First-order finite satisfiability vs tree automata in safety verification

In this paper we deal with verification of safety properties of term-rewriting systems. The verification problem is translated to a purely logical problem of finding a finite countermodel for a first-order formula, which further resolved by a generic finite model finding procedure. A finite countermodel produced during successful verification provides with a concise description of the system invariant sufficient to demonstrate a specific safety property. We show the relative completeness of this approach with respect to the tree automata completion technique. On a set of examples taken from the literature we demonstrate the efficiency of finite model finding approach as well as its explanatory power.

💡 Research Summary

The paper addresses the verification of safety properties for term‑rewriting systems (TRSs), a class of infinite‑state systems that are widely used to model programs, protocols, and other computational artifacts. Traditional approaches to this problem rely on tree‑automata completion (TAC): one builds a tree automaton A_I representing the set of initial terms, another automaton A_U representing unsafe terms, and then applies a completion procedure to the rewrite rules R to obtain an over‑approximation automaton A_* that recognises (or over‑approximates) all terms reachable from A_I. If the language of A_* and A_U are disjoint, safety is concluded. While powerful, TAC suffers from two practical drawbacks. First, the completion process can be computationally heavy and may generate large automata, making the overall verification expensive. Second, the resulting automaton provides little insight into why a system is safe; the abstraction is opaque to a human analyst.

The authors propose an alternative method based on finite countermodels (FCM). The key observation is that the reachability relation induced by a TRS can be encoded as a binary predicate R in first‑order logic (FOL). Each rewrite rule l → r becomes an axiom R(l, r). Additional axioms enforce transitivity of R and congruence with respect to each function symbol (i.e., if R(x_i, x_i′) then R(f(…, x_i, …), f(…, x_i′, …))). The initial and unsafe term sets, originally given by tree automata, are translated into collections of ground facts of the form R(c, q) where c → q is a transition of the corresponding automaton. The whole verification problem is then expressed by the existential formula

 ψ_P = ∃x∃y ∨_{q_i∈Q_I, q_u∈Q_U}