Regular Model Checking Upside-Down: An Invariant-Based Approach

TL;DR

This paper presents a novel invariant-based approach for regular model checking that starts from the set of all configurations and uses inductive invariants to verify safety, offering a complementary perspective to existing methods.

Contribution

It introduces the concept of b-invariants and proves the regularity of their intersections, providing a new technique for safety verification in infinite-state systems.

Findings

The intersection of all inductive b-invariants is regular for every b≥0.

Automaton acceptance of unsafe configurations is in EXPSPACE for all b≥0.

For b=1, the problem is PSPACE-complete.

Abstract

Regular model checking is a technique for the verification of infinite-state systems whose configurations can be represented as finite words over a suitable alphabet. The form we are studying applies to systems whose set of initial configurations is regular, and whose transition relation is captured by a length-preserving transducer. To verify safety properties, regular model checking iteratively computes automata recognizing increasingly larger regular sets of reachable configurations, and checks if they contain unsafe configurations. Since this procedure often does not terminate, acceleration, abstraction, and widening techniques have been developed to compute a regular superset of the reachable configurations. In this paper, we develop a complementary procedure. Instead of approaching the set of reachable configurations from below, we start with the set of all configurations and approach it from above. We use that the set of reachable configurations is equal to the intersection of all inductive invariants of the system. Since this intersection is non-regular in general, we introduce b-invariants, defined as those representable by CNF-formulas with at most b clauses. We prove that, for every $b\geq0$, the intersection of all inductive b-invariants is regular, and we construct an automaton recognizing it. We show that whether this automaton accepts some unsafe configuration is in EXPSPACE for every $b\geq0$, and PSPACE-complete for b=1. Finally, we study how large must b be to prove safety properties of a number of benchmarks.