Modular Abstractions of Reactive Nodes using Disjunctive Invariants

We wish to abstract nodes in a reactive programming language, such as Lustre, into nodes with a simpler control structure, with a bound on the number of control states. In order to do so, we compute disjunctive invariants in predicate abstraction, with a bounded number of disjuncts, then we abstract the node, each disjunct representing an abstract state. The computation of the disjunctive invariant is performed by a form of quantifier elimination expressed using SMT-solving. The same method can also be used to obtain disjunctive loop invariants.

💡 Research Summary

The paper addresses the problem of state‑space explosion in reactive programming languages such as Lustre, Scade, Sao, and Simulink, where each node may contain a large number of input, output, and internal state variables. When the internal state is modeled as a finite vector of Booleans, the node can be represented as a finite automaton, but the number of automaton states grows exponentially with the number of state variables, making analysis intractable. The authors propose a method to automatically construct a more abstract automaton whose number of control states is bounded by a user‑specified constant n, while still over‑approximating the concrete node’s behavior.

The core idea is to compute disjunctive invariants—formulas of the shape C₁ ∨ … ∨ Cₙ, where each Cᵢ is a conjunction of a selected subset of predicates drawn from a finite predicate set Π = {π₁,…,π_m}. A template T = ∨ᵢ∧ⱼ(bᵢⱼ ⇒ πⱼ) is introduced, with Boolean variables bᵢⱼ indicating whether predicate πⱼ appears in disjunct Cᵢ. Finding a suitable invariant reduces to assigning truth values to the matrix B = (bᵢⱼ) such that a universally quantified formula ∀σ F(B,σ) holds, where σ denotes a concrete program state (inputs, outputs, internal variables) and F encodes the inductiveness conditions (initial inclusion, preservation under transition, and post‑condition implication).

To solve the quantified problem, the authors employ a two‑solver loop. A SAT (or propositional) solver enumerates candidate Boolean assignments B that satisfy the current set of propositional constraints H. For each candidate, an SMT solver checks the satisfiability of ¬F(B,σ). If ¬F is unsatisfiable, B is a valid invariant. If it is satisfiable, the SMT solver returns a concrete counter‑example state σ₁; the corresponding ground instance F(σ₁) is added to H, thereby pruning B from future consideration. This loop iterates until either a valid B is found or H becomes unsatisfiable, guaranteeing termination because the Boolean search space is finite (size 2^{m·n}) and each iteration eliminates at least one assignment.

The basic algorithm is sound, complete, and terminating, but naïve execution can generate many redundant candidates. The paper introduces two practical refinements:

1. Canonical ordering of disjuncts – By enforcing a strict lexicographic order on the Boolean vectors representing each disjunct, permutations that encode the same logical disjunction are eliminated, reducing duplicate search paths.

2. Removal of subsumed disjuncts – A disjunct Cᵢ that is logically contained in the union of the other disjuncts is useless. The authors encode a constraint ∃σ Cᵢ(σ) ∧ ∧_{j≠i} ¬Cⱼ(σ) and add it to H, ensuring each Cᵢ is satisfiable and not subsumed. This also prevents the creation of empty or redundant disjuncts.

Beyond finding any invariant, the authors aim for minimal invariants with respect to set inclusion. Starting from an arbitrary inductive invariant B⁰, they iteratively strengthen the search by adding the constraint “B ⊂ B⁰” (expressed as ∀σ T(B,σ) ⇒ T(B⁰,σ) together with ∃σ T(B⁰,σ) ∧ ¬T(B,σ)). Each iteration yields a strictly smaller invariant until no further reduction is possible. Because the Boolean matrix space is finite and strictly descending, the process must converge, though multiple incomparable minima may exist.

The methodology is applied to Lustre nodes. By selecting a predicate set that captures relevant numeric comparisons (e.g., x > 0, x < 1, y > 0) and fixing n (often 2 or 3), the algorithm produces an abstract automaton with at most n abstract states. These abstract states correspond to the disjuncts and can be used in a modular compositional analysis: each node in a larger system is replaced by its abstraction, and the whole system can be analyzed with far fewer states.

Experimental examples demonstrate that the approach can dramatically reduce the number of states compared with classical predicate abstraction (which would generate 2^m states). The paper also shows that the same technique can be used to synthesize disjunctive loop invariants for imperative programs, by treating the loop body as a transition relation and applying the same quantified‑formula solving.

Contributions:

• A systematic way to bound the number of abstract states via disjunctive invariants.
• Reduction of invariant synthesis to a combination of SAT and SMT solving with quantifier elimination.
• Practical optimizations (canonical ordering, subsumption elimination) that make the approach scalable.
• Extension of the technique to loop invariant generation, enabling broader applicability.

Limitations include the need for a manually chosen predicate set Π and a bound n; poor choices can lead either to overly coarse abstractions or to infeasibility due to excessive search. The approach also heavily depends on the performance of underlying SMT solvers, especially when the theory T involves non‑linear arithmetic or uninterpreted functions.

In conclusion, the paper presents a novel, SMT‑driven framework for constructing bounded‑state abstractions of reactive nodes and for generating disjunctive loop invariants. By integrating quantifier elimination with a SAT‑guided search, it overcomes the classic state‑explosion problem of predicate abstraction while preserving enough precision for modular verification of safety‑critical reactive systems. Future work may explore automatic predicate selection, adaptive adjustment of the disjunct bound n, and extensive empirical evaluation on industrial‑scale Lustre models.