
Page 1: The Fixpoint Checking Problem: An Abstraction Refinement …software.imdea.org/~pierreganty/mypubs/ganty-phdthesis07.pdf · 2010. 9. 20. · The Fixpoint Checking Problem: An Abstraction

The Fixpoint Checking Problem: An Abstraction Refinement Perspective

Pierre Ganty

Thesis presented for the degree of Docteur en Sciences (Doctor of Sciences) of the Université Libre de Bruxelles (Faculté des Sciences, Département d'Informatique)

Thesis presented for the degree of Dottore di Ricerca in Scienze e Tecnologie dell'Informazione e della Comunicazione (Doctor of Research in Information and Communication Science and Technology) of the Università degli Studi di Genova (Indirizzo Ingegneria Elettronica ed Informatica, xviii Ciclo)

September 2007


To my parents


Dissertation submitted in fulfillment of the requirements for the degree of Doctor of Philosophy. The examiners of the committee are:

• Prof. Jean-François Raskin (Université Libre de Bruxelles, Belgium), advisor

• Prof. Giorgio Delzanno (Università degli Studi di Genova, Italy), co-advisor

• Prof. Alessandro Armando (Università degli Studi di Genova, Italy), co-advisor

• Prof. Patrick Cousot (École Normale Supérieure de Paris, France)

• Prof. Francesco Ranzato (Università di Padova, Italy)

• Prof. Thierry Massart (Université Libre de Bruxelles, Belgium)

• Dr. Laurent Van Begin (Université Libre de Bruxelles, Belgium)


Résumé

Model-checking is an automated technique that aims at verifying properties of computer systems. The inputs given to the model-checker are the model of the system (which captures all its possible behaviors) and the property to verify. Both are given in a suitable mathematical formalism, such as a transition system for the model and a temporal logic formula for the property.

For various reasons (model-checking is undecidable for this class of models, or model-checking needs too many resources for this model), model-checking may be inapplicable. For safety properties (which say, roughly, "nothing bad happens"), one solution to this problem resorts to a simplified model on which the model-checker can terminate without too many resources. This simplified model, called the abstract model, over-approximates the behaviors of the concrete model. The abstract model can nevertheless be too imprecise. Indeed, if the property holds on the abstract model then it also holds on the concrete model. On the other hand, when the abstract model violates the property, either the violation can be reproduced on the concrete model, and then we have found an error, or the violation cannot be reproduced, and in that case the model-checker is said to be inconclusive. This comes from the over-approximation of the concrete model made by the abstract model. A precise model therefore leads to a conclusive model-checking, but its cost increases with its precision.

Recently, various abstraction refinement algorithms have been proposed. These algorithms automatically compute abstract models which are progressively refined until their model-checking is conclusive. In the thesis, we define a new abstraction refinement algorithm for safety properties. We compare our algorithm with earlier abstraction refinement algorithms. Using formal proofs, we show the advantages of our approach. Furthermore, we define extensions of the algorithm that integrate other techniques used in model-checking, such as acceleration techniques.

Following a rigorous methodology, we then instantiate our algorithm for a variety of models ranging from finite transition systems to infinite transition systems. For each of the models we establish the termination of the instantiated algorithm and give encouraging preliminary experimental results.

Keywords: Model-Checking, Abstraction Refinement, Abstract Interpretation.


Riassunto

Model-checking is an automatic technique aimed at verifying properties of computer systems. The inputs given to the model-checker are the model of the system (which captures all its possible behaviors) and the property to verify. Both are given in a suitable mathematical formalism such as, for example, a transition system for the model and a formula of a temporal logic for the property.

For various reasons (model-checking is undecidable for that class of models, or model-checking requires too many resources for that particular model), model-checking may turn out to be inapplicable. When the property to verify is a safety property (that is, a property stating that "nothing bad happens"), one possible solution is to use a simplified model on which the model-checker can terminate without using too many resources. The simplified model, called the abstract model, approximates the behaviors of the concrete model. However, the abstract model may turn out to be too imprecise. Indeed, if the property holds for the abstract model then it also holds for the concrete model. But when the abstract model falsifies the property, either the violation can be reproduced on the concrete model, and then we have found an error, or the violation is not reproducible, and in that case the model-checker is said to be inconclusive. This is due to the approximation of the concrete model made by the abstract model. Hence a precise model leads to a model-checking able to conclude, but its associated computational cost increases with the precision.

Recently, several abstraction refinement algorithms have been proposed. These algorithms automatically compute abstract models which are progressively refined until the model-checker is able to conclude. In the thesis, we define a new abstraction refinement algorithm for safety properties. We compare the algorithm with earlier abstraction refinement algorithms and formally show the advantages of our approach. Moreover, we introduce extensions of the algorithm that integrate other techniques used in model-checking, such as acceleration techniques.

Following a rigorous methodology, we instantiate our algorithm for a family of models ranging from finite transition systems to infinite transition systems. For each of the models we prove the termination of the instantiated algorithm and present experimental results which turn out to be very promising.

Keywords: Model-Checking, Abstraction Refinement, Abstract Interpretation.


Abstract

Model-checking is an automated technique which aims at verifying properties of computer systems. A model-checker is fed with a model of the system (which captures all its possible behaviors) and a property to verify on this model. Both are given in a convenient mathematical formalism like, for instance, a transition system for the model and a temporal logic formula for the property.

For several reasons (model-checking is undecidable for this class of models, or model-checking needs too many resources for this model), model-checking may not be applicable. For safety properties (which basically say "nothing bad happens"), a solution to this problem uses a simpler model for which model-checkers might terminate without too many resources. This simpler model, called the abstract model, over-approximates the behaviors of the concrete model. However, the abstract model might be too imprecise. In fact, if the property is true on the abstract model, the same holds on the concrete one. On the contrary, when the abstract model violates the property, either the violation is reproducible on the concrete model and so we have found an error, or it is not reproducible and so the model-checker is said to be inconclusive. Inconclusiveness stems from the over-approximation of the concrete model by the abstract model. So a precise model allows the model-checker to conclude, but precision generally comes with an increased computational cost.

Recently, a lot of work has been done to define abstraction refinement algorithms. Those algorithms automatically compute abstract models which are refined as long as the model-checker is inconclusive. In the thesis, we give a new abstraction refinement algorithm which applies to safety properties. We compare our algorithm with previous attempts to build abstract models automatically and show, using formal proofs, that our approach has several advantages. We also give several extensions of our algorithm which allow the integration of existing techniques used in model-checking, such as acceleration techniques.

Following a rigorous methodology, we then instantiate our algorithm for a variety of models ranging from finite state transition systems to infinite state transition systems. For each of those models we prove that the instantiated algorithm terminates and provide encouraging preliminary experimental results.

Keywords: Model-Checking, Abstraction Refinement, Abstract Interpretation.


Contents

Acknowledgments

1 Introduction

2 Preliminaries
  2.1 Well-Quasi Ordered Sets
  2.2 Posets and Lattices
  2.3 Fixpoints
  2.4 Transition Systems
  2.5 Elementary Notions of Abstract Interpretation

3 Abstraction Refinement for Fixpoint Checking
  3.1 Introduction
  3.2 Preliminaries
  3.3 Abstract Fixpoint Checking Algorithm
    3.3.1 Correctness of the Algorithm
    3.3.2 Termination of the Algorithm
    3.3.3 Termination of the Algorithm with Accelerations
  3.4 Relationships with Other Approaches
    3.4.1 Counterexample Guided Abstraction Refinement
    3.4.2 Predicate Abstraction versus Moore Closed Domains
  3.5 Examples
  3.6 Relaxing Some Hypotheses
  3.7 How to Instantiate
    3.7.1 Reduction to the Fixpoint Checking Problem
    3.7.2 The Family of Abstract Domains
    3.7.3 Forward Reasoning
    3.7.4 Backward Reasoning
    3.7.5 Abstract Domain Refinement
    3.7.6 Termination

4 The Coverability Problem of WSTS
  4.1 Introduction
  4.2 The Coverability Problem: State-of-the-art
    4.2.1 The Backward Approach
    4.2.2 The Forward Approach
  4.3 Instantiation
    4.3.1 Reduction to the Fixpoint Checking Problem
    4.3.2 An Adequate Family of Abstract Domains
    4.3.3 Forward Reasoning
    4.3.4 Backward Reasoning
    4.3.5 Abstract Domain Refinement
    4.3.6 Termination
  4.4 Illustration

5 Locality-Based Abstractions for Finite Systems
  5.1 Introduction
  5.2 System and Problem Definition
  5.3 Locality-based Abstractions
  5.4 An Introduction to MDDs
  5.5 Complexity of the Abstract Interpretation
  5.6 Efficient Abstract Fixpoint Checking
    5.6.1 Extending the Semantics to Partial States
    5.6.2 Finer Characterization of the Iterated Functions
    5.6.3 Efficient Iterated Functions: k-Bounded Systems
  5.7 Experiments
    5.7.1 Dining Philosophers Example
    5.7.2 Production Cell Example

6 Place Merging Abstractions for Petri Nets
  6.1 Introduction
  6.2 Petri Nets and the Coverability Problem
  6.3 Instantiation
    6.3.1 Reduction to the Fixpoint Checking Problem
    6.3.2 An Adequate Family of Abstract Domains
    6.3.3 Forward Reasoning
    6.3.4 Backward Reasoning
    6.3.5 Abstract Domain Refinement
    6.3.6 The Place Merging Algorithm
    6.3.7 Termination and Effectivity
  6.4 Experimental Results

7 Conclusion
  7.1 Summary
  7.2 Future Works


Acknowledgments

My foremost thanks go to Jean-François Raskin, my advisor. This thesis is also his achievement. Over the years, he not only helped me to improve my scientific skills but he also taught me how to use them. Indeed, without saving on his energy, he defined for me what a scientific contribution is, what rigor means, what a brilliant scientist is. Being the PhD student of Jean-François is not always easy but the experience and the knowledge I acquired from it are invaluable. That is why I am so grateful to him.

During these years, I met people who played a significant role in this thesis. In order of appearance, I first thank Giorgio Delzanno who welcomed me in Genoa, back in 2002, for writing my master thesis. Over the years, it has always been a pleasure to work with Giorgio. In addition to having numerous great ideas, he was always there to encourage me when my motivation was decreasing. I also thank Alessandro Armando who gently welcomed me in his team and supported me for one year. Finally, I would like to express here my gratitude to Javier Esparza who significantly contributed to this thesis. First, he helped me to elaborate the preliminary results which eventually led to this body of work. Second, he taught me to think as a scientist and to appreciate writing scientific papers. My stay in Stuttgart was an invaluable experience.

Also, I seize the opportunity to thank all my co-authors and especially Laurent Van Begin (who, in addition, is a very good friend of mine) and Patrick Cousot who gently accepted to collaborate and pointed out research directions when necessary.

I am also indebted to Raymond Devillers who carefully proofread the thesis, spotted many inconsistencies and provided many helpful suggestions. I am also grateful to my jury who spent much time reading and understanding my results.

Many thanks to each member of the computer science department and especially to my colleagues of the GroupVerif for this pleasant atmosphere.

I could not close these acknowledgments without expressing my love to the people who are the closest to me: my parents, to whom this thesis is dedicated, and my brother and sister. Because they created a stimulating environment around me, I want to say that this achievement is also theirs. My last words go to my Mara. Your love and support have meant so much to me.

Brussels, August 2007


Chapter 1

Introduction

In cars, planes, trains, rockets, medical equipment, ... technological advances rely more and more on computers and there is no sign indicating a trend reversal. More and more also, they are used in critical situations where any failure leads to severe damage ranging from revenue loss (e.g. the flaw in the floating-point math subsection of the first Pentium microprocessor resulted in a $500 million loss charge against Intel) to casualties (e.g. due to a software flaw, a radiation therapy machine, the Therac-25, killed at least five patients who died of massive overdoses of radiation).

Verification. To avoid such damage one has to verify that the system satisfies some properties. From the early days of computer science it has been a major concern for computer scientists (who design systems) to verify systems against properties, an activity which is referred to as verification. From a behavioral standpoint, it is equivalent to checking that the behaviors of the system, which define its semantics, are included in the correct behaviors specified by the property. If the inclusion does not hold we also say that the system contains incorrect behaviors. Several approaches to verification have emerged over the years.

Testing. The most obvious way to ensure the system does not contain incorrect behaviors is to examine the system behaviors one after the other by testing the system. This simple approach suffers from a major drawback: it is sufficient to find an incorrect behavior, but it falls short of proving their absence. In fact, imagine you want to show that the ABS system of your car never crashes (a crash leads to an inoperative braking system). You drive your car for years in different conditions and it never crashes. Can you assert that the ABS system never crashes? You can do so provided you covered every possible behavior of the ABS system. However, obtaining complete coverage is, in general, costly since testing considers one behavior at a time and the set to cover can be very large (if not infinite).


Model-based verification. Analogously to what is done in mechanical engineering, aerospace engineering, civil engineering, and so forth, a good engineering practice is to verify properties against a model of the system. In computer science, a model of a system is a specification in some mathematical formalism of a set of behaviors. We refer to this set of behaviors as the semantics of the model. Below follows a (non-exhaustive) list of models currently used in computer science, and in particular models used for verification purposes. Our classification is given according to the class of systems to model. It is important to note that the classes listed below are not necessarily disjoint. For instance, some communication protocols turn out to be parameterized systems as well.

Hardware. For hardware systems, models generally consist of a combination of boolean functions arranged according to some topology. The intuition is that each boolean function models a logical unit and the topology models the way logical units are connected to each other.

Software. Typically, models are given by a piece of code expressed in a formal language with an associated formal semantics.

Embedded Systems. The two main characteristics of those systems are that (1) they are reactive systems and (2) often they are real-time systems. A reactive system interacts with an external environment. It receives inputs from the environment via sensors, and it reacts through actuators to control the environment. A system is real-time if its correctness relies on the timing of actions and events. Typical models for such systems are given by timed automata [AD94] (for the controller of the environment) and hybrid automata [Hen96] (for the environment).

Parameterized Systems. Those systems are made up of an arbitrary number of subsystems which interact with each other according to some synchronisation rules. Petri nets [Pet62] and their extensions [Cia94] are often used to model those systems.

Communication Protocols. They are naturally modelled by a finite set of automata equipped with a set of communication primitives (e.g. communication via queues). We refer the reader to models like FIFO channel systems [AJ96, AAB99] or broadcast protocols [EFM99].

...

A general class of model. A formalism which can be used to model any computer system is that of transition systems. Formally, a transition system is given by a triple $(C, T, I)$ where $C$ is the (usually infinite) set of configurations of the system, $T \subseteq C \times C$ represents the transitions between configurations, and $I \subseteq C$ is the set of initial configurations. In some cases the transition relation is labelled, that is $T \subseteq C \times \Sigma \times C$ where $\Sigma$ is usually a finite alphabet. The transition system encodes behaviors, each of which is represented by a sequence of states such that each pair of successive states belongs to $T$ and the first state belongs to $I$. A transition system models a system in the following sense: each behavior of the system is matched (or has a counterpart) in the transition system. We also call the relationship between the model and the system it represents the adequacy of the model. It is worth mentioning here the problem of model construction. Many questions arise when modelling a system: Which model to use? How to guarantee its adequacy? ... However, these questions are out of the scope of the thesis. Accordingly, given a system, we assume an adequate model for it. Below, we give a list of model-based techniques for verification.

Model-based Testing. Recently [HNRW06], the testing approach has been adapted to models. The idea is thus to explore behaviors of the model rather than of the system. In some situations, testing of the system is just not feasible. Consider, for instance, that you want to test the crash recovery procedure of an operating system. Performing a single test in real conditions may take several minutes (for instance, repairing the file system is a time-consuming task). It follows that after months of testing you end up with a narrow coverage of your recovery system. In such a situation, a model-based testing approach (where disks now have a mathematical definition) provides a solution with better coverage.

Theorem Proving. With the help of a theorem prover you can reason about the model of the system and thus try to prove a theorem corresponding to the property you want to establish. For instance, to prove properties of a software system the theorem prover reasons on the code and its associated formal semantics, a Turing-complete model. This approach is, however, only partially automated and still requires manual intervention. In fact, the theorem prover may ask the user to prove some lemmas. Due to the manual intervention, it is not often applicable in practice. In fact, even for small systems, writing a proof is a very tedious, error-prone task for a human being. Finally, let us mention that for fundamental reasons (Rice's theorem [Ric53], Gödel's Incompleteness Theorem) there is no hope of making this approach fully automatic. We refer the reader to [AO91, Fra92, MP92, MP95] for a deeper discussion of theorem proving as well as bibliographies.

Automated Verification. Automated verification was originally introduced in the eighties by Queille and Sifakis [QS82], and independently by Clarke and Emerson [CE81]. They propose to use, for the model of the system, a class of finite state transition systems called Kripke structures. In a Kripke structure, each configuration is labelled with a set of boolean propositions which describes a (set of) system state(s). On the other hand, the property to verify is specified by a formula in some temporal logic, such as the computation tree logic CTL defined in [CE81]. This formula is intended to represent the behaviors of the system which are correct. It follows that if the behaviors represented by the Kripke structure are included in the behaviors represented by the formula, so are the system behaviors, by the adequacy of the model. This approach is commonly referred to as model-checking and is extensively covered in [CGP99]. These seminal works have since generated a huge amount of research and have been extended in many directions: other models have been considered (see the models given above) as well as other properties (such as the ones expressed in the linear temporal logic of [Pnu77] or the temporal logic CTL* of [CES86]).

However, model-checking cannot solve all verification problems. In fact, for fundamental reasons (undecidability of the halting problem for Turing-complete models of computation), or for practical reasons (limitations of the computing power of computers), model-checking may not be applicable. Let us mention here a major obstacle to a general application of model-checking: the state explosion problem. In fact, given a model, the size of the underlying transition system can sometimes be huge and intractable for the model-checker. This explosion is best visualized in the case of concurrent systems but appears in other cases as well. Suppose the model is given by a set of distinct automata, each of which corresponds to a sub-component of the system. The transition system is obtained by the synchronisation of the sub-components and may result in a system which is exponentially larger than each sub-component.

Abstract Interpretation. A possible solution to overcome the aforementioned difficulties is given by the theory of abstract interpretation. In the late seventies, the Cousots defined in [CC77] the basis of the theory of abstract interpretation, a popular theory to approximate the evaluation of functions and also of their fixpoints. This theory finds many applications in verification since the semantics of models boils down to evaluating a fixpoint.

In what follows, we adopt a restricted view of abstract interpretation in the following sense. We use abstract interpretation to approximate the state-based semantics of transition systems. An example of state-based semantics of a transition system $(C, T, I)$ is given by the set of states reachable from $I$. State-based semantics of transition systems can be computed by evaluating fixpoints on the complete lattice of sets of states. We commonly refer to those fixpoints as the concrete semantics. In addition, we restrict the discussion to the verification of invariants, which ask, given a transition system and a set $S$ of states, whether the set of reachable states is included in the invariant given by $S$. The invariant $S$ corresponds to an equivalent safety property which says: "no state of $\neg S$ is reachable".

Abstract Semantics. As shown above, the semantics of the model may not be computable or may need too many resources to be computed. It is then interesting to compute an approximation of the semantics. This can be obtained using an abstract interpretation which computes an over-approximation of the concrete semantics, called the abstract semantics. To compute the abstract semantics, we need an abstraction function $\mu \in 2^C \mapsto 2^C$ which basically identifies sets of states. More precisely, $\mu$ over-approximates its argument ($X \subseteq \mu(X)$), $\mu$ is monotone ($X \subseteq Y$ implies $\mu(X) \subseteq \mu(Y)$), and $\mu$ is idempotent ($\mu(\mu(X)) = \mu(X)$). Now, let us consider the set of reachable states, which is given by the least fixpoint $\mathrm{lfp}(f)$ where $f$ is given by $\lambda X.\, I \cup \mathit{post}[T](X)$. One way to over-approximate $\mathrm{lfp}(f)$ is to evaluate $\mathrm{lfp}(\mu \circ f)$ instead, where $\circ$ denotes functional composition. By applying $\mu$ to the result returned by $f$ we thus speed up convergence, at the price, however, of obtaining only an approximation of $\mathrm{lfp}(f)$.

Precision. We relate the precision of an approximation to the abstraction function through some relevant examples. If the abstraction µ coincides with the identity we obtain lfp(f) = lfp(µ ∘ f), so the abstract semantics equals the concrete semantics. Then, if the concrete semantics is not computable or needs too many resources to be computed, so does the abstract semantics.

Now assume µ is the constant function mapping each set of states to C. In this case, lfp(µ ∘ f) = C needs few resources to be computed, but C may be too coarse an over-approximation of lfp(f), as explained below.

Formally, given (C, T, I) and S ⊆ C, the invariant checking problem asks whether

lfp λX. I ∪ post[T](X) ⊆ S .    (1.1)

If the abstraction µ is such that lfp λX. µ(I ∪ post[T](X)) ⊆ S then we can conclude that (1.1) holds; otherwise the analysis is said to be inconclusive, because the non-inclusion may result from the over-approximation introduced by µ and not because lfp λX. I ∪ post[T](X) ⊈ S.
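The following Python script, added here as an illustration and not taken from the thesis, makes the discussion above concrete on a constructed eight-state transition system: it checks that three candidate abstraction functions µ satisfy the three axioms of the text (extensive, monotone, idempotent), computes lfp(µ ∘ f) for each of them, and reports whether the invariant check (1.1) is conclusive. The system, the invariant S and the three abstractions are assumptions of the example.

```python
from itertools import product

# Constructed toy transition system (not from the thesis): eight states, every
# state c < 6 steps to (c + 2) mod 6, and states 6 and 7 loop on themselves.
C = frozenset(range(8))
T = frozenset({(c, (c + 2) % 6) for c in range(6)} | {(6, 6), (7, 7)})
I = frozenset({0})
S = frozenset(range(6))            # invariant S: "states 6 and 7 are never reached"


def post(T, X):
    """Forward image post[T](X): the one-step successors of the states in X."""
    return frozenset(c2 for (c1, c2) in T if c1 in X)


def lfp(f, bottom=frozenset()):
    """Upper iteration sequence bottom, f(bottom), f(f(bottom)), ...  The powerset
    of a finite C satisfies the ACC, so the sequence stabilises (Prop. 2.1)."""
    x = bottom
    while True:
        y = f(x)
        if y == x:
            return x
        x = y


def f(X):
    """The function whose least fixpoint is the set of reachable states."""
    return I | post(T, X)


# Three abstraction functions mu in 2^C -> 2^C (assumed for the example).
def mu_identity(X):
    return frozenset(X)


def mu_parity(X):
    """Keep only the parity of states: one even state in X brings in every even
    state of C, and likewise for odd states."""
    out = set(X)
    for parity in (0, 1):
        if any(c % 2 == parity for c in X):
            out |= {c for c in C if c % 2 == parity}
    return frozenset(out)


def mu_top(X):
    """The coarsest abstraction: every set is mapped to C."""
    return C


def is_closure_operator(mu):
    """Check extensivity, idempotence and monotonicity of mu on all 2^|C| subsets
    of the (tiny) state space C."""
    subsets = [frozenset(c for c, bit in zip(sorted(C), bits) if bit)
               for bits in product((0, 1), repeat=len(C))]
    images = {X: mu(X) for X in subsets}
    extensive = all(X <= images[X] for X in subsets)
    idempotent = all(mu(images[X]) == images[X] for X in subsets)
    monotone = all(images[X] <= images[Y]
                   for X in subsets for Y in subsets if X <= Y)
    return extensive and idempotent and monotone


def abstract_invariant_check(mu):
    """Compute lfp(mu o f) and compare it with S.  True means (1.1) is proved;
    False is 'inconclusive', since the failure may be caused by mu alone."""
    abstract_semantics = lfp(lambda X: mu(f(X)))
    return abstract_semantics, abstract_semantics <= S


if __name__ == "__main__":
    print("concrete reachable states:", sorted(lfp(f)))
    for mu in (mu_identity, mu_parity, mu_top):
        sem, conclusive = abstract_invariant_check(mu)
        print(mu.__name__, "closure:", is_closure_operator(mu),
              "lfp(mu o f) =", sorted(sem), "conclusive:", conclusive)
```

The identity abstraction is conclusive but computes the full concrete semantics; the parity abstraction converges in two steps but drags in the unreachable state 6, so it cannot prove the invariant; the constant abstraction is the extreme case of Sec. "Precision".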

The Abstraction Refinement Paradigm. The above discussion identified one key ingredient in the design of effective and successful abstract interpretation algorithms: the precision of the abstraction. The design of a "good" abstraction, where good means that the computation of the abstract semantics does not need many resources and yields a conclusive answer, is a difficult and time consuming task. Recently, research efforts [HJMS03, CCG+03, BR02] have been devoted to finding automatic techniques that discover and refine an abstraction function for a given transition system and a given property to verify. This approach is also known as the abstraction refinement paradigm. All those works take their inspiration from the seminal work of [CGJ+03], henceforth called Counterexample Guided Abstraction Refinement (or CEGAR for short).

CEGAR. This technique uses a restricted form of abstraction functions. The state space C is divided into equivalence classes and the abstraction function µ maps each set Z ⊆ C to a set of equivalence classes, each of which intersects Z. This abstraction yields the definition of an abstract transition system (Cµ, Tµ, Iµ) where Cµ is the set of equivalence classes, Tµ ⊆ Cµ × Cµ is such that (c₁, c₂) ∈ Tµ if c₁ and c₂ contain states x₁ and x₂, respectively, such that (x₁, x₂) ∈ T, and Iµ = µ(I). The set Rµ of reachable states of the abstract transition system is then computed. If Rµ ⊆ S then the analysis concludes that (1.1) holds; otherwise an incorrect behavior that violates the invariant (namely an abstract behavior that leaves S) is extracted. If the incorrect behavior of (Cµ, Tµ, Iµ) has a counterpart in (C, T, I) then we return this incorrect behavior to the user; otherwise the incorrect behavior is said to be a false alarm and, the analysis being inconclusive, the abstraction is refined. The idea behind the refinement is to prevent the false alarm from showing up again. To this end, we split an equivalence class cᵢ along the false alarm c₁, …, cᵢ₋₁, cᵢ, cᵢ₊₁, …, cₙ into two parts d₁, d₂ such that neither c₁, …, cᵢ₋₁, d₁, cᵢ₊₁, …, cₙ nor c₁, …, cᵢ₋₁, d₂, cᵢ₊₁, …, cₙ is an incorrect behavior. Hence the false alarm disappears. The above process is iterated as long as the analysis is inconclusive.

Our contribution. In this thesis, we present a new abstract invariant checking algorithm with automatic refinement by backward completion in Moore closed abstract domains. Backward completion (see [RT02, GQ01]) is a technique which refines the abstractions used in abstract interpretation. Moore closed abstract domains induce more general abstractions than the partition based abstract domains used in CEGAR. So, contrary to several works in the literature [HJMS03, CCG+03, BR02], our algorithm does not require the abstract domains to be partitions of the state space.

We study the properties of our algorithm and prove it to be more precise than CEGAR. We also show that our automatic refinement technique is compatible with acceleration techniques (see, for instance, [Boi03]). Furthermore, the use of partition based abstract domains does not improve the precision of our algorithm.

In addition to these theoretical results we also provide technical results. Our algorithm is instantiated, following a systematic methodology, in three different settings: one for concurrent finite state systems and two for infinite state systems. Alongside the technical results, we provide empirical results that support our approach.

Plan of the thesis. Chapter 2 recalls some preliminary notions that are necessary for the rest of the discussion. We review basic material on orderings and introduce the notion of closed sets. Then attention is given to partially ordered sets, lattices and related notions. We next focus on fixpoints by recalling some well-known theorems of fixpoint theory. We conclude the chapter by discussing transition systems and their semantics defined through fixpoints. Finally we review the basic concepts of abstract interpretation.

Chapter 3 is a theoretical chapter that introduces a new abstraction refinement algorithm for the particular fixpoint checking problem. Besides establishing correctness properties of the algorithm we also give several sufficient conditions for termination. We then discuss our algorithm in relation to other approaches such as CEGAR or predicate abstraction. After studying the consequences of relaxing some basic assumptions, we give a general and systematic methodology to turn our theoretical algorithm into an effective one. We call this process the instantiation of our algorithm.

Then Chapt. 4, 5 and 6 are devoted to three instantiations of our algorithm. Respectively, we solve the coverability problem of well-structured transition systems, the reachability problem of finite concurrent transition systems, and the coverability problem of Petri nets, by instantiating our algorithm according to the methodology given in Chapt. 3. Finally we close the thesis by drawing a conclusion in Chapt. 7.

In this thesis, each chapter from 3 to 6 is based on a publication which has been revisited and extended according to new insights by the author. Each of these publications has appeared in the proceedings of an international scientific conference or symposium.

Chapter 3 is based on the following paper, published in 2007.
Cousot, P., Ganty, P., Raskin, J.F.: Fixpoint-guided Abstraction Refinements. In: SAS '07: Proc. 14th Int. Static Analysis Symp. Volume 4634 of LNCS, Springer (2007), 333–348.

Chapter 4 is based on the following paper, published in 2006.
Ganty, P., Raskin, J.F., Van Begin, L.: A Complete Abstract Interpretation Framework for Coverability Properties of WSTS. In: VMCAI '06: Proc. 7th Int. Conf. on Verification, Model Checking and Abstract Interpretation. Volume 3855 of LNCS, Springer (2006), 49–64.

Chapter 5 is based on the following paper, published in 2005.
Esparza, J., Ganty, P., Schwoon, S.: Locality-based Abstractions. In: SAS '05: Proc. 12th Int. Static Analysis Symp. Volume 3672 of LNCS, Springer (2005), 118–134.

Finally, Chapt. 6 is based on the following paper, published in 2007.
Ganty, P., Raskin, J.F., Van Begin, L.: From Many Places to Few: Automatic Abstraction Refinement for Petri nets. In: ICATPN '07: Proc. of 28th Int. Conf. on Application and Theory of Petri Nets and Other Models of Concurrency. Volume 4546 of LNCS, Springer (2007), 124–143.


Chapter 2

Preliminaries

Sets, relations and functions. We denote by ℤ the set of integers and by ℕ the subset of positive integers. We use Church's [Chu85] lambda notation for functions (so that f is λx. f(x)) and use the composition operator ∘: if g ∈ X ↦ Y and f ∈ Y ↦ Z then (f ∘ g) ∈ X ↦ Z is such that (f ∘ g) = λx. f(g(x)). The transitive and reflexive closure f* of a function f whose domain and co-domain coincide is the relation given by {(x, x′) | ∃i ∈ ℕ : fⁱ(x) = x′}, where f⁰ = λx. x and fⁱ⁺¹ = fⁱ ∘ f.

The composition operator ∘ on relations R₁ ⊆ X × Y, R₂ ⊆ Y × Z, which gives (R₁ ∘ R₂) ⊆ X × Z, is defined as follows: (R₁ ∘ R₂) = {(x, z) | ∃y ∈ Y : (x, y) ∈ R₁ ∧ (y, z) ∈ R₂}. The transitive and reflexive closure R* of a relation R ⊆ X × X is defined by ⋃_{i∈ℕ} Rⁱ, where R⁰ = {(x, x) | x ∈ X} and Rⁱ⁺¹ = Rⁱ ∘ R.

Given a set S, ℘(S) denotes the set of all subsets of S. Sometimes we write s instead of the singleton {s} when the context makes it clear.

2.1 Well-Quasi Ordered Sets

A preorder ≽ is a binary relation over a set X which is reflexive (i.e. for each x, the relation x ≽ x holds) and transitive (i.e. for each x₁, x₂, x₃ such that x₁ ≽ x₂ and x₂ ≽ x₃, the relation x₁ ≽ x₃ holds). Two elements x₁, x₂ are said to be incomparable if neither x₁ ≽ x₂ nor x₂ ≽ x₁ holds; otherwise x₁, x₂ are said to be comparable. Also we say that x₂ is strictly greater than x₁ if x₂ ≽ x₁ and not x₁ ≽ x₂; we write this fact x₂ ≻ x₁. Finally, we say that ≽ is decidable if there exists an algorithm which, on inputs x₁ and x₂, computes whether x₁ ≽ x₂ holds or not.

The preorder ≽ is a partial order if ≽ is anti-symmetric, that is, for each x₁, x₂ ∈ X such that x₁ ≽ x₂ and x₂ ≽ x₁, we have x₁ = x₂.

The preorder ≽ is a well-quasi order (wqo for short) if every countably infinite sequence of elements x₀, x₁, … from X contains elements xⱼ ≽ xᵢ for some 0 ≤ i < j. We call the pair (X, ≽) a well-quasi ordered set (wqo-set for short).

Figure 2.1: ≽-dc-sets and ≽-uc-sets in ℕ². (The drawing is not reproduced here: axes x and y graduated 1, 2, 3; the regions are labelled A, B, C and D and are described in Example 2.1.)

Closed sets. Let (X, ≽) be a wqo-set; we call ↓x = {x′ ∈ X | x ≽ x′} and ↑x = {x′ ∈ X | x′ ≽ x} the ≽-downward closure and the ≽-upward closure of x ∈ X, respectively. This definition is naturally extended to subsets of X. We define a set S ⊆ X to be a ≽-downward closed set (≽-dc-set for short), respectively a ≽-upward closed set (≽-uc-set for short), iff ↓S = S, respectively ↑S = S. For each wqo-set (X, ≽), we define DCS(X) (UCS(X)) to be the set of all ≽-dc-sets (≽-uc-sets) in X.

Example 2.1 A diagrammatic representation of ≽-dc-sets and ≽-uc-sets in the set ℕ² is given in Fig. 2.1. The wqo ≽ over ℕ² is defined as follows: (a₁, a₂) ≽ (b₁, b₂) if and only if a₁ ≥ b₁ and a₂ ≥ b₂. The ≽-dc-sets A and B are infinite sets: A = {(x, y) ∈ ℕ² | y ≤ 1}, B = {(x, y) ∈ ℕ² | x ≤ 1}. On the contrary, the ≽-dc-set C = {(x, y) ∈ ℕ² | x ≤ 2 ∧ y ≤ 2} is finite. The ≽-uc-set D is given by {(x, y) ∈ ℕ² | x ≥ 3 ∧ y ≥ 2}.

It is clear that the ≽-dc-sets and ≽-uc-sets are dual in the following sense.

Lemma 2.1 Let (X, ≽) be a wqo-set; the set complement of a ≽-dc-set is a ≽-uc-set and vice versa.

Proof. Let U be a ≽-uc-set and let x ∈ X \ U. For all x′ such that x ≽ x′ we have that x′ ∈ X \ U, for otherwise x ∈ U, which yields a contradiction. So we obtain that X \ U is a ≽-dc-set. The other direction is symmetric. □

Lemma 2.2 Let (X, ≽) be a wqo-set and S₁, S₂ ⊆ X; we have

↑S₁ ∪ ↑S₂ = ↑(S₁ ∪ S₂)    ↓S₁ ∪ ↓S₂ = ↓(S₁ ∪ S₂) .


Proof.

↑S₁ ∪ ↑S₂ = {s′₁ ∈ X | ∃s₁ ∈ S₁ : s′₁ ≽ s₁} ∪ {s′₂ ∈ X | ∃s₂ ∈ S₂ : s′₂ ≽ s₂}    def. of ↑
= {s′ ∈ X | ∃s ∈ S₁ ∪ S₂ : s′ ≽ s}    set theory
= ↑(S₁ ∪ S₂)    def. of ↑

The proof for ↓ is similar. □

For the sake of clarity, we do not mention the above lemmas explicitly whenever we use their results. We now recall a well-known lemma on ≽-uc-sets and ≽-dc-sets.

Lemma 2.3 (From [ACJT96]) Let (X, ≽) be a wqo-set and let U₀, U₁, … be an infinite sequence of ≽-uc-sets such that Uᵢ ⊆ Uᵢ₊₁ for all i ≥ 0. There exists j ≥ 0 such that Uⱼ = Uⱼ′ for all j′ ≥ j. Dually, given an infinite sequence of ≽-dc-sets D₀, D₁, … such that Dᵢ ⊇ Dᵢ₊₁ for all i ≥ 0, there exists j ≥ 0 such that Dⱼ = Dⱼ′ for all j′ ≥ j.

Now, we give some results about the effective representation and manipulation (viz. a test, or the application of a function) of ≽-uc-sets.

A set M ⊆ X is said to be canonical if each pair of distinct elements is incomparable: ∀x, y ∈ M : x ≠ y → (neither x ≽ y nor y ≽ x). We say that M is a minor set of S ⊆ X if M ⊆ S, for all x ∈ S there exists y ∈ M such that x ≽ y, and M is canonical.

Lemma 2.4 (From [ACJT96]) Let (X, ≽) be a wqo-set. Each set S ⊆ X has at least one minor set M, and all minor sets are finite. If in addition ≽ is a partial order, then M is unique.

For instance, consider the set D in Fig. 2.1: it has {(2, 3)} as a minor set. Moreover this minor set is unique since ≽ is a partial order. We use min to denote a function which, given a set S ⊆ X, returns a minor set of S.

Effective representation for ≽-uc-sets. An effective representation for a ≽-uc-set U is any finite set S such that ↑S = U. By the previous lemma such a finite set always exists, e.g. a minor set.

Lemma 2.5 (Effective manipulations of ≽-uc-sets.) Let ≽ be a decidable well-quasi order on X, and let S₁, S₂ be two finite subsets of X with ↑S₁ = U₁ and ↑S₂ = U₂. Then:

• S₁ ∪ S₂ is finite and ↑(S₁ ∪ S₂) = U₁ ∪ U₂;

• U₁ ⊆ U₂ iff ∀s₁ ∈ S₁ ∃s₂ ∈ S₂ : s₁ ≽ s₂;

• c ∈ U₁ iff ∃s₁ ∈ S₁ : c ≽ s₁.


Proof. The union of two finite sets is again finite, and the distributivity of ↑ over union (Lemma 2.2) establishes the first item. For the second one, we have

U₁ ⊆ U₂
⇔ ↑S₁ ⊆ ↑S₂    def. of U₁, U₂
⇔ {s₁ | ∃s′₁ ∈ S₁ : s₁ ≽ s′₁} ⊆ {s₂ | ∃s′₂ ∈ S₂ : s₂ ≽ s′₂}    def. of ↑
⇔ ∀s′₁ ∈ S₁ ∃s′₂ ∈ S₂ : s′₁ ≽ s′₂    set theory

This last characterization is effective by finiteness of S₁, S₂ and since ≽ is decidable. The proof of the third statement follows from the definition of ↑. □

In conclusion, given a decidable well-quasi order ≽, we have an effective characterization of the inclusion and union of two ≽-uc-sets, as well as a membership test, for any effective representation.
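Lemma 2.5 turns the three operations on ≽-uc-sets into computations on their finite generators. The Python block below, added here and not part of the thesis, implements those computations for the wqo of Example 2.1 on ℕ² (a partial order, so minor sets are unique by Lemma 2.4) and cross-checks the inclusion test against a brute-force enumeration; the generator sets are constructed for the example.

```python
from itertools import product


def geq(a, b):
    """The wqo of Example 2.1 on N^2: (a1, a2) >= (b1, b2) iff a1 >= b1 and a2 >= b2."""
    return a[0] >= b[0] and a[1] >= b[1]


def minor(S):
    """min(S) for a finite S: the minimal elements of S, a canonical (pairwise
    incomparable) set generating the same uc-set as S.  Unique here (partial order)."""
    S = set(S)
    return frozenset(x for x in S if not any(y != x and geq(x, y) for y in S))


def member(c, S):
    """c in up(S)  iff  exists s in S with c >= s  (third item of Lemma 2.5)."""
    return any(geq(c, s) for s in S)


def included(S1, S2):
    """up(S1) subset of up(S2)  iff  every s1 in S1 is above some s2 in S2
    (second item of Lemma 2.5)."""
    return all(member(s1, S2) for s1 in S1)


def union(S1, S2):
    """up(S1) union up(S2) = up(S1 union S2) (first item); re-minimised so that the
    representation stays canonical."""
    return minor(set(S1) | set(S2))


def included_brute_force(S1, S2):
    """Reference check by enumerating a box of N^2 that contains every generator.
    If the inclusion fails, some generator of S1 is itself a witness, and it lies
    inside the box, so the enumeration is complete."""
    n = max(max(p) for p in set(S1) | set(S2))
    box = product(range(n + 1), repeat=2)
    return all(member(c, S2) for c in box if member(c, S1))


# Constructed generator set (not from the thesis): (4, 4) is redundant since it is
# above (3, 2); the other three generators are pairwise incomparable.
S = {(3, 2), (5, 1), (4, 4), (1, 5)}

if __name__ == "__main__":
    print("min(S) =", sorted(minor(S)))
    print("(6,3) in up(S):", member((6, 3), S), " (2,2) in up(S):", member((2, 2), S))
    print("up{(4,4)} <= up(S):", included({(4, 4)}, S),
          " up(S) <= up{(4,4)}:", included(S, {(4, 4)}))
    print("generators of up{(0,6)} U up(S):", sorted(union({(0, 6)}, S)))
```

Because ≽ on ℕ² is decidable and the generator sets are finite, every test above terminates; the brute-force variant is only there to validate the symbolic one and would be unusable on the infinite uc-sets themselves.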

2.2 Posets and Lattices

Partially ordered set. Let (X, ⊑) be such that ⊑ is a partial order on X. We call the pair (X, ⊑) a partially ordered set (or poset for short).

Let Y ⊆ X; x ∈ X is an upper bound of Y iff ∀y ∈ Y : y ⊑ x. Dually, x ∈ X is a lower bound of Y iff ∀y ∈ Y : x ⊑ y. A least upper bound (lub for short) x of Y is an upper bound of Y that satisfies x ⊑ x₀ whenever x₀ is another upper bound of Y; similarly, a greatest lower bound (glb for short) x of Y is a lower bound of Y that satisfies x₀ ⊑ x whenever x₀ is another lower bound of Y. Note that subsets Y of a poset (X, ⊑) need not have least upper bounds or greatest lower bounds, but when they exist they are unique (since ⊑ is anti-symmetric) and they are denoted ⊔Y and ⨅Y, respectively. Sometimes ⊔ is called the join operator and ⨅ the meet operator, and we shall write x₁ ⊔ x₂ for ⊔{x₁, x₂} and similarly x₁ ⊓ x₂ for ⨅{x₁, x₂}.

Complete Lattice. A complete lattice ⟨L, ⊑⟩ = ⟨L, ⊑, ⊔, ⨅, ⊤, ⊥⟩ is a poset (L, ⊑) such that all subsets of L have least upper bounds as well as greatest lower bounds. Furthermore, ⊥ = ⊔∅ = ⨅L is the ⊑-minimal element and ⊤ = ⨅∅ = ⊔L is the ⊑-maximal element.

Example 2.2 The powerset lattice PL(A) associated to a set A is the complete lattice ⟨℘(A), ⊆, ⋃, ⋂, A, ∅⟩ having the powerset of A as carrier, union and intersection as least upper bound and greatest lower bound, respectively, and ∅ and A as the ⊆-minimal and ⊆-maximal elements, respectively.


Effective Complete Lattice. A complete lattice ⟨L, ⊑, ⊔, ⨅, ⊤, ⊥⟩ is said to be effective if

• for each element l of L, there exists a (not necessarily unique) finite representation denoted lᵉ,

• there exists an algorithm which, on inputs l₁ᵉ and l₂ᵉ, returns true iff l₁ ⊑ l₂ holds,

• there exists an algorithm which, on inputs {l₁ᵉ, …, lₙᵉ}, returns rᵉ such that r = ⨅{l₁, …, lₙ},

• there exists an algorithm which, on inputs {l₁ᵉ, …, lₙᵉ}, returns rᵉ such that r = ⊔{l₁, …, lₙ}.

Complete Sublattice. A sublattice M of a complete lattice ⟨L, ⊑, ⊔, ⨅, ⊤, ⊥⟩ is called a complete sublattice of L if, for every subset A of M, the elements ⨅A and ⊔A, as defined in L, are in M; that is, ∀A ⊆ M : {⨅A, ⊔A} ⊆ M.

ACC&DCC. A poset (X, ⊑) is said to satisfy the ascending chain condition (ACC for short) if every ascending chain x₁ ⊑ x₂ ⊑ ⋯ of elements of X is eventually stationary, that is, there is some n ∈ ℕ such that xₘ = xₙ for all m > n (i.e., there is no infinite strictly ascending chain). Similarly, X is said to satisfy the descending chain condition (DCC for short) if every descending chain x₁ ⊒ x₂ ⊒ ⋯ of elements of X is eventually stationary (that is, there is no infinite strictly descending chain).

Lemma 2.6 Consider the powerset lattice PL(A) associated to a set A such that (A, ≽) is a wqo-set. The lattice ⟨DCS(A), ⊆, ⋃, ⋂, A, ∅⟩ whose carrier is the set of ≽-dc-sets of A is a complete sublattice of PL(A). The same result holds for the lattice ⟨UCS(A), ⊆, ⋃, ⋂, A, ∅⟩ whose carrier is the set of ≽-uc-sets.

Proof. The result holds because ≽-dc-sets are closed under (arbitrary) union and intersection, and so are the ≽-uc-sets. □

Definition 2.1 (downward&upward powerset lattices) Let (A, ≽) be a wqo-set. The complete lattices ⟨DCS(A), ⊆, ⋃, ⋂, A, ∅⟩ and ⟨UCS(A), ⊆, ⋃, ⋂, A, ∅⟩ are called the downward powerset lattice and the upward powerset lattice of A, and they are denoted DPL(A) and UPL(A), respectively. □

Lemma 2.7 Let (A, ≽) be a wqo-set. The lattices DPL(A) and UPL(A) satisfy the descending chain condition and the ascending chain condition, respectively.

Proof. The result is shown using Lem. 2.3. □


Complete Boolean Algebra. A complete boolean algebra is a 7-tuple ⟨L, ⊑, ⨅, ⊔, ⊤, ⊥, ¬⟩ such that (i) ⟨L, ⊑, ⨅, ⊔, ⊤, ⊥⟩ is a complete lattice which satisfies (ii) the distributivity law ∀a, b, c ∈ L : a ⊓ (b ⊔ c) = (a ⊓ b) ⊔ (a ⊓ c), and (iii) for each a ∈ L there is some ¬a ∈ L such that a ⊔ ¬a = ⊤ and a ⊓ ¬a = ⊥. Given a ∈ L we call ¬a the complement of a.

Example 2.3 The structure ⟨℘(S), ⊆, ⋃, ⋂, S, ∅, ¬⟩ associated with a set S, where ¬ denotes set complement, i.e. λX. S \ X, is a complete boolean algebra.

Moore family. Given a complete lattice ⟨L, ⊑, ⊔, ⨅, ⊤, ⊥⟩, the Moore closure of Y ⊆ L is given by {⨅Y′ | Y′ ⊆ Y}. We denote the Moore closure of Y by M(Y). If Y is such that M(Y) = Y, then Y is said to be a Moore family. Note that a Moore family Y always contains a least element, ⨅Y, and a greatest element, ⨅∅, which equals the ⊑-maximal element ⊤ of L; in particular a Moore family is never empty.

For instance, given the powerset lattice ⟨℘({a, b, c}), ⊆, ⋃, ⋂, {a, b, c}, ∅⟩, we see that {{a, b}, {a, c}, {a}, {a, b, c}} is a Moore family.

Now, we introduce the notions of Boolean closure and Boolean closed set. The Boolean closure is stronger than the Moore closure in the following sense: each set which is Boolean closed is also a Moore family.

Boolean closure. Given a complete boolean algebra ⟨L, ⊑, ⊔, ⨅, ⊤, ⊥, ¬⟩ and a finite subset Y of L, Y is said to be Boolean closed iff ∀y₁, y₂ ∈ Y : (i) y₁ ⊓ y₂ ∈ Y, (ii) y₁ ⊔ y₂ ∈ Y, and (iii) ¬y₁ ∈ Y. We define the function λX. B(X) which returns the Boolean closure of its argument, i.e. the smallest set B such that X ⊆ B and B is Boolean closed. In [DP89], a disjunctive normal form for boolean terms (a boolean term over X is any finite expression built using values of X and the connectives ⊔, ⊓ and ¬) is introduced. This yields the conclusion that B always exists, and is unique and finite.
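The two closures just defined can be computed directly in a finite powerset lattice. The Python block below is an added example (not from the thesis): `moore_closure` enumerates the meets of all subsets of Y (including the empty meet, which is ⊤), `is_moore_family` tests M(Y) = Y, and `boolean_closure` obtains B(Y) as the limit of an increasing chain under ∩, ∪ and complement; the sample family is the {a, b, c} example of the text.

```python
from itertools import combinations


def moore_closure(Y, top):
    """M(Y) = {meet of Y' | Y' subset of Y} in the powerset lattice of `top`.
    The empty intersection is the top element, so M(Y) always contains it."""
    Y = [frozenset(y) for y in Y]
    closed = {frozenset(top)}
    for r in range(1, len(Y) + 1):
        for combo in combinations(Y, r):
            closed.add(frozenset.intersection(*combo))
    return closed


def is_moore_family(Y, top):
    """Y is a Moore family iff M(Y) = Y."""
    return moore_closure(Y, top) == {frozenset(y) for y in Y}


def boolean_closure(Y, top):
    """B(Y): the smallest superset of Y closed under intersection, union and
    complement.  Computed as the limit of an increasing chain; the chain lives in
    the finite powerset of `top`, so it stabilises."""
    top = frozenset(top)
    B = {frozenset(y) for y in Y}
    while True:
        bigger = set(B)
        for a in B:
            bigger.add(top - a)                # complement
            for b in B:
                bigger.add(a & b)              # meet
                bigger.add(a | b)              # join
        if bigger == B:
            return B
        B = bigger


# The example of the text: the powerset lattice of {a, b, c}.
TOP = {"a", "b", "c"}
GENERATORS = [{"a", "b"}, {"a", "c"}]           # Y; M(Y) adds {a} and {a, b, c}

if __name__ == "__main__":
    fmt = lambda fam: sorted("".join(sorted(s)) or "{}" for s in fam)
    print("M(Y)       =", fmt(moore_closure(GENERATORS, TOP)))
    print("Moore?     =", is_moore_family(moore_closure(GENERATORS, TOP), TOP))
    print("B(Y)       =", fmt(boolean_closure(GENERATORS, TOP)))
    print("B({ab})    =", fmt(boolean_closure([{"a", "b"}], TOP)))
```

B(Y) for Y = {{a, b}, {a, c}} is the whole powerset: the two generators and their complements separate a, b and c, so every atom is expressible. B({{a, b}}) is the four-element algebra {∅, {a, b}, {c}, {a, b, c}}; both are Moore families, as the text states for Boolean closed sets.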

Properties of functions on complete lattices. Consider two complete lattices ⟨L₁, ⊑₁, ⊔₁, ⨅₁, ⊤₁, ⊥₁⟩ and ⟨L₂, ⊑₂, ⊔₂, ⨅₂, ⊤₂, ⊥₂⟩. Given a function f ∈ L₁ ↦ L₂, we say that f is monotone if ∀l, l′ ∈ L₁ : l ⊑₁ l′ ⇒ f(l) ⊑₂ f(l′).

Also f is completely additive (resp. completely coadditive) when for all C₁ ⊆ L₁, f satisfies f(⊔₁C₁) = ⊔₂ f(C₁) (resp. f(⨅₁C₁) = ⨅₂ f(C₁)), where f(C₁) denotes the set {f(c) | c ∈ C₁}. For the sake of brevity, in what follows we simply say additivity (resp. coadditivity) instead of complete additivity (resp. complete coadditivity).

The pair ⟨L₁ ↦ L₂, ⊆⟩ is a poset for the pointwise ordering f ⊆ g given by ∀x ∈ L₁ : f(x) ⊑₂ g(x). If f ⊆ g holds, we call g an upper-approximation of f.


2.3 Fixpoints

Let f be a function over a poset (L, ⊑). A fixpoint of f is an element l ∈ L such that f(l) = l. We denote by lfp⊑(f) and gfp⊑(f), respectively, the least and the greatest fixpoint of f, when they exist. If the poset is clear from the context, we simply write lfp(f), gfp(f). The well-known Knaster-Tarski theorem states that each monotone function f ∈ L ↦ L over a complete lattice ⟨L, ⊑, ⊔, ⨅, ⊤, ⊥⟩ admits a least fixpoint and the following characterization holds:

lfp(f) = ⨅{x ∈ L | f(x) ⊑ x} .    (2.1)

Dually, f also admits a greatest fixpoint and the following characterization holds:

gfp(f) = ⊔{x ∈ L | x ⊑ f(x)} .    (2.2)

The set {x ∈ L | f(x) ⊑ x} used in (2.1) is the set of post fixpoints of the function f and is denoted briefly postfp(f); dually, the set {x ∈ L | x ⊑ f(x)} used in (2.2) is the set of pre fixpoints of the function f and is denoted briefly prefp(f).

In what follows we constructively characterize least and greatest fixpoints by means of a sequence of values which converges to the fixpoint. Any such sequence is a chain. We call those chains iteration sequences. In general the whole class of ordinal numbers is needed to define the iteration sequence converging to the fixpoint (see [CC79a] and the references given there). However, driven by effectiveness concerns, we restrict our study of the constructive characterizations of fixpoints to the iteration sequences which stabilize after a finite number of steps. Roughly speaking, we restrict ourselves to those fixpoints to which the iteration sequence converges after a finite number of steps.

Regarding the stabilization of an iteration sequence {Iⁱ}_{i∈ℕ}: the sequence is said to have stabilized after a finite number of steps if and only if there exists j such that for each j′ ≥ j the equality Iʲ′ = Iʲ holds, in which case the limit of the sequence is given by Iʲ.

Definition 2.2 (Iteration sequences, iterates and iterated functions) Let f be a monotone function over a complete lattice ⟨L, ⊑⟩; the upper iteration sequence of f is the sequence {Iⁱ}_{i∈ℕ} where I⁰ = ⊥ and Iⁱ⁺¹ = f(Iⁱ). Dually, the lower iteration sequence of f is the sequence {Iⁱ}_{i∈ℕ} where I⁰ = ⊤ and Iⁱ⁺¹ = f(Iⁱ). When speaking about iteration sequences, we sometimes call f the iterated function and each element of the iteration sequence an iterate. □

The following proposition shows that the upper (resp. lower) iteration sequence of fon a lattice satisfying the ACC (resp. DCC) converges to lfp(f) (resp. gfp(f)) after afinite number of steps.


Proposition 2.1 Let f be a monotone function over a complete lattice ⟨L, ⊑⟩. If ⟨L, ⊑⟩ satisfies the ACC then the upper iteration sequence of f is an increasing chain (i.e. Iⁱ ⊑ Iⁱ⁺¹) which stabilizes to lfp(f) after a finite number of steps. Dually, if ⟨L, ⊑⟩ satisfies the DCC then the lower iteration sequence of f is a decreasing chain (i.e. Iⁱ⁺¹ ⊑ Iⁱ) which stabilizes to gfp(f) after a finite number of steps.

When ⟨L, ⊑⟩ does not satisfy the ACC, transfinitely many steps may be necessary for the upper iteration sequence to stabilize to lfp(f). It may also be the case that the iteration sequence stabilizes after a number of steps which is finite but so large that it is unacceptable in practice. However, using the notion of extrapolation [CC77], we are able to speed up the stabilization of the iteration sequence and obtain a close over-approximation of the least fixpoint after a reasonably small number of steps.

Definition 2.3 (Widening operator) Given a complete lattice ⟨L, ⊑⟩, we define a widening operator ∇ ∈ (ℕ ↦ (L × L ↦ L)) as follows:

1. ∀j > 0 ∀x, y ∈ L : x ⊔ y ⊑ x ∇(j) y;

2. for each ascending chain y₀ ⊑ y₁ ⊑ y₂ ⊑ ⋯ ⊑ yₙ ⊑ ⋯ of elements of L, the ascending chain x₀ = y₀, x₁ = x₀ ∇(1) y₁, …, xₙ = xₙ₋₁ ∇(n) yₙ, … stabilizes after a finite number of steps.

A widening operator will be used to extrapolate each iterate until a post fixpoint is reached; by (2.1), any post fixpoint is an over-approximation of the least fixpoint.

Proposition 2.2 (From [CC92b]) Let f ∈ L ↦ L be a monotone function on the complete lattice ⟨L, ⊑, ⨅, ⊔, ⊤, ⊥⟩, and let ∇ be a widening operator. The sequence

x₀ = ⊥
xₙ₊₁ = xₙ if f(xₙ) ⊑ xₙ, and xₙ₊₁ = xₙ ∇(n+1) f(xₙ) otherwise

stabilizes after a finite number of steps. Moreover, the limit u of this sequence is such that lfp(f) ⊑ u and f(u) ⊑ u.

This over-approximation can then be improved using a narrowing operator.

Definition 2.4 (Narrowing operator) Given a complete lattice ⟨L, ⊑⟩, we define a narrowing operator △ ∈ (ℕ ↦ (L × L ↦ L)) as follows:

1. ∀j > 0 ∀x, y ∈ L : y ⊑ x ⇒ y ⊑ x △(j) y ⊑ x;

2. for each descending chain y₀ ⊒ y₁ ⊒ y₂ ⊒ ⋯ ⊒ yₙ ⊒ ⋯ of elements of L, the descending chain x₀ = y₀, x₁ = x₀ △(1) y₁, …, xₙ = xₙ₋₁ △(n) yₙ, … stabilizes after a finite number of steps.

Proposition 2.3 (From [CC92b]) Let f ∈ L ↦ L be a monotone function on the complete lattice ⟨L, ⊑⟩, and let △ be a narrowing operator. The sequence

x₀ = u (the limit obtained in Prop. 2.2)
xₙ₊₁ = xₙ △(n+1) f(xₙ)

stabilizes after a finite number of steps. In addition each iterate is such that lfp(f) ⊑ f(xₙ) ⊑ xₙ.

It is worth noting that, besides improving the over-approximation of least fixpoints, the narrowing operator can also be used to speed up the stabilization of a lower iteration sequence in a lattice ⟨L, ⊑⟩ which does not satisfy the DCC.
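To see Propositions 2.2 and 2.3 at work, the Python block below (an added example, not from the thesis or from [CC92b]) implements the classical interval lattice with a widening ∇(j) that sends a moving bound to ±∞ and a narrowing △(j) that puts finite bounds back, and applies both to the transfer function of the loop `i := 0; while i < 100 do i := i + 1`, a constructed example. The plain upper iteration sequence needs more than a hundred steps to reach lfp(f) = [0, 100]; the widening sequence reaches the post fixpoint [0, +∞] after two extrapolations and the narrowing sequence recovers [0, 100] from it.

```python
INF = float("inf")
BOT = None                  # bottom of the interval lattice; top is (-INF, INF)


def leq(x, y):
    """x below y: interval inclusion, with BOT below everything."""
    if x is BOT:
        return True
    if y is BOT:
        return False
    return y[0] <= x[0] and x[1] <= y[1]


def join(x, y):
    if x is BOT:
        return y
    if y is BOT:
        return x
    return (min(x[0], y[0]), max(x[1], y[1]))


def meet(x, y):
    if x is BOT or y is BOT:
        return BOT
    lo, hi = max(x[0], y[0]), min(x[1], y[1])
    return (lo, hi) if lo <= hi else BOT


def widen(j, x, y):
    """x widen(j) y: keep each bound of x that y does not push outward, otherwise
    jump to +-infinity.  The result contains join(x, y) (condition 1 of Def. 2.3)
    and a bound changes at most once, so every chain stabilises (condition 2).
    j is the step index of Def. 2.3; this simple widening does not depend on it."""
    z = join(x, y)
    if x is BOT:
        return z
    return (x[0] if x[0] <= z[0] else -INF, x[1] if z[1] <= x[1] else INF)


def narrow(j, x, y):
    """x narrow(j) y for y below x: replace an infinite bound of x by the bound of y,
    so that y is below the result, which is below x (condition 1 of Def. 2.4); a bound
    becomes finite at most once, which gives condition 2."""
    if x is BOT or y is BOT:
        return y
    return (y[0] if x[0] == -INF else x[0], y[1] if x[1] == INF else x[1])


def f(X):
    """Transfer function of  i := 0; while i < 100 do i := i + 1  (constructed
    example): X -> [0,0] join ((X meet (-inf, 99]) + 1)."""
    body = meet(X, (-INF, 99))                      # states that pass the guard
    step = BOT if body is BOT else (body[0] + 1, body[1] + 1)
    return join((0, 0), step)


def kleene_lfp(f):
    """Plain upper iteration sequence of Def. 2.2; returns the limit and the number
    of applications of f.  It terminates here only because the loop bound is finite."""
    x, steps = BOT, 0
    while True:
        fx = f(x)
        steps += 1
        if fx == x:
            return x, steps
        x = fx


def widening_sequence(f):
    """The sequence of Prop. 2.2: extrapolate until a post fixpoint is reached."""
    x, n = BOT, 0
    while not leq(f(x), x):
        x = widen(n + 1, x, f(x))
        n += 1
    return x


def narrowing_sequence(f, u):
    """The sequence of Prop. 2.3 started from the post fixpoint u of Prop. 2.2."""
    x, n = u, 0
    while True:
        y = narrow(n + 1, x, f(x))
        if y == x:
            return x
        x, n = y, n + 1


if __name__ == "__main__":
    print("Kleene iteration:", kleene_lfp(f))            # ((0, 100), 102)
    u = widening_sequence(f)
    print("widening limit u:", u, " f(u) below u:", leq(f(u), u))
    print("after narrowing :", narrowing_sequence(f, u))
```

Replacing the constant 100 by a bound that is unknown statically (an input value) makes the Kleene sequence diverge in this lattice, which does not satisfy the ACC, while the widening sequence still stabilises after the same two steps; this is the situation the paragraph before Definition 2.3 describes.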

We conclude this brief discussion about fixpoints by showing a basic result regarding upper-approximations of iterated functions and then by recalling Park's fixpoint theorem. Both results are used in the exposition.

Lemma 2.8 Let f₁, f₂ be two monotone functions on a complete lattice ⟨L, ⊑⟩ such that f₁ ⊆ f₂, and let Z ∈ L; we have:

Z ∈ postfp(f₂) → Z ∈ postfp(f₁)    lfp λX. f₁(X) ⊑ lfp λX. f₂(X)
Z ∈ prefp(f₁) → Z ∈ prefp(f₂)    gfp λX. f₁(X) ⊑ gfp λX. f₂(X) .

Proof. We conclude from Z ∈ postfp(f₂) that f₂(Z) ⊑ Z, by definition of postfp, hence that f₁(Z) ⊑ Z, by λX. f₁(X) ⊆ λX. f₂(X).

We conclude from Z ∈ prefp(f₁) that Z ⊑ f₁(Z), by definition of prefp, hence that Z ⊑ f₂(Z), by λX. f₁(X) ⊆ λX. f₂(X).

Then Eq. (2.1), Eq. (2.2) and the above results conclude the proof. □

Theorem 2.1 (From [Par69]) Let ⟨L, ⊑, ⨅, ⊔, ⊤, ⊥, ¬⟩ be a complete boolean algebra and let f ∈ L ↦ L be a monotone function. Then g = λX. ¬(f(¬X)) is a monotone function on L and gfp(f) = ¬(lfp(g)).


2.4 Transition systems

A transition system (or TS for short) is a triple (C, T, I) where C is the set of states, T ⊆ C × C is the transition relation and I ⊆ C is the subset of initial states. Often, we write s → s′ if (s, s′) ∈ T, s →* s′ if (s, s′) ∈ T*, and s →ᵏ s′ if (s, s′) ∈ Tᵏ for k ∈ ℕ.

Predicate Transformers. A predicate is a Boolean formula defining a set of states: the ones satisfying the formula. To manipulate sets of states, we use predicate transformers.

The forward image operator is a function that, given a relation T′ ⊆ C × C and a set of states C′ ⊆ C, returns the set post[T′](C′) = {c′ ∈ C | ∃c ∈ C′ : (c, c′) ∈ T′}. When the forward image operator is used with the transition relation T, it is called the post operator and it returns, given a set of states C′, all their one step successors in the transition system; we simply write it post(C′).

The backward image operator is a function that, given a relation T′ ⊆ C × C and a set of states C′ ⊆ C, returns the set pre[T′](C′) = {c ∈ C | ∃c′ ∈ C′ : (c, c′) ∈ T′}. When the backward image operator is used with the transition relation T, it is called the pre operator and it returns, given a set of states C′, all their one step predecessors in the transition system; we simply write it pre(C′).

The unavoidable operator is a function that, given a relation T′ ⊆ C × C and a set of states C′ ⊆ C, returns the set p̃re[T′](C′) = ¬pre[T′](¬C′) = ¬post[T′⁻¹](¬C′) = {c ∈ C | ∀c′ : (c, c′) ∈ T′ ⇒ c′ ∈ C′}. When the unavoidable operator is used with the transition relation T, it is called the pre tilde operator and it returns, given a set of states C′, all the states which have all their one step successors in the set C′; we simply write it p̃re(C′).

Monotonicity. We can distinguish two types of monotonicity for the predicate transformers. First, let T₁ ⊆ C × C be a relation over C; for all S, S′ such that S ⊆ S′ ⊆ C we have:

post[T₁](S) ⊆ post[T₁](S′) ,
pre[T₁](S) ⊆ pre[T₁](S′) .

Also, given T₂ ⊆ C × C such that T₁ ⊆ T₂, we have:

λX. post[T₁](X) ⊆ λX. post[T₂](X) ,
λX. p̃re[T₂](X) ⊆ λX. p̃re[T₁](X) .

In the sequel, when we refer to the monotonicity of post or pre, which definition to use should be clear from the context.


Fixpoints of Transition Systems. Given a transition system $(C, T, I)$, the set of reachable states is given by the least fixpoint $lfp^{\subseteq} \lambda X.\, I \cup post[T](X)$. As shown in [CC99], this fixpoint coincides with $post[T^*](I)$, also written $post^*(I)$ when the transition relation is clear from the context. A state $s$ is said to be reachable if $s \in post^*(I)$.

Dually, given a set $S$ of states, the set of states that are stuck in $S$ (or also that cannot escape from $S$) is given by the greatest fixpoint $gfp^{\subseteq} \lambda X.\, S \cap \widetilde{pre}[T](X)$. As shown in [CC99], this fixpoint coincides with $\widetilde{pre}[T^*](S)$, also written $\widetilde{pre}^*(S)$ when the transition relation is clear from the context.
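The operators and fixpoints above can be checked mechanically on a small finite system. The following Python code is an added example; it is not part of the thesis, the transition system in it is constructed for illustration (it is not the system of any figure of the thesis), and the names post, pre, pre_tilde, reachable, stuck_in and invariant_holds are ours. It computes $post^*(I)$ as the least fixpoint of $\lambda X.\, I \cup post(X)$ and $\widetilde{pre}^*(S)$ as the greatest fixpoint of $\lambda X.\, S \cap \widetilde{pre}(X)$, checks that the forward test $post^*(I) \subseteq S$ and the backward test $I \subseteq \widetilde{pre}^*(S)$ agree, and verifies exhaustively (over all pairs of subsets of $C$) the adjunction $post[T](X) \subseteq Y \Leftrightarrow X \subseteq \widetilde{pre}[T](Y)$ together with the two monotonicity properties stated above.

```python
"""Predicate transformers and their fixpoints on a small finite transition system.

Added example: the system below is constructed for illustration only.
"""
from itertools import chain, combinations
from typing import Callable, FrozenSet, Iterable, Tuple

States = FrozenSet[str]
Relation = FrozenSet[Tuple[str, str]]

# Constructed toy system: the reachable loop l0 -> l1 -> l2 -> l0 stays inside
# SAFE, while l3 lies in SAFE but is unreachable and escapes to l4.
# T_NEG adds l2 -> l3, after which SAFE can be left from the initial state.
C: States = frozenset({"l0", "l1", "l2", "l3", "l4"})
T_POS: Relation = frozenset({("l0", "l1"), ("l1", "l2"), ("l2", "l0"),
                             ("l3", "l4"), ("l4", "l4")})
T_NEG: Relation = T_POS | {("l2", "l3")}
INIT: States = frozenset({"l0"})
SAFE: States = frozenset({"l0", "l1", "l2", "l3"})


def post(T: Relation, X: States) -> States:
    """post[T](X): one-step successors of the states in X."""
    return frozenset(c2 for (c1, c2) in T if c1 in X)


def pre(T: Relation, X: States) -> States:
    """pre[T](X): one-step predecessors of the states in X."""
    return frozenset(c1 for (c1, c2) in T if c2 in X)


def pre_tilde(T: Relation, X: States) -> States:
    """pre~[T](X) = not pre[T](not X): states all of whose successors lie in X."""
    return C - pre(T, C - X)


def lfp(f: Callable[[States], States], bottom: States) -> States:
    """Least fixpoint of a monotone f by Kleene iteration from bottom (C is finite)."""
    x, y = bottom, f(bottom)
    while y != x:
        x, y = y, f(y)
    return x


def gfp(f: Callable[[States], States], top: States) -> States:
    """Greatest fixpoint of a monotone f by Kleene iteration from top."""
    x, y = top, f(top)
    while y != x:
        x, y = y, f(y)
    return x


def reachable(T: Relation, I: States) -> States:
    """post*(I) = lfp X. I ∪ post(X)."""
    return lfp(lambda X: I | post(T, X), frozenset())


def stuck_in(T: Relation, S: States) -> States:
    """pre~*(S) = gfp X. S ∩ pre~(X): the states that can never leave S."""
    return gfp(lambda X: S & pre_tilde(T, X), C)


def invariant_holds(T: Relation, I: States, S: States) -> bool:
    """Forward check post*(I) ⊆ S; by the adjunction it coincides with I ⊆ pre~*(S)."""
    forward = reachable(T, I) <= S
    backward = I <= stuck_in(T, S)
    assert forward == backward, "forward and backward checks must agree"
    return forward


def powerset(s: Iterable[str]):
    items = list(s)
    return (frozenset(k) for k in chain.from_iterable(
        combinations(items, r) for r in range(len(items) + 1)))


def adjunction_holds(T: Relation) -> bool:
    """post[T](X) ⊆ Y  iff  X ⊆ pre~[T](Y), over all 2^|C| * 2^|C| pairs (X, Y)."""
    subsets = list(powerset(C))
    return all((post(T, X) <= Y) == (X <= pre_tilde(T, Y))
               for X in subsets for Y in subsets)


def relation_monotonicity(T1: Relation, T2: Relation) -> bool:
    """For T1 ⊆ T2: post[T1] ⊆ post[T2] and pre~[T2] ⊆ pre~[T1], pointwise."""
    assert T1 <= T2
    return all(post(T1, X) <= post(T2, X) and pre_tilde(T2, X) <= pre_tilde(T1, X)
               for X in powerset(C))


if __name__ == "__main__":
    print("post*(I) =", sorted(reachable(T_POS, INIT)))
    print("pre~*(SAFE) =", sorted(stuck_in(T_POS, SAFE)))
    print("invariant:", invariant_holds(T_POS, INIT, SAFE), invariant_holds(T_NEG, INIT, SAFE))
```

Because $C$ is finite, Kleene iteration from $\emptyset$ (resp. $C$) reaches the least (resp. greatest) fixpoint in at most $|C|$ steps; on infinite state spaces this is precisely where abstraction, or the well-structuredness assumed below, is needed.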

We now define a subclass of TS which will be studied in Chapt. 4 and, to someextent, in Chapt. 5 and Chapt. 6.

Well-Structured Transition System (WSTS for short) (From [FS01]). A WSTS $((C, \preceq), \delta, c_0)$ is a TS where $(C, \preceq)$ is a wqo-set of states, $\delta \subseteq C \times C$ is a transition relation, and $c_0$ is the single initial state. Moreover, the strong compatibility condition holds, that is $\forall x_1, x_2, x_3\ \exists x_4 : (x_3 \succeq x_1 \wedge x_1 \to x_2) \Rightarrow (x_3 \to x_4 \wedge x_4 \succeq x_2)$.

Examples of WSTS are Petri nets [Rei86], monotone extensions of Petri nets (Petri nets with transfer arcs [Cia94], Petri nets with reset arcs [DFS98], and Petri nets with non-blocking arcs [RVanB04]), broadcast protocols [EN98], and lossy channel systems [AJ96]. The next lemma gives some properties of the predicate transformers of WSTS.

Lemma 2.9 Let $((C, \preceq), \delta, c_0)$ be a WSTS; we have:

$pre[\delta](U) \in UCS(C)$ for any $U \in UCS(C)$,

$\widetilde{pre}[\delta](S) \in DCS(C)$ for any $S \in DCS(C)$.

Proof. The first statement is shown in [ACJT96] at Lem. 3.2. For the second statement, we know that $\neg U \in DCS(C)$ if $U \in UCS(C)$. Hence, the definition $\widetilde{pre} = \lambda X.\, \neg \circ pre \circ \neg(X)$ and the first statement prove that for each $V \in DCS(C)$, $\widetilde{pre}[\delta](V) \in DCS(C)$. □

2.5 Elementary Notions of Abstract Interpretation

In this thesis, the Galois connection framework [CC92a] is used to define the abstractinterpretation of transition systems.

Galois connections. In the Galois connection framework, we have on one side a complete lattice $\langle L, \le, \vee, \wedge, \top_L, \bot_L\rangle$, called the concrete domain, and on the other side we have another complete lattice $\langle A, \sqsubseteq, \sqcup, \sqcap, \top_A, \bot_A\rangle$, called the abstract domain. These two domains are related to each other by a pair of total functions $(\alpha, \gamma)$ such that $\alpha \in L \mapsto A$ is the abstraction function and $\gamma \in A \mapsto L$ is the concretization function. Moreover the 4-tuple $(\alpha, \langle L, \le\rangle, \langle A, \sqsubseteq\rangle, \gamma)$ forms a Galois connection [Cou78], that is:

$\forall x \in L\ \forall y \in A : \alpha(x) \sqsubseteq y \Leftrightarrow x \le \gamma(y)$.

We briefly denote this fact as $\langle L, \le\rangle \underset{\alpha}{\overset{\gamma}{\rightleftarrows}} \langle A, \sqsubseteq\rangle$, or simply $\underset{\alpha}{\overset{\gamma}{\rightleftarrows}}$ when both the concrete and abstract domains are clear from the context. Finally, we write $\gamma(A)$ for the subset of $L$ given by $\{\gamma(a) \mid a \in A\}$.

The orderings on the concrete and abstract domains describe the relative precision of domain values: $x \le y$ means that $x$ is more precise than $y$, i.e. $y$ carries less information than $x$. The Galois connection allows us to relate the concrete and abstract notions of precision: an abstract value $a \in A$ approximates a concrete value $c \in L$ when $\alpha(c) \sqsubseteq a$, or equivalently (by definition of the Galois connection), $c \le \gamma(a)$.

Below we further characterize Galois connections. Then we provide some intuitions.

Lemma 2.10 (From [Cou78]) For each Galois connection $\langle L, \le\rangle \underset{\alpha}{\overset{\gamma}{\rightleftarrows}} \langle A, \sqsubseteq\rangle$ the following hold:

• $\alpha$ and $\gamma$ are monotone functions,

• $x \le \gamma \circ \alpha(x)$ and $\alpha \circ \gamma(y) \sqsubseteq y$,¹

• $\alpha$ is additive and $\gamma$ is coadditive,

• $\alpha = \alpha \circ \gamma \circ \alpha$ and $\gamma = \gamma \circ \alpha \circ \gamma$,

• the concretization and the abstraction functions uniquely define each other:

$\alpha(c) = \bigsqcap \{a \mid c \le \gamma(a)\}$, $\qquad \gamma(a) = \bigvee \{c \mid \alpha(c) \sqsubseteq a\}$,

• the set $\gamma(A)$ is a Moore family. It follows that $\forall a_1, a_2 \in \gamma(A) : a_1 \wedge a_2 \in \gamma(A)$.

From the above lemma, we see that, by requiring a Galois connection, it turns outthat α(c) is the best possible approximation of c in A in the following sense: for eacha ∈ A such that c 6 γ(a) we have α(c) v a.

Also, given a concrete value c ∈ L, we say that c is exactly represented in A iffγ ◦ α(c) = c. Equivalently, there exists a ∈ A such that c = γ(a). So, from the abovereasoning we deduce that γ ◦ α(c) = c iff c ∈ γ(A).

Below, we give another definition of a Galois connection based on the above lemma.

¹ Hint: you can retrieve these properties by following, in $\langle L, \le\rangle \underset{\alpha}{\overset{\gamma}{\rightleftarrows}} \langle A, \sqsubseteq\rangle$, first $\alpha$ then $\gamma$ or vice versa, and observing that you came back at a higher or lower position.

Lemma 2.11 The following equivalence holds: $\langle L, \le\rangle \underset{\alpha}{\overset{\gamma}{\rightleftarrows}} \langle A, \sqsubseteq\rangle$ iff $\alpha$ and $\gamma$ are monotone functions, $\forall x \in L : x \le \gamma \circ \alpha(x)$ and $\forall y \in A : \alpha \circ \gamma(y) \sqsubseteq y$.

Proof. First, we show that $\forall x \in L\ \forall y \in A : \alpha(x) \sqsubseteq y \Leftrightarrow x \le \gamma(y)$ holds using the alternative definition.

$\alpha(x) \sqsubseteq y$ (hypothesis) $\Rightarrow \gamma \circ \alpha(x) \le \gamma(y)$ ($\gamma$ monotonicity) $\Rightarrow x \le \gamma(y)$ (since $x \le \gamma \circ \alpha(x)$).

$x \le \gamma(y)$ (hypothesis) $\Rightarrow \alpha(x) \sqsubseteq \alpha \circ \gamma(y)$ ($\alpha$ monotonicity) $\Rightarrow \alpha(x) \sqsubseteq y$ (since $\alpha \circ \gamma(y) \sqsubseteq y$).

The reverse direction follows directly from the first two entries of Lem. 2.10. □

A Galois connection which turns out to be useful for our purposes is the following.

Lemma 2.12 (From [Cou00]) Given a transition system $(C, T, I)$: $\langle \wp(C), \subseteq\rangle \underset{post[T]}{\overset{\widetilde{pre}[T]}{\rightleftarrows}} \langle \wp(C), \subseteq\rangle$, that is, for all $X, Y \subseteq C$, $post[T](X) \subseteq Y \Leftrightarrow X \subseteq \widetilde{pre}[T](Y)$.

A Galois connection $\langle L, \le\rangle \underset{\alpha}{\overset{\gamma}{\rightleftarrows}} \langle A, \sqsubseteq\rangle$ for which $\alpha \circ \gamma = \lambda x.\, x$ defines a Galois insertion, which is noted with the same arrows, the $\alpha$ arrow being double-headed. It follows that $\alpha$ is a surjective function and $\gamma$ is an injective function.

Note that each Galois connection can be lifted to a Galois insertion by identifying in an equivalence class those values of the abstract domain with the same concretization.

Computing Approximations. Assume that the concrete value $c$ to approximate is given by some fixpoint computation in the concrete lattice, that is $c = lfp^{\le} \lambda X.\, f(X)$² for a monotone function $f$ of $L$.³ So its best possible approximation is given by $\alpha(lfp^{\le} \lambda X.\, f(X))$. Unfortunately, there is no general algorithm computing this abstract value without evaluating $lfp^{\le} \lambda X.\, f(X)$ first. Moreover, for undecidability reasons or because of practical resource limitations, it may happen that we are unable to evaluate $lfp^{\le} \lambda X.\, f(X)$. So, abstract interpretation proposes to approximate $\alpha(lfp^{\le} \lambda X.\, f(X))$ by evaluating the following fixpoint: $lfp^{\sqsubseteq} \lambda X.\, \alpha \circ f \circ \gamma(X)$. So we replaced a fixpoint computation in the concrete domain by a fixpoint in the abstract domain: as shown by the next proposition, the latter approximates the former (but not necessarily in the best possible way).

Proposition 2.4 (From [Cou81]) Let $\langle L, \le\rangle$ be a complete lattice and let $f \in L \mapsto L$ be a monotone function. Let $\langle A, \sqsubseteq\rangle$ be a complete lattice such that $\langle L, \le\rangle \underset{\alpha}{\overset{\gamma}{\rightleftarrows}} \langle A, \sqsubseteq\rangle$; we have:

$\alpha(lfp^{\le} \lambda X.\, f(X)) \sqsubseteq lfp^{\sqsubseteq} \lambda X.\, \alpha \circ f \circ \gamma(X)$,

$\alpha(gfp^{\le} \lambda X.\, f(X)) \sqsubseteq gfp^{\sqsubseteq} \lambda X.\, \alpha \circ f \circ \gamma(X)$.

By definition of a Galois connection, we also have the following.

Corollary 2.1 Under the hypothesis of Prop. 2.4, we have

$lfp^{\le} \lambda X.\, f(X) \le \gamma(lfp^{\sqsubseteq} \lambda X.\, \alpha \circ f \circ \gamma(X))$,

$gfp^{\le} \lambda X.\, f(X) \le \gamma(gfp^{\sqsubseteq} \lambda X.\, \alpha \circ f \circ \gamma(X))$.

In the abstract fixpoint occurs the function $\lambda X.\, \alpha \circ f \circ \gamma(X)$ over the abstract domain. In [CC79b] it is shown that, in the framework of Galois insertions, the above function is the best abstract counterpart of $f$, which means that for each function $f^\sharp \in A \mapsto A$, if $f \le \gamma \circ f^\sharp \circ \alpha$ (pointwise) then $\alpha \circ f \circ \gamma \sqsubseteq f^\sharp$ (pointwise). Since, in the framework of Galois connections, there might be several abstract values approximating a concrete one (like the result returned by a function), there is no best approximation. However, we abusively use the name best abstract counterpart of $f$ to denote the function $\lambda X.\, \alpha \circ f \circ \gamma(X)$.

² To make clear the lattice to which the fixpoint belongs, we sometimes put, in superscript of the fixpoint expression, the ordering of that lattice.

³ We arbitrarily choose a least fixpoint but our reasoning holds for a greatest fixpoint as well.
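The following Python code is an added example, not taken from the thesis; it instantiates the definitions of this section on a constructed five-state system with a partition-based abstract domain (the Boolean closed kind of domain induced by predicate abstraction, where abstract values are unions of blocks of a fixed partition of $C$). The partition, the system and the function names alpha, gamma, forward_semantics and backward_semantics are ours. The code checks exhaustively that $(\alpha, \gamma)$ is a Galois insertion, that $\gamma \circ \alpha(X) = X$ exactly when $X \in \gamma(A)$, and compares the concrete fixpoints with the abstract fixpoints of $\lambda X.\, \alpha \circ f \circ \gamma(X)$ to exhibit the inequalities of Prop. 2.4 and Cor. 2.1. The forward analysis loses precision: because l2 and the escaping state l3 share a block, the abstract least fixpoint climbs to $\top$ although the concrete reachable set is strictly smaller.

```python
"""A partition-based abstraction as a Galois insertion, and the over-approximation
of Prop. 2.4 / Cor. 2.1 on a constructed finite transition system (added example)."""
from itertools import chain, combinations
from typing import Callable, FrozenSet, Iterable, Tuple

States = FrozenSet[str]
Abstract = FrozenSet[int]      # a set of block indices; the abstract order is ⊆
Relation = FrozenSet[Tuple[str, str]]

# Constructed system: l0 -> l1 -> l2 -> l0 is reachable and stays in SAFE;
# l3 is in SAFE, unreachable, and escapes to l4.
C: States = frozenset({"l0", "l1", "l2", "l3", "l4"})
T: Relation = frozenset({("l0", "l1"), ("l1", "l2"), ("l2", "l0"),
                         ("l3", "l4"), ("l4", "l4")})
INIT: States = frozenset({"l0"})
SAFE: States = frozenset({"l0", "l1", "l2", "l3"})

# Abstract domain A: unions of blocks of a fixed partition of C. l2 and l3 share a block.
BLOCKS = (frozenset({"l0", "l1"}), frozenset({"l2", "l3"}), frozenset({"l4"}))
TOP: Abstract = frozenset(range(len(BLOCKS)))
BOTTOM: Abstract = frozenset()


def alpha(X: States) -> Abstract:
    """Best abstraction of X: every block that meets X."""
    return frozenset(i for i, b in enumerate(BLOCKS) if b & X)


def gamma(a: Abstract) -> States:
    """Concretization: the union of the selected blocks."""
    return frozenset().union(*(BLOCKS[i] for i in a))


def powerset(s: Iterable):
    items = list(s)
    return (frozenset(k) for k in chain.from_iterable(
        combinations(items, r) for r in range(len(items) + 1)))


def is_galois_connection() -> bool:
    """∀X ⊆ C, ∀a ∈ A: α(X) ⊑ a  ⇔  X ⊆ γ(a)."""
    abstract_values = list(powerset(TOP))
    return all((alpha(X) <= a) == (X <= gamma(a))
               for X in powerset(C) for a in abstract_values)


def is_galois_insertion() -> bool:
    """α ∘ γ is the identity on A."""
    return all(alpha(gamma(a)) == a for a in powerset(TOP))


def exactly_represented(X: States) -> bool:
    """γ ∘ α(X) = X, i.e. X ∈ γ(A)."""
    return gamma(alpha(X)) == X


def post(X: States) -> States:
    return frozenset(c2 for (c1, c2) in T if c1 in X)


def pre_tilde(X: States) -> States:
    return frozenset(c for c in C if all(c2 in X for (c1, c2) in T if c1 == c))


def lfp(f: Callable, bottom):
    x, y = bottom, f(bottom)
    while y != x:
        x, y = y, f(y)
    return x


def gfp(f: Callable, top):
    x, y = top, f(top)
    while y != x:
        x, y = y, f(y)
    return x


def forward_semantics() -> Tuple[States, Abstract]:
    """Concrete lfp X. I ∪ post(X) and the abstract lfp of its counterpart α∘f∘γ."""
    f = lambda X: INIT | post(X)
    return lfp(f, frozenset()), lfp(lambda a: alpha(f(gamma(a))), BOTTOM)


def backward_semantics() -> Tuple[States, Abstract]:
    """Concrete gfp X. SAFE ∩ pre~(X) and the abstract gfp of its counterpart α∘g∘γ."""
    g = lambda X: SAFE & pre_tilde(X)
    return gfp(g, C), gfp(lambda a: alpha(g(gamma(a))), TOP)


if __name__ == "__main__":
    conc, abst = forward_semantics()
    print("concrete lfp:", sorted(conc), " abstract lfp concretized:", sorted(gamma(abst)))
```

The backward analysis happens to be exact here ($\gamma$ of the abstract greatest fixpoint equals the concrete one), which illustrates that Prop. 2.4 only bounds the abstract fixpoint from below by $\alpha$ of the concrete one; whether the bound is tight depends on the domain and on $f$.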


Chapter 3

The Fixpoint Checking Problem: An Abstract Refinement Algorithm

In this chapter, we present an abstract fixpoint checking algorithm with automatic refinement by backward completion in Moore closed abstract domains. We study the properties of our algorithm and prove it to be more precise than the counterexample guided abstraction refinement algorithm (CEGAR) (see [CGJ+03]). Contrary to several works in the literature, our algorithm does not require the abstract domains to be partitions of the state space. We also show that our automatic refinement technique is compatible with so-called acceleration techniques. Furthermore, the use of Boolean closed domains does not improve the precision of our algorithm. The algorithm is illustrated by proving properties of programs with nested loops.

3.1 Introduction

Techniques for the automatic verification of program invariants have been an active research subject since the early days of computer science. Invariant verification for a program $P$ can be reduced to a fixpoint checking problem: given a monotone function $post$ over sets of program states, a set of initial states $I$, and a set $S$ of states, $S$ is an invariant of $P$ if and only if the set of reachable states from $I$, that is the least fixpoint¹ of $\lambda X.\, I \cup post(X)$, is a subset of $S$.

For fundamental reasons (undecidability of the invariant checking problem for Turing complete models of computation), or for practical reasons (limitations of the computing power of computers), the forward semantics is usually not evaluated in the domain of the function $\lambda X.\, I \cup post(X)$, the so-called concrete domain, but in a simpler domain of values, a so-called abstract domain. Abstract interpretation has been proposed in [CC77] as a general framework to abstract fixpoint checking problems.

1We call this fixpoint the forward semantics of P .


The design of effective abstract interpretation algorithms relies on the definition of useful abstract domains and semantics. The design of good abstractions for a programming language is a difficult and time consuming task. Recently, research efforts [HJMS03, CCG+03, BR02] have been devoted to find automatic techniques that are able to discover and refine abstract domains for a given program. The present work proposes new techniques and results in this direction.

In this chapter, we propose a new abstract algorithm for fixpoint checking with built-in abstract domain refinements. The automatic refinement of abstract domains is used to improve the precision of the algorithm when it is inconclusive. Our algorithm has several properties that distinguish it from the existing algorithms proposed in the literature. First, it computes not only over-approximations of least fixpoints but also over-approximations of greatest fixpoints. The two analyses improve each other: each fixpoint computation is guided by the last computed fixpoint. Second, it is not bound to consider refinements related to spurious abstract counterexamples. The refinement principle that we propose is guided by the abstract fixpoint computations. Our refinement method is more robust and systematic. Third, our refinement principle is compatible with acceleration techniques: acceleration techniques can be used to discover new interesting abstract values which can be used by subsequent abstract computations. This is an important characteristic as it allows us to compute new abstract values that are useful to capture the behavior of loops, which usually hinder the application of the CEGAR approach. Fourth, in the abstract interpretation framework the subset of concrete values given by the abstract domain is a Moore family. Intuitively it means that the set is closed for the meet operation of the concrete lattice. This property is weaker than the property enforced by the use of partitions of the state space in so-called predicate abstractions. We shall show that requiring the use of partitions instead of Moore families does not add power to our algorithm: if it terminates using partitions then it terminates using Moore families. Fifth, we show that whenever an invariant can be proved using the CEGAR approach, then our algorithm is able to prove the invariant as well. And last, we show that the abstract algorithm is guaranteed to terminate under various conditions like for instance the descending chain condition on the concrete domain or the condition that the refinement adds a value for which the concrete greatest fixpoint is computable.

Related works. In the following pages we relate our approach with the CEGAR approach (see [CGJ+03]) where the refinement is done by a backward traversal of an abstract counterexample. Recently, new refinement techniques based on the proof of unsatisfiability of the counterexample have emerged (see [HJMS02] and the references given there). Seen differently, the refinement picks non-deterministically the new values to add to the abstract domain among a set of values defined declaratively. In our case, the value is unique and defined operationally. For this reason we think that an empirical comparison would make more sense.


The abstract fixpoint checking algorithm we propose is an extension of the classical combination of forward and backward static analyses in abstract interpretation ([Cou78], generalized by [Mas01]) to include abstract domain completion, that is the extension of the abstract domain to avoid loss of precision in abstract fixpoints. This abstract domain completion is a backward completion in the classical sense of abstract interpretation [GQ01] but, for efficiency, restricted to reachable states included in the invariant to be checked. In [BPR02] the authors define a restricted abstract domain completion. However, since we reuse all the information computed so far, our completion is finer than theirs.

After some preliminaries in Sect. 3.2, we present in Sect. 3.3 our algorithm and prove its main properties related to correctness and termination; we also show that our approach can be easily combined with acceleration techniques. Sect. 3.4 compares our algorithm to the CEGAR approach and predicate abstraction. Sect. 3.5 illustrates the algorithm with two representative examples. Finally we discuss the properties of our algorithm when relaxing some of its hypotheses in Sect. 3.6 and then, in Sect. 3.7, we pinpoint the issues to address to go from the theoretical algorithm we proposed to a practical implementation.

3.2 Preliminaries

Abstract interpretation. Our solution to the fixpoint checking problem takes place in the context of abstract interpretation, the basics of which have been introduced in the previous chapter. Here, given a transition system $(C, T, I)$, we assume a standard abstract interpretation where the concrete domain is given by the Boolean complete lattice $\langle \wp(C), \subseteq, \cap, \cup, C, \emptyset, \neg\rangle$, where $\neg$ denotes the set complement with respect to $C$, while the abstract domain $A$ arises from a complete lattice $\langle A, \sqsubseteq, \sqcap, \sqcup, \top, \bot\rangle$. The two lattices are related by a pair of functions $(\alpha, \gamma)$ forming a Galois connection, that is $\langle \wp(C), \subseteq\rangle \underset{\alpha}{\overset{\gamma}{\rightleftarrows}} \langle A, \sqsubseteq\rangle$.

Below we instantiate to our needs the result of Cor. 2.1.

Lemma 3.1 Let $(C, T, I)$ be a transition system and let $S, Z \in \wp(C)$. Given a Galois connection $\langle \wp(C), \subseteq\rangle \underset{\alpha}{\overset{\gamma}{\rightleftarrows}} \langle A, \sqsubseteq\rangle$ we have

$lfp^{\subseteq} \lambda X.\, (I \cup post(X)) \cap Z \;\subseteq\; \gamma\big(lfp^{\sqsubseteq} \lambda X.\, \alpha((I \cup post(\gamma(X))) \cap Z)\big)$,

$gfp^{\subseteq} \lambda X.\, S \cap \widetilde{pre}(X) \;\subseteq\; \gamma\big(gfp^{\sqsubseteq} \lambda X.\, \alpha(S \cap \widetilde{pre}(\gamma(X)))\big)$.

We call $lfp^{\subseteq} \lambda X.\, (I \cup post(X)) \cap Z$ the set of reachable states within $Z$, and $S \cap \widetilde{pre}(S)$ the set of states that cannot escape from $S$ in at most one step. We conclude this section by defining the fixpoint checking problem.


The Fixpoint Checking Problem is defined as:

Instance: A transition system $(C, T, I)$ and a set of states $S \subseteq C$.

Question: Does $lfp^{\subseteq} \lambda X.\, I \cup post(X) \subseteq S$ hold?

3.3 Abstract Fixpoint Checking Algorithm

Below we introduce our new algorithm, which takes place in the Galois Connectionframework and follows the abstraction refinement paradigm. This requires the defi-nition of a family of abstract domains formalized by a collection of complete latticessuch that each of them relates to the concrete lattice through a Galois connection. Theunderlying idea is that, at each iteration of the abstraction refinement loop, a differentabstraction is used, or equivalently, a different member of the family is considered.

Definition 3.1 (Family of abstract domains) Let $\langle L, \subseteq\rangle$ be a complete lattice; a family of abstract domains for it is a family $\{\langle A_j, \sqsubseteq_j\rangle, \alpha_j, \gamma_j\}_{j \in J}$ such that $\langle A_j, \sqsubseteq_j\rangle$ is a finite complete lattice and $\langle L, \subseteq\rangle \underset{\alpha_j}{\overset{\gamma_j}{\rightleftarrows}} \langle A_j, \sqsubseteq_j\rangle$. For the sake of clarity we generally omit the subscripts of $\sqsubseteq_j$ and $\gamma_j$ because they are clear from the context. Sometimes we simply write $A_j$ to refer to an element of the family. □

In what follows, given a transition system (C, T, I) we consider a family of abstractdomains for the complete lattice 〈℘(C),⊆〉 so that for each j ∈ J , γ(Aj) denotes a setof sets of states.

We shall see that the algorithm imposes additional properties on the family it uses. For the sake of clarity, we thus consider that the family is computed on the fly by the algorithm. Later on (in Sect. 3.7), we study the case where the family to be used by the algorithm is given a priori. In this context, we specify the additional properties that the family has to satisfy. This is relevant because, when instantiating the algorithm, the family is often given a priori, as we will see in Chapt. 4, 5 and 6.

The algorithm, which is the main contribution of this chapter, is given at Alg. 1. Wemake it clear that each Ai used by the algorithm is an abstract domain for 〈℘(C),⊆〉as defined at Def. 3.1.

It computes over-approximations of least and greatest fixpoints. Line 3 computes an abstract least fixpoint $R_i \in A_i$. As we will see in Prop. 3.1, when executed on a positive instance of the fixpoint checking problem, every set $\gamma_i(R_i) \in \wp(C)$ over-approximates the reachable states of the transition system. Line 7 computes an abstract greatest fixpoint $S_i \in A_i$. Besides being an over-approximation, the set $\gamma_i(S_i) \in \wp(C)$ also under-approximates the set of states that cannot escape from $S \in \wp(C)$ in less than $i + 1$ steps. This is what is proved at Lem. 3.3 and Lem. 3.4. As we can see from line 3 and line 7, the two fixpoints share all the information that has been computed so far. In fact the abstract least fixpoint of line 3 over-approximates the reachable states


Algorithm 1: The Abstract Fixpoint Checking Algorithm

Data: An instance of the fixpoint checking problem such that $I \subseteq S$ and an abstract domain $A_0$ such that $S \in \gamma_0(A_0)$

1   $Z_0 = S$
2   for $i = 0, 1, 2, 3, \ldots$ do
3       Compute $R_i = lfp^{\sqsubseteq} \lambda X.\, \alpha_i\big((I \cup post(\gamma_i(X))) \cap Z_i\big)$
4       if $\alpha_i(I \cup post(\gamma_i(R_i))) \sqsubseteq \alpha_i(Z_i)$ then
5           return OK
6       else
7           Compute $S_i = gfp^{\sqsubseteq} \lambda X.\, \alpha_i\big(\gamma_i(R_i) \cap \widetilde{pre}(\gamma_i(X))\big)$
8           if $\alpha_i(I) \sqsubseteq S_i$ then
9               Let $Z_{i+1} = \gamma_i(S_i) \cap \widetilde{pre}(\gamma_i(S_i))$
10              Let $A_{i+1}$ be s.t. $\gamma_{i+1}(A_{i+1}) \supseteq \{Z_{i+1}\} \cup \gamma_i(A_i)$
11          else
12              return KO
13          end
14      end
15  end

within $Z_i \in \wp(C)$, which gathers all the information computed so far. Similarly, the abstract greatest fixpoint of line 7 starts with the least fixpoint computed previously. Parts of the state space that have already been proved unreachable within $S$, or shown able to escape from $S$, are not explored during the next iterations.

The tests given at lines 4 and 8 use those computed fixpoints to identify positiveand negative instances of the fixpoint checking problem, respectively. We say that thealgorithm concludes at iteration i if the test of line 4 is evaluated to true or the testof line 8 is evaluated to false. If the algorithm does not conclude, then the abstractdomain is too imprecise to identify either positive or negative instances and so we haveto refine it.

The refinement that we generically propose (see lines 9 and 10) relies on the entire abstract fixpoint and is not bound to individual counterexamples. The value $Z_{i+1}$ is the set of states that cannot escape from $\gamma_i(S_i)$ in one step; all the states that are stuck within $S$ have this property. So, this set is interesting as it adds information about concrete states in the abstract domain: this information is used by subsequent abstract fixpoint computations. We will see later in the chapter that line 9 can be modified in order to incorporate information computed by acceleration techniques: the results that we first prove with line 9 are still valid when accelerations are used. The possibility of combining our algorithm with acceleration techniques is very interesting as accelerations may allow us to discover interesting abstract values related to loops in programs. Loops usually hinder the application of the CEGAR approach.


In line 10 we see that the new value $Z_{i+1}$ computed at line 9 is added to the subset of $\wp(C)$ that the current abstract domain $A_i$ can represent (this set is $\gamma_i(A_i) \subseteq \wp(C)$). We thus obtain an abstract domain $A_{i+1}$ such that $\gamma_{i+1}(A_{i+1}) \supseteq \gamma_i(A_i) \cup \{Z_{i+1}\}$.

In Lem. 2.10 we have seen that for every Galois connection $\langle L, \subseteq\rangle \underset{\alpha}{\overset{\gamma}{\rightleftarrows}} \langle A, \sqsubseteq\rangle$ the set $\gamma(A)$ is a Moore family. We will see later that Moore closure is sufficiently powerful in the following precise sense: considering the Boolean closure instead does not improve the precision of our algorithm. This interesting result is established in Prop. 3.10. This contrasts with several approaches in the literature that use predicate abstractions, which induce more complex Boolean closed domains. As we will see in Lem. 3.11, the abstraction function is usually more difficult to compute on Boolean closed domains.

Our algorithm also enjoys nice termination properties. Prop. 3.6 will show thatour algorithm terminates whenever the concrete domain enjoys the descending chaincondition. Th. 3.1 of Sect. 3.4 also shows that whenever CEGAR terminates, then ouralgorithm terminates. We also establish in Prop. 3.5 that whenever a negative instanceis submitted to our algorithm, it terminates.

Finally, it is worth pointing out that all the operations in the algorithm, with theexception of the refinement operation of line 9, are abstract operations, and the onlyconcrete operation is used outside any of the fixpoint computations.

Before giving formal results regarding Alg. 1, let us give more insights by running the algorithm on a toy example.

Example 3.1 The toy example is a finite state system given at Fig. 3.1. The sets of states given by the initial abstract domain are the boxes. We submit to our algorithm the following positive instance of the fixpoint checking problem, where $A_0 = \{\beta_1, \beta_2, \beta_3, \beta_\top\}$ is such that $\gamma_0(\beta_i) = B_i$ for $i \in \{1, 2, 3, \top\}$, $I = \{\ell_0\}$, and $S = B_3$. So note that $Z_0 = B_3 = \gamma_0(\beta_3) = S$. On the right side of Fig. 3.1 the algorithm is executed step by step. Since the fixpoints stabilize in very few steps, we invite the interested reader to verify them by hand.
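The following Python code is an added example of Alg. 1; it is not the thesis' implementation, the transition system in it is constructed for illustration (it is not the system of Fig. 3.1, whose transitions are not reproduced here), and the names MooreDomain, initial_domain, fixpoint_check and concrete_answer are ours. The abstract domain $A_i$ is represented directly by its image $\gamma_i(A_i)$: a Moore family of subsets of $C$ (closed under intersection and containing $C$) ordered by $\subseteq$, with $\gamma$ the identity and $\alpha(X)$ the least member containing $X$, so that $(\alpha, \gamma)$ is a Galois insertion; line 10 is realised by adding $Z_{i+1}$ to the family and re-closing it under intersection. On the positive instance the run has the shape of Example 3.1: iteration 0 is inconclusive, the refinement adds $Z_1 = \{\ell_0, \ell_1, \ell_2\}$, and iteration 1 answers OK. Adding the transition $\ell_2 \to \ell_3$ makes the instance negative and the same code answers KO at iteration 1, where $S_1 = \emptyset$ so that $\alpha_1(I) \not\sqsubseteq S_1$.

```python
"""Algorithm 1 (abstract fixpoint checking with backward-completion refinement)
on a constructed finite transition system. Added example, not the thesis' code."""
from typing import Callable, FrozenSet, Iterable, List, Tuple

States = FrozenSet[str]
Relation = FrozenSet[Tuple[str, str]]

C: States = frozenset({"l0", "l1", "l2", "l3", "l4"})
# Constructed instance: the reachable loop l0 -> l1 -> l2 -> l0 stays in SAFE;
# l3 escapes SAFE but is unreachable. T_NEG adds l2 -> l3 (negative instance).
T_POS: Relation = frozenset({("l0", "l1"), ("l1", "l2"), ("l2", "l0"),
                             ("l3", "l4"), ("l4", "l4")})
T_NEG: Relation = T_POS | {("l2", "l3")}
INIT: States = frozenset({"l0"})
SAFE: States = frozenset({"l0", "l1", "l2", "l3"})


def post(T: Relation, X: States) -> States:
    return frozenset(c2 for (c1, c2) in T if c1 in X)


def pre_tilde(T: Relation, X: States) -> States:
    """States all of whose successors lie in X."""
    return frozenset(c for c in C if all(c2 in X for (c1, c2) in T if c1 == c))


def lfp(f: Callable[[States], States], bottom: States) -> States:
    x, y = bottom, f(bottom)
    while y != x:
        x, y = y, f(y)
    return x


def gfp(f: Callable[[States], States], top: States) -> States:
    x, y = top, f(top)
    while y != x:
        x, y = y, f(y)
    return x


class MooreDomain:
    """An abstract domain given by its image γ(A): a family of subsets of C closed
    under intersection and containing C, ordered by ⊆. γ is the identity and α(X)
    is the least member containing X, so (α, γ) is a Galois insertion."""

    def __init__(self, members: Iterable[States]) -> None:
        fam = set(members) | {C}
        changed = True
        while changed:            # close under binary (hence all finite) intersections
            changed = False
            for a in list(fam):
                for b in list(fam):
                    if (a & b) not in fam:
                        fam.add(a & b)
                        changed = True
        self.members: FrozenSet[States] = frozenset(fam)

    def alpha(self, X: States) -> States:
        return frozenset.intersection(*[m for m in self.members if X <= m])

    def gamma(self, a: States) -> States:
        return a

    @property
    def bottom(self) -> States:
        return self.alpha(frozenset())

    @property
    def top(self) -> States:
        return C

    def refine(self, Z: States) -> "MooreDomain":
        """Line 10: the least Moore family containing γ(A_i) ∪ {Z}."""
        return MooreDomain(self.members | {Z})


def initial_domain() -> MooreDomain:
    """A_0 with γ_0(A_0) = {∅, {l0}, {l0,l1}, SAFE, C}; SAFE ∈ γ_0(A_0) as Alg. 1 requires."""
    return MooreDomain([frozenset(), INIT, frozenset({"l0", "l1"}), SAFE])


def fixpoint_check(T: Relation, I: States, S: States, domain: MooreDomain,
                   max_iter: int = 20) -> Tuple[str, int, List[States]]:
    """Alg. 1: returns the verdict, the concluding iteration i, and Z_0, Z_1, ..."""
    assert I <= S and S in domain.members, "precondition of Alg. 1"
    Z = S                                                                # line 1
    zs = [Z]
    for i in range(max_iter):                                            # line 2
        al, ga = domain.alpha, domain.gamma
        R = lfp(lambda X: al((I | post(T, ga(X))) & Z), domain.bottom)   # line 3
        if al(I | post(T, ga(R))) <= al(Z):                              # line 4
            return "OK", i, zs                                           # line 5
        Sg = gfp(lambda X: al(ga(R) & pre_tilde(T, ga(X))), domain.top)  # line 7
        if not al(I) <= Sg:                                              # line 8
            return "KO", i, zs                                           # line 12
        Z = ga(Sg) & pre_tilde(T, ga(Sg))                                # line 9
        zs.append(Z)
        domain = domain.refine(Z)                                        # line 10
    raise RuntimeError("no conclusion within the iteration budget")


def concrete_answer(T: Relation, I: States, S: States) -> bool:
    """Reference answer computed directly in the concrete domain: post*(I) ⊆ S."""
    return lfp(lambda X: I | post(T, X), frozenset()) <= S


if __name__ == "__main__":
    for T in (T_POS, T_NEG):
        verdict, i, zs = fixpoint_check(T, INIT, SAFE, initial_domain())
        print(verdict, "at iteration", i, "Z's:", [sorted(z) for z in zs])
```

Every operation inside the two fixpoint computations is an abstract one (it returns a member of the current family); the only concrete operation is the one of line 9, exactly as the text notes for the algorithm itself.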

3.3.1 Correctness of the Algorithm

In what follows, when we consider a set occurring in Alg. 1 we assume enough iterations have been performed to reach its computation. For instance, if $\gamma_i(R_i)$ appears in a statement then the algorithm has not yet concluded at iteration $i - 1$, and if $Z_{i+1}$ occurs in the statement then the algorithm has not yet concluded at iteration $i$.

We start by establishing a simple invariant of our algorithm and then a resultshowing that our algorithm computes smaller and smaller sets of states.

Lemma 3.2 In Alg. 1, at the ith iteration, we have γi ◦ αi(Zi) = Zi.


[Figure 3.1, left: a finite state system with states including $\ell_0, \ldots, \ell_4$ and the boxes $B_1$, $B_2$, $B_3$, $B_\top$ of the initial abstract domain; the transitions are not reproduced here.]

Figure 3.1, right (execution of Alg. 1):

$R_0 = \beta_3$ (line 3)

$\alpha_0(I \cup post(\gamma_0(\beta_3))) \not\sqsubseteq \alpha_0(Z_0)$ (so not "OK") (line 4)

$S_0 = \beta_3$ (line 7)

$\alpha_0(I) \sqsubseteq S_0$ (cannot say "KO") (line 8)

$Z_1 = \gamma_0(\beta_3) \cap \widetilde{pre}(\gamma_0(\beta_3)) = B_3 \cap \widetilde{pre}(B_3) = \{\ell_0, \ell_1, \ell_2\}$ (line 9)

The new domain is $A_1 = A_0 \cup \{\beta_4, \beta_5\}$ with $\gamma_1(A_0) = \gamma_0(A_0)$, $\gamma_1(\beta_4) = Z_1$ and $\gamma_1(\beta_5) = Z_1 \cap \gamma_1(\beta_2) = Z_1 \cap B_2 = \{\ell_0, \ell_1\}$ (line 10)

$R_1 = \beta_4$ (line 3)

$\alpha_1(I \cup post(\gamma_1(\beta_4))) \sqsubseteq \alpha_1(Z_1)$ (line 4)

Alg. 1 terminates saying "OK"

Figure 3.1: A finite state system and the result of evaluating Alg. 1 on it.

Proof. We prove, by induction on $i$, that $Z_i \in \gamma_i(A_i)$, hence that there exists $a \in A_i$ such that $\gamma_i(a) = Z_i$, and finally that $\gamma_i \circ \alpha_i(Z_i) = Z_i$ using Lem. 2.10. For the base case, line 1 ($Z_0 = S$) and the assumption $S \in \gamma_0(A_0)$ show that $Z_0 \in \gamma_0(A_0)$. The inductive case follows immediately by line 10. □

Lemma 3.3 In Alg. 1, at the $i$th iteration, we have

$Z_{i+1} \subseteq \gamma(S_i) \subseteq \gamma(R_i) \subseteq Z_i \subseteq \cdots \subseteq Z_1 \subseteq \gamma(S_0) \subseteq \gamma(R_0) \subseteq Z_0 \subseteq S$.

Proof. We establish the inclusions from right to left. First, line 1 shows that $Z_0 = S$, which concludes the first case. Then we show that for each value of $i$ we have $\gamma(R_i) \subseteq Z_i$, $\gamma(S_i) \subseteq \gamma(R_i)$ and finally $Z_{i+1} \subseteq \gamma(S_i)$.

We conclude from line 3 that $R_i \sqsubseteq \alpha_i(Z_i)$, hence that $\gamma(R_i) \subseteq \gamma \circ \alpha_i(Z_i)$ by monotonicity of $\gamma$ and finally that $\gamma(R_i) \subseteq Z_i$ by Lem. 3.2.

Then, line 7 shows that $S_i \sqsubseteq \alpha_i(\gamma(R_i))$. Hence, we find that $S_i \sqsubseteq R_i$ by $\alpha_i(\gamma(R_i)) \sqsubseteq R_i$, which follows from the Galois connection, and finally that $\gamma(S_i) \subseteq \gamma(R_i)$ by monotonicity of $\gamma$.

The last case $Z_{i+1} \subseteq \gamma(S_i)$ directly follows from the definition $Z_{i+1} = \gamma(S_i) \cap \widetilde{pre}(\gamma(S_i))$ given at line 9. □

The next proposition characterizes the sets of states that are computed by thealgorithm in the presence of positive instances.


Proposition 3.1 In Alg. 1, if $post^*(I) \subseteq S$ then $\forall i \in \mathbb{N} : post^*(I) \subseteq \gamma(R_i)$.

Proof. Our proof is by induction on $i$.

Base case. Lem. 3.1 tells us that $\gamma(R_0)$ over-approximates the least fixpoint $lfp^{\subseteq} \lambda X.\, (I \cup post(X)) \cap S$. Provided the system respects the invariant $S$ (i.e. $post^*(I) \subseteq S$), this fixpoint is equal to $lfp^{\subseteq} \lambda X.\, I \cup post(X)$. So, $post^*(I) \subseteq \gamma(R_0)$.

Inductive case. For the inductive case we prove the contrapositive. Suppose that there exists $s \in post^*(I)$ with $s \notin \gamma(R_i)$. Lemma 3.3 shows that $\gamma(R_{i-1}) \supseteq \gamma(S_{i-1}) \supseteq Z_i \supseteq \gamma(R_i)$. We now consider several cases.

1. $s \notin \gamma(R_{i-1})$. This contradicts the induction hypothesis.

2. $s \in \gamma(R_{i-1})$ and $s \notin \gamma(S_{i-1})$. We conclude from Lem. 3.1 that $\gamma(S_{i-1})$ over-approximates the states stuck in $\gamma(R_{i-1})$. Since $s \notin \gamma(S_{i-1})$ there exists a state $s'$ such that $s \to^* s'$ and $s' \notin \gamma(R_{i-1})$. First, note that as $s \in post^*(I)$, we conclude that $s' \in post^*(I)$. But as $s' \notin \gamma(R_{i-1})$, we know that $post^*(I) \not\subseteq \gamma(R_{i-1})$, which contradicts the induction hypothesis.

3. $s \in \gamma(R_{i-1})$, $s \in \gamma(S_{i-1})$ and $s \notin Z_i$. We conclude from the definition of $Z_i$, which is given by $\gamma(S_{i-1}) \cap \widetilde{pre}(\gamma(S_{i-1}))$, that there exists $s' \notin \gamma(S_{i-1})$ such that $s \to s'$. Either $s' \notin \gamma(R_{i-1})$, or $s' \in \gamma(R_{i-1})$ and, by the previous case, we know that $s' \to^* s''$ with $s'' \notin \gamma(R_{i-1})$. In the two cases, we conclude that $post^*(I) \not\subseteq \gamma(R_{i-1})$, which contradicts the induction hypothesis.

4. $s \in \gamma(R_{i-1})$, $s \in \gamma(S_{i-1})$, $s \in Z_i$, and $s \notin \gamma(R_i)$. By Lem. 3.1, we know that $s$ is not reachable from $I$ within $Z_i$. Otherwise stated, all paths starting from $I$ and ending in $s$ leave $Z_i$. As $s$ is reachable from $I$, we know that there exists some $s' \notin Z_i$ which is reachable from $I$. We can apply the same reasoning as above and conclude that this contradicts the induction hypothesis. □

We are now in a position to prove that, when the algorithm terminates and returnsOK, it has been submitted a positive instance of the fixpoint checking problem, andwhen the algorithm terminates and returns KO, it has been submitted a negativeinstance of the fixpoint checking problem.

Proposition 3.2 (Correctness – positive instances) If Alg. 1 says "OK" then we have $post^*(I) \subseteq S$.

Proof. The algorithm says "OK" only if

$\alpha_i(I \cup post(\gamma(R_i))) \sqsubseteq \alpha_i(Z_i)$ (line 4)

$\Leftrightarrow I \cup post(\gamma(R_i)) \subseteq \gamma \circ \alpha_i(Z_i)$ (Galois connection)

$\Leftrightarrow I \cup post(\gamma(R_i)) \subseteq Z_i$ (Lem. 3.2)

Then,

$\alpha_i((I \cup post(\gamma(R_i))) \cap Z_i) \sqsubseteq R_i$ (def. of $R_i$; the lfp is a postfixpoint)

$\Leftrightarrow (I \cup post(\gamma(R_i))) \cap Z_i \subseteq \gamma(R_i)$ (Galois connection)

$\Rightarrow I \cup post(\gamma(R_i)) \subseteq \gamma(R_i)$ (since $I \cup post(\gamma(R_i)) \subseteq Z_i$)

$\Rightarrow lfp^{\subseteq} \lambda X.\, I \cup post(X) \subseteq \gamma(R_i)$ (prop. of lfp, see (2.1))

$\Rightarrow post^*(I) \subseteq S$ ($\gamma(R_i) \subseteq S$ by Lem. 3.3) □

Proposition 3.3 (Correctness – negative instances) If Alg. 1 says "KO" then we have $post^*(I) \not\subseteq S$.

Proof. If at iteration $i$ the algorithm says "KO" then we find that $\alpha_i(I) \not\sqsubseteq S_i$ (line 8), which is equivalent to $I \not\subseteq \gamma(S_i)$ by the Galois connection. Let $s_0 \in I$ be such that $s_0 \notin \gamma(S_i)$. We have either $s_0 \notin \gamma(R_i)$ or $s_0 \in \gamma(R_i)$. In the latter case, since $s_0 \notin \gamma(S_i)$, Lem. 3.1 shows that $s_0$ is not stuck in $\gamma(R_i)$, i.e. there exist $k \ge 1$ and $s \notin \gamma(R_i)$ such that $s_0 \to^k s$. In both cases, it follows that $post^*(I) \not\subseteq \gamma(R_i)$, and finally that $post^*(I) \not\subseteq S$ by Prop. 3.1. □

Remark 3.1 The proofs of the above results remain correct if in line 9 of Alg. 1, instead of $\lambda X.\, \widetilde{pre}[T](X)$, we take $\lambda X.\, \widetilde{pre}[R](X)$ where $R \subseteq T^*$. In fact, for correctness to hold, $Z_{i+1}$ must be such that $\widetilde{pre}[T^*](\gamma(S_i)) \subseteq Z_{i+1} \subseteq \gamma(S_i)$. Later we will see how we can benefit from acceleration techniques, which build a relation $R$ such that $T \subseteq R \subseteq T^*$. This alternative refinement, using an $R$ that includes $T$, yields stronger termination properties of the algorithm.

3.3.2 Termination of the Algorithm

To reason about the termination of the algorithm, we need the following technicalproposition and its corollary.

Proposition 3.4 In Alg. 1 the following holds:

1. if Zi+1 = Zi then post(Zi) ⊆ Zi;

2. if I * Zi then the algorithm terminates at iteration i and returns “KO”;

3. if I ∪ post(Zi) ⊆ Zi then the algorithm terminates at iteration i and returns“OK”.


Proof. (1) By Lem. 3.3 and line 9, Zi+1 = Zi implies Zi+1 = γ(Si) ∩ pre(γ(Si)) ⊆γ(Si) ⊆ Zi = Zi+1 so γ(Si) ∩ pre(γ(Si)) = γ(Si) = Zi proving Zi ⊆ pre(Zi) whencepost(Zi) ⊆ Zi by Lem. 2.12.

(2) The hypothesis implies that the test of line 4 fails; indeed if it did not fail, αi(I ∪ post(γ(Ri))) ⊑ αi(Zi), which implies by monotonicity of αi that αi(I) ⊑ αi(Zi), which is equivalent by the Galois connection ⟨αi, γ⟩ to I ⊆ γ ∘ αi(Zi) = Zi by Lem. 3.2, hence a contradiction. The algorithm then computes Si, which is such that γ(Si) ⊆ Zi by Lem. 3.3. Then the hypothesis again shows that I ⊄ γ(Si), which is equivalent to αi(I) ⋢ Si by the Galois connection ⟨αi, γ⟩, so that the test of line 8 fails and the algorithm terminates at iteration i returning “KO”.

(3) Lem. 3.3 shows that γ(Ri) ⊆ Zi, so since post(Zi) ⊆ Zi we obtain that post(γ(Ri)) ⊆ Zi by monotonicity of post. Finally, monotonicity of αi shows that αi(I ∪ post(γ(Ri))) ⊑ αi(Zi) and thus the test of line 4 succeeds and the algorithm terminates returning “OK”. □

Corollary 3.1 In Alg. 1 if Zi = Zi+1 then the algorithm terminates.

Proof. The proof falls naturally into two parts. If I ⊆ Zi then it is a logical consequence of Prop. 3.4.1 and 3.4.3; otherwise termination follows from Prop. 3.4.2. □

Alg. 1 terminates when submitted a negative instance, as proved below in Lem. 3.4 and Prop. 3.5.

Lemma 3.4 In Alg. 1, γ(Ri) under-approximates the set $\mathrm{pre}[\bigcup_{j=0}^{i} T^j](S)$ of states which cannot escape from S in less than i + 1 steps.

Proof. The result is shown by induction on the number i of steps. For the base case, Lem. 3.3 shows that γ(R0) ⊆ S = pre[T⁰](S). For the inductive case,

\[
\begin{aligned}
\mathrm{pre}\Big[\bigcup_{j=0}^{i+1} T^j\Big](S)
&= \mathrm{pre}\Big[\bigcup_{j=0}^{i} T^j \cup \bigcup_{j=1}^{i+1} T^j\Big](S) && \text{def. } \cup \\
&= \mathrm{pre}\Big[\bigcup_{j=0}^{i} T^j\Big](S) \cap \mathrm{pre}[T]\Big(\mathrm{pre}\Big[\bigcup_{j=0}^{i} T^j\Big](S)\Big) && \text{def. pre} \\
&\supseteq \gamma(R_i) \cap \mathrm{pre}[T](\gamma(R_i)) && \text{ind. hyp.} \\
&\supseteq \gamma(S_i) \cap \mathrm{pre}[T](\gamma(S_i)) && \text{by Lem. 3.3, pre mono.} \\
&= Z_{i+1} && \text{by line 9} \\
&\supseteq \gamma(R_{i+1}) && \text{by Lem. 3.3} \qquad \square
\end{aligned}
\]


Proposition 3.5 If post∗(I) ⊄ S then Alg. 1 terminates.

Proof. The hypothesis says that there exist states s, s′ and a value k ∈ ℕ such that s ∈ I, s′ ∉ S and s →ᵏ s′. Lem. 3.4 shows that $\gamma(R_{k-1}) \subseteq \bigcap_{j=0}^{k} \mathrm{pre}[T^j](S)$. So we conclude from above that $I \not\subseteq \bigcap_{j=0}^{k} \mathrm{pre}[T^j](S)$, hence that I ⊄ γ(Rk−1) by transitivity and finally that I ⊄ Zk by Lem. 3.3. The last step uses Prop. 3.4.2 to show that the algorithm terminates, with the correct answer. □
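The following Python program is an added worked example (not code from the thesis) that runs Alg. 1, with the line numbers used in Prop. 3.4 and 3.5, on a constructed five-state transition system. Abstract domains are Moore families of subsets of C represented by their concretisations, so γ is the identity and ⊑ is ⊆; `pre_dual` is the universal predecessor ¬pre¬, the adjoint of post, which is what the thesis's pre denotes in the "states stuck in S" sense; and the argument of α at line 3 is read as (I ∪ post(γ(X))) ∩ Zi, as in the proof of Th. 3.1. All names and the sample system are constructed here. The positive instance stops with "OK" as soon as Zi becomes inductive (Prop. 3.4.3); the negative one, where a state outside S is reached in k = 2 steps, stops with "KO" at iteration 2 with I ⊄ Z2 (Prop. 3.4.2 and Prop. 3.5).

```python
from itertools import combinations

def post(T, X):
    """post[T](X): the successors of the states in X."""
    return frozenset(t for (s, t) in T if s in X)

def pre_dual(C, T, X):
    """States all of whose T-successors are in X, i.e. ¬pre[T](¬X): the states that cannot
    escape X in one step. It is the right adjoint of post: post(Y) ⊆ X iff Y ⊆ pre_dual(X)."""
    return frozenset(s for s in C if all(t in X for (u, t) in T if u == s))

def moore_closure(C, family):
    """M(family): the smallest family containing `family` that is closed under intersection.
    C itself is the empty intersection, so it is always a member."""
    closed = {frozenset(C)} | {frozenset(a) for a in family}
    changed = True
    while changed:
        changed = False
        for a, b in list(combinations(closed, 2)):
            if (a & b) not in closed:
                closed.add(a & b)
                changed = True
    return closed

def alpha(domain, X):
    """Abstraction of X in a Moore family: the intersection of all members containing X.
    Abstract values are represented by their concretisation, so γ is the identity and ⊑ is ⊆."""
    X = frozenset(X)
    return frozenset.intersection(*[a for a in domain if X <= a])

def fixpoint_check(C, T, I, S, max_iter=50):
    """Alg. 1 on a finite system: returns ("OK", i) or ("KO", i), i being the iteration at
    which the verdict is reached. Line numbers follow the thesis's references to Alg. 1."""
    C, I, S = frozenset(C), frozenset(I), frozenset(S)
    domain = moore_closure(C, [S])      # A_0: S ∈ γ(A_0)
    Z = S                               # Z_0 = S
    for i in range(max_iter):
        # line 3: R_i = lfp λX. α_i((I ∪ post(γ(X))) ∩ Z_i), computed from ⊥ = α_i(∅)
        R = alpha(domain, frozenset())
        while True:
            nxt = alpha(domain, (I | post(T, R)) & Z)
            if nxt == R:
                break
            R = nxt
        # line 4: α_i(I ∪ post(γ(R_i))) ⊑ α_i(Z_i)?  Succeeds as soon as Z_i is inductive,
        # i.e. I ∪ post(Z_i) ⊆ Z_i (Prop. 3.4.3)
        if alpha(domain, I | post(T, R)) <= alpha(domain, Z):
            return ("OK", i)
        # line 7: S_i = gfp λX. α_i(γ(R_i) ∩ pre(γ(X))), computed from ⊤ = C
        Sa = C
        while True:
            nxt = alpha(domain, R & pre_dual(C, T, Sa))
            if nxt == Sa:
                break
            Sa = nxt
        # line 8: α_i(I) ⊑ S_i?  A failure means I ⊄ γ(S_i) (Prop. 3.4.2)
        if not alpha(domain, I) <= Sa:
            return ("KO", i)
        # line 9: Z_{i+1} = γ(S_i) ∩ pre[T](γ(S_i)), the refinement step
        Z = Sa & pre_dual(C, T, Sa)
        # line 10: γ(A_{i+1}) = M({Z_{i+1}} ∪ γ(A_i))
        domain = moore_closure(C, domain | {Z})
    raise RuntimeError("no verdict within max_iter iterations")

# Constructed example (not from the thesis): states 0..4 with transitions
# 0→1, 1→2, 2→1, 3→4, 4→3 and initial state 0.
C_EX = frozenset(range(5))
T_EX = frozenset({(0, 1), (1, 2), (2, 1), (3, 4), (4, 3)})
I_EX = frozenset({0})

def positive_instance():
    """S = {0,1,2,3}: the reachable states {0,1,2} never leave S; expected ("OK", 1)."""
    return fixpoint_check(C_EX, T_EX, I_EX, {0, 1, 2, 3})

def negative_instance():
    """S = {0,1,3,4}: state 2 ∉ S is reached in k = 2 steps, so the run stops by iteration k
    with I ⊄ Z_2 (Prop. 3.5); expected ("KO", 2)."""
    return fixpoint_check(C_EX, T_EX, I_EX, {0, 1, 3, 4})

if __name__ == "__main__":
    print(positive_instance(), negative_instance())
```

On the positive instance the first refinement already produces Z1 = {0, 1, 2}, the set of states stuck in S, and the forward check of line 4 closes at iteration 1; on the negative instance the Zi shrink ({0,1,3,4} ⊃ {0,3,4} ⊃ {3,4}) until the initial state drops out, which is exactly the chain the proof of Prop. 3.5 predicts.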

The following proposition states that our algorithm also terminates under the descending chain condition in the concrete domain.

Proposition 3.6 If there exists a Y ⊆ ℘(C) such that the descending chain condition holds on the poset ⟨Y, ⊆⟩ and Zi ∈ Y for all i ∈ ℕ then Alg. 1 terminates.

Proof. We prove the contrapositive. Assume the algorithm does not terminate. We thus obtain that Z0 ⊃ Z1 ⊃ · · · ⊃ Zn ⊃ · · · by Cor. 3.1 and Lem. 3.3, which contradicts the existence of a poset satisfying the above hypothesis. □

Below, Prop. 3.7 establishes another termination result for our algorithm, which states that, if the algorithm computes a value Zi from which the evaluation of the greatest fixpoint gfp⊆ λX. Zi ∩ pre(X) terminates after a finite number of iterations, then our algorithm terminates. First, we provide intuitions about the sequence evaluating the above greatest fixpoint. Consider the lower iteration sequence {Iⁱ}i∈ℕ given by I⁰ = Zi and Iⁱ⁺¹ = Zi ∩ pre(Iⁱ), which stabilizes to gfp⊆ λX. Zi ∩ pre(X), let us assume, after a finite number of steps. Along the sequence the states escaping from Zi are removed. At iterate I¹ = Zi ∩ pre(Zi), the states escaping Zi in 1 step are removed; at iterate I², the states escaping in 2 steps, and so forth. The sequence stabilizes when no more states are removed.

Lemma 3.5 If gfp⊆ λX. Zi ∩ pre(X) is computable in k steps, so is gfp⊆ λX. γ(Ri) ∩ pre(X). Moreover the following equality holds:

\[
\gamma(R_i) \cap \mathrm{gfp}_{\subseteq}\,\lambda X.\, Z_i \cap \mathrm{pre}(X) \;=\; \mathrm{gfp}_{\subseteq}\,\lambda X.\, \gamma(R_i) \cap \mathrm{pre}(X).
\]

Proof. First, we recall that pre∗(Y) = gfp⊆ λX. Y ∩ pre(X) for any set Y of states. Let s be a state which is in Zi but not in the set pre∗(Zi) of states stuck in Zi. So, there exists a state s′ ∉ Zi and a value k′ ≤ k such that $s \to^{k'} s'$, for otherwise the set of states stuck in Zi is not computable in k steps.

We conclude from line 3 that αi(I ∪ post(γ(Ri)) ∩ Zi) ⊑ Ri, hence that post(γ(Ri)) ∩ Zi ⊆ γ(Ri) by the Galois connection ⟨αi, γ⟩, and finally that a state escaping γ(Ri) escapes from Zi too.


Now, let s1 be a state which is in γ(Ri) but not in the set pre∗(γ(Ri)) of states stuck in γ(Ri). Lem. 3.3 shows that γ(Ri) ⊆ Zi and hence that s1 ∈ Zi. So, by the above reasoning, since s1 escapes from γ(Ri), it escapes from Zi as well, that is, s1 is not in the set pre∗(Zi). Accordingly, there exist s′1 ∉ Zi and k′ ≤ k such that $s_1 \to^{k'} s'_1$, and finally pre∗(γ(Ri)) is computable in k steps.

We prove pre∗(γ(Ri)) ⊆ γ(Ri) ∩ pre∗(Zi) as follows. The inclusion γ(Ri) ⊆ Zi, which follows by Lem. 3.3, shows that pre∗(γ(Ri)) ⊆ pre∗(Zi) by monotonicity of pre, hence that pre∗(γ(Ri)) ⊆ γ(Ri) ∩ pre∗(Zi) since pre∗(γ(Ri)) ⊆ γ(Ri).

For the other direction, let s be a state which is in γ(Ri) and in pre∗(Zi), the set of states stuck in Zi. Since, as shown above, a state escaping γ(Ri) escapes from Zi too, we find, using the contrapositive, that s is in the set pre∗(γ(Ri)). □

Proposition 3.7 If, in Alg. 1, there is a value for i such that gfp⊆ λX. Zi ∩ pre(X) stabilizes after a finite number of steps, then Alg. 1 terminates.

Proof. We first prove that pre[T∗](γ(Ri)) = pre[T∗](Zi+1). To do so, we show that pre[T∗](γ(Ri)) ⊆ Zi+1 ⊆ γ(Ri), hence the result follows. Lem. 3.3 shows Zi+1 ⊆ γ(Ri).

\[
\begin{aligned}
& \mathrm{pre}[T^*](\gamma(R_i)) \subseteq \gamma(S_i) && \text{def. of } S_i,\ \text{Lem. 3.1} \\
\Rightarrow\ & \mathrm{pre}[T^*](\gamma(R_i)) \subseteq \mathrm{pre}[T^*](\gamma(S_i)) && T^* \circ T^* = T^* \\
\Rightarrow\ & \mathrm{pre}[T^*](\gamma(R_i)) \subseteq \mathrm{pre}[T^0 \cup T](\gamma(S_i)) && T^0 \cup T \subseteq T^*,\ \text{pre mono.} \\
\Leftrightarrow\ & \mathrm{pre}[T^*](\gamma(R_i)) \subseteq \gamma(S_i) \cap \mathrm{pre}[T](\gamma(S_i)) && \text{def. of pre},\ T^0 \\
\Leftrightarrow\ & \mathrm{pre}[T^*](\gamma(R_i)) \subseteq Z_{i+1} && \text{def. of } Z_{i+1}
\end{aligned}
\]

It follows that pre[T∗](γ(Ri)) = pre[T∗](Zi+1).

We conclude from the stabilization of gfp⊆ λX. Zi ∩ pre(X) (= pre[T∗](Zi)) at step k, that is $\mathrm{pre}[T^*](Z_i) = \mathrm{pre}[\bigcup_{j=0}^{k} T^j](Z_i)$, that gfp⊆ λX. γ(Ri) ∩ pre(X) (= pre[T∗](γ(Ri))) stabilizes at step k, that is $\mathrm{pre}[T^*](\gamma(R_i)) = \mathrm{pre}[\bigcup_{j=0}^{k} T^j](\gamma(R_i))$, by Lem. 3.5. So, if $Z_{i+1} \subseteq \mathrm{pre}[\bigcup_{j=0}^{1} T^j](\gamma(R_i))$ then $\mathrm{pre}[T^*](\gamma(R_i)) = \mathrm{pre}[\bigcup_{j=0}^{k-1} T^j](Z_{i+1})$ by pre[T∗](γ(Ri)) = pre[T∗](Zi+1).

Thus we show $Z_{i+1} \subseteq \mathrm{pre}[\bigcup_{j=0}^{1} T^j](\gamma(R_i))$. Lem. 3.3 shows that γ(Si) ⊆ γ(Ri).

\[
\begin{aligned}
Z_{i+1} &= \gamma(S_i) \cap \mathrm{pre}[T](\gamma(S_i)) && \text{def. of } Z_{i+1} \\
&= \mathrm{pre}[T^0 \cup T](\gamma(S_i)) && \text{def. of pre},\ T^0 \\
&\subseteq \mathrm{pre}[T^0 \cup T](\gamma(R_i)) && \text{by above and pre monotonicity}
\end{aligned}
\]


Repeated applications of the above reasoning show that gfp⊆ λX. Zi+k ∩ pre(X) stabilizes at step 0. We thus obtain that

\[
\begin{aligned}
\mathrm{gfp}_{\subseteq}\,\lambda X.\, \gamma(R_{i+k}) \cap \mathrm{pre}(X)
&= \gamma(R_{i+k}) \cap \mathrm{gfp}_{\subseteq}\,\lambda X.\, Z_{i+k} \cap \mathrm{pre}(X) && \text{Lem. 3.5} \\
&= \gamma(R_{i+k}) \cap Z_{i+k} && \text{stabilizes at step 0} \\
&= \gamma(R_{i+k}) && \gamma(R_{i+k}) \subseteq Z_{i+k} \text{ by Lem. 3.3}
\end{aligned}
\]

Since γ(Ri+k) is a fixpoint for λX. X ∩ pre(X) we conclude that γ(Ri+k) = γ(Si+k), hence that Zi+k+1 = γ(Ri+k) by line 9 and finally that γ(Ai+k+1) = γ(Ai+k) since no new value is added at line 10. So, it is routine to check that Zi+k+1 = Zi+k and so the algorithm terminates by Cor. 3.1. □

3.3.3 Termination of the Algorithm Enhanced by Acceleration Techniques

In this section we will study an enhancement of Alg. 1 which relies on acceleration techniques (see [Boi03] and the references given there). Roughly speaking, acceleration techniques allow us to compute under-approximations of the transitive closure of some binary relation as, for instance, the transition relation.

Assume we are given some binary relation R such that T ⊆ R ⊆ T∗. The enhancement we propose replaces line 9 (viz. Zi+1 = γ(Si) ∩ pre[T](γ(Si))) by the following: Zi+1 = γ(Si) ∩ pre[R](γ(Si)). The definition of R suggests that the value added using R should be at least as precise as the one given using T, by monotonicity of pre. A very favorable situation is when R equals T∗, which gives Zi+1 = γ(Si) ∩ pre[T∗](γ(Si)) = pre[T∗](γ(Si)). Recall that pre[T∗](γ(Si)) = gfp λX. γ(Si) ∩ pre[T](X). So at iteration zero we obtain Z1 = gfp λX. γ(S0) ∩ pre(X), which is such that post(Z1) ⊆ Z1 by the Galois connection ⟨post, p̃re⟩. Hence the enhanced algorithm terminates at iteration 1 by Prop. 3.4. Indeed, if it is a positive instance we find that I ⊆ γ(R1) by Prop. 3.1, hence that I ⊆ Z1 by Lem. 3.3, and finally that I ∪ post(Z1) ⊆ Z1. If it is a negative instance we find that I ⊄ pre[T∗](S), hence that I ⊄ pre[T∗](Z1) = Z1 by monotonicity of pre and Lem. 3.3. Using the definition Zi+1 = γ(Si) ∩ pre[T](γ(Si)) at line 9, the algorithm might not terminate. Below we illustrate this situation with a toy example.

Example 3.2 Fig. 3.2 shows a two counters automaton and its associated semantics. The domain of the counters is ℤ: the set of integers. In the automaton, variables x and y refer to the current value of the counters while variables x′ and y′ refer to the next value (namely the value after firing the transition). Transition t1 is given by a simultaneous assignment. Black dots depict some reachable states, which are given by {(x, y) | y ≤ x ∧ 0 ≤ y}. We will submit to Alg. 1 a positive instance of the fixpoint checking problem such that I and S are given by {(0, 0)} and {(x, y) | y ≠ x + 1}, respectively. Our initial abstract domain A0 is such that γ(A0) = {S, ℤ²}.

It is routine to check that R0, computed at line 3, is such that γ(R0) = S, hence that the test of line 4 fails. It follows that we have to compute S0 given at line 7. Let {Iⁱ}i∈ℕ be the lower iteration sequence over A0 given by I⁰ = ⊤0 and Iⁱ⁺¹ = α0(γ(R0) ∩ pre[T](γ(Iⁱ))), which stabilizes to S0 after a finite number of steps. First let us compute

\[
\begin{aligned}
S \cap \widetilde{\mathrm{pre}}[t_2](S)
&= S \cap \neg \circ \mathrm{pre}[t_2] \circ \neg(S) && \text{def. of } \widetilde{\mathrm{pre}} \\
&= S \cap \neg \circ \mathrm{pre}[t_2](\{(x,y) \mid y = x+1\}) && \text{def. of } \neg,\ S \\
&= S \cap \neg(\{(x,y) \mid y = x+2\}) && \text{see Fig. 3.3} \\
&= S \cap \{(x,y) \mid y \neq x+2\} \\
&= \{(x,y) \mid y \neq x+1\} \cap \{(x,y) \mid y \neq x+2\} && \text{def. of } S
\end{aligned}
\]

We now turn to the evaluation of the gfp.

\[
\begin{aligned}
I^0 &= \top_0 \\
I^1 &= \alpha_0(\gamma(R_0) \cap \mathrm{pre}[T](\gamma(I^0))) \\
&= \alpha_0(S) && \gamma(R_0) = S,\ \mathbb{Z}^2 \subseteq \mathrm{pre}[T](\mathbb{Z}^2) \\
I^2 &= \alpha_0(S \cap \mathrm{pre}[T](\gamma(I^1))) \\
&= \alpha_0\big(S \cap \mathrm{pre}[t_1](\gamma(I^1)) \cap \mathrm{pre}[t_2](\gamma(I^1))\big) && \text{def. pre} \\
&= \alpha_0\big(S \cap \mathrm{pre}[t_2](\gamma(I^1))\big) && S \cap \mathrm{pre}[t_1](S) = S
\end{aligned}
\]

We have S ∩ pre[t2](γ(I¹)) = S ∩ pre[t2](S), which has been computed above. So, by γ(A0) = {S, ℤ²}, we deduce that γ(S0) = S. Since the test of line 8 succeeds, the next step (line 9) is to compute Z1. We use acceleration techniques to compute Z1, for otherwise the algorithm does not converge. Without resorting to acceleration techniques, each Zi escapes from S in i + 1 steps by firing transition t2. This clearly indicates that the CEGAR approach considers counterexamples of increasing length and thus fails on this toy example. By considering the limit instead of the Zi's we obtain a value that is stuck in S. That value stuck in S can be obtained using acceleration techniques as shown below.

[Figure 3.2: A two counters automaton and its associated semantics. The automaton has a single control location q0 with initial valuation x = 0, y = 0 and two transitions, t1 : y = 0 → ⟨x′, y′⟩ = ⟨x + 1, x + 1⟩ and t2 : y′ = y − 1; the plot shows the reachable states in the (x, y) plane.]

[Figure 3.3: Circles are {(x, y) | y = x + 1} and boxes are pre[t2]({(x, y) | y = x + 1}).]

Our candidate relation to show termination is given by t1 ∪ t2∗, which is computable using acceleration techniques. It is routine to check that T ⊆ t1 ∪ t2∗ ⊆ T∗. Let us compute Z1, which is given by S ∩ pre[t1 ∪ t2∗](S).

\[
\begin{aligned}
S \cap \mathrm{pre}[t_1 \cup t_2^*](S) &= S \cap \mathrm{pre}[t_1](S) \cap \mathrm{pre}[t_2^*](S) && \text{def. pre} \\
&= \mathrm{pre}[t_2^*](S) && S \cap \mathrm{pre}[t_1](S) = S \\
&= \mathrm{gfp}_{\subseteq}\,\lambda X.\, S \cap \mathrm{pre}[t_2](X)
\end{aligned}
\]

Let {Iⁱ}i be the lower iteration sequence over ℤ² given by I⁰ = ℤ² and Iⁱ⁺¹ = S ∩ pre[T](Iⁱ), which stabilizes to Z1 after a finite number of steps. We have:

\[
\begin{aligned}
I^0 &= \mathbb{Z}^2 \\
I^1 &= S \cap \mathrm{pre}[t_2](I^0) && \text{def. of the iterates} \\
&= S && \mathbb{Z}^2 \subseteq \mathrm{pre}[t_2](\mathbb{Z}^2) \\
&= \mathbb{Z}^2 \setminus \{(x,y) \mid y = x+1\} \\
I^2 &= S \cap \mathrm{pre}[t_2](I^1) && \text{def. of the iterates} \\
&= S \cap \mathrm{pre}[t_2](S) && I^1 = S \\
&= \mathbb{Z}^2 \setminus \{(x,y) \mid y = x+1 \text{ or } y = x+2\} && \text{from above} \\
&\;\;\vdots \\
I^{\delta} &= \{(x,y) \mid y \leq x\}
\end{aligned}
\]

The new abstract domain A1 is thus such that γ(A1) = M(γ(A0) ∪ {Z1}). At iteration 1, we find at line 3 that γ(R1) = Z1, hence that the test of line 4 succeeds since there is no outgoing transition of Z1 (see Fig. 3.2), and finally that Alg. 1 terminates with the right positive answer.
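As an added illustration of Example 3.2 (not part of the thesis), the following Python code represents sets of counter valuations by the differences y − x they exclude, which is exact for S and for every set met in the example since t2 only shifts that difference and t1 only targets difference 0; the `DiffSet` representation and all function names are constructed here. It computes the unaccelerated iterates Zi, which exclude only the differences 1, …, i + 1 and therefore still contain states that escape S after i + 1 firings of t2, and the accelerated value Z1 = S ∩ pre[t1 ∪ t2∗](S) = {(x, y) | y ≤ x}, which is inductive (post[T](Z1) ⊆ Z1, checked through the adjoint Z1 ⊆ pre[T](Z1)) and contains the initial state (0, 0).

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class DiffSet:
    """A subset of Z² of the form {(x, y) | y - x ∉ E}, where the excluded differences E are
    a finite set plus, optionally, every integer d ≥ ray.  (Constructed representation: it is
    exact here because S and all sets met in Example 3.2 only constrain d = y - x.)"""
    excluded: FrozenSet[int] = frozenset()
    ray: Optional[int] = None

    def __post_init__(self):
        if self.ray is not None:  # normalise: finite points already covered by the ray are redundant
            object.__setattr__(self, "excluded", frozenset(e for e in self.excluded if e < self.ray))

    def contains(self, x, y):
        d = y - x
        return d not in self.excluded and (self.ray is None or d < self.ray)

    def __and__(self, other):
        rays = [r for r in (self.ray, other.ray) if r is not None]
        return DiffSet(self.excluded | other.excluded, min(rays) if rays else None)

ALL = DiffSet()                      # Z²
S = DiffSet(frozenset({1}))          # {(x, y) | y ≠ x + 1}

def pre_t2(X):
    """pre[t2](X) for t2 : y' = y - 1. t2 is total and deterministic, so the universal and the
    existential predecessor coincide: (x, y) is kept iff d - 1 is not excluded from X."""
    return DiffSet(frozenset(e + 1 for e in X.excluded), None if X.ray is None else X.ray + 1)

def pre_t1(X):
    """pre[t1](X) for t1 : y = 0 → <x', y'> = <x+1, x+1>. The target has d = 0, so when 0 is
    not excluded from X every state is safe w.r.t. t1 (the only case arising in Example 3.2)."""
    if not X.contains(0, 0):
        raise NotImplementedError("{(x, y) | y ≠ 0} is not a difference set")
    return ALL

def pre_T(X):
    return pre_t1(X) & pre_t2(X)

def pre_t2_star(X):
    """Acceleration of the t2 loop: pre[t2*](X) = ⋂_{n≥0} pre[t2^n](X). A difference d is
    excluded iff some d - n (n ≥ 0) is excluded from X, i.e. iff d ≥ min E."""
    points = set(X.excluded) | ({X.ray} if X.ray is not None else set())
    return DiffSet(frozenset(), min(points)) if points else ALL

def unaccelerated_Z(i):
    """Z_i with the original line 9 (γ(S_j) = Z_j along this run): excludes d ∈ {1, ..., i+1}."""
    Z = S
    for _ in range(i):
        Z = Z & pre_T(Z)
    return Z

def accelerated_Z1():
    """Z_1 with line 9 using t1 ∪ t2*: S ∩ pre[t1](S) ∩ pre[t2*](S) = {(x, y) | y ≤ x}."""
    return S & pre_t1(S) & pre_t2_star(S)

def is_inductive(X):
    """post[T](X) ⊆ X, checked through the adjoint: X ⊆ pre[T](X)."""
    return (X & pre_T(X)) == X

def t2_steps_to_leave(X, x, y, bound=1000):
    """Number of t2 firings after which (x, y) leaves X, or None if it stays for `bound` steps."""
    for n in range(bound):
        if not X.contains(x, y - n):
            return n
    return None
```

For instance Z3 still contains (0, 5), which leaves S after four firings of t2, whereas the accelerated Z1 excludes it and cannot be left by t2 at all; this is the "limit instead of the Zi's" the text refers to.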

It is worth pointing out that the forward reasoning (given by line 3 and line 4) is conclusive: the test of line 4 succeeds. However, algorithms using acceleration techniques to compute the forward concrete semantics, viz. lfp λX. I ∪ post[T](X), do not terminate. Basically, acceleration techniques identify regular expressions over the transition alphabet and then compute an under-approximation of the transitive closure of the transition relation. For the automaton of Fig. 3.2, acceleration techniques fail because there is no finite regular expression that describes all the possible executions of the counter automaton.

The rest of this section is devoted to establishing some termination properties of the enhanced algorithm. In fact, as we said in Rem. 3.1, our correctness proof remains valid for the enhancement. Thus, below, we focus on termination properties.

Lemma 3.6 Let R be such that T ⊆ R ⊆ T∗. If gfp⊆ λX. Zi ∩ pre[R](X) is computable in k steps, so is gfp⊆ λX. γ(Ri) ∩ pre[R](X). Moreover the following equality holds:

\[
\gamma(R_i) \cap \mathrm{gfp}_{\subseteq}\,\lambda X.\, Z_i \cap \mathrm{pre}[R](X) \;=\; \mathrm{gfp}_{\subseteq}\,\lambda X.\, \gamma(R_i) \cap \mathrm{pre}[R](X).
\]

Proof. First let us note that, by monotonicity of pre, the result of Lem. 3.3 is preserved for the enhanced algorithm (recall that only line 9 is modified). Second, since using the above R, for each set Y of states we have gfp⊆ λX. Y ∩ pre[R](X) = pre[T∗](Y), the proof of Lem. 3.5 is still valid. □

Proposition 3.8 Let R2 be such that T ⊆ R2 ⊆ T∗ and gfp⊆ λX. S ∩ pre[R2](X) stabilizes after a finite number of steps. Then Alg. 1 terminates as well when using at line 9 any R1 such that R2 ⊆ R1 ⊆ T∗.

Proof. We first prove that pre[T∗](γ(R0)) = pre[T∗](Z1). To do so, we show that pre[T∗](γ(R0)) ⊆ Z1 ⊆ γ(R0), hence the result follows. Lem. 3.3, which is preserved for the enhanced algorithm (only line 9 is modified), shows Z1 ⊆ γ(R0).

\[
\begin{aligned}
& \mathrm{pre}[T^*](\gamma(R_0)) \subseteq \gamma(S_0) && \text{def. of } S_0,\ \text{Lem. 3.1} \\
\Rightarrow\ & \mathrm{pre}[T^*](\gamma(R_0)) \subseteq \mathrm{pre}[T^*](\gamma(S_0)) && T^* \circ T^* = T^* \\
\Rightarrow\ & \mathrm{pre}[T^*](\gamma(R_0)) \subseteq \mathrm{pre}[R_1^0 \cup R_1](\gamma(S_0)) && R_1^0 \cup R_1 \subseteq T^*,\ \text{pre mono.} \\
\Leftrightarrow\ & \mathrm{pre}[T^*](\gamma(R_0)) \subseteq \gamma(S_0) \cap \mathrm{pre}[R_1](\gamma(S_0)) && \text{def. of pre},\ R_1^0 \\
\Leftrightarrow\ & \mathrm{pre}[T^*](\gamma(R_0)) \subseteq Z_1 && \text{def. of } Z_1
\end{aligned}
\]

It follows that pre[T∗](γ(R0)) = pre[T∗](Z1), hence that pre[R2∗](γ(R0)) = pre[R2∗](Z1) since R2∗ = T∗.

We conclude from the stabilization of gfp⊆ λX. Z0 ∩ pre[R2](X) (= pre[R2∗](Z0)) at step k, that is $\mathrm{pre}[R_2^*](Z_0) = \mathrm{pre}[\bigcup_{j=0}^{k} R_2^j](Z_0)$, that gfp⊆ λX. γ(R0) ∩ pre[R2](X) (= pre[R2∗](γ(R0))) stabilizes at step k, that is $\mathrm{pre}[R_2^*](\gamma(R_0)) = \mathrm{pre}[\bigcup_{j=0}^{k} R_2^j](\gamma(R_0))$, by Lem. 3.5. So, if $Z_1 \subseteq \mathrm{pre}[\bigcup_{j=0}^{1} R_2^j](\gamma(R_0))$ then $\mathrm{pre}[R_2^*](\gamma(R_0)) = \mathrm{pre}[\bigcup_{j=0}^{k-1} R_2^j](Z_1)$ by pre[R2∗](γ(R0)) = pre[R2∗](Z1).

Thus we show $Z_1 \subseteq \mathrm{pre}[\bigcup_{j=0}^{1} R_2^j](\gamma(R_0))$. Recall that Lem. 3.3, which is preserved for the enhanced algorithm, shows that γ(S0) ⊆ γ(R0).

\[
\begin{aligned}
Z_1 &= \gamma(S_0) \cap \mathrm{pre}[R_1](\gamma(S_0)) && \text{def. of } Z_1 \\
&\subseteq \gamma(S_0) \cap \mathrm{pre}[R_2](\gamma(S_0)) && R_2 \subseteq R_1,\ \text{pre monotonicity} \\
&= \mathrm{pre}[R_2^0 \cup R_2](\gamma(S_0)) && \text{def. of pre},\ R_2^0 \\
&\subseteq \mathrm{pre}[R_2^0 \cup R_2](\gamma(R_0)) && \text{by above and pre monotonicity}
\end{aligned}
\]

Repeated application of the above reasoning shows that gfp⊆ λX. Zk ∩ pre[R2](X) stabilizes at step 0, and so does gfp⊆ λX. Zk ∩ pre[T](X) because pre[R2∗](Zk) = pre[T∗](Zk) since R2∗ = T∗. We thus obtain that

\[
\begin{aligned}
\mathrm{gfp}_{\subseteq}\,\lambda X.\, \gamma(R_k) \cap \mathrm{pre}[T](X)
&= \gamma(R_k) \cap \mathrm{gfp}_{\subseteq}\,\lambda X.\, Z_k \cap \mathrm{pre}[T](X) && \text{Lem. 3.5} \\
&= \gamma(R_k) \cap Z_k && \text{stabilizes at step 0} \\
&= \gamma(R_k) && \gamma(R_k) \subseteq Z_k \text{ by Lem. 3.3}
\end{aligned}
\]

Since γ(Rk) is a fixpoint for λX. X ∩ pre[T](X) we conclude that γ(Rk) = γ(Sk), hence that Zk+1 = γ(Rk) by line 9 and finally that γ(Ak+1) = γ(Ak) since no new value is added at line 10. So, it is routine to check that Zk+1 = Zk and so the algorithm terminates by Cor. 3.1. □

3.4 Relationships with Other Approaches

3.4.1 Counterexample Guided Abstraction Refinement

We first recall here the main ingredients of the CEGAR approach [Dam03, §4.2]. Given a transition system 𝒯 = (C, T, I), called the concrete transition system, and a partition of C into a finite number of equivalence classes 𝒞 = {C1, . . . , Ck}, the abstract transition system is a transition system 𝒯α = (Cα, Tα, Iα) where:

• Cα = 𝒞, i.e. abstract states are the equivalence classes;

• Tα = {(Ci, Cj) | ∃c ∈ Ci, c′ ∈ Cj : (c, c′) ∈ T}, i.e. there is a transition from an equivalence class Ci to an equivalence class Cj whenever there is a state of Ci which has a successor in Cj by the transition relation;

• Iα = {Ci ∈ 𝒞 | Ci ∩ I ≠ ∅}, i.e. a class is initial whenever it contains an initial state.


A path in the abstract transition system is a finite sequence of abstract states related by Tα that starts in an initial state. An abstract state Ci is reachable if there exists a path in 𝒯α that ends in Ci. The set of states within the equivalence classes that are reachable in the abstract transition system is an over-approximation of the reachable states in the concrete transition system.

An abstract counterexample to S ⊆ C is a path Ci1 Ci2 . . . Cin in the abstract transition system such that Cin ⊄ S. The length of a counterexample is defined to be the number of classes in the path minus 1. An abstract counterexample is spurious if it does not match a concrete path in 𝒯. We define this formally as follows. To an abstract counterexample Ci1, . . . , Cin, we associate a sequence t1, t2, . . . , tn−1 of subsets of T (the transition relation of 𝒯) such that $t_j = T \cap (C_{i_j} \times C_{i_{j+1}})$ (the projection of T on successive classes).

An abstract counterexample is an error trace only if I ⊄ p̃re[t1 ∘ . . . ∘ tn−1](S) (by monotonicity we have I ⊄ p̃re[T∗](S)); otherwise it is called spurious and so I ⊆ p̃re[t1 ∘ . . . ∘ tn−1](S). Eliminating a spurious counterexample is done by splitting a class Cj where 1 ≤ j ≤ n. The class Cj contains bad states (written bad) that can reach ¬S but which are not reachable from Cj−1, or which are not initial if j = 0. Accordingly the class Cj is split into Cj ∩ bad and Cj ∩ ¬bad. From the above definition, we can deduce that bad = pre[tj ∘ . . . ∘ tn−1](¬S), hence that ¬bad = ¬ ∘ pre[tj ∘ . . . ∘ tn−1] ∘ ¬(S), and finally that ¬bad = p̃re[tj ∘ . . . ∘ tn−1](S). Hence the splitting of Cj is given by Cj ∩ p̃re[tj ∘ . . . ∘ tn−1](S) and Cj ∩ ¬ ∘ p̃re[tj ∘ . . . ∘ tn−1](S). When the spurious counterexample has been removed, by splitting an equivalence class, a new abstract transition system, based on the refined partition, is considered and the method is iterated.

The CEGAR approach concludes when it either finds an error trace (identifying a negative instance of the fixpoint checking problem) or when it does not find any new abstract counterexample (identifying a positive instance of the fixed point problem).
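An added Python implementation of the CEGAR loop described above, run on a constructed five-state system (it is neither the thesis's code nor that of [Dam03]). Abstract states are the classes of a partition, the abstract counterexample is found by breadth-first search, the projections tj = T ∩ (Cij × Cij+1) are simulated forward from I to decide whether the path is an error trace, and a spurious path is eliminated by splitting the last class reached concretely into its bad and non-bad part: in the last class, bad is ¬S; in an earlier class this example takes bad to be the states having a tj-successor in the next class, i.e. the one-step instance of the bad set defined above (an assumption made here so that every split is guaranteed to refine the partition). Sample system and all names are constructed.

```python
from collections import deque

def post_rel(rel, X):
    """post[rel](X)."""
    return frozenset(t for (s, t) in rel if s in X)

def pre_rel(rel, X):
    """pre[rel](X): states having some rel-successor in X."""
    return frozenset(s for (s, t) in rel if t in X)

def abstract_system(classes, T, I):
    """T^α and I^α induced by a partition: a class edge exists iff some concrete edge crosses
    it, and a class is initial iff it contains an initial state."""
    Ta = frozenset((a, b) for a in classes for b in classes
                   if any((s, t) in T for s in a for t in b))
    Ia = frozenset(a for a in classes if a & I)
    return Ta, Ia

def abstract_counterexample(Ta, Ia, S):
    """Breadth-first search for an abstract path C_{i1} ... C_{in} from an initial class to a
    class not included in S; returns the path as a list of classes, or None."""
    parent = {a: None for a in Ia}
    queue = deque(Ia)
    while queue:
        a = queue.popleft()
        if not a <= S:
            path = []
            while a is not None:
                path.append(a)
                a = parent[a]
            return path[::-1]
        for (x, b) in Ta:
            if x == a and b not in parent:
                parent[b] = a
                queue.append(b)
    return None

def cegar(C, T, I, S):
    """CEGAR on a finite system. Returns ("OK", refinements) or ("KO", refinements)."""
    C, I, S = frozenset(C), frozenset(I), frozenset(S)
    classes = {c for c in (S, C - S) if c}          # initial partition induced by S
    refinements = 0
    while True:
        Ta, Ia = abstract_system(classes, T, I)
        path = abstract_counterexample(Ta, Ia, S)
        if path is None:
            return ("OK", refinements)               # no abstract counterexample left
        # t_j = T ∩ (C_{ij} × C_{ij+1}) and the concrete states reached along the path
        ts = [frozenset((s, t) for (s, t) in T if s in a and t in b)
              for a, b in zip(path, path[1:])]
        fwd = [I & path[0]]
        for tj in ts:
            fwd.append(post_rel(tj, fwd[-1]))
        if fwd[-1] - S:
            return ("KO", refinements)               # error trace: I reaches ¬S along t_1 ∘ ... ∘ t_{n-1}
        # spurious: split the last class that is reached concretely
        j = max(k for k, f in enumerate(fwd) if f)
        cls = path[j]
        if j == len(path) - 1:
            bad = cls - S                            # bad = ¬S inside the final class
        else:
            bad = cls & pre_rel(ts[j], path[j + 1])  # assumed split: states with a t_j-successor
        classes = (classes - {cls}) | {bad, cls - bad}
        refinements += 1

# Constructed example (not from the thesis): states 0..4, transitions 0→1, 1→2, 2→1, 3→4, 4→3.
C_EX = frozenset(range(5))
T_EX = frozenset({(0, 1), (1, 2), (2, 1), (3, 4), (4, 3)})
I_EX = frozenset({0})

def positive_instance():
    """S = {0,1,2,3}: the path S → {4} is spurious (only state 3 reaches 4, and 3 is not
    reachable); splitting off {3} makes the abstraction conclusive."""
    return cegar(C_EX, T_EX, I_EX, {0, 1, 2, 3})

def negative_instance():
    """S = {0,1,3,4}: after one refinement the abstract path {0,3,4} → {1} → {2} is a
    concrete error trace 0 → 1 → 2."""
    return cegar(C_EX, T_EX, I_EX, {0, 1, 3, 4})
```

Both runs stop after one refinement: the positive one because no reachable class leaves S any more, the negative one because the second abstract counterexample is matched by a concrete path, which is the situation described above as I ⊄ p̃re[t1 ∘ t2](S).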

We now relate the abstract model used by CEGAR with the abstract interpretation of the system. Let 𝒯α = (Cα, Tα, Iα) be an abstract transition system. The abstract domain A0 is compatible with 𝒯α if each C ∈ γ0(A0) coincides with a union of equivalence classes of Cα and vice versa.

Lemma 3.7 Let (C, T, I) and S ⊆ C be a positive instance of the fixpoint checking problem. Let 𝒯α = (Cα, Tα, Iα) be the initial abstract transition system given to the CEGAR algorithm, which terminates. CEGAR produced a finite set {Trℓ}ℓ∈L of counterexamples. Let $t_1, t_2, \ldots, t_{n_\ell}$ be the sequence associated to counterexample Trℓ; we define wℓ to be the composed sequence, that is $t_1 \circ t_2 \circ \ldots \circ t_{n_\ell}$. Let A0 be an abstract domain compatible with 𝒯α. Then

\[
\exists A \in \gamma(A_0) :\quad I \subseteq \overbrace{A \cap \bigcap_{\ell \in L} \mathrm{pre}[w_\ell](S)}^{V} \subseteq S \quad\text{and}\quad V \in \mathrm{postfp}(\mathrm{post}).
\]


Proof. Let 𝒯ω = (Cω, Tω, Iω) be the abstract transition system where Cω is the partition that is obtained when the spurious counterexamples from {Trℓ}ℓ∈L have been considered.

Let Fω ⊆ Cω be the subset of reachable classes in 𝒯ω. Let F be $\bigcup_{C_i \in F^\omega} C_i$, i.e. F contains the set of states that are within reachable classes in 𝒯ω. As the abstract analysis is conclusive, we deduce that I ⊆ F ⊆ S, and post(F) ⊆ F, which is equivalent to

\[
\begin{aligned}
& F \subseteq \mathrm{pre}(F) && \text{by } \langle \mathrm{post}, \widetilde{\mathrm{pre}} \rangle \\
\Rightarrow\ & F \subseteq S \cap \mathrm{pre}(F) && F \subseteq S \\
\Rightarrow\ & F \subseteq \mathrm{gfp}\,\lambda X.\, S \cap \mathrm{pre}(X) && \text{prop. of gfp, see (2.2)} \\
\Leftrightarrow\ & F \subseteq \mathrm{pre}[T^*](S) && \text{def. of } \mathrm{pre}[T^*] \\
\Rightarrow\ & F \subseteq \bigcap_{\ell \in L} \mathrm{pre}[w_\ell](S) && \text{pre monotonicity} \\
\Rightarrow\ & \bigcup_{C_i \in F^\omega} C_i \subseteq \bigcap_{\ell \in L} \mathrm{pre}[w_\ell](S) && \text{def. of } F \\
\Leftrightarrow\ & \forall C_i \in F^\omega :\ C_i \subseteq \bigcap_{\ell \in L} \mathrm{pre}[w_\ell](S)
\end{aligned}
\]

It follows by definition of CEGAR that for each Ci ∈ Fω there exists Cj ∈ Cα such that $C_i = C_j \cap \bigcap_{\ell \in L} \mathrm{pre}[w_\ell](S)$. Hence, A is given by the union of such Cj. Finally $A \cap \bigcap_{\ell \in L} \mathrm{pre}[w_\ell](S) = F$ concludes the proof. □

We need two more auxiliary results before presenting Th. 3.1.

Lemma 3.8 Let A be as in Lem. 3.7. In Alg. 1, at each iteration k, we have

γk ◦ αk(A) = A .

Proof. Our proof is by induction on k.

Base case. Lemma 3.7 shows that A ∈ γ(A0), hence that γ0 ◦ α0(A) = A.

Inductive case. We conclude from line 10 that γk(Ak) ⊆ γk+1(Ak+1), hence that A ∈ γk+1(Ak+1) by induction hypothesis, and finally that γk+1 ∘ αk+1(A) = A. □

Proposition 3.9 In Alg. 1, ∀k ∈ N if post [T ∗](γ(Rk)) ⊆ S then post [T ](γ(Rk)) ⊆ Zk.


Proof. Our proof is by induction on k.

Base case. The result follows immediately since in Alg. 1 we have Z0 = S.

Inductive case. We show the contrapositive of the implication. We first relate Zk+1 with the set pre[T∗](γ(Rk)) of states that cannot escape from γ(Rk) as follows

\[
\begin{aligned}
& \mathrm{pre}[T^*](\gamma(R_k)) \subseteq \gamma(S_k) && \text{Lem. 3.1} \\
\Rightarrow\ & \mathrm{pre}[T^*](\gamma(R_k)) \subseteq \mathrm{pre}[T^0 \cup T](\gamma(S_k)) && T^0 \cup T \subseteq T^* \\
\Leftrightarrow\ & \mathrm{pre}[T^*](\gamma(R_k)) \subseteq Z_{k+1} && \text{def. of } Z_{k+1}
\end{aligned}
\]

We conclude from the contrapositive hypothesis post[T](γ(Rk+1)) ⊄ Zk+1 and by the above that post[T](γ(Rk+1)) ⊄ pre[T∗](γ(Rk)), hence that post[T∗ ∘ T](γ(Rk+1)) ⊄ γ(Rk) by the Galois connection ⟨post, p̃re⟩ of Lem. 2.12, and finally that post[T∗](γ(Rk+1)) ⊄ γ(Rk) by T ∘ T∗ ⊆ T∗ and monotonicity of pre. Intuitively this means that some states of γ(Rk+1) escape from γ(Rk).

So consider some sequence s0, s1, . . . , sn, sn+1 such that (si, si+1) ∈ T, si ∈ γ(Rk) for 1 ≤ i ≤ n, s0 ∈ γ(Rk+1) and sn+1 ∉ γ(Rk). Such a sequence exists since γ(Rk+1) ⊆ γ(Rk), which holds by Lem. 3.3, and post[T∗](γ(Rk+1)) ⊄ γ(Rk).

Line 3 shows that αk((I ∪ post[T](γ(Rk))) ∩ Zk) ⊑ Rk, hence that (I ∪ post[T](γ(Rk))) ∩ Zk ⊆ γ(Rk) by the Galois connection ⟨αk, γ⟩. So we find that sn+1 ∉ Zk, for otherwise post[T](γ(Rk)) ∩ Zk ⊆ γ(Rk) does not hold.

We conclude from sn ∈ γ(Rk), sn+1 ∉ Zk and sn → sn+1 that post[T](sn) ⊄ Zk, hence that post[T](γ(Rk)) ⊄ Zk, and finally that post[T∗](γ(Rk)) ⊄ S using the induction hypothesis. Finally, since by definition of the above sequence sn+1 is reachable from γ(Rk+1), we find that post[T∗](γ(Rk+1)) ⊄ S. □

Theorem 3.1 Assume a positive instance of the fixpoint checking problem. If CEGAR terminates, so does Alg. 1.

Proof. Let k be the size of the longest Trℓ for ℓ ∈ L. Lem. 3.4 shows that γ(Rk) is an under-approximation of the states that cannot escape S in less than k + 1 steps. Formally, we have $\gamma(R_k) \subseteq \bigcap_{j=0}^{k} \mathrm{pre}[T^j](S)$. This implies that

\[
\gamma(R_k) \subseteq \bigcap_{\ell \in L} \mathrm{pre}[w_\ell](S) \tag{3.1}
\]

Our next step will be to show that post[T∗](γ(Rk)) ⊆ S, which intuitively says that γ(Rk) cannot escape S.

Let A be defined as in Lem. 3.7.² We first show that γ(Rk) ⊆ A. To this end we consider the upper iteration sequence {Iⁱ}i∈ℕ such that I⁰ = ⊥ and Iⁱ⁺¹ = αk((I ∪ post(γ(Iⁱ))) ∩ Zk), which stabilizes to Rk after a finite number of steps (by finiteness of Ak). We shall prove by induction that γ(Iⁱ) ⊆ A, hence that γ(Rk) ⊆ A.

² So, in addition to the requirement S ∈ γ0(A0), the initial abstract domain of our algorithm is compatible with 𝒯α: the initial abstract transition system given to CEGAR.

Base case. We conclude from the complete lattice ⟨Ak, ⊑⟩ that I⁰ = ⊥ ⊑ αk(A), hence that γk(I⁰) ⊆ γk ∘ αk(A) by monotonicity of γk, and finally that γk(I⁰) ⊆ A by Lem. 3.8.

Inductive case. First let us note that since each iterate Iⁱ is such that Iⁱ ⊑ Rk we have that γk(Iⁱ) ⊆ γk(Rk) by monotonicity of γk. Hence, we deduce from (3.1) and transitivity of the inclusion that $\gamma_k(I^i) \subseteq \bigcap_{\ell \in L} \mathrm{pre}[w_\ell](S)$. Next, we have

\[
\begin{aligned}
& \gamma_k(I^i) \subseteq A && \text{induction hyp.} \\
\Rightarrow\ & \gamma_k(I^i) \subseteq A \cap \bigcap_{\ell \in L} \mathrm{pre}[w_\ell](S) && \text{by above} \\
\Leftrightarrow\ & \gamma_k(I^i) \subseteq V && \text{def. of } V \\
\Rightarrow\ & I \cup \mathrm{post}(\gamma_k(I^i)) \subseteq I \cup \mathrm{post}(V) && \lambda X.\, I \cup \mathrm{post}(X) \text{ mono.} \\
\Rightarrow\ & I \cup \mathrm{post}(\gamma_k(I^i)) \subseteq V && \text{Lem. 3.7} \\
\Rightarrow\ & \big(I \cup \mathrm{post}(\gamma_k(I^i))\big) \cap Z_k \subseteq V \\
\Rightarrow\ & \gamma_k \circ \alpha_k\Big(\big(I \cup \mathrm{post}(\gamma_k(I^i))\big) \cap Z_k\Big) \subseteq \gamma_k \circ \alpha_k(V) && \gamma \circ \alpha \text{ monotonicity} \\
\Rightarrow\ & \gamma_k(I^{i+1}) \subseteq \gamma_k \circ \alpha_k(V) && \text{def. of iterates} \\
\Rightarrow\ & \gamma_k(I^{i+1}) \subseteq \gamma_k \circ \alpha_k(A) && \gamma \circ \alpha \text{ mono.},\ V \subseteq A \\
\Rightarrow\ & \gamma_k(I^{i+1}) \subseteq A && \text{Lem. 3.8}
\end{aligned}
\]

We thus conclude that γ(Rk) ⊆ A. Our next step is to prove that γ(Rk) cannot escape from S, i.e. post[T∗](γ(Rk)) ⊆ S. Eq. (3.1) says that $\gamma(R_k) \subseteq \bigcap_{\ell \in L} \mathrm{pre}[w_\ell](S)$, hence, by definition of V and γ(Rk) ⊆ A, we find that γ(Rk) ⊆ V. As V ∈ postfp(post) and V ⊆ S, we conclude that post[T∗](γ(Rk)) ⊆ S. Hence, Prop. 3.9 shows that post(γ(Rk)) ⊆ Zk.

To conclude the proof we show that the test of line 4 succeeds. As we are in presence of a positive instance of the fixpoint checking problem, we obtain that I ⊆ γ(Rk) by Prop. 3.1. Moreover, we conclude from line 3 that Rk ⊑ αk(Zk), hence that γ(Rk) ⊆ γ ∘ αk(Zk) by monotonicity of γ and finally that γ(Rk) ⊆ Zk by Lem. 3.2. It follows that I ⊆ Zk.

Finally, we conclude from the above reasoning that I ∪ post(γ(Rk)) ⊆ Zk, hence that αk(I ∪ post(γ(Rk))) ⊑ αk(Zk) by monotonicity of αk, and finally that Alg. 1 terminates by line 4. □

If we consider the converse property, namely that CEGAR terminates if Alg. 1 terminates, we find that this does not hold, at least for the enhanced algorithm, as shown in Ex. 3.2.

To conclude, recall that, as far as negative instances are concerned, Alg. 1 always terminates by Prop. 3.5.


3.4.2 Predicate Abstraction versus Moore Closed Abstract Domains

Predicate abstraction is a well-known technique used in abstract model-checking that consists in using a finite set of predicates to define an abstract domain, the Boolean combinations of which define a partition of the state space. More formally, let P = {p1, p2, . . . , pn} be a set of predicates and let ⟦pi⟧ ⊆ C be the subset of states that satisfy the predicate pi. The set of predicates P implicitly defines a Boolean closed abstract domain, noted AP, such that γ(AP) ⊆ ℘(C) is the smallest set which is Boolean closed and contains the sets {⟦p⟧ | p ∈ P}, i.e. γ(AP) = B({⟦p⟧ | p ∈ P}). The elements of AP are equivalent to propositional formulas built from the predicates in P. Elements of AP can also be viewed as unions of equivalence classes of states: two states c1, c2 ∈ C are equivalent whenever they satisfy exactly the same subset of predicates in P.

Moore closure is as strong as Boolean closure.

Below we prove that Alg. 1 does not take any advantage when maintaining a Boolean closed abstract domain instead of a Moore closed one. The following lemma shows that if one adds a decreasing sequence of values to a set and then takes the closure (Boolean or Moore) of the result, then every “interesting” value added by the Boolean closure is added by the Moore closure as well.

Lemma 3.9 Let A be a finite subset of ℘(C) such that B(A) = A and let Z0, Z1, . . . , Zk be elements of ℘(C) such that Zk ⊆ · · · ⊆ Z1 ⊆ Z0. Given e ∈ B(A ∪ {Z0, Z1, . . . , Zk}), if e ⊆ Zk we have e ∈ M(A ∪ {Z0, Z1, . . . , Zk}).

Proof. We first notice that the value e can be expressed in a form similar to the Conjunctive Normal Form (CNF) used in propositional logic. Moreover, since e ⊆ Zk we have that e ∩ Z0 ∩ Z1 ∩ · · · ∩ Zk = e. So e can be expressed as follows:

\[
e = \bigcap_{\ell \in L} (a_1 \cup \cdots \cup a_{n_\ell}) \cap \bigcap_{j=0}^{k} Z_j
\]

such that the aℓ's belong to A ∪ {Zj, ¬Zj | j ∈ {0, . . . , k}} and L is a finite indexing set.

We now give two syntactic transformations of the above e that preserve its semantics.

• Remove from e each union of the form (Zj ∪ ψ). This rule does not modify the value of e since Zj ∩ (Zj ∪ ψ) = Zj.


• Replace in e any union of the form ¬Zj ∪ ψ by ψ. This rule does not modify the value of e as shown below.

\[
\begin{aligned}
& Z_j \cap (\neg Z_j \cup \psi) && \text{subexpression of } e \\
&= (Z_j \cap \neg Z_j) \cup (Z_j \cap \psi) && \text{De Morgan laws} \\
&= \emptyset \cup (Z_j \cap \psi) && \text{complete Boolean algebra} \\
&= Z_j \cap \psi
\end{aligned}
\]

Since e has finitely many union expressions, the two rules can be applied only finitely many times because the size of e decreases after applying each rule. It follows that the repeated application of these two rules stabilizes after a finite number of steps.

Moreover, after stabilization no value Z0, . . . , Zk appears in a union of 2 or more values, which means, since B(A) = A, that e ∈ M(A ∪ {Z0, Z1, . . . , Zk}). □
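The following Python code is an added brute-force check of Lem. 3.9 on a constructed instance (not code from the thesis): it computes the Boolean closure B and the Moore closure M of A ∪ {Z0, Z1, Z2} for a Boolean closed A generated by a three-block partition of C = {0, …, 5}, verifies that every e ⊆ Zk of the Boolean closure already belongs to the Moore closure, and exhibits an element of B(A ∪ {Z0, Z1, Z2}) that M(A ∪ {Z0, Z1, Z2}) lacks precisely because it is not included in Zk. The closure routines work by saturation and are only meant for small universes; the generator family and the chain are constructed here.

```python
from itertools import combinations

def boolean_closure(C, gens):
    """B(gens): the smallest family containing gens that is closed under ∩, ∪ and
    complement with respect to C (computed by saturation; fine for small C)."""
    C = frozenset(C)
    fam = {C, frozenset()} | {frozenset(g) for g in gens}
    while True:
        new = {C - a for a in fam}
        new |= {a & b for a, b in combinations(fam, 2)}
        new |= {a | b for a, b in combinations(fam, 2)}
        if new <= fam:
            return fam
        fam |= new

def moore_closure(C, gens):
    """M(gens): the smallest family containing gens that is closed under ∩
    (C, the empty intersection, is always a member)."""
    C = frozenset(C)
    fam = {C} | {frozenset(g) for g in gens}
    while True:
        new = {a & b for a, b in combinations(fam, 2)}
        if new <= fam:
            return fam
        fam |= new

def compare_closures(C, A, chain):
    """For a Boolean closed A and a chain Z_0 ⊇ ... ⊇ Z_k, return (violations, boolean_only):
    the e ⊆ Z_k of B(A ∪ chain) missing from M(A ∪ chain) (Lem. 3.9 says there are none),
    and all elements of B(A ∪ chain) absent from M(A ∪ chain)."""
    A = {frozenset(a) for a in A}
    chain = [frozenset(z) for z in chain]
    assert boolean_closure(C, A) == A, "hypothesis B(A) = A"
    assert all(z2 <= z1 for z1, z2 in zip(chain, chain[1:])), "hypothesis: decreasing chain"
    B = boolean_closure(C, A | set(chain))
    M = moore_closure(C, A | set(chain))
    zk = chain[-1]
    violations = {e for e in B if e <= zk and e not in M}
    return violations, B - M

# Constructed instance: C = {0..5}, A = the Boolean algebra generated by the partition
# {0,1} | {2,3} | {4,5} (8 elements), and the chain Z_0 ⊇ Z_1 ⊇ Z_2 below.
C_EX = range(6)
A_EX = boolean_closure(C_EX, [{0, 1}, {2, 3}, {4, 5}])
CHAIN_EX = [{0, 1, 2, 3, 4}, {0, 2, 4}, {0, 2}]

def example():
    return compare_closures(C_EX, A_EX, CHAIN_EX)
```

Here Z1 ∪ {4, 5} = {0, 2, 4, 5} is in the Boolean closure but in no intersection of generators other than C, so it is absent from the Moore closure; it is also not included in Z2, so Lem. 3.9 does not claim it, and the values Alg. 1 actually consults (those below Zk) are all present in the Moore closed domain.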

Definition 3.2 (M&B-variant) The M-variant and the B-variant of Alg. 1 are defined as follows: at line 10, γ(Ai+1) is equal to M({Zi+1} ∪ γ(Ai)) and B({Zi+1} ∪ γ(Ai)), respectively. □

Intuitively, the B-variant uses a richer abstract domain with respect to the M-variant because it is a Boolean closed domain (and thus a Moore closed domain). In the sequel we shall distinguish the values computed by either of the algorithms using M or B in superscript.

Lemma 3.10 Assume that $B(\gamma(A^B_0)) = \gamma(A^B_0) = \gamma(A^M_0)$. Given the same instance of the fixpoint checking problem, for each value of i in the {M, B}-variant of Alg. 1 we have $\gamma(R^M_i) = \gamma(R^B_i)$, $\gamma(S^M_i) = \gamma(S^B_i)$, and $Z^M_{i+1} = Z^B_{i+1}$.

Proof. The result is shown by induction. At iteration 0, $Z^B_0 = Z^M_0 = S$ and the equality $\gamma(A^B_0) = \gamma(A^M_0)$ shows that $\gamma(R^M_0) = \gamma(R^B_0)$, $\gamma(S^M_0) = \gamma(S^B_0)$, and $Z^M_1 = Z^B_1$.

For the inductive case (viz. i + 1), for either variant we find that

\[
\begin{aligned}
& R^M_{i+1} \sqsubseteq \alpha_{i+1}(Z^M_{i+1}) && R^B_{i+1} \sqsubseteq \alpha_{i+1}(Z^B_{i+1}) && \text{line 3} \\
\Rightarrow\ & \gamma(R^M_{i+1}) \subseteq \gamma \circ \alpha_{i+1}(Z^M_{i+1}) && \Rightarrow\ \gamma(R^B_{i+1}) \subseteq \gamma \circ \alpha_{i+1}(Z^B_{i+1}) && \gamma \text{ monotonicity} \\
\Rightarrow\ & \gamma(R^M_{i+1}) \subseteq Z^M_{i+1} && \Rightarrow\ \gamma(R^B_{i+1}) \subseteq Z^B_{i+1} && \text{Lem. 3.2}
\end{aligned}
\]

Then, from the induction hypothesis and Lem. 3.3 we find that $Z^B_{i+1} = Z^M_{i+1} \subseteq Z^B_i = Z^M_i \subseteq \cdots \subseteq Z^B_0 = Z^M_0$. This, together with the hypothesis $B(\gamma(A^B_0)) = \gamma(A^B_0) = \gamma(A^M_0)$, allows us to use the result of Lem. 3.9, which yields $\gamma(R^M_{i+1}) = \gamma(R^B_{i+1})$. Indeed, for every $v \in \gamma(A^B_{i+1})$, if $v \subseteq Z^B_{i+1} = Z^M_{i+1}$ (as is the case for $\gamma(R^M_{i+1})$ and $\gamma(R^B_{i+1})$) then Lem. 3.9 shows that $v \in \gamma(A^M_{i+1})$.


We solve the remaining case as follows:

$$\begin{array}{lll}
S^M_{i+1} \sqsubseteq \alpha_{i+1}(\gamma(R^M_{i+1})) & S^B_{i+1} \sqsubseteq \alpha_{i+1}(\gamma(R^B_{i+1})) & \text{line 7} \\
\Rightarrow \gamma(S^M_{i+1}) \subseteq \gamma \circ \alpha_{i+1} \circ \gamma(R^M_{i+1}) & \Rightarrow \gamma(S^B_{i+1}) \subseteq \gamma \circ \alpha_{i+1} \circ \gamma(R^B_{i+1}) & \gamma \text{ monotonicity} \\
\Rightarrow \gamma(S^M_{i+1}) \subseteq \gamma(R^M_{i+1}) & \Rightarrow \gamma(S^B_{i+1}) \subseteq \gamma(R^B_{i+1}) & \gamma \circ \alpha_{i+1} \circ \gamma = \gamma \\
\Rightarrow \gamma(S^M_{i+1}) \subseteq Z^M_{i+1} & \Rightarrow \gamma(S^B_{i+1}) \subseteq Z^B_{i+1} & \text{by above}
\end{array}$$

Then, for the same reason as above, we find that $\gamma(S^M_{i+1}) = \gamma(S^B_{i+1})$. Hence $Z^B_{i+2} = Z^M_{i+2}$. $\square$

Proposition 3.10 Provided $\mathcal{B}(\gamma(A^B_0)) = \gamma(A^B_0) = \gamma(A^M_0)$, the B-variant of Alg. 1 terminates at the $i$th iteration iff the same holds for the M-variant.

Proof. For the test of line 4, we have

$$\begin{array}{lll}
\alpha_i(I \cup \mathit{post}(\gamma(R^B_i))) \sqsubseteq \alpha_i(Z^B_i) & \alpha_i(I \cup \mathit{post}(\gamma(R^M_i))) \sqsubseteq \alpha_i(Z^M_i) & \text{line 4} \\
\Leftrightarrow I \cup \mathit{post}(\gamma(R^B_i)) \subseteq \gamma \circ \alpha_i(Z^B_i) & \Leftrightarrow I \cup \mathit{post}(\gamma(R^M_i)) \subseteq \gamma \circ \alpha_i(Z^M_i) & \text{Galois connection } (\alpha_i, \gamma) \\
\Leftrightarrow I \cup \mathit{post}(\gamma(R^B_i)) \subseteq Z^B_i & \Leftrightarrow I \cup \mathit{post}(\gamma(R^M_i)) \subseteq Z^M_i & \text{Lem. 3.2}
\end{array}$$

Hence, the equalities $\gamma(R^B_i) = \gamma(R^M_i)$ and $Z^M_i = Z^B_i$ given by Lem. 3.10 (and also $Z^B_0 = Z^M_0 = S$) show that the B-variant terminates saying "OK" iff so does the M-variant. Next, for the test of line 8 we have

$$\begin{array}{lll}
\alpha_i(I) \not\sqsubseteq S^B_i & \alpha_i(I) \not\sqsubseteq S^M_i & \text{line 8} \\
\Leftrightarrow I \not\subseteq \gamma(S^B_i) & \Leftrightarrow I \not\subseteq \gamma(S^M_i) & \text{Galois connection } (\alpha_i, \gamma)
\end{array}$$

Lemma 3.10 shows $\gamma(S^M_i) = \gamma(S^B_i)$. So the B-variant terminates saying "KO" iff so does the M-variant. $\square$

In predicate abstraction, evaluating $\alpha_{\mathcal{B}(P)}(V)$, the abstraction function applied to a set $V$ of states, amounts to computing the strongest Boolean combination of predicates of $P$ over-approximating $V$. A classical algorithm to compute $\alpha_{\mathcal{B}(P)}(V)$ is given at Alg. 2. As far as we know, there is no algorithm which, given $V \subseteq C$ and a set $P$ of predicates, returns $\alpha_{\mathcal{B}(P)}(V)$ in polynomial time.

Lemma 3.11 The runtime of Alg. 2 is bounded from below by an exponential in the size $|P|$ of $P$.

Proof. At each iteration a non-empty subset $PS$ of $P$ is selected and there are $2^{|P|} - 1$ such subsets. $\square$


Algorithm 2: computes the best approximation in predicate abstraction

    Input:  A set P = {p1, ..., pn} of predicates, a set V ⊆ C
    Output: A Boolean combination α_{B(P)}(V) of predicates of P
    α_{B(P)}(V) := false
    foreach PS ⊆ P such that PS ≠ ∅ do
        Let φ be given by ⋀_{p ∈ PS} p ∧ ⋀_{p ∉ PS} ¬p
        if V ∩ ⟦φ⟧ ≠ ∅ then α_{B(P)}(V) := α_{B(P)}(V) ∨ φ
    end
    return α_{B(P)}(V)

Now, consider an abstract fixpoint computation such as the ones given at lines 3 or 7 in Alg. 1: Alg. 2 executes once for each iterate. So in the worst case the time to compute a fixpoint is given by the height of the abstract lattice times an exponential in the number of predicates (see Lem. 3.11). It is generally admitted that this cost is not affordable, and this is why approximations computable in time linear in the number of predicates are preferred instead. When working with a Moore-closed domain instead (i.e. $\mathcal{M}(\{\llbracket p \rrbracket \mid p \in P\})$), we can evaluate the abstraction function, denoted $\alpha_{\mathcal{M}(P)}$, in time linear in the size of $P$. Alg. 3 gives an algorithm evaluating $\alpha_{\mathcal{M}(P)}$.

Algorithm 3: computes the best approximation in Moore families

    Input:  A set P = {p1, ..., pn} of predicates, a set V ⊆ C
    Output: A conjunction α_{M(P)}(V) of predicates of P
    α_{M(P)}(V) := true
    foreach p ∈ P do
        if V ⊆ ⟦p⟧ then α_{M(P)}(V) := α_{M(P)}(V) ∧ p
    end
    return α_{M(P)}(V)

It is routine to check that, in Alg. 3, the number of iterations of the loop coincides with $|P|$.

Finally, consider Alg. 1 in the framework of predicate abstraction. Lemma 3.9 suggests using Alg. 3 instead of Alg. 2 each time the function $\alpha_{\mathcal{B}(P)}$ needs to be evaluated, because in the context of Alg. 1 it returns the same result and has a better time complexity.
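The two abstraction functions side by side, as an added example that is not part of the thesis: Alg. 2 and Alg. 3 are run over a constructed finite state space $C = \{0, \ldots, 15\}$ with three constructed predicates, and each call reports how many entailment checks it made. One deliberate deviation from Alg. 2 as printed: every minterm of $P$ is tested, including the one in which every predicate is negated ($PS = \emptyset$), because a state of $V$ satisfying no predicate is covered by that minterm only.

```python
"""Added example (not from the thesis): Alg. 2 (Boolean closure) and Alg. 3
(Moore closure) on a constructed finite state space, counting the checks."""
from itertools import product

# Constructed state space and predicates: C = {0..15}, P = {x < 8, x even, x >= 4}.
C = frozenset(range(16))
PREDS = [frozenset(x for x in C if x < 8),
         frozenset(x for x in C if x % 2 == 0),
         frozenset(x for x in C if x >= 4)]


def alpha_boolean(C, preds, V):
    """Alg. 2: keep every minterm of P (each predicate asserted or negated) that
    meets V; the disjunction of the kept minterms is the strongest Boolean
    combination of P over-approximating V.  Returns (gamma of the result,
    number of minterms tested).  All 2^|P| minterms are tested, including the
    all-negated one that Alg. 2 as printed (PS != empty set) skips."""
    gamma, checks = set(), 0
    for signs in product((True, False), repeat=len(preds)):
        minterm = {s for s in C if all((s in p) == sign for p, sign in zip(preds, signs))}
        checks += 1
        if minterm & V:                      # V ∩ [[phi]] ≠ ∅
            gamma |= minterm
    return frozenset(gamma), checks


def alpha_moore(C, preds, V):
    """Alg. 3: conjunction of the predicates that contain V; exactly |P| checks."""
    gamma, checks = set(C), 0
    for p in preds:
        checks += 1
        if V <= p:                           # V ⊆ [[p]]
            gamma &= p
    return frozenset(gamma), checks


if __name__ == "__main__":
    for V in (frozenset({1, 2}), frozenset({2, 4, 6})):
        gb, nb = alpha_boolean(C, PREDS, V)
        gm, nm = alpha_moore(C, PREDS, V)
        print(sorted(V), "Boolean:", sorted(gb), f"({nb} checks)",
              "Moore:", sorted(gm), f"({nm} checks)")
```

For $V = \{1, 2\}$ the Boolean closure returns $\{0, 1, 2, 3\}$ after 8 minterm checks while the Moore closure returns $\{0, \ldots, 7\}$ after 3 checks; for $V = \{2, 4, 6\}$, which is itself a conjunction of predicates, both return $\{0, 2, 4, 6\}$. The Boolean result is never less precise than the Moore one, and Lem. 3.9 is what guarantees that, for the values Alg. 1 actually abstracts, the two coincide.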

3.5 Examples

In this section we show that Alg. 1 terminates on two well-known array sorting algorithms. The property we prove is a safety property stating that the array to be sorted is never accessed out of its bounds. We do not analyze the program code of those algorithms directly but an abstraction instead. Our abstraction forgets the content of the array, so we replace the tests based on the array's values by non-deterministic choices. Our model is sound in the sense that it contains at least all the behaviors of the program. So, if the abstract model satisfies the safety property, so does the program. The abstract model we use is given by counter automata where each counter corresponds to an array index. The safety property is naturally reduced to a reachability property on the counter automaton, which in turn is reduced to a fixpoint checking problem. For the class of models we use, namely counter automata, the reachability problem is undecidable. Consequently we study the termination of our algorithm for practical cases. Proposition 3.5 shows that, when submitted a negative instance, Alg. 1 terminates. Consequently the instances considered below are positive instances.

In the previous sections, we identified some conditions that, if satisfied, guarantee the termination of Alg. 1. We thus rely on these conditions to show that our algorithm is going to conclude with the right answer. These conditions are non-trivial but they can be evaluated using available tools. We choose to rely on the Hytech model checker (see [HHT97]) to prove that the condition of Prop. 3.7 is satisfied and hence that Alg. 1 terminates.

Besides Hytech we also rely on the FAST tool (see [BFLP03]). FAST is a tool that uses acceleration techniques. If the FAST tool terminates when evaluating $\mathrm{gfp}^{\subseteq} \lambda X.\, S \c
ap \mathit{pre}[T](X)$, it returns an acceleration scheme $R$ such that $T \subseteq R \subseteq T^*$. Then Prop. 3.8 is used to show that, for each $R'$ such that $R \subseteq R' \subseteq T^*$, Alg. 1 terminates provided line 9 is replaced by $Z_{i+1} = \gamma(S_i) \cap \mathit{pre}[R'](\gamma(S_i))$.

The Heapsort Algorithm.

Figure 3.4: Counter automaton modeling the Heapsort algorithm. Locations ℓ0, ℓ1, ℓ2, ℓ3, ℓ4; initial condition j = n, n ≥ 1. Transitions:

    t0  : j ≠ 1 → i := 1
    t2  : l := 2i; r := 2i + 1
    t3  : max := i
    t′3 : l ≤ j − 1 → max := l
    t′4 : r ≤ j − 1 → max := r
    t5  : i ≠ max → i := max
    t6  : i = max → j := j − 1

Heapsort is a classical example in static analysis (see e.g. [CH78], using the polyhedral abstraction). We shall prove that the array to be sorted is never accessed out of its bounds, given by $1$ and $n$. The counter automaton modeling the Heapsort algorithm is given in Fig. 3.4. The model has been derived manually from the code given in [CLR90]. The array is accessed through the variables $V = \{l, i, r, \mathit{max}\}$ and we want to prove that each access is legal. Formally, the set $S$ of states representing legal accesses is given by the following formulas ($\psi_1$ to $\psi_4$) associated to the locations with the same index ($\psi_1$ at $\ell_1$, $\psi_2$ at $\ell_2$, ...).

$$\begin{aligned}
\psi_1 &= l \leq j - 1 \rightarrow (1 \leq l \leq n \wedge 1 \leq i \leq n) \\
\psi_2 &= r \leq j - 1 \rightarrow (1 \leq r \leq n \wedge 1 \leq \mathit{max} \leq n) \\
\psi_3 &= i \neq \mathit{max} \rightarrow (1 \leq i \leq n \wedge 1 \leq \mathit{max} \leq n) \\
\psi_4 &= 1 \leq j \leq n
\end{aligned}$$

The set $I$ of initial states is given by

$$I = \begin{cases} j = n \wedge n \geq 1 & \text{at } \ell_4 \\ \bot & \text{elsewhere.} \end{cases}$$

Let $P_0$ be the set of predicates appearing in the counter automaton and in $S$. Formally, $P_0$ is given by $\{j \neq 1,\ j = n,\ n \geq 1,\ i = \mathit{max},\ i \neq \mathit{max},\ r \leq j - 1,\ l \leq j - 1,\ \psi_1, \psi_2, \psi_3, \psi_4\}$. The initial abstract domain is such that $\gamma(A_0) = \mathcal{M}(\{\llbracket p \rrbracket \mid p \in P_0\})$.

We are going to show that Alg. 1 terminates on the Heapsort algorithm. Let

$$\begin{aligned}
\psi'_1 &= l \leq j - 1 \rightarrow (1 \leq l \wedge 1 \leq i \leq n) \\
\psi'_2 &= r \leq j - 1 \rightarrow (1 \leq r \wedge 1 \leq \mathit{max} \leq n) \\
\psi'_3 &= \psi_3 \\
\psi'_4 &= \psi_4 .
\end{aligned}$$

With Hytech the evaluation of $\mathit{pre}^*(\bigwedge_{i=1}^{4} \psi'_i)$ terminates and so does Alg. 1 by Prop. 3.7.

Notice that in $\psi'_1$ and $\psi'_2$ we do not check for $l \leq n$ (recall that component $l$ of the array is accessed). However, since $j$ is not modified in locations $\ell_4, \ell_0, \ell_1, \ell_2$, by $\psi_4$ we can deduce that whenever the array is accessed through $l$, the inequality $l \leq n$ holds.

Now, assume you do not want this ad hoc reasoning to convince yourself that the array is never accessed out of its bounds. We can still handle this situation since the evaluation of $\mathit{pre}^*(\bigwedge_{i=1}^{4} \psi_i)$ by FAST terminates, and so does Alg. 1 by Prop. 3.8.

The Bubble sort algorithm.

We shall prove that the array to be sorted is never accessed out of its bounds, given by $0$ and $n$. The array is accessed through variable $j$ only, so we want to prove that $0 \leq j \leq n$ holds for each reachable state. The counter automaton given in Fig. 3.5 has been extracted from [Cou78].

In our model we have variables $i$ and $j$ and a non-negative parameter $n$ representing the array size. Let $I$ and $S$ be given by $\{(i, j, n) \mid i = n\}$ and $\{(i, j, n) \mid 0 \leq j \leq n\}$, respectively. Let $P_0$ be the set of predicates appearing in the counter automaton plus the formula representing $S$. Formally, $P_0$ is given by $\{i = n,\ i = 0,\ i = j,\ 0 \leq j \leq n\}$. The initial abstract domain is such that $\gamma(A_0) = \mathcal{M}(\{\llbracket p \rrbracket \mid p \in P_0\})$.

Finally, since the evaluation of $\mathit{pre}^*(S)$ by FAST terminates, so does Alg. 1 by Prop. 3.8.


Figure 3.5: Our two-counter automaton modeling the Bubblesort algorithm. Locations ℓ0 and ℓ1; initial condition i = n. Transitions:

    t1 : i ≠ 0 → j′ = 0
    t2 : j ≠ i → j′ = j + 1
    t3 : j = i → i′ = i − 1
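A run of Alg. 1 (M-variant) on the Bubblesort instance above, as an added example that is not the thesis' implementation. The model is a constructed, bounded version of Fig. 3.5 so that the state space is finite: it assumes that t1 leads from ℓ0 to ℓ1, that t2 loops on ℓ1 and t3 returns to ℓ0, that the counters are bounded ($-1 \leq i \leq n$, $0 \leq j \leq n+1$, transitions leaving these bounds dropped), and that $j$ initially lies in $[0, n]$ so that $I \subseteq S$ as Alg. 1 requires. $\mathit{pre}$ is the universal predecessor, which is what makes $\mathrm{gfp}\, \lambda X.\, S \cap \mathit{pre}(X)$ the set of states that never leave $S$ (Sect. 3.6 relies on exactly this reading). Abstract values are represented by their concretisations, so $\alpha$ is the least element of the Moore family containing its argument and $\gamma$ is the identity; the refinement of line 10 adds $Z_{i+1}$ and its intersections with the current domain. The plain backward computation of Prop. 3.16 and a forward reachability check are included to cross-check the verdicts.

```python
"""Added example (not from the thesis): Alg. 1, M-variant, on a bounded
constructed model of the Bubblesort counter automaton of Fig. 3.5."""


def moore_closure(gens, top):
    """M(gens): every intersection of generators; the empty intersection is top."""
    dom = {top}
    for g in gens:
        dom |= {g & d for d in dom}
    return dom


def alpha(dom, v):
    """Best abstraction of v: the least Moore element containing v (gamma = identity)."""
    return frozenset.intersection(*[d for d in dom if v <= d])


def post(T, x):
    """Successors of the states in x."""
    return frozenset(t for s, t in T if s in x)


def pre_tilde(C, T, x):
    """Universal predecessor: the states all of whose successors lie in x."""
    return frozenset(s for s in C if all(t in x for u, t in T if u == s))


def fixpoint_check(C, T, I, S, preds):
    """Alg. 1 (M-variant). Returns (verdict, iteration i, Z_i at the verdict)."""
    assert I <= S, "an instance must satisfy I ⊆ S"
    dom = moore_closure(list(preds) + [S], C)      # gamma(A_0) = M(P_0 ∪ {S}), so S ∈ gamma(A_0)
    Z = S                                           # line 1
    for i in range(len(C) + 1):                     # line 2; bounded because C is finite
        # line 3: R_i = lfp X. alpha((I ∪ post(gamma X)) ∩ Z_i), iterated upward from bottom
        R = alpha(dom, frozenset())
        while (nxt := alpha(dom, (I | post(T, R)) & Z)) != R:
            R = nxt
        if (I | post(T, R)) <= Z:                   # line 4: alpha_i(I ∪ post(gamma R_i)) ⊑ alpha_i(Z_i)
            return "OK", i, Z
        # line 7: S_i = gfp X. alpha(gamma R_i ∩ pre(gamma X)), iterated downward from R_i
        Si = R
        while (nxt := alpha(dom, R & pre_tilde(C, T, Si))) != Si:
            Si = nxt
        if not I <= Si:                             # line 8: alpha_i(I) ⊑ S_i fails
            return "KO", i, Z
        Z = Si & pre_tilde(C, T, Si)                # line 9
        dom = dom | {Z & d for d in dom}            # line 10: gamma(A_{i+1}) = M({Z_{i+1}} ∪ gamma(A_i))
    raise RuntimeError("unreachable on a finite state space")


def pre_star(C, T, S):
    """Plain backward algorithm (Prop. 3.16): gfp X. S ∩ pre(X)."""
    Z = S
    while (nxt := Z & pre_tilde(C, T, Z)) != Z:
        Z = nxt
    return Z


def post_star(T, I):
    """Forward reachability, used only to cross-check the verdicts."""
    reach, frontier = set(I), set(I)
    while frontier:
        frontier = post(T, frontier) - reach
        reach |= frontier
    return frozenset(reach)


def bubblesort_model(n):
    """Constructed bounded model of Fig. 3.5 (assumed edges: t1 l0->l1, t2 loops on l1,
    t3 l1->l0). States are (location, i, j) with -1 <= i <= n and 0 <= j <= n+1."""
    C = frozenset((loc, i, j) for loc in (0, 1) for i in range(-1, n + 1) for j in range(n + 2))
    T = set()
    for loc, i, j in C:
        if loc == 0 and i != 0:
            T.add(((loc, i, j), (1, i, 0)))         # t1: i ≠ 0 → j' = 0
        if loc == 1 and j != i:
            T.add(((loc, i, j), (1, i, j + 1)))     # t2: j ≠ i → j' = j + 1
        if loc == 1 and j == i:
            T.add(((loc, i, j), (0, i - 1, j)))     # t3: j = i → i' = i - 1
    T = frozenset((s, t) for s, t in T if t in C)   # drop transitions leaving the bounds
    preds = [frozenset(s for s in C if s[1] == n),          # i = n
             frozenset(s for s in C if s[1] == 0),          # i = 0
             frozenset(s for s in C if s[1] == s[2]),       # i = j
             frozenset(s for s in C if 0 <= s[2] <= n)]     # 0 ≤ j ≤ n, i.e. S
    S = preds[3]
    I = frozenset(s for s in C if s[0] == 0 and s[1] == n and 0 <= s[2] <= n)  # i = n at l0, j ∈ [0,n] assumed
    return C, T, I, S, preds


if __name__ == "__main__":
    C, T, I, S, preds = bubblesort_model(3)
    print(fixpoint_check(C, T, I, S, preds)[:2])              # positive instance
    print(fixpoint_check(C, T, I | {(1, 0, 0)}, S, preds)[:2])  # (l1, i=0, j=0) added to I: negative instance
```

With $n = 3$ no predicate of $P_0$ separates the states that matter, so $R_i$ coincides with $Z_i$ at every iteration and the run degenerates into the backward iteration of Prop. 3.16: it answers OK after six refinements, at which point $Z_6 = \mathit{pre}^*(S)$. Adding the state $(\ell_1, i = 0, j = 0)$ to $I$ (from which $i$ drops to $-1$ and $j$ then grows past $n$) yields a negative instance that the same run reports KO at the same iteration.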

3.6 Relaxing Some Hypotheses

This section is devoted to studying the consequences of relaxing some of the assumptions we have made so far. We first study the consequences of relaxing a basic requirement on our abstract domains: the finiteness assumption. In fact, given an abstract domain, if the ACC or the DCC does not hold on it, then this domain is infinite. It follows that, in Alg. 1, the evaluation of the fixpoint of line 3 (resp. line 7) by the construction of an upper (resp. lower) iteration sequence is not guaranteed to terminate if the ACC (resp. DCC) does not hold on the abstract domain.

We thus define a generalization of Alg. 1 which gives a declarative definition for the values of line 3 and line 7. Our aim is to find the minimal requirements on the values $R_i$ and $S_i$ such that the correctness and termination results are preserved for the generalized algorithm. We then discuss possible solutions to palliate the absence of ACC (resp. DCC).

The generalized algorithm also allows us to consider the relaxation of another hypothesis. For the iterated functions of the fixpoints of line 3 and line 7, Alg. 1 assumes the best abstract counterparts. For various reasons (e.g. the function is too costly to compute or, worse, the function is not computable) we might be constrained to use an upper-approximation of the function. This situation can be explained as a particular case of the generalized algorithm. Again we show that correctness and termination results are preserved in this setting.


Algorithm 4 defines our generalized algorithm, which differs from Alg. 1 at lines 3 and 7.

Algorithm 4: A Generalized Abstract Fixpoint Checking Algorithm

    Data: An instance of the fixpoint checking problem such that I ⊆ S and an
          abstract domain A0 such that S ∈ γ0(A0)
     1  Z0 = S
     2  for i = 0, 1, 2, 3, ... do
     3      Let Ri be such that αi(lfp⊆ λX. (I ∪ post(X)) ∩ Zi) ⊑ Ri ⊑ αi(Zi)
     4      if αi(I ∪ post(γi(Ri))) ⊑ αi(Zi) then
     5          return OK
     6      else
     7          Let Si be such that αi(gfp⊆ λX. γi(Ri) ∩ pre(X)) ⊑ Si ⊑ Ri
     8          if αi(I) ⊑ Si then
     9              Let Zi+1 = γi(Si) ∩ pre(γi(Si))
    10              Let Ai+1 be s.t. γi+1(Ai+1) ⊇ {Zi+1} ∪ γi(Ai)
    11          else
    12              return KO
    13          end
    14      end
    15  end

To demonstrate correctness and termination results for Alg. 4 we need the following lemma.

Lemma 3.12 In Alg. 4 we have

$$\gamma \circ \alpha_i(Z_i) = Z_i \quad \text{for all } i \in \mathbb{N},$$

$$Z_{i+1} \subseteq \gamma(S_i) \subseteq \gamma(R_i) \subseteq Z_i \subseteq \cdots \subseteq Z_1 \subseteq \gamma(S_0) \subseteq \gamma(R_0) \subseteq Z_0 \subseteq S .$$

Proof. Since the requirements imposed on the abstract domain do not differ from Alg. 1, the invariant still holds. The proof of the second statement follows the same lines as that of Lem. 3.3. The inclusion $Z_0 \subseteq S$ follows from line 1. The inclusion $\gamma(R_i) \subseteq Z_i$ follows from the requirement $R_i \sqsubseteq \alpha_i(Z_i)$ at line 3. In fact, we conclude from the monotonicity of $\gamma$ that $\gamma(R_i) \subseteq \gamma \circ \alpha_i(Z_i)$, hence that $\gamma(R_i) \subseteq Z_i$ using the invariant $\gamma \circ \alpha_i(Z_i) = Z_i$. The inclusion $\gamma(S_i) \subseteq \gamma(R_i)$ follows from the requirement $S_i \sqsubseteq R_i$ at line 7 and the monotonicity of $\gamma$. Finally the definition of $Z_{i+1}$ shows the inclusion $Z_{i+1} \subseteq \gamma(S_i)$. $\square$

Below we show that correctness holds for Alg. 4 as well.

Proposition 3.11 In Alg. 4 we have

• if it says "OK" then $\mathit{post}^*(I) \subseteq S$;

• if it says "KO" then $\mathit{post}^*(I) \not\subseteq S$.

Proof. The algorithm says "OK" only if

$$\begin{array}{ll}
\alpha_i(I \cup \mathit{post}(\gamma(R_i))) \sqsubseteq \alpha_i(Z_i) & \text{line 4} \\
\Leftrightarrow I \cup \mathit{post}(\gamma(R_i)) \subseteq \gamma \circ \alpha_i(Z_i) & \text{Galois connection } (\alpha_i, \gamma) \\
\Leftrightarrow I \cup \mathit{post}(\gamma(R_i)) \subseteq Z_i & \text{Lem. 3.2}
\end{array}$$

Henceforth we abbreviate $\mathrm{lfp}^{\subseteq} \lambda X.\, (I \cup \mathit{post}(X)) \cap Z_i$ as $\mathit{LF}_i$. We find that

$$\begin{array}{ll}
\alpha_i(\mathit{LF}_i) \sqsubseteq R_i & \text{line 3} \\
\Leftrightarrow \mathit{LF}_i \subseteq \gamma(R_i) & \text{Galois connection } (\alpha_i, \gamma) \\
\Rightarrow I \cup \mathit{post}(\mathit{LF}_i) \subseteq I \cup \mathit{post}(\gamma(R_i)) & \lambda X.\, I \cup \mathit{post}(X) \text{ monotonicity} \\
\Rightarrow I \cup \mathit{post}(\mathit{LF}_i) \subseteq Z_i & \text{by above}
\end{array}$$

It follows that

$$\begin{array}{ll}
(I \cup \mathit{post}(\mathit{LF}_i)) \cap Z_i \subseteq \mathit{LF}_i & \text{prop. of lfp} \\
\Rightarrow I \cup \mathit{post}(\mathit{LF}_i) \subseteq \mathit{LF}_i & I \cup \mathit{post}(\mathit{LF}_i) \subseteq Z_i \\
\Rightarrow \mathrm{lfp}^{\subseteq} \lambda X.\, I \cup \mathit{post}(X) \subseteq \mathit{LF}_i & \text{prop. of lfp, see (2.1)}
\end{array}$$

We conclude from $\alpha_i(\mathit{LF}_i) \sqsubseteq R_i$ at line 3 and the Galois connection $(\alpha_i, \gamma)$ that $\mathit{LF}_i \subseteq \gamma(R_i)$, hence that $\mathit{LF}_i \subseteq S$ by Lem. 3.12, and finally that $\mathrm{lfp}^{\subseteq} \lambda X.\, I \cup \mathit{post}(X) \subseteq S$, hence that $\mathit{post}^*(I) \subseteq S$ by definition of $\mathit{post}^*(I)$.

For the correctness on negative instances, the algorithm says "KO" only if

$$\begin{array}{ll}
\alpha_i(I) \not\sqsubseteq S_i \\
\Rightarrow \alpha_i(I) \not\sqsubseteq \alpha_i(\mathrm{gfp}^{\subseteq} \lambda X.\, \gamma(R_i) \cap \mathit{pre}(X)) & \text{line 7} \\
\Rightarrow I \not\subseteq \mathrm{gfp}^{\subseteq} \lambda X.\, \gamma(R_i) \cap \mathit{pre}(X) & \alpha_i \text{ monotonicity}
\end{array}$$

Recall that no state of $\mathrm{gfp}^{\subseteq} \lambda X.\, \gamma(R_i) \cap \mathit{pre}(X)$ can leave $\gamma(R_i)$, so if $I$ is not included in this greatest fixpoint then some state of $I$ can leave $\gamma(R_i)$, hence we find that $\mathit{post}^*(I) \not\subseteq \gamma(R_i)$. We show that $\mathit{post}^*(I) \not\subseteq S$ by using the contrapositive of Prop. 3.1. However, in order to be used, the proposition needs the result of Lem. 3.12 and the inclusion $\mathrm{gfp}^{\subseteq} \lambda X.\, \gamma(R_i) \cap \mathit{pre}(X) \subseteq \gamma(S_i)$, which holds since $\alpha_i(\mathrm{gfp} \lambda X.\, \gamma(R_i) \cap \mathit{pre}(X)) \sqsubseteq S_i$ by line 7 and the Galois connection $(\alpha_i, \gamma)$. $\square$

Proposition 3.12 In Alg. 4 we have

• if there exists $Y \subseteq \wp(C)$ such that the descending chain condition holds on the poset $\langle Y, \subseteq \rangle$ and $Z_i \in Y$ for all $i \in \mathbb{N}$, then it terminates; and

• if there is a value for $i$ such that $R_i \in \mathit{postfp}(\lambda X.\, \alpha_i((I \cup \mathit{post}(\gamma(X))) \cap Z_i))$ and $\mathrm{gfp}^{\subseteq} \lambda X.\, Z_i \cap \mathit{pre}(X)$ stabilizes after a finite number of steps, then it terminates.

Proof. For the first statement we reuse the proof of Prop. 3.6 done for Alg. 1. The result still holds by Lem. 3.12.

Now, let us turn to the second statement. The result has been established for Alg. 1 at Prop. 3.7, the proof of which uses Lem. 3.5, which in turn uses the following hypothesis: $\gamma(R_i) \in \mathit{postfp}(\lambda X.\, (I \cup \mathit{post}(X)) \cap Z_i)$, which is preserved by the hypothesis $R_i \in \mathit{postfp}(\lambda X.\, \alpha_i((I \cup \mathit{post}(\gamma(X))) \cap Z_i))$ and the Galois connection $(\alpha_i, \gamma)$. In addition, the proof needs the result of Lem. 3.12, and so we obtain that the second statement holds. $\square$

It follows that correctness and termination shown for Alg. 1 are preserved by Alg. 4.Also, acceleration techniques are still compatible with Alg. 4.

The general definitions given at lines 3 and 7 allow us to use techniques to compute $R_i$ and $S_i$ which terminate even if no chain condition holds. As an example of such techniques, we may mention the extrapolation techniques (widening and narrowing) seen in Chapt. 2. In what follows, we present a result which should convince the reader of the relevance of these operators to our setting.

The widening operator can be used at line 3 to over-approximate the fixpoint $\mathrm{lfp} \lambda X.\, \alpha_i((I \cup \mathit{post}(\gamma(X))) \cap Z_i)$, as shown in the following proposition.

Proposition 3.13 Given an abstract domain $(\langle A, \sqsubseteq \rangle, \alpha, \gamma)$ and an instance of the fixpoint checking problem given by $(C, T, I)$ and $Z \in \wp(C)$. Consider the sequence defined in Prop. 2.2 where $L$ is given by $A$ and $f$ is given by $\lambda X.\, \alpha((I \cup \mathit{post}(\gamma(X))) \cap Z)$. The limit of the sequence, denoted $u$, is such that $\mathrm{lfp}(f) \sqsubseteq u \sqcap \alpha(Z) \sqsubseteq \alpha(Z)$.

Proof. It is clear that $u \sqcap \alpha(Z) \sqsubseteq \alpha(Z)$. To prove that $\mathrm{lfp}(f) \sqsubseteq u \sqcap \alpha(Z)$ we show that $u \sqcap \alpha(Z) \in \mathit{postfp}(f)$, hence the result follows by Eq. (2.1) which defines lfp.

$$\begin{array}{ll}
f(u) \sqsubseteq u,\quad f(\alpha(Z)) \sqsubseteq \alpha(Z) & \text{Prop. 2.2},\ \alpha(Z) \in \mathit{postfp}(f) \\
\Rightarrow f(u) \sqcap f(\alpha(Z)) \sqsubseteq u \sqcap \alpha(Z) & \text{def. of meet} \\
\Rightarrow f(u \sqcap \alpha(Z)) \sqsubseteq u \sqcap \alpha(Z) & f \text{ monotonicity} \quad \square
\end{array}$$

Now, thanks to Alg. 4, we study the relaxation of the best abstract counterpart of the iterated functions in Alg. 1. Indeed in Alg. 1, the fixpoints $R_i$ and $S_i$ are defined according to the best abstract counterparts of the functions $\lambda X.\, (I \cup \mathit{post}(X)) \cap Z_i$ and $\lambda X.\, \gamma(R_i) \cap \mathit{pre}(X)$, respectively. For various reasons (e.g. the function is too costly to compute or, worse, the function is not computable) we might be constrained to use an upper-approximation of those functions. This situation can be explained as a particular case of Alg. 4. In fact, reasoning with upper-approximations allows us to satisfy the requirements of lines 3 and 7. Below, $R_i$ is given by line 3 in Alg. 1, except that the iterated function of the least fixpoint computation is replaced by an upper-approximation.

Definition 3.3 (Upper-approximations of Iterated Function (Forward)) Given an abstract domain $(\langle A, \sqsubseteq \rangle, \alpha, \gamma)$ and $Z \in \wp(C)$, a forward upper-approximation of the iterated function is a function $f$ such that

$$\lambda X.\, \alpha((I \cup \mathit{post}(\gamma(X))) \cap Z) \subseteq f \subseteq \lambda X.\, \alpha(Z) \tag{Up1}$$

and the corresponding $R$ is given by $\mathrm{lfp} \lambda X.\, f(X)$. $\square$

The next proposition shows that the requirement $\alpha(\mathrm{lfp}^{\subseteq} \lambda X.\, (I \cup \mathit{post}(X)) \cap Z) \sqsubseteq R \sqsubseteq \alpha(Z)$ in line 3 of Alg. 4 is satisfied by the above definition. Since the forward reasoning is evaluated in the context of the instantiated Alg. 4, we assume that the value $Z$ is such that $\gamma \circ \alpha(Z) = Z$ by virtue of Lem. 3.12.

Proposition 3.14 For each abstract domain $(\langle A, \sqsubseteq \rangle, \alpha, \gamma)$ and for each $Z \in \wp(C)$ such that $\gamma \circ \alpha(Z) = Z$, Def. 3.3 yields:

$$\alpha(\mathrm{lfp}^{\subseteq} \lambda X.\, (I \cup \mathit{post}(X)) \cap Z) \sqsubseteq R \sqsubseteq \alpha(Z) .$$

Proof. We first notice that $\mathrm{lfp} \lambda X.\, \alpha(Z)$ equals $\alpha(Z)$ by definition of fixpoint. Then, we conclude from (Up1) and Lem. 2.8 that $\mathrm{lfp} \lambda X.\, f(X) \sqsubseteq \alpha(Z)$, hence that $R \sqsubseteq \alpha(Z)$ and also that $R \in \mathit{postfp}(\lambda X.\, \alpha((I \cup \mathit{post}(\gamma(X))) \cap Z))$. Equivalently stated, we have

$$\begin{array}{ll}
\alpha((I \cup \mathit{post}(\gamma(R))) \cap Z) \sqsubseteq R \\
\Rightarrow \mathrm{lfp}^{\sqsubseteq} \lambda X.\, \alpha((I \cup \mathit{post}(\gamma(X))) \cap Z) \sqsubseteq R & \text{prop. of lfp, see (2.1)} \\
\Rightarrow \alpha(\mathrm{lfp}^{\subseteq} \lambda X.\, (I \cup \mathit{post}(X)) \cap Z) \sqsubseteq R & \text{Prop. 2.4} \quad \square
\end{array}$$

As for line 3, we next consider the case where $S_i$ is given by line 7 in Alg. 1, except that the iterated function of the greatest fixpoint is replaced by an upper-approximation.

Definition 3.4 (Upper-approximations of Iterated Function (Backward)) Given an abstract domain $(\langle A, \sqsubseteq \rangle, \alpha, \gamma)$ and $R \in A$, a backward upper-approximation of the iterated function is a function $g$ such that

$$\lambda X.\, \alpha(\gamma(R) \cap \mathit{pre}(\gamma(X))) \subseteq g \subseteq \lambda X.\, R \tag{Up2}$$

and the corresponding $S$ is given by $\mathrm{gfp} \lambda X.\, g(X)$. $\square$

The next proposition shows that the requirement $\alpha(\mathrm{gfp}^{\subseteq} \lambda X.\, \gamma(R) \cap \mathit{pre}(X)) \sqsubseteq S \sqsubseteq R$ in line 7 of Alg. 4 is satisfied by the above definition.

Proposition 3.15 For each abstract domain $(\langle A, \sqsubseteq \rangle, \alpha, \gamma)$ and for each $R \in A$, Def. 3.4 yields:

$$\alpha(\mathrm{gfp}^{\subseteq} \lambda X.\, \gamma(R) \cap \mathit{pre}(X)) \sqsubseteq S \sqsubseteq R .$$

Proof. Lemma 2.8 and (Up2) show that $S \sqsubseteq R$. Then,

$$\begin{array}{ll}
\lambda X.\, \alpha(\gamma(R) \cap \mathit{pre}(\gamma(X))) \subseteq \lambda X.\, g(X) & \text{(Up2)} \\
\Rightarrow \mathrm{gfp} \lambda X.\, \alpha(\gamma(R) \cap \mathit{pre}(\gamma(X))) \sqsubseteq \mathrm{gfp} \lambda X.\, g(X) & \text{Lem. 2.8} \\
\Rightarrow \alpha(\mathrm{gfp} \lambda X.\, \gamma(R) \cap \mathit{pre}(X)) \sqsubseteq \mathrm{gfp} \lambda X.\, g(X) & \text{Prop. 2.4} \\
\Rightarrow \alpha(\mathrm{gfp} \lambda X.\, \gamma(R) \cap \mathit{pre}(X)) \sqsubseteq S & \text{def. of } S \quad \square
\end{array}$$

Note that the above requirements on the iterated functions, $f \subseteq \lambda X.\, \alpha(Z)$ and $g \subseteq \lambda X.\, R$ given by (Up1) and (Up2), are reasonable since the values $\alpha(Z)$ and $R$ are the most trivial possible values for $R$ and $S$, respectively.

As a particular case of the above discussion we show that whenever $f$ and $g$ return those trivial values, the obtained algorithm corresponds to the plain backward algorithm.

Proposition 3.16 Consider Alg. 4 and let the forward and backward functions $f_i$ and $g_i$ of Def. 3.3 and 3.4 be given by $\lambda X.\, \alpha_i(Z_i)$ and $\lambda X.\, R_i$ (see (Up1) and (Up2)), respectively. Then the algorithm behaves like the plain backward algorithm: the $Z_i$ sequence evaluates $\mathrm{gfp} \lambda X.\, S \cap \mathit{pre}(X)$ as long as $I \subseteq Z_i$.

Proof. We conclude from $R_i = \alpha_i(Z_i)$ that $\gamma(R_i) = Z_i$ by monotonicity of $\gamma$ and Lem. 3.12, hence that $\gamma(S_i) = \gamma(R_i) = Z_i$ by $S_i = R_i$. It follows that, by $Z_{i+1} = Z_i \cap \mathit{pre}(Z_i)$ and $Z_0 = S$, the sequence of $Z_i$'s coincides with the lower iteration sequence evaluating $\mathrm{gfp} \lambda X.\, S \cap \mathit{pre}(X)$. The algorithm says "OK" only if

$$\begin{array}{ll}
\alpha_i(I \cup \mathit{post}(Z_i)) \sqsubseteq \alpha_i(Z_i) & Z_i = \gamma(S_i) \\
\Leftrightarrow I \cup \mathit{post}(Z_i) \subseteq \gamma \circ \alpha_i(Z_i) & \text{Galois connection } (\alpha_i, \gamma) \\
\Leftrightarrow I \cup \mathit{post}(Z_i) \subseteq Z_i & \text{Lem. 3.2} \\
\Rightarrow \mathit{post}(Z_i) \subseteq Z_i \\
\Leftrightarrow Z_i \subseteq \mathit{pre}(Z_i) & \text{Galois connection } (\mathit{post}, \widetilde{\mathit{pre}}) \\
\Leftrightarrow Z_i = \mathrm{gfp} \lambda X.\, S \cap \mathit{pre}(X)
\end{array}$$

The algorithm says "KO" only if

$$\begin{array}{ll}
\alpha_i(I) \not\sqsubseteq S_i \\
\Leftrightarrow I \not\subseteq \gamma(S_i) & \text{Galois connection } (\alpha_i, \gamma) \\
\Leftrightarrow I \not\subseteq Z_i & \gamma(S_i) = Z_i \\
\Rightarrow I \not\subseteq \mathrm{gfp} \lambda X.\, S \cap \mathit{pre}(X) & \mathit{pre}^*(S) \subseteq Z_i \quad \square
\end{array}$$

We conclude this section by making a remark on line 10.

Remark 3.2 At line 10 we require that $\gamma(A_i)$ is enlarged by at least $Z_{i+1}$: the termination and correctness proofs of the algorithm remain valid if we add more sets of states at line 10. This may be crucial since the practical efficiency of Alg. 1 or 4 depends on (i) the precision of the over-approximations $R_i$ and $S_i$ and (ii) the time (and space) needed to build those over-approximations. Point (i) is crucial since inconclusive approximations will lead to the computation of $\mathit{pre}^*(S)$, which might be time and space consuming in practice [VanB03]. Point (ii) is important because an inefficient computation of over-approximations leads to an inefficient algorithm. Hence, a trade-off between (i) and (ii) must be chosen.

3.7 How to instantiate

The reader may have noticed that many questions of practical interest have been left (deliberately) unanswered: which family of abstract domains to choose? How to compute the fixpoints? etc. The answers to these questions depend on the class of TS we want to analyze. This section identifies those questions which, once answered for a given class of TS, allow us to implement our algorithms. We call this process the instantiation of the algorithms.

In the rest of this thesis we instantiate our algorithms to three different classes of transition systems. We shall successively study in Chapt. 4, 5 and 6 the WSTS (a large class of infinite state systems), a class of finite state concurrent systems, and Petri nets. Let us mention that both classes of TS studied in Chapt. 5 and 6 are subclasses of WSTS.

Below we shall see how to instantiate our algorithms in a systematic way. To do so, we review each notion our algorithms rely on which needs to be studied (e.g. termination of fixpoint computations) or defined (e.g. the family of abstract domains) for each class of transition systems. So we state the guidelines, which give a list of questions to be addressed for each class of TS. Thus, in each of the following chapters, we shall systematically study and address the points given by the guidelines so that at the end of the chapter it is straightforward to provide an implementation which solves the fixpoint checking problem for the particular class of systems studied in the chapter.

We said above that the TS of Chapt. 5 are a subclass of WSTS. Moreover, since we use the same family of abstract domains as in Chapt. 4, once the guidelines are completed for the WSTS, so they are for the subclass of Chapt. 5. It is worth saying here that Chapt. 4 concentrates on an effective algorithm for the general class of WSTS, while in Chapt. 5 we focus on an efficient algorithm for a particular subclass of WSTS.

The guidelines are made of the following points.

3.7.1 Reduction to the Fixpoint Checking Problem

If we want to use one of the above algorithms (Alg. 1 or Alg. 4), it is clear that we have to reduce the considered decision problems to equivalent fixpoint checking problems. For each decision problem instance we call the equivalent instance of the fixpoint checking problem the fixpoint instance.

3.7.2 The Family of Abstract Domains

For each class of TS, we need to define an adequate family of abstract domains associated to a fixpoint instance of the fixpoint checking problem.

Definition 3.5 (An adequate family of abstract domains) Let $\{\langle A_j, \sqsubseteq_j \rangle, \alpha_j, \gamma_j\}_{j \in J}$ be a family of abstract domains for $\langle \wp(C), \subseteq \rangle$. We say that the family is adequate for $Y \in \wp(C)$ and $f \in \wp(C) \mapsto \wp(C)$ if

1. $\exists j \in J : Y \in \gamma(A_j)$, and

2. $\forall j_1 \in J\ \forall Z \in \gamma(A_{j_1})\ \exists j_2 \in J : \gamma(A_{j_2}) \supseteq \{f(Z)\} \cup \gamma(A_{j_1})$.

The next proposition characterizes the abstract domains used in the above algorithms.

Proposition 3.17 Given $(C, T, I)$ and $S \subseteq C$ an instance of the fixpoint problem, the sequence of abstract domains $\{A_i\}_{i \in \mathbb{N}}$ in Alg. 1 and 4 can be characterized as follows:

$$\begin{cases}
S \in \gamma(A_0) \\
\gamma(A_{i+1}) \supseteq \{Z\} \cup \gamma(A_i) \quad \text{where } Z \in \{Y \cap \mathit{pre}[T](Y) \mid Y \in \gamma(A_i)\}.
\end{cases}$$

Proof. Immediate from the algorithms. $\square$

The next proposition relates an adequate family of abstract domains to the sequence of abstract domains used in our algorithms. The sequence is actually extracted from the adequate family.

Proposition 3.18 Given $(C, T, I)$ and $S \subseteq C$ an instance of the fixpoint problem, let $\{\langle A_j, \sqsubseteq_j \rangle, \alpha_j, \gamma_j\}_{j \in J}$ be an adequate family of abstract domains for $S$ and $\lambda X.\, X \cap \mathit{pre}[T](X)$. There exists a sequence of abstract domains which satisfies the characterization of Prop. 3.17.

Proof. By point 1 of Def. 3.5 we find that $\exists j \in J : S \in \gamma(A_j)$. Moreover, point 2 of Def. 3.5 shows that

$$\forall j_1 \in J\ \forall Y \in \gamma(A_{j_1})\ \exists j_2 \in J : \gamma(A_{j_2}) \supseteq \{Y \cap \mathit{pre}[T](Y)\} \cup \gamma(A_{j_1}) . \quad \square$$

Hence, for each fixpoint instance $(C, T, I)$ and $S \subseteq C$ of the fixpoint checking problem we need to provide a family of abstract domains which is adequate for $S$ and $\lambda X.\, X \cap \mathit{pre}[T](X)$.

In the following chapters, whenever a family is defined, we shall use the following lemma to show that the family is adequate.

Lemma 3.13 Let $\{\langle A_j, \sqsubseteq_j \rangle, \alpha_j, \gamma_j\}_{j \in J}$ be a family of abstract domains, $Y \in \wp(C)$ and $f \in \wp(C) \mapsto \wp(C)$. Define $\mathcal{V} = \bigcup_{j \in J} \gamma_j(A_j)$. If (i) $Y \in \mathcal{V}$; (ii) for each $Z \in \mathcal{V}$, $f(Z) \in \mathcal{V}$; and (iii) for each $j_1, j_2 \in J$ there exists $j \in J$ such that $\gamma(A_j) \supseteq \gamma(A_{j_1}) \cup \gamma(A_{j_2})$, then $\{\langle A_j, \sqsubseteq_j \rangle, \alpha_j, \gamma_j\}_{j \in J}$ is an adequate family of abstract domains.

Proof. Point 1 of Def. 3.5 follows directly from (i), and point 2 is a consequence of conditions (ii) and (iii). $\square$

Remark 3.3 Our definition of an adequate family of abstract domains relates to the notion of backward complete domain defined in [GQ01]. In fact, the set $\mathcal{V}$ defined in Lem. 3.13 is backward complete for the function $f$ and the constant value $Y$. So the adequate family given in Def. 3.5 covers the backward complete domain $\mathcal{V}$ using abstract domains of finite size. From this perspective, the abstract domain refinement can be seen as a demand-driven form of backward completion.

Since ultimately we want to implement an algorithm, we shall address effectivity (and efficiency) issues as well. More precisely, we shall establish the effectivity of the abstract domain (i.e. prove it is an effective complete lattice) or of a relevant part of it (namely where the computations take place). We also provide an effective characterization of $\alpha$ when applied to some concrete values of interest, e.g. the $Z_i$'s or the set $I$ of initial states.


3.7.3 Forward Reasoning

In Chapt. 4 our solution is based on Alg. 1. Hence the forward reasoning, given by lines 3 and 4, first evaluates an abstract least fixpoint expression, and then performs a test on the fixpoint that allows us to identify positive instances of the fixpoint checking problem. Thus we shall provide an effective characterization of the iterated function. We do so for each abstract domain of the adequate family. Since each abstract domain of the family is finite, we find that the fixpoint evaluation stabilizes after a finite number of steps, which means that the fixpoint of line 3 is computable.

Also, for each abstract domain of the family, we give an effective characterization of the test of line 4. It follows that we have an effective characterization of the forward reasoning.

In Chapt. 6 we instantiate Alg. 4 instead. In this setting, the evaluation of $R_i$ at line 3 is delegated to an external procedure which satisfies the requirement of line 3. So, for each abstract domain of the family, we prove that the requirements of line 3 are satisfied by the external procedure. It remains to provide an effective characterization of the test of line 4 which, in addition to the effectivity of the external procedure, yields an effective characterization of the forward reasoning.

3.7.4 Backward Reasoning

In the next chapters, the backward reasoning first evaluates an abstract greatest fixpoint expression, and then performs a test on the fixpoint that allows us to identify negative instances of the fixpoint checking problem. Thus, as for the forward reasoning, we shall provide an effective characterization of the iterated function. We do so for each abstract domain of the adequate family. We shall also show that the fixpoint evaluation stabilizes after a finite number of steps.

Also, for each abstract domain of the family, we give an effective characterization of the test that identifies negative instances. It follows that we have an effective characterization of the backward reasoning.

3.7.5 Abstract Domain Refinement

We then study the refinement of the current abstract domain, that is, how to pick a new abstract domain in the adequate family to be used at the next iteration of the algorithm. What is needed is an abstract domain with the following property: it represents exactly a certain value in addition to the values exactly representable by the current domain. Since we consider adequate families we know that such a domain always exists in the family.

Formally, this means that, given $(C, T, I)$ and $S \subseteq C$ a fixpoint instance of the fixpoint checking problem, for each abstract domain $(\langle A, \sqsubseteq \rangle, \alpha, \gamma)$ of the adequate family, we effectively characterize $\lambda X.\, X \cap \mathit{pre}[T](X)$ restricted to values in $\gamma(A)$. This requirement corresponds to what is defined at line 9 in Alg. 1 but also in Alg. 4: $Z_{i+1} = \gamma(S_i) \cap \mathit{pre}[T](\gamma(S_i))$. Then, given a value $Y \in \gamma(A)$, we effectively define an abstract domain $(\langle A', \sqsubseteq' \rangle, \alpha', \gamma')$ of the adequate family such that the requirement $\gamma'(A') \supseteq \{Y \cap \mathit{pre}[T](Y)\} \cup \gamma(A)$ holds. Line 10 in Alg. 1 and Alg. 4 imposes this requirement. Finally we give an effective characterization of $\alpha'(Y \cap \mathit{pre}[T](Y))$.

3.7.6 Termination

For each fixpoint instance of the fixpoint checking problem, we shall prove that the algorithm we instantiated terminates. To this end, we use termination results given in Sect. 3.3.2.

Chapter 4

The Coverability Problem of Well-Structured Transition Systems

We present an abstract interpretation based approach to solve the coverability problem of well-structured transition systems. In this chapter we reduce the coverability problem to a fixpoint checking problem which is solved using Alg. 1. As shown in the previous chapter, we need to instantiate Alg. 1 for the peculiar class of WSTS. This is done systematically by following the so-called guidelines.

From a broader point of view, our approach contrasts with other attempts in that we solve this problem for the whole class of well-structured transition systems as described in [ACJT96]. So, our algorithm has to deal with possibly infinite downward closed sets. Whereas other approaches rely on a non-generic representation of downward closed sets of states, which turns out to be hard to devise in practice, we introduce a generic representation requiring no additional implementation effort.

4.1 Introduction

Model-checking is nowadays widely accepted as a powerful technique for the automatic verification of reactive systems that have natural finite state abstractions. However, many reactive systems are only naturally modeled as infinite state systems. This is why a large research effort has been made in recent years to allow the direct application of model-checking techniques to infinite state models. This research line has shown successes for several interesting classes of infinite state systems, such as timed automata [AD94], hybrid automata [Hen96], fifo channel systems [AJ96, AAB99], extended Petri nets [DRVanB02, BFLP03], broadcast protocols [EFM99], etc.

The WSTS introduced in Chapt. 2 form a large class of infinite state systems for which general decidability results hold. We refer the interested reader to [ACJT96] for more details on those results. Examples of WSTS are Petri nets [Rei86], monotone extensions of Petri nets (Petri nets with transfer arcs [Cia94], Petri nets with reset arcs [DFS98], and Petri nets with non-blocking arcs [RVanB04]), broadcast protocols [EN98], and lossy channel systems [AJ96]. For all those classes of infinite state systems, we know that an interesting and large class of safety properties is decidable by reduction to the coverability problem. The coverability problem is defined as follows: "given a WSTS ((C,≼), δ, c0) and a state c ∈ C, does there exist a state c′ which is reachable from c0 and such that c ≼ c′?"

Broadly speaking, there are two ways to solve the coverability problem for WSTS. The first way is to explore the transition system backwards by iterating the predicate transformer pre[δ] starting from the set of states that are greater than or equal to c. This simple procedure is effective when very mild assumptions are met. In fact, as seen in Sect. 2.1, for each wqo-set (C,≼), the following nice property holds: every ≼-uc-set has an effective representation by a finite set. This generic representation of ≼-uc-sets is adequate since union and inclusion are effective in the following sense: given finite representations of two sets, one can construct a finite representation of their union, or check their inclusion. The only further property that is needed for the procedure to be effective is that, given an effective representation of the ≼-uc-set U, it must be possible to compute an effective representation of the ≼-uc-set pre[δ](U). The ACC on the lattice (UCS(C), ⊆) ensures the termination of this procedure.

The second way is to explore the transition system forwards from the initial state c0. Here, the situation is more complicated. A fixpoint computation procedure that iterates the predicate transformer post[δ] from c0 may diverge, as the reachability problem is undecidable for WSTS. In [GRVanB04] the authors define an abstraction refinement based algorithm for the coverability problem. Their solution comes in the form of an algorithmic schema which has to be instantiated for each class of WSTS. This schema of algorithm is general but, to be applicable to a given class of WSTS, the user has to provide a so-called adequate and effective domain of limits. This set is in fact a (usually infinite) set of abstract values that allows one to represent any ≼-dc-set. The situation is less satisfactory than for ≼-uc-sets, for which there exists, as we have seen before, a simple and finite generic representation based on minor sets. Such a generic representation of downward closed sets has been missing so far, and this is the problem we solve in this chapter.

First, we show that, for each wqo-set (C,≼), there exists a generic and effective representation of ≼-downward closed sets. To the best of our knowledge, this is the first time that such a generic representation is proposed. An attempt in that direction was made in [ADMN04], but the result is a methodology for designing symbolic representations of ≼-downward closed sets and not a generic symbolic representation of such sets. As a consequence, their methodology has to be instantiated for each subclass of WSTS which is considered, and this is not a trivial task.

Second, as ≼-downward closed sets are abstractions for sets of reachable states in the forward algorithm, we embed our generic representation of ≼-downward closed sets into a family of abstract domains. This allows us to rephrase in a simpler way the algorithm of [GRVanB04] in the context of abstract interpretation. Moreover we shall see that, to instantiate Alg. 1 for the WSTS, we need no more assumptions than [ACJT96].

The structure of the chapter reflects the content of the guidelines and is organized as follows. Section 4.2 recalls the coverability problem on WSTS and gives an overview of the state-of-the-art solutions. In Sect. 4.3 we instantiate Alg. 1 following the guidelines. So we reduce the coverability problem to a fixpoint checking problem, we propose a family of abstract domains and prove its adequacy, then we give effective characterizations of the fixpoints and tests of Alg. 1, and finally we address the issues related to the refinement and termination of the algorithm. To conclude the chapter we illustrate the algorithm with an example in Sect. 4.4.

4.2 The Coverability Problem: State-of-the-art

The decision problem we study in this chapter is formally defined as follows:

The coverability problem for WSTS
Instance: a WSTS ((C,≼), δ, c0) and bad ∈ UCS(C).
Question: does post*(c0) ∩ bad = ∅ hold?

In general, bad is a ≼-uc-set of states which describes states that you do not want your system to reach. They can represent, for instance, configurations of the system in which an error occurs. Considering the set complement of bad, we obtain a ≼-dc-set of states in which none of the errors specified by bad occurs. We denote this set by S.

The following lemma gives a question equivalent to post*(c0) ∩ bad = ∅.

Lemma 4.1 Let ((C,≼), δ, c0) be a WSTS and let bad ∈ UCS(C); the two following statements are equivalent:

post*(c0) ∩ bad = ∅ ,
{c0} ⊆ gfp⊆ λX. S ∩ pre[δ](X) where S = ¬bad.

Proof. Since S = ¬bad we find that post*(c0) ∩ bad = ∅ iff post*(c0) ⊆ S which, by definition of post*(c0), can be rewritten as lfp λX. c0 ∪ post[δ](X) ⊆ S. We conclude from [Cou00, Thm. 4] that lfp⊆ λX. c0 ∪ post[δ](X) ⊆ S if and only if {c0} ⊆ gfp⊆ λX. S ∩ pre[δ](X), hence that the two above statements are equivalent. □

Below we review the existing approaches.

4.2.1 The Backward Approach

Let us consider the characterization given by Lem. 4.1; we have the following lemma.

Lemma 4.2 Let ((C,≼), δ, c0) be a WSTS and let S ∈ DCS(C). The lower iteration sequence {I^i}_{i∈ℕ} given by I^0 = C, I^{i+1} = S ∩ pre[δ](I^i) stabilizes to gfp⊆ λX. S ∩ pre[δ](X) after a finite number of steps.

Proof. Lemma 2.9 shows that ∀V ∈ DCS(C) : pre[δ](V) ∈ DCS(C). Moreover, since S ∈ DCS(C) and (DCS(C), ⊆) is a complete lattice, we find that ∀i ∈ ℕ : I^i ∈ DCS(C). Finally, by the DCC, which holds on (DCS(C), ⊆) (see Lem. 2.7), we have that the lower iteration sequence stabilizes after a finite number of steps. □

To link this fixpoint with existing algorithms we need the following lemma.

Lemma 4.3 Let ((C,≼), δ, c0) be a WSTS and let bad ∈ UCS(C). Defining S = ¬bad, we have

gfp⊆ λX. S ∩ pre[δ](X) = ¬lfp⊆ λX. bad ∪ pre[δ](X) .

Proof.

gfp⊆ λX. S ∩ pre[δ](X)
= ¬lfp⊆ λX. ¬(S ∩ pre[δ](¬X))                      Th. 2.1
= ¬lfp⊆ λX. (¬S) ∪ (¬pre[δ](¬X))                   De Morgan laws
= ¬lfp⊆ λX. bad ∪ (¬pre[δ](¬X))                    bad = ¬S
= ¬lfp⊆ λX. bad ∪ ¬ ∘ ¬ ∘ pre[δ] ∘ ¬ ∘ ¬(X)        def. of pre
= ¬lfp⊆ λX. bad ∪ pre[δ](X)                        ¬ ∘ ¬ = λX. X   □

The fixpoint lfp⊆ λX. bad ∪ pre[δ](X) is given by the limit of an upper iteration sequence defined in the lattice of ≼-uc-sets, which satisfies the ACC, and so the iteration sequence stabilizes after a finite number of steps.

In [ACJT96, FS01], the authors evaluate this fixpoint algorithmically. To do so they rely on some effectivity hypotheses, which we mention here because our algorithm does not need more effectivity hypotheses than these.

Effective WSTS. According to [ACJT96], a WSTS ((C,≼), δ, c0) is effective if both ≼ and δ are decidable and for all c ∈ C : minpre[δ](c) is computable, where minpre[δ] is the predicate transformer given by λX. min(↑(pre[δ](↑X))). For the sake of brevity, we sometimes simply write minpre instead of minpre[δ].

Lemma 4.4 (From [ACJT96]) Given a WSTS ((C,≼), δ, c0) and S ⊆ C, we have ↑minpre(S) = pre(↑S) and ↑minpre*(S) = pre*(↑S).

Given an effective WSTS, the previous lemma, together with the effectiveness of ≼-uc-sets and the ACC on the lattice of ≼-uc-sets (see Lem. 2.7), shows how to effectively compute a symbolic representation of the (possibly) infinite set pre*(↑S) using effective representations of ≼-uc-sets. Once an effective representation of pre*(↑S) is computed, one can decide the coverability problem by testing whether c0 ∈ pre*(↑S) using Lem. 2.5.

This approach is described in great detail in [ACJT96, FS01]. The approaches based on the predicate transformer pre or on its dual λX. ¬pre(¬X) are referred to as the backward approaches.
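As an added illustration of the backward approach (example code written for this page, not the thesis author's implementation nor that of any tool), the following Python evaluates lfp λX. bad ∪ pre[δ](X) on ≼-uc-sets for a constructed two-place vector addition system, i.e. a Petri net, which is an effective WSTS with C = ℕ², ≼ the componentwise order and minpre as in Lem. 4.4. Every ≼-uc-set is kept as its minor set, the iteration stops as soon as the minor set is stable (which the ACC guarantees), and the coverability question is then answered by the membership test c0 ∈ pre*(↑bad). The net, the initial marking and the queries are constructed; the componentwise formula for minpre is the standard one for vector addition systems.

```python
# Added example (not from the thesis): backward coverability on a constructed VAS.
# States C = N^2 (markings), order ≼ = componentwise <=, a wqo by Dickson's lemma.
# A transition (u, v) fires from marking m when m ≽ u and yields m - u + v.

def leq(a, b):
    """Componentwise order a ≼ b on markings."""
    return all(x <= y for x, y in zip(a, b))

def minimize(elems):
    """Minor set of ↑elems: the ≼-minimal elements, a finite representation of a ≼-uc-set."""
    elems = set(elems)
    return frozenset(e for e in elems if not any(f != e and leq(f, e) for f in elems))

def minpre(c, transitions):
    """minpre[δ](c) = min pre[δ](↑c) (Lem. 4.4). For a transition (u, v) the markings m with
    m ≽ u and m - u + v ≽ c form ↑(u + max(c - v, 0)), computed componentwise."""
    return minimize(
        tuple(ui + max(ci - vi, 0) for ui, vi, ci in zip(u, v, c))
        for u, v in transitions
    )

def backward_fixpoint(bad_min, transitions):
    """Upper iteration sequence of λX. bad ∪ pre[δ](X) over minor sets (Lem. 4.3).
    The ACC on (UCS(C), ⊆) makes the sequence stabilize; two minor sets denote the same
    ≼-uc-set iff they are equal, so equality of minor sets detects stabilization."""
    current = minimize(bad_min)
    while True:
        nxt = minimize(set(current) | {m for c in current for m in minpre(c, transitions)})
        if nxt == current:
            return current
        current = nxt

def covers(c0, bad_min, transitions):
    """post*(c0) ∩ ↑bad ≠ ∅ iff c0 ∈ pre*(↑bad), i.e. some minimal element lies below c0."""
    return any(leq(m, c0) for m in backward_fixpoint(bad_min, transitions))

# Constructed net: t1 moves a token from place 0 to place 1, t2 moves it back.
# The token count is invariant, so markings with two or more tokens are never reached.
TRANSITIONS = [((1, 0), (0, 1)), ((0, 1), (1, 0))]
C0 = (1, 0)

if __name__ == "__main__":
    print("pre*(↑(2,0)) =", sorted(backward_fixpoint({(2, 0)}, TRANSITIONS)))
    print("covers (0,1):", covers(C0, {(0, 1)}, TRANSITIONS))   # True
    print("covers (2,0):", covers(C0, {(2, 0)}, TRANSITIONS))   # False
```

For bad = ↑(2,0) the minor set stabilizes at {(2,0), (1,1), (0,2)}, that is, every marking carrying at least two tokens; none of these elements lies below c0 = (1,0), so the instance is negative, while bad = ↑(0,1) is reached in one step.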

4.2.2 The Forward Approach

Now, let us turn to the formulation based on the predicate transformer post, which we refer to as the forward approach.

Lemma 4.5 Let ((C,≼), δ, c0) be a WSTS and let bad ∈ UCS(C); the two following statements are equivalent:

post*(c0) ∩ bad = ∅ ,
↓(lfp λX. c0 ∪ post[δ](X)) ⊆ S where S = ¬bad.

Proof. Since S = ¬bad we find that post*(c0) ∩ bad = ∅ iff post*(c0) ⊆ S which, by definition of post*(c0), can be rewritten as lfp λX. c0 ∪ post[δ](X) ⊆ S. Then, since S ∈ DCS(C), we have that lfp λX. c0 ∪ post[δ](X) ⊆ S iff ↓(lfp λX. c0 ∪ post[δ](X)) ⊆ S. □

The downward closure of the set of reachable states appearing in the previous lemma is commonly referred to as the coverability set ([Fin90, EN98]) and is denoted Cover(S0). The interest in defining the coverability set stems from the fact that, provided an ad-hoc representation depending on the wqo-set (C,≼), it is possible to represent it. Indeed the coverability set is a ≼-dc-set. However, there is no hope of computing the coverability set in all generality: a result of [DFS98] shows that the coverability set is not effectively computable for some subclasses of WSTS.

Nevertheless, there exists a forward approach that solves the coverability problem, which is summarized below.

Expand, Enlarge and Check. In [GRVanB04] the authors use the abstraction refinement paradigm to construct, given the WSTS S0 and the ≼-dc-set S, two sequences of approximations of the reachable states of S0, one from below (an under-approximation) and one from above (an over-approximation). Along each sequence the approximations get more and more precise. Under-approximations allow one to identify when the inclusion Cover(S0) ⊆ S does not hold; they are given by the bounded iteration of post from c0. Over-approximations are given by the iteration of an upper-approximation f of post such that f returns a set of states which is ≼-downward closed. Over-approximations allow one to identify when Cover(S0) ⊆ S holds. If so, their algorithm returns a set of states R ∈ DCS(C) such that Cover(S0) ⊆ R ⊆ S and post(R) ⊆ R. Nevertheless, the algorithmic schema the authors proposed has to be instantiated for each class of WSTS, and so their algorithm is not fully generic.

In this chapter, we provide a completely generic algorithm to solve the coverability problem for WSTS. This algorithm is the result of instantiating Alg. 1. The following section is devoted to that instantiation of Alg. 1.

4.3 Instantiation

Following the guidelines given in Sect. 3.7, the instantiation process will be carried out as follows.

First, we reduce the coverability problem to a fixpoint checking problem, namely we define for each instance of the coverability problem an equivalent instance (called the fixpoint instance) of the fixpoint checking problem.

Second, we propose a family of abstract domains to be used by the instantiated Alg. 1. For every fixpoint instance given by (C, T, I) and S ⊆ C of the fixpoint checking problem we prove the family is adequate for S and λX. X ∩ pre[T](X). We also discuss the effectivity of each abstract domain in the family. Finally we give an effective characterization of α restricted to some values of interest, such as c0.

Third, for every fixpoint instance and every abstract domain of the adequate family we provide an effective characterization of the fixpoints of lines 3 and 7. Also we give an effective characterization for the tests of line 4 and line 8.

Fourth, given an abstract domain of the adequate family (〈A,⊑〉, α, γ), we show how to effectively compute Y ∩ pre[T](Y) for each value Y ∈ γ(A). This requirement corresponds to what is defined at line 9 in Alg. 1: Z_{i+1} = γ(S_i) ∩ pre[T](γ(S_i)). Then, given a value Y ∈ γ(A), we also define and compute an abstract domain (〈A′,⊑′〉, α′, γ′) of the adequate family such that the requirement γ′(A′) ⊇ {Y ∩ pre[T](Y)} ∪ γ(A) holds, as required by line 10 in Alg. 1. Finally we give an effective characterization of α′(Y ∩ pre[T](Y)).

Fifth, we shall prove that, for each fixpoint instance of the fixpoint checking problem, the instantiated Alg. 1 terminates.

4.3.1 Reduction to the Fixpoint Checking Problem

Our reduction of the coverability problem to a fixpoint checking problem is based on the coverability set. Recall that the coverability set allows one to decide the coverability problem, as suggested by Lem. 4.5, and that the coverability set is a ≼-dc-set: a structural property that makes it more convenient to represent and handle than the set of reachable states. Our first step is to give an alternative characterization of the coverability set directly as a fixpoint rather than as the ≼-downward closure of a fixpoint. To this end we introduce the lossy transition relation of a WSTS.

Definition 4.1 (Lossy Transition Relation) Given a WSTS ((C,≼), δ, c0), we denote by δ↓ its lossy transition relation, which is defined to be δ ∘ ≽. □

The following lemma studies the properties of the lossy transition relation of a WSTS through its predicate transformers.

Lemma 4.6 Given a WSTS ((C,≼), δ, c0), we have

λX. post[δ↓](X) = λX. ↓ ∘ post[δ](X) ,

pre[δ](U) = pre[δ↓](U) for all U ∈ UCS(C) ,

pre[δ](S) = pre[δ↓](S) for all S ∈ DCS(C) .

Proof. The first statement follows immediately from the equality δ↓ = δ ∘ ≽. For the second statement, the definition δ↓ = δ ∘ ≽ shows that δ ⊆ δ↓ by reflexivity of ≽, hence that λX. pre[δ](X) ⊆ λX. pre[δ↓](X) by monotonicity of pre. For the reverse inclusion, let c ∈ pre[δ↓](U), which means there exists u ∈ U such that (c, u) ∈ δ↓, or equivalently (c, u) ∈ δ ∘ ≽. So by definition of the composition there exists u′ ≽ u with (c, u′) ∈ δ. We find that u′ ∈ U since U is a ≼-uc-set, and so c ∈ pre[δ](U). The result of the third statement follows from the previous statement, from the fact that ¬S ∈ UCS(C) iff S ∈ DCS(C), and from the definition of the dual of pre, which is given by λX. ¬ ∘ pre ∘ ¬(X). □

Here follows a characterization of the coverability set as a fixpoint.

Lemma 4.7 Given a WSTS S0 = ((C,≼), δ, c0), we have

Cover(S0) = lfp λX. ↓c0 ∪ post[δ↓](X)

Proof. We conclude from the WSTS definition and Cover(S0) = ↓(lfp λX. c0 ∪ post[δ](X)) that c0 ∪ post[δ](Cover(S0)) ⊆ Cover(S0), hence that (i) ↓(c0 ∪ post[δ](Cover(S0))) ⊆ Cover(S0) since Cover(S0) ∈ DCS(C), and finally that (ii) lfp λX. ↓(c0 ∪ post[δ](X)) ⊆ Cover(S0) by def. of lfp.

Then λX. c0 ∪ post[δ](X) ⊆ λX. ↓(c0 ∪ post[δ](X)) implies that

lfp λX. c0 ∪ post[δ](X) ⊆ lfp λX. ↓(c0 ∪ post[δ](X))                        Lem. 2.8
⇒ ↓(lfp λX. c0 ∪ post[δ](X)) ⊆ ↓(lfp λX. ↓(c0 ∪ post[δ](X)))               ↓ monotonicity
⇒ ↓(lfp λX. c0 ∪ post[δ](X)) ⊆ lfp λX. ↓(c0 ∪ post[δ](X))                  fixpoint property
⇒ Cover(S0) ⊆ lfp λX. ↓(c0 ∪ post[δ](X))

From the above we find that

Cover(S0) = lfp λX. ↓(c0 ∪ post[δ](X))
          = lfp λX. ↓c0 ∪ ↓ ∘ post[δ](X)                                   ↓(S1 ∪ S2) = ↓S1 ∪ ↓S2
          = lfp λX. ↓c0 ∪ post[δ↓](X)                                      Lem. 4.6   □

We can now define the fixpoint instance of the fixpoint checking problem.

Definition 4.2 (Fixpoint Instance (WSTS)) Let a WSTS ((C,≼), δ, c0) and bad ∈ UCS(C) be an instance of the coverability problem; the fixpoint instance of the fixpoint checking problem is given by the TS ((C,≼), δ↓, ↓c0) and S ∈ DCS(C) where S = ¬bad.

The following proposition establishes that each instance of the coverability problem is equivalent to its fixpoint instance of the fixpoint checking problem.

Proposition 4.1 Given a WSTS ((C,≼), δ, c0) and bad ∈ UCS(C), the following statements are equivalent:

post*(c0) ∩ bad = ∅ ,
lfp λX. ↓c0 ∪ post[δ↓](X) ⊆ S where S = ¬bad.

Proof. Lem. 4.5 shows that post*(c0) ∩ bad = ∅ is equivalent to ↓(lfp λX. c0 ∪ post[δ](X)) ⊆ S. The definition of the coverability set and Lem. 4.7 conclude the proof. □

4.3.2 An Adequate Family of Abstract Domains

For each fixpoint instance ((C,≼), δ↓, ↓c0) and S ∈ DCS(C) of the fixpoint checking problem we propose a family of abstract domains and show it is adequate (see def. 3.5) for S and λX. X ∩ pre[δ↓](X); we also study the effectivity of each abstract domain.

Given the wqo-set (C,≼) of a WSTS, the concrete lattice is naturally given by PL(C). Now, let D be a finite subset of C called the set of observations; (D,≼) is trivially a wqo-set. In this chapter (and also in the next one), the symbol D is used to denote the set of observations. We define the abstract lattice to be DPL(D) (see def. 2.1 for a detailed definition). Also, we define the abstraction and concretization mappings as follows:

α_D(E) ≝ ↓E ∩ D for each E ∈ PL(C)

γ_D(P) ≝ {c ∈ C | ↓c ∩ D ⊆ P} for each P ∈ DCS(D) .

For simplicity of notation, we also write γ(P), α(E) if the subscript is clear from the context.

Let D be a finite subset of C; the abstraction α ∈ PL(C) ↦ DPL(D) and concretization γ ∈ DPL(D) ↦ PL(C) maps form a Galois insertion.

Proposition 4.2 For each finite subset D of C, the pair (α, γ) forms a Galois insertion between PL(C) and DPL(D).

Proof. We use the alternative definition given at Lem. 2.11 to establish the Galois connection. To establish the Galois insertion, we show, in addition, that α ∘ γ = λX. X. It follows immediately from the definitions that α is monotone (i.e., S1 ⊆ S2 implies α(S1) ⊆ α(S2)) and γ as well. Indeed, γ(P1) ⊆ γ(P2) ⇔ {c ∈ C | ↓c ∩ D ⊆ P1} ⊆ {c ∈ C | ↓c ∩ D ⊆ P2} ⇔ P1 ⊆ P2. So, it suffices to prove (a) and (b) below:

(a) P ⊆ (γ ∘ α)(P) for every P ∈ PL(C).

(γ ∘ α)(P) = {c ∈ C | ↓c ∩ D ⊆ ↓P ∩ D}
           ⊇ {c ∈ P | ↓c ∩ D ⊆ ↓P ∩ D}
           = P

(b) (α ∘ γ)(P) = P for every P ∈ DCS(D).

(α ∘ γ)(P) = ↓{c | ↓c ∩ D ⊆ P} ∩ D
           = {c | ↓c ∩ D ⊆ P} ∩ D                 γ(P) ∈ DCS(C)
           = {c ∈ D | ↓c ∩ D ⊆ P}
           = P                                     P ⊆ D and P ∈ DCS(D)   □

[Figure 4.1 (image not reproduced): the ≼-dc-sets A, B and C drawn in ℕ² on x and y axes graduated 1, 2, 3, with the observations of D shown as black dots.]

Figure 4.1: Abstraction of ≼-dc-sets in ℕ².

We next show through an example that the finite subset D of C actually parameterizes the precision of the abstract domain with respect to the concrete domain.

Example 4.1 Let us consider the ≼-dc-sets of Fig. 4.1 and the following finite domain D = {(0,0), (3,0), (0,2), (0,3)}, depicted by the black dots. Applying α to the ≼-dc-sets A, B and C gives, respectively, the (abstract) sets α(A) = {(0,0), (3,0)}, α(B) = {(0,0), (0,2), (0,3)}, α(C) = {(0,0), (0,2)}. A and C are exactly represented, i.e. γ(α(A)) = A and γ(α(C)) = C, but B is not: γ(α(B)) = {(x, y) ∈ ℕ² | x ≤ 2}. But, if we add (2,0) to D, then B becomes representable.

Definition 4.3 (Family of abstract domains) Given a WSTS ((C,≼), δ, c0), we define the family of abstract domains as follows:

{(〈DCS(D), ⊆〉, α_D, γ_D) | D is a finite subset of C} .

Effectivity. Note that since D is a finite set, DPL(D) is an effective complete lattice (as defined in Sect. 2.2). So, given a finite subset D of C, the complete lattice DPL(D) provides an effective way to manipulate (possibly) infinite sets.

We now prove this family is adequate for S and λX. X ∩ pre[δ↓](X). We show this result in Prop. 4.5 but, prior to this, we need intermediate results.

Lemma 4.8 For any S, S′ ⊆ C, ↓S ∩ ↑S′ ≠ ∅ ⇔ ↓S ∩ S′ ≠ ∅ ⇔ S ∩ ↑S′ ≠ ∅.

Proof.

↓S ∩ ↑S′ ≠ ∅
⇔ {c | ∃x ∈ S : x ≽ c} ∩ {c | ∃y ∈ S′ : c ≽ y} ≠ ∅
⇔ {c | ∃x ∈ S ∃y ∈ S′ : x ≽ c ∧ c ≽ y} ≠ ∅
⇔ {c | ∃x ∈ S ∃y ∈ S′ : x ≽ c ∧ c = y} ≠ ∅
⇔ {c | ∃x ∈ S : x ≽ c} ∩ S′ ≠ ∅
⇔ ↓S ∩ S′ ≠ ∅

A similar reasoning is used to obtain ↓S ∩ ↑S′ ≠ ∅ ⇔ S ∩ ↑S′ ≠ ∅. □

The next lemma states that any ≼-dc-set of C can be represented exactly using a finite subset D of C.

Lemma 4.9 Let E ∈ DCS(C) and let D = min(C \ E); we have (γ ∘ α)(E) = E.

Proof. Let us first show that (γ ∘ α)(E) ⊆ E. For that, suppose by contradiction that there exists c ∈ (γ ∘ α)(E) ∧ c ∉ E.

c ∉ E
⇔ ↓c ⊈ E                                        E ∈ DCS(C)
⇔ ↓c ∩ (C \ E) ≠ ∅
⇔ ↓c ∩ ↑(min(C \ E)) ≠ ∅                        C \ E = ↑min(C \ E)
⇔ ↓c ∩ min(C \ E) ≠ ∅                           Lem. 4.8
⇔ ∃c′ : c′ ∈ ↓c ∧ c′ ∈ min(C \ E)
⇔ ∃c′ : c′ ∈ ↓c ∧ c′ ∈ D ∧ c′ ∉ E                def. of D   (4.1)

c ∈ (γ ∘ α)(E)
⇔ ↓c ∩ D ⊆ α(E)                                 def. of γ
⇔ ↓c ∩ D ⊆ ↓E ∩ D                               def. of α
⇔ ↓c ∩ D ⊆ E ∩ D                                E ∈ DCS(C)
⇔ ↓c ∩ D ⊆ E
⇔ ∀c′ : c′ ∈ ↓c ∧ c′ ∈ D ⇒ c′ ∈ E
⇔ ¬¬(∀c′ : c′ ∈ ↓c ∧ c′ ∈ D ⇒ c′ ∈ E)
⇔ ¬(∃c′ : c′ ∈ ↓c ∧ c′ ∈ D ∧ c′ ∉ E)             (4.2)

From (4.1) and (4.2) follows a contradiction.

E ⊆ (γ ∘ α)(E) is immediate by the property of Galois insertions. So, we have proved that (γ ∘ α)(E) = E. □

Prop. 4.3, which is used in many proofs, provides an equivalent definition of γ(P).

Proposition 4.3 Fix a finite subset D of C; γ(P) = C \ ↑(D \ P) for all P ∈ DCS(D).

Proof.

γ(P) = {c ∈ C | ↓c ∩ D ⊆ P}                             def. of γ

C \ γ(P) = {c ∈ C | ¬(↓c ∩ D ⊆ P)}
         = {c ∈ C | ↓c ∩ D ∩ (C \ P) ≠ ∅}
         = {c ∈ C | ↓c ∩ (D \ P) ≠ ∅}                    D ∩ (C \ P) = D \ P
         = {c ∈ C | {c} ∩ ↑(D \ P) ≠ ∅}                  Lem. 4.8
         = {c ∈ C | c ∈ ↑(D \ P)}
         = ↑(D \ P)

Hence, γ(P) = C \ ↑(D \ P). □

Corollary 4.1 DCS(C) = ⋃_{D ⊆ C, D finite} γ_D(DCS(D)) .

Proof. The "⊆" inclusion follows from Lem. 4.9 and the fact that min(U) is finite for every U ∈ UCS(C), while the reverse one follows from Prop. 4.3. □

Proposition 4.4 shows that the more observations you consider, the more ≼-dc-sets the abstract domain is able to represent exactly.

Proposition 4.4 Fix two finite subsets D ⊂ D′ of C; γ_D(DCS(D)) ⊆ γ_{D′}(DCS(D′)).

Proof. We show that for each P ∈ DCS(D), there exists a P′ ∈ DCS(D′) such that γ_D(P) = γ_{D′}(P′). We define the set P′ = D′ ∩ γ_D(P). Corollary 4.1 shows that γ_D(P) ∈ DCS(C), hence that P′ ∈ DCS(D′).

γ_{D′}(P′) = {c | ↓c ∩ D′ ⊆ P′}                                     def. of γ
          = {c | ↓c ∩ D′ ⊆ γ_D(P) ∩ D′}
          = {c | ↓c ∩ D′ ⊆ γ_D(P)}
          = {c | ↓c ∩ D′ ∩ ↑(D \ P) = ∅}                            Prop. 4.3
          = {c | ¬(∃c1 ∈ D′ ∃c2 ∈ (D \ P) : c ≽ c1 ≽ c2)}           def. of ↑ and ↓
          = {c | ¬(∃c1 ∈ D′ ∃c2 ∈ (D \ P) : c ≽ c1 = c2)}           D ⊂ D′
          = {c | ¬(∃c2 ∈ (D \ P) : c ≽ c2)}
          = {c | c ∉ ↑(D \ P)}
          = C \ ↑(D \ P)
          = γ_D(P)                                                  Prop. 4.3   □
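The following Python is an added example (written for this page; it is not the thesis author's code) that makes the abstract domain of Sect. 4.3.2 concrete for C = ℕ² with the componentwise order: it implements α_D and γ_D from their definitions, the exactness test γ_D(α_D(E)) = E of Lem. 4.9, the closed form γ_D(P) = C \ ↑(D \ P) of Prop. 4.3, and the monotonicity in D of Prop. 4.4 as seen in Example 4.1. A ≼-dc-set E is stored as the minor set of its complement, which Lem. 4.9 identifies as a canonical finite representation. The observations D are those of Example 4.1; the concrete sets A, B and C are an assumption, chosen as the ≼-dc-sets {y ≤ 1}, {x ≤ 1} and ↓(2,2) because these reproduce the values of α stated in the example (the figure itself is not reproduced on this page).

```python
# Added example (not from the thesis): the abstract domain DPL(D) over C = N^2.
# A ≼-dc-set E is stored as M = min(C \ E), the minor set of its ≼-uc complement
# (Lem. 4.9, Prop. 4.3); membership c ∈ E holds iff no m ∈ M satisfies m ≼ c.
from itertools import product

def leq(a, b):
    """Componentwise order a ≼ b."""
    return all(x <= y for x, y in zip(a, b))

def minimize(elems):
    """Minor set of ↑elems (the ≼-minimal elements)."""
    elems = set(elems)
    return frozenset(e for e in elems if not any(f != e and leq(f, e) for f in elems))

def member(excluded, c):
    """c ∈ E where E = C \ ↑excluded."""
    return not any(leq(m, c) for m in excluded)

def alpha(D, excluded):
    """α_D(E) = ↓E ∩ D, which for a ≼-dc-set E is E ∩ D (Lem. 4.11)."""
    return frozenset(d for d in D if member(excluded, d))

def gamma(D, P):
    """γ_D(P) = C \ ↑(D \ P) (Prop. 4.3), returned as the minor set of the excluded part."""
    return minimize(set(D) - set(P))

def in_gamma_by_definition(D, P, c):
    """c ∈ γ_D(P) by the original definition: ↓c ∩ D ⊆ P."""
    return all(d in P for d in D if leq(d, c))

def exact(D, excluded):
    """Is E exactly represented, i.e. γ_D(α_D(E)) = E? Minor sets are canonical, so compare them."""
    return gamma(D, alpha(D, excluded)) == minimize(excluded)

def definitions_agree(D, P, bound=6):
    """Cross-check Prop. 4.3 against the definition of γ on the grid [0, bound)^2."""
    g = gamma(D, P)
    return all(member(g, c) == in_gamma_by_definition(D, P, c)
               for c in product(range(bound), repeat=2))

# Constructed data matching Example 4.1: D is the example's set of observations; A, B, C
# are assumed to be the ≼-dc-sets {y ≤ 1}, {x ≤ 1} and ↓(2,2), which reproduce its values of α.
D = frozenset({(0, 0), (3, 0), (0, 2), (0, 3)})
A = {(0, 2)}             # N^2 \ ↑(0,2)          = {(x, y) | y ≤ 1}
B = {(2, 0)}             # N^2 \ ↑(2,0)          = {(x, y) | x ≤ 1}
Cset = {(3, 0), (0, 3)}  # N^2 \ ↑{(3,0),(0,3)}  = ↓(2,2)

if __name__ == "__main__":
    for name, E in (("A", A), ("B", B), ("C", Cset)):
        print(name, "alpha:", sorted(alpha(D, E)), "exact:", exact(D, E))
    print("gamma(alpha(B)) excludes", sorted(gamma(D, alpha(D, B))))   # [(3, 0)] -> {x ≤ 2}
    print("B exact once (2,0) is observed:", exact(D | {(2, 0)}, B))   # True (Prop. 4.4)
    print("D = min(C \\ B) is exact (Lem. 4.9):", exact(B, B))         # True
```

Running it reproduces the example: A and C are exact, B concretizes to {x ≤ 2} because the only observation outside α(B) is (3,0), and adding the observation (2,0) (which is exactly min(C \ B), the choice of Lem. 4.9) makes B exact.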

Remark 4.1 We have seen above that any ≼-dc-set can be represented using an appropriate set D of observations; there is usually no finite set D of observations which is able to represent all the ≼-dc-sets. It should be pointed out that ≼-dc-sets can be easily represented through their (≼-uc-set) complement, i.e. by using an effective representation of the ≼-uc-set. However, with this approach, the manipulation of ≼-dc-sets is not obvious. In particular, we do not know a generic way to compute the post operation applied to a ≼-dc-set by manipulating its complement. Also, as Cover(S0) is not constructible, it is, in some sense, useless to try to represent exactly all the ≼-dc-sets encountered during the forward exploration.

We now prove the adequacy of the family of abstract domains.

Proposition 4.5 Let ((C,≼), δ↓, ↓c0) and S ∈ DCS(C) be a fixpoint instance of the fixpoint checking problem; the family of abstract domains defined in def. 4.3 is adequate for S and λX. X ∩ pre[δ↓](X).

Proof. Our proof uses Lem. 3.13 to establish the desired result. So we have to demonstrate its premises, that is: (i) S ∈ DCS(C), (ii) ∀V ∈ DCS(C) : S ∩ pre[δ↓](V) ∈ DCS(C) and (iii) ∀D1, D2 ∃D : γ_D(DCS(D)) ⊇ γ_{D1}(DCS(D1)) ∪ γ_{D2}(DCS(D2)). Point (i) trivially holds. For point (ii), Lem. 2.9 shows that V ∩ pre[δ](V) ∈ DCS(C) if V ∈ DCS(C). Also Lem. 4.6 shows that the functions λX. pre[δ](X) and λX. pre[δ↓](X) coincide as long as they are applied to ≼-dc-sets. Hence we have V ∩ pre[δ↓](V) ∈ DCS(C) if V ∈ DCS(C). The completeness property of DPL(C) concludes the proof of point (ii). Point (iii) is shown by taking D = D1 ∪ D2 and using the result of Prop. 4.4. □

We finish our study of the family of abstract domains by giving an effective characterization of α.

Lemma 4.10 Let D and M be two finite subsets of C; α(M) is computable.

Proof. The result follows from the definition of α, the finiteness of D and M, and the fact that ≼ is decidable. □

Lemma 4.11 Fix a finite subset D of C and let Z ∈ DCS(C),

α(Z) = D \ ¬Z .

Moreover, given an effective representation R of ¬Z, the value α(Z) is effectively computable.

Proof.

α(Z) = ↓Z ∩ D                def. of α
     = Z ∩ D                 Z ∈ DCS(C)
     = D ∩ ¬¬Z               ¬ ∘ ¬ = λx. x
     = D \ ¬Z

Finally, given an effective representation R of ¬Z, the finiteness of D and R and the decidability of ≼ show that α(Z) is effectively computable. □

4.3.3 Forward Reasoning

Given a fixpoint instance and an abstract domain of the adequate family of def. 4.3, we shall show how to compute the fixpoints of lines 3 and 7 of Alg. 1. We also give an effective characterization for the tests of lines 4 and 8. Prior to this we need some technical results.

Lemma 4.12 Let P ∈ DCS(C) and let S be such that γ ∘ α(S) = S. We have

α(S) ∩ α(P) = α(S ∩ P)

Proof. The monotonicity of α shows the inclusion "⊇" holds; so let us examine the reverse one. We conclude from γ ∘ α(S) = S, α(S) ∈ DCS(D) and Prop. 4.3 that S is a ≼-dc-set, hence that ↓S ∩ D ⊆ S, and finally that α(S) ⊆ S by definition of α. Next, since P is a ≼-dc-set, α(P) ⊆ P so that α(S) ∩ α(P) ⊆ S ∩ P. Moreover we conclude from the definition of α that

α(S) ∩ α(P) ⊆ D
⇒ α(S) ∩ α(P) ⊆ (S ∩ P) ∩ D              by above
⇒ α(S) ∩ α(P) ⊆ ↓(S ∩ P) ∩ D             S ∩ P ⊆ ↓(S ∩ P)
⇒ α(S) ∩ α(P) ⊆ α(S ∩ P)                 def. of α   □

Lemma 4.13 Fix a WSTS ((C,≼), δ, c0) and a finite subset D of C. We have

λX ∈ DCS(D). α ∘ post[δ↓] ∘ γ(X) = λX ∈ DCS(D). α ∘ post[δ] ∘ γ(X) ,

λX ∈ DCS(D). α ∘ pre[δ↓] ∘ γ(X) = λX ∈ DCS(D). α ∘ pre[δ] ∘ γ(X) .

Proof. For the first equality we have:

λX. α ∘ post[δ↓] ∘ γ(X)
= λX. α ∘ ↓ ∘ post[δ] ∘ γ(X)                      Lem. 4.6
= λX. (↓ ∘ ↓ ∘ post[δ] ∘ γ(X)) ∩ D                def. of α
= λX. (↓ ∘ post[δ] ∘ γ(X)) ∩ D                    ↓ is idempotent
= λX. α ∘ post[δ] ∘ γ(X)                          def. of α

The latter equality immediately follows from Lem. 4.6 and the fact that γ(X) is a ≼-dc-set (see Cor. 4.1). □

In what follows, given ((C,≼), δ↓, ↓c0) and S ∈ DCS(C) a fixpoint instance, we give an effective characterization of the fixpoint expression of line 3 in Alg. 1. To this end we follow the guidelines of Sect. 3.7, and so we shall prove the following. For each abstract domain (DPL(D), α, γ) of the family defined at def. 4.3 and for each Z ∈ γ(DPL(D)), we give an effective characterization of the following fixpoint expression: lfp λX. α(↓c0 ∪ post[δ↓](γ(X)) ∩ Z). The assumption Z ∈ γ(DPL(D)) is explained by Lem. 3.2. In fact, at each iteration i the abstract domain (DPL(D_i), α_i, γ_i) is such that γ_i ∘ α_i(Z_i) = Z_i.

The first step is to effectively characterize λX. α(↓c0 ∪ post[δ↓](γ(X)) ∩ Z).

Our first lemma gives an equivalent formulation of the iterated function, omitting effectivity concerns for the moment.

Lemma 4.14 Let ((C,≼), δ, c0) be a WSTS, D be a finite subset of C and let Z ⊆ C be such that γ ∘ α(Z) = Z. We have

λX. α(↓c0 ∪ post[δ↓](γ(X)) ∩ Z) = λX. (α(c0) ∪ α ∘ post[δ] ∘ γ(X)) ∩ α(Z) .

Proof. Lem. 4.6 shows that λX. post [δ↓ ](X) = λX. ↓ ◦ post [δ](X), which means thatthe returned value is always a �-dc-set. Then since ↓c0 ∈ DCS (C) we find that∀V ⊆ C : ↓c0 ∪ post [δ↓ ](V ) ∈ DCS (C). Hence,

λX. α(↓c0 ∪ post[δ↓](γ(X)) ∩ Z) =   by above and Lem. 4.12
λX. α(↓c0 ∪ post[δ↓](γ(X))) ∩ α(Z) =   α additivity in Lem. 2.10
λX. (α(↓c0) ∪ α ◦ post[δ↓] ◦ γ(X)) ∩ α(Z) =   Lem. 4.13
λX. (α(↓c0) ∪ α ◦ post[δ] ◦ γ(X)) ∩ α(Z) =   α(c0) = α(↓c0) by def. of α
λX. (α(c0) ∪ α ◦ post[δ] ◦ γ(X)) ∩ α(Z) □


Now, we give an effective characterization of λX. (α(c0) ∪ α ◦ post[δ] ◦ γ(X)) ∩ α(Z). Since the lattice DPL(D) is effective, we focus on each of the abstract values of the expression separately. We conclude from the finiteness of c0 (it is a singleton) and Lem. 4.10 that α(c0) is computable. For the case α(Z), we have seen in Lem. 4.11 that, given an effective representation of ¬Z, the value α(Z) is computable. We shall show in Lem. 4.20 how to obtain such an effective representation. So, it remains to give an effective characterization of λX. α ◦ post[δ] ◦ γ(X), but before we need the following lemma.

Lemma 4.15 Given a WSTS ((C,⊑), δ, c0), ∀c, c′ ∈ C : c ∈ pre(↑c′) ⇔ c′ ∈ ↓post(c).

Proof. c ∈ pre(↑c′) ⇔ ∃c″ : c″ ⊒ c′ ∧ c → c″ ⇔ c′ ∈ ↓post(c). □

Proposition 4.6 Given a WSTS ((C,⊑), δ, c0) and a finite subset D of C. For every c ∈ D and for every P ∈ DCS(D):

c ∈ α ◦ post ◦ γ(P) ⇔ (c ∈ D ∧ ¬(minpre(c) ⊆ ↑(D \ P))).

If moreover ((C,⊑), δ, c0) is an effective WSTS it gives an effective characterization of λX. α ◦ post ◦ γ(X).

Proof.

c ∈ α ◦ post ◦ γ(P)
⇔ c ∈ D ∧ c ∈ (↓ ◦ post ◦ γ)(P)   def. of α
⇔ c ∈ D ∧ (pre(↑c) ∩ γ(P)) ≠ ∅   Lem. 4.15
⇔ c ∈ D ∧ (pre(↑c) ∩ C \ ↑(D \ P)) ≠ ∅   Prop. 4.3
⇔ c ∈ D ∧ ¬(pre(↑c) ⊆ ↑(D \ P))
⇔ c ∈ D ∧ ¬(↑minpre(c) ⊆ ↑(D \ P))   Lem. 4.4

We know that minpre(c) and D \ P are effective representations of ↑minpre(c) and ↑(D \ P), respectively. Moreover they are computable since D is finite and the WSTS is effective. Also the decidability of ⊑ shows that we have an effective procedure to decide if ↑minpre(c) ⊆ ↑(D \ P) by Lem. 2.5. □

At this point, we have to make the following clear. The fixpoint instance of def. 4.2 is defined using the lossy transition relation δ↓, and in the exposition we show that it is possible to solve the fixpoint instance using the non-lossy transition relation δ, which is exactly what we want. Indeed, recall that the coverability problem (the problem we solve in this chapter) does not refer to a lossy transition relation: an instance of the coverability problem is given by an effective WSTS ((C,⊑), δ, c0) and an effective representation of bad ∈ UCS(C).


We are now in a position to show that the fixpoint expression at line 3 in the instantiation of Alg. 1 is computable.

Proposition 4.7 Given an effective WSTS ((C,⊑), δ, c0), a finite subset D of C and α(Z) such that γ ◦ α(Z) = Z, lfp λX. α(↓c0 ∪ post[δ↓](γ(X)) ∩ Z) is computable.

Proof. The iterated function of the above fixpoint is given by λX. α(↓c0 ∪ post[δ↓](γ(X)) ∩ Z). Lemma 4.14 provides an equivalent characterization of the iterated function which turns out to be effective following the effective characterization of α(c0), and Prop. 4.6. Finally since the abstract lattice DPL(D) is of finite height, the upper iteration sequence {I^i}_{i∈N} given by I^0 = ∅ and I^{i+1} = α(↓c0 ∪ post[δ↓](γ(I^i)) ∩ Z) stabilizes after a finite number of steps to the value lfp λX. α(↓c0 ∪ post[δ↓](γ(X)) ∩ Z), which yields the desired result. □

This last result shows that the fixpoint Ri of line 3 in Alg. 1

Ri = lfpλX. αi(↓c0 ∪ post [δ↓ ](γi(X)) ∩ Zi)

is computable given (1) an effective WSTS, (2) an abstract domain (DPL(Di), αi, γi) of the adequate family defined in def. 4.3 and (3) αi(Zi) such that γi ◦ αi(Zi) = Zi.

We shall now give an effective characterization of the test of line 4. We first need the following characterization of the function involved in the test.

Lemma 4.16 Let ((C,⊑), δ, c0) be a WSTS, D be a finite subset of C and let Z ⊆ C be such that γ ◦ α(Z) = Z. We have

λX. α(↓c0 ∪ post [δ↓ ](γ(X))) = λX. α(c0) ∪ α ◦ post [δ] ◦ γ(X) .

Proof.

λX. α(↓c0 ∪ post[δ↓](γ(X))) =   α additivity in Lem. 2.10
λX. α(↓c0) ∪ α ◦ post[δ↓] ◦ γ(X) =   Lem. 4.13
λX. α(↓c0) ∪ α ◦ post[δ] ◦ γ(X) =   α(c0) = α(↓c0) by def. of α
λX. α(c0) ∪ α ◦ post[δ] ◦ γ(X) □

This result together with Prop. 4.6 shows that the test of line 4 in Alg. 1

αi(↓c0 ∪ post [δ↓ ](γi(Ri))) ⊆ αi(Zi)


is effective given an effective WSTS, an abstract domain (DPL(Di), αi, γi) of the adequate family defined in def. 4.3 and αi(Zi). As a matter of fact, let us consider the characterization given at Lem. 4.16. The values αi(c0) and αi ◦ post[δ] ◦ γi(Ri) are computable by Lem. 4.10 and Lem. 4.14, respectively. Finally, the effectivity of the lattice DPL(Di) concludes our reasoning. Let us now turn to the backward reasoning case.

4.3.4 Backward Reasoning

Given ((C,⊑), δ↓, ↓c0) and S ∈ DCS(C) a fixpoint instance of the fixpoint checking problem, we give an effective characterization of the fixpoint of line 7 in Alg. 1. To this end, we follow the guidelines of Sect. 3.7 and so we shall prove the following. For each abstract domain (DPL(D), α, γ) of the family defined at def. 4.3 and for each A ∈ DCS(D) we give an effective characterization of the fixpoint expression: gfp λX. α(γ(A) ∩ p̃re[δ↓](γ(X))). The first step is to effectively characterize the iterated function λX. α(γ(A) ∩ p̃re[δ↓](γ(X))).

Our first lemma gives an equivalent formulation of the iterated function, omitting effectivity concerns for the moment.

Lemma 4.17 Let ((C,⊑), δ, c0) be a WSTS, D be a finite subset of C and let A ∈ DCS(D). We have

λX. α(γ(A) ∩ pre[δ↓ ](γ(X))) = λX.A ∩ α ◦ pre[δ] ◦ γ(X) .

Proof. Corollary 4.1 shows that γ(A) ∈ DCS(C) and so is the value given to the function p̃re[δ↓]. Also Lem. 4.6 shows that the functions λX. p̃re[δ↓](X) and λX. p̃re[δ](X) coincide as long as they are given a ⊑-dc-set. Moreover the returned value is a ⊑-dc-set by Lem. 2.9. So we have

λX. α(γ(A) ∩ p̃re[δ↓](γ(X))) =   Lem. 4.12, γ ◦ α ◦ γ(A) = γ(A) by Lem. 2.10
λX. A ∩ α ◦ p̃re[δ↓] ◦ γ(X) =   Lem. 4.13, α ◦ γ(A) = A by Prop. 4.2
λX. A ∩ α ◦ p̃re[δ] ◦ γ(X) □

Now, we examine the effectivity of evaluating λX. A ∩ α ◦ p̃re[δ] ◦ γ(X). Since the lattice DPL(D) is effective and we are given A, we focus on an effective characterization of λX. α ◦ p̃re[δ] ◦ γ(X).

Proposition 4.8 Given a WSTS ((C,⊑), δ, c0) and a finite subset D of C. For all P ∈ DCS(D):

α ◦ p̃re ◦ γ(P) = D \ ↑minpre(D \ P).


If, moreover, ((C,⊑), δ, c0) is an effective WSTS, this gives an effective characterization of λX. α ◦ p̃re ◦ γ(X).

Proof.

α ◦ p̃re ◦ γ(P) = (↓ ◦ p̃re ◦ γ(P)) ∩ D   def. of α
= p̃re(γ(P)) ∩ D   Lem. 2.9
= ¬ ◦ pre ◦ ¬(γ(P)) ∩ D   def. of p̃re
= ¬ ◦ pre ◦ ↑(D \ P) ∩ D   Prop. 4.3
= D \ pre ◦ ↑(D \ P)
= D \ ↑minpre(D \ P)   Lem. 4.4

The set minpre(D \ P) is an effective representation of ↑minpre(D \ P). Moreover the finiteness of D and the effectivity of the WSTS show that minpre(D \ P) is computable. So, provided ⊑ is decidable, we have an algorithm to compute the effect of applying λX. α ◦ p̃re ◦ γ(X). □

Let us turn to the proof of the main result, as far as backward reasoning is concerned.

Proposition 4.9 Given an effective WSTS ((C,⊑), δ, c0), a finite subset D of C and A ∈ DCS(D), gfp λX. α(γ(A) ∩ p̃re[δ↓](γ(X))) can be effectively computed.

Proof. Lemma 4.17 provides an equivalent characterization of the iterated function which turns out to be effective by Prop. 4.8 and effectivity of A ∈ DCS(D). Finally since the abstract lattice corresponding to D is of finite height, the lower iteration sequence {I^i}_{i∈N} given by I^0 = γ(A) and I^{i+1} = γ(A) ∩ p̃re[δ↓](I^i) stabilizes after a finite number of steps, which yields the desired result. □

This last result shows that the fixpoint Si of line 7 in Alg. 1

Si = gfp λX. αi(γi(Ri) ∩ p̃re[δ↓](γi(X)))

is computable given (1) an effective WSTS, (2) an abstract domain (DPL(Di), αi, γi) of the adequate family defined in def. 4.3 and (3) the abstract value Ri of the forward reasoning phase.

Finally, we find that the test of line 8

αi(c0) ⊈ Si

is effective since αi(c0) is computable by Lem. 4.10, Si is computable by Prop. 4.9 and by effectivity of the lattice DPL(Di).


4.3.5 Abstract Domain Refinement

In this section we show how to refine the current abstract domain. Recall that the next abstract domain to pick up in the family satisfies the requirement that the domain represents exactly a certain value besides the values represented exactly by the current domain. In our setting this means that, given the set D which defines the current abstract domain, we give an effective characterization of the set D′ which defines the next abstract domain.

More precisely, let ((C,⊑), δ↓, ↓c0) and S ∈ DCS(C) be a fixpoint instance of the fixpoint checking problem and let (DPL(D), α, γ) be an abstract domain of the adequate family of def. 4.3. In order to refine this abstract domain we need to compute the value Z such that Z = Y ∩ p̃re[δ↓](Y) for some Y ∈ γ(DCS(D)). This corresponds to the statement of line 9: Zi+1 = γi(Si) ∩ p̃re[δ↓](γi(Si)). Then we have to pick an abstract domain (DPL(D′), α′, γ′) of the family of def. 4.3 such that γ′(DCS(D′)) ⊇ {Z} ∪ γ(DCS(D)). This corresponds to the statement of line 10. Our first step is to characterize Z.

Lemma 4.18 Let ((C,⊑), δ, c0) be a WSTS, and D be a finite subset of C. We have, ∀Y ∈ γ(DCS(D)) : Y ∩ p̃re[δ↓](Y) ∈ DCS(C).

Proof. Corollary 4.1 shows that Y ∈ DCS(C). Next the property that DPL(C) is a complete lattice and Lem. 2.9 show that Y ∩ p̃re[δ](Y) ∈ DCS(C). Finally, Lem. 4.6 shows that Y ∩ p̃re[δ↓](Y) ∈ DCS(C). □

It is clear from Alg. 1 that such a Z is needed in the forward reasoning. More precisely, we see at line 3 that Z is used in a fixpoint expression of the following form: lfp λX. α(↓c0 ∪ post[δ↓](γ(X)) ∩ Z). However, Prop. 4.7 provides an effective characterization of the above fixpoint, given an effective WSTS and α(Z). So, as far as the forward reasoning is concerned, α(Z) is sufficient.

Note that, by Lem. 4.18 and the definition of Z, we know that ¬Z is a ⊑-uc-set, hence it has an effective representation. So, given an abstract domain (DPL(D), α, γ) of the family defined at def. 4.3 and given an effective representation of ¬Z, Lem. 4.11 provides an effective characterization of α(Z). The next two lemmas give an effective characterization of ¬Z.

Lemma 4.19 Let ((C,⊑), δ, c0) be a WSTS, let D be a finite subset of C. For all Y ∈ DCS(D) we have

¬(γ(Y) ∩ p̃re[δ↓](γ(Y))) = ↑((D \ Y) ∪ minpre[δ](D \ Y)).


Proof.

¬(γ(Y) ∩ p̃re[δ↓](γ(Y))) =   Lem. 4.6
¬(γ(Y) ∩ p̃re[δ](γ(Y))) =   De Morgan laws
¬γ(Y) ∪ ¬p̃re[δ](γ(Y)) =   def. of p̃re
¬γ(Y) ∪ ¬ ◦ ¬ ◦ pre[δ] ◦ ¬(γ(Y)) =   ¬ ◦ ¬ = λx. x
¬γ(Y) ∪ pre[δ](¬γ(Y)) =   Prop. 4.3
↑(D \ Y) ∪ pre[δ](↑(D \ Y)) =   Lem. 4.4
↑(D \ Y) ∪ ↑minpre[δ](D \ Y) =   ↑U1 ∪ ↑U2 = ↑(U1 ∪ U2)
↑((D \ Y) ∪ minpre[δ](D \ Y)) □

Now, we show how to compute (D \ Y) ∪ minpre[δ](D \ Y), which turns out to be an effective representation of ↑((D \ Y) ∪ minpre[δ](D \ Y)).

Lemma 4.20 Let ((C,⊑), δ, c0) be an effective WSTS, let D be a finite subset of C. For all Y ∈ DCS(D), the set (D \ Y) ∪ minpre[δ](D \ Y) is computable.

Proof. The sets D and Y ⊆ D are finite sets, hence D \ Y is computable. Then effectivity of the WSTS yields the desired result. □

Finally, we give an effective characterization of the refinement of the abstract domains of the family of def. 4.3 based on an effective representation of ¬Z.

Lemma 4.21 Given an abstract domain (DPL(D), α, γ) of the adequate family of def. 4.3 and a ⊑-uc-set U, each abstract domain (DPL(D′), α′, γ′) such that D′ ⊇ D ∪ D∆, where D∆ is given by an effective representation of U, is such that γ′(DCS(D′)) ⊇ {¬U} ∪ γ(DCS(D)).

Proof. Lemma 4.9 shows that if D∆ = min(U) then (DPL(D∆), α∆, γ∆) represents exactly ¬U, i.e. ¬U ∈ γ∆(DCS(D∆)). We conclude from Prop. 4.4 that each finite subset D∆ of C such that D∆ ⊇ min(U) yields ¬U ∈ γ∆(DCS(D∆)). In other words, for each D∆ given by an effective representation of U, we find that ¬U ∈ γ∆(DCS(D∆)). Finally, Prop. 4.4 shows that each D′ ⊇ D ∪ D∆ is such that γ′(DCS(D′)) ⊇ {¬U} 붕 γ(DCS(D)). □

We conclude from the above results that what we need to instantiate Alg. 1 is an effective representation of ¬Zi for each i.

For ¬Z0, the equality ¬S = ¬Z0 = bad shows that the effective representation of ¬Z0 is given by the effective representation of bad, which is given as input of the coverability problem. Then, for ¬Zi with i > 0 we use the result of Lem. 4.20.


In the instantiated Alg. 1, the refinement (see line 9 and line 10) of the abstract domain (DPL(Di), αi, γi) into (DPL(Di+1), αi+1, γi+1) such that γi+1(Di+1) ⊇ {Zi+1} ∪ γi(Di) is given by:

Di+1 = Di ∪ min((Di \ Si) ∪ minpre[δ](Di \ Si)).

4.3.6 Termination

Proposition 4.10 Given ((C,⊑), δ↓, ↓c0) and S ∈ DCS(C) a fixpoint instance of the fixpoint checking problem, the instantiated Alg. 1 terminates.

Proof. For each abstract domain (DPL(D), α, γ) of the adequate family of def. 4.3 we have, by Lem. 4.18, that ∀Y ∈ DCS(D) : γ(Y) ∩ p̃re[δ↓](γ(Y)) ∈ DCS(C). Hence for each value of i in the instantiated Alg. 1 we find that Zi ∈ DCS(C) by line 9. Since the DCC holds for the poset (DCS(C), ⊆) we conclude that the instantiated Alg. 1 terminates by Prop. 3.6. □

4.4 Illustration

We describe in this section the execution of Alg. 1 when applied on a toy example. The example WSTS is represented through a Petri net, depicted in Fig. 4.2, which models a very simple mutual exclusion protocol. We refer the reader to Chapt. 6 or [Rei86] for details about Petri nets. For Petri nets, the underlying WSTS is such that the wqo-set is given by (N^k, ≤) where k is the number of places in the net and ≤ relates k-tuples of N^k as follows. Given x, y ∈ N^k,

$x \le y \iff \bigwedge_{i=1}^{k} x(i) \le y(i).$

We want to check the safety of the protocol, that is, there is never more than one process in the critical sections. The markings that violate the property, denoted bad, are given by ↑{〈0, 0, 0, 1, 1〉, 〈0, 0, 0, 0, 2〉, 〈0, 0, 0, 2, 0〉}. It is worth pointing out that we want to establish safety for any number of processes taking part in the protocol (recall that t0 spawns processes). We give here the coverability set to ease the understanding of the reader,

$\mathrm{Cover}(S_0) = \{(p_1, p_2, p_3, p_4, p_5) \in \mathbb{N}^5 \mid (\bigwedge_{i=2}^{5} p_i \le 1) \wedge p_4 + p_5 \le 1 \wedge p_3 + p_4 \le 1 \wedge p_2 + p_5 \le 1\}$

and so our example is a positive instance of the fixpoint checking problem.

Execution of the algorithm.

We describe the execution of the prototype, iteration by iteration. On account of Rem. 3.2, we do not take min(bad) (min(bad) is an effective representation of bad) as the initial set of observations but its ≤-downward closure instead, and we do not add the set (Di \ Si) ∪ minpre(Di \ Si) to Di at the ith iteration but its downward closure instead. Taking the ≤-downward closure of the sets allows us to efficiently prove the safeness of the protocol.

Initialisation. As mentioned before, the initial set of observations, which is referred to as D0, is given by

↓{〈0, 0, 0, 1, 1〉, 〈0, 0, 0, 0, 2〉, 〈0, 0, 0, 2, 0〉}.

Iteration 1 (i=0). Using Cover(S0), the reader can check that after the fixpoint computation of line 3, we have R0 = D0 \ {〈0, 0, 0, 1, 1〉, 〈0, 0, 0, 0, 2〉, 〈0, 0, 0, 2, 0〉}, and so

γ(R0) = C \ ↑(D0 \ R0)
= C \ ↑{〈0, 0, 0, 1, 1〉, 〈0, 0, 0, 0, 2〉, 〈0, 0, 0, 2, 0〉}
= S = Z0 = ¬bad

Since Z0 ∉ postfp(post), e.g. 〈1, 1, 1, 1, 0〉 −t1→ 〈0, 1, 0, 2, 0〉, the test of line 4 fails and hence we compute S0. Then we show that S0 = R0 since

Z0 ∩ p̃re(Z0) = ¬(¬Z0 ∪ ¬ ◦ p̃re(Z0))   De Morgan laws
= ¬(¬Z0 ∪ ¬ ◦ ¬ ◦ pre ◦ ¬(Z0))   def. of p̃re
= ¬(¬Z0 ∪ pre ◦ ¬(Z0))   ¬ ◦ ¬ = λx. x
= ¬(¬Z0 ∪ ↑{〈1, 1, 1, 0, 1〉, 〈1, 1, 1, 1, 0〉})

the best approximation of which in γ(A0) is given by Z0 itself. It follows that the test of line 8 succeeds and so we compute Z1 = Z0 ∩ p̃re(Z0). So D1 = D0 ∪ ↓{〈1, 1, 1, 0, 1〉, 〈1, 1, 1, 1, 0〉}.

Iteration 2 (i=1). Again, using Cover(S0), the reader can check that the fixpoint computation of line 3 ends up with R1 such that γ(R1) = Z1 with Z1 ∉ postfp(post), e.g. 〈2, 1, 2, 0, 0〉 −t1→ 〈1, 1, 1, 1, 0〉. Hence the test of line 4 fails and we compute S1. Again we show that S1 = R1 since

Z1 ∩ p̃re(Z1) = ¬(¬Z1 ∪ pre ◦ ¬(Z1))
= ¬(¬Z1 ∪ ↑{〈0, 1, 1, 0, 1〉, 〈0, 1, 1, 1, 0〉, 〈2, 2, 1, 0, 0〉, 〈2, 1, 2, 0, 0〉})

the best approximation of which in γ(A1) is given by Z1. It follows that the test of line 8 succeeds and so we compute Z2 = Z1 ∩ p̃re(Z1). So D2 = D1 ∪ ↓{〈0, 1, 1, 0, 1〉, 〈0, 1, 1, 1, 0〉, 〈2, 2, 1, 0, 0〉, 〈2, 1, 2, 0, 0〉}.

Iteration 3 (i=2). In this case we find that R2 is such that γ(R2) = Cover(S0) since Cover(S0) ∈ γ(A2) and Cover(S0) ⊆ γ(R2), which follows from Prop. 3.1. To convince yourself that Cover(S0) ∈ γ(A2) we show that min(C \ Cover(S0)) ⊆ D2. We have that

$C \setminus \mathrm{Cover}(S_0) = \{(p_1, p_2, p_3, p_4, p_5) \in \mathbb{N}^5 \mid (\bigvee_{i=2}^{5} p_i > 1) \vee p_4 + p_5 > 1 \vee p_3 + p_4 > 1 \vee p_2 + p_5 > 1\}.$


[Figure 4.2 is a Petri net drawing, not reproduced here: places p1 (wait), p2, p3, p4 (cs1) and p5 (cs2); transitions t0, t1, t2, t3 and t4.]

The processes (the tokens in place p1) can access some critical section (place p4 or p5) provided they acquired some lock (the tokens in places p2 and p3). The initial marking is given by 〈0, 1, 1, 0, 0〉. Transition t0 spawns processes.

Figure 4.2: A simple mutual exclusion protocol.

Then it is clear that min(C \ Cover(S0)) is included in

$\min(\{(0, p_2, p_3, p_4, p_5) \in \mathbb{N}^5 \mid \bigvee_{i=2}^{5} p_i > 1\}) \cup \min(\{(0, 0, 0, p_4, p_5) \in \mathbb{N}^5 \mid p_4 + p_5 > 1\}) \cup \min(\{(0, 0, p_3, p_4, 0) \in \mathbb{N}^5 \mid p_3 + p_4 > 1\}) \cup \min(\{(0, p_2, 0, 0, p_5) \in \mathbb{N}^5 \mid p_2 + p_5 > 1\})$

which in turn is included in D2, hence the test of line 4 succeeds and Alg. 1 returns "OK".

Notice that pre∗(bad) is computed in five iterations with the classical algorithm of [ACJT96]. Hence, the forward analysis allows us to drastically cut the backward search. We hope this gain also shows up on many practical examples.
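The backward side of this example in code, added here and not part of the thesis: the net of Fig. 4.2 as a WSTS over (N^5, ≤), minpre on upward-closed sets given by their minimal elements (Lem. 4.4), the step ¬Z_{i+1} = ¬Z_i ∪ pre(¬Z_i) of Lem. 4.19, and the abstract p̃re of Prop. 4.8, checked against the markings quoted in the iterations above (S0 = R0 in iteration 1). The arcs of the net are an assumption reconstructed from the firings and minimal predecessors quoted in this section, since the figure itself is not reproduced in the text.

```python
# Added example (not code from the thesis): the WSTS of Sect. 4.4 as a Petri
# net over (N^5, <=), with the backward machinery the instantiation relies on.
# ASSUMPTION: the arcs below are reconstructed from the firings and minimal
# predecessors quoted in the text (the figure is not reproduced); places are
# ordered (p1 wait, p2, p3, p4 cs1, p5 cs2).
from itertools import product

# transition -> (tokens consumed per place, tokens produced per place)
TRANSITIONS = {
    "t0": ((0, 0, 0, 0, 0), (1, 0, 0, 0, 0)),  # spawn a process into p1
    "t1": ((1, 1, 1, 0, 0), (0, 1, 0, 1, 0)),  # enter cs1: take lock p3, p2 only read
    "t2": ((1, 1, 1, 0, 0), (0, 0, 1, 0, 1)),  # enter cs2: take lock p2, p3 only read
    "t3": ((0, 0, 0, 1, 0), (1, 0, 1, 0, 0)),  # leave cs1, give back p3
    "t4": ((0, 0, 0, 0, 1), (1, 1, 0, 0, 0)),  # leave cs2, give back p2
}

def leq(x, y):
    """The wqo of the WSTS: componentwise <= on N^k."""
    return all(a <= b for a, b in zip(x, y))

def minimal(markings):
    """min(M): an effective representation of the upward-closed set ↑M."""
    ms = set(markings)
    return frozenset(m for m in ms if not any(n != m and leq(n, m) for n in ms))

def covers(m, basis):
    """m ∈ ↑basis, decided with the decidable order (cf. Lem. 2.5)."""
    return any(leq(b, m) for b in basis)

def fire(m, t):
    """Successor of m under t, or None when t is not enabled at m."""
    consumed, produced = TRANSITIONS[t]
    if not leq(consumed, m):
        return None
    return tuple(a - c + p for a, c, p in zip(m, consumed, produced))

def minpre(basis):
    """minpre(U) with U = ↑basis, so that pre(↑U) = ↑minpre(U) (Lem. 4.4).
    For a transition (c, p) and a minimal element u, the least m with m >= c
    and m - c + p >= u is c + max(u - p, 0), componentwise."""
    cands = set()
    for consumed, produced in TRANSITIONS.values():
        for u in basis:
            cands.add(tuple(c + max(x - p, 0)
                            for c, p, x in zip(consumed, produced, u)))
    return minimal(cands)

def backward_step(not_z):
    """Minimal elements of not Z_{i+1} = not Z_i ∪ pre(not Z_i), as in Lem. 4.19."""
    return minimal(set(not_z) | minpre(not_z))

def down_closure(basis):
    """↓basis in N^5; finite because finitely many markings lie below each element."""
    out = set()
    for b in basis:
        out |= set(product(*(range(x + 1) for x in b)))
    return frozenset(out)

def abstract_dual_pre(D, P):
    """Prop. 4.8: alpha ∘ p̃re ∘ gamma(P) = D \\ ↑minpre(D \\ P) for P ∈ DCS(D)."""
    up = minpre(minimal(set(D) - set(P)))
    return frozenset(c for c in D if not covers(c, up))

def backward_safe(bad_basis, initial):
    """Plain backward coverability in the style of [ACJT96]: iterate the backward
    step up to its fixpoint pre*(bad) (it stabilises since (N^5, <=) is a wqo)
    and report whether the initial marking lies outside it."""
    cur = minimal(bad_basis)
    while True:
        nxt = backward_step(cur)
        if nxt == cur:
            return not covers(initial, cur)
        cur = nxt

# Constructed from Sect. 4.4: bad = ↑BAD and the initial marking of Fig. 4.2.
BAD = frozenset({(0, 0, 0, 1, 1), (0, 0, 0, 0, 2), (0, 0, 0, 2, 0)})
INITIAL = (0, 1, 1, 0, 0)

if __name__ == "__main__":
    not_z1 = backward_step(BAD)
    print("new minimal elements of not Z1:", sorted(not_z1 - BAD))
    print("new minimal elements of not Z2:", sorted(backward_step(not_z1) - not_z1))
    print("protocol safe:", backward_safe(BAD, INITIAL))
```

The two printed sets are exactly the markings added to D1 and D2 above, and the last line confirms the positive instance by plain backward search rather than through Alg. 1.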


Chapter 5

Locality-Based Abstractions for Finite State Concurrent Systems

We now present locality-based abstractions, in which a set of states of a distributed system is abstracted to the collection of views that some observers have of the states. Special cases of locality-abstractions have been used in different contexts (planning, analysis of concurrent programs, concurrency theory). In this chapter we give a general definition in the Galois connection framework, show that arbitrary locality-based abstractions are hard to compute in general, and provide a solution to this problem. We then evaluate it in several case studies.

5.1 Introduction

Consider a system acting on a set X of program variables over some value set V. An abstraction of the system states, in the abstract-interpretation sense [CC77], deliberately loses information about the values of the variables. Many abstractions can be intuitively visualized by imagining an observer who has access to the program code but is only allowed to retain limited knowledge about the values of the variables. For instance, the observer may only be allowed to retain the sign of a variable, its value modulo a number, or whether one value is larger than another one. In this chapter we consider locality-based abstractions, which are best visualized by imagining a set of observers, each of which has a partial view of the system. Each observer has access to all the information 'within his window', but no information outside of it. For instance, in a system with three variables there could be three observers, each of them with perfect information about two of the variables, but no knowledge about the third one. Given the set {〈1, 1, 0〉, 〈1, 0, 1〉, 〈0, 1, 1〉} of valuations of the variables, the observer with access to, say, the first two variables 'sees' {〈1, 1, u〉, 〈1, 0, u〉, 〈0, 1, u〉}, where u stands for absence of information. Notice that information is lost: even if the three observers exchange their information, they cannot conclude that 〈1, 1, 1〉 does not belong to the set of valuations.

The idea of local observers is particularly appropriate for distributed systems, in which the value of a variable corresponds to the local state of a component of the system. In this case, a partial view corresponds to having no information from a number of components of the system. This is also the reason for the term "locality-based" abstraction.

Related works. Locality-based abstractions have been used before in the literature, but to the best of our knowledge not with the generality presented here. A particular case of locality-based abstractions are the Cartesian abstractions of [MJ81] (see also [BPR01]), in which a set of tuples is approximated by the smallest Cartesian product containing this set. It corresponds to the case in which we have an observer for each variable (i.e., the observer can only see this variable, and nothing else). Another particular case that has been independently rediscovered several times is the pairs abstraction, in which we have an observer for each (unordered) pair of variables. In [NA98, NAC99b, NAC99a], this abstraction is used to over-approximate the pairs {l, l′} of program points of a concurrent program such that during execution the control can simultaneously be at l, l′. In [Kov92], it is used to over-approximate the pairs of places of a Petri net that can be simultaneously marked, and the abstraction is proved to be exact for the subclass of T-nets, also called marked graphs. In Graphplan, an approach to the solution of propositional planning problems [BF97, BF95], it is used to over-approximate the set of states reachable after at most n steps.

The chapter is organized as follows. The problem we want to solve is defined in Sect. 5.2. The locality-based abstractions which are used to solve the problem are defined in Sect. 5.3. Since we use symbolic methods, in Sect. 5.4, we introduce a symbolic representation and study the problem of computing the best abstract counterpart of post in Sect. 5.5. We observe that, in general, evaluating λX. α ◦ post ◦ γ(X) involves solving an NP-complete problem, and present, in Sect. 5.6, a solution to this problem and to the one for λX. α ◦ pre ◦ γ(X). The solution works for a restricted class of systems. Finally, we report in Sect. 5.7 on the experimental evaluation of a prototype.

5.2 System and Problem Definition

Definition 5.1 (System model) Fix a finite set V of values (in our examples we use V = {0, 1}). A state is a function s : X → V, where X = {x1, …, xn} is a set of state variables. We also represent a state s by the tuple (s[1], …, s[n]), where s[i] is an abbreviation for s(xi). The set of all states over the set X of variables is denoted by S = V^n.


Let X′ be a disjoint copy of X. A transition t is a subset of S × S, which we represent as a predicate t(X, X′), i.e., (s, s′) ∈ t if and only if t(s, s′) is true.

A system is a triple (X, T, I) where X is a finite set of variables, T is a finite set of transitions, and I ⊆ S is a set of initial states. We define the transition relation R ⊆ S × S as the union of all the transitions of T. Hence the underlying TS is given by the triple (S, R, I). □

Below we define the problem we want to solve on those systems.

The reachability problem
Instance: A system (X, T, I) and bad ⊆ S
Question: Does post∗(c0) ∩ bad = ∅ hold?

We shall later see that the above problem can be reduced to an equivalent coverability problem as defined in the previous chapter. To this end, we first introduce a partial order on states.

Partial states. Let V⁺ = V ∪ {u} where u, disjoint from V, is the undefined value. It is convenient to define a partial order ⊑ on V⁺, given by

$v \sqsubseteq v' \overset{\text{def}}{\iff} (v' = u \vee v = v').$

A partial state is a function p : X → V⁺. The set of all partial states is denoted by P. The support of a partial state p is the set of indices i ∈ {1, …, n} such that p[i] ≠ u. We extend the partial order ⊑ to partial states:

$p \sqsubseteq p' \overset{\text{def}}{\iff} (\forall x \in X : p(x) \sqsubseteq p'(x)).$

Finally, we use the following abbreviation: p ⊑ S stands for ∃s ∈ S : p ⊑ s.

The following proposition characterizes, given a system (X, T, I), the underlying TS as a WSTS.

Proposition 5.1 Given a system (X, T, I), ((P, ⊑), R, I) is a WSTS.

Proof. According to the definition of WSTS given p. 19, we first show that the pair (P, ⊑) defines a wqo-set. It is routine to check that ⊑ is a partial order (i.e. a reflexive, transitive and antisymmetric relation); then, since P is a finite set, we find that (P, ⊑) is a wqo. Then the strong compatibility of WSTS trivially holds since the transition relation is defined on S. Indeed given s ∈ S the set {s′ | s′ ⊒ s} is a singleton given by {s}, so the monotonicity property trivially holds. □

The definition of ⊑ shows that if bad ∈ ℘(S) then bad ∈ UCS(P). We conclude from the above and Prop. 5.1 that given (X, T, I) and bad the reachability problem defined on the underlying TS (S, R, I) is equivalent to the coverability problem defined on the underlying WSTS ((P, ⊑), R, I).

It follows that, at this very early point, we already have a solution to the reachability problem which is given in the previous chapter. It consists of Alg. 1 instantiated for the class of WSTS and which uses the family of abstract domains given in def. 4.3. This is the solution we adopt in this chapter.

However, in the previous chapter, our motivation to define an algorithm solving the coverability problem for the whole class of WSTS was driven by decidability concerns. Here, since both the underlying TS and WSTS of a system (X, T, I) are finite state systems, decidability trivially holds and we cannot have the same motivation. The motivation here is rather driven by complexity concerns. So our objective is to define an efficient algorithm to solve the reachability problem for this restricted class of systems.

In the next section, we intuitively explain the meaning of the abstraction mechanism for this subclass of WSTS. As we will see, the abstraction makes sense in the context of concurrent systems. As a matter of fact, the analysis of concurrent systems suffers, as many other systems, from the so-called state explosion problem, that is, the state space grows exponentially as the number of components in the system increases. More precisely, consider a concurrent system made up of n components, each of which is a two-state system. The state space of the concurrent system has size 2^n, where each state defines the state of each of its components.

The abstraction technique proposed in this chapter palliates the state explosion problem using the following idea. Given a state of the concurrent system, we abstract away the local state of some components. This tends to keep less information and, as we will see, mitigates the state explosion problem. Indeed the less information we keep, the less memory we need to store it.

5.3 Locality-based Abstractions

Given a system (X, T, I), a partial state p is reachable from I if some state s ⊒ p is reachable from I. Observe that, with this definition, p is reachable if and only if all partial states in the downward closure ↓p are reachable. So the pieces of information we have about the reachability of partial states can be identified with ⊑-dc-sets of P.

Assume now that the only ⊑-dc-sets we have access to are those included in some D ⊆ P, called as in the previous chapter the set of observations.¹ If a state s is reachable, then all the elements of ↓s ∩ D are reachable by definition. However, the contrary does not necessarily hold, since we may have s ∉ D. In our abstractions we over-approximate the reachability relation by declaring s reachable if all the elements of ↓s ∩ D are reachable, i.e., if all the information we have access to is compatible with s being reachable.

¹ Since P is finite, the finiteness requirement on D trivially holds.

Intuitively, we can look at D as the union of sets D1, …, Dk, where all the partial states in Di have the same support, i.e., a partial state p ∈ Di satisfies p[i] = u only if all partial states p′ ∈ Di satisfy p′[i] = u. The sets Di correspond to the pieces of information that the different observers have access to. Notice that we can have a set of possible observations Di like, say Di = {〈0, 0, u〉, 〈1, 0, u〉} in which the observer is only allowed to see some local states of the first two components, but not others, like 〈1, 1, u〉.

From Sect. 4.3.2, we find that the concrete lattice is PL(P) and the abstract lattice of a locality-based abstraction is DPL(D). Following the previous chapter, the concretization and abstraction mappings are defined as follows:

α(S) = ↓S ∩ D   for each S ∈ PL(P)
γ(P) = {s ∈ P | ↓s ∩ D ⊆ P}   for each P ∈ DCS(D).

Moreover, for each D ⊆ P, the pair (α, γ) is a Galois insertion between PL(P) and DPL(D).

Example 5.1 Consider the set of values V and the state variables X defined by V = {0, 1} and X = {x1, x2, x3}, respectively. The observations, consisting of pairs over X, are given by

D2 = {(n, m, u), (n, u, m), (u, n, m) | n, m ∈ {0, 1}}.

For the set S = {〈1, 1, 0〉, 〈1, 0, 0〉, 〈0, 1, 0〉} we get

α(S) = {〈1, 1, u〉, 〈1, 0, u〉, 〈0, 1, u〉, 〈1, u, 0〉, 〈0, u, 0〉, 〈u, 1, 0〉, 〈u, 0, 0〉}

and γ ◦ α(S) = S, i.e., in this case no information is lost.

Consider now the observations

D1 = {(n, u, u), (u, n, u), (u, u, n) | n ∈ {0, 1}}.

In this case we get

γ ◦ α(S) = γ({〈1, u, u〉, 〈0, u, u〉, 〈u, 1, u〉, 〈u, 0, u〉, 〈u, u, 0〉}) = {0, 1} × {0, 1} × {0}

and in general γ ◦ α(S) is the smallest Cartesian product of subsets of V containing S, matching the Cartesian abstractions of [MJ81, BPR01].²

Observe that, for $D = \mathcal{P}$, we obtain

$$\alpha(S) = {\downarrow}S \quad \text{for any } S \in PL(\mathcal{S})$$

$$\gamma(P) = P \cap \mathcal{S} \quad \text{for any } P \in DPL(D),$$

and so $\gamma \circ \alpha(S) = S$, i.e., no information is lost.

² Actually, the functions $\alpha$ and $\gamma$ of [MJ81, BPR01] are slightly different from ours, but their composition is the same.
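The three computations of Example 5.1, carried out on the definitions of $\alpha$ and $\gamma$ above, as an added example (not code from the thesis). It encodes $\mathsf{u}$ as `None`, reads $\gamma \circ \alpha(S)$ off on the full states as the example does, and also checks the cartesian-product claim for $D_1$ against the smallest box containing $S$.

```python
"""Locality-based abstraction of Sect. 5.3 on the data of Example 5.1.
Added example, not code from the thesis.  A partial state is a tuple over
V ∪ {u}; u is encoded as None and lies below every value in the order ⪯."""
from itertools import product

V = (0, 1)
N = 3                                   # X = {x1, x2, x3}
U = None                                # the undefined value u
PARTIAL = set(product(V + (U,), repeat=N))   # the set 𝒫 of partial states
STATES = set(product(V, repeat=N))           # the set 𝒮 of states


def below(p, q):
    """p ⪯ q: wherever p is defined, q carries the same value."""
    return all(a is U or a == b for a, b in zip(p, q))


def down(S):
    """↓S inside 𝒫."""
    return {p for p in PARTIAL if any(below(p, s) for s in S)}


def alpha(S, D):
    """α(S) = ↓S ∩ D: the observations compatible with some element of S."""
    return down(S) & D


def gamma(P, D):
    """γ(P) = {s ∈ 𝒫 | ↓s ∩ D ⊆ P}: everything the observations in P allow."""
    return {s for s in PARTIAL if (down({s}) & D) <= P}


def gamma_states(P, D):
    """The states among γ(P), which is what Example 5.1 reads off."""
    return gamma(P, D) & STATES


def smallest_box(S):
    """Smallest cartesian product of subsets of V containing S."""
    return set(product(*[{s[i] for s in S} for i in range(N)]))


# Observations of Example 5.1: D2 sees every pair of components, D1 every
# single component, and D = 𝒫 sees everything.
D2 = ({(n, m, U) for n in V for m in V} | {(n, U, m) for n in V for m in V}
      | {(U, n, m) for n in V for m in V})
D1 = {(n, U, U) for n in V} | {(U, n, U) for n in V} | {(U, U, n) for n in V}
S = {(1, 1, 0), (1, 0, 0), (0, 1, 0)}


def example_5_1():
    """The abstraction and the three round trips of Example 5.1."""
    return {
        "alpha_D2": alpha(S, D2),
        "roundtrip_D2": gamma_states(alpha(S, D2), D2),      # no loss
        "roundtrip_D1": gamma_states(alpha(S, D1), D1),      # cartesian box
        "box": smallest_box(S),
        "roundtrip_full": gamma_states(alpha(S, PARTIAL), PARTIAL),
        "roundtrip_full_partial": gamma(alpha(S, PARTIAL), PARTIAL),
        "down_S": down(S),
    }
```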


5.4 An Introduction to MDDs

When solving the fixpoint checking problem for finite state systems, one has to evaluate functions which require manipulating sets of states. Due to the state explosion problem these sets may be very large. Thus symbolic representations have been introduced to represent compactly and manipulate efficiently large sets of states. Such symbolic representations have been applied very successfully in verification as shown, for instance, in [BCM+90]. In this chapter we will use a symbolic data structure called Multi-valued Decision Diagrams (or MDD for short) to represent and manipulate sets of (partial) states. Here follows an introduction to MDDs. For more details, we refer the interested reader to [KVBSV98].

MDDs generalize the Binary Decision Diagrams (or BDD for short) defined in [Bry86]. The mathematical foundation of MDDs is based on multi-valued functions. We restrict ourselves to multi-valued functions with a boolean output. Those are defined as follows.

Definition 5.2 (Multi-valued Functions) Let $f$ be a function of $n$ variables $X = \{x_1, \dots, x_n\}$ to $\{0, 1\}$,

$$f \in P^n \mapsto \{0, 1\}$$

where $P = \{p_0, p_1, \dots, p_{k-1}\}$ are the $k$ values that a variable $x \in X$ may assume. $\square$

For the sake of brevity we assume that the domain $P$ of $f$ is the finite set of the first natural integers $\{0, \dots, k-1\}$. To define the MDDs we need the notions defined below. The term $x^p$ represents a literal of variable $x$ for $p \in P$, that is the boolean function

$$x^p = \begin{cases} 1 & \text{if } x = p \\ 0 & \text{otherwise.} \end{cases}$$

The cofactor of $f$ with respect to a variable $x_i \in X$ is the function resulting when $x_i$ is assigned the constant value $b \in P$ and is denoted $f_{x_i^b}$:

$$f_{x_i^b}(x_1, \dots, x_n) = f(x_1, \dots, x_{i-1}, b, x_{i+1}, \dots, x_n).$$

We are now able to state the Boole-Shannon expansion of a multi-valued function with respect to a variable $x \in X$ as follows:

$$f = \sum_{j=0}^{k-1} x^j \cdot f_{x^j}$$

Intuitively the literal $x^j$ masks all but one cofactor, namely $f_{x^j}$.

Let us now turn to the data structure used for MDDs: the canonical function graphs.


Definition 5.3 (Function Graph) A function graph over a set $X$ of variables is a rooted, directed acyclic graph with a node set $\mathcal{V}$ containing two types of vertices. A nonterminal node $v$ has two attributes: the variable it refers to, given by $var(v) \in X$, and its children, given by $child_k(v) \in \mathcal{V}$ where $k \in P$. A terminal node $v$ has a unique attribute: $value(v) \in \{0, 1\}$. Moreover a function graph is said to be ordered if on all paths through the graph the variables respect a given linear order on $X$. Finally an ordered function graph is said to be reduced if (1) it contains no node $v$ such that for all $child_j(v), child_k(v)$ with $j \neq k$ we have $child_j(v) = child_k(v)$ and (2) there are no two distinct nodes $v, v'$ such that the subgraphs rooted at $v$ and $v'$ are isomorphic. In particular, if a function graph is reduced there is a single terminal node labelled 1 (the accepting node) and a single node labelled 0 (the rejecting node). $\square$

We define the multi-valued function associated to a function graph using the Boole-Shannon expansion.

Definition 5.4 (Multi-valued function of a function graph) Given a function graph with a node set $\mathcal{V}$, and a node $v \in \mathcal{V}$, the multi-valued function $f_v$ associated to $v$ is recursively given by:

• if $v$ is a terminal node then $f_v = value(v)$,

• if $v$ is a non-terminal node with $var(v) = x_i$ then $f_v$ is the function the Boole-Shannon expansion of which is given by

$$f_v = \sum_{j=0}^{k-1} x_i^j \cdot f_{child_j(v)}.$$

Theorem 5.1 (From [SKMB90]) Given a multi-valued function $f$ and a linear order on its variables, there is a unique reduced function graph denoting $f$. Every other function graph denoting $f$ contains more nodes.

We define an MDD to be a reduced function graph. Because their codomain is $\{0, 1\}$, multi-valued functions can be seen as predicates, which in turn can be seen as sets of tuples. In the rest of the chapter we assume that sets of (partial) states are symbolically represented as MDDs (we refer the reader to [KVBSV98] for further details) over the set of variables $X$ equipped with a linear order. The cardinality of $X$ will be denoted $|X|$. Given a set $P$ of partial states we denote the MDD representing $P$ by $P^{\mathcal{M}}$ and the size of $P^{\mathcal{M}}$ by $|P^{\mathcal{M}}|$, where the size of an MDD is given by the number of its nodes plus the number of its edges.

Our solution to the fixpoint checking problem requires defining operations on MDDs corresponding to the boolean manipulations of the predicates representing sets of (partial) states. In Table 5.1 the reader can find the time complexity of the boolean manipulations needed in the exposé.


Table 5.1: Time complexity of some MDD manipulations, where $F$ and $G$ denote multi-valued functions.

Operation              Complexity
OR(F, G)               $O(k \cdot |F^{\mathcal{M}}| \cdot |G^{\mathcal{M}}|)$
AND(F, G)              $O(k \cdot |F^{\mathcal{M}}| \cdot |G^{\mathcal{M}}|)$
NEG(F)                 $O(1)$
$\exists x \in X : F$  $O(|F^{\mathcal{M}}|^k)$

5.5 Complexity of the Abstract Interpretation

As mentioned earlier, abstract interpretation is sometimes used because computations in the concrete lattice are too costly. In this chapter we follow this idea, and so we study the complexity related to the computation of $\lambda X.\, \alpha \circ \mathrm{post}[R] \circ \gamma(X)$, which is involved in the fixpoint computation of line 3 of Alg. 1 as shown in Lem. 4.14.

We first define the size of a system. We assume that each transition $t$ of a system $Sys = (X, T, I)$ is symbolically represented as an MDD $t^{\mathcal{M}}$ over variables $X, X'$ with a fixed variable order whose projection onto $X$ coincides with the fixed order on $X$. The size of $Sys$ is defined as

$$\sum_{t \in T} |t^{\mathcal{M}}| + |X|$$

and denoted by $|Sys|$.

We consider the following decision problem.

Definition 5.5 (The problem $\mathrm{POST}^\#$)
Instance: A system $(X, T, I)$, an element $p \in D$ and two MDDs $D^{\mathcal{M}}, P^{\mathcal{M}}$, where $D$ is a non-empty subset of $\mathcal{P}$ and $P \in DCS(D)$.
Question: $p \in \alpha \circ \mathrm{post}[R] \circ \gamma(P)$? $\square$

If a class $\mathcal{C}$ of systems is said to be polynomial (we will give the definition later on) then the restriction $\mathrm{POST}^\#_{\mathcal{C}}$ of $\mathrm{POST}^\#$ to instances in which the system $Sys$ belongs to $\mathcal{C}$ can be solved in polynomial time in the size of the system. Unfortunately, as we are going to show, unless P=NP holds, even very simple classes of systems are not polynomial. This contrasts with the concrete counterpart of the problem, which is defined as follows.

Definition 5.6 (The problem $\mathrm{POST}$)
Instance: A system $(X, T, I)$, a state $s \in \mathcal{S}$ and an MDD $S^{\mathcal{M}}$.
Question: $s \in \mathrm{post}[R](S)$? $\square$

Below, we characterize the complexity of POST.

Lemma 5.1 The problem POST is solvable in polynomial time.

Proof. In time polynomial in $|S^{\mathcal{M}}|$ and $|t^{\mathcal{M}}|$ we compute the MDD $A(X, X')$ given by $\mathrm{AND}(S(X), t(X, X'))$. We then check for the emptiness of $\mathrm{AND}(A(X, X'), s(X'))$, where $s(X')$ is built in time linear in $|X|$. We conclude from non-emptiness that $s \in \mathrm{post}[t](S)$, hence that $s \in \mathrm{post}[R](S)$. Otherwise we apply the above reasoning on each transition $t$ as long as emptiness holds. Emptiness holds for each transition $t \in T$ if and only if $s \notin \mathrm{post}[R](S)$. The problem $\mathrm{POST}$ is solvable in polynomial time since for each transition $t \in T$ the problem $s \notin \mathrm{post}[t](S)$ is solvable in time polynomial in $|S^{\mathcal{M}}|$, $|t^{\mathcal{M}}|$ and $|X|$. Moreover the size of the system gives an upper bound on the number of transitions $|T|$. $\square$

Now let us go back to the complexity of $\mathrm{POST}^\#$. We first need a time complexity bound for one operation on MDDs.

Proposition 5.2 Let $p \in \mathcal{P}$ and $S^{\mathcal{M}}$ be an MDD for $S \subseteq \mathcal{P}$. We can decide in $O(|X| + |S^{\mathcal{M}}|)$ time if $p \succeq S$, i.e., whether there is some $s \in S$ with $p \succeq s$.

Proof. We use a simple marking algorithm. Initially we mark the root node of $S^{\mathcal{M}}$. If a node $m$ such that $var(m) = x_i$ is marked, we mark each node $n$ such that $child_k(m) = n$ where $k \in V^+$ and $p(x_i) \succeq k$. Such an $s$ exists if and only if at the end of the algorithm the accepting node is marked. The algorithm marks the nodes according to a bottom-up traversal of the function graph. The traversal is linear in the size of $S^{\mathcal{M}}$. $\square$
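The reduced ordered function graph of Defs. 5.3 and 5.4 and the marking procedure of Prop. 5.2, as an added example that is not code from the thesis. It hash-conses nodes through a unique table so that both reduction rules of Def. 5.3 hold, represents $\mathsf{u}$ as `None`, and runs the check of Prop. 5.2 on $\alpha(S)$ from Example 5.1.

```python
"""Reduced ordered function graphs (MDDs, Defs. 5.3 and 5.4) built by
Boole-Shannon decomposition with a unique table, plus the marking procedure
of Prop. 5.2.  Added example, not the thesis's own code; the undefined
value u of a partial state is encoded as None."""
from itertools import product


class MDD:
    """Ordered, reduced function graph over x1 < ... < xn.  Every variable
    ranges over VALUES; children are indexed by position in VALUES.
    Node ids 0 and 1 are the rejecting and the accepting terminal."""

    def __init__(self, values):
        self.values = tuple(values)
        self.var = {}       # nonterminal id -> index of its variable
        self.child = {}     # nonterminal id -> tuple of child ids
        self.unique = {}    # (var index, children) -> id: one node per key

    def _node(self, i, children):
        # Rule (1) of Def. 5.3: a node whose children all coincide is dropped.
        if all(c == children[0] for c in children):
            return children[0]
        # Rule (2): isomorphic subgraphs share one node via the unique table.
        key = (i, children)
        if key not in self.unique:
            nid = 2 + len(self.var)
            self.unique[key] = nid
            self.var[nid] = i
            self.child[nid] = children
        return self.unique[key]

    def build(self, tuples, n):
        """Root of the graph denoting the set `tuples` of length-n tuples."""
        memo = {}

        def mk(i, suffixes):
            if i == n:                 # terminal: is the empty suffix present?
                return 1 if suffixes else 0
            key = (i, suffixes)
            if key not in memo:
                children = tuple(
                    mk(i + 1, frozenset(s[1:] for s in suffixes if s[0] == v))
                    for v in self.values)
                memo[key] = self._node(i, children)
            return memo[key]

        return mk(0, frozenset(tuples))

    def size(self):
        """|P^M| for a one-set instance: nodes plus edges."""
        return 2 + len(self.var) + sum(len(c) for c in self.child.values())

    def contains(self, root, t):
        """Evaluate the multi-valued function of Def. 5.4 on the tuple t."""
        node = root
        while node > 1:
            node = self.child[node][self.values.index(t[self.var[node]])]
        return node == 1

    def some_element_below(self, root, p):
        """Prop. 5.2: is there an s in the set with p ⪰ s, i.e. s agreeing
        with p wherever s is defined?  Mark the root; from each marked node
        for x_i follow only the edges labelled u or p[i]; answer whether the
        accepting terminal got marked.  Each node is handled once."""
        marked = {root}
        work = [root]
        while work:
            m = work.pop()
            if m <= 1:
                continue
            i = self.var[m]
            for v, n in zip(self.values, self.child[m]):
                if (v is None or v == p[i]) and n not in marked:
                    marked.add(n)
                    work.append(n)
        return 1 in marked


def demo():
    """α(S) of Example 5.1 as an MDD over V+ = {0, 1, u}, plus a set whose
    graph collapses to a single x3 node by reduction rule (1)."""
    obs = {(1, 1, None), (1, 0, None), (0, 1, None), (1, None, 0),
           (0, None, 0), (None, 1, 0), (None, 0, 0)}
    m = MDD([0, 1, None])
    root = m.build(obs, 3)
    box = MDD([0, 1, None])
    r2 = box.build({(a, b, 0) for a in (0, 1, None) for b in (0, 1, None)}, 3)
    return {
        "exact": all(m.contains(root, t) == (t in obs)
                     for t in product((0, 1, None), repeat=3)),
        "below_110": m.some_element_below(root, (1, 1, 0)),   # ⟨1,1,u⟩ fits
        "below_001": m.some_element_below(root, (0, 0, 1)),   # nothing fits
        "box_nonterminals": len(box.var),
        "box_root_var": box.var[r2],
    }
```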

The following proposition is proved by means of a simple reduction from the 3-colorability problem on graphs.

Proposition 5.3 The following problem is NP-complete:
Instance: a set $X$ of variables, and two MDDs $D^{\mathcal{M}}, P^{\mathcal{M}}$, where $D$ is a non-empty subset of $\mathcal{P}$ on $X$ and $P \in DCS(D)$.
Question: $\gamma(P) \cap \mathcal{S} \neq \emptyset$?
In particular, if P$\neq$NP then there is no polynomial time algorithm to compute $\gamma(P)^{\mathcal{M}}$.

Proof.

Easiness. Our nondeterministic algorithm first guesses a state $p \in \mathcal{S}$, which is given by $V^{|X|}$. Thus the amount of nondeterminism needed is polynomial in the size of $X$. Then, according to Prop. 4.3, which says that for each $P \in DCS(D)$ we have $\gamma(P) = P \setminus {\uparrow}(D \setminus P)$, the algorithm checks if $\{p\} \succeq (D \setminus P)$. By Prop. 5.2, this latter operation is done in time $O(|X| + |(D \setminus P)^{\mathcal{M}}|)$. Moreover, by Table 5.1 we know that $(D \setminus P)^{\mathcal{M}}$ can be computed in time $O(|D^{\mathcal{M}}| \cdot |P^{\mathcal{M}}|)$ since $D \setminus P = D \cap (\neg P)$.

Hardness. Our proof uses a polynomial time many-one reduction from the 3-colorability problem of a graph $G$. This problem is known to be NP-complete (see [GJS76]) and is stated as follows: Given a graph $G = (\mathcal{V}, \mathcal{E})$ where $\mathcal{V}$ is a finite set of vertices and $\mathcal{E}$ is the set of edges, the 3-colorability of $G$ amounts to deciding if there is a color assignment (there are three colors) to each vertex such that no edge has its vertices assigned the same color. Hereafter two vertices $v_1, v_2$ are said to be adjacent whenever $(v_1, v_2) \in \mathcal{E}$. The size of $G$, denoted $|G|$, is given by $|\mathcal{V}| + |\mathcal{E}|$.

Given an instance $G = (\mathcal{V}, \mathcal{E})$ of the 3-colorability problem, we fix an arbitrary ordering on the variables of $X = \mathcal{V}$. The value set is defined to be $\{black, yellow, red\}$.

We then compute $D^{\mathcal{M}}$ where the observations of $D$ intuitively represent every coloring for every pair of adjacent vertices. For each edge $e = (v_1, v_2)$ we build an MDD $d_e^{\mathcal{M}}$ with the set $d_e$ characterized by the following predicate:

$$d_e(\mathcal{V}) \equiv \bigwedge_{v \in \mathcal{V},\; v \neq v_1, v_2} (v = \mathsf{u}).$$

$d_e^{\mathcal{M}}$ can be computed in time $O(|\mathcal{V}|)$ and consists in a unique accepting path. The set $D$ of observations is given by $\bigcup_{e \in \mathcal{E}} d_e$ and, since $|d_e| \in O(1)$, we find that $|D| \in O(|\mathcal{E}|)$.

Moreover, since $D^{\mathcal{M}}$ cannot have more accepting paths than $|D|$ and each non-terminal node belongs to at least one accepting path (otherwise the MDD is not reduced), we find that $D^{\mathcal{M}}$ can be computed in a time polynomial in $|G|$.

We next build $P^{\mathcal{M}}$ where $P$ intuitively represents the fact that only different colors are allowed for adjacent vertices. Notice that $P \subseteq D$. Hence for each edge $e = (v_1, v_2)$ we build an MDD $p_e^{\mathcal{M}}$ such that $p_e(\mathcal{V}) \equiv d_e(\mathcal{V}) \wedge (v_1 \neq v_2)$, so $|p_e| \in O(1)$. We can build $p_e^{\mathcal{M}}$ in time $O(|d_e^{\mathcal{M}}|)$ since $(v_1 \neq v_2)^{\mathcal{M}}$ is of constant size. Applying the same reasoning as for $D^{\mathcal{M}}$, we conclude that $P^{\mathcal{M}}$, where $P = \bigcup_{e \in \mathcal{E}} p_e$, can be computed in a time polynomial in $|G|$.

We claim that $\gamma(P) \cap \mathcal{S} \neq \emptyset$ iff $G$ is 3-colorable.

If $\gamma(P) \cap \mathcal{S} \neq \emptyset$ then $\exists p \in \mathcal{S} : {\downarrow}p \cap D \subseteq P$, which means, by construction of $D$ and $P$, that for each pair of adjacent vertices $(v_1, v_2)$ (expressed by $D$) we find that $p(v_1) \neq p(v_2)$ (expressed by $P$). Hence we conclude that $G$ is 3-colorable.

For the other direction suppose $G$ is 3-colorable. Let $f \in \mathcal{V} \mapsto \{black, red, yellow\}$ be an assignment of colors to the vertices that demonstrates this fact. Since $X = \mathcal{V}$, $f$ is also a state, i.e. $f \in \mathcal{S}$. Now, assume that $f \notin \gamma(P)$, i.e. ${\downarrow}f \cap D \not\subseteq P$. This means that there exists $f'$ with $f \succeq f'$ such that $f' \in D$ and $f' \notin P$. By construction of $D$, there exists a pair $(v_1, v_2)$ such that $\forall v \in X \setminus \{v_1, v_2\} : f'(v) = \mathsf{u}$. By hypothesis, $f' \notin P$ iff $f'(v_1) = f'(v_2)$. Consider $f'(v_1) = f'(v_2) = \mathsf{u}$. In this case $f' = \mathsf{u}^{|X|}$, and $f' \in P$ since $P \in DCS(D)$. So the remaining case is $f'(v_1) = f'(v_2) \neq \mathsf{u}$. We conclude from $f \succeq f'$ that $f(v_1) = f(v_2) \neq \mathsf{u}$, and hence that $f$ is not a valid color assignment, a contradiction. $\square$

We are now able to present the main result of this section. Fix $V = \{0, 1\}$ and let $\{Sys_n\}_{n \in \mathbb{N}}$ be the family of systems given by $Sys_n = (X_n, \{t_n\})$, $X_n = \{x_1, \dots, x_n\}$ and $t_n = \mathcal{S} \times \mathcal{S}$. Intuitively $Sys_n$ is a system with $n$ state variables and a unique transition $t_n$ such that for any pair of states $s, s'$ we find that $(s, s') \in t_n$.

Proposition 5.4 If the class C = {Sysn}n∈N of systems is polynomial, then P=NP.


Proof. We reduce the problem of Prop. 5.3 to $\mathrm{POST}^\#_{\mathcal{C}}$. This shows that $\mathrm{POST}^\#_{\mathcal{C}}$ is NP-complete and so if $\mathcal{C}$ is polynomial, then P=NP.

Given an instance $X, D^{\mathcal{M}}, P^{\mathcal{M}}$ of the problem of Prop. 5.3, we build in polynomial time a partial state $p$ of $D$ (follow any path from the accepting node to the root node of $D^{\mathcal{M}}$; there exists at least one such path whenever $D \neq \emptyset$) and the MDD $t_{|X|}^{\mathcal{M}}$ such that $t_{|X|} = \mathcal{S} \times \mathcal{S}$. So we have $\gamma(P) \cap \mathcal{S} \neq \emptyset$ iff $p \in \alpha \circ \mathrm{post}[t_{|X|}] \circ \gamma(P)$. $\square$

In Lem. 5.1 we have proved that the problem $\mathrm{POST}$ is solvable in polynomial time for every system. By Prop. 5.4, unless P=NP, the problem $\mathrm{POST}^\#$ (namely the abstract counterpart of $\mathrm{POST}$) is not solvable in polynomial time even for a trivial class of systems. This clearly contrasts with our motivation, which was to define an abstract interpretation of our systems that can be computed efficiently. In what follows, we first slightly modify the semantics of our systems and then identify a relevant class of systems for which the abstract counterpart of $\mathrm{POST}$ is solvable in polynomial time.

5.6 Efficient Abstract Fixpoint Checking

In this section we show that, if we lift the transition relation to partial states, then an interesting class of systems becomes polynomial. From now on, we assume the following ordering on $X = \{x_1, \dots, x_n\}$ and its disjoint copy $X'$: $x_1 < x'_1 < \dots < x_n < x'_n$.

5.6.1 Extending the Semantics to Partial States

We define the notion of kernel of a transition. Intuitively, the kernel of a transition isthe set of variables that are “involved” in it.

Definition 5.7 (kernel, kernel variables/width) Let $t(X, X')$ be a transition and let $Y \subseteq X$ be the smallest subset of $X$ such that

$$t(X, X') \equiv \overline{t}(Y, Y') \wedge \bigwedge_{x \in X \setminus Y} (x = x')$$

for some relation $\overline{t}$. We call $\overline{t}$ the kernel of $t$, $Y$ the kernel variables and $|Y|$ the kernel width. Given a partial state $p \in \mathcal{P}$, we denote by $\overline{p}$ the partial state given by

$$\overline{p}[i] = \begin{cases} p[i] & \text{if } x_i \text{ belongs to the kernel variables of } t, \\ \mathsf{u} & \text{otherwise,} \end{cases}$$

and $\underline{p}$ the partial state given by

$$\underline{p}[i] = \begin{cases} p[i] & \text{if } x_i \text{ does not belong to the kernel variables of } t, \\ \mathsf{u} & \text{otherwise.} \end{cases}$$

We identify a partial state $p$ and the pair $(\overline{p}, \underline{p})$. $\square$


The intuition conveyed by Def. 5.7 is that only the values of the components inside the kernel of $t$ (possibly equal to $X$) really matter. The value of each component outside of the kernel is left unchanged, and thus if the value of some such component is $a$ before the firing of $t$, so it is after the firing of $t$. This is given by the equality $(x = x')$.

We naturally extend each transition $t$ to a subset of $\mathcal{P} \times \mathcal{P}$ by interpreting the equality $(x = x')$ over $V^+$ instead of $V$, thus adding the case $(\mathsf{u} = \mathsf{u})$. In the sequel we consider the above interpretation, but sometimes we need to distinguish it from the interpretation on states. To this end we explicitly index the transition relation with the appropriate symbol. This gives $R_{\mathcal{S}}$ if interpreted on states and $R_{\mathcal{P}}$ if interpreted as above.

The question that naturally arises at this point is the following: does this extension of the transition relation preserve the WSTS property?

Proposition 5.5 Given a system $(X, T, I)$, $((\mathcal{P}, \succeq), R_{\mathcal{P}}, I)$ is a WSTS.

Proof. The strong compatibility, which is the only condition we need to check, is proved as follows. Let $m_1, m_2 \in \mathcal{P}$ such that $t(m_1, m_2)$ holds and consider $m_3$ such that $m_3 \succeq m_1$. We have that $\overline{m_1} = \overline{m_3}$ since for each $i$ in the kernel we have $m_1[i] \neq \mathsf{u}$ by definition of $\overline{t}$. So the only components on which $m_1$ and $m_3$ can differ are the ones outside of the kernel. So, consider $m_4$ such that $\overline{m_4} = \overline{m_2}$ and $\underline{m_4} = \underline{m_3}$. We have that $t(m_3, m_4)$ holds since $\overline{t}(\overline{m_1}, \overline{m_2})$ and $\overline{m_1} = \overline{m_3}$. Finally we have that $m_4 \succeq m_2$ since $\overline{m_4} = \overline{m_2}$ and $\underline{m_4} = \underline{m_3}$, which is such that $\underline{m_3} \succeq \underline{m_1} = \underline{m_2}$. $\square$

For a fixed abstract domain, the following proposition shows that lifting the transitions to partial states leads to increased approximation.

Proposition 5.6 Fix a system $(X, T, I)$ and a subset $D$ of $\mathcal{P}$. We have $\lambda X.\, \alpha \circ \mathrm{post}[R_{\mathcal{P}}] \circ \gamma(X) \supseteq \lambda X.\, \alpha \circ \mathrm{post}[R_{\mathcal{S}}] \circ \gamma(X)$, but the converse does not hold.

Proof. The inclusion follows from $R_{\mathcal{S}} \subseteq R_{\mathcal{P}}$ and the monotonicity of $\mathrm{post}$.

Here we provide a detailed example proving the non-inclusion of $\alpha \circ \mathrm{post}[R_{\mathcal{P}}] \circ \gamma(P)$ in $\alpha \circ \mathrm{post}[R_{\mathcal{S}}] \circ \gamma(P)$.

Fix $V = \{0, 1, 2\}$ and $Sys = (X, T, I)$ with $X = \{x_1, x_2, x_3, x_4\}$, $T = \{t_1, t_2, t_3, t_4\}$, $I = \{\langle 0, 0, 0, 0\rangle\}$, and such that:

$$t_1(X, X') \equiv \overline{t_1}(Y, Y') \wedge x_3 = x'_3, \qquad \overline{t_1} = \{(\langle 0, 0, 0\rangle, \langle 1, 1, 1\rangle)\}, \qquad Y = X \setminus \{x_3\}$$

$$t_2(X, X') \equiv \overline{t_2}(Y, Y') \wedge x_2 = x'_2, \qquad \overline{t_2} = \{(\langle 0, 0, 0\rangle, \langle 1, 1, 2\rangle)\}, \qquad Y = X \setminus \{x_2\}$$

$$t_3(X, X') \equiv \overline{t_3}(Y, Y') \wedge x_1 = x'_1 \wedge x_4 = x'_4, \qquad \overline{t_3} = \{(\langle 0, 0\rangle, \langle 1, 1\rangle)\}, \qquad Y = \{x_2, x_3\}$$

$$t_4(X, X') \equiv \overline{t_4}(Y, Y') \wedge x_4 = x'_4, \qquad \overline{t_4} = \{(\langle 1, 1, 1\rangle, \langle 2, 2, 2\rangle)\}, \qquad Y = X \setminus \{x_4\}$$


The set $D$ of observations is the set of partial states $p \in \{0, 1, 2, \mathsf{u}\}^4$ such that for exactly two distinct indices $i, j$ of $\{1, 2, 3, 4\}$: $p[i] \neq \mathsf{u}$ and $p[j] \neq \mathsf{u}$. The set $(\alpha \circ \mathrm{post}[R_{\mathcal{P}}] \circ \gamma)(\alpha(I))$, denoted $F$, is given by

$$F = \{\langle 1, 1, \mathsf{u}, \mathsf{u}\rangle, \langle 1, \mathsf{u}, \mathsf{u}, 1\rangle, \langle \mathsf{u}, 1, \mathsf{u}, 1\rangle, \langle 1, \mathsf{u}, 0, \mathsf{u}\rangle, \langle \mathsf{u}, 1, 0, \mathsf{u}\rangle, \langle \mathsf{u}, \mathsf{u}, 0, 1\rangle,$$
$$\langle 1, \mathsf{u}, 1, \mathsf{u}\rangle, \langle 1, \mathsf{u}, \mathsf{u}, 2\rangle, \langle \mathsf{u}, \mathsf{u}, 1, 2\rangle, \langle 1, 0, \mathsf{u}, \mathsf{u}\rangle, \langle \mathsf{u}, 0, 1, \mathsf{u}\rangle, \langle \mathsf{u}, 0, \mathsf{u}, 2\rangle,$$
$$\langle \mathsf{u}, 1, 1, \mathsf{u}\rangle, \langle 0, 1, \mathsf{u}, \mathsf{u}\rangle, \langle \mathsf{u}, 1, \mathsf{u}, 0\rangle, \langle 0, \mathsf{u}, 1, \mathsf{u}\rangle, \langle \mathsf{u}, \mathsf{u}, 1, 0\rangle, \langle 0, \mathsf{u}, \mathsf{u}, 0\rangle\}.$$

It is routine to check that $(\alpha \circ \mathrm{post}[R_{\mathcal{S}}] \circ \gamma)(\alpha(I))$ and $(\alpha \circ \mathrm{post}[R_{\mathcal{P}}] \circ \gamma)(\alpha(I))$ coincide. Observe that $\langle 1, 1, 1, \mathsf{u}\rangle \in \gamma(F)$ but

$$\{\langle 1, 1, 1, 0\rangle, \langle 1, 1, 1, 1\rangle, \langle 1, 1, 1, 2\rangle\} \cap \gamma(F) = \emptyset.$$

Now, consider the second iteration. In this case we find that $\langle 2, 2, \mathsf{u}, \mathsf{u}\rangle \in \alpha \circ \mathrm{post}[R_{\mathcal{P}}] \circ \gamma(F)$ but $\langle 2, 2, \mathsf{u}, \mathsf{u}\rangle \notin \alpha \circ \mathrm{post}[R_{\mathcal{S}}] \circ \gamma(F)$, which proves our claim. $\square$
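The system of the proof above, executed for two abstract iterations under $R_{\mathcal{S}}$ and under $R_{\mathcal{P}}$, as an added example (not the thesis's own code). Transitions are given by their kernel relation and kernel indices (0-based), $\mathsf{u}$ is `None`, and the equality on non-kernel variables is evaluated over $V^+$ so that $\mathsf{u} = \mathsf{u}$ holds, which is exactly what lifts $R_{\mathcal{S}}$ to $R_{\mathcal{P}}$.

```python
"""The system of Prop. 5.6 run through α ∘ post[R] ∘ γ over states (R_S)
and over partial states (R_P).  Added example, not code from the thesis;
u is encoded as None and lies below every value in ⪯."""
from itertools import product

V = (0, 1, 2)
N = 4
U = None
PARTIAL = set(product(V + (U,), repeat=N))     # 𝒫
STATES = set(product(V, repeat=N))            # 𝒮

# (kernel variable indices, kernel relation t̄); every variable outside the
# kernel keeps its value, i.e. x = x'.
TRANSITIONS = [
    ((0, 1, 3), {((0, 0, 0), (1, 1, 1))}),   # t1, kernel X \ {x3}
    ((0, 2, 3), {((0, 0, 0), (1, 1, 2))}),   # t2, kernel X \ {x2}
    ((1, 2),    {((0, 0), (1, 1))}),         # t3, kernel {x2, x3}
    ((0, 1, 2), {((1, 1, 1), (2, 2, 2))}),   # t4, kernel X \ {x4}
]
INITIAL = {(0, 0, 0, 0)}
# Observations: partial states with exactly two defined components.
D = {p for p in PARTIAL if sum(v is not U for v in p) == 2}


def below(p, q):
    """p ⪯ q."""
    return all(a is U or a == b for a, b in zip(p, q))


def down(S):
    return {p for p in PARTIAL if any(below(p, s) for s in S)}


def alpha(S):
    """α(S) = ↓S ∩ D."""
    return down(S) & D


def gamma(P):
    """γ(P) = {s ∈ 𝒫 | ↓s ∩ D ⊆ P}."""
    return {s for s in PARTIAL if (down({s}) & D) <= P}


def fire(t, p):
    """Successor of p under t, or None if t is not enabled.  Non-kernel
    components are copied unchanged, so over 𝒫 the case u = u is allowed."""
    kernel, rel = t
    before = tuple(p[i] for i in kernel)
    for src, dst in rel:
        if src == before:
            q = list(p)
            for i, v in zip(kernel, dst):
                q[i] = v
            return tuple(q)
    return None


def post(S, on_states):
    """post[R_S](S) when on_states, else post[R_P](S)."""
    src = S & STATES if on_states else S
    return {fire(t, p) for t in TRANSITIONS for p in src} - {None}


def abstract_post(P, on_states):
    """α ∘ post[R] ∘ γ (P) for R = R_S or R = R_P."""
    return alpha(post(gamma(P), on_states))


def prop_5_6():
    """First iterate F (identical for R_S and R_P) and the second iterate,
    where ⟨2,2,u,u⟩ appears only under R_P."""
    f_s = abstract_post(alpha(INITIAL), True)
    f_p = abstract_post(alpha(INITIAL), False)
    return {"F_S": f_s, "F_P": f_p,
            "second_S": abstract_post(f_p, True),
            "second_P": abstract_post(f_p, False),
            "gamma_F": gamma(f_p)}
```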

In the rest of this section, the above negative result is mitigated by a reduced complexity cost for abstract operations when considering transitions extended to partial states.

5.6.2 Finer Characterization of the Iterated Functions

By Prop. 5.5, systems with the transition relation extended to partial states are again WSTS and so all the results from the previous chapter are applicable. As mentioned before, we are looking for efficient algorithms, and in particular efficient algorithms for the fixpoint computations of line 3 and line 7 in Alg. 1. In the previous chapter we gave effective characterizations of the iterated functions for the whole class of WSTS. The first step towards an efficient algorithm is to specialize these characterizations to our subclass of WSTS.

We first study the fixpoint of line 3 in Alg. 1. We recall the characterization from the previous chapter express­ed for our subclass of WSTS. First let $R_{\downarrow}$ denote the lossy transition relation of the system $(X, T, I)$ given by $R \circ \succeq$. In Lem. 4.14, for each abstract domain $(DPL(D), \alpha, \gamma)$ and each $Z \in \gamma(DPL(D))$, we characterized $\lambda X.\, \alpha({\downarrow}I \cup \mathrm{post}[R_{\downarrow}](\gamma(X)) \cap Z)$, the iterated function of the instantiated forward reasoning, as follows:

$$\lambda X.\, \big(\alpha(I) \cup \alpha \circ \mathrm{post}[R] \circ \gamma(X)\big) \cap \alpha(Z).$$

In what follows we concentrate on the function $\lambda X.\, \alpha \circ \mathrm{post}[R] \circ \gamma(X)$.

Proposition 5.7 gives an alternative characterization for $\alpha \circ \mathrm{post}[R] \circ \gamma$, but we first need some additional concepts.

Definition 5.8 (Transition over partial states) Given a system $(X, T, I)$ and $t \in T$, we define $t' \subseteq \mathcal{P} \times \mathcal{P}$ such that

$$t'(p_1, p_2) \Leftrightarrow \exists p \in \mathcal{P} : t_{\mathcal{P}}(p_1, p) \wedge p \succeq p_2 \wedge \underline{p_1} = \underline{p_2}.$$

By extension we define $R'$ to be $\bigcup_{t \in T} t'$. $\square$


The intuition behind this definition is as follows: if we know that $p_1$ is reachable (i.e., that some state $s \succeq p_1$ is reachable) and that $t'(p_1, p_2)$ holds, then we already have enough information to infer that $p_2$ is reachable. Let us see why. We know the values of all the variables involved in $t$ (this is $\overline{p_1}$), and we know that we can reach $(\overline{p}, \underline{p_1})$ from $(\overline{p_1}, \underline{p_1})$ (because $\overline{t}(\overline{p_1}, \overline{p})$). Now, since we can reach $(\overline{p}, \underline{p_1})$ and we know that $\overline{p} \succeq \overline{p_2}$ and $\underline{p_1} = \underline{p_2}$, we can infer that $p_2$ is also reachable.

Example 5.2 Fix $V = \{0, 1, 2\}$, $X = \{x_1, x_2, x_3, x_4\}$, and $t$ such that:

$$t(X, X') \equiv x_2 = x_3 = 0 \wedge x'_2 = x'_3 = 1 \wedge x_1 = x'_1 \wedge x_4 = x'_4 \wedge x_1, x_4 \in V.$$

To fire $t$, the value of variables $x_2$ and $x_3$ has to equal 0; after firing $t$ the value of $x_2$ and $x_3$ changes to 1; the other variables are left unchanged by $t$. Variables $x_2$ and $x_3$ form the kernel of $t$. If we interpret $t$ over the set of partial states $\mathcal{P}$, we obtain

$$t_{\mathcal{P}}(X, X') \equiv x_2 = x_3 = 0 \wedge x'_2 = x'_3 = 1 \wedge x_1 = x'_1 \wedge x_4 = x'_4 \wedge x_1, x_4 \in V \cup \{\mathsf{u}\} \ (= V^+),$$

and finally, if we consider $t'$ as defined in Def. 5.8, we obtain

$$t'(X, X') \equiv x_2 = x_3 = 0 \wedge 1 \succeq x'_2 \wedge 1 \succeq x'_3 \wedge x_1 = x'_1 \wedge x_4 = x'_4 \wedge x_1, x_4 \in V \cup \{\mathsf{u}\}.$$

Lemma 5.2 Given a system $(X, T, I)$, for every $S \subseteq \mathcal{P}$ we have that $\mathrm{minpre}[R](S)$ is a minor set of $\mathrm{pre}[R'](S)$.

Proof. We prove that for any $m \in \mathcal{P}$ we have $\mathrm{minpre}[t](m) = \mathrm{pre}[t'](m)$; hence the result follows. Let $m_1 \in \mathrm{minpre}[t](m)$. First, for each component $i$ in the kernel we have $m_1[i] \neq \mathsf{u}$ by definition of $\overline{t}$; also we have $\underline{m_1} = \underline{m}$, for otherwise $m_1$ is not $\succeq$-minimal. Hence $m_1 \in \mathrm{pre}[t'](m)$.

Let $m_1 \in \mathrm{pre}[t'](m)$ and suppose there exists $m_2 \in \mathcal{P}$ such that $m_1 \succeq m_2$ and $m_2 \in \mathrm{pre}[t'](m)$. The definition of $t'$ shows that for any $p \in \mathrm{pre}[t'](m)$ the following holds: for each $i$ in the kernel we have $p[i] \neq \mathsf{u}$ by definition of $\overline{t}$.

So the only components on which $m_1$ and $m_2$ can differ are the ones outside of the kernel. But here we have $\underline{m_2} = \underline{m_1} = \underline{m}$, a contradiction, and so the set $\mathrm{pre}[t'](m)$ is canonical; hence $m_1 \in \mathrm{minpre}[t](m)$. $\square$
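Def. 5.8 and Lemma 5.2 checked by brute force on the transition $t$ of Example 5.2, as an added example that is not code from the thesis. It builds $t'$ from $t_{\mathcal{P}}$ exactly as Def. 5.8 states, compares it with the closed form the example gives for $t'$, and confirms $\mathrm{minpre}[t](m) = \mathrm{pre}[t'](m)$ for every $m \in \mathcal{P}$; $\mathsf{u}$ is `None`, indices are 0-based and $\mathrm{minpre}[t](m)$ is taken as the $\preceq$-minimal elements of $\mathrm{pre}[t_{\mathcal{P}}]({\uparrow}m)$.

```python
"""Def. 5.8 and Lemma 5.2 on the transition t of Example 5.2.  Added
example, not the thesis's own code.  V = {0, 1, 2}, X = {x1, .., x4} with
0-based indices, the kernel of t is {x2, x3}, and u is encoded as None."""
from itertools import product

V = (0, 1, 2)
U = None
N = 4
PARTIAL = set(product(V + (U,), repeat=N))    # 𝒫
KERNEL = (1, 2)                               # x2, x3


def below(p, q):
    """p ⪯ q: wherever p is defined, q carries the same value."""
    return all(a is U or a == b for a, b in zip(p, q))


def outside_kernel(p):
    """The part p̲ of p on the non-kernel variables x1, x4."""
    return tuple(v for i, v in enumerate(p) if i not in KERNEL)


def fire_tP(p):
    """t over partial states: needs x2 = x3 = 0, sets them to 1 and copies
    x1, x4 (u = u included).  Returns None when t is not enabled."""
    if p[1] == 0 and p[2] == 0:
        return (p[0], 1, 1, p[3])
    return None


def t_prime(p1, p2):
    """Def. 5.8: some successor p of p1 satisfies p ⪰ p2, and p1, p2 agree
    outside the kernel."""
    p = fire_tP(p1)
    return (p is not None and below(p2, p)
            and outside_kernel(p1) == outside_kernel(p2))


def t_prime_closed_form(p1, p2):
    """The predicate Example 5.2 gives for t'."""
    return (p1[1] == 0 and p1[2] == 0 and p2[1] in (1, U) and p2[2] in (1, U)
            and p1[0] == p2[0] and p1[3] == p2[3])


def pre_t_prime(m):
    """pre[t'](m)."""
    return {p1 for p1 in PARTIAL if t_prime(p1, m)}


def minpre_t(m):
    """minpre[t](m): the ⪯-minimal elements of pre[t_P](↑m)."""
    pre = set()
    for p1 in PARTIAL:
        q = fire_tP(p1)
        if q is not None and below(m, q):      # q ∈ ↑m
            pre.add(p1)
    return {p for p in pre if not any(q != p and below(q, p) for q in pre)}


def lemma_5_2_holds():
    """True iff minpre[t](m) = pre[t'](m) for every m and the brute-force t'
    agrees with the closed form on every pair of partial states."""
    same_pre = all(minpre_t(m) == pre_t_prime(m) for m in PARTIAL)
    same_rel = all(t_prime(a, b) == t_prime_closed_form(a, b)
                   for a in PARTIAL for b in PARTIAL)
    return same_pre and same_rel
```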

Proposition 5.7 Given a system $(X, T, I)$ and $D \subseteq \mathcal{P}$. For every $x \in D$, $P \in DCS(D)$ we have:

$$x \in \alpha \circ \mathrm{post}[R] \circ \gamma(P) \Leftrightarrow \Big( x \in D \wedge \bigvee_{t \in T} \neg\big(\mathrm{pre}[t'](x) \subseteq {\uparrow}(D \setminus P)\big) \Big).$$


Proof.

$$\begin{aligned}
x \in \alpha \circ \mathrm{post}[R] \circ \gamma(P) &\Leftrightarrow x \in D \wedge \neg\big(\mathrm{minpre}[R](x) \subseteq {\uparrow}(D \setminus P)\big) && \text{Prop. 4.6} \\
&\Leftrightarrow x \in D \wedge \neg\big(\mathrm{pre}[R'](x) \subseteq {\uparrow}(D \setminus P)\big) && \text{Lem. 5.2} \\
&\Leftrightarrow x \in D \wedge \neg\Big(\bigcup_{t \in T} \mathrm{pre}[t'](x) \subseteq {\uparrow}(D \setminus P)\Big) && \text{def. of } R' \\
&\Leftrightarrow x \in D \wedge \bigvee_{t \in T} \neg\big(\mathrm{pre}[t'](x) \subseteq {\uparrow}(D \setminus P)\big) && \square
\end{aligned}$$

Let us now turn to the backward reasoning, and in particular to the fixpoint expression of line 7 in Alg. 1. Lemma 4.17 shows that, for each abstract domain $(DPL(D), \alpha, \gamma)$ and each $A \in DCS(D)$, the iterated function $\lambda X.\, \alpha(\gamma(A) \cap \mathrm{pre}[R_{\downarrow}](\gamma(X)))$ of the instantiated backward reasoning is characterized as follows: $\lambda X.\, A \cap \alpha \circ \mathrm{pre}[R] \circ \gamma(X)$. In what follows we provide an alternative characterization of the function $\lambda X.\, \alpha \circ \mathrm{pre}[R] \circ \gamma(X)$.

Proposition 5.8 Given a system $(X, T, I)$ and $D \subseteq \mathcal{P}$. For every $P \in DCS(D)$ we have:

$$x \in \alpha \circ \mathrm{pre}[R] \circ \gamma(P) \Leftrightarrow \Big( x \in D \wedge \bigwedge_{t \in T} x \not\succeq \mathrm{pre}[t'](D \setminus P) \Big).$$

Proof.

$$\begin{aligned}
x \in \alpha \circ \mathrm{pre}[R] \circ \gamma(P) &\Leftrightarrow x \in D \wedge x \notin {\uparrow}\mathrm{minpre}[R](D \setminus P) && \text{Prop. 4.8} \\
&\Leftrightarrow x \in D \wedge x \not\succeq \mathrm{minpre}[R](D \setminus P) \\
&\Leftrightarrow x \in D \wedge x \not\succeq \mathrm{pre}[R'](D \setminus P) && \text{Lem. 5.2} \\
&\Leftrightarrow x \in D \wedge \bigwedge_{t \in T} x \not\succeq \mathrm{pre}[t'](D \setminus P) && \square
\end{aligned}$$

Below we use the two alternative characterizations of Prop. 5.7 and 5.8 to study the complexity of the abstract operations $\lambda X.\, \alpha \circ \mathrm{post}[R] \circ \gamma(X)$ and $\lambda X.\, \alpha \circ \mathrm{pre}[R] \circ \gamma(X)$, respectively.

5.6.3 Efficient Iterated Functions: k-Bounded Systems

Given a system $Sys$, we redefine the problem $\mathrm{POST}^\#$ with $R_{\mathcal{S}}$ replaced by $R_{\mathcal{P}}$. As seen in Prop. 5.7, we can decide $\mathrm{POST}^\#$ by checking whether $\mathrm{pre}[t'](p) \subseteq {\uparrow}(D \setminus P)$ holds. Consider the class of systems satisfying the following three conditions for every partial state $p$ and every set $A \subseteq \mathcal{P}$:


(a) |pre[t′](p)| is bounded by a polynomial in |X|, and

(b) pre[t′](A)M can be computed in polynomial time in |X|+ |AM|, and

(c) the number of transitions (i.e. |T |) is bounded by a polynomial in |X|.

Proposition 5.9 Under the assumptions (a), (b) and (c), we can decide $\mathrm{POST}^\#$ in polynomial time.

Proof. Our decision procedure refers to the characterization of Prop. 5.7. Prop. 5.2 shows that for $p' \in \mathrm{pre}[t'](p)$ we can decide $\{p'\} \succeq (D \setminus P)$ in time $O(|D^{\mathcal{M}}| \cdot |P^{\mathcal{M}}| + |X|)$, and thus, given $\mathrm{pre}[t'](p)^{\mathcal{M}}$, $D^{\mathcal{M}}$ and $P^{\mathcal{M}}$, (a) shows that we can decide in polynomial time whether for each $p' \in \mathrm{pre}[t'](p)$ there exists an $s \in (D \setminus P)$ such that $p' \succeq s$. Moreover assumption (b) shows that $\mathrm{pre}[t'](p)^{\mathcal{M}}$ can be computed in time polynomial in $|X|$, hence in $|Sys|$. Finally we conclude from (c) that we can decide $\mathrm{POST}^\#$ in polynomial time. $\square$

Definition 5.9 (The problem $\mathrm{CPRE}^\#$)
Instance: a system $(X, T, I)$, an element $p \in D$ and two MDDs $D^{\mathcal{M}}, P^{\mathcal{M}}$, where $D$ is a non-empty subset of $\mathcal{P}$ and $P \in DCS(D)$.
Question: $p \in \alpha \circ \mathrm{pre}[R_{\mathcal{P}}] \circ \gamma(P)$? $\square$

Proposition 5.10 Under the assumptions (a), (b) and (c), we can decide $\mathrm{CPRE}^\#$ in polynomial time.

Proof. Our decision procedure refers to the characterization of Prop. 5.8. Recall that by Prop. 5.2 we can decide $\{x\} \succeq A$ in time $O(|A^{\mathcal{M}}| + |X|)$. Next, (b) shows that given $D^{\mathcal{M}}$ and $P^{\mathcal{M}}$, we can compute $\mathrm{pre}[t'](D \setminus P)^{\mathcal{M}}$ in polynomial time. Finally (c) shows that we can decide $p \in \alpha \circ \mathrm{pre}[R] \circ \gamma(P)$ in polynomial time. $\square$

Definition 5.10 (Polynomial Systems) A class $\mathcal{C}$ of systems is polynomial iff $\mathrm{POST}^\#_{\mathcal{C}}$ and $\mathrm{CPRE}^\#_{\mathcal{C}}$ can be decided in polynomial time. $\square$

We now show that an interesting class of systems satisfies (a), (b) and (c). Intuitively, we look at a system on a set $X$ as a system made of $|X|$ concurrent components. Each variable describes the local state of the corresponding component.

Definition 5.11 (k-bounded Systems) A system $(X, T, I)$ is $k$-bounded if the width of the kernel of all transitions of $T$ is bounded by $k$. $\square$


Loosely speaking, a system is $k$-bounded if its transitions involve at most $k$ components. Many systems are $k$-bounded. For instance, consider systems communicating by point-to-point channels. If we describe the local state of a component/channel by one variable, then usually we have $k = 2$, because a transition depends on the current state of the receiving/sending component and on the state of the channel. Other examples are token ring protocols, where each component communicates only with its left and right neighbours. These systems are at most 3-bounded.

Fix $k$; our goal is to show that $\mathrm{POST}^\#$ can be solved in polynomial time for $k$-bounded systems.

Proposition 5.11 Fix $k$ and let $p$ be a partial state of a $k$-bounded system. The set $\mathrm{pre}[t'](p)$ contains at most $|V^+|^k$ elements, $\mathrm{pre}[t'](A)^{\mathcal{M}}$ can be computed in a time polynomial in $|X| + |A^{\mathcal{M}}|$, and $|T|$ is bounded by a polynomial in $|X|$.

Proof. Consider the set $P^t_1$ given by $\{p_2 \in \mathcal{P} \mid t'(p_2, p_1)\}$ for a fixed $t \in T$ and $p_1 \in \mathcal{P}$. Since $t'(p_2, p_1)$ implies $\underline{p_2} = \underline{p_1}$ and the kernel of $t$ contains at most $k$ variables, this set has at most $|V^+|^k$ elements.

We now argue that $t'^{\mathcal{M}}$ can be computed in polynomial time in $|X|$. From now on, we assume the following ordering on $X = \{x_1, \dots, x_n\}$ and its disjoint copies $X'$ and $X''$:

$$x_1 < x'_1 < x''_1 < \dots < x_n < x'_n < x''_n.$$

In terms of predicates, we have

$$t'(X, X') \equiv \exists Y'' : \overline{t}(Y, Y'') \wedge \bigwedge_{x \in Y} (x'' \succeq x') \wedge \bigwedge_{x \in X \setminus Y} (x = x')$$

where $Y \subseteq X$ is the kernel of $t$. The MDD $(x = x')^{\mathcal{M}}$ is computed in time $O(1)$, and so, because of the above ordering, the runtime to build the MDD for $\bigwedge_{x \in X \setminus Y} (x = x')$ is $O(|X| - k)$.

On the other hand, since the system is $k$-bounded, we have $|Y| \le k$, and given $\overline{t}$, the MDD for $\exists Y'' : \overline{t}(Y, Y'') \wedge \bigwedge_{x \in Y} (x'' \succeq x')$ can be computed in polynomial time for $k$-bounded systems. It follows that $t'^{\mathcal{M}}$ can be computed in polynomial time in $|X|$.

We have the following characterization, which can be directly implemented with standard MDD operations:

$$\mathrm{pre}[t'](A) \equiv \exists X' : t'(X, X') \wedge A(X').$$

We have shown above that $t'^{\mathcal{M}}$ is computable in polynomial time in $|X|$. The existential quantification of the kernel variables $Y' \subseteq X'$ applied on the MDD representing $\mathrm{pre}[t'](A)$ is computed in polynomial time in $|X| + |A^{\mathcal{M}}|$ since $|Y'| = k$, $k$ is fixed, and by Tab. 5.1. Moreover the existential quantification of the variables in $X' \setminus Y'$ is computed in polynomial time since for each $x \in X \setminus Y$ the values of $x$ and $x'$ coincide in $t'(X, X') \wedge A(X')$, and because of the ordering.


Finally observe that each $k$-bounded system is equivalent to another one satisfying $|T| \le |X|^k$: if there are $t_i(Y_i, Y'_i)$, $t_j(Y_j, Y'_j)$ such that $i \neq j$ but $Y_i = Y_j$, then we can replace $t_i$ and $t_j$ by $(t_i \vee t_j)(Y_i, Y'_i)$. $\square$

Corollary 5.1 For a fixed k ≥ 0, the class of k-bounded systems is polynomial.

5.7 Experiments

We have produced a prototype implementation and applied it to two well-known examples. Before discussing the experimental results we give a precise definition of the refinement. Following the previous chapter, the abstract domain refinement is given by

$$D_{i+1} = D_i \cup \min\big((D_i \setminus S_i) \cup \mathrm{minpre}[R](D_i \setminus S_i)\big).$$

Following Lem. 5.2, we see that³ $D_i \cup \min\big((D_i \setminus S_i) \cup \mathrm{pre}[R'](D \setminus S_i)\big)$ would also be a correct choice for $D_{i+1}$, as would $D_i \cup {\downarrow}\min\big((D_i \setminus S_i) \cup \mathrm{pre}[R'](D \setminus S_i)\big)$ by Lem. 4.21.

In our experiments $D_{i+1}$ is given by this last value. Considering an over-approximation for the refinement follows this idea: the more states we add to $D_{i+1}$ the more precise the corresponding abstract domain is and the sooner the instantiated Alg. 1 terminates. However, if we add too many states to $D_{i+1}$ then the forward/backward reasoning might be too costly. So it is all about a compromise between precision and cost.

Remark 5.1 The experimental results presented here differ from those given in the publication [EGS05] from which this chapter is inspired. Therein the refinement was defined using a subset of $R'$ (that is, in line 9 we use $R'$ instead of $R$), which in practice led to better memory usage as well as run times. Behind this refinement is the following intuition. Let $s$ be an unreachable state which is considered to be reachable by the abstract analysis. So $s$ is deemed reachable due to an imprecision which has been introduced by the abstraction. Since the states computed by the abstract fixpoint are given by a fixpoint computation, we can trace back the first iterate $I^i$ in which $s$ is (erroneously) proved reachable. So an imprecision has been introduced at iterate $I^i$. Whenever we refine, we restrict the transition relation to $R' \cap (I^{i-1} \times I^i)$ so as to isolate the initial imprecision for $s$, omitting all the subsequent ones.

Let us now turn to the experimental evaluation. The examples only use boolean variables, and so we use BDDs instead of MDDs. Since our implementation is preliminary and our main motivation is to provide a space-efficient method, we only report on the sizes of the BDDs used to decide a property. It is nevertheless relevant to know that the running times on an Intel Xeon 3GHz ranged from seconds to 3 hours (a timeout has been set after 3 hours of execution time). In our experiments, we compare the size of the largest BDDs computed by our algorithm with the BDD size of the full set of reachable states, which is computed using NuSMV [CCG+02].

³ The minor set is unique since the underlying order is a partial order.

5.7.1 Dining Philosophers Example

Our first example is a deterministic non-symmetric solution to the dining philosophers problem taken from [ZPK02]. The model uses two arrays, one for the forks and the other for the philosophers, both of size $N$, the number of philosophers. Each fork is represented by two bits, and each philosopher by three. For our experiments, we use the following variable order: the bits for the forks are at the top and the ones of the philosophers at the bottom, while each array element is stored with its most significant bit at the top.

The sizes of the BDDs encoding the full set of reachable states are listed — for various values of $N$ — in Table 5.2.

We consider the following three properties:

1. Is it possible that two neighbouring philosophers eat at the same time? (This property is false in the model.)

2. Is it possible for all forks to be taken at the same time? (This property is true in the model.)

3. Is it possible for philosophers 1 and 3 to eat at the same time? (This property is true for all $N > 3$.)

The results for our approach are detailed in Table 5.3. We considered two different initial abstractions. In the first one, we take one observer for each component (philosopher or fork); in the second, we have one observer for each pair of components (left and right part of Table 5.3, respectively). Also for both initial abstractions the following holds: the property to check is representable exactly.

The #ref columns denote the number of refinements that were necessary to prove or disprove the properties. The column marked $R_i$ gives the number of BDD nodes used to represent the set $R_i$ in the last refinement, where this number was highest. Also in almost all experiments we had that $S_i = R_i$ and so is their size. The exceptions appeared in the analysis of property 2 starting with 1 component for $N$ greater than or equal to 4. For those experiments, the number of nodes in $S_i$ is about 1% less than the number of nodes in $R_i$. The representation of $D_i$ was either nearly of the same size or significantly lower than for $R_i$. For properties 1 and 3, we observe that the approach works reasonably well, especially for big values of $N$. Looking closely, we observe that the 2-component initialization works better for property 1, presumably because the property is a conjunction of sub-properties concerning pairs of philosophers. For property 3, the 1-component initialization works better, probably because it concerns only 2 specific components. Property 2 is a case in which the locality-based approach works far worse than full reachability: the property is universally quantified, forcing the abstraction refinement to consider tuples ranging over all components. In the table the symbol "?" indicates that the prototype did not produce any result after 3 hours of runtime.

Table 5.2: BDD sizes for the Dining Philosophers using NuSMV.

  N    reachability set
  2              26
  3              64
  4             140
  5             292
  6             596
  7           1,204
  8           2,420
  9           4,852
 10           9,716
 11          19,444
 12          38,900
 13          77,812
 14         155,636
 15         311,284

5.7.2 Production Cell Example

Our second example is a model of the well-known production cell case study, taken from [HD95]. Our encoding of the model has 15 variables with 39 bits altogether. We tested all fifteen safety properties mentioned in [HD95]. All properties hold but property 10. The results are shown in Table 5.4. The initial abstraction has one observer for each component and is such that the good states are exactly representable.

Table 5.4 lists results for instantiations of the model with one and five plates. The number |reach| is the BDD size of the reachable state space as computed by NuSMV, while $R_i$ and #ref have the same meanings as in Table 5.3. For every example we obtain that $S_i = R_i$.

The results show that, while the reachable state space grows (linearly) with the number of plates, the partial-reachability approach is largely unaffected by this number. All the figures actually coincide except for property 10 which is false. Moreover, while the number of refinement iterations varies (the largest number of refinements was 9), the BDD sizes vary only by about 50% between the smallest and the largest example.

Table 5.3: Results for the Dining Philosophers using instantiated Alg. 1.

            starting with 1 component                        starting with 2 components
        prop. 1        prop. 2        prop. 3          prop. 1        prop. 2        prop. 3
  N     Ri    #ref     Ri    #ref     Ri    #ref       Ri    #ref     Ri    #ref     Ri    #ref
  2     52    4        29    2        n/a   n/a        38    0        28    2        n/a   n/a
  3     208   6        192   3        234   6          73    0        179   3        73    0
  4     729   6        896   4        586   4          112   0        759   4        376   4
  5     1,241 6        5,832 5        841   4          156   0        3,143 5        702   4
 10     4,483 6        ?     ?        1,412 4          451   0        ?     ?        1,432 4
 15     9,458 6        ?     ?        1,987 4          871   0        ?     ?        2,237 4

Table 5.4: Results for the production cell example using Alg. 1.

           One plate                Five plates
         |reach| = 230             |reach| = 632
  Prop   |post*|   #ref            |post*|   #ref
   1       83       1                83       1
   2      187       3               187       3
   3      176       5               176       5
   4       76       0                76       0
   5       82       1                82       1
   6      289       4               289       4
   7      115       2               115       2
   8       76       0                76       0
   9      177       4               177       4
  10      479       6               295       9
  11      146       1               146       1
  12      171       2               171       2
  13      267       3               267       3
  14      120       4               120       4
  15      168       4               168       4

As the number of plates increases, the space savings of the locality-based approachbecome significant.

Chapter 6

Place Merging Abstractions for Petri Nets

Current algorithms for the automatic verification of Petri nets suffer from the explosion caused by the high dimensionality of the state spaces of practical examples. In this chapter, we develop an abstraction refinement based analyzer which explores state spaces of reduced dimensionality. In our approach, the dimensionality is reduced by trying to gather places that are suspected unessential for the property to establish.

6.1 Introduction

Petri nets (and their monotone extensions) are a well-adapted framework for modeling concurrent and infinite state systems like, for instance, parameterized systems [GS92]. Even though their state space may be infinite, several interesting problems are decidable on Petri nets. In their seminal work, Karp and Miller [KM69] solve the coverability problem for Petri nets by providing an effective characterization of the coverability set. However, empirical evidence shows that their algorithm is not applicable on practical examples. Since then, a large number of works have been devoted to the study of efficient techniques for the automatic verification of coverability properties of infinite state Petri nets, see for example [DRVanB01, VanB03, AIN00, Gra97, GRVanB04]. Forward and backward algorithms are now available and have been implemented to show their practical relevance. All those methods manipulate, somehow or other, infinite sets of markings. Sets of markings are subsets of $\mathbb{N}^k$, where $k$ is the number of places in the Petri net. We call $k$ its dimension. When $k$ becomes large, the aforementioned methods suffer from the dimensionality problem: the sets that have to be handled have large representations that make them hard to manipulate efficiently.

In this chapter, we develop an automatic abstraction technique that attacks the dimensionality problem. To illustrate our method, let us consider the Petri net of Fig. 6.1(a). This Petri net describes abstractly a system that spawns an arbitrary number of processes running in parallel. There are two independent critical sections in the system that correspond to places $p_4, p_5$ and to places $p_8, p_9$. One may be interested in proving that mutual exclusion is ensured between $p_4$ and $p_5$. That mutual exclusion property is local to a small part of the net, and it is intuitively clear that the places $p_6, p_7, p_8, p_9, p_{10}, p_{11}, p_{12}$ are irrelevant to prove mutual exclusion between $p_4$ and $p_5$. Hence, the property can be proved with an abstraction of the Petri net as shown in Fig. 6.1(b) where the places $\{p_1, p_6, p_7, p_8, p_9, p_{10}, p_{11}, p_{12}\}$ are not distinguished and merged into a single place $p'_1$. However, the current methods for solving coverability, when given the Petri net of Fig. 6.1(a), will consider the entire net and manipulate subsets of $\mathbb{N}^{12}$. Our method will automatically consider sets of lower dimensionality (in this case subsets of $\mathbb{N}^4$, hence still smaller than the ones of the Petri net of Fig. 6.1(b)).

[Figure 6.1: A Petri net with two distinct mutual exclusion properties (a) and its abstraction (b). Net (a) has places $p_1$ to $p_{12}$ (among them wait, init and the critical sections cs1 to cs4) and transitions $t_1$ to $t_{11}$; net (b) keeps $p_2, p_3, p_4, p_5$, merges the remaining places into $p'_1$, and groups the transitions $\{t_9, t_{10}\}$, $\{t_6, t_8\}$ and $\{t_5, t_7, t_{11}\}$.]

In this setting, we will abstract markings by markings of lower dimension. Beyond their representation, we also define manipulations of sets of markings directly on their representation by markings of lower dimension. More precisely, instead of subsets of $\mathbb{N}^k$ our algorithm manipulates subsets of $\mathbb{N}^{k'}$ with $k' \le k$. Moreover, we will show that the original coverability problem reduces to a coverability problem of lower dimensionality and so our algorithm can reuse efficient techniques for the analysis of those abstractions.

We have implemented our automatic abstraction technique and we have evaluated our new algorithm on several interesting examples of infinite state Petri nets taken from the literature. It turns out that our technique finds low dimensional systems that are sufficiently precise abstractions to establish the correctness of complex systems. We have also run our algorithm on finite state models of well-known mutual exclusion protocols. On those, the reduction in dimension is less spectacular but our algorithm still finds simplifications that would be very hard to find by hand.

To the best of our knowledge, this work is the first that tries to automatically abstract Petri nets by lowering their dimensionality and which provides an automatic refinement when the analysis is not conclusive. In [BRV75], the authors provide syntactical criteria to simplify Petri nets while our technique is based on their semantics. Our technique automatically provides much coarser abstractions than the ones we could obtain by applying the rules in [BRV75].

The rest of our chapter formalizes the above ideas and is organized as follows. After some reminders about Petri nets and the coverability problem in Sect. 6.2, we instantiate Alg. 4 in Sect. 6.3. More precisely, in Sect. 6.3.2 we define a family of abstract domains and prove it to be adequate. In Sect. 6.3.3, we define the forward reasoning and provide an efficient characterization. The same results are achieved for the backward reasoning in Sect. 6.3.4. In Sect. 6.3.5, we show how to refine automatically the abstract domains. We then present our algorithm in Sect. 6.3.6 and discuss its effectivity and termination in Sect. 6.3.7. Section 6.4 concludes the chapter by reporting on experimental results.

6.2 Petri Nets and the Coverability Problem

We start this section by recalling some notions about Petri nets and their semantics. In what follows, given a set $S$ we denote by $|S|$ its cardinality.

Definition 6.1 (Petri nets) A Petri net $N$ is given by a tuple $(P, T, F, m_0)$ where:

• $P$ and $T$ are finite disjoint sets of places and transitions, respectively,

• $F = (I, O)$ are two mappings $I, O \in P \times T \mapsto \mathbb{N}$ describing the relationship between places and transitions. Once a linear order has been fixed on $P$ and on $T$, $I$ and $O$ can be seen as $(|P|, |T|)$-matrices over $\mathbb{N}$ ($\mathbb{N}^{|P| \times |T|}$ for short). Let $t \in T$, $I(t)$ denotes the $t$-column vector in $\mathbb{N}^{|P|}$ of $I$.

• $m_0$ is the initial marking. A marking $m \in \mathbb{N}^{|P|}$ is a column vector giving a number $m(p)$ of tokens for each place $p \in P$.

Throughout the chapter we will use the letter $k$ to denote $|P|$, i.e. the dimensionality of the net. We introduce the partial order $\leqslant\, \subseteq \mathbb{N}^k \times \mathbb{N}^k$ such that for all $m, m' \in \mathbb{N}^k$: $m \leqslant m'$ iff $m(i) \le m'(i)$ for all $i \in [1..k]$ (where $[1..k]$ denotes the set $\{1, \ldots, k\}$). It turns out that $\leqslant$ is a well-quasi order on $\mathbb{N}^k$ and, moreover, is a partial order. We can thus define $\downarrow$ and $\uparrow$, the downward and upward closure operators, respectively. Hence we define the $\leqslant$-dc-set and $\leqslant$-uc-set of markings.

Definition 6.2 (Firing Rules of Petri net) Given a Petri net $N = (P, T, F, m_0)$ and a marking $m \in \mathbb{N}^k$ we say that the transition $t$ is enabled at $m$, written $m(t\rangle$, iff $I(t) \leqslant m$. If $t$ is enabled at $m$ then the firing of $t$ at $m$ leads to a marking $m'$, written $m(t\rangle m'$, such that $m' = m - I(t) + O(t)$. □

In the sequel we also use $t$ to refer to the relation in $\mathbb{N}^k \times \mathbb{N}^k$ given by $\{(m, m') \mid m(t\rangle m'\}$. Hence, $R \subseteq \mathbb{N}^k \times \mathbb{N}^k$ given by $\bigcup_{t \in T} t$ denotes the transition relation of the TS underlying the Petri net. We now define the predicate transformers we need.

Definition 6.3 (the pre and post) Let $N$ be a Petri net given by $(P, T, F, m_0)$ and let $t \in T$, we define $pre_N[t], post_N[t] \in \wp(\mathbb{N}^k) \mapsto \wp(\mathbb{N}^k)$ as follows

$$post_N[t] = \lambda X.\,\{m' \in \mathbb{N}^k \mid \exists m : m \in X \wedge m(t\rangle m'\}$$

$$pre_N[t] = \lambda X.\,\{m \in \mathbb{N}^k \mid \exists m' : m' \in X \wedge m(t\rangle m'\}\,.$$

Actually it is well-known that Petri nets are instances of WSTS.

Lemma 6.1 (From [ACJT96]) Given a Petri net $N = (P, T, F, m_0)$, $((\mathbb{N}^k, \leqslant), R, m_0)$ is a WSTS.

Lemma 6.2 Let $N$ be a Petri net given by $(P, T, F, m_0)$ and let $t \in T$, we define $\widetilde{pre}_N[t] \in \wp(\mathbb{N}^k) \mapsto \wp(\mathbb{N}^k)$ as follows,

$$\widetilde{pre}_N[t] = \lambda X.\,\{m \in \mathbb{N}^k \mid I(t) \not\leqslant m \vee m \in pre_N[t](X)\}\,.$$

Proof. For the last equality we have:

$$\begin{array}{lll}
\widetilde{pre}_N[t] &= \lambda X.\,\{m \mid \forall m' : (m, m') \in t \to m' \in X\} & \text{def. of } \widetilde{pre} \\
&= \lambda X.\,\{m \mid \forall m' : m(t\rangle m' \to m' \in X\} & \text{def. of } t \\
&= \lambda X.\,\{m \mid I(t) \leqslant m \wedge m - I(t) + O(t) \in X\} \cup \{m \mid I(t) \not\leqslant m\} & \text{def. 6.2} \\
&= \lambda X.\,\{m \mid \exists m' : m(t\rangle m' \wedge m' \in X\} \cup \{m \mid I(t) \not\leqslant m\} & \\
&= \lambda X.\,\{m \mid m \in pre_N[t](X)\} \cup \{m \mid I(t) \not\leqslant m\} & \text{above equality} \\
&= \lambda X.\,\{m \mid m \in pre_N[t](X) \vee I(t) \not\leqslant m\} & \square
\end{array}$$

The extension from a single transition to the set $T$ of transitions is naturally defined as follows,

$$f_N = \begin{cases} \lambda X.\,\bigcup_{t \in T} f_N[t](X) & \text{if } f_N \text{ is } pre_N \text{ or } post_N \\ \lambda X.\,\bigcap_{t \in T} f_N[t](X) & \text{for } f_N = \widetilde{pre}_N\,. \end{cases}$$

In the sequel, when the Petri net $N$ is clear from the context, we omit to mention $N$ as a subscript.

Sometimes we also use logical formulas. Given a logical formula $\psi$ we write $[\![\psi]\!]$ for the set of its satisfying valuations. If $\psi$ works on markings of a Petri net, $[\![\psi]\!]$ will denote a set of states of it.

The coverability problem is the problem we are interested in solving on Petri nets. This problem has already been studied in the larger context of WSTS. Below we specialize the coverability problem to Petri nets.

The coverability problem for Petri nets
Instance: A Petri net $N = (P, T, F, m_0)$ and $bad \in UCS(\mathbb{N}^k)$
Question: Does $post^*_N(m_0) \cap bad = \emptyset$ hold?

In this chapter we give a solution to the coverability problem on Petri nets which is given by an instantiation of Alg. 4. As in the previous chapters the instantiation process follows the guidelines of Sect. 3.7.

6.3 Instantiation

Following the guidelines given at Sect. 3.7, the instantiation process will be carried out as follows.

First, we reduce the coverability problem to a fixpoint checking problem, namely we define for each instance of the coverability problem the equivalent fixpoint instance of the fixpoint checking problem.

Second, we propose a family of abstract domains to be used by the instantiated Alg. 4. For every fixpoint instance given by $(C, T, I)$ and $S \subseteq C$ of the fixpoint checking problem we prove the family is adequate for $S$ and $\lambda X.\,X \cap pre[T](X)$. We also discuss the effectivity related to each abstract domain in the family.

Third, for every fixpoint instance and every abstract domain of the adequate family we provide an effective characterization of forward and backward reasoning as defined at lines 3 and 7, respectively.

Fourth, given an abstract domain of the adequate family $(\langle A, \sqsubseteq\rangle, \alpha, \gamma)$ we show how to effectively compute $Y \cap pre[T](Y)$ for each value $Y \in \gamma(A)$. This requirement corresponds to what is defined at line 9 in Alg. 4: $Z_{i+1} = \gamma(S_i) \cap pre[T](\gamma(S_i))$. Then, given a value $Y \in \gamma(A)$ we also define and compute an abstract domain $(\langle A', \sqsubseteq'\rangle, \alpha', \gamma')$ of the adequate family such that the requirement $\gamma'(A') \supseteq \{Y \cap pre[T](Y)\} \cup \gamma(A)$ holds. This requirement is imposed at line 10 of Alg. 4. Finally we give an effective characterization of $\alpha'(Y \cap pre[T](Y))$.

Fifth, we shall prove that, for each fixpoint instance of the fixpoint checking problem, the instantiated Alg. 4 terminates. We shall give an effective characterization of the instantiated Alg. 4 as well.

6.3.1 Reduction to the Fixpoint Checking Problem

Let $N = (P, T, F, m_0)$ be a Petri net and $bad \in UCS(\mathbb{N}^k)$ an instance of the coverability problem, the reduction to a fixpoint checking problem follows immediately from the equality: $post^*_N(m_0) = lfp\,\lambda X.\,m_0 \cup post_N(X)$. We thus define the fixpoint instance of the fixpoint checking problem as follows.

Definition 6.4 (Fixpoint Instance (Petri nets)) Let $N = (P, T, F, m_0)$ be a Petri net and let $bad \in UCS(\mathbb{N}^k)$ be an instance of the coverability problem, the fixpoint instance of the fixpoint checking problem is given by $N$ and $S \in DCS(\mathbb{N}^k)$ where $S = \neg bad$. □

6.3.2 An Adequate Family of Abstract Domains

The semantics of the Petri net $N$ (e.g. $post^*_N(m_0)$) is defined using predicate transformers such as $post_N$, $pre_N$, $\widetilde{pre}_N$, as basic blocks. Each of those predicate transformers is a monotone function over the complete lattice $PL(\mathbb{N}^k)$. All the existing algorithms which evaluate (sometimes approximate) the semantics of Petri nets suffer from the explosion caused by the high dimensionality of the state spaces of practical examples.

In order to mitigate the dimensionality problem, we define a family of abstract domains where subsets of $\mathbb{N}^k$ are abstracted by subsets of $\mathbb{N}^{k'}$ where $k' \le k$ ($k'$ depends on the abstract domain). More precisely, whereas each dimension in the concrete domain records the number of tokens contained in a place of the Petri net, in the abstract domain each dimension records the sum of the numbers of tokens contained in a set of places. At the basis of our abstraction technique are the partitions (of the set of places).

Definition 6.5 (The Lattice of Partitions) Let $A$ be a partition of the set $[1..k]$ into $k_A$ classes $\{C_i\}_{i \in [1..k_A]}$. We define the order $\preccurlyeq$ over partitions as follows: $A \preccurlyeq A'$ iff $\forall C \in A\ \exists C' \in A' : C \subseteq C'$. It is well known, see [BS81], that the set of partitions of $[1..k]$ together with $\preccurlyeq$ forms a complete lattice where $\{\{1\}, \ldots, \{k\}\}$ is the $\preccurlyeq$-minimal element, $\{\{1, \ldots, k\}\}$ is the $\preccurlyeq$-maximal element and the greatest lower bound of two partitions $A_1$ and $A_2$, noted $A_1 \curlywedge A_2$, is the partition given by $\{C \mid \exists C_1 \in A_1\ \exists C_2 \in A_2 : C = C_1 \cap C_2 \text{ and } C \neq \emptyset\}$. The least upper bound of two partitions $A_1$ and $A_2$, noted $A_1 \curlyvee A_2$, is the finest partition such that given $C \in A_1 \cup A_2$ and $\{a_1, a_2\} \subseteq C$ we have $\exists C' \in A_1 \curlyvee A_2 : \{a_1, a_2\} \subseteq C'$. □

Example 6.1 Given the set $\{a, b, c\}$ and two partitions $A_1 = \{\{a, b\}, \{c\}\}$ and $A_2 = \{\{a, c\}, \{b\}\}$. We have that $A_1 \curlywedge A_2 = \{\{a\}, \{b\}, \{c\}\}$ and $A_1 \curlyvee A_2 = \{\{a, b, c\}\}$.

Partitions will be used to abstract sets of markings by lowering their dimensionality. Given a marking $m$ (viz. a $k$-tuple) and a partition $A$ of $[1..k]$ into $k_A$ classes we abstract $m$ into a $k_A$-tuple $m_A$ by taking the sum of all the coordinates of each class. A simple way to apply the abstraction on a marking $m$ is to compute the product of a matrix $A$ with the vector of $m$ (noted $A \cdot m$). So we introduce a matrix based definition for partitions.

Definition 6.6 (Partitions as Matrices) Let $A$ be a partition of $[1..k]$ given by $\{C_i\}_{i \in [1..k_A]}$. We associate to this partition a matrix $A := (a_{ij})_{k_A \times k}$ such that $a_{ij} = 1$ if $j \in C_i$, $a_{ij} = 0$ otherwise. So, $A \in \{0, 1\}^{k_A \times k}$. We write $\mathcal{A}_{k_A \times k}$ to denote the set of matrices associated to the partitions of $[1..k]$ into $k_A$ classes. □

From the above definition, we deduce that two distinct partitions $A_1$ and $A_2$ lead to two different matrices. We also find that a matrix $A$ matches a unique partition. Also note that, since in the matrix based representation a linear order is given on the rows, permuting rows does not modify the associated partition. Hence, whenever a partition $A$ has several classes, several matrices match $A$. However, if a linear order is fixed on the classes of the partition then the associated matrix is unique. Henceforth we assume that each partition is provided with a linear order on its classes so that we can identify a partition with its unique associated matrix.

We are now equipped to define an abstraction technique for sets of markings.

Definition 6.7 (Merging Abstraction) Let $A \in \mathcal{A}_{k_A \times k}$ so that the concrete and abstract lattices are given by $PL(\mathbb{N}^k)$ and $PL(\mathbb{N}^{k_A})$ respectively, we define the abstraction function $\alpha_A \in \wp(\mathbb{N}^k) \mapsto \wp(\mathbb{N}^{k_A})$ and the concretization function $\gamma_A \in \wp(\mathbb{N}^{k_A}) \mapsto \wp(\mathbb{N}^k)$ respectively as follows

$$\alpha_A \stackrel{\text{def}}{=} \lambda X.\,\{A \cdot x \mid x \in X\} \qquad\qquad \gamma_A \stackrel{\text{def}}{=} \lambda X.\,\{x \mid A \cdot x \in X\}\,.$$

For simplicity of notation, we also write γ, α, if the subscript is clear from the context.

Proposition 6.1 Let $A \in \mathcal{A}_{k_A \times k}$, we have $PL(\mathbb{N}^k) \mathrel{\underset{\alpha}{\overset{\gamma}{\leftarrow\!\!\twoheadrightarrow}}} PL(\mathbb{N}^{k_A})$ (a Galois insertion).

Proof. Let $X \subseteq \mathbb{N}^k$ and $Y \subseteq \mathbb{N}^{k_A}$,

$$\begin{array}{lll}
& \alpha(X) \subseteq Y & \\
\Leftrightarrow & \{A \cdot x \mid x \in X\} \subseteq Y & \text{def. 6.7} \\
\Leftrightarrow & \forall x : x \in X \to A \cdot x \in Y & \\
\Leftrightarrow & X \subseteq \{x \mid A \cdot x \in Y\} & \\
\Leftrightarrow & X \subseteq \gamma(Y) & \text{def. 6.7}
\end{array}$$

Now, we prove that $\alpha \circ \gamma = \lambda x.\,x$. Given $y \in Y$, we define $x \in \mathbb{N}^k$ such that for each class $C_i$ of $A$ we choose $j \in C_i$ and set $x(j) = y(i)$ and $x(k) = 0$ for $k \in C_i \setminus \{j\}$. It is routine to check that $A \cdot x = y$.

$$\begin{array}{lll}
\alpha \circ \gamma(Y) &= \alpha(\{x \mid A \cdot x \in Y\}) & \\
&= \{A \cdot x \mid A \cdot x \in Y\} & \text{def. 6.7} \\
&= Y & \text{by above} \quad \square
\end{array}$$

As we announced previously, we see that sets of markings of dimension $k$ are abstracted by sets of markings of dimension $k'$ with $k' \le k$. We are now in a position to define our family of abstract domains.

Definition 6.8 (Family of abstract domains) Let a Petri net with $k$ places, the family of abstract domains is given by:

$$\{(PL(\mathbb{N}^{k_A}), \alpha_A, \gamma_A) \mid 1 \le k_A \le k \wedge A \in \mathcal{A}_{k_A \times k}\}\,.$$

In the sequel we identify partitions (or matrices) and abstract domains since they uniquely define each other. We shall now follow the guidelines stated in Sect. 3.7.

Adequacy

The next result states that the $\preccurlyeq$-minimal partition leads to no loss of information.

Lemma 6.3 Let $A_\bot$ denote the $\preccurlyeq$-minimal partition which partitions $[1..k]$. We have $\gamma_{A_\bot}(\wp(\mathbb{N}^k)) = \wp(\mathbb{N}^k)$.

Proof. Each class of the partition $A_\bot$ is a singleton. Hence the associated matrix is the identity matrix (up to a permutation of the rows). So it is routine to check that $\gamma_{A_\bot} \circ \alpha_{A_\bot} = \lambda x.\,x$. Hence the result follows. □

The above result allows us to state the adequacy of the proposed family.

Proposition 6.2 Let $(P, T, F, m_0)$ and $S \in DCS(\mathbb{N}^k)$ be a fixpoint instance of the fixpoint checking problem, the family of Def. 6.8 is adequate for $S$ and $\lambda X.\,X \cap pre_N(X)$.

Proof. It is clear that $S$ is a set of markings, as well as the value returned by the function $\lambda X.\,X \cap pre_N(X)$ applied on any set of markings. We conclude from Lem. 6.3 that using $A_\bot$, which belongs to the family, we represent exactly any set of markings. This yields the desired result. □

We know from the above that each set of markings can be represented exactly using the abstraction given by $A_\bot$. However, using $A_\bot$ does not reduce the dimensionality of the sets to represent since a set of markings of dimension $k$ is then abstracted by a set of markings of the very same dimension. So, in what follows, we further study the adequate family of abstract domains and show, for instance, that there are sets that can be represented exactly using a partition $A$ different from $A_\bot$, hence reducing the dimensionality of the sets to represent.

The next lemma relates partitions and the precision of the abstract domains thereof.

Lemma 6.4 Let $A_1, A_2$ be two partitions of $[1..k]$ such that $A_2 \preccurlyeq A_1$, we have

$$\gamma_{A_1}(\wp(\mathbb{N}^{k_{A_1}})) \subseteq \gamma_{A_2}(\wp(\mathbb{N}^{k_{A_2}}))\,.$$

Proof. By definition of the concretization function, $\gamma_A(X) = \bigcup_{m \in X} \gamma_A(\{m\})$. Hence, it is sufficient to prove that

$$\gamma_{A_1}(\{\{m\} \mid m \in \mathbb{N}^{k_{A_1}}\}) \subseteq \gamma_{A_2}(\{\{m\} \mid m \in \mathbb{N}^{k_{A_2}}\})\,.$$

Also by the surjectivity of the abstraction function (which holds by Galois insertion) it is sufficient to prove the following. Let $m \in \mathbb{N}^k$, we denote by $\bar m$ and $\bar m'$ the markings $\alpha_{A_1}(m)$ and $\alpha_{A_2}(m)$, respectively; we show that $\gamma_{A_1}(\bar m) \subseteq \gamma_{A_2}(\bar m')$.

We conclude from $A_1 \preccurlyeq A_2$ that for any $C' \in A_2$ the set $\wp(C') \cap A_1$ is a partition of $C'$, hence that

$$\sum_{C \in \wp(C') \cap A_1} \bar m(C) = \bar m'(C') \qquad (6.1)$$

by definition of $\bar m', \bar m$. Then, we have

$$\begin{array}{lll}
& \{m_1 \in \mathbb{N}^k \mid \sum_{s' \in C'} m_1(s') = \bar m'(C')\} & \\
= & \{m_1 \in \mathbb{N}^k \mid \sum_{s' \in C'} m_1(s') = \sum_{C \in \wp(C') \cap A_1} \bar m(C)\} & \text{by (6.1)} \\
\supseteq & \{m_1 \in \mathbb{N}^k \mid \bigwedge_{C \in \wp(C') \cap A_1} \sum_{s \in C} m_1(s) = \bar m(C)\} & (a = b \wedge c = d) \to (a + c = b + d) \\
= & \bigcap_{C \in \wp(C') \cap A_1} \{m_1 \in \mathbb{N}^k \mid \sum_{s \in C} m_1(s) = \bar m(C)\} & (6.2)
\end{array}$$

Finally,

$$\begin{array}{lll}
\gamma_{A_2}(\{\bar m'\}) &= \bigcap_{C' \in A_2} \{m_1 \in \mathbb{N}^k \mid \sum_{s' \in C'} m_1(s') = \bar m'(C')\} & \text{by def. of } \gamma_{A_2} \\
&\supseteq \bigcap_{C' \in A_2}\ \bigcap_{C \in \wp(C') \cap A_1} \{m_1 \in \mathbb{N}^k \mid \sum_{s \in C} m_1(s) = \bar m(C)\} & \text{by (6.2)} \\
&= \bigcap_{C \in A_1} \{m_1 \in \mathbb{N}^k \mid \sum_{s \in C} m_1(s) = \bar m(C)\} & A_1 \preccurlyeq A_2 \\
&= \gamma_{A_1}(\{\bar m\}) & \text{def. of } \gamma_{A_1} \quad \square
\end{array}$$

Corollary 6.1 Let $A_1, A_2$ be two partitions of $[1..k]$ and let $A = A_1 \curlywedge A_2$, we have

$$\gamma_{A_1}(\wp(\mathbb{N}^{k_{A_1}})) \cup \gamma_{A_2}(\wp(\mathbb{N}^{k_{A_2}})) \subseteq \gamma_A(\wp(\mathbb{N}^{k_A}))\,.$$

So by refining partitions, we refine abstractions. The following result tells us that if two partitions are able to represent a set exactly then their join is also able to represent that set.

Lemma 6.5 Let $A_1, A_2$ be two partitions of $[1..k]$ and let $A = A_1 \curlyvee A_2$. For all $M \subseteq \mathbb{N}^k$ we have

$$\text{if } \left\{\begin{array}{l} \gamma_{A_1} \circ \alpha_{A_1}(M) = M \\ \gamma_{A_2} \circ \alpha_{A_2}(M) = M \end{array}\right\} \text{ then } \gamma_A \circ \alpha_A(M) = M\,. \qquad (6.3)$$

Proof. We first observe that by Lem. 2.10 we have that $\gamma_{A'} \circ \alpha_{A'}(M) \supseteq M$ for each partition $A'$ and each set of markings $M$. We thus concentrate on the reverse inclusion property. Given an abstraction $A$, we define $\mu_A = \gamma_A \circ \alpha_A$. Let $m \in M$ and $m' \in \mu_A(\{m\})$. We will show that there exists a finite sequence $\mu_{A_{i_1}}, \mu_{A_{i_2}}, \ldots, \mu_{A_{i_n}}$ such that $m' \in \mu_{A_{i_1}} \circ \mu_{A_{i_2}} \circ \cdots \circ \mu_{A_{i_n}}(\{m\})$ and $\forall j \in [1..n] : i_j \in [1..2]$. Then we will conclude that $m' \in M$ by the left hand side of (6.3).

It is well known that given a set $S$, the set of partitions of $S$ coincides with the set of equivalence classes in $S$. So we denote by $\equiv_A$ the equivalence relation defined by the partition $A$.

We thus get $m' \in \mu_A(\{m\})$ iff $m'$ may be obtained from $m$ by moving tokens inside the equivalence classes of $\equiv_A$. More precisely, let $v \in \mathbb{N}$, and $a, b$ two distinct elements of $[1..k]$ such that $\langle a, b\rangle \in\, \equiv_A$ and two markings $m_1, m_2 \in \mathbb{N}^k$ such that

$$m_2(q) = \begin{cases} m_1(q) + v & \text{if } q = a \\ m_1(q) - v & \text{if } q = b \\ m_1(q) & \text{otherwise.} \end{cases}$$

Intuitively the marking $m_2$ is obtained from $m_1$ by moving $v$ tokens from $b$ into $a$. So, since on the one hand $b$ and $a$ belong to the same equivalence class and, on the other hand, $m_2$ and $m_1$ contain an equal number of tokens, we find that $m_2 \in \mu_A(\{m_1\})$.

Now, we use the result of [BS81, Thm. 4.6] over the equivalence classes of a set. The theorem states that $\langle a, b\rangle \in\, \equiv_A$ iff there is a sequence of elements $c_1, \ldots, c_{n'}$ of $[1..k]$ such that

$$\langle c_i, c_{i+1}\rangle \in\, \equiv_{A_1} \text{ or } \langle c_i, c_{i+1}\rangle \in\, \equiv_{A_2} \qquad (6.4)$$

for $i \in [1..n-1]$ and $a = c_1$, $b = c_{n'}$. From $c_1, \ldots, c_{n'}$ we define a sequence of $n'$ moves whose global effect is to move $v$ tokens from $b$ into $a$. So given $m_1$, the marking obtained by applying this sequence of $n'$ moves is $m_2$. Moreover, by Eq. (6.4) we have that each move of the sequence is defined inside an equivalence class of $\equiv_{A_1}$ or $\equiv_{A_2}$. Hence each move of the sequence can be done using operator $\mu_{A_1}$ or $\mu_{A_2}$.

Repeated application of the above reasoning shows that $m'$ is obtained by moving tokens of $m$ where moves are given by operators $\mu_{A_1}$ and $\mu_{A_2}$. Formally this finite sequence of moves $\mu_{A_{i_1}}, \mu_{A_{i_2}}, \ldots, \mu_{A_{i_n}}$ is such that

$$\forall j \in [1..n] : i_j \in [1..2] \quad \text{and} \quad m' \in \mu_{A_{i_1}} \circ \mu_{A_{i_2}} \circ \cdots \circ \mu_{A_{i_n}}(\{m\})\,.$$

Finally, the left hand side of (6.3) and monotonicity of $\mu_{A_1}, \mu_{A_2}$ show that $m' \in M$. □

Corollary 6.2 Let $A_1, A_2$ be two partitions of $[1..k]$ and let $A = A_1 \curlyvee A_2$, we have

$$\gamma_{A_1}(\wp(\mathbb{N}^{k_{A_1}})) \cap \gamma_{A_2}(\wp(\mathbb{N}^{k_{A_2}})) \subseteq \gamma_A(\wp(\mathbb{N}^{k_A}))\,.$$

Proposition 6.3 Given $k \in \mathbb{N}$ and $M \subseteq \mathbb{N}^k$, the coarsest partition of $[1..k]$ which represents exactly $M$ exists and is given by

$$\bigcurlyvee \{A \mid \gamma_A \circ \alpha_A(M) = M\}\,.$$

Proof. From Lem. 6.3 there is at least one partition that represents exactly $M$. Moreover by Cor. 6.2 we deduce that $\bigcurlyvee \{A \mid \gamma_A \circ \alpha_A(M) = M\}$ is unique by definition of the lattice of partitions, represents exactly $M$ and is the coarsest. □
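As an added example for Definitions 6.2, 6.3, 6.5 and 6.7 and for Proposition 6.3 (code written for this page, not taken from the thesis or its prototype), the following Python computes $post^*$ of a small constructed lock net, answers the coverability question against a bad set, implements $\alpha_A$, $\gamma_A$, the meet and join of partitions, and obtains the coarsest partition representing the reachable set exactly by joining all exact partitions, as in the proof of Proposition 6.3. The net, its place names and the box-bounded enumeration used for $\gamma_A$ are assumptions of the example.

```python
from itertools import product

# Constructed example net (not from the thesis): two processes compete for one lock.
# Place indices: 0 = idle, 1 = waiting, 2 = critical, 3 = lock.
# Transition indices (matrix columns): 0 = request, 1 = enter, 2 = leave.
K = 4
I = ((1, 0, 0),   # request consumes a token in idle
     (0, 1, 0),   # enter consumes a token in waiting ...
     (0, 0, 1),   # leave consumes the token in critical
     (0, 1, 0))   # ... and the lock token
O = ((0, 0, 1),   # leave returns the process to idle
     (1, 0, 0),   # request moves it to waiting
     (0, 1, 0),   # enter moves it to critical
     (0, 0, 1))   # leave releases the lock
M0 = (2, 0, 0, 1)
T = range(3)

def enabled(m, t):
    """Definition 6.2: t is enabled at m iff I(t) is componentwise below m."""
    return all(I[p][t] <= m[p] for p in range(K))

def fire(m, t):
    """The marking m' with m(t>m', i.e. m' = m - I(t) + O(t)."""
    return tuple(m[p] - I[p][t] + O[p][t] for p in range(K))

def post(X):
    """post_N(X): union over all transitions of post_N[t](X) (Definition 6.3)."""
    return {fire(m, t) for m in X for t in T if enabled(m, t)}

def post_star(m0):
    """lfp of lambda X. {m0} u post(X); the iteration stops because this net is bounded."""
    reach = {m0}
    while True:
        nxt = reach | post(reach)
        if nxt == reach:
            return frozenset(reach)
        reach = nxt

def covers_bad(reach):
    """Coverability question with bad = up-closure of (0,0,2,0): two tokens in critical?"""
    return any(m[2] >= 2 for m in reach)

def partitions(k):
    """Every partition of [0..k-1], each as a frozenset of frozenset classes."""
    def grow(i, classes):
        if i == k:
            yield frozenset(frozenset(c) for c in classes)
            return
        for j in range(len(classes)):          # put element i into an existing class
            yield from grow(i + 1, classes[:j] + [classes[j] + [i]] + classes[j + 1:])
        yield from grow(i + 1, classes + [[i]])  # or open a new class for it
    return list(grow(0, []))

def alpha(A, X):
    """alpha_A of Definition 6.7: sum the coordinates of each class (fixed class order)."""
    classes = sorted(A, key=min)
    return {tuple(sum(x[p] for p in c) for c in classes) for x in X}

def gamma_alpha(A, M):
    """gamma_A(alpha_A(M)) for finite M.  Any preimage of an abstract marking has the
    same total token count as some m in M, so enumerating the box [0..B]^K is exhaustive."""
    B = max(sum(m) for m in M)
    Y = alpha(A, M)
    return {x for x in product(range(B + 1), repeat=K) if next(iter(alpha(A, {x}))) in Y}

def represents_exactly(A, M):
    """M is representable in the abstract domain of A iff gamma_A o alpha_A (M) = M."""
    return gamma_alpha(A, M) == set(M)

def meet(A1, A2):
    """A1 curlywedge A2 of Definition 6.5: all non-empty pairwise intersections."""
    return frozenset(c1 & c2 for c1 in A1 for c2 in A2 if c1 & c2)

def join(A1, A2, k=K):
    """A1 curlyvee A2 of Definition 6.5: union-find over the classes of both partitions."""
    parent = list(range(k))
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    for c in list(A1) + list(A2):
        first, *rest = sorted(c)
        for i in rest:
            parent[find(i)] = find(first)
    roots = {}
    for i in range(k):
        roots.setdefault(find(i), []).append(i)
    return frozenset(frozenset(c) for c in roots.values())

def coarsest_exact_partition(M):
    """Proposition 6.3: join every partition that represents M exactly; by Lemma 6.5
    the result still represents M exactly, and it is the coarsest such partition."""
    exact = [A for A in partitions(K) if represents_exactly(A, M)]
    best = exact[0]
    for A in exact[1:]:
        best = join(best, A)
    assert represents_exactly(best, M)
    return best
```

For the constructed net, `coarsest_exact_partition(post_star(M0))` merges idle and waiting into one class, so the five reachable markings are represented exactly in dimension 3 instead of 4, while merging critical with lock would admit a marking outside the reachable set.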

Below we establish a few technical results which turn out to be useful later on.

Lemma 6.6 Let $A \in \mathcal{A}_{k_A \times k}$, we have

$$\forall m \in \mathbb{N}^k\ \forall \bar m \in \mathbb{N}^{k_A}\ \exists m' \in \mathbb{N}^k : \bar m \leqslant A \cdot m \leftrightarrow (m' \leqslant m \wedge A \cdot m' = \bar m)\,, \qquad (6.5)$$

$$\forall m \in \mathbb{N}^k\ \forall \bar m \in \mathbb{N}^{k_A}\ \exists m' \in \mathbb{N}^k : A \cdot m \leqslant \bar m \leftrightarrow (m \leqslant m' \wedge A \cdot m' = \bar m)\,. \qquad (6.6)$$


Proof. The case "$\leftarrow$" of (6.5) is trivial, so we study directly the case "$\rightarrow$" of (6.5). Consider the system

$$A\cdot x = (A\cdot m - \bar m) \ \wedge\ x \leq m .$$

The system $A\cdot x = (A\cdot m - \bar m)$ has at least one solution in $\mathbb{N}^k$ since $\bar m \leq A\cdot m$ and $A$ gives rise to a surjective mapping. Moreover, among the possible solutions there exists at least one such that $x \leq m$. We denote by $m_\Delta$ such a solution. Let $m'$ be given by $m - m_\Delta$. We have $m' \in \mathbb{N}^k$ since $m_\Delta \leq m$. Then, $m' \leq m$ and

$$\begin{array}{rll}
A\cdot m' &= A\cdot (m - m_\Delta) & \text{def. of } m' \\
&= A\cdot m - A\cdot m_\Delta \\
&= A\cdot m - (A\cdot m - \bar m) \\
&= \bar m
\end{array}$$

Again the case "$\leftarrow$" of (6.6) is trivial, so we study the case "$\rightarrow$" of (6.6). Lemma 2.10 shows that $\alpha$ is additive, which implies that $\alpha(X) = \bigcup_{x \in X} \{A\cdot x\}$ by definition of $\alpha$. So, we rewrite (6.6) as follows:

$$\forall m\ \forall \bar m\ \exists m' : \alpha(m) \leq \bar m \leftrightarrow (m \leq m' \wedge \alpha(m') = \bar m) .$$

Then let $\bar m_\Delta = \bar m - \alpha(m)$; we have $\bar m_\Delta \in \mathbb{N}^{k_A}$. Finally set $m_d \in \gamma(\bar m_\Delta)$ and $m' = m + m_d$; we have

$$\begin{array}{rll}
\alpha(m') &= \alpha(m + m_d) & \text{def. of } m' \\
&= A\cdot (m + m_d) & \text{def. of } \alpha \\
&= A\cdot m + A\cdot m_d & \text{prop. of matrix product} \\
&= \alpha(m) + \alpha(m_d) & \text{def. of } \alpha \\
&= \alpha(m) + \bar m_\Delta & \text{Galois insertion } (\alpha, \gamma), \text{ def. of } m_d \\
&= \bar m & \text{def. of } \bar m_\Delta \qquad \square
\end{array}$$

The following result basically says that each closed set, whenever abstracted or concretized, is still a closed set.

Lemma 6.7 Let $A \in \mathbb{A}^{k_A \times k}$, $X \subseteq \mathbb{N}^k$ and $Y \subseteq \mathbb{N}^{k_A}$; we have

$$\alpha \circ \mathord{\uparrow}(X) = \mathord{\uparrow} \circ \alpha(X) , \tag{6.7}$$

$$\alpha \circ \mathord{\downarrow}(X) = \mathord{\downarrow} \circ \alpha(X) , \tag{6.8}$$

$$\gamma \circ \mathord{\uparrow}(Y) = \mathord{\uparrow} \circ \gamma(Y) , \tag{6.9}$$

$$\gamma \circ \mathord{\downarrow}(Y) = \mathord{\downarrow} \circ \gamma(Y) . \tag{6.10}$$


Proof. We establish (6.8) using (6.5) of Lem. 6.6, which shows that:

$$\begin{array}{rll}
& \forall m\ \forall \bar m\ \exists m' : \bar m \leq A\cdot m \leftrightarrow (m' \leq m \wedge A\cdot m' = \bar m) \\
\Leftrightarrow & \forall m\ \forall \bar m\ \exists m' : \bar m \leq \alpha(m) \leftrightarrow (m' \leq m \wedge \alpha(m') = \bar m) & \text{def. of } \alpha \\
\Leftrightarrow & \forall m\ \forall \bar m : \bar m \in \mathord{\downarrow} \circ \alpha(m) \leftrightarrow \bar m \in \alpha \circ \mathord{\downarrow}(\{m\}) & \text{def. of } \downarrow \\
\Leftrightarrow & \forall X \subseteq \mathbb{N}^k : \mathord{\downarrow} \circ \alpha(X) = \alpha \circ \mathord{\downarrow}(X)
\end{array}$$

Again we establish (6.9) using (6.5) of Lem. 6.6, which shows that:

$$\begin{array}{rll}
& \forall m\ \forall \bar m\ \exists m' : \bar m \leq A\cdot m \leftrightarrow (m' \leq m \wedge A\cdot m' = \bar m) \\
\Leftrightarrow & \forall m\ \forall \bar m\ \exists m' : \bar m \leq \alpha(m) \leftrightarrow (m' \leq m \wedge \alpha(m') = \bar m) & \text{def. of } \alpha \\
\Leftrightarrow & \forall m\ \forall \bar m\ \exists m' : \alpha(m) \in \mathord{\uparrow}(\bar m) \leftrightarrow (m' \leq m \wedge \alpha(m') = \bar m) & \text{def. of } \uparrow \\
\Leftrightarrow & \forall m\ \forall \bar m\ \exists m' : m \in \gamma \circ \mathord{\uparrow}(\bar m) \leftrightarrow (m' \leq m \wedge m' \in \gamma(\bar m)) & \text{Galois insertion } (\alpha, \gamma) \\
\Leftrightarrow & \forall m\ \forall \bar m : m \in \gamma \circ \mathord{\uparrow}(\bar m) \leftrightarrow m \in \mathord{\uparrow} \circ \gamma(\bar m) & \text{def. of } \uparrow \\
\Leftrightarrow & \forall Y \subseteq \mathbb{N}^{k_A} : \gamma \circ \mathord{\uparrow}(Y) = \mathord{\uparrow} \circ \gamma(Y)
\end{array}$$

We establish (6.7) using (6.6) of Lem. 6.6, which shows that:

$$\begin{array}{rll}
& \forall m\ \forall \bar m\ \exists m' : A\cdot m \leq \bar m \leftrightarrow (m \leq m' \wedge A\cdot m' = \bar m) \\
\Leftrightarrow & \forall m\ \forall \bar m\ \exists m' : \alpha(m) \leq \bar m \leftrightarrow (m \leq m' \wedge \alpha(m') = \bar m) & \text{def. of } \alpha \\
\Leftrightarrow & \forall m\ \forall \bar m : \bar m \in \mathord{\uparrow} \circ \alpha(m) \leftrightarrow \bar m \in \alpha \circ \mathord{\uparrow}(\{m\}) & \text{def. of } \uparrow \\
\Leftrightarrow & \forall X \subseteq \mathbb{N}^k : \mathord{\uparrow} \circ \alpha(X) = \alpha \circ \mathord{\uparrow}(X)
\end{array}$$

Finally, we establish (6.10) using (6.6) of Lem. 6.6, which shows that:

$$\begin{array}{rll}
& \forall m\ \forall \bar m\ \exists m' : A\cdot m \leq \bar m \leftrightarrow (m \leq m' \wedge A\cdot m' = \bar m) \\
\Leftrightarrow & \forall m\ \forall \bar m\ \exists m' : \alpha(m) \leq \bar m \leftrightarrow (m \leq m' \wedge \alpha(m') = \bar m) & \text{def. of } \alpha \\
\Leftrightarrow & \forall m\ \forall \bar m\ \exists m' : \alpha(m) \in \mathord{\downarrow}(\bar m) \leftrightarrow (m \leq m' \wedge \alpha(m') = \bar m) & \text{def. of } \downarrow \\
\Leftrightarrow & \forall m\ \forall \bar m\ \exists m' : m \in \gamma \circ \mathord{\downarrow}(\bar m) \leftrightarrow (m \leq m' \wedge m' \in \gamma(\bar m)) & \text{Gal

ois insertion } (\alpha, \gamma) \\
\Leftrightarrow & \forall m\ \forall \bar m : m \in \gamma \circ \mathord{\downarrow}(\bar m) \leftrightarrow m \in \mathord{\downarrow} \circ \gamma(\bar m) & \text{def. of } \downarrow \\
\Leftrightarrow & \forall Y \subseteq \mathbb{N}^{k_A} : \gamma \circ \mathord{\downarrow}(Y) = \mathord{\downarrow} \circ \gamma(Y) \qquad \square
\end{array}$$

It follows that the Galois insertion holds between the restriction of the abstract and concrete domains to the $\leq$-dc-sets.

Corollary 6.3 Let $A \in \mathbb{A}^{k_A \times k}$; we have that $\mathit{DPL}(\mathbb{N}^k) \underset{\gamma}{\overset{\alpha}{\rightleftarrows}} \mathit{DPL}(\mathbb{N}^{k_A})$ is a Galois insertion.


Effectivity

Given a Petri net, we notice that for each abstract domain in the family, as well as for the concrete domain (viz. $\mathit{PL}(\mathbb{N}^k)$), values are given by (infinite) sets of markings. Since we want to represent and manipulate those values, we need an effective representation as well as algorithms to manipulate it. The situation is much more complicated if the values to represent and manipulate are arbitrary sets of markings. However, the situation is better whenever the values we manipulate are $\leq$-closed sets of markings, for which there exist well-known algorithms and data structures [Gan02, GMD+07].

After the instantiation of Alg. 4 is completed, we will see that, in the proposed solution to the coverability problem for Petri nets, every manipulated set (abstract or concrete) is a $\leq$-dc-set of markings. We have already seen, at Lem. 6.7, that every $\leq$-dc-set which is concretized or abstracted remains a $\leq$-dc-set.

This clearly advocates for the definition of an effective representation for $\leq$-dc-sets of markings. This representation has to come with a set of effective manipulations, all of which are formalized in the following definition. Moreover the following lemma states that $\leq$-dc-sets are closed under the application of the predicate transformer $\widetilde{\mathit{pre}}$.

Lemma 6.8 Given a Petri net $N = (P, T, F, m_0)$ and a set $S \in \mathit{DCS}(\mathbb{N}^k)$, we have $\widetilde{\mathit{pre}}_N(S) \in \mathit{DCS}(\mathbb{N}^k)$ and $\widetilde{\mathit{pre}}_N[t](S) \in \mathit{DCS}(\mathbb{N}^k)$ for every $t \in T$.

Proof. Lemma 6.1 allows us to reuse the result of Lem. 2.9, which shows that $\widetilde{\mathit{pre}}_N(S) \in \mathit{DCS}(\mathbb{N}^k)$ for any $S \in \mathit{DCS}(\mathbb{N}^k)$. The result for transition $t$ is proved by considering a Petri net which coincides with $N$ except for $T$, which is given by $T = \{t\}$. $\square$

Definition 6.9 (an effective representation for $\leq$-dc-sets) Let $\{I_j\}_{j \in J}$ be a family of effective representations for $\leq$-dc-sets of markings and let $I$ be a member of the family; we denote by $\llbracket I \rrbracket$ the $\leq$-dc-set of markings it actually represents. We say the family is a proper effective representation for $\leq$-dc-sets if

• for each $\leq$-dc-set of markings $W$ there exists $j \in J$ such that $W = \llbracket I_j \rrbracket$;

• there is an algorithm which, given $I_1, I_2$, returns $I$ such that $\llbracket I \rrbracket = \llbracket I_1 \rrbracket \cap \llbracket I_2 \rrbracket$;

• there is an algorithm which, given $I_1, I_2$, decides if $\llbracket I_1 \rrbracket \subseteq \llbracket I_2 \rrbracket$;

• given a Petri net $N = (P, T, F, m_0)$ and $t \in T$, there exists an algorithm which, given $I$ such that $\llbracket I \rrbracket$ represents markings of $N$, returns $I^{\rightarrow}_t$ such that $\llbracket I^{\rightarrow}_t \rrbracket = \mathord{\downarrow} \circ \mathit{post}_N[t](\llbracket I \rrbracket)$;

• under the previous hypothesis, there exists an algorithm which, given $I$, returns $I^{\leftarrow}_t$ such that $\llbracket I^{\leftarrow}_t \rrbracket = \widetilde{\mathit{pre}}_N[t](\llbracket I \rrbracket)$;

• given an abstraction $A$ of the family of def. 6.8, there exists an algorithm which, given $I$, returns $I_\alpha$ (resp. $I_\gamma$) such that $\llbracket I_\alpha \rrbracket = \alpha(\llbracket I \rrbracket)$ (resp. $\llbracket I_\gamma \rrbracket = \gamma(\llbracket I \rrbracket)$).

Despite the long list of requirements, there are several effective representations which support all of them. We restrict ourselves to a brief discussion of these representations and the associated manipulations. We also give references where the interested reader can find further details.

ω-markings. The first effective representation is given by the ω-markings, which extend the definition of markings with a special value $\omega$. Let $\mathbb{N}_\omega$ be given by $\mathbb{N} \cup \{\omega\}$ where $\omega$ is a new element capturing the notion of something being "arbitrarily large". We assume the following arithmetic for $\omega$: $\forall c \in \mathbb{N} : c < \omega$; furthermore, we have $\omega + c = \omega - c = \omega$ for all $c \in \mathbb{N}_\omega$. We extend markings to ω-markings, which assign a value $c \in \mathbb{N}_\omega$ to each place. The ordering $\leq$ on markings is extended to ω-markings in the obvious way. Let $\mathbb{N}_\omega^k$ denote the set of ω-markings of dimension $k$. Given $M \subseteq \mathbb{N}_\omega^k$, let $\llbracket M \rrbracket$ denote the set of markings represented by $M$, that is $\mathord{\downarrow}M \cap \mathbb{N}^k$. It is routine to check that for each $M \subseteq \mathbb{N}_\omega^k$, $\llbracket M \rrbracket \in \mathit{DCS}(\mathbb{N}^k)$. Moreover for each $S \in \mathit{DCS}(\mathbb{N}^k)$ there exists a finite subset $M \subseteq \mathbb{N}_\omega^k$ such that $\llbracket M \rrbracket = S$. Regarding the manipulation of finite sets of ω-markings we have:

intersection. Given $M_1, M_2 \subseteq \mathbb{N}_\omega^k$, we define

$$V = \{v \in \mathbb{N}_\omega^k \mid v(i) = \min(m_1(i), m_2(i)) \text{ where } i \in [1..k],\ m_1 \in M_1 \text{ and } m_2 \in M_2\} .$$

In the above definition, it is easy to check that $\llbracket v \rrbracket = \llbracket m_1 \rrbracket \cap \llbracket m_2 \rrbracket$, hence that $\llbracket V \rrbracket = \llbracket M_1 \rrbracket \cap \llbracket M_2 \rrbracket$.

inclusion. Let $M_1, M_2 \subseteq \mathbb{N}_\omega^k$; then $\llbracket M_1 \rrbracket \subseteq \llbracket M_2 \rrbracket$ if and only if $\forall m_1 \in M_1\ \exists m_2 \in M_2 : m_1 \leq m_2$.

$\mathord{\downarrow} \circ \mathit{post}_N$ for a transition $t$. For a detailed definition, we refer the reader to the construction of the Karp & Miller tree given in [KM69].

$\widetilde{\mathit{pre}}_N$ for a transition $t$. Recall that $\widetilde{\mathit{pre}}_N[t]$ coincides with $\lambda X.\ \neg \circ \mathit{pre}_N[t] \circ \neg(X)$. Regarding the complement operation, if the argument is a $\leq$-dc-set of markings we find that it returns a $\leq$-uc-set of markings, and vice versa. Here the $\leq$-dc-set is given by a finite set $M$ of ω-markings and what we want to compute are the minimal elements of the $\leq$-uc-set. We can do so using the algorithm of [VJ85]. We quote their main theorem: "For each $U \in \mathit{UCS}(\mathbb{N}^k)$, $\min(U)$ is effectively computable iff for every $v \in \mathbb{N}_\omega^k$, the problem '$\llbracket v \rrbracket \cap U \neq \emptyset$' is decidable." In our setting we rewrite the above problem as follows: $\llbracket v \rrbracket \not\subseteq \neg U$ where $\neg U$ is given by $\llbracket M \rrbracket$. Hence the problem asks if $\llbracket v \rrbracket \not\subseteq \llbracket M \rrbracket$ holds. From the previous point we know this latter problem is decidable. We thus obtain a finite set $V$ of markings. The next step is to compute the minimal elements of $\mathit{pre}_N[t](\mathord{\uparrow}V)$. We do so following the algorithms given in [DR00]. We call the resulting finite set of markings $V'$. For the remaining complementation, a finite set $M$ of ω-markings such that $\llbracket M \rrbracket = \neg(\mathord{\uparrow}V')$ can be obtained as follows. Let $c \in \mathbb{N}$ be the greatest constant appearing in the markings of $V'$. The set $M' = \{m \in \mathbb{N}_\omega^k \mid \llbracket m \rrbracket \cap \mathord{\uparrow}V' = \emptyset\}$ is such that $\llbracket M' \rrbracket = \neg(\mathord{\uparrow}V')$, but $M'$ may be infinite. So we show that the set $M$ given by $M' \cap ([0..c] \cup \{\omega\})^k$ is such that $\llbracket M \rrbracket = \neg(\mathord{\uparrow}V')$. Moreover this set can be obtained by enumerating the elements of the finite set $([0..c] \cup \{\omega\})^k$. In fact, consider an ω-marking $m$ such that $\llbracket m \rrbracket \cap \mathord{\uparrow}V' = \emptyset$. Such an $m$ satisfies $\forall v' \in V' : v' \not\leq m$. It follows that for each $v' \in V'$ there exists some component $i \in [1..k]$ such that $v'(i) > m(i)$, hence that $m(i) \leq c$ by def. of $c$. Let $j \neq i$; if $m(j) > c$ then any marking $m'$ which coincides with $m$ on all components but $j$, where $m'(j) = \omega$, is such that $v' \not\leq m'$ and $\llbracket m \rrbracket \subseteq \llbracket m' \rrbracket$. Hence we have shown that it is sufficient to restrict the enumeration to the values $[0..c] \cup \{\omega\}$.

$\alpha$ for a matrix $A$. Given a finite set $W$ of ω-markings, the set of ω-markings $W_\alpha$ such that $\llbracket W_\alpha \rrbracket = \alpha(\llbracket W \rrbracket)$ is given by $\alpha(W)$. Since $W$ is finite, so is $\alpha(W)$.

$\gamma$ for a matrix $A$. Given a finite set $W$ of ω-markings, the set of ω-markings $W_\gamma$ such that $\llbracket W_\gamma \rrbracket = \gamma(\llbracket W \rrbracket)$ is given by $\gamma(W)$. However, since $\omega + c = \omega$, the set $\gamma(W)$ might be infinite. Since we want a finite set, each time we need to "decompose" $\omega$ into a sum given by $A$ we only consider the case $\omega + \omega = \omega$. The resulting set $W'$ of ω-markings is finite and is such that $\llbracket W' \rrbracket = \gamma(\llbracket W \rrbracket)$.

IST. Another effective representation which satisfies the above list of requirements is given by the Interval Sharing Trees (IST for short). ISTs are a symbolic representation to manipulate (possibly infinite) sets of $k$-tuples such as markings. We refer the reader to [Gan02, GMD+07] for further material. In the experiments of Sect. 6.4, we use ISTs.
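As an added illustration of the ω-marking representation described above (example code written for this page; it is not code from the thesis nor from any of the tools it cites), the following Python block implements the componentwise-minimum intersection, the inclusion test, and the $\alpha$/$\gamma$ manipulations for a place partition, including the $\omega + \omega = \omega$ restriction that keeps $\gamma(W)$ finite. It checks $\llbracket V \rrbracket = \llbracket M_1 \rrbracket \cap \llbracket M_2 \rrbracket$ and $\llbracket \gamma(W) \rrbracket = \gamma(\llbracket W \rrbracket)$ by brute force on a bounded box. $\omega$ is modelled as floating-point infinity; the sample ω-markings and the partition are constructed for the demonstration.

```python
from itertools import product

OMEGA = float("inf")  # the value omega: c < omega for every c in N, and omega + c = omega


def leq(u, v):
    """Componentwise ordering on (omega-)markings; omega is the largest value."""
    return all(a <= b for a, b in zip(u, v))


def intersect(M1, M2):
    """Finite set V with [[V]] = [[M1]] ∩ [[M2]]: componentwise minimum of every pair."""
    return {tuple(min(a, b) for a, b in zip(m1, m2)) for m1 in M1 for m2 in M2}


def included(M1, M2):
    """[[M1]] ⊆ [[M2]] iff every m1 in M1 is dominated by some m2 in M2."""
    return all(any(leq(m1, m2) for m2 in M2) for m1 in M1)


def alpha_omega(W, partition):
    """alpha on omega-markings: sum the places of each class (a sum containing omega is omega)."""
    return {tuple(sum(w[p] for p in C) for C in partition) for w in W}


def compositions(total, parts):
    """All ways to split a finite total over `parts` places, e.g. 2 over 2 places: (0,2),(1,1),(2,0)."""
    if parts == 1:
        yield (total,)
        return
    for first in range(total + 1):
        for rest in compositions(total - first, parts - 1):
            yield (first,) + rest


def gamma_omega(W_abs, partition):
    """gamma on omega-markings. A finite class value is split over the class in every
    way; an omega value is only decomposed as omega + ... + omega, which keeps the
    result finite (the restriction described in the text)."""
    k = sum(len(C) for C in partition)
    result = set()
    for w in W_abs:
        choices = []
        for C, c in zip(partition, w):
            if c == OMEGA:
                choices.append([(OMEGA,) * len(C)])
            else:
                choices.append(list(compositions(c, len(C))))
        for combo in product(*choices):
            m = [0] * k
            for C, vals in zip(partition, combo):
                for p, v in zip(C, vals):
                    m[p] = v
            result.add(tuple(m))
    return result


def denotation(M, bound):
    """Brute-force [[M]] = ↓M ∩ N^k restricted to the box [0..bound]^k (for checking only)."""
    k = len(next(iter(M)))
    return {m for m in product(range(bound + 1), repeat=k) if any(leq(m, w) for w in M)}


# Constructed sample data: two finite sets of omega-markings over k = 3 places
# (0-based indices) and a partition merging places 0 and 1 into one abstract place.
M1 = {(OMEGA, 1, 0), (2, OMEGA, OMEGA)}
M2 = {(3, 3, 1)}
PARTITION = [[0, 1], [2]]


def check_intersection(bound=5):
    """[[intersect(M1, M2)]] must equal [[M1]] ∩ [[M2]] on the box."""
    return denotation(intersect(M1, M2), bound) == denotation(M1, bound) & denotation(M2, bound)


def check_gamma(W_abs, bound=4):
    """[[gamma_omega(W)]] must equal gamma([[W]]) = {m | A·m ∈ [[W]]} on the box.
    Class sums of a box marking can reach 3*bound, so the abstract side uses that bound."""
    abs_sem = denotation(W_abs, 3 * bound)
    expected = {m for m in product(range(bound + 1), repeat=3)
                if tuple(sum(m[p] for p in C) for C in PARTITION) in abs_sem}
    return denotation(gamma_omega(W_abs, PARTITION), bound) == expected
```

The inclusion test is the one stated in the text: no denotation is enumerated, only dominance between the finite representatives; `denotation` exists solely to validate the manipulations on a box.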

6.3.3 Forward Reasoning

As suggested by the guidelines and Alg. 4, we instantiate the forward reasoning for Petri nets. For the value $R_i$, we show our definition satisfies the requirement of line 3. We do so for each abstract domain of the family defined at def. 6.8. Besides satisfying the requirement, it turns out in Prop. 6.5 that the definition also meets our need to reduce the dimensionality of the manipulated sets. We provide an effective characterization of the test of line 4 as well.

Definition 6.10 (Forward Reasoning (Petri nets)) Let $N$ be a Petri net given by $(P, T, F, m_0)$, and $Z \subseteq \mathbb{N}^k$, for each abstract domain $(\mathit{PL}(\mathbb{N}^{k_A}), \alpha_A, \gamma_A)$ of the family of def. 6.8. We define $R$ to be $\hat R \cap \alpha_A(Z)$ where $\hat R \in \mathit{postfp}(\lambda X.\ \alpha_A(m_0 \cup \mathit{post}_N(\gamma_A(X))))$. $\square$


The next proposition establishes that the previous definition satisfies the requirement of line 3. Since the previous definition is intended to be used in the context of the instantiated Alg. 4, we assume that the value $Z$ is such that $\gamma_A \circ \alpha_A(Z) = Z$ by virtue of Lem. 3.12.

Proposition 6.4 Let $N$ be a Petri net given by $(P, T, F, m_0)$; for each abstract domain $(\mathit{PL}(\mathbb{N}^{k_A}), \alpha_A, \gamma_A)$ of the family of def. 6.8 and for each $Z \subseteq \mathbb{N}^k$ such that $\gamma_A \circ \alpha_A(Z) = Z$, the value $R$ given at def. 6.10 satisfies the requirement given at line 3 in Alg. 4:

$$\alpha_A(\mathit{lfp}\,\lambda X.\ m_0 \cup \mathit{post}_N(X)) \subseteq R \subseteq \alpha_A(Z) .$$

Proof. We establish the first inclusion by showing that $R \in \mathit{postfp}(\lambda X.\ \alpha_A((m_0 \cup \mathit{post}_N(\gamma_A(X))) \cap Z))$, hence that $\mathit{lfp}\,\lambda X.\ \alpha_A(m_0 \cup \mathit{post}_N(\gamma_A(X))) \subseteq R$ by prop. of lfp (see (2.1)), and finally that $\alpha_A(\mathit{lfp}\,\lambda X.\ m_0 \cup \mathit{post}_N(X)) \subseteq R$ by Prop. 2.4. Thus the proof goes as follows

$$\begin{array}{rll}
& \alpha_A(m_0 \cup \mathit{post}_N(\gamma_A(\hat R))) \subseteq \hat R & \text{def. 6.10} \\
\Leftrightarrow & m_0 \cup \mathit{post}_N(\gamma_A(\hat R)) \subseteq \gamma_A(\hat R) & \text{Galois connection } (\alpha_A, \gamma_A) \\
\Rightarrow & (m_0 \cup \mathit{post}_N(\gamma_A(\hat R))) \cap Z \subseteq \gamma_A(\hat R) \cap Z \\
\Rightarrow & (m_0 \cup \mathit{post}_N(\gamma_A(\hat R) \cap Z)) \cap Z \subseteq \gamma_A(\hat R) \cap Z & \mathit{post}_N \text{ monotonicity} \\
\Rightarrow & (m_0 \cup \mathit{post}_N(\gamma_A(\hat R) \cap \gamma_A \circ \alpha_A(Z))) \cap Z \subseteq \gamma_A(\hat R) \cap \gamma_A \circ \alpha_A(Z) & \gamma_A \circ \alpha_A(Z) = Z \\
\Rightarrow & (m_0 \cup \mathit{post}_N(\gamma_A(\hat R \cap \alpha_A(Z)))) \cap Z \subseteq \gamma_A(\hat R \cap \alpha_A(Z)) & \gamma_A \text{ coadditivity} \\
\Leftrightarrow & \alpha_A((m_0 \cup \mathit{post}_N(\gamma_A(\hat R \cap \alpha_A(Z)))) \cap Z) \subseteq \hat R \cap \alpha_A(Z) & \text{Galois connection } (\alpha_A, \gamma_A) \\
\Leftrightarrow & \alpha_A((m_0 \cup \mathit{post}_N(\gamma_A(R))) \cap Z) \subseteq R & \text{def. of } R \\
\Leftrightarrow & R \in \mathit{postfp}(\lambda X.\ \alpha_A((m_0 \cup \mathit{post}_N(\gamma_A(X))) \cap Z))
\end{array}$$

The second inclusion follows from $\hat R \cap \alpha_A(Z) \subseteq \alpha_A(Z)$. Hence $R \subseteq \alpha_A(Z)$. $\square$

Let us turn to the definition of $R$ given at def. 6.10. By the additivity of $\alpha_A$, the function $\lambda X.\ \alpha_A(m_0 \cup \mathit{post}_N(\gamma_A(X)))$ is equal to $\lambda X.\ \alpha_A(m_0) \cup \alpha_A \circ \mathit{post}_N \circ \gamma_A(X)$. Since $\alpha_A(m_0)$ has to be computed only once, we focus on computing the result of applying $\lambda X.\ \alpha_A \circ \mathit{post}_N \circ \gamma_A(X)$. This definition naturally suggests to concretize the argument, then apply $\mathit{post}_N$ and finally to abstract its result.

We now discuss the computational cost of explicitly evaluating $\gamma$ on a finite set of markings. The explicit computation of $\gamma$ is in general costly: in our setting, it happens that given a finite subset $M$ of markings the set $\gamma(M)$ could be exponentially larger. In fact, let $A$ be a partition of $[1..k]$ given by $\{C_i\}_{i \in [1..k_A]}$ and let $\bar m \in \mathbb{N}^{k_A}$; we have

$$|\gamma_A(\bar m)| = \prod_{i \in [1..k_A]} \binom{\bar m(i) + |C_i| - 1}{|C_i| - 1} .$$

Hence the explicit evaluation of $\gamma$ to evaluate $\lambda X.\ \alpha \circ \mathit{post}_N \circ \gamma(X)$ leads to inefficient algorithms.


Since we are interested in defining an efficient instantiated forward reasoning, below we give a characterization of $\lambda X.\ \alpha \circ \mathit{post}_N \circ \gamma(X)$ which does not explicitly evaluate $\gamma$. In fact, we show that the evaluation of $\lambda X.\ \alpha \circ \mathit{post}_N \circ \gamma(X)$ reduces to computing $\mathit{post}$ on a Petri net which is defined below. This way, we avoid the costly explicit computation of $\gamma$.

More precisely, we show that given a Petri net $N$ with $k$ places and $A \in \mathbb{A}^{k_A \times k}$, we can associate a Petri net $\bar N$ with $k_A$ places such that $\lambda X.\ \mathit{post}_{\bar N}(X)$ coincides with $\lambda X.\ \alpha_A \circ \mathit{post}_N \circ \gamma_A(X)$. Note that we mitigate the dimensionality problem by evaluating in $\mathit{PL}(\mathbb{N}^{k_A})$ only.

Definition 6.11 (Abstract net) Let $N$ be a Petri net given by $(P, T, F, m_0)$ and let $A \in \mathbb{A}^{k_A \times k}$. We define the tuple $(\bar P, T, \bar F, \bar m_0)$ where

• $\bar P$ is a set of $k_A$ places (one for each class of the partition $A$),

• $\bar F = (\bar I, \bar O)$ is such that $\bar I \stackrel{\text{def}}{=} A\cdot I$ and $\bar O \stackrel{\text{def}}{=} A\cdot O$,

• $\bar m_0$ is given by $A\cdot m_0$.

Since $\bar m_0 \in \mathbb{N}^{|\bar P|}$ and $\bar I, \bar O \in \mathbb{N}^{(|\bar P|, |T|)}$, the tuple defines a Petri net denoted $\bar N$. $\square$

Proposition 6.5 Given a Petri net $N = (P, T, F, m_0)$, $A \in \mathbb{A}^{k_A \times k}$ and the Petri net $\bar N$ given by def. 6.11, we have

$$\lambda X.\ \alpha \circ \mathit{post}_N \circ \gamma(X) = \lambda X.\ \mathit{post}_{\bar N}(X) .$$

Proof. Recall that $\mathit{post}_N = \lambda X.\ \bigcup_{t \in T} \mathit{post}_N[t](X)$. Thus, for $t \in T$, we show that $\alpha \circ \mathit{post}_N[t] \circ \gamma(\bar m) = \mathit{post}_{\bar N}[t](\bar m)$. Then the additivity of $\alpha$ shows the desired result.

For each $t \in T$, for each $\bar m \in \mathbb{N}^{k_A}$,

$$\begin{array}{rll}
& \alpha \circ \mathit{post}_N[t] \circ \gamma(\bar m) \\
= & \alpha \circ \mathit{post}_N[t](\{m \mid m \in \gamma(\bar m)\}) \\
= & \alpha(\{m - I(t) + O(t) \mid m \in \gamma(\bar m) \wedge I(t) \leq m\}) & \text{def. 6.2} \\
= & \{A\cdot (m - I(t) + O(t)) \mid m \in \gamma(\bar m) \wedge I(t) \leq m\} & \text{def. 6.7} \\
= & \{A\cdot m - A\cdot I(t) + A\cdot O(t) \mid m \in \gamma(\bar m) \wedge I(t) \leq m\} \\
= & \{\alpha(m) - A\cdot I(t) + A\cdot O(t) \mid m \in \gamma(\bar m) \wedge I(t) \leq m\} & \text{def. of } \alpha \\
= & \{\bar m - A\cdot I(t) + A\cdot O(t) \mid m \in \gamma(\bar m) \wedge I(t) \leq m\} & \text{Galois insertion } (\alpha, \gamma) \\
= & \{\bar m - \bar I(t) + \bar O(t) \mid m \in \gamma(\bar m) \wedge I(t) \leq m\} & \text{def. 6.11} \\
= & \{\bar m - \bar I(t) + \bar O(t) \mid \{I(t)\} \subseteq \mathord{\downarrow} \circ \gamma(\bar m)\} & \text{def. of } \downarrow \\
= & \{\bar m - \bar I(t) + \bar O(t) \mid \{I(t)\} \subseteq \gamma \circ \mathord{\downarrow}(\bar m)\} & \text{Lem. 6.7} \\
= & \{\bar m - \bar I(t) + \bar O(t) \mid \alpha(\{I(t)\}) \subseteq \mathord{\downarrow}(\bar m)\} & \text{Galois insertion } (\alpha, \gamma) \\
= & \{\bar m - \bar I(t) + \bar O(t) \mid \bar I(t) \leq \bar m\} & \text{def. 6.11} \\
= & \mathit{post}_{\bar N}[t](\bar m) & \text{def. 6.2} \qquad \square
\end{array}$$
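To make Def. 6.11 and Prop. 6.5 concrete, here is an added Python example (written for this page; it is not code from the thesis or from any checker it cites). It builds the abstract net $\bar N$ from a partition by folding $I$, $O$ and $m_0$ through $A$, then checks, by enumerating $\gamma(\bar m)$ for every abstract marking of a small box, that $\alpha \circ \mathit{post}_N[t] \circ \gamma(\bar m)$ equals $\mathit{post}_{\bar N}[t](\bar m)$. It also implements the condition $\varphi_t$ used later in Lem. 6.14. The three-place net, its transitions and the partition are constructed for the demonstration.

```python
from itertools import product

# Constructed sample Petri net with k = 3 places (0-based) and three transitions,
# given by their input and output vectors I(t), O(t) as in Def. 6.2.
I = {"t1": (1, 0, 0), "t2": (0, 1, 0), "t3": (0, 0, 1)}
O = {"t1": (0, 1, 0), "t2": (0, 0, 1), "t3": (1, 0, 0)}
M0 = (1, 0, 0)
PARTITION = [[0, 1], [2]]  # the matrix A merges places 0 and 1 into one abstract place


def fold(vec, partition):
    """A·vec: add up the components of each class of the partition."""
    return tuple(sum(vec[p] for p in C) for C in partition)


def abstract_net(I, O, m0, partition):
    """Def. 6.11: Ibar = A·I, Obar = A·O, m0bar = A·m0; the transition set is unchanged."""
    Ibar = {t: fold(v, partition) for t, v in I.items()}
    Obar = {t: fold(v, partition) for t, v in O.items()}
    return Ibar, Obar, fold(m0, partition)


def post_t(I, O, t, m):
    """post[t]({m}): fire t from m when I(t) <= m, giving {m - I(t) + O(t)}, else empty."""
    if all(i <= x for i, x in zip(I[t], m)):
        return {tuple(x - i + o for x, i, o in zip(m, I[t], O[t]))}
    return set()


def alpha(M, partition):
    """alpha_A(M) = {A·m | m in M}."""
    return {fold(m, partition) for m in M}


def gamma(mbar, partition):
    """gamma_A({mbar}) = {m | A·m = mbar}. Every component of such an m is at most
    max(mbar), so enumerating the box [0..max(mbar)]^k is exhaustive."""
    k = sum(len(C) for C in partition)
    bound = max(mbar) if mbar else 0
    return {m for m in product(range(bound + 1), repeat=k) if fold(m, partition) == mbar}


def best_abstract_post(I, O, t, mbar, partition):
    """The costly route of the text: alpha ∘ post_N[t] ∘ gamma(mbar), evaluating gamma explicitly."""
    return alpha({m2 for m in gamma(mbar, partition) for m2 in post_t(I, O, t, m)}, partition)


def check_prop65(I, O, m0, partition, bound=3):
    """Prop. 6.5 on every abstract marking of [0..bound]^kA and every transition:
    alpha ∘ post_N[t] ∘ gamma must coincide with post_Nbar[t] on the abstract net."""
    Ibar, Obar, _ = abstract_net(I, O, m0, partition)
    for mbar in product(range(bound + 1), repeat=len(partition)):
        for t in I:
            if best_abstract_post(I, O, t, mbar, partition) != post_t(Ibar, Obar, t, mbar):
                return False
    return True


def phi(Ibar, partition, t):
    """phi_t of Lem. 6.14: some merged class (|C_i| > 1) is an input place of t in Nbar.
    For such t the best abstract pre-tilde is the whole abstract domain (Prop. 6.8)."""
    return any(len(C) > 1 and Ibar[t][i] > 0 for i, C in enumerate(partition))
```

The point of `check_prop65` is that the right-hand side never touches $\gamma$: once $\bar I$ and $\bar O$ are folded, firing in $\bar N$ is an ordinary Petri net step in dimension $k_A$, which is exactly the saving the text is after.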

The consequences of Prop. 6.5 are twofold. First, it gives a way to compute $\lambda X.\ \alpha \circ \mathit{post}_N \circ \gamma(X)$ without evaluating $\gamma$ explicitly: $\lambda X.\ \mathit{post}_{\bar N}(X) = \lambda X.\ \alpha \circ \mathit{post}_N \circ \gamma(X)$. This allows us to reformulate the definition of line 3 as follows.

Corollary 6.4 Let $N = (P, T, F, m_0)$ be a Petri net, let $Z \subseteq \mathbb{N}^k$, for each abstract domain $(\mathit{PL}(\mathbb{N}^{k_A}), \alpha_A, \gamma_A)$ of the family of def. 6.8. We characterize the value $R$ given at def. 6.10 as follows: $R = \hat R \cap \alpha_A(Z)$ where $\hat R \in \mathit{postfp}(\lambda X.\ \bar m_0 \cup \mathit{post}_{\bar N}(X))$.

Second, if, in the above definition, the set of markings $Z$ is a $\leq$-dc-set then so is $\alpha_A(Z)$ by Lem. 6.7. It follows that the value $R$ given at Cor. 6.4 is computable by any coverability checker for Petri nets. By deferring the evaluation of line 3 to a coverability checker we are guaranteed its termination. So, assuming $Z \in \mathit{DCS}(\mathbb{N}^k)$, the test of line 4 is reformulated as follows.

Proposition 6.6 Let $N = (P, T, F, m_0)$ be a Petri net, and let $(\mathit{PL}(\mathbb{N}^{k_A}), \alpha_A, \gamma_A)$ be an abstract domain of the family of def. 6.8; given $Z \in \mathit{DCS}(\mathbb{N}^k)$ and $Y \subseteq \mathbb{N}^{k_A}$, the two following statements are equivalent:

$$\alpha_A(m_0 \cup \mathit{post}_N(\gamma_A(Y))) \subseteq \alpha_A(Z) , \qquad \mathord{\downarrow}\bar m_0 \cup \mathord{\downarrow}\mathit{post}_{\bar N}(Y) \subseteq \alpha_A(Z) .$$


Proof. We first note that since $Z \in \mathit{DCS}(\mathbb{N}^k)$, Lem. 6.7 shows that $\alpha_A(Z) \in \mathit{DCS}(\mathbb{N}^{k_A})$. Then we have

$$\begin{array}{rll}
& \alpha_A(m_0 \cup \mathit{post}_N(\gamma_A(Y))) \subseteq \alpha_A(Z) \\
\Leftrightarrow & \mathord{\downarrow} \circ \alpha_A(m_0 \cup \mathit{post}_N(\gamma_A(Y))) \subseteq \alpha_A(Z) & \text{by above} \\
\Leftrightarrow & \mathord{\downarrow}(\alpha_A(m_0) \cup \alpha_A \circ \mathit{post}_N \circ \gamma_A(Y)) \subseteq \alpha_A(Z) & \alpha_A \text{ additivity} \\
\Leftrightarrow & \mathord{\downarrow}(\bar m_0 \cup \mathit{post}_{\bar N}(Y)) \subseteq \alpha_A(Z) & \text{def. of } \bar m_0, \text{ Prop. 6.5} \\
\Leftrightarrow & \mathord{\downarrow}\bar m_0 \cup \mathord{\downarrow}\mathit{post}_{\bar N}(Y) \subseteq \alpha_A(Z) & \mathord{\downarrow}(A \cup B) = \mathord{\downarrow}A \cup \mathord{\downarrow}B \qquad \square
\end{array}$$

6.3.4 Backward Reasoning

The next step given by the guidelines and Alg. 4 is to instantiate the backward reasoning for Petri nets. For the value $S_i$ we show our definition satisfies the requirement of line 7. We do so for each abstract domain of the family defined at def. 6.8. Besides satisfying the requirement, it turns out in Prop. 6.8 that the definition also meets our need to reduce the dimensionality of the manipulated sets.

For line 7 we choose to reason in the framework of upper-approximations. In particular, the iterated function is denoted $g_A$, so that line 7 is given by $\mathit{gfp}(g_A)$. The function $g_A$ is defined as follows.

Definition 6.12 ($g_A$) Given a Petri net $N = (P, T, F, m_0)$, $A \in \mathbb{A}^{k_A \times k}$, and $R \subseteq \mathbb{N}^{k_A}$, the function $g_A$ is given by

$$\lambda X.\ R \cap \bigcap_{t \in T} \alpha_A \circ \widetilde{\mathit{pre}}_N[t] \circ \gamma_A(X) .$$

First, notice that the function $g_A$ is monotone because $\alpha$, $\widetilde{\mathit{pre}}_N[t]$, $\gamma$ and $\bigcap$ are monotone as well. It follows that $\mathit{lfp}(g_A)$ and $\mathit{gfp}(g_A)$ (see line 7) exist and can be constructively defined by means of upper and lower iteration sequences, respectively.

In Prop. 6.7 we show that $g_A$ satisfies the requirement (Up2) of def. 3.4, hence that the requirement of line 7 is satisfied. Prior to this we show the following result, which is eventually used to characterize how much $g_A$ upper-approximates.

Lemma 6.9 For each $A \in \mathbb{A}^{k_A \times k}$, $M \subseteq \mathbb{N}^{k_A}$, and $P \subseteq \mathbb{N}^k$ we have

$$\alpha(\gamma(M)) \cap \alpha(P) = \alpha(\gamma(M) \cap P) .$$


Proof. Monotonicity of $\alpha$ and set reasoning show that the inclusion $\supseteq$ holds, so let us examine the reverse one. Let $y'$ be such that $y' \in \alpha(P)$ and $y' \in \alpha \circ \gamma(M)$; we have

$$\begin{array}{rll}
& \exists y \in P : \alpha(y) = y' \wedge \{y'\} \subseteq \alpha \circ \gamma(M) & \text{def. of } \alpha \\
\Rightarrow & \exists y \in P : \alpha(\{y\}) \subseteq \alpha \circ \gamma(M) & \alpha(\{y\}) = \{y'\} \\
\Leftrightarrow & \exists y \in P : \{y\} \subseteq \gamma \circ \alpha \circ \gamma(M) & \text{Galois connection } (\alpha, \gamma) \\
\Leftrightarrow & \exists y \in P : \{y\} \subseteq \gamma(M) & \text{Lem. 2.10} \\
\Leftrightarrow & \exists y \in P : y \in \gamma(M) & y' \in \alpha(P) \cap \alpha(\gamma(M)),\ \alpha(y) = y' \\
\Rightarrow & \forall y' \in \alpha(P) \cap \alpha(\gamma(M))\ \exists y \in P \cap \gamma(M) : \alpha(y) = y' \\
\Leftrightarrow & \alpha(P) \cap \alpha(\gamma(M)) \subseteq \alpha(P \cap \gamma(M)) \qquad \square
\end{array}$$

Proposition 6.7 Let $N$ be a Petri net given by $(P, T, F, m_0)$; for each $A \in \mathbb{A}^{k_A \times k}$ and $R \subseteq \mathbb{N}^{k_A}$ the function $g_A$ is such that

$$\lambda X.\ \alpha_A(\gamma_A(R) \cap \widetilde{\mathit{pre}}_N(\gamma_A(X))) \subseteq g_A \subseteq \lambda X.\ R .$$

Proof. It is routine to check that $g_A \subseteq \lambda X.\ R$. The other statement is proved as follows.

$$\begin{array}{rll}
& \lambda X.\ \alpha_A(\gamma_A(R) \cap \widetilde{\mathit{pre}}_N(\gamma_A(X))) \\
= & \lambda X.\ \alpha_A(\gamma_A(R)) \cap \alpha_A \circ \widetilde{\mathit{pre}}_N \circ \gamma_A(X) & \text{Lem. 6.9} \\
= & \lambda X.\ R \cap \alpha_A \circ \widetilde{\mathit{pre}}_N \circ \gamma_A(X) & \text{Galois insertion } (\alpha_A, \gamma_A) \\
= & \lambda X.\ R \cap \alpha_A \circ \bigcap_{t \in T} \widetilde{\mathit{pre}}_N[t] \circ \gamma_A(X) & \text{def. of } \widetilde{\mathit{pre}} \\
\subseteq & \lambda X.\ R \cap \bigcap_{t \in T} \alpha_A \circ \widetilde{\mathit{pre}}_N[t] \circ \gamma_A(X) & \alpha(A \cap B) \subseteq \alpha(A) \cap \alpha(B) \\
= & \lambda X.\ g_A(X) & \text{def. of } g_A \qquad \square
\end{array}$$

Remark 6.1 It is worth pointing out that under the assumption that $T$ is a singleton, $g_A$ coincides with $\lambda X.\ \alpha_A(\gamma_A(R) \cap \widetilde{\mathit{pre}}_N(\gamma_A(X)))$. From another point of view we can say that $g_A$ upper-approximates it when considering the whole system but is precise when considering each single transition. Formally, for each $A \in \mathbb{A}^{k_A \times k}$ and $R \subseteq \mathbb{N}^{k_A}$:

$$\lambda X.\ R \cap \alpha_A \circ \widetilde{\mathit{pre}}_N[t] \circ \gamma_A(X) = \lambda X.\ \alpha_A(\gamma_A(R) \cap \widetilde{\mathit{pre}}_N[t](\gamma_A(X))) .$$

The loss of precision stems from the definition of $\lambda X.\ \widetilde{\mathit{pre}}_N[T](X) = \lambda X.\ \bigcap_{t \in T} \widetilde{\mathit{pre}}_N[t](X)$ and the fact that $\alpha$ is, in general, not co-additive (i.e. $\alpha(A \cap B) \neq \alpha(A) \cap \alpha(B)$).


Note that if, in the definition of $g_A$, the set $R$ of markings is a $\leq$-dc-set, so is each iterate of the lower iteration sequence stabilizing to $\mathit{gfp}\,\lambda X.\ g_A(X)$ (which defines the value of line 7). It follows that the iteration sequence stabilizes after a finite number of steps, as shown below. This result will be used subsequently when proving the termination of the instantiated Alg. 4.

Lemma 6.10 Let $N = (P, T, F, m_0)$ be a Petri net, $A \in \mathbb{A}^{k_A \times k}$ and $R \in \mathit{DCS}(\mathbb{N}^{k_A})$; the lower iteration sequence $\{I^i\}_{i \in \mathbb{N}}$ given by $I^0 = \mathbb{N}^{k_A}$ and $I^{i+1} = g_A(I^i)$ stabilizes to $\mathit{gfp}\,\lambda X.\ g_A(X)$ after a finite number of steps. Moreover each iterate, hence the gfp, is a $\leq$-dc-set.

Proof. Recall that $g_A$ is monotone, which shows that the lower iteration sequence converges to $\mathit{gfp}(g_A)$. To prove the result, we simply have to show that the iterates form a descending chain of $\leq$-dc-sets. The proof is by finite induction on the lower iteration sequence. Hence, since all iterates are $\leq$-dc-sets and the DCC holds on $\mathit{DPL}(\mathbb{N}^{k_A})$, we find that the lower iteration sequence stabilizes after a finite number of steps.

The base case follows from the equality $I^0 = \mathbb{N}^{k_A}$ and $\mathbb{N}^{k_A} \in \mathit{DCS}(\mathbb{N}^{k_A})$.

For the inductive case, we find that

$$\begin{array}{rll}
& I^i \in \mathit{DCS}(\mathbb{N}^{k_A}) & \text{induction hypothesis} \\
\Rightarrow & \gamma_A(I^i) \in \mathit{DCS}(\mathbb{N}^k) & \text{Lem. 6.7} \\
\Rightarrow & \forall t \in T : \widetilde{\mathit{pre}}_N[t](\gamma_A(I^i)) \in \mathit{DCS}(\mathbb{N}^k) & \text{Lem. 6.8} \\
\Rightarrow & \bigcap_{t \in T} \widetilde{\mathit{pre}}_N[t](\gamma_A(I^i)) \in \mathit{DCS}(\mathbb{N}^k) & \text{prop. of } \mathit{DPL}(\mathbb{N}^k) \\
\Rightarrow & \alpha_A\big(\bigcap_{t \in T} \widetilde{\mathit{pre}}_N[t](\gamma_A(I^i))\big) \in \mathit{DCS}(\mathbb{N}^{k_A}) & \text{Lem. 6.7} \\
\Rightarrow & R \cap \alpha_A\big(\bigcap_{t \in T} \widetilde{\mathit{pre}}_N[t](\gamma_A(I^i))\big) \in \mathit{DCS}(\mathbb{N}^{k_A}) & \text{prop. of } \mathit{DPL}(\mathbb{N}^{k_A}) \text{ and } R \\
\Leftrightarrow & g_A(I^i) \in \mathit{DCS}(\mathbb{N}^{k_A}) & \text{def. of } g_A \\
\Leftrightarrow & I^{i+1} \in \mathit{DCS}(\mathbb{N}^{k_A}) & \text{def. of } I^{i+1} \qquad \square
\end{array}$$

Above we assume that the set of markings $R$ is a $\leq$-dc-set. As we will see, this turns out to be true since the set of markings returned by the coverability checker is a $\leq$-dc-set of markings.

We now show that the instantiated backward reasoning also meets our need to reduce the dimensionality of the manipulated sets. This implies $\gamma$ should never be explicitly evaluated. This result is shown at Prop. 6.8.


Hereunder, Lem. 6.11 shows that $\mathit{pre}_{\bar N}$ coincides with the best abstract counterpart of $\mathit{pre}_N$. Moreover we show in Prop. 6.8 that, given $t \in T$, the best abstract counterpart of $\widetilde{\mathit{pre}}_N[t]$ coincides with $\widetilde{\mathit{pre}}_{\bar N}[t]$ if $N$ satisfies some condition and with $\lambda X.\ \mathbb{N}^{k_A}$ otherwise. To obtain those results, the intermediary lemmas Lem. 6.11, 6.12 and 6.13 are needed.

Lemma 6.11 Given a Petri net $N = (P, T, F, m_0)$, $A \in \mathbb{A}^{k_A \times k}$ and the Petri net $\bar N$ given by def. 6.11, we have

$$\lambda X.\ \alpha \circ \mathit{pre}_N \circ \gamma(X) = \lambda X.\ \mathit{pre}_{\bar N}(X) .$$

Proof. The proof is similar to the proof of Prop. 6.5 with $O$ (resp. $\bar O$) replaced by $I$ (resp. $\bar I$) and vice versa. $\square$

Lemma 6.12 Given a Petri net $N = (P, T, F, m_0)$ and a partition $A = \{C_j\}_{j \in [1..k_A]}$ of $[1..k]$, if $\exists i \in [1..k] : I(i, t) > 0$ and $\{i\} \notin A$ then $\alpha(\{m \in \mathbb{N}^k \mid I(t) \not\leq m\}) = \mathbb{N}^{k_A}$.

Proof. We assume $i \in C_j$ and consider $l \in [1..k]$ such that $l \in C_j$ and $l \neq i$. The set $\{m \in \mathbb{N}^k \mid I(t) \not\leq m\}$ is a $\leq$-dc-set given by the following formula:

$$\bigvee_{\substack{p \in [1..k] \\ I(p,t) > 0}} x_p < I(p, t) .$$

We conclude from $I(i, t) > 0$ that $\llbracket x_i < I(i, t) \rrbracket = \{\langle v_1, \ldots, v_i, \ldots, v_k\rangle \mid v_i < I(i, t)\} \supseteq \{\langle v_1, \ldots, 0, \ldots, v_k\rangle\}$, hence that $\alpha(\llbracket x_i < I(i, t) \rrbracket) = \mathbb{N}^{k_A}$ by $\{i, l\} \subseteq C_j \in A$, and finally that $\alpha(\llbracket x_i < I(i, t) \rrbracket) \subseteq \alpha(\llbracket \bigvee_{p \in [1..k],\, I(p,t) > 0} x_p < I(p, t) \rrbracket)$ by monotonicity of $\alpha$. It follows that $\alpha(\{m \in \mathbb{N}^k \mid I(t) \not\leq m\}) = \alpha(\llbracket \bigvee_{p \in [1..k],\, I(p,t) > 0} x_p < I(p, t) \rrbracket) = \mathbb{N}^{k_A}$. $\square$

Lemma 6.13 Given a Petri net $N = (P, T, F, m_0)$, a partition $A = \{C_j\}_{j \in [1..k_A]}$ of $[1..k]$ and the Petri net $\bar N$ given by def. 6.11, if for any $i \in [1..k]$, $I(i, t) > 0$ implies $\{i\} \in A$, then $\alpha(\{m \in \mathbb{N}^k \mid I(t) \not\leq m\}) = \{\bar m \in \mathbb{N}^{k_A} \mid \bar I(t) \not\leq \bar m\}$.

Proof.

$$\begin{array}{rll}
& \alpha(\{m \in \mathbb{N}^k \mid I(t) \not\leq m\}) \\
= & \{A\cdot m \mid m \in \mathbb{N}^k \wedge I(t) \not\leq m\} & \text{def. of } \alpha \\
= & \{A\cdot m \mid m \in \mathbb{N}^k \wedge A\cdot I(t) \not\leq A\cdot m\} & \text{hyp.} \\
= & \{A\cdot m \mid m \in \mathbb{N}^k \wedge \bar I(t) \not\leq A\cdot m\} & \text{def. of } \bar I \\
= & \{\bar m \in \mathbb{N}^{k_A} \mid \exists m \in \mathbb{N}^k : \bar m = A\cdot m \wedge \bar I(t) \not\leq \bar m\} \\
= & \{\bar m \in \mathbb{N}^{k_A} \mid \bar I(t) \not\leq \bar m\} & \alpha \text{ is surjective by the Galois insertion } (\alpha, \gamma) \qquad \square
\end{array}$$


Proposition 6.8 Given a Petri net $N = (P, T, F, m_0)$, a partition $A = \{C_j\}_{j \in [1..k_A]}$ of $[1..k]$ and the Petri net $\bar N$ given by def. 6.11, we have

$$\lambda X.\ \alpha \circ \widetilde{\mathit{pre}}_N[t] \circ \gamma(X) = \begin{cases} \mathbb{N}^{k_A} & \text{if } \exists i \in [1..k_A] : |C_i| > 1 \wedge \bar I(i, t) > 0 \\ \lambda X.\ \widetilde{\mathit{pre}}_{\bar N}[t](X) & \text{otherwise.} \end{cases}$$

Proof.

$$\begin{array}{rll}
& \alpha \circ \widetilde{\mathit{pre}}_N[t] \circ \gamma(S) \\
= & \alpha \circ \widetilde{\mathit{pre}}_N[t](\{m \in \mathbb{N}^k \mid m \in \gamma(S)\}) \\
= & \alpha(\{m \mid (I(t) \not\leq m) \vee (I(t) \leq m \wedge m - I(t) + O(t) \in \gamma(S))\}) & \text{Lem. 6.2} \\
= & \alpha(\{m \mid I(t) \not\leq m\}) \cup \alpha(\{m \mid I(t) \leq m \wedge m - I(t) + O(t) \in \gamma(S)\}) & \text{additivity of } \alpha \\
= & \alpha(\{m \mid I(t) \not\leq m\}) \cup \alpha \circ \mathit{pre}_N[t] \circ \gamma(S) & \text{def. of } \mathit{pre}_N[t] \\
= & \alpha(\{m \mid I(t) \not\leq m\}) \cup \mathit{pre}_{\bar N}[t](S) & \text{Lem. 6.11}
\end{array}$$

We now consider two cases:

• $\exists i \in [1..k] : I(i, t) > 0$ and $\{i\} \notin A$ (which is equivalent to $\exists i \in [1..k_A] : |C_i| > 1 \wedge \bar I(i, t) > 0$). From Lem. 6.12, we conclude that $\alpha \circ \widetilde{\mathit{pre}}_N[t] \circ \gamma(S) = \mathbb{N}^{k_A}$;

• $\forall i \in [1..k] : I(i, t) > 0$ implies $\{i\} \in A$. In this case we have

$$\begin{array}{rll}
\alpha \circ \widetilde{\mathit{pre}}_N[t] \circ \gamma(S) &= \{\bar m \in \mathbb{N}^{k_A} \mid \bar I(t) \not\leq \bar m\} \cup \mathit{pre}_{\bar N}[t](S) & \text{Lem. 6.13} \\
&= \widetilde{\mathit{pre}}_{\bar N}[t](S) & \text{Lem. 6.2} \qquad \square
\end{array}$$

It follows that Prop. 6.8 provides a way to evaluate $\lambda X.\ \alpha \circ \widetilde{\mathit{pre}}_N \circ \gamma(X)$ without explicitly evaluating $\gamma$, hence we fulfill our objective, which was to reduce the dimensionality of the manipulated sets. However, since we work with an upper-approximation we lose some precision.

We are now able to give an equivalent characterization of the iterated function $g_A$.

Lemma 6.14 Given a Petri net $N = (P, T, F, m_0)$, $A \in \mathbb{A}^{k_A \times k}$, and $R \subseteq \mathbb{N}^{k_A}$. Let $\varphi_t$ denote the formula $\exists i \in [1..k_A] : |C_i| > 1 \wedge \bar I(i, t) > 0$. Since, by Prop. 6.8, the transitions for which $\varphi_t$ holds contribute $\mathbb{N}^{k_A}$ to the intersection, the function $g_A$ coincides with

$$\lambda X.\ R \cap \bigcap_{\substack{t \in T \\ \neg\varphi_t \text{ holds}}} \widetilde{\mathit{pre}}_{\bar N}[t](X) .$$

Proof. The proof follows directly from Prop. 6.8 and the definition of $g_A$. $\square$


6.3.5 Abstract Domain Refinement

In this section we show how to refine the current abstract domain. Let $N$ be a Petri net and $S \in \mathit{DCS}(\mathbb{N}^k)$ form a fixpoint instance of the fixpoint checking problem, and let $(\mathit{DPL}(\mathbb{N}^{k_A}), \alpha_A, \gamma_A)$ be an abstract domain of the adequate family of def. 6.8. In order to refine this abstract domain we need to compute the value $Z$ such that $Z = Y \cap \widetilde{\mathit{pre}}_N(Y)$ for some $Y \in \gamma_A(\wp(\mathbb{N}^{k_A}))$. This corresponds to the statement of line 9: $Z_{i+1} = \gamma_i(S_i) \cap \widetilde{\mathit{pre}}_N(\gamma_i(S_i))$. Then we have to pick an abstract domain $(\mathit{DPL}(\mathbb{N}^{k_{A'}}), \alpha_{A'}, \gamma_{A'})$ of the family of def. 6.8 such that $\gamma_{A'}(\wp(\mathbb{N}^{k_{A'}})) \supseteq \{Z\} \cup \gamma_A(\wp(\mathbb{N}^{k_A}))$. This corresponds to the statement of line 10.

Let $Z \subseteq \mathbb{N}^k$. Prop. 6.3 tells us that there exists a partition that represents exactly $Z$ and that the coarsest partition that represents exactly $Z$ is given by $\bigvee \{A \mid \gamma_A \circ \alpha_A(Z) = Z\}$. In what follows, we give an algorithm which, given $Z$, returns the coarsest partition. We want to compute the coarsest partition because we want to keep the dimensionality as small as possible.

Now, we present the algorithm refinement that, given a set $M$ of markings, computes the coarsest partition $A$ which is able to represent $M$ exactly. The algorithm starts from the $\preceq$-minimal partition, then it chooses non-deterministically two candidate classes and merges them into a single class. If this new partition still represents $M$ precisely, we iterate the procedure. Otherwise the algorithm tries choosing different candidates. The algorithm is presented in Alg. 5.

Algorithm 5: computes the coarsest partition which represents exactly $M$

Input: $M \subseteq \mathbb{N}^k$
Output: a partition $A$ of $[1..k]$ such that $\gamma_A \circ \alpha_A(M) \subseteq M$
refinement($M$)
begin
    Let $A$ be $\{\{1\}, \{2\}, \ldots, \{k\}\}$
    while $\exists C_i, C_j \in A : C_i \neq C_j$ and $\gamma_{A_{C_i \cup C_j}} \circ \alpha_{A_{C_i \cup C_j}}(M) \subseteq M$ do
1       Let $C_i, C_j \in A$ such that $C_i \neq C_j$ and $\gamma_{A_{C_i \cup C_j}} \circ \alpha_{A_{C_i \cup C_j}}(M) \subseteq M$
2       $A \leftarrow (A \setminus \{C_i, C_j\}) \cup \{C_i \cup C_j\}$
    end
    return $A$
end
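The refinement procedure of Alg. 5, as an added Python example for this page (it is not code from the thesis): on a finite, explicitly listed set $M$ of markings it tests $\gamma_{A_{C_i \cup C_j}} \circ \alpha_{A_{C_i \cup C_j}}(M) \subseteq M$ for candidate pairs exactly as the loop does, merging greedily from the finest partition. The exactness test does not enumerate $\gamma$: it relies on the token-move argument used for Lem. 6.5 above, namely that $\gamma_A \circ \alpha_A(M) \subseteq M$ holds iff $M$ is closed under moving a single token between two places of the same class (such moves generate every marking with the same class sums). The sample sets are constructed for the demonstration and places are 0-based.

```python
from itertools import combinations


def single_token_moves(m, partition):
    """All markings obtained from m by moving one token inside one class of the partition."""
    for C in partition:
        for src in C:
            if m[src] == 0:
                continue
            for dst in C:
                if dst != src:
                    moved = list(m)
                    moved[src] -= 1
                    moved[dst] += 1
                    yield tuple(moved)


def represents_exactly(M, partition):
    """gamma_A ∘ alpha_A(M) ⊆ M (equivalently = M, since M ⊆ gamma∘alpha(M) always holds).
    gamma_A(alpha_A(m)) is exactly the set reachable from m by single-token moves inside
    classes, so M is represented exactly iff every such move stays inside M."""
    return all(moved in M for m in M for moved in single_token_moves(m, partition))


def single_class_partition(C, k):
    """A_C = {C} ∪ {{s} | s not in C}: one merged class, every other place kept apart."""
    return [sorted(C)] + [[s] for s in range(k) if s not in C]


def refinement(M, k):
    """Alg. 5: start from the finest partition and, while some pair of classes passes
    the A_{Ci ∪ Cj} test, merge that pair (Lem. 6.15 then guarantees the merged
    partition still represents M exactly). Returns the partition as a set of classes."""
    A = [frozenset({i}) for i in range(k)]
    while True:
        for Ci, Cj in combinations(A, 2):                                  # line 1 of Alg. 5
            if represents_exactly(M, single_class_partition(Ci | Cj, k)):
                A = [C for C in A if C not in (Ci, Cj)] + [Ci | Cj]          # line 2 of Alg. 5
                break
        else:
            return {frozenset(C) for C in A}


# Constructed sample sets of markings over k = 3 places, listed explicitly.
M_A = {(a, b, c) for a in range(3) for b in range(3) for c in range(2) if a + b <= 2}  # a+b <= 2, c <= 1
M_B = {(a, b, c) for a in range(2) for b in range(2) for c in range(2)}                # the box [0..1]^3
M_C = {(a, b, c) for a in range(2) for b in range(2) for c in range(2) if a + b + c <= 1}
```

For `M_A` the constraint only involves the sum of places 0 and 1, so those two can be merged but place 2 cannot join them; `M_B` bounds each place separately, so no merge is exact; `M_C` constrains the total, so all three places collapse into one class. `refinement` returns the coarsest exact partition in each case, as Cor. 6.5 states.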

Below we establish that refinement computes the coarsest partition representing exactly the set given in input. Recall that for every $A \in \mathbb{A}^{k_A \times k}$ and for every $M \subseteq \mathbb{N}^k$ we have $\gamma_A \circ \alpha_A(M) = M$ if and only if $\gamma_A \circ \alpha_A(M) \subseteq M$. Indeed, $M \subseteq \gamma_A \circ \alpha_A(M)$ trivially holds by property of Galois connection (see Lem. 2.10).

Let $A = \{C_i\}_{i \in [1..k_A]}$ be a partition of $[1..k]$; we define $A_{C_i} = \{C_i\} \cup \{\{s\} \mid s \in [1..k] \wedge s \notin C_i\}$. We first prove the following lemma.


Lemma 6.15 Let $A = \{C_i\}_{i \in [1..k_A]}$ be a partition of $[1..k]$ and $M \subseteq \mathbb{N}^k$; we have:

$$\gamma_A \circ \alpha_A(M) \subseteq M \ \Leftrightarrow\ \big(\forall C_i \in A : \gamma_{A_{C_i}} \circ \alpha_{A_{C_i}}(M) \subseteq M\big) .$$

Proof. We conclude from $A_{C_i} \preceq A$ and Lem. 6.4 that the implication $\Rightarrow$ holds. For the other direction the result follows from Lem. 6.5 and the following equality: $A = \bigvee \{A_{C_i}\}_{C_i \in A}$, which follows by definition of $\bigvee$. Indeed, $A_{C_i} \vee A_{C_j}$ is given by $\{C_i, C_j\} \cup \{\{s\} \mid s \in [1..k] \wedge s \notin (C_i \cup C_j)\}$. $\square$

The following two lemmas and the corollary state the correctness and the optimality of Alg. 5.

Lemma 6.16 Given $M \subseteq \mathbb{N}^k$, the partition $A$ returned by refinement($M$) is such that $\gamma_A \circ \alpha_A(M) = M$.

Proof. Initially $A = \{\{1\}, \ldots, \{k\}\}$ so that $\gamma_A \circ \alpha_A(M) = M$, hence $\gamma_A \circ \alpha_A(M) \subseteq M$, which is an invariant maintained by the iterations. Indeed, suppose the invariant holds before executing line 1: $\gamma_A \circ \alpha_A(M) \subseteq M$. We conclude from line 1 that $\gamma_{A_{C_i \cup C_j}} \circ \alpha_{A_{C_i \cup C_j}}(M) \subseteq M$, hence that the new value for $A$ satisfies $\gamma_A \circ \alpha_A(M) \subseteq M$ by Lem. 6.15 and line 2. $\square$

Lemma 6.17 Given $M \subseteq \mathbb{N}^k$, let $A$ be the partition returned by refinement($M$). There is no partition $A'$ with $A \preceq A'$ and $A \neq A'$ such that $\gamma_{A'} \circ \alpha_{A'}(M) = M$.

Proof. Suppose that such a partition $A'$ exists. Since $A \preceq A'$, $\exists C_i, C_j \in A\ \exists C' \in A' : (C_i \neq C_j) \wedge C_i \cup C_j \subseteq C'$. We conclude from Lem. 6.15 and $\gamma_{A'} \circ \alpha_{A'}(M) \subseteq M$ (hence $\gamma_{A'} \circ \alpha_{A'}(M) = M$ by the Galois insertion $(\alpha_{A'}, \gamma_{A'})$) that $\gamma_{A_{C'}} \circ \alpha_{A_{C'}}(M) = M$.

Moreover, $A_{C_i \cup C_j} \preceq A_{C'}$ shows that $\gamma_{A_{C_i \cup C_j}} \circ \alpha_{A_{C_i \cup C_j}}(M) \subseteq \gamma_{A_{C'}} \circ \alpha_{A_{C'}}(M) = M$ by Lem. 6.4 and Lem. 2.10. Hence, the equality $\gamma_{A_{C_i \cup C_j}} \circ \alpha_{A_{C_i \cup C_j}}(M) = M$ holds.

It follows that the condition of the while loop of the refinement algorithm is verified by $A$, hence the algorithm should execute the loop at least once more before termination and return a partition $A''$ such that $A \preceq A''$ and $A \neq A''$. $\square$

Putting together Prop. 6.3 and Lem. 6.17 we get:

Corollary 6.5 Given $M \subseteq \mathbb{N}^k$, the partition $A$ returned by refinement($M$) is the coarsest partition representing exactly $M$, that is $\mathit{refinement}(M) = \bigvee \{A \mid \gamma_A \circ \alpha_A(M) = M\}$.


The next entry in the guidelines is about choosing, in the family of def. 6.8, thenext abstract domain Ai+1 given the current one Ai and the set Zi+1. Given thepartition Ai ∈ Aki×k we want a partition Ai+1 ∈ Aki+1×k such that γAi+1

(℘(Nki+1)) ⊇{Zi+1} ∪ γAi

(℘(Nki)).

Corollary 6.1 shows Ai+1 = Ai f refinement(Z) is such that γAi+1(℘(Nki+1)) ⊇

{Zi+1} ∪ γAi(℘(Nki)).

We are now in a position to define the instantiation of Alg. 4 for Petri nets.

6.3.6 The Place Merging Algorithm

Alg. 6 is an instantiation of Alg. 4 for Petri nets.

Algorithm 6: Algorithm for the coverability problem of Petri nets

Data: A Petri net N = (P, T, F,m0) and a 6-dc-set S such that m0 ∈ SZ0 = S1

A0 = refinement(Z0)2

for i = 0, 1, 2, 3, . . . do3

Given Ai, compute N given by def. 6.114

R = Checker(m0, post N , αi(Zi))5

Compute Ri = R ∩ αi(Zi)6

ifym0 ∪

ypost N(Ri) ⊆ αi(Zi) then7

return OK8

else9

Compute Si = gfpλX.Ri ∩⋂

t∈Tφt holds

preN [t](X)10

if m0 ⊆ Si then11

Let Zi+1 = γi(Si) ∩ preN(γi(Si))12

Let Ai+1 = Ai f refinement(Zi+1)13

else14

return KO15

end16

end17

end18

Given a Petri net N and a 6-dc-set S, the algorithm builds abstractions N withsmaller dimensionality than N (line 4), analyses them (lines 5–18), and refines them(line 13) until it concludes. To obtain the value R ∈ postfp

(λX. m0 ∪ post N(X)

)the

algorithm uses a coverability checker. Henceforth, when speaking about the coverabil-ity checker we refer to any algorithm proposed in [KM69, GRVanB04, GRVanB06].According to the guidelines, we give an effective characterization of Alg. 6 and proveit terminates.


134 CHAPTER 6. PLACE MERGING ABSTRACTIONS FOR PETRI NETS

6.3.7 Termination and Effectivity

In order to establish that Alg. 6 terminates, we first characterize the values it computes.

Lemma 6.18 In Alg. 6, for each value of i, Z_i, R_i and S_i are ≤-dc-sets.

Proof. Our proof is by induction on i.

Base case. We have Z_0 = S and S is a ≤-dc-set, and so is α_0(Z_0) by Lem. 6.7. Then we obtain that R_0, which is given by R ∩ α_0(Z_0), is a ≤-dc-set by the properties of the coverability checker (R is a ≤-dc-set) and by the properties of ⋂. Hence, S_0 is a ≤-dc-set by Lem. 6.10.

Inductive case. The induction hypothesis and Lem. 6.7 show that γ_i(S_i) is a ≤-dc-set, and so is γ_i(S_i) ∩ pre_N(γ_i(S_i)) by Lem. 6.8 and the properties of ⋂. It follows that Z_{i+1} is a ≤-dc-set. We conclude from Lem. 6.7 that α_{i+1}(Z_{i+1}) is a ≤-dc-set, and so is R ∩ α_{i+1}(Z_{i+1}) by the properties of the coverability checker and the properties of ⋂. Hence we find that R_{i+1} is a ≤-dc-set, and so is S_{i+1} by Lem. 6.10. □

From the previous result we can draw the following conclusions.

Proposition 6.9 In Alg. 6, for each value of i, the computation of R_i and S_i terminates.

Proof. Regarding R_i, we know that if Z_i is a ≤-dc-set, so is α_i(Z_i) by Lem. 6.7, and thus the coverability checker used at line 5 terminates. We refer the interested reader to [KM69, GRVanB04, GRVanB06] for more details. Then, we show that the computation of S_i terminates. This result directly follows from Lem. 6.18, which proves that at each iteration R_i is a ≤-dc-set, and Lem. 6.10, which states that if R_i is a ≤-dc-set then the instantiated backward reasoning terminates. □

Corollary 6.6 Algorithm 6 terminates.

Proof. By virtue of the previous proposition we know that both the instantiated forward and backward reasoning terminate. In fact, besides the result of Prop. 6.9, the tests of lines 7 and 11 evaluate in finite time. Then, since at each iteration the set of markings Z_i is a ≤-dc-set as shown by Lem. 6.18, we find that Alg. 6 terminates using Prop. 3.6. That proposition states that if all the Z_i's belong to a poset for which the DCC holds then the algorithm terminates, and the poset given by the ≤-dc-sets of markings satisfies the DCC (see Lem. 2.7). □

As far as effectivity is concerned, the result of Lem. 6.18 shows that for each i the sets R_i, S_i and Z_i are ≤-dc-sets of markings, hence they can be effectively represented using an effective representation (see def. 6.9) as detailed in [Gan02] or [GMD+07]. Now, we show that, besides being effectively representable, they can be effectively computed as well.

Proposition 6.10 Given an effective representation of ≤-dc-sets of markings satisfying the requirements of def. 6.9, Alg. 6 is effective.

Proof. Let us assume we are given an effective representation of Z_0 = S. For A_0 = refinement(Z_0), computed at line 2, Alg. 5 terminates since the lattice of partitions of the finite set [1..k] is finite. Moreover, Alg. 5 is effective. In fact, the lattice of partitions of [1..k] is an effective lattice, and def. 6.9 gives an algorithm which, given an effective representation of X, computes an effective representation of γ_A ∘ α_A(X) for any partition A. We also say that def. 6.9 effectively characterizes the value γ_A ∘ α_A(X).

Then we obtain an effective characterization of R_0 = R ∩ α_0(Z_0) by the properties of the coverability checker and by def. 6.9, which effectively characterizes α_0(Z_0). Prop. 6.6 and def. 6.9 give an effective characterization of the test of line 7.

The set S_0 is defined as the limit of the lower iteration sequence {I^i}_{i∈N} given by I^0 = N^{k_0} and I^{i+1} = R_0 ∩ ⋂_{t ∈ T, φ_t holds} pre_{N♯}[t](I^i) (see Lem. 6.14). Each iterate I^i of {I^i}_{i∈N} is effectively characterized by def. 6.9. Using the same argument we obtain an effective characterization of the test m0 ⊆ S_0.

Again, def. 6.9 effectively characterizes the concrete value Z_1 = γ_0(S_0) ∩ pre_N(γ_0(S_0)). Finally, we effectively characterize A_1 = A_0 ⊓ refinement(Z_1), computed at line 13, using the above reasoning as far as refinement is concerned and the effectivity of the lattice of partitions.

Since we have shown in Cor. 6.6 that Alg. 6 terminates, repeated application of the above reasoning concludes the proof. □

We now report on an experimental evaluation of Alg. 6.

6.4 Experimental results

We implemented Alg. 6 in C, using the symbolic data structure of [Gan02] to represent and manipulate sets of markings. For the coverability checker referenced at line 5 we used the algorithm of [GRVanB04].

We tested our method against a large set of examples. The properties we consider are mutual exclusions, and the results we obtained are shown in Table 6.1. In the table, each column is read as follows. Var denotes the number of places of the Petri net; Var♯ denotes the number of places of the abstraction that allows the algorithm to conclude; #ref denotes the total number of abstract domain refinements; and time denotes the execution time in seconds on an Intel Xeon at 3 GHz.

Table 6.1: Results for various examples using Alg. 6

Unbounded PN

Example    Var   Var♯   #ref   time (s)
ME           5     4      3       0.02
multiME     12     5      3       2.69
FMS         22     4      3       8.30
CSM         14     9      4      11.78
mesh2x2     32     9      4     340
mesh3x2     52     9      4   3,357

Bounded PN

Example    Var   Var♯   #ref   time (s)
lamport     11     9      4       8.50
dekker      16    15      4      60.2
peterson    14    12      5      21.5

We distinguish two kinds of examples. Parameterized systems (the “Unbounded PN” in Tab. 6.1) describe systems with a parameterized number of resources: ME [DRVanB01, Fig. 1], MultiME (Fig. 6.1 of Sect. 6.2), CSM [MBC+95, Fig. 76, p. 154], FMS [CM97], the mesh 2x2 of [MBC+95, Fig. 130, p. 256] and its extension to the 3x2 case. For all those infinite-state Petri nets, the mutual exclusion properties depend only on a small part of the nets. For instance, to prove that we never reach a marking with more than one token in the set of places {p4, p5} of the MultiME net (Fig. 6.1), our algorithm finds that the partition

{{p1, p6, p7, p8, p9, p10, p11, p12}, {p2}, {p3}, {p4, p5}}

is sufficient to establish the mutual exclusion between p4 and p5. So our algorithm manipulates subsets of N^4 instead of subsets of N^12.

The mesh 2x2 (resp. 3x2) example corresponds to 4 (resp. 6) processors running in parallel with a load balancing mechanism that allows tasks to move from one processor to another. The mutual exclusion property says that one processor never processes two tasks at the same time. That property is local to one processor, and our algorithm builds an abstraction where the behaviour of the processor we consider is described exactly and the other places are totally abstracted into one place. In that case, we manipulate subsets of N^9 instead of subsets of N^32 for mesh 2x2 or N^52 for mesh 3x2.

For the other examples we observe a similar phenomenon: only a small part of the Petri net is relevant to prove the mutual exclusion property. The rest of the net describes other aspects of the parameterized system and is abstracted by our algorithm. Hence, all the parameterized systems are analysed by building an abstract Petri net with few places.

The other examples (the “Bounded PN” in Tab. 6.1) are classical algorithms ensuring mutual exclusion of critical sections for two processes. In those cases, our method concludes by building very precise abstractions, i.e. only few places are merged. The reasons are twofold: (i) the algorithms are completely dedicated to mutual exclusion, and (ii) the nets have been designed by hand in an “optimal” manner. However, and quite surprisingly, we noticed that our algorithm found, for those examples, places that can be merged. In our opinion, this shows that our algorithm finds reductions that are (too) difficult to find by hand.

Page 156: The Fixpoint Checking Problem: An Abstraction Refinement …software.imdea.org/~pierreganty/mypubs/ganty-phdthesis07.pdf · 2010. 9. 20. · The Fixpoint Checking Problem: An Abstraction

138 CHAPTER 6. PLACE MERGING ABSTRACTIONS FOR PETRI NETS

Page 157: The Fixpoint Checking Problem: An Abstraction Refinement …software.imdea.org/~pierreganty/mypubs/ganty-phdthesis07.pdf · 2010. 9. 20. · The Fixpoint Checking Problem: An Abstraction

Chapter 7

Conclusion

This final chapter looks back and evaluates the results presented in the thesis. Then we close briefly by looking ahead.

7.1 Summary

We contributed to the abstraction refinement paradigm by defining a new abstraction refinement algorithm which is formulated inside the general framework of abstract interpretation. We thus turn this framework, which is mainly intended for model analysis (where the property to be checked is not given a priori, and so the analysis might not be conclusive), into a framework for model verification (where the property is given a priori, and so, unless it does not terminate, verification is conclusive).

In addition to its correctness, we identify sufficient conditions for termination of the algorithm. We proved, for instance, that if CEGAR terminates on a given fixpoint instance then so does our algorithm. However, our algorithm differs from CEGAR as far as the abstract domain refinement is concerned. In fact, at each refinement step CEGAR eliminates a single counterexample (to be found and chosen), while after i refinements our algorithm has eliminated all counterexamples of length less than i.

We also study the properties of our algorithm when more powerful abstract domains are allowed. We choose to consider predicate abstraction, which induces boolean closed abstract domains, whereas abstract interpretation induces Moore closed abstract domains. It turns out that using boolean closed domains does not improve the termination properties of our algorithm. This result is relevant because the cost of computing in boolean closed domains is higher than that of computing in Moore closed domains.

Part of the research has been devoted to studying extensions of the algorithm. First, recall that the algorithm falls naturally into three parts: the forward reasoning, the backward reasoning, and the abstract domain refinement.


For the abstract domain refinement, we have seen that acceleration techniques can be elegantly integrated into our algorithm. As far as we know, this is the first successful attempt to bring acceleration techniques into the abstraction refinement paradigm.

Regarding the forward and backward reasoning, we formulate minimal requirements which allow us to maintain the correctness as well as the termination properties. In some cases (see, for instance, Chapt. 6) this allows us to reuse existing analyzers as long as the minimal requirements are satisfied.

The general algorithm we defined is provided together with a methodology which aims at instantiating the algorithm for a given setting. This methodology has been applied to three different settings: WSTS in Chapt. 4, a class of finite-state concurrent systems in Chapt. 5 and Petri nets in Chapt. 6. The instantiation of our algorithm is a manual effort which requires rigour but also creativity. As a matter of fact, to instantiate the algorithm one has to devise an abstraction, hence an adequate family of abstract domains. We did so for the three aforementioned cases.

For WSTS, we devised an abstraction that gives rise to, as far as we know, the first generic representation for downward-closed sets, hence the first completely generic abstraction-refinement-based algorithm for WSTS. For finite-state concurrent systems we devised an abstraction which generalizes some previous works like [MJ81, BPR01]. Finally, for Petri nets, we devised an abstraction which dramatically reduces, in most of our experimental results, the dimensionality of the manipulated sets. The novelty of our approach is to reduce the dimensionality of the manipulated sets based on the semantics of the Petri net to analyze, rather than on its syntax.

7.2 Future Works

The algorithm we defined in this thesis is mainly dedicated to establishing safety properties. A natural extension is to study more complicated properties like, for instance, liveness properties. The difficulty stems from the fact that these properties require evaluating more complicated fixpoint expressions.

Another possible theoretical development is to further investigate the relationship between our algorithm and the domain completion extensively studied in [GRS00, GQ01, RT02]. In the thesis, we pointed out that the family of abstract domains is domain complete, but we did not investigate further.

Also the relationship with CEGAR has to be further investigated, both from a theoretical and an empirical standpoint. Indeed, in the thesis we consider the basic CEGAR. However, this approach has recently been enhanced by using so-called Craig interpolants. Basically these interpolants allow the refinement to eliminate more than a single counterexample in one iteration. In this new context, we should consider issues related to termination: “Is CEGAR enhanced with Craig interpolants more powerful than our algorithm in terms of termination?”, “If so, does it happen often in practice?”.

In our algorithm, the abstract domain refinement uses the transition relation R or any superset of R included in R*. As pointed out in Rem. 5.1, in some situations it leads to better performance to consider a subset of the transition relation. Further investigations should provide a formal characterization of the subsets to use while preserving the termination results. Empirical evidence should also support the claim.

Relatively to Chapt. 6, a natural question that arises is: “How far can we generalize the Petri net model while maintaining the results on predicate transformers?” Preliminary investigations have revealed that, for the model of Petri nets with transfers, the predicate transformer post of the abstract net no longer coincides with the best abstract counterpart of post.

Abstract interpretation is typically used to analyze Turing-complete models. In this thesis, we have shown that abstract interpretation is worthwhile for analyzing decidable models as well, because it leads to algorithms which scale up. In fact many models which are decidable are nevertheless intractable. So by using techniques similar to ours or CEGAR, we increase the applicability of model checking. Much of the work presented in this thesis is theoretical. As future work, we recommend an extensive application of our algorithm to evaluate its relevance.


Bibliography

[AAB99] P. A. Abdulla, A. Annichini, and A. Bouajjani. Symbolic verificationof lossy channel systems: Application to the bounded retransmissionprotocol. In TACAS ’99: Proc. 5th Int. Conf. on Tools and Algorithmsfor the Construction and Analysis of Systems, volume 1579 of LNCS,pages 208–222. Springer, 1999. 2, 61

[ACJT96] P. A. Abdulla, K. Cerans, B. Jonsson, and Y.-K. Tsay. General de-cidability theorems for infinite-state systems. In LICS ’96: Proc. 11thAnnual IEEE Symp. on Logic in Computer Science, pages 313–321. IEEEComputer Society, 1996. 11, 19, 61, 63, 64, 65, 84, 110

[AD94] R. Alur and D. L. Dill. A theory of timed automata. Theoretical Com-puter Science, 126(2):183–236, 1994. 2, 61

[ADMN04] P. A. Abdulla, J. Deneux, P. Mahata, and A. Nylen. Forward reachabilityanalysis of timed petri nets. In FORMATS-FTRTFT ’04: Proc. of JointInt. Conf. on Formal Modelling and Analysis of Timed Systems and For-mal Techniques in Real-Time and Fault-Tolerant Systems, volume 3253of LNCS, pages 343–362. Springer, 2004. 62

[AIN00] P. A. Abdulla, S. P. Iyer, and A. Nylen. Unfoldings of unbounded petrinets. In CAV ’00: Proc. 12th Int. Conf. on Computer Aided Verification,volume 1855 of LNCS, pages 495–507. Springer, 2000. 107

[AJ96] P. A. Abdulla and B. Jonsson. Verifying programs with unreliable chan-nels. Inf. Comput., 127(2):91–101, 1996. 2, 19, 61, 62

[AO91] K. R. Apt and E.-R. Olderog. Verification of sequential and concurrentprograms. Springer-Verlag, New York, Berlin, 1991. 3

[BCM+90] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and J. L. Hwang.Symbolic model checking: 1020 states and beyond. In LICS’90: Proc. 5thAnnual IEEE Symp. on Logic in Computer Science, pages 1–33. IEEEComputer Society, 1990. 90

143

Page 162: The Fixpoint Checking Problem: An Abstraction Refinement …software.imdea.org/~pierreganty/mypubs/ganty-phdthesis07.pdf · 2010. 9. 20. · The Fixpoint Checking Problem: An Abstraction

144 BIBLIOGRAPHY

[BF95] A. L. Blum and M. L. Furst. Fast planning through planning graph anal-ysis. In IJCAI ’05: Proc. 14th Int. Joint Conf. on Artificial Intelligence,volume 2, pages 1636–1642. 1995. 86

[BF97] A. L. Blum and M. L. Furst. Fast planning through planning graphanalysis. Artificial Intelligence, 90(1–2):279–298, 1997. 86

[BFLP03] S. Bardin, A. Finkel, J. Leroux, and L. Petrucci. Fast: Fast accelera-tion of symbolic transition systems. In CAV ’03: Proc. 15th Int. Conf.on Computer Aided Verification, volume 2725 of LNCS, pages 118–121.Springer, 2003. 48, 61

[Boi03] B. Boigelot. On iterating linear transformations over recognizable setsof integers. Theoretical Computer Science, 309(2):413–468, 2003. 6, 35

[BPR01] T. Ball, A. Podelski, and S. K. Rajamani. Boolean and cartesian abstrac-tion for model checking C programs. In TACAS ’01: Proc. 7th Int. Conf.on Tools and Algorithms for the Construction and Analysis of Systems,pages 268–283. 2001. 86, 89, 140

[BPR02] T. Ball, A. Podelski, and S. K. Rajamani. Relative completeness ofabstraction refinement for software model checking. In TACAS’02: Proc.8th Int. Conf. on Tools and Algorithms for the Construction and Analysisof Systems, volume 2280 of LNCS, pages 158–172. Springer, 2002. 25

[BR02] T. Ball and S. K. Rajamani. The slam project: debugging system soft-ware via static analysis. In POPL ’02: Proc. 29th ACM SIGPLAN-SIGACT Symp. on Principles of Programming Languages, pages 1–3.ACM Press, 2002. 5, 6, 24

[BRV75] G. Berthelot, G. Roucairol, and R. Valk. Reductions of nets and parallelprgrams. In Advanced Course: Net Theory and Applications, volume 84of LNCS, pages 277–290. Springer, 1975. 109

[Bry86] R. E. Bryant. Graph-based algorithms for boolean function manipula-tion. IEEE Trans. Computers, 35(8):677–691, 1986. 90

[BS81] S. Burris and H. P. Sankappanavar. A Course in Universal Algebra.Springer, New York, 1981. 112, 117

[CC77] P. Cousot and R. Cousot. Abstract interpretation: a unified lattice modelfor static analysis of programs by construction or approximation of fix-points. In POPL ’77: Proc. 4th ACM SIGACT-SIGPLAN Symp. onPrinciples of Programming Languages, pages 238–252. ACM Press, 1977.4, 16, 23, 85

Page 163: The Fixpoint Checking Problem: An Abstraction Refinement …software.imdea.org/~pierreganty/mypubs/ganty-phdthesis07.pdf · 2010. 9. 20. · The Fixpoint Checking Problem: An Abstraction

BIBLIOGRAPHY 145

[CC79a] P. Cousot and R. Cousot. Constructive versions of Tarski’s fixed pointtheorems. Pacific Journal of Mathematics, 81(1):43–57, 1979. 15

[CC79b] P. Cousot and R. Cousot. Systematic design of program analysis frame-works. In POPL ’79: Proc. 6th ACM SIGPLAN-SIGACT Symp. onPrinciples of Programming Languages, pages 269–282. ACM Press, NewYork, NY, 1979. 22

[CC92a] P. Cousot and R. Cousot. Abstract interpretation frameworks. Journalof Logic and Computation, 2(4):511–547, 1992. 19

[CC92b] P. Cousot and R. Cousot. Comparing the Galois connection and widen-ing/narrowing approaches to abstract interpretation, invited paper. InPLILP ’92: Proc. Int. Workshop on Programming Language Implemen-tation and Logic Programming, volume 631 of LNCS, pages 269–295.Springer, 1992. 16, 17

[CC99] P. Cousot and R. Cousot. Refining model checking by abstract interpre-tation. Automated Software Engineering, 6(1):69–95, 1999. 19

[CCG+02] A. Cimatti, E. M. Clarke, E. Giunchiglia, F. Giunchiglia, M. Pistore,M. Roveri, R. Sebastiani, and A. Tacchella. NuSMV version 2: Anopensource tool for symbolic model checking. In CAV ’02: Proc. 14thInt. Conf. on Computer Aided Verification, volume 2404 of LNCS, pages359–364. Springer, 2002. 103

[CCG+03] S. Chaki, E. M. Clarke, A. Groce, S. Jha, and H. Veith. Modular verifi-cation of software components in C. In ICSE ’03: Proc. 25th Int. Conf.on Software Engineering, pages 385–395. IEEE Computer Society, 2003.5, 6, 24

[CE81] E. M. Clarke and E. A. Emerson. Synthesis of synchronisation skele-tons for branching time temporal logic. In Proc. Workshop on Logics ofPrograms, volume 131. Springer, 1981. 3, 4

[CES86] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verifica-tion of finite-state concurrent systems using temporal logic specifications.ACM Transactions on Programming Languages and Systems, 8(2):244–263, 1986. 4

[CGJ+03] E. M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith.Counterexample-guided abstraction refinement for symbolic modelchecking. J. ACM, 50(5):752–794, 2003. 5, 23, 24

[CGP99] E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. The MITPress, Cambridge, Massachusetts, 1999. 4

Page 164: The Fixpoint Checking Problem: An Abstraction Refinement …software.imdea.org/~pierreganty/mypubs/ganty-phdthesis07.pdf · 2010. 9. 20. · The Fixpoint Checking Problem: An Abstraction

146 BIBLIOGRAPHY

[CH78] P. Cousot and N. Halbwachs. Automatic discovery of linear restraintsamong variables of a program. In POPL ’78: Proc. 5th ACM SIGPLAN-SIGACT Symp. on Principles of Programming Languages, pages 84–97.ACM Press, 1978. 48

[Chu85] A. Church. The Calculi of Lambda Conversion. (AM-6) (Annals of Math-ematics Studies). Princeton University Press, Princeton, NJ, USA, 1985.9

[Cia94] G. Ciardo. Petri nets with marking-dependent arc multiplicity: proper-ties and analysis. In APN ’94: Proc. of 15th Int. Conf. on Applicationand Theory of Petri Nets, volume 815 of LNCS, pages 179–198. Springer,1994. 2, 19, 62

[CLR90] T. H. Cormen, C. E. Leiserson, and R. L. Rivest. Introduction to Algo-rithms. MIT Press and McGraw-Hill, 1990. 48

[CM97] G. Ciardo and A. Miner. Storage alternatives for large structured statespace. In Proc. Computer Performance Evaluation 1997: 9th Int. Conf.on Modelling Techniques and Tools, volume 1245 of LNCS, pages 44–57.Springer, 1997. 136

[Cou78] P. Cousot. Methodes Iteratives de construction et d’approximation depoints fixes d’operateurs monotones sur un treillis, analyse semantiquede programmes (in French). These d’etat es sciences mathematiques,Universite scientifique et medicale de Grenoble, March 1978. 20, 25, 49

[Cou81] P. Cousot. Semantic foundations of program analysis. In S. Muchnickand N. Jones, editors, Program Flow Analysis: Theory and Applications,chapter 10, pages 303–342. Prentice-Hall, Inc., 1981. 21

[Cou00] P. Cousot. Partial completeness of abstract fixpoint checking, invitedpaper. In SARA’00: Proc. 4th Int. Symp. on Abstraction, Reformulationsand Approximation, volume 1864 of LNAI, pages 1–25. Springer, 2000.21, 63

[Dam03] D. Dams. Comparing abstraction refinement algorithms. Electr. NotesTheor. Comput. Sci, 89(3), 2003. 39

[DFS98] C. Dufourd, A. Finkel, and P. Schnoebelen. Reset nets between decid-ability and undecidability. In ICALP ’98: Proc. of 25th Int. Colloquiumon Automata, Languages and Programming, volume 1443 of LNCS, pages103–115. Springer, 1998. 19, 62, 65

[DP89] B. A. Davey and H. A. Priestley. An Introduction to Lattices and Order.Cambridge University Press, Cambridge, 1989. 14

Page 165: The Fixpoint Checking Problem: An Abstraction Refinement …software.imdea.org/~pierreganty/mypubs/ganty-phdthesis07.pdf · 2010. 9. 20. · The Fixpoint Checking Problem: An Abstraction

BIBLIOGRAPHY 147

[DR00] G. Delzanno and J.-F. Raskin. Symbolic representation of upward-closedsets. In TACAS ’00: Proc. 6th Int. Conf. on Tools and Algorithms forthe Construction and Analysis of Systems, pages 426–440. 2000. 122

[DRVanB01] G. Delzanno, J.-F. Raskin, and L. Van Begin. Attacking symbolic stateexplosion. In CAV ’01: Proc. 13th Int. Conf. on Computer Aided Ver-ification, volume 2102 of LNCS, pages 298–310. Springer, 2001. 107,136

[DRVanB02] G. Delzanno, J.-F. Raskin, and L. Van Begin. Towards the automatedverification of multithreaded java programs. In TACAS ’02: Proc. 8thInt. Conf. on Tools and Algorithms for the Construction and Analysis ofSystems, volume 2280 of LNCS, pages 173–187. Springer, 2002. 61

[EFM99] J. Esparza, A. Finkel, and R. Mayr. On the verification of broadcastprotocols. In LICS ’99: Proc. 14th Annual IEEE Symp. on Logic inComputer Science, pages 352–359. IEEE Computer Society, 1999. 2, 61

[EGS05] J. Esparza, P. Ganty, and S. Schwoon. Locality-based abstractions. InSAS ’05: Proc. 12th Int. Static Analysis Symp., volume 3672 of LNCS,pages 118–134. Springer, 2005. 102

[EN98] E. A. Emerson and K. S. Namjoshi. On model checking for non-deterministic infinite-state systems. In LICS ’98: Proc. 13th AnnualIEEE Symp. on Logic in Computer Science, pages 70–80. IEEE Com-puter Society, 1998. 19, 62, 65

[Fin90] A. Finkel. Reduction and covering of infinite reachability trees. Inf.Comput., 89(2):144–179, 1990. 65

[Fra92] N. Francez. Program Verification. Addison-Wesley Publishing Co., Cam-bridge, UK, 1992. 3

[FS01] A. Finkel and P. Schnoebelen. Well-structured transition systems ev-erywhere! Theoretical Computer Science, 256(1-2):63–92, 2001. 19, 64,65

[Gan02] P. Ganty. Algorithmes et structures de donnees efficaces pour la manip-ulation de contraintes sur les intervalles (in French). Master’s thesis,Universite Libre de Bruxelles, Belgium, 2002. 120, 122, 135

[GJS76] M. R. Garey, D. S. Johnson, and L. J. Stockmeyer. Some simplifiedNP-complete graph problems. Theor. Comput. Sci., 1(3):237–267, 1976.93

Page 166: The Fixpoint Checking Problem: An Abstraction Refinement …software.imdea.org/~pierreganty/mypubs/ganty-phdthesis07.pdf · 2010. 9. 20. · The Fixpoint Checking Problem: An Abstraction

148 BIBLIOGRAPHY

[GMD+07] P. Ganty, C. Meuter, G. Delzanno, G. Kalyon, J.-F. Raskin, andL. Van Begin. Symbolic data structure for sets of k-uples. Technicalreport, Universite Libre de Bruxelles, Belgium, 2007. 120, 122, 135

[GQ01] R. Giacobazzi and E. Quintarelli. Incompleteness, counterexamples andrefinements in abstract model-checking. In SAS’01: Proc. 8th Int. StaticAnalysis Symp., volume 2126 of LNCS, pages 356–373. Springer, 2001.6, 25, 58, 140

[Gra97] B. Grahlmann. The PEP tool. In CAV’97: Proc. 9th Int. Conf. on Com-puter Aided Verification, volume 1254 of LNCS, pages 440–443. Springer,1997. 107

[GRS00] R. Giacobazzi, F. Ranzato, and F. Scozzari. Making abstract interpre-tations complete. J. ACM, 47(2):361–416, 2000. 140

[GRVanB04] G. Geeraerts, J.-F. Raskin, and L. Van Begin. Expand, enlarge and check:new algorithms for the coverability problem of WSTS. In FSTTCS ’04:Proc. 24th Int. Conf. on Fondation of Software Technology and Theoret-ical Computer Science, volume 3328 of LNCS, pages 287–298. Springer,2004. 62, 63, 66, 107, 133, 134, 135

[GRVanB06] P. Ganty, J.-F. Raskin, and L. Van Begin. A complete abstract interpre-tation framework for coverability properties of WSTS. In VMCAI ’06:Proc. 7th Int. Conf. on Verification, Model Checking and Abstract In-terpretation, volume 3855 of LNCS, pages 49–64. Springer, 2006. 133,134

[GS92] S. M. German and A. P. Sistla. Reasoning about systems with manyprocesses. Journal of ACM, 39(3):675–735, 1992. 107

[HD95] M. Heiner and P. Deussen. Petri net based qualitative analysis - a casestudy. Technical Report I-08/1995, Brandenburg Tech. Univ., Cottbus,1995. 104

[Hen96] T. A. Henzinger. The theory of hybrid automata. In LICS ’96: Proc.11th Annual IEEE Symp. on Logic in Computer Science, pages 278–292.IEEE Computer Society, 1996. 2, 61

[HHT97] T. A. Henzinger, P. H. Ho, and H. W. Toi. Hytech: A model checker forhybrid systems. Int. Journal on Software Tools for Technology Transfer,1(1-2):110–122, 1997. 48

[HJMS02] T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Lazy abstraction.In POPL ’02: Proc. 29th ACM SIGPLAN-SIGACT Symp. on Principlesof Programming Languages, pages 58–70. ACM Press, 2002. 24

Page 167: The Fixpoint Checking Problem: An Abstraction Refinement …software.imdea.org/~pierreganty/mypubs/ganty-phdthesis07.pdf · 2010. 9. 20. · The Fixpoint Checking Problem: An Abstraction

BIBLIOGRAPHY 149

[HJMS03] T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Software verification with BLAST. In SPIN ’03: Proc. 10th Int. Model Checking Software SPIN Workshop, volume 2648 of LNCS, pages 235–239. Springer, 2003. 5, 6, 24

[HNRW06] K. Havelund, M. Núñez, G. Roşu, and B. Wolff, editors. Formal Approaches to Software Testing and Runtime Verification, First Combined International Workshops, FATES 2006 and RV 2006, volume 4262 of LNCS. Springer, 2006. 3

[KM69] R. M. Karp and R. E. Miller. Parallel program schemata. Journal of Comput. Syst. Sci., 3(2):147–195, 1969. 107, 121, 133, 134

[Kov92] A. Kovalyov. Concurrency relations and the safety problem for Petri nets. In APN ’92: Proc. of 13th Int. Conf. on Application and Theory of Petri Nets, volume 616 of LNCS, pages 299–309. Springer, 1992. 86

[KVBSV98] T. Kam, T. Villa, R. K. Brayton, and A. Sangiovanni-Vincentelli. Multi-valued decision diagrams: Theory and applications. Multiple-Valued Logic, 4(1–2):9–62, 1998. 90, 91

[Mas01] D. Massé. Combining forward and backward analyses of temporal properties. In PADO ’01: Programs as Data Objects, 2nd Symp., volume 2053 of LNCS, pages 103–116. Springer, 2001. 25

[MBC+95] M. A. Marsan, G. Balbo, G. Conte, S. Donatelli, and G. Franceschinis. Modelling with Generalized Stochastic Petri Nets. Wiley series in parallel computing. Wiley, 1995. 136

[MJ81] S. Muchnick and N. Jones. Complexity of flow analysis, inductive assertion synthesis, and a language due to Dijkstra. In S. Muchnick and N. Jones, editors, Program Flow Analysis: Theory and Applications, chapter 12, pages 380–393. Prentice-Hall, Inc., 1981. 86, 89, 140

[MP92] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Specification. Springer, 1992. 3

[MP95] Z. Manna and A. Pnueli. Temporal Verification of Reactive Systems: Safety. Springer, 1995. 3

[NA98] G. Naumovich and G. S. Avrunin. A conservative data flow algorithm for detecting all pairs of statements that may happen in parallel. In FSE ’98: Proc. of the ACM SIGSOFT Int. Symp. on Foundations of Software Engineering, volume 23, 6 of Software Engineering Notes, pages 24–34. ACM Press, 1998. 86

[NAC99a] G. Naumovich, G. S. Avrunin, and L. A. Clarke. Data flow analysis for checking properties of concurrent Java programs. In ICSE ’99: Proc. Int. Conf. on Software Engineering, pages 399–410. ACM Press, 1999. 86

[NAC99b] G. Naumovich, G. S. Avrunin, and L. A. Clarke. An efficient algorithm for computing MHP information for concurrent Java programs. In FSE ’99: Proc. of the Int. Symp. on Foundations of Software Engineering, volume 1687 of LNCS, pages 338–354. Springer, 1999. 86

[Par69] D. Park. Fixpoint induction and proofs of program properties. In Machine Intelligence, volume 5, pages 59–78. American Elsevier, 1969. 17

[Pet62] C. A. Petri. Kommunikation mit Automaten. Ph.D. thesis, Technical University Darmstadt, 1962. 2

[Pnu77] A. Pnueli. The temporal logic of programs. In Proc. 18th Annual Symp. on Foundations of Computer Science, pages 46–57. IEEE Computer Society, 1977. 4

[QS82] J. P. Queille and J. Sifakis. Specification and verification of concurrent systems in CESAR. In Proc. Int. Symp. on Programming, volume 137, pages 337–351. Springer, 1982. 3

[Rei86] W. Reisig. Petri Nets. An introduction. Springer, 1986. 19, 61, 82

[Ric53] H. G. Rice. Classes of recursively enumerable sets and their decision problems. Transactions of the American Mathematical Society, 74(2):358–366, 1953. 3

[RT02] F. Ranzato and F. Tapparo. Making abstract model checking strongly preserving. In SAS ’02: Proc. 9th Int. Static Analysis Symp., volume 2477 of LNCS, pages 411–427. Springer, 2002. 6, 140

[RVanB04] J.-F. Raskin and L. Van Begin. Petri nets with non-blocking arcs are difficult to analyze. Electr. Notes Theor. Comput. Sci., 98:35–55, 2004. 19, 62

[SKMB90] A. Srinivasan, T. Kam, S. Malik, and R. K. Brayton. Algorithms for discrete function manipulation. In ICCAD ’90: Proc. of IEEE/ACM Int. Conf. on Computer-Aided Design, pages 92–95. IEEE Computer Society, 1990. 91

[VanB03] L. Van Begin. Efficient Verification of Counting Abstractions for Parametric Systems. Ph.D. thesis, Université Libre de Bruxelles, Belgium, 2003. 56, 107

[VJ85] R. Valk and M. Jantzen. The residue of vector sets with applications to decidability problems in Petri nets. Acta Informatica, 21:643–674, 1985. 121

[ZPK02] L. D. Zuck, A. Pnueli, and Y. Kesten. Automatic verification of probabilistic free choice. In VMCAI ’02: Proc. 3rd Int. Workshop on Verification, Model Checking and Abstract Interpretation, volume 2294 of LNCS, pages 208–224. Springer, 2002. 103