Verification modulo theories

In this paper, we consider the problem of model checking fair transition systems expressed symbolically in the framework of Satisfiability Modulo Theories. This problem, referred to as Verification Modulo Theories, is tackled by combining two key elements from the legacy of Ed Clarke: SAT-based verification and abstraction refinement. We show how fundamental SAT-based algorithms have been lifted to deal with the extended expressiveness with a tight integration of abstraction within a CEGAR loop. In turn, the case of nonlinear theories is based on a CEGAR loop over the linear case. These two elements have also deeply impacted the development of the NuSMV model checker, born from a joint project between FBK and CMU, and its successor nuXmv, whose core integrates SMT-based techniques for VMT.


Introduction
In the early 80's, Edmund Clarke coauthored one of the papers that gave birth to the field of Model Checking [1,2], for which he received the 2007 ACM Turing Award [3]. Substantial breakthrough came from Clarke's work on Bounded Model Checking [4], with two key insights. The first was to consider the problem of debugging, giving up completeness and focusing on the analysis of bounded traces. The second was to understand the potential for SAT-based techniques as a possible replacement of BDDs in symbolic model checking. This paved the way to the development of SAT-based verification techniques of increasing power, from K-induction [5], to interpolation [6] and IC3 [7]. Later, Clarke and his colleagues introduced the fundamental concept of Counter-Example Guided Abstraction Refinement (CEGAR) [8]. CEGAR is an automated approach that combines the idea of reasoning in an abstract space, thus eliminating hopefully irrelevant details, with the idea of selectively introducing additional information based on spurious counterexamples.
These works heavily influenced the field of formal verification, and our own research in the last two decades. In this paper, we give an overview of our work on Verification Modulo Theories (VMT). VMT is the problem of model checking fair transition systems expressed symbolically in the framework of Satisfiability Modulo Theories (SMT). The framework is very appealing, because it is generic: similarly to the case of SMT, the expressiveness of the transition system depends on the background theory. This gives the ability to easily represent various kinds of infinite-state transition systems, and to express temporal properties with a background theory, in particular Linear-time Temporal Logic modulo Theory (LTL(T)). In a nutshell, this research can be seen as generalizing SAT-based verification to the case of infinite-state transition systems, leveraging the enormous progress of the field of SMT, by tightly integrating the computation of effective abstractions.
We first consider the problem of invariant checking, by generalizing to the infinite-state case two SAT-based algorithms, K-induction and IC3, by means of predicate abstraction. In particular, we rely on the idea of implicit predicate abstraction [9] to avoid the bottleneck resulting from the eager computation of the abstract space. This enables a tighter integration of the abstraction within a CEGAR loop, as the refinement can be achieved incrementally. The resulting algorithms are able to deal with huge numbers of predicates, which are completely out of reach in the eager case [10].
Then, we consider invariant checking in the presence of nonlinear theories. This case can not be easily dealt with by a simple adaptation of the techniques above, since the SMT solvers are, in the case of nonlinear theories, currently unable to fulfill the requirements (interpolation, quantifier elimination) imposed by the algorithms. Hence, we adopt a CEGAR loop where nonlinear operators (e.g. multiplication, transcendental functions) are modeled as uninterpreted functions, and whose interpretation is progressively restricted by means of piecewise-linear constraints [11].
The algorithms for invariant verification lay the foundations to deal with the case of temporal properties. Based on the idea of invariant checking, temporal logic model checking is tackled by considering specialized algorithms for the two complementary cases of proving and disproving LTL(T) properties. The first one is based on generalizations of the liveness-to-safety and K-liveness algorithms, with extensions specific to deal with infinite-state transition systems. In [12], implicit predicate abstraction is used to integrate liveness-to-safety and well-founded relations to prove LTL(T) properties. Spurious abstract lasso-shaped counterexamples that are not covered by the well-founded relations are used to find new predicates or new relations in a generalized CEGAR. In [13], K-liveness is extended for timed systems to avoid spurious counterexamples based on Zeno behaviors. When counting the number of occurrences of a live signal to prove an LTL(T) property, the minimal time between two occurrences is bounded by a symbolic expression derived from the model. The second dual case of finding violations to an LTL(T) property is hindered by the fact that, differently from the finite-state case, false temporal properties may not admit lasso-shaped counterexamples. The idea is hence to provide an underapproximation of the model that only contains counterexample traces. The underapproximation is obtained by a search algorithm that segments the execution trace into a sequence of regions, whose states are eventually "funneled" into the following one, so that progress towards a fair region condition is ensured [14,15].
All the above algorithms have been implemented in the nuXmv model checker [16], a successor of the NuSMV model checker [17], born from a joint project between FBK and CMU. nuXmv integrates at its core the MathSAT [18] SMT solver to support a number of SMT-based techniques for VMT, and supports the standardized VMT language [19]. In turn, nuXmv is at the core of the HyCOMP [20] model checker for hybrid automata, the xSAP [21] tool for safety assessment, and of the OCRA [22] tool for contract-based design. The techniques described in this paper have been applied in several industrial settings: nuclear [23], biological [24], railways [25,26], avionics [27], space [28,29], software engineering [30,31], and multi-core design [32].
This paper is structured as follows. In Sect. 2, we overview Satisfiability Modulo Theories. In Sect. 3, we define the problem of Verification Modulo Theories. In Sect. 4, we discuss implicit predicate abstraction and refinement. In Sect. 5, we overview the abstractionbased algorithms for invariant checking, and, in Sect. 6, we discuss the extension to the nonlinear case by way of incremental linearization. In Sect. 7, we present the algorithms for LTL(T) model checking. In Sect. 8, we overview the NuSMV and nuXmv verification engines. In Sect. 9 we draw some conclusions.

First-order notation
We work in the setting of standard first order logic. We assume to be given a signature Σ of function and predicate symbols. A 0-ary function symbol is called a constant. A Σ-term is a first-order term built out of function symbols and variables. If t 1 , … , t n are Σ-terms and p is a predicate symbol, then p(t 1 , … , t n ) is a Σ-atom. A Σ-formula is built in the usual way out of the universal and existential quantifiers, Boolean connectives, and Σ-atoms. When Σ is implicit, we omit it and just talk about terms, atoms, and formulas. A literal is either an atom or its negation. We call a formula quantifier-free if it does not contain quantifiers, and ground if it does not contain free variables.
A clause is a disjunction of literals. A formula is said to be in conjunctive normal form (CNF) if it is a conjunction of clauses. For every non-CNF formula , an equisatisfiable CNF formula can be generated in polynomial time [33].
We also assume the usual first-order notions of interpretation, satisfiability, validity, logical consequence, and theory, as given, e.g., in [34]. We write Γ ⊧ to denote that the formula is a logical consequence of the (possibly infinite) set Γ of formulas. A first-order theory, T , is a set of first-order sentences. A structure A is a model of a theory T if A 1 3 In what follows, with a little abuse of notation, we might denote conjunctions of literals l 1 ∧ … ∧ l n as sets {l 1 , … , l n } and vice versa. If ≡ {l 1 , … , l n } , we might write ¬ to mean ¬l 1 ∨ … ∨ ¬l n . Moreover, following the terminology of the SAT and SMT communities, we shall refer to predicates of arity zero as propositional variables, and to uninterpreted constants as theory variables. Finally, if a formula is satisfiable, we shall call a model of any assignment to (possibly a subset of) the variables of and interpretation of symbols which make the formula true, and we denote this with ⊧ . If is a model and x is a variable, we write [x] for the value of x in .
Note that we use the symbol ⊧ with different denotations. If and are state formulas, ⊧ denotes that is a logical consequence of . If is an interpretation, ⊧ denotes that is a model of . Later, we will introduce transition systems, paths, invariant properties and LTL properties. If S is a transition system and an invariant property, S ⊧ denotes that is an invariant of S. If instead is a LTL(T ) formula and an infinite-path of the transition system S, we use ⊧ to denote that the path satisfies the LTL(T ) formula and S ⊧ to denote that all the infinite paths of S satisfy . Different usages of ⊧ will be clear from the context.

SAT and SMT solvers
A SAT solver is a procedure that can decide the satisfiability of a propositional formula (typically assumed to be in CNF), i.e. it returns true iff has at least one model. Modern SAT solver implementations typically follow the CDCL (Conflict-Driven-Clause-Learning) architecture [35]. Given a first-order theory T , an SMT solver for T -SMT(T) -is a procedure that is able to decide the satisfiability of Boolean combinations of (quantifierfree) propositional atoms and theory atoms in T . 1 Examples of useful theories are equality and uninterpreted functions, difference logic and linear arithmetic, either over the rationals or the integers, the theory of arrays, that of bit vectors, and their combinations.
The currently most popular approach for solving the SMT(T) problem is the so-called "lazy" approach [36,37], also frequently called DPLL(T ) or CDCL(T ) [38]. The lazy approach works by combining a propositional SAT solver based on the CDCL algorithm with a theory solver for T (T -solver), which is a procedure that can decide the satisfiability in T of sets/conjunctions of ground atomic formulas and their negations. Essentially, CDCL is used as an enumerator of truth assignments i of the atoms of that propositionally satisfy the input formula, and the T -solver is used for checking the T -satisfiability of the enumerated assignments: if the current i is T -satisfiable, then is T -satisfiable. Otherwise, if i is T -unsatisfiable, the T -solver generates an unsatisfiable core i , i.e. a subset of i which is still T -unsatisfiable; the negation of i , which is a clause that is valid in T (and therefore called a theory lemma or T -lemma), is then added to the input formula, and the CDCL solver is called again on the updated formula. The procedure continues until either a T -satisfiable i is found, or the problem becomes propositionally unsatisfiable (and therefore also T -unsatisfiable). In practice, several optimizations and heuristics are applied 1 3 to make this basic description of the lazy SMT approach competitive. We refer the interested reader to [36,37] for more details.

Symbolic fair transition systems
We represent infinite-state systems over a background theory T with signature Σ . A transition system S is a tuple ⟨X, I, T⟩ where X is a set of (state) variables, I(X) is a Σ-formula representing the initial states, and T(X, X � ) is a Σ-formula representing the transitions ( X � ∶= {x � | x ∈ X} is the set of variables representing the next state of the transition system).
A state s of a transition system S is an interpretation ⟨M, s ⟩ to the symbols in the signature Σ and the variables X, where M and s are respectively the domain and the assignment of the interpretation. The satisfaction relation s ⊧ for a Σ-formula is defined as usual. We write s ′ for the state s where the assignments to the variables x ∈ X from s are substituted with assignments to the variables x � ∈ X � (i.e., for all x ∈ X , s(x) = s � (x � ) ). A finite path (of length k) of S is a finite sequence ∶= s 0 , s 1 , … , s k of states with the same domain and interpretation of the symbols in Σ (e.g., for a term t ∈ Σ , Notice that the interpretation of the symbols in the signature Σ is rigid, meaning that the interpretation to uninterpreted functions and predicates does not change across the states in a path (while the assignments to the variables X can change). We say that a state s is reachable in S if and only if there exists a path of S ending in s. The set of reachable states of a transition system represented with formulas interpreted over theories can be infinite. We denote the set of all states (not necessarily reachable) of a system with state variables X as S X .
is an infinite-state transition system, where {c, d} are integer variables. The initial state s 0 of the system has an assignment s 0 where s 0 [c] = 0 and s 0 [d] = 0 . At every transition, the system S increases d by one and increases c by d. A path ∶= s 0 , s 1 , s 2 of the system S is such that A fair transition system S ∶= ⟨X, I, T, F⟩ is a transition system with an additional fairness condition F. An infinite path ∶= s 0 , s 1 , … of a fair transition system S is such that all the states have the same domain and interpretation of symbols in Σ , s 0 ⊧ I and for all An infinite path is a fair path if for each i ≥ 0 there exists j > i such that s j ⊧ F (i.e., the path visits the fairness condition F infinitely often). Given two (fair) transition systems S 1 ∶= ⟨X 1 , I 1 , T 1 , F 1 ⟩ and S 2 ∶= ⟨X 2 , I 2 , T 2 , F 2 ⟩ , their synchronous product is

Example 2 Consider the fair transition system
In the following, we implicitly assume to represent the transition systems over a theory T with a signature Σ.

LTL(T ): linear temporal logic modulo theory
Linear-time Temporal Logic (LTL) [39] is a modal logic to express sets of infinite traces of a transition system. We consider LTL(T ) formulas [40], 2 an extension of LTL where atomic propositions are first-order predicates over the theory T and with variables X and X ′ . Formally, a LTL(T ) formula is: where p is a predicate, 1 and 2 are LTL(T ) formulas, and t 1 , … , t k are terms. A term t is: where f is a function symbol, t 1 , … , t k are terms, a is a constant, x ∈ X is a variable (in a set of variables X), and x � ∈ X � is a variable in the set of variables representing the next state. A predicate of LTL(T ) also contains the next state variables X ′ as terms. In such way, a LTL(T ) formula can predicate about the next value of a variable, instead of just relating formulas in the current state and next state of the path with the LTL temporal operator X . We will use the standard abbreviations F ∶= ⊤U and G ∶= ¬F¬ to denote the "finally" F and "globally" G operator.
In the following we consider infinite paths where all the states have the same domain and interpretation of symbols in Σ , while the assignments to the set of variables X in the states can change. Given an infinite path ∶= s 0 , s 1 , … we write [i] for the i-th element of (i.e., s i ) and we write i for the suffix of starting from state i-th (i.e., i ∶= s i , s i+1 , … ). We define when an infinite path satisfies the LTL(T ) formula (i.e., ⊧ ) by induction:

Example 3 Consider for example the LTL formula FG c < d and the path
The path satisfies the formula because it assigns initially both c and d to 0, and then c to 0 and d to 1 forever.

Invariant checking
Given a transition system S = ⟨X, I, T⟩ and formula P(X) over the variables X, the invariant verification problem for S and P is the problem to check if all the reachable states of S satisfy the formula P. In that case, we say that the transition system S satisfies the formula P, written as S ⊧ P . The formula P(X) represents a set of "safe" states of the system, while any state in the complement ¬P is an "unsafe" state. The dual formulation of the invariant verification problem is the reachability problem, which asks if there exists a reachable state s such that s ⊧ ¬P.
A challenge when checking invariant properties for infinite-state systems is to compute a possibly infinite set of reachable states. Instead, a central notion to solve the invariant verification problem for infinite-state systems are inductive invariants: a formula is an inductive invariant for a transition system S if I(X) ⊧ (X) and (X) ∧ T(X, X � ) ⊧ (X � ) . We can solve the invariant verification problem by finding an inductive invariant such that ⊧ P (i.e., if is an inductive invariant and ⊧ P , then S ⊧ P ). Note that the set of reachable states R(X) is the strongest inductive invariant (i.e., R(X) is an inductive invariant and for any other inductive invariant (X) we have that R(X) ⊧ (X)).

LTL(T ) model checking
The LTL(T ) model checking problem is the problem of checking if all the infinite paths of a fair transition system S ∶= ⟨X, I, T⟩ satisfy an LTL(T ) formula (i.e., for all infinite paths of S, ⊧ ). We denote the LTL(T ) verification problem as S ⊧ .
In the following, we consider standard reductions [41][42][43] of the LTL model checking problem S ⊧ to the model checking problem S × S ¬ ⊧ FG¬f ¬ (i.e., S ⊧ if and only if S × S ¬ ⊧ FG¬f ¬ ), where S ¬ is a transition system with a fairness condition f ¬ . Such reduction allows us to prove that S ̸ ⊧ by finding a counterexample in the form of a fair path, i.e., a path that visits the fairness condition f ¬ of S × S ¬ infinitely many times. In the following, we assume that the above transformation has been applied to the LTL(T ) model checking problem, and consider a problem in the form S ⊧ FG¬f ¬ , where is a formula whose atoms are either propositional variables or predicates. When clear from the context, we also drop the subscript ⋅ ¬ , and simply use FG¬f .

Algorithms for model checking modulo theories
Symbolic transition systems represented with propositional logic formulas can model finite-state systems such as hardware design. Several successful symbolic model checking algorithms [4][5][6][7] for finite-state systems are based on SAT solvers. Furthermore, as we highlighted in Sect. 2, in the last two decades there has been an important progress in deciding the satisfiability of formulas in first-order logic modulo theory. Such improvements enable a seamless transition of the verification algorithms for finite-state systems based on SAT solvers to algorithms that verify infinite-state systems, represented with SMT formulas, based on SMT solvers. In the following, we survey how the main verification algorithms that have been proposed in the SAT-based setting can be naïvely applied to infinite-state systems by simply replacing the underlying decision procedure (i.e., from a SAT to an SMT solver).

Invariant checking
Bounded Model Checking (BMC). BMC [4] is a symbolic reachability analysis algorithm that explores paths of a transition system that can be reached in a bounded number of steps k. BMC was first introduced to find violations to LTL properties for finite-state systems and was subsequently extended to infinite-state systems [44], substituting the underlying SAT solver with a SMT solver. BMC encodes the problem of finding a violation to an invariant property P with a path of length k as follows: The formula BMC k is satisfiable if and only if there exists a finite path of the transition system S that reaches a state s k in k steps and s k ̸ ⊧ P . To find a violation, we encode the condition BMC k for an increasing value of k, and check each time the satisfiability of the formula BMC k . Note that different encodings of the BMC problems are possible (e.g., one may encode the problem of finding violations in any of the i-steps from 0 to k).
-K-Induction. While BMC could, in principle, prove that S ⊧ P by exploring a sufficiently large bound k, such an upper bound is generally very large for finite-state systems and does not exist, in general, for infinite-state systems. Thus, in practice BMC is effective only in finding violations to an invariant verification problem. K-induction [5] builds on top of BMC and generalizes the induction principle to multiple steps of the system with the goal of proving an invariant property. The k-induction proof consists of a base and an inductive step. The base step proves that an invariant property P holds for all the states reachable in k − 1 steps. We prove this step showing that a BMC query similar to Eq. (1), but where the violation of the property is checked at every time step (i.e., ⋁ k i=0 ¬P(X i ) ), is unsatisfiable. The inductive step proves either that: any path of length k cannot reach a state that was not visited with a path of length k − 1 (Eq. (2)); or any safe path of length k − 1 cannot be extended to a path of length k that violates P (Eq. (3)). The formulas that formalize the inductive steps are: where: The simple path formula SIMPLE k restrict the search to simple paths, paths containing all different states (i.e., paths that never visit a state more than once). The formula KINDFW k encodes the set of simple paths of length k starting from an initial state of S. If such formula is unsatisfiable, then there is no path of length k that contains an unseen state in a path of length k − 1 . Thus, if the base case holds (i.e., all the states visited in the system up to length k − 1 satisfy P) and the formula KINDFW k is unsatisfiable, we can conclude that S ⊧ P since we visited all the states of S. The formula KINDBW k provides another sufficient condition to prove that S ⊧ P and encodes that an (uninitialized) path of length k − 1 that is safe can be extended to a path of length k that can violate P. Also in this case, the simple path formula SIMPLE k encodes the uniqueness of the states in the suffix. If the base case holds and the formula KINDBW k is unsatisfiable we can conclude that S ⊧ P.
IC3. IC3 [7] is an efficient SAT-based algorithm for the verification of finitestate systems, with Boolean state variables and propositional logic formulas. The IC3 algorithm tries to prove that S ⊧ P by finding a suitable inductive invariant F(X) such that F(X) ⊧ P(X) . In order to construct F , IC3 maintains a sequence of formulas (called trace) Therefore, each element of the trace F i+1 , called a frame, is inductive relative to the previous one, F i . IC3 strengthens the frames by finding new relative inductive clauses. A clause c is inductive relative to the frame F , i.e. F ∧ c ∧ T ⊧ c � , iff the formula is unsatisfiable, so that a check of relative inductiveness can be directly tackled by a SAT solver. At a high level, IC3 proceeds incrementally by alternating two phases: a blocking phase, and a propagation phase. In the blocking phase, the trace is analyzed to prove that no intersection between F k and ¬P(X) is possible. During this phase, the trace is enriched with additional formulas, which can be seen as strengthening the approximation of the reachable state space. At the end of the blocking phase, either F k ⊧ P is proved or a counterexample is generated.
In the propagation phase, IC3 tries to extend the trace with a new formula F k+1 , moving forward the clauses from preceding F i 's. If, during this process, two consecutive frames become identical (i.e. F i = F i+1 ), then a fixpoint is reached, and IC3 terminates with F i being an inductive invariant proving the property.
In the blocking phase IC3 maintains a set of pairs (s, i), where s is a set of states that can lead to a bad state, and i > 0 is a position in the current trace. New formulas (in the form of clauses) to be added to the current trace are derived by (recursively) proving that a cube s of a pair (s, i) is unreachable starting from the formula F i−1 . This is done by checking the satisfiability of the formula RelInd(F i−1 , T, ¬s) . If the formula is unsatisfiable, then ¬s is inductive relative to F i−1 , and the bad state s can be blocked at i. This is done by generalizing ¬s to a stronger clause ¬g that is still inductive relative to F i−1 , and adding ¬g to F i . Inductive generalization is a central step of IC3, that is crucial for the performance of the algorithm. Adding ¬g to F i blocks not only the bad cube s, but possibly also many others, thus allowing for a faster convergence of the algorithm.
If, instead, (5) is satisfiable, then the overapproximation F i−1 is not strong enough to show that s is unreachable. In this case, let p be a subset of the states in F i−1 ∧ ¬s such that all the states in p lead to a state in s ′ in one transition step. Then, IC3 continues by trying to show that p is not reachable in one step from F i−2 (that is, it tries to block the pair (p, i − 1) ). This procedure continues recursively, possibly generating other pairs to block at earlier points in the trace, until either IC3 generates a pair (q, 0), meaning that the system does not satisfy the property, or the trace is eventually strengthened so that the original pair (s, i) can be blocked.

Liveness checking
Encoding lasso-shaped paths. The liveness verification problem S ⊧ FG¬f amounts to show that no infinite path in S visits f infinitely often. We can modify the BMC encoding to find lasso-shaped paths. A path ∶= s 0 , s i , … s k is lasso-shaped if there exists j < k such that s k , s j ⊧ T(X k , X j ) (i.e., the state s k can "loop-back" to the state s j ). The path is formed by a finite path s 0 , … , s j−1 and a suffix s j , … , s k , which represents a loop. A lasso-shaped path represents the infinite path of the system where the suffix can be repeated for an infinite number of times. The BMC encoding (1) can be modified to find fair lasso-shaped paths as follows: The formula BMC k f is satisfiable if there exists a lasso-shaped path where at least one of the states in the loop satisfies f.
Liveness to safety reduction. The liveness to safety reduction (L2S) [45] encodes the liveness model checking problem as an invariant model checking problem. The L2S encoding transforms the transition system S to the new transition system S L2S = ⟨X ∪ X L2S , I L2S , T L2S ⟩ , where the set of variables X L2S contains a copy of the system variables and the additional variables {seen, triggered, loop} . The new transition relation T L2S guesses non-deterministically a state of the system where a loop of a fair path starts and stores such state in the variables X L2S . When doing so, it also sets the Boolean variable seen to true for recording that a loop started. The transition relation further records (with the triggered variable) if the fairness condition f has been seen since the start of the loop, and records if a fair lasso-shaped path for the fairness condition f exists with the loop variable. In the case S is a finite-state system, the reduction is such that S ⊧ FG¬f if and only if S L2S ⊧ ¬loop . In the infinite-state case, instead, the L2S reduction can only find some of the violations to the liveness properties for the system S, i.e., if S L2S ⊧ ¬loop then S ⊧ FG¬f , but the converse does not hold. [46] is an algorithm that reduces the liveness verification problem S ⊧ FG¬f to a sequence of safety verification problems. The main observation of the K-Liveness algorithm is that each path of the system S satisfies f a finite number of times iff S ⊧ FG¬f . The K-Liveness algorithm finds a non-negative upper bound K on the number of times a path of S visits a state s that satisfy f. Let the formula #(f ) ≥ K be true for a finite path of S, written as ⊧ #(f ) ≥ K , if the number of times a state satisfying f in the path is not greater than K (i.e., #(f ) denotes the size of the set {i | [i] ⊧ f } ). We express that all the paths of the system S do not reach f more than K times with S ⊧ #(f ) ≤ K . We have that:

K-Liveness. K-Liveness
The K-Liveness algorithm iteratively finds such K by solving a sequence of verification problems for an increasing value of K (i.e., the algorithm checks We can easily reduce each verification problem S ⊧ #(f ) ≤ n , for a natural number n ∈ ℕ , to an invariant verification problem. We first augment the transition system S with an additional variable c counting the number of times a state satisfies f (i.e., the variable c starts from 0 and increments its value by 1 whenever the system visits a state satisfying f). Then, we verify that S ⊧ c ≤ n with an invariant model checking algorithm. In the original paper proposing K-Liveness [46] the authors propose an efficient implementation that uses the IC3 algorithm to solve each safety verification problem. Such implementation exploits the incremental nature of IC3 to reuse all the frames IC3 learned when solving the problem S ⊧ c ≤ n to solve the next verification problem S ⊧ c ≤ n + 1 . This optimization is sound since the transition system S does not change and the property c ≤ n implies c ≤ n + 1 , and both conditions ensure that the invariants on the frames learned when verifying S ⊧ c ≤ n also hold when verifying S ⊧ c ≤ n + 1.

Challenges when verifying infinite-state systems
The algorithms we present above are sound when we apply them to a symbolic fair transition system and we use SMT to decide satisfiability. However, since both the invariant and liveness verification problems are undecidable for infinite-state transition systems, the procedures may not terminate. Furthermore, the procedures above may also not terminate on decidable subclasses of the verification problem (e.g., safety verification timed automata [47]) or on specific problem instances that may have a solution (e.g., k-induction and IC3 may be not be able to find an inductive invariant even if one exists). Here, we focus our attention on the second problem, and we redirect the reader to several of the ad-hoc extensions of the above techniques that target decidable cases for a description of solutions to the first one (e.g. [48,49]).

Invariant checking.
In the infinite-state setting, Bounded Model Checking, k-induction, and IC3 will eventually find a violation to a safety property, if such a violation exists. However, in an infinite-state system there is no maximum depth k that guarantees to visit all the reachable states (the least number of steps to reach all the reachable states of in an infinite state system, the diameter, can be unbounded).
Both the k-induction and IC3 algorithms may fail to prove that a property holds. In k-induction, the inductive check with k steps may not be sufficient to prove the system is safe, and the simple path condition SIMPLE k can be satisfiable for any k, preventing both formulas KINDFW k and KINDBW k from ever being unsatisfiable. A naïve extension of the IC3 algorithm to SMT is not effective because of the blocking phase. When the algorithm cannot block a pair (s, i), it finds a predecessor state (p, i − 1) to block from an assignment satisfying the relative induction formula (5) (i.e., RelInd(F i−1 , T, ¬s) ). Such strategies would block a single state from an infinite set of states, and thus is ineffective. In Sect. 5 we present modifications to the k-induction and IC3 algorithms that efficiently verify a sequence of finite-state abstractions of the system using counterexample-guided abstraction refinement (CEGAR) [50].
Example 4 Both k-induction and IC3 will fail to verify that the transition system S = ⟨{c, d}, c = 0 ∧ d = 0, (c � = c + d ∧ d � = d + 1)⟩ from the Example 1 satisfies the property d ≤ 3 ∨ c > d . Observe that such property holds, since when d = 4 the variable c is 4, and then we have that c > d in the following states of the path.
Applying k-induction would fail: (i) The base step for any k ≥ 0 succeeds (cleary, BMC cannot find a counterexample); (ii) the KINDFW k formula (2) is always satisfiable, since every path of length k − 1 can be extended to a k-long path with an "unseen" state (e.g., incrementing d by one will obtain a state with a new value of d for the path); (iii) similarly, the KINDBW k formula (3) is also satisfiable following a similary reasoning.
Applying a naïve version of IC3 would also be ineffective: the algorithm would keep enumerating states that do not satisfy d ≤ 3 ∨ c > d in the blocking phase. While each one of such states can be blocked by the previous frame via the the relative inductive check (5), their number is still infinite, so the algorithm would not terminate.
Liveness checking. One of the main challenges when verifying liveness properties for infinite-state systems is that a violated property is not guaranteed to have a lasso-shaped counterexample (e.g., all counterexamples may be paths where the value of variables diverge).
The BMC encoding shown in (6) only finds lasso-shaped paths, so the algorithm is not guaranteed to find a counterexample, even when one exists. The algorithm in Sect. 7.3 addresses this issue using the notion of recurrence sets.

Example 5 Consider the fair transition system
However, BMC would fail since the transition system has only fair paths that are not lasso-shaped.
The existence of non lasso-shaped paths does not allow to apply the same liveness to safety [45] reduction for finite-state systems for proving a liveness property. The reduction works by recoding the occurrence of a lasso-shaped path violating the fairness condition, so such reduction does not take into account non lasso-shaped paths. In Sect. 7.1 we describe an algorithm that circumvents such issues using abstraction techniques and wellfounded relations.

Example 6
Consider the fair transition system S = ⟨{c, d}, c ≥ 0, c � = c + d ∧ d � = d + 1, ⊤⟩ and the LTL(T ) property FG c < d . We have that S ̸ ⊧ FG c < d since, independently from the initial value of d, d will eventually be positive and c will eventually become greater than d. The transition system has only fair paths that are not lasso-shaped. Such paths are ignored by the L2S reduction that, when applied naïvely, results in a transition system where the loop variable is never true (i.e., there are no fair paths in the L2S reduction). In this case, verifying the L2S reduction would wrongly conclude that S ⊧ FG c < d.
The existence of paths that are not lasso-shaped further affects k-liveness. K-liveness proves fairness by showing that there exists a bound on the number of times a fairness property is falsified. Even if a fairness property holds, such bound may not be an integer number, but a value that depends on a, possibly infinite-valued, variable of the transition system (e.g., an uninitialized parameter). In Sect. 7.2 we present an algorithm that tackles such issues in transition systems where the value of a variable diverges along all the computation paths.

Example 7
Consider the fair transition system from Example 6 and the property FG ¬(c < d) . K-liveness would reduce the check of S ⊧ FG ¬(c < d) to find a bound K on the number of times S visits a state where c < d . Since the initial value of the variable d is unknown in the initial state, there is no upper bound on the value of K: after we fix a K, we can always pick a new path, choosing a smaller initial value for d, where the system visits a state where c < d for K + 1 times.

CEGAR and predicate abstraction
Abstraction [51] is a technique used to reduce the search space while preserving the satisfaction of some properties. In symbolic model checking, the abstraction yields a simpler transition system Ŝ , possibly described by a different set of variables (denoted here by X ). The abstraction is usually obtained by means of a surjective function ∶ S X → SX , called abstraction function, that maps the states of a symbolic fair transition system S into states of Ŝ . The concretization function ∶ SX → 2 S X is defined as (ŝ) = {s ∈ S X | (s) =ŝ} .
The abstraction function is symbolically represented by a formula H (X,X) such that The Counterexample Guided Abstraction Refinement (CEGAR) framework [50] leverages abstraction to create a simplified version of the input transition system, which is amenable for finite state model checking. The abstraction is typically constructed to be conservative, that is, every trace in the concrete space has a counterpart in the abstract space. If there are no property violations in the abstract space, then there are no violations in the original system. However, if an abstract counterexample exists, there may not be a corresponding counterexample for the concrete system. Such an abstract counterexample is then called a spurious counterexample. Then, abstraction-refinement tries to discover a new abstract model, which contains more detail in order to rule out spurious counterexamples. This is done by extracting information from counterexamples generated by the model checker. The process is iterated until the property is either proved or disproved. In Fig. 1 we give a pictorial representation of the approach.
In the rest of this Section and in the following one, we focus on the instantiation of the CEGAR framework to Predicate Abstraction [52], while in Sect. 6 we focus on the instantiation of CEGAR to incremental linearization [11].

Computing the predicate abstraction
Predicate Abstraction [52] abstracts a transition system S with a transition system having as states the (finite) set of truth assignments to a set of predicates ℙ = {p 1 (X), … , p m (X)} . A transition between two abstract states ŝ i and ŝ j in the abstraction is possible iff there exist two concrete states s i and s j such that the evaluation of the predicates in s i is ŝ i , the evaluation in s j is ŝ j , and s i , s ′ j ⊧ T. Predicate abstraction can be symbolically represented by associating to each predicate p a corresponding Boolean variable x p . We define the abstraction function for predicate abstraction as: The abstract initial states, the abstract transition relation, and the abstract fairness condition of the abstract transition system Ŝ = ⟨X ℙ ,Î,T,F⟩ obtained by applying predicate abstraction to the concrete system are symbolically represented by the Boolean formulas Î (X ℙ ) , T (X ℙ , X � ℙ ) , and F (X ℙ ) . The formulas are equivalent to the following definitions: The abstract fair transition system thus obtained is purely Boolean, and can be subjected to finite-state model checking to verify the abstraction of the properties of interest. The computation of the abstraction (eqns. (9), (10) and (11)) is a key operation, and in the literature it has been addressed with several approaches. A first simple approach is based on encoding the problem in the quantified fragment of the theory T , and on leveraging an SMT solver to perform the quantified elimination of the concrete variables X and X ′ to obtain the abstract counterpart. This has been done either by using specialized algorithms such as [53][54][55] or by leveraging general quantifier elimination procedures, e.g. [56][57][58][59]. All these approaches are subject to the model explosion problem. Indeed, they all end-up enumerating enough implicants to cover the abstraction, and this boils down to going through the construction of the corresponding DNF.
The works in [60,61] tackle the problem of computing the abstraction by integrating BDD-based quantification techniques with SMT-based constraint solving. These approaches try to overcome the limitations of the previous approaches by exploiting the fact that BDDs are a DAG representation of the space that a SAT-based enumerator treats as a tree. In [61] the abstraction problem is no longer seen as a monolithic quantifier elimination problem, but a conjunctively-partitioned representation of the formula to quantify is leveraged to reduce the computation burden.
Finally, in [62] the idea of partitioning the computation, initially outlined in [61] was further expanded by providing a structure-aware abstraction algorithm. The proposed approach first exploits the high-level structure of the system, and partitions the abstraction problem into the combination of several smaller abstraction problems, still represented as a formula with quantifiers. Then, the low-level structure of the formula (e.g. the occurrence of variables within the quantifiers, the application of low-level rewriting rules like De-Morgan and quantifier push) is leveraged to further reduce the scope of quantifiers. The resulting formulas (still with quantifiers) is then given in input to existing state-of-the-art quantifier elimination approaches like the ones in [56][57][58][59][60][61] to obtain a finite-state abstract model.

Refining the predicate abstraction from counterexamples
Let us now consider a sequence of abstract states ŝ 0 , ⋯ ,ŝ k (where each abstract state ŝ i is a valuation to the variables X ℙ ). If the abstract property does not hold in the abstract model, we generate an abstract counterexample that must be checked for spuriousness, i.e. we check whether it can be refined in the concrete space. This can be done with a setting similar to bounded model checking, where each state of both the concrete and abstract machine are replicated at different time steps, from 0 to k. Checking the spuriousness of a counterexample for an invariant property corresponds to checking if the following formula is unsatisfiable: Similar considerations also hold in the case the property is a liveness one: if Ŝ does not have an initial fair path, then the same can also be concluded for S. In this case, the check for the spuriousness of the counterexample shall also consider the fairness conditions F and encode a loop enforcing the fairness conditions to hold within the loop.
The main idea behind the refinement phase is to learn more information from the spurious counterexamples produced and use the information to refine the abstraction in such a way that it rules out the spurious counterexample. Spurious transitions are those abstract transitions that do not have any corresponding concrete transitions. If the most precise abstraction with respect to the given set of predicates is computed, the spuriousness of the counterexample would be because of an insufficient number of predicates, i.e. the absence of information rich enough to capture all the relevant behaviors of the concrete system, even for the most precise abstraction. Several approaches have been proposed in the literature to extract new predicates in the refinement. Most of them are based on the analysis of the unsatisfiable cores or the computation of Craig interpolants of the spuriousness check formula (12) (e.g., [63,64]).

Implicit predicate abstraction
As also defined in [51,65], the abstraction induces an equivalence relation among the concrete states: which in the case of predicate abstraction is characterized by the following formula: .
The formula EQ ℙ asserts that two concrete states have a consistent evaluation of predicates. It can be exploited to embed the abstraction into formulas over the concrete variables, thus reasoning about abstract states without explicitly computing them. This idea, first proposed [9] and later expanded in [10], takes the name of Implicit Abstraction (IA).
The clear advantage of IA is that it avoids the computation of the abstract transitions that must be done upfront in the explicit predicate abstraction and which results typically in a bottleneck. In fact, in the explicit abstraction case, the model checking algorithm on the abstract transition system cannot start before computing abstract transition (this is partly alleviated in Lazy Abstraction [66] where the abstraction is localized and computed on the fly based on an explicit-state control graph). On the other side, IA reasons over the concrete variables and thus, in some cases, cannot exploit simplification available only in the propositional case.
More in detail, IA embeds the definition of the predicate abstraction in the encoding of a path. The formula Path k ℙ ∶= , X k ) is satisfiable iff there exists a path of k steps in the abstract state space. Intuitively, instead of having a contiguous sequence of transitions, the encoding represents a sequence of disconnected transitions where every gap between two transitions is forced to lay in the same abstract state (see Fig. 2).
We can therefore extend Path k ℙ to solve an abstract bounded model checking problem. Suppose we want to verify that a property P(X) holds in the abstract state space in all abstract states reachable in k abstract steps. We can encode the dual problem into a formula BMC k ℙ that uses Path k ℙ to assert that there exists an abstract path, the first state is initial, and the last state satisfies the abstraction of ¬P . We use again EQ ℙ to build this encoding just using concrete variables as follows:

K-induction with implicit predicate abstraction
Similarly to the encoding of bounded model checking, we can define the abstract version of the k-induction conditions with IA: . where Therefore, if BMC k ℙ is unsatand, either KINDFW k ℙ or KINDBW k ℙ is unsat, then we can conclude that the invariant is not reachable in the abstract state space (and thus either in the concrete system).
Notice that we do not use the stronger version of KINDFW k ℙ and KINDBW k ℙ defined in [5], because they require to express the negation of the abstraction of P, which involves an existential quantification, and their negation cannot be handled by the satisfiability solver.

IC3Ia: IC3 with implicit abstraction
Implicit Abstraction provides a simple, yet very effective, way of generalising IC3 from SAT to SMT. The main idea is that of making IC3 work on the abstract state space defined by a set of predicates ℙ , and use implicit abstraction to avoid the explicit computation of the abstract transition relation. In the modified algorithm, which we call IC3Ia, clauses, frames and cubes are formulas over the set X ℙ of abstract variables. When working in the abstract space, the critical step for IC3IA is repeatedly checking whether a clause c is inductive relative to the frame F (where c and F are both formulas over X ℙ ). This check, if encoded as RelInd (F,T, c) , would require the explicit construction of T . The key insight underlying IC3Ia is to use implicit abstraction to perform the check without actually constructing the abstract transition relation T . This is done by checking the quantifier-free formula: It can be shown (see [67]) that working with AbsRelInd is equivalent to working with RelInd on the abstract transition relation T , in the sense that every model for AbsRelInd(F, T, c, ℙ) is also a model for RelInd(F,T, c) (when appropriately projected to X ℙ ∪ X ℙ � ). The consequence of this is that we can obtain an SMT-aware version of IC3 operating on a predicate abstraction of the original system by simply replacing the underlying SAT solver with an SMT solver, and using AbsRelInd instead of RelInd for performing the relative induction checks. Thanks to implicit predicate abstraction, we therefore obtain an algorithm that is simple, flexible (automatically supporting all theories that are handled by the underlying SMT solver), and very competitive in practice [67].

Example 8 Take the transition system and property from Example 4 and the set of predi-
, and x p ∈ X ℙ denotes the abstract variable for the predicate p ∈ ℙ (e.g., x d=0 is the abstract variable of the predicate d = 0): Since AbsRelInd(F 0 , T, c 0 , ℙ) ⊧ ⊥ , it's also the case case that RelInd(F 0 , � T, c) ⊧ ⊥ in the abstract system (see [67] for a full example of a run of IC3Ia).

Refining implicit predicate abstractions
Like all techniques based on predicate abstraction, when IC3Ia finds an abstract counterexample ̂ ∶=ŝ 0 ,ŝ 1 , … ,ŝ k (in the form of an interpretation of ⋃ k i=0 X i ℙ ), it must check whether it can be concretized, i.e. whether there exists a corresponding counterexample in S. This is done by simulating the abstract counterexample ̂ in the concrete system S, by encoding all the paths of S up to k steps restricted to ̂ : is the formula obtained from ŝ i (X i ℙ ) , seen as a conjunctions of literals, by replacing each Boolean variable in X i ℙ by the corresponding predicate over X i . If (18) is satisfiable, then the interpretation of the concrete variables X 0 , … , X k yields a concrete counterexample s 0 , s 1 , … , s k witnessing the violation of P. Otherwise, ̂ is spurious, and the abstraction must be refined by adding new predicates. The refinement procedure is somewhat orthogonal to IC3Ia, and can be done in various ways [66,68,69]. The only requirement is that the new set of predicates should be sufficient to remove the spurious counterexample. A popular approach is to use SMT-based interpolation to discover new predicates, as described in [68]. Although this technique always returns a set of predicates that are sufficient to refute the spurious counterexample, it offers no guarantee that all the discovered predicates are necessary. In other words, predicate discovery via interpolation can produce redundant predicates, which cause an increase in the precision of the predicate abstraction which might be not necessary, thus potentially slowing down the convergence of IC3Ia. This drawback can however be mitigated by exploiting implicit abstraction also for detecting redundant predicates. Let ℙ new be the set of predicates produced by the refinement procedure, such that the set ℙ ∪ ℙ new is sufficient to refute the abstract counterexample. By definition, this means that ̂ is not a path of the abstract system Ŝ , i.e. the predicate abstraction of S, wrt. ℙ ∪ ℙ new . Formulating this in terms of implicit abstraction means that the formula is unsatisfiable. We can use this fact to check for predicate redundancy, e.g. by heuristically replacing ℙ new with one of its subsets as long as (19) is still unsatisfiable. In practice, this can be performed efficiently by exploiting the capability offered by modern SMT solvers of (i) solving a formula under a set of assumptions, and (ii) producing an unsatisfiable core of the assumptions in case the formula is not satisfiable. More in detail, for each predicate p ∈ ℙ new , we can generate a fresh label variable l p . Then, we replace )) (and similarly for ). Finally, we solve under the assumptions {l p | p ∈ ℙ new } , and mark all the predicates p for which l p is not in the unsat core as redundant.

CEGAR via incremental linearization
Predicate abstraction is not the only approach to implement a CEGAR loop. In fact, the techniques presented in the previous sections are not always applicable, since they rely on several strong assumptions on the ability of the SMT solver: first, the SMT solver is given a large number of satisfiable queries; second, the SMT solver must expose an incremental interface; third, it must be able to provide interpolation and quantifier elimination. These requirements become hard to satisfy when dealing with nonlinear theories, that allow for multiplications between real-or integer-valued variables, or for transcendental functions such as exponentiation and trigonometric functions. Hence, despite the power of theory solvers based on Cylindrical Algebraic Decomposition [70] and effective implementations like Z3 [71], the direct integration of a nonlinear SMT solver inside the IC3Ia algorithm would not be practical.
We describe a CEGAR loop for the theory of nonlinear arithmetic with transcendental functions ( NTA ). The approach, that is not based on predicate abstraction, is called Incremental Linearization [11] (Fig. 3). The idea is to abstract the VMT(NTA ) problem in the combined theory of linear real arithmetic and the theory of equality with uninterpreted functions ( UFLRA ). Specifically, nonlinear multiplications and transcendental functions are abstracted as uninterpreted function symbols. For example, the formula is abstracted to We notice that the linear multiplications (e.g. 3 * y ) are not abstracted, while the nonlinear applications of * and sin are replaced by the uninterpreted functions f * (⋅) and f sin (⋅) . This abstraction is clearly conservative. Hence, if the property holds in the abstract space, then the concrete system can be deemed to be safe. However, if a counterexample can be found in the abstract space, a concretization step in VMT(NTA ) is required. If the abstract counterexample can be concretized, then the property does not hold. Otherwise, it is necessary to refine the abstraction by restricting the interpretation of the uninterpreted symbols in VMT(UFLRA).
Interestingly, the approach builds upon a black-box invariant checker for VMT(UFLRA ), which could be based on a complex abstraction refinement loop as described in the previous sections. Precise reasoning in NTA is limited to SMT in the concretization phase, given that the reason for spuriousness is that some uninterpreted functions may have been misinterpreted. For example, it is possible that the interpretation of the abstraction of multiplication of x and y, referred to as ̂ [f * (x, y)] , does not respect the semantics of multiplication, i.e. ̂ [f * (x, y)] ≠̂ [x] * ̂ [u] . In order to rule out such spurious models, various patterns of linear axioms are introduced (see Fig. 4). These include some basic facts (e.g. sign rules, commutativity, multiplication by zero), monotonicity, and tangent plane approximation. The latter dynamically constrains the multiplication on point (a, b), when the interpretation of f * (x, y) is such that ̂ [f * (x, y)] ≠ a * b , with a =̂ [x] and b =̂ [y] . The idea is to approximate the multiplication function, that is a hyperbolic paraboloid (Fig. 5, upper left), with a tangent plane centered around (a, b). In addition to constraining the value on the specific point, we can see that the plane intersects the multiplication curve on straight lines expressible in the form of linear equalities (Fig. 5, lower left), and in the resulting quadrants it can be used to express upper-and lower-bounds.
Additional attention is required to deal with approximations of nonlinear transcendental functions. First, since irrational values are not directly representable, one needs to make sure that the piece-wise linear functions are correct (over-or under-) approximations, which depends on the actual concavity of the curve. Second, trigonometric functions are dealt with by leveraging periodicity, reducing reasoning to the base period between − and and ensuring that all the lemmas can be applied to the other periods. We refer to [11] for the details.
Despite its simplicity, incremental linearization leads to significant results for VMT(NTA ), both in terms of expressiveness as well as in terms of effectiveness. The approach is motivated by the fact that many practical applications are "mostly linear", in the sense that only a small percentage of the constraints are nonlinear. Hence, the idea is to look for a piece-wise linear invariant that is strong enough to prove the property, so that expensive nonlinear reasoning is replaced -as much as possible -by cheaper linear reasoning.
Finally, we note that the idea of incremental linearization not only applies to VMT but also to SMT(NTA ). In fact, incremental linearization is akin to a lemmas-on-demand approach, where the interpretation of nonlinear multiplications and transcendental functions is progressively restricted by the introduction of lemmas that will rule out spurious abstract models (in the case of SMT) or counterexamples (in VMT).

Liveness to safety via implicit abstraction and well-founded relations
As described in the previous sections, various approaches to LTL Model Checking reduce the problem to the verification of an invariant. Such reductions may be neither complete nor correct in the case of infinite-state systems. Some of the issues are that, on one hand, if there exists a counterexample, it is not guaranteed that there exists a lasso-shaped one; on the other hand, if there is no counterexample visiting a live signal infinitely many times, there may be no bound on the number of such visits.
In order to cope with these issues, in [12], we proposed an approach integrating liveness-to-safety with implicit abstraction and well-founded relations. By applying implicit abstraction to the liveness-to-safety encoding, we can effectively prove the absence of abstract fair loops without explicitly constructing the abstract state space. The approach is extended by using termination techniques based on well-founded relations derived from ranking functions: the idea is to prove that any existing abstract fair loop is covered by a given set of well-founded relations. Within this framework, k-liveness is integrated as a generic ranking function. The algorithm iterates by attempting to remove spurious abstract fair loops: either it finds new predicates, to avoid spurious abstract prefixes, or it introduces new well-founded relations, based on the analysis of the abstract lasso. The implementation fully leverages the efficiency and incrementality of the underlying safety checker IC3Ia.
More specifically, after encoding the LTL model checking problem into a liveness problem in the form FG¬f on a transition system S, we produce a sequence of invariant checking problems S 0 ⊧ inv 0 , S 1 ⊧ inv 1 , … . For each j, S j and j are the result of an encoding operation dependent on given sets of state predicates P and well-founded relations W : S j , ϕ j = enCode(S, f, P, W). enCode is a variant of the liveness-to-safety transformation that includes both implicit predicate abstraction and well-founded relations: if S j ⊧ inv j either there is no abstract fair loop or every such loop is covered by the given set of well-founded relations. Thus, it ensures that if S j ⊧ inv j , then S ⊧ FG¬f , in which case the iteration terminates. If S j ̸ ⊧ inv j , we analyze a (finite) counterexample trace in S j to determine whether it corresponds to an (infinite) counterexample for FG¬f in S. If so, then we conclude that the property doesn't hold. Otherwise, if we can conclude that doesn't correspond to any real counterexample in S, we try to extract new predicates P ′ and/or well-founded relations W ′ to produce a refined encoding: S j+1 , j+1 ∶= enCode (S, f , P ∪ P � , W ∪ W � ) , where P � , W � ∶= enCode (S j , , P, W) . If we can neither confirm nor refute the existence of real counterexamples, we abort the execution, returning "unknown". 3 ⊤⟩ , the LTL(T ) property FG c > d , and the initial set of predicates ℙ ∶= {c ≤ d, c = 0, 0 ≤ d} . The algorithm will first find an abstract lasso-shaped counter-example with prefix {x c≤d , x c=0 , x 0≤d } and a self loop on the abstract state {x c≤d , ¬x c=0 , x 0≤d } . The algorithm cannot determine that such abstract counter-example is spurious using bounded model checking, since there is no corresponding lasso-shaped path in S. Instead, the algorithm synthesizes a ranking function d − c , with lower bound −1 ≤ d − c , proving the the abstract loop 1 3 terminates. The algorithm uses the ranking function to get a well-founded relation. We refer to [12] for the details of the encoding of the ranking function in the liveness-to-safety reduction: intuitively, the encoding relaxes the loop condition used in L2S (see Sect. 3.4.2), so that abstract loops that satisfy at least a well founded relation are not considered as violation for the LTL property.

The K-Zeno algorithm
The K-liveness algorithm is sound and complete for finite-state systems (i.e., the implication in (7) holds also in the other direction) although, in practice, the algorithm is effective only for proving liveness, rather than finding a violation. The K-liveness algorithm is sound, however not complete, to prove liveness properties for infinite-state systems.
In an infinite-state system the bound K may not be a specific natural number but instead may depend on the system variables (the bound K is a function of the state variables of the transition system S). For example, consider an infinite-state system S with an integer parameter p ≥ 0 where the condition f can be visited at most p times. In such system the property S ⊧ FG¬f holds, but K-liveness would never prove that since for all K ∈ ℕ , there exists a value of p ≥ 0 such that S ⊧ p > K . In practice, once we fix the value of K to an natural number to check The above limitation of K-liveness also affects the analysis of infinite-state systems with paths where the value of a variable diverges. We obtain infinite-state transition systems with such diverging paths when we encode timed automata [47] and hybrid automata [72], 4 two formalisms that model respectively real-time systems and control systems. Both formalisms do not exclude fair Zeno paths, infinite paths of the system where the real time does not diverge. We call non-Zeno paths all the infinite paths where time diverges. However, the fairness verification problem for timed and hybrid automata does not consider such Zeno paths, since they unrealistically assume that an infinite number of computation steps can happen in a finite amount of time [72]. K-liveness would not prove liveness properties when naïvely applied to the transition system S encoding of a timed or hybrid automaton that contains Zeno paths where the fairness condition f holds. In fact, for every possible value of K, the transition system would have an infinite path where the real time variable does not diverge and where the the condition f holds. This means that, for any choice of K, we would have that S ⊧ #(f ) ≤ K.
The K-Zeno [13] algorithm applies a transformation to the transition system S to consider only occurrences of the fairness condition f on paths where time diverges. In such transformation the algorithm uses a new transition system S that introduces a bound on the real time elapsed between two consecutive occurrences of the fairness condition f. In this way, the system only considers occurrences of the condition f that happen on a non-Zeno path. The liveness verification problem that considers only non-Zeno paths where f may hold is then: The specific construction of the transition system S depends on the kind of system to verify. For example, if the system is a timed automaton (without parameters), the bound can be just a constant (the maximum constant in the model or 1). The transition system S may have to capture a symbolic bound (X) that is a function of the state variables X, instead of being just a constant, when analyzing more general classes of systems (e.g., hybrid automata). The work in [13] shows that there exists a monitor S (X) that guarantees a complete reduction in the case of initialized with bounded non-determinism parametric hybrid automata (i.e., if S ⊧ FG¬f then ∃K.S × S (X) ⊧ #(f ) ≤ K).

Beyond lasso-shaped counterexamples
In finite-state systems, if an LTL property is false, there is always a counterexample path (i.e. a witness) for it which is ultimately periodic (i.e. in a lasso-shaped form). When dealing with the infinite-state case, this is no longer the case, as in general in an infinite-state system a false LTL property might admit no lasso-shaped witness. Therefore, in order to effectively find counterexamples for LTL properties in infinite-state systems, it is necessary to look for ways to encode a more general class of infinite traces.
This problem has been investigated extensively in the context of software (non)termination. In that setting, closed recurrence sets [77] are used to represent a witness for the nontermination of some software program. A closed recurrence set consists of a reachable set of states that is disjoint from the end states and inductive with respect to a left-total transition relation that underapproximates the transition relation of the program. The set represents at least one infinite execution for the program: (i) its reachability ensures that there is some finite execution of the program ending in some state within the set; (ii) since the set is also inductive, we know that no transition starting from within the set can reach a state outside of it and (iii) the left-total transition relation ensures that there always exists at least one successor state satisfying also the transition relation of the program.
However, in the more general context of counterexamples for full LTL properties, recurrent sets are not sufficient, as a counterexample trace has the additional requirement of being fair, i.e. it needs to visit some fair state infinitely often. Unless the set underapproximates the fair states, without additional information, we cannot conclude that the infinite executions described by the closed recurrence set are fair.
In order to solve this problem, we have recently generalised the notion of recurrence set to take fairness conditions into proper account [78]. We split the closed recurrence set into two components S and D, such that D is a subset of the fair states. The union of S and D must satisfy the same conditions described above for closed recurrence sets and, in addition, the left-total transition relation must not allow for infinite sequences of S states: every state in S must reach a state in D in a finite number of steps. Moreover, in order to aid the automatic discovery of such generalised recurrence sets, we split the monolithic problem described above into two orthogonal directions: by segmenting the infinite paths into finite paths and decomposing the system with respect to some partitioning of the symbols.
More precisely, we segment the fair paths into a concatenation of finite paths: we split S into multiple regions such that each region represents a set of finite paths that must eventually reach the following region. Notice that, while each path in a region must be finite, there might be no upper bound to their length: a region can represent an infinite number of finite paths with increasing lengths. We call each segment funnel and their concatenation representing the fair paths funnel-loop. In addition, we decompose the system by partitioning its symbols. Each component, called E-component (for existential component), describes 1 3 the behavior of a subset of the symbols while assuming some properties about the others. These properties represent the conditions that are necessary for this behavior to be enabled and we need to prove that such conditions are ensured by some other component.
With this partitioned representation, which we have proven to be both sound and relatively complete, we have then developed a search procedure, based on a combination of invariant checking with abstraction, bounded model checking and SMT-based synthesis via quantified reasoning, that is capable of identifying funnel-loops in an automatic manner [78], with an implementation that significantly outperforms the state of the art on a wide class of benchmarks.

Example 10
Consider the fair transition system: The system admits fair paths that are not lasso-shaped. For example, one such path is the following (where the states show the values for the variables c, n, o, and k is an integer constant): We can represent the paths above using a funnel as defined in [78], which intuitively defines an underapproximation of the original system that contains only fair paths. The funnel is defined as having a source region S ∶= (o > 0 ∧ n > o) (which is a subset of the initial states of the system), a destination region D ∶= (o > 0 ∧ o < n ∧ c = 0) (which is a subset of S consisting of fair states), connected by a transition relation T ∶= (c < n ∧ c � = c + 1 ∧ n � = n ∧ o � = o) ∨ (c ≥ n ∧ o � = n ∧ c � = 0 ∧ n � = n + 1) , which is an underapproximation of the transition relation of the system ensuring that eventually D must be reached when starting from S. 5

The nuXmv model checker
All the techniques and algorithms described in the previous sections have been implemented in nuXmv [16], a state-of-the-art symbolic model checker for both finite-and infinite-state synchronous fair transition systems. nuXmv is the successor of nuSmv [17], the popular symbolic model checker for finite-state systems which was conceived in 1999 within a joint cooperation of the CMU group of Ed Clarke and FBK. 6 In some sense, therefore, nuXmv carries on the legacy of Ed Clarke and his message of combining theoretical results with strong practical applications.
From a technical standpoint, nuXmv integrates, extends and complements the functionalities of nuSmv with multiple functionalities to facilitate its deployment in several operational industrial and research settings. nuXmv extends the nuSmv language with new data types, namely integers, reals and unbounded arrays. Figure 6 shows the nuXmv specification for the transition system and property from Example 4. The example shows how the nuXmv language can express infinite state transition systems, specifying the variables (VAR declarations), the initial condition (INIT declaration), and the transition relation (TRANS) declaration. Notice that the nuXmv input language is way richer, allowing to specify, for example, modules, fairness constraints, and timed transition systems [79]. nuXmv provides advanced SmT-based model checking techniques and implements all the abstraction-based approaches discussed in the previous sections (including several explicit computation techniques, e.g., [60][61][62]). Moreover, it complements these algorithms with other functionalities whose description is out of scope of this paper. The interested reader can refer to [16] for detailed discussion of all the functionalities provided by nuXmv. nuXmv has been used in a wide range of applications, both at academic and at industrial level, in different application domains including avionics, railways, automotive, space, and biological (e.g. [24,31,32,[80][81][82][83][84].) Finally, nuXmv is also the back-end of several other tools, including the KraToS [85] software model checker, the RATSY [86] tool for temporal logic synthesis, the OCRA [22] platform for contract-based verification, the xSAP [87] for model-based safety assessment, and the HyCOMP [20] model checker for the verification of hybrid systems.

Conclusions
In this paper we presented a retrospective on the verification of infinite-state transition systems expressed symbolically in SMT. This line of work was substantially influenced by the work of Ed Clarke, based on the ideas on SAT-based model checking and abstraction refinement. At the methodological level, Clarke always underlined the importance of developing strong tools and applying them in practical case studies, being enthusiastic about the work on the NuSMV model checker. This paved the way to the development of the nuXmv model checker, and its applications to practical industrial case studies.
Challenges for future research include devising effective verification and falsification algorithms and tools for more expressive classes of VMT problems: parameterized systems expressed in the quantified theory of arrays [88], timed and hybrid systems [40], sequential and concurrent software, recurrent neural networks, and the closed-loop combination of physical systems and control software.