Incremental, Inductive Coverability
We give an incremental, inductive (IC3) procedure to check coverability of well-structured transition systems. Our procedure generalizes the IC3 procedure for safety verification that has been successfully applied in finite-state hardware verification to infinite-state well-structured transition systems. We show that our procedure is sound, complete, and terminating for downward-finite well-structured transition systems —where each state has a finite number of states below it— a class that contains extensions of Petri nets, broadcast protocols, and lossy channel systems.
We have implemented our algorithm for checking coverability of Petri nets. We describe how the algorithm can be efficiently implemented without the use of SMT solvers. Our experiments on standard Petri net benchmarks show that IC3 is competitive with state-of-the-art implementations for coverability based on symbolic backward analysis or expand-enlarge-and-check algorithms both in time taken and space usage.
The IC3 algorithm  was recently introduced as an efficient technique for safety verification of hardware. It computes an inductive invariant by maintaining a sequence of over-approximations of forward-reachable states, and incrementally strengthening them based on counterexamples to inductiveness. The counterexamples are obtained using a backward exploration from error states. Efficient implementations of the procedure show remarkably good performance on hardware benchmarks .
A natural direction is to extend the IC3 algorithm to classes of systems beyond finite-state hardware circuits. Indeed, an IC3-like technique was recently proposed for interpolation-based software verification , and the technique was generalized to finite-data pushdown systems as well as systems using linear real arithmetic . Hoder and Bjørner show that their generalized IC3 procedure terminates on timed pushdown automata , and it is natural to ask for what other classes of infinite-state systems does IC3 form a decision procedure for safety verification.
In this paper, we consider well-structured transition systems (WSTS) [1, 12]. WSTS are infinite-state transition systems whose states have a well-quasi order, and whose transitions satisfy a monotonicity property w.r.t. the quasi-order. WSTS capture many important infinite-state models such as Petri nets and their monotonic extensions [11, 4, 7, 13], broadcast protocols [9, 10], and lossy channel systems . A general decidability result shows that the coverability problem (reachability in an upward-closed set) is decidable for WSTS . The decidability result performs a backward reachability analysis, and shows, using properties of well-quasi orderings, that the reachability procedure must terminate. In many verification problems, techniques based on computing inductive invariants outperform methods based on backward or forward reachability analysis; indeed, IC3 for hardware circuits is a prime example. Thus, it is natural to ask if there is a IC3-style decision procedure for coverability analysis for WSTS.
We answer this question positively. We give a generalization of IC3 for WSTS, and show that it terminates on the class of downward-finite WSTS, in which each state has a finite number of states lower than itself. The class of downward-finite WSTS contains the most important classes of WSTS used in verification, including Petri nets and their extensions, broadcast protocols, and lossy channel systems. Hence, our results show that IC3 is a decision procedure for the coverability problem for these classes of systems. While termination is trivial in the finite-state case, our technical contribution is to show, using the termination of the backward reachability procedure, that the sequence of (downward closed) invariants produced by IC3 is guaranteed to converge. We also show that the assumption of downward-finiteness is necessary: we give a (technical) example of a general WSTS on which the algorithm does not terminate.
We have implemented our algorithm in a tool called IIC to check coverability in Petri nets. Using combinatorial properties of Petri nets, we derive an optimized implementation of the algorithm that does not use an SMT solver. Our implementation shows that IIC outperforms several state-of-the-art implementations of coverability [13, 16] on a set of Petri net examples, both in space and in time requirements. For example, on a set of standard Petri net examples, we outperform implementations of EEC and backward reachability, often by orders of magnitude.
Well-quasi Orders For a set , a relation is a well-quasi-order (wqo) if it is reflexive, transitive, and if for every infinite sequence of elements from , there exists such that . A set is upward-closed if for every and , implies . Similarly, a set is downward-closed if for every and , implies . For a set , by we denote its upward closure, i.e., the set . For a singleton , we simply write for . Similarly, we define for the downward closure of a set . Clearly, (resp., ) is an upward-closed set (resp. downward-closed) for each . The union and intersection of upward-closed sets are upward-closed, and the union and intersection of downward-closed sets are downward-closed. Furthermore, the complement of an upward-closed set is downward-closed, and the complement of a downward-closed set is upward-closed. For the convenience of the reader, we will mark upward-closed sets with a small up-arrow superscript, like this: , and downward-closed sets with a small down-arrow superscript, like this: .
A basis of an upward-closed set is a set such that . It is known [14, 1, 12] that any upward-closed set in a wqo has a finite basis: the set of minimal elements of has finitely many equivalence classes under the equivalence relation , so take any system of representatives. We write for such a system of representatives. Moreover, it is known that any non-decreasing sequence of upward-closed sets eventually stabilizes, i.e., there exists such that .
A wqo is downward-finite if for each , the downward closure is a finite set.
Let be the set of -tuples of natural numbers, and let be pointwise comparison: if for . Then, is a downward-finite wqo .
Let be a finite alphabet, and consider the subword ordering on words over , given by for if results from by deleting some occurrences of symbols. Then is a downward-finite wqo .
Well-structured Transition Systems A well-structured transition system (WSTS) consists of a set of states, a finite set of initial states, a transition relation , and a well-quasi ordering such that for all such that and there exists such that and . A WSTS is downward-finite if is downward-finite.
Let . If , we call a predecessor of , and a successor of . We write for the set of predecessors of , and for the set of successors of . For , and are defined as natural extensions, i.e., and .
We write if there are states such that , and for . Furthermore, iff there exists a such that , i.e., is the reflexive and transitive closure of . We say that there is a path from to of length if , and that there is a path from to if .
The set of -reachable states is the set of states reachable in at most steps, formally, . The set of reachable states . Using downward closure, we can define the -th cover and the cover of the WSTS as and . The coverability problem for WSTS asks, given a WSTS and a downward-closed set , if every reachable state is contained in , i.e., if . It is easy to see that this question is equivalent to checking if .
In the following, we make some standard effectiveness assumptions on WSTS [1, 12]. We assume that is decidable, and that for any state , there is a computable procedure that returns a finite basis for . These assumptions are met by most classes of WSTS considered in verification .
Under the preceding effectiveness assumptions, one can show that the coverability problem is decidable for WSTS by a backward-search algorithm . The main construction is the following sequence of upward-closed sets:
It is easy to see that the sequence of sets forms an increasing chain of upward-closed sets, therefore it eventually stabilizes: there is some such that for all . Then, iff . Moreover, if , then contains , is contained in and satisfies .
We generalize from , in the style of inductive invariants for safety verification, to the notion of an (inductive) covering set. A downward-closed set is called a covering set for iff (a) , (b) , and (c) if . By induction, it is clear that for any covering set . Therefore, to solve the coverability problem, it is sufficient to exhibit any covering set.
3 IC3 for Coverability
We now describe an algorithm for the coverability problem that takes as input a WSTS and a downward-closed set , and constructs either a path from some state in to a state not in (if ), or an inductive covering set for . In the algorithm we consider sets that are not necessarily inductive by themselves, but they are inductive relative to some other sets. Formally, for a set such that , a downward-closed set is inductive relative to if and . An upward-closed set is inductive relative to if its downward-closed complement is inductive relative to , i.e. if and .
It can be easily shown that the condition is equivalent to . Stated in terms of an upward-closed set , the equivalent condition is . Since all these conditions are equivalent, we will use them interchangeably.
Figure 1 shows the algorithm as a set of non-deterministic state transition rules, similar to . A state of the computation is either the initial state Init, the special states valid and invalid that denote termination, or a pair defined as follows.
The first component of the pair is a vector of downward-closed sets, indexed starting from 0. The elements of are denoted . In particular, we denote by the downward closure of , i.e., . These sets contain the successive approximations to the inductive covering set. The function gives the length of the vector, disregarding , i.e., . If it is clear from the context which vector is meant, we often abbreviate simply with . We write for the concatenation of the vector with the downward closed set : .
The second component of the pair is a priority queue , containing elements of the form , where is a state and is a natural number. The priority of the element is given by , and is called the level of the element. The statement means that the priority queue contains an element of the given form, while means that the minimal element of the priority queue has the given form. Furthermore, yields after removal of its minimal element, and yields after adding element .
The elements of are states that lead outside of . Let be an element of . Either is a state that is in and outside of , or there is a state leading to such that . Our goal is to try to discard those states and show that they are not reachable from the initial state, as denotes an overapproximation of the states reachable in or less steps. If an element of is reachable from the initial state, then .
The state valid signifies that the search has terminated with the result that holds, while invalid signifies that the algorithm has terminated with the result that . In the description of the algorithm, we will omit the actual construction of certificates and instead just state that the algorithm terminates with invalid or valid; the calculation of certificates is straightforward.
The transition rules of the algorithm are of the form
and can be read thus: whenever the algorithm is in state and conditions – are fulfilled, the algorithm can apply rule [Name] and transition to state . We write if there is some rule such that the algorithm applies the rule to go from to . We write for the reflexive transitive closure of .
Let be a predicate on states. When we say that a rule preserves the invariant if whenever satisfies and conditions to are met, it also holds that satisfies .
Two of the rules use the map . It yields those states that are valid generalizations of relative to some set . A state is a generalization of the state relative to the set , if and is inductive relative to . Formally,
Finally, the notation means that is transformed by replacing by for each , i.e.,
We provide an overview of each rule of the calculus.
The algorithm starts by defining the first
downward-closed set to be the downward closure of the initial
If there is a state such that but at the same time it is not an element of we add to the priority queue .
To check if the elements of are spurious counterexamples, we start by processing an element with the lowest level . If there is an element in such that , then we add to the priority queue .
If the queue contains a state from the level 0, then we have found a counterexample trace and the algorithm terminates in the state invalid.
Similarly, if the queue contains a state such , this is again a counterexample trace and the algorithm terminates in the state invalid.
If none of predecessors of a state from the level is contained in , then belongs to a spurious counterexample trace and can be safely removed from the queue. Additionally, we update the downward-closed sets as follows: since the states in are not reachable in steps, they can be safely removed from all the sets . Moreover, instead of we can remove even a bigger set , for any state which is a generalization of the state relative to , as defined in (1).
If for some state that was previously removed from , a set becomes inductive relative to (i.e. ), none of the states in can be reached in at most steps. Thus, we can safely remove from as well. Similarly as in , we can even remove for any generalization .
If there is a downward-closed set such that , the algorithm terminates in the state valid.
If the queue is empty and all elements of are in , we start with a construction of the next set . Initially, contains all the states, , and we append to the vector .
We first show that the algorithm is sound: if it terminates, it produces the right answer. If it terminates in the state invalid there is a path from an initial state to a state outside of , and if it terminates in the state valid then .
We prove soundness by showing that on each state the following invariants are preserved by the transition rules:
These properties imply , that is, the region provides an over-approximation of the -cover.
The first step of the algorithm (rule ) results with the state , which satisfies (I2)–(I4) trivially, and establishes (I1). The following lemma states that the invariants are preserved by rules that do not result in valid or invalid. For lack of space, full proofs are given in Appendix A.
By induction on the length of the trace, it can be shown that if , then satisfies (I1) – (I4). When , there is a state such that , and the last applied rule is . To be able to apply , there is an such that .
We claim that is an inductive covering set. This claim follows from the fact that (1) by invariant (I4), (2) by invariant (I1), and (3) by invariant (I2). This claim proves the correctness of the algorithm in case :
[Soundness of coverability] Given a WSTS and a downward-closed set , if , then .
We next consider the case when . The following lemma describes the structure of the priority queues used in the algorithm.
Let . If , then for every , there is a path from to some .
[Soundness of uncoverability] Given a WSTS and a downward-closed set , if , then .
The assumption implies that there is some state such that , and the last applied rule was either or . In both cases .
If the last applied rule was , there is an such that . By Lemma 2 there is a path from to . Let . Since is a WSTS, there is such that and . The set is upward-closed, and thus . The path is a path from to , proving that .
If the last applied rule was , then . This implies , as is constant in the algorithm. Equivalently, and we apply the same arguments as in the case for .
While the above non-deterministic rules guarantee soundness for any WSTS, termination requires some additional choices. We modify the and rules into more restricted rules and , while all other rules are unchanged. Figure 2 shows the new rules and . These rules additionally use a sequence of sets . Intuitively, there can be infinitely many elements in . Sets provide a finite representation of those elements.
Recall the sequence of backward reachable states from (BackwardReach). We define sets using sets . The set captures all new elements that are introduced in and that were not present in the previous iterations. Formally, we define sets as follows:
By induction, and the finiteness of the set of minimal elements, we have that is finite for all . Further, assume that . Then, for all . As a consequence, the set is finite.
To show that the algorithm always terminates, we first show that the system can make progress until some final state is reached.
Proposition 1 (Maximal finite sequences)
Let be a maximal sequence of states, i.e., a sequence such that there is no such that . Then or .
We prove the termination of the algorithm by defining a well-founded ordering on the tuples .
Let and be two finite sequences of downward-closed sets of the equal length . Define iff for all . Let be a priority queue whose elements are tuples , and let be a natural number. Define , to be the smallest priority in or if is empty.
For two states and , such , we define the ordering as:
and we write if but or .
Lemma 3 ( is a well-founded quasi-order.)
The relation is a well-founded strict quasi-ordering on the set , where is a set of downward-closed sets over , and denotes the set of priority queues over .
The following proposition characterizes infinite runs of the algorithm. The proof follows from the observation that if as a result of applying the , , , or rules, then .
Proposition 2 (Infinite sequence condition)
For every infinite sequence , there are infinitely many such that by applying the rule .
We first prove that the algorithm terminates for the case when .
Let be a WSTS and a downward-closed set such that . For every sequence , there are at most different values for such that using the rule.
[Termination when ] Given a WSTS and a downward-closed set , if , then the algorithm terminates and all maximal execution sequences have the form .
Since , there is a state . By the definition of , there are states such that , and for some . Because is upward-closed, we have . Combining Lemma 4 and Proposition 2, we prove that the algorithm terminates.
To prove that the algorithm terminates when , we use an additional assumption:
Apply whenever it is applicable. ()
This is natural assumption: since the algorithm is used to decide the coverability problem and answers the problem positively, choosing the rule when it is applicable is the most efficient choice. The main argument for showing the termination will reduce to showing that, for downward-finite WSTS, we can generate only a finite number of different sets , so will be applicable at some point. The key combinatorial property of downward-finite wqos is as follows.
Let be a downward-finite wqo and let be a finite set. Consider a sequence , where each for . Then there is such that .
By downward-finiteness, is finite. Hence, there are only a finite number of different s we can construct, and the sequence must converge.
[Termination when ] For a given downward-finite WSTS and a downward-closed set , if and the rule is applied whenever possible, then the algorithm terminates and all maximal execution sequences have the form .
Consider any execution sequence . To show that it is finite, by Proposition 2, it is sufficient to show that there are only finitely many such that via rule . Note that every time is applied, the length of the sequence goes up. Consider the bound obtained by applying Lemma 5 to the finite set . After applications of , by Lemma 5, the rule applies. Since is taken whenever it is applied, the sequence must terminate. By soundness, it must terminate in valid.
Note that Theorem 4 is the only result that requires downward-finiteness of the WSTS. We show that the downward-finiteness condition is necessary. Consider a WSTS , where for each and , and is the natural order on extended with for all . Consider the downward closed set . The backward analysis terminates in one step, since . However, the IC3 algorithm need not terminate. After unfolding, we find a conflict since , which is not initial. Generalizing, we get . At this point, we unfold again. We find another conflict, and generalize to . We continue this way to generate an infinite sequence of steps without terminating.
4 Coverability for Petri Nets
Petri nets  are a widely used model for concurrent systems. They form a downward-finite class of WSTS. We now describe an implementation of our algorithm for the coverability problem for Petri nets.
4.1 Petri Nets
A Petri net (PN, for short) is a tuple , where is a finite set of places, is a finite set of transitions disjoint from , and is the arc multiplicity function.
The semantics of a PN is given using markings. A marking is a function from to . For a marking and place , we say has tokens.
A transition is enabled at marking , written , if for all . A transition that is enabled at can fire, yielding a new marking such that . We write to denote the transition from to on firing .
A PN and an initial marking give rise to a WSTS as follows. The set of states is the set of markings. There is a single initial state . There is an edge if there is some transition such that . Finally, if for each , we have . It is easy to check that the compatibility condition holds: if and , then there is a marking such that and . Moreover, the wqo is downward-finite. The coverability problem for PNs is defined as the coverability problem on this WSTS.
We represent Petri nets as follows. Let be the set of places. A marking is represented as the tuple of natural numbers . A transition is represented as a pair , where represents the enabling condition, and represents the difference between the number of tokens in a place if the transition fires, and the current number of tokens. Formally, is defined as:
We represent upward-closed sets with their minimal bases, which are finite sets of -tuples of natural numbers. A downward-closed set is represented as its complement (which is an upward-closed set). The sets , which are constructed during the algorithm run, are therefore represented as their complements. Such a representation comes naturally as the algorithm executes. Originally each set is initialized to contain all the states. The algorithm removes sets of states of the form from , for some . If a set was removed from , we say that states in are blocked by at level . At the end every becomes to a set of the form and we conceptually represent with .
The implementation uses a succinct representation of , so called delta-encoding . Let and for some finite sets and . Applying the invariant (I3) yields . Therefore we only need to maintain a vector such that if is the highest level where was blocked. This is sufficient because is also blocked on all lower levels. As an illustration, for , the matching vector might be . The set represents states that can never be reached.
4.2 Implementation Details and Optimizations
Our implementation follows the rules given in Figures 1 and 2. In addition, we use optimizations from . The main difference between our implementation and  is in the interpretation of sets being blocked: in  those are cubes identified with partial assignments to boolean variables, whereas in our case those are upward-closed sets generated by a single state. Also, a straightforward adaptation of the implementation  would replace a SAT solver with a solver for integer difference logic, a fragment of linear integer arithmetic which allows the most natural encoding of Petri nets. However, we observed that Petri nets allow an easy and efficient way of computing predecessors and deciding relative inductiveness directly. Thus we were able to eliminate the overhead of calling the SMT solver.
Testing membership in . Many of the rules given in Figures 1 and 2 depend on testing whether some state is contained in a set . Using the delta-encoded vector this can be done by iterating over for and checking if any of them contains a state such that . If there is such a state, it blocks , otherwise . If , we search for only in .
Implementation of the rules. The delta-encoded representation also makes easy to implement. Checking if reduces to checking if is empty for some . is applied when can no longer yield a bad state contained in . It increases and inserts an empty set to position in the vector , thus pushing from position to . We implemented rules , , and in a straightforward manner.
Computing predecessors. In the rest of the rules we need to find predecessors in , or conclude relative inductiveness if no such predecessors exist. The implementation in  achieves this by using a function solveRelative() which invokes the SAT solver. But solveRelative() also does two important improvements. In case the SAT solver finds a cube of predecessors, it applies ternary simulation to expand it further. If the SAT solver concludes relative inductiveness, it extracts information to conclude a generalized clause is inductive relative to some level . We succeeded to achieve analogous effects in case of Petri nets by the following observations. While it is unclear what ternary simulation would correspond to for Petri nets, the following lemma shows how to compute the most general predecessor along a fixed transition directly.
Let be a state and be a transition. Then is a predecessor along if and only if .
Therefore, to find an element of