
Abstraction refinement and antichains for trace inclusion of infinite state systems

Published in: Formal Methods in System Design

Abstract

A generic register automaton is a finite automaton equipped with variables (which may be viewed as counters or, more generally, registers) ranging over infinite data domains. A trace of a generic register automaton is an alternating sequence of alphabet symbols and values taken by the variables during an execution of the automaton. The problem addressed in this paper is the inclusion between the sets of traces (data languages) recognized by such automata. Since the problem is undecidable in general, we give a semi-algorithm based on a combination of abstraction refinement and antichains, which is proved to be sound and complete, but whose termination is not guaranteed. Moreover, we further enhance the proposed algorithm by exploiting a concept of data simulations, i.e., simulation relations aware of the data associated with the words. We have implemented our technique in a prototype tool and show promising results on multiple non-trivial examples.


Notes

  1. Generic register automata were called data automata in our preliminary work [24]. We have decided to change the name in order to avoid confusion with some other formalisms.

  2. Note that the presented trace inclusion method can be used with any data domain supported by the underlying SMT solver including integers or reals.

  3. http://www.fit.vutbr.cz/research/groups/verifit/tools/includer/.

  4. Note that there is no fixed set of predefined predicates. New predicates are discovered during the refinement phase.

  5. This option covers the case of data values allowed by the network \({\langle A_1,A_2 \rangle }\) that are not covered by a data constraint of any B-transition.

  6. Our reduction to the emptiness of product automata is at least exponential.

  7. For (in)finite words, the class of LTL-definable languages coincides with the star-free languages, which are a strict subclass of (\(\omega \)-)regular languages.

  8. Called data automata in [24].

  9. Note that the empty disjunction is equivalent to \(\bot \). Hence \(\theta ({\mathbf {x}},{\mathbf {x}}')\) satisfiable implies that for all \(p' \in P'\) there exists \(p \in P\) and a rule \(p \xrightarrow {{\scriptscriptstyle \sigma ,\psi }}{} p' \in \Delta \).

  10. For timed automata, this is the case since the only shared variable is the time, and the observer may have local clocks.

  11. The formal definition of antichain trees will be given as Definition 1 later in this section.

  12. Note that the above choice of the product state in the form \(s=({\mathbf {q}},P,\Phi )\) is not straightforward and resulted from several previous unsuccessful attempts. For example, if one chooses to associate separate formulae for the valuations of the variables with \({\mathbf {q}}\) and each of the states in P, which seems to be a quite natural choice, the construction becomes unsound. Intuitively, when a successor state of such a product state is computed, the disjunction of the formulae joint with the successors of P may entail the formula joint with the successor of \({\mathbf {q}}\). However, that does not mean that all pairs of source/target valuations possible in \({\mathcal {A}}^e\) are possible in \({\overline{B}}\) too. More details are provided in “Appendix 1”.

  13. A fact is a formula in \(\text{ Form }({\mathcal {D}})\).

  14. If \(\theta ({\mathbf {x}}'_{{\mathcal {A}}}, {\mathbf {x}}_{{\mathcal {A}}})\) is unsatisfiable, then s does not contain a valuation of the variables that would allow one to do a step following the rule \(({\mathbf {q}},P) \xrightarrow {{\scriptscriptstyle \sigma ,\theta }}{} ({\mathbf {r}},S)\).

  15. Taking a bigger K leads to a more precise \( Sim _{ij}\), but, on the other hand, it can significantly increase the computation time.

  16. Many realistic systems comply with this restriction, take, for instance, shared-memory multithreading in Java.

  17. http://www.fit.vutbr.cz/research/groups/verifit/tools/includer/.

  18. The size of a formula is measured in the number of nodes of its MathSAT graph-based representation.

  19. A simulation R is trivial iff \(\forall x,y\in Q: x\ne y \rightarrow (x,\bot ,y)\in R\).

References

  1. Abdulla P, Chen YF, Holik L, Mayr R, Vojnar T (2010) When simulation meets antichains. In: Proceedings of TACAS’10, LNCS, vol 6015. Springer, pp 158–174

  2. Alur R, Dill DL (1994) A theory of timed automata. Theor Comput Sci 126(2):183–235


  3. Bardin S, Finkel A, Leroux J, Petrucci L (2003) Fast: fast acceleration of symbolic transition systems. In: Proceedings of CAV’03, LNCS, vol 2725. Springer

  4. Beyene TA, Popeea C, Rybalchenko A (2013) Solving existentially quantified Horn clauses. In: Proceedings of CAV’13, LNCS, vol 8044. Springer

  5. Bjørner N, Gurfinkel A, McMillan K, Rybalchenko A (2015) Horn clause solvers for program verification. Springer, Cham, pp 24–51


  6. Bojańczyk M, David C, Muscholl A, Schwentick T, Segoufin L (2011) Two-variable logic on data words. ACM Trans Comput Logic 12(4):27:1–27:26


  7. Bonchi F, Pous D (2013) Checking NFA equivalence with bisimulations up to congruence. In: Proceedings of POPL’13. ACM

  8. Bozga M, Habermehl P, Iosif R, Konecný F, Vojnar T (2009) Automatic verification of integer array programs. In: Proceedings of CAV’09, LNCS, vol 5643, pp 157–172

  9. Cimatti A, Griggio A, Schaafsma B, Sebastiani R (2013) The MathSAT5 SMT solver. In: Proceedings of TACAS, LNCS, vol 7795

  10. Comon H, Dauchet M, Gilleron R, Löding C, Jacquemard F, Lugiez D, Tison S, Tommasi M (2007) Tree automata techniques and applications. http://www.grappa.univ-lille3.fr/tata. Release 12 Oct 2007

  11. Cook B, Khlaaf H, Piterman N (2015) On automation of CTL* verification for infinite-state systems. In: Proceedings of CAV’15, LNCS, vol 9206. Springer

  12. Craig W (1957) Three uses of the Herbrand–Gentzen theorem in relating model theory and proof theory. J Symb Log 22(3):269–285


  13. D’Antoni L, Alur R (2014) Symbolic visibly pushdown automata. In: Proceedings of CAV’14, LNCS, vol 8559. Springer

  14. Decker N, Habermehl P, Leucker M, Thoma D (2014) Ordered navigation on multi-attributed data words. In: Proceedings of CONCUR’14, LNCS, vol 8704, pp 497–511

  15. Dhar A (2014) Algorithms for model-checking flat counter systems. Ph.D. thesis, Univ. Paris 7

  16. Fribourg L (1998) A closed-form evaluation for extended timed automata. Tech. rep, CNRS et Ecole Normale Supérieure de Cachan

  17. Grebenshchikov S, Lopes NP, Popeea C, Rybalchenko A (2012) Synthesizing software verifiers from proof rules. In: ACM SIGPLAN conference on programming language design and implementation, PLDI ’12, Beijing, China—June 11–16, 2012, pp 405–416

  18. Habermehl P, Iosif R, Vojnar T (2008) A logic of singly indexed arrays. In: Proceedings of LPAR’08, LNCS, vol 5330, pp 558–573

  19. Habermehl P, Iosif R, Vojnar T (2008) What else is decidable about integer arrays? In: Proceedings of FOSSACS’08, LNCS, vol 4962, pp 474–489

  20. Henzinger MR, Henzinger TA, Kopke PW (1995) Computing simulations on finite and infinite graphs. In: Proceedings of the 36th annual symposium on foundations of computer science, FOCS ’95, pp 453

  21. Henzinger TA, Jhala R, Majumdar R, Sutre G (2002) Lazy abstraction. In: Proceedings of POPL’02. ACM

  22. Henzinger TA, Jhala R, Majumdar R, Sutre G (2003) Software verification with BLAST. In: Proceedings of 10th SPIN workshop, LNCS, vol 2648

  23. Henzinger TA, Nicollin X, Sifakis J, Yovine S (1992) Symbolic model checking for real-time systems. Inf Comput 111:394–406


  24. Iosif R, Rogalewicz A, Vojnar T (2016) Abstraction refinement and antichains for trace inclusion of infinite state systems. In: Proceedings of TACAS’16, LNCS, vol 9636. Springer, pp 71–89

  25. Iosif R, Xu X (2018) Abstraction refinement for emptiness checking of alternating data automata. In: Proceedings of TACAS’18, LNCS, vol 10806. Springer, pp 93–111

  26. Kaminski M, Francez N (1994) Finite-memory automata. Theor Comput Sci 134(2):329–363. https://doi.org/10.1016/0304-3975(94)90242-9


  27. McMillan KL (2006) Lazy abstraction with interpolants. In: Proceedings of CAV’06, LNCS, vol 4144. Springer

  28. McMillan KL (2011) Interpolants from Z3 proofs. In: Proceedings of the international conference on formal methods in computer-aided design, FMCAD ’11, pp 19–27. FMCAD Inc

  29. Milner R (1971) An algebraic definition of simulation between programs. In: Proceedings of IJCAI’71. Morgan Kaufmann Publishers Inc

  30. Minsky M (1967) Computation: finite and infinite machines. Prentice-Hall, Upper Saddle River


  31. Numerical Transition Systems Repository (2012). http://nts.imag.fr/index.php/Flata

  32. Ouaknine J, Worrell J (2004) On the language inclusion problem for timed automata: closing a decidability gap. In: Proceedings of LICS’04. IEEE Computer Society

  33. Smrcka A, Vojnar T (2007) Verifying parametrised hardware designs via counter automata. In: HVC’07, pp 51–68

  34. Tripakis S (1998) The analysis of timed systems in practice. Ph.D. thesis, Univ. Joseph Fourier, Grenoble (December)

  35. Wulf MD, Doyen L, Henzinger TA, Raskin J (2006) Antichains: a new algorithm for checking universality of finite automata. In: Proceedings of CAV’06, LNCS, vol 4144. Springer

  36. Zbrzezny A, Polrola A (2007) SAT-based reachability checking for timed automata with discrete data. Fundam Inf 79:1–15



Corresponding author

Correspondence to Adam Rogalewicz.

Additional information


The Czech authors were supported by the Czech Science Foundation project 17-12465S, the FIT BUT internal project FIT-S-17-4014, and The Ministry of Education, Youth and Sports from the National Programme of Sustainability (NPU II) project LQ1602 IT4Innovations excellence in science. The French author was supported by the French National Research Agency project VECOLIB ANR-14-CE28-0018.

Appendix A: Alternative notions of the product state


Below, we briefly discuss two alternative notions of product states that we originally considered but dropped, since we were not able to build a sound antichain construction on them.

The first option we considered was to link predicates with the individual states involved in a product state. In that case, the predicate map linked particular states of the automata \({\mathcal {A}}^e\) and B to sets of formulas as follows: \(\Pi _{ind}: Q_{{\mathcal {A}}^e}\cup Q_B \rightarrow 2^{ \text{ Form }({\mathcal {D}})}\). The product state was then defined as \(s_{ind}=(\langle {\mathbf {q}},\Phi _q\rangle , P)\) with \({\mathbf {q}}\) being a state of the automaton \({\mathcal {A}}^e\), \(\Phi _q\subseteq \Pi _{ind}({\mathbf {q}})\), and \(P\subseteq \{ \langle r,\Phi _r\rangle \mid r \in Q_{B}\) and \(\Phi _r\subseteq \Pi _{ind}(r)\}\). The semantics of the product state \(s_{ind}=(\langle {\mathbf {q}},\Phi _q\rangle , P )\) was that whenever the automaton \({\mathcal {A}}^e\) is in the state \({\mathbf {q}}\) with a valuation \(\nu \models \Phi _q\) of the variables, then the automaton B can be in any state r such that \(\langle r,\Phi _r\rangle \in P\) and \(\nu \models \Phi _r\). A product state \(s_{ind}=(\langle {\mathbf {q}},\Phi _q\rangle , P )\) was considered accepting iff \({\mathbf {q}}\in F_{{\mathcal {A}}^e}\) and there existed \(\nu \models \Phi _q\) such that \(\nu \not \models \bigvee \{\Phi _r \mid \langle r,\Phi _r\rangle \in P \wedge r\in F_B\}\). That implied the existence of a trace accepted by \({\mathcal {A}}^e\) at the state \({\mathbf {q}}\) with the final valuation \(\nu \) that is not covered by the automaton B.
A problem with this product construction is that it cannot be used for soundly deciding the inclusion problem as shown in the following example: Take the product state \(s_1=(\langle q_1, x\in \{1,2\}\rangle , \{\langle r_1, x=1\rangle ,\langle r_2, x=2\rangle \})\) obtained for an automaton \({\mathcal {A}}^e\) with the rule \(q_1 \xrightarrow {{\scriptscriptstyle \sigma , x'=x+1}}{} q_2\) and an automaton B with rules \(r_1 \xrightarrow {{\scriptscriptstyle \sigma , x'>x}}{} r_3\) and \(r_2 \xrightarrow {{\scriptscriptstyle \sigma , x'=x+1\wedge x>10}}{} r_3\). Moreover, let \(q_2\) be final in \({\mathcal {A}}^e\) and \(r_3\) be final in B. When one computes the post of \(s_1\), one gets \(s_2=(\langle q_2, x\in \{2,3\}\rangle , \{\langle r_3, x>1\rangle \})\), which is not accepting, because all configurations of \({\mathcal {A}}^e\) (i.e. \(x\in {\left\{ 2,3 \right\} }\)) are covered by configurations of B (i.e. \(x>1\)). However, the automaton \({\mathcal {A}}^e\) can do a step \((q_1,x=2)\xrightarrow {{\scriptscriptstyle \sigma , x'=x+1}}{} (q_2,x=3)\), which cannot be followed by B (it cannot do a step from the configurations \((r_1,x=2)\) or \((r_2,x=2)\)). Hence, an antichain construction based on this notion of product states could hide a real counterexample and provide an unsound answer.
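The counterexample above, worked through in code as an added illustration that is not part of the paper or its tool: the post of \(s_1\) under the per-state notion of product state is computed and found non-accepting, while an explicit enumeration of concrete steps exposes the step \((q_1,x=2)\rightarrow (q_2,x=3)\) that B cannot follow. Formulas over x are modelled as sets over a small constructed finite domain, and the symbol \(\sigma \) is omitted since every rule carries it.

```python
"""Added example (not the paper's code): Appendix A's first, unsound notion of
product state s_ind = (<q, Phi_q>, P), run on the paper's own counterexample.
Formulas over the variable x are sets over a constructed finite domain."""

DOMAIN = range(0, 21)  # constructed; large enough to evaluate the guard x > 10

# Rules as (source, target, guard(x, x')) for A^e and B, as in the appendix.
RULES_A = [("q1", "q2", lambda x, xp: xp == x + 1)]
RULES_B = [("r1", "r3", lambda x, xp: xp > x),
           ("r2", "r3", lambda x, xp: xp == x + 1 and x > 10)]
FINAL_A, FINAL_B = {"q2"}, {"r3"}

def image(vals, guard):
    """Successor valuations {x' | exists x in vals with guard(x, x')}."""
    return {xp for x in vals for xp in DOMAIN if guard(x, xp)}

def post_ind(state):
    """Post of s_ind: every formula is advanced on its own, so the link
    between the A-valuation and the B-valuation of one step is lost."""
    (q, phi_q), P = state
    q2, phi_q2 = next((dst, image(phi_q, g)) for src, dst, g in RULES_A if src == q)
    P2 = {}
    for r, phi_r in P.items():
        for src, dst, g in RULES_B:
            if src == r:
                P2[dst] = P2.get(dst, set()) | image(phi_r, g)
    return (q2, phi_q2), P2

def accepting_ind(state):
    """Accepting iff q is final and some valuation of Phi_q is covered by no
    final B-state's formula (the appendix's acceptance condition)."""
    (q, phi_q), P = state
    covered = set().union(*[f for r, f in P.items() if r in FINAL_B])
    return q in FINAL_A and bool(phi_q - covered)

def b_can_follow(state, x, xp):
    """Can B, from some <r, Phi_r> in P with x in Phi_r, take a step x -> x'?"""
    _, P = state
    return any(x in phi_r and any(s == r and g(x, xp) for s, _, g in RULES_B)
               for r, phi_r in P.items())

def hidden_counterexamples(state):
    """Concrete A-steps (x, x') from `state` that B cannot follow."""
    (q, phi_q), _ = state
    return sorted((x, xp) for x in phi_q for src, _, g in RULES_A if src == q
                  for xp in DOMAIN if g(x, xp) and not b_can_follow(state, x, xp))

S1 = (("q1", {1, 2}), {"r1": {1}, "r2": {2}})   # the appendix's s_1

if __name__ == "__main__":
    print(accepting_ind(post_ind(S1)), hidden_counterexamples(S1))  # False [(2, 3)]
```

The post is judged non-accepting because \(\{2,3\}\subseteq \{x>1\}\), yet the enumeration returns the step \((2,3)\), which is exactly the counterexample the construction hides.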

In order to avoid the unsoundness of the above solution, we attempted to use predicates representing relations between successive values of variables within a step leading to a given product state. In this case, the predicate map was defined as \(\Pi _{rel} : Q_{{\mathcal {A}}^e}\cup Q_B \rightarrow 2^{ \text{ Form }({\mathcal {D}})} \times 2^{ \text{ Form }({\mathcal {D}})}\). The product state was then defined as \(s_{rel}=(\langle {\mathbf {q}},\Phi _q\rangle , P)\) with \({\mathbf {q}}\) being a state of the automaton \({\mathcal {A}}^e\), \(\Phi _q\subseteq \Pi _{rel}({\mathbf {q}})\), and \(P\subseteq \{ \langle r,\Phi _r\rangle \mid r\in Q_{B}\) and \(\Phi _r\subseteq \Pi _{rel}(r)\}\). The semantics of the product state \(s_{rel}=(\langle {\mathbf {q}},\Phi _q\rangle , P )\) was that whenever the last step of \({\mathcal {A}}^e\) was \((\_,\nu )\xrightarrow {{\scriptscriptstyle }}{}({\mathbf {q}},\nu ')\) such that \((\nu ,\nu ')\models \Phi _q\), then the last step of B could have been \((\_,\nu )\xrightarrow {{\scriptscriptstyle }}{}(r,\nu ')\) where \(\langle r,\Phi _r\rangle \in P\) and \((\nu ,\nu ')\models \Phi _r\). (The source states of the steps were not reflected in the product states and are hence represented by the underscore sign.) A product state was considered final iff \({\mathbf {q}}\in F_{{\mathcal {A}}^e}\) and there existed a pair of valuations \((\nu ,\nu ')\models \Phi _q\) such that \((\nu ,\nu ')\not \models \bigvee \{\Phi _r \mid \langle r,\Phi _r\rangle \in P \wedge r\in F_{B} \}\). The antichain tree could be used for sound checking of the inclusion in this case. However, a problem was to find a subsumption relation to soundly prune the antichain tree.
A natural way of defining the subsumption relation, following the approach of [1], is the following: \((\langle {\mathbf {q}}_1,\Phi _1\rangle , P_1 ) \sqsubseteq (\langle {\mathbf {q}}_2,\Phi _2\rangle , P_2)\) iff (i) \({\mathbf {q}}_1 = {\mathbf {q}}_2\), (ii) \(\Phi _1 \rightarrow \Phi _2\), and (iii) for each \(\langle r,\Phi _r\rangle \in P_2\) there exists \(\langle s,\Phi _s\rangle \in P_1\) such that \(r=s\) and \(\Phi _r \rightarrow \Phi _s\). Unfortunately, it turns out that such a subsumption cannot be used for sound inclusion checking, since comparing formulae that represent solely the last step of the automata can lead to omitting counterexamples to inclusion that depend on longer traces. The existence of a suitable sound subsumption for this type of product states, which is needed to ensure termination of the antichain construction, is an open problem.


Cite this article

Holík, L., Iosif, R., Rogalewicz, A. et al. Abstraction refinement and antichains for trace inclusion of infinite state systems. Form Methods Syst Des 55, 137–170 (2020). https://doi.org/10.1007/s10703-020-00345-1
