second sequence aa creates a successor node q 1 , which is covered by the first, depicted with a dashed arrow, in Figure 2 (b).The third sequence is ab, which results in a new uncovered node and triggers a spuriousness check.The new predicate obtained from this check is x ≤ 0 ∧ q 2 ∧ y ≥ 0 and the pivot is again the root.Then the entire ART is rebuilt with the new predicates and the fourth sequence aab yields an uncovered node , in Figure 2 (c).The new pivot is the endpoint of a and the newly added predicates are q 1 ∧ q 2 and y > x − 1 ∧ q 2 .Finally, the ART is rebuilt from the pivot node and finally all nodes are covered, thus proving the emptiness of the automaton, in Figure 2 (d).
The correctness of Algorithm 1 is proved below: 6 Checking ADA Emptiness with Impact As pointed out by a number of authors, the bottleneck of predicate abstraction is the high cost of reconstructing parts of the ART, subsequent to the refinement of the set of predicates.The main idea of the Impact procedure [16] is that this can be avoided and the refinement (strenghtening of the node labels of the ART) can be performed inplace.This refinement step requires an update of the covering relation, because a node that used to cover another node might not cover it after the strenghtening of its label.We consider a total alphabetical order ≺ on Σ and lift it to the total lexicographical order ≺ * on Σ * .A node n ∈ N is covered if (n, p) ∈ or it has an ancestor m such that (m, p) ∈ , for some p ∈ N. A node n is closed if it is covered, or Λ(n) | = Λ(m) for all m ∈ N such that λ(m) ≺ * λ(n).Observe that we use the coverage relation here with a different meaning than in Algorithm 1.
The execution of Algorithm 2 consists of three phases5 : close, refine and expand.Let n be a node removed from the worklist at line 4.If Acc A (λ(n)) is satisfiable, the counterexample λ(n) is feasible, in which case a model of Acc A (λ(n)) is obtained and a word w ∈ L(A) is returned.Otherwise, λ(n) is a spurious counterexample and the procedure enters the refinement phase (lines [11][12][13][14][15][16][17][18].The interpolant for Θ(λ(n)) (cf.formula 1) is used to strenghten the labels of all the ancestors of n, by conjoining the formulae of the interpolant to the existing labels.
In this process, the nodes on the path between r and n, including n, might become eligible for coverage, therefore we attempt to close each ancestor of n that is impacted by the refinement (line 18).Observe that, in this case the call to Close must uncover for i = 0, . . ., k do 14: 19: if n is not covered then 20: for a ∈ Σ do expand n

21:
let s be a fresh node and e = (n, a, s) be a new edge
The correctness of Algorithm 2 is coined by the theorem below: Theorem 2. Given an automaton A, such that L(A) ∅, Algorithm 2 terminates and returns a word w ∈ L(A).If Algorithm 2 terminates reporting true, then L(A) = ∅.

Experimental Evaluation
We have implemented both Algorithm 1 and 2 in a prototype tool 6 that uses the Math-SAT5 SMT solver7 via the Java SMT interface 8 for the satisfiability queries and interpolant generation, in the theory of linear integer arithmetic with uninterpreted Boolean functions (UFLIA).We compared both algorithms with a previous implementation of a trace inclusion procedure, called Includer9 , that uses on-the-fly determinisation and lazy predicate abstraction with interpolant-based refinement [11] in the LIA theory.
The results of the experiments are given in Table 1.We applied the tool first to several array logic entailments, which occur as verification conditions for imperative programs with arrays [2] (array shift, array simple, array rotation1+2) available online [18].Next, we applied it on proving safety properties of hardware circuits (hw1+2) [21].Finally, we considered two timed communication protocols, consisting of systems that are asynchronous compositions of timed automata, whom correctness specifications are given by timed automata monitors: a timed version of the Alternating Bit Protocol (abp) [24] and a controller of a railroad crossing (train) [9].All results were obtained on x86 64 Linux Ubuntu virtual machine with 8GB of RAM running on an Intel(R) Xeon(R) CPU E5-2683 v3 @ 2.00GHz.The automata sizes are given in bytes needed to store their ASCII description on file and the execution times are in seconds.As in the case of non-alternating nondeterministic integer programs [16], the alternating version of Impact (Algorithm 2) outperforms lazy predicate abstraction for checking emptiness by at least one order of magnitude.Moreover, Impact is comparable, on average, to the previous implementation of Includer, which uses also MathSAT5 via the C API.We believe the reason for which Includer outperforms Impact on some examples is the hardness of the UFLIA entailment checks used Algorithm 2 (line 14 and line 3 in the function Close) as opposed to the pure LIA entailment checks used in Includer.According to our statistics, Algorithm 2 spends more than 50% of the time waiting for the SMT solver to finish answering entailment queries.
Acc A (λ(n)) is satisfiable, and Algorithm 2 returns at line 9, upon encountering λ(n).But this contradicts the assumption that Algorithm 2 returns true, hence we have proved that n∈N Λ(n) is a safety invariant, and L(A) = ∅ follows, by Lemma 2. We have then proved the second point of the statement.
To prove the first point, assume that L(A) ∅.By the previous point, Algorithm 2 does not return true.Suppose, by contradiction, that it does not terminate and conclude using the breadth-first argument from the proof of Theorem 1.

17 :
remove m from N and enqueue m into WorkList 18: remove S from T 19: enqueue p into WorkList recompute the subtree rooted at p 20: else 21: