Backward Reachability of Array-based Systems by SMT solving: Termination and Invariant Synthesis

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv paper.

The safety of infinite state systems can be checked by a backward reachability procedure. For certain classes of systems, it is possible to prove the termination of the procedure and hence conclude the decidability of the safety problem. Although backward reachability is property-directed, it can unnecessarily explore (large) portions of the state space of a system which are not required to verify the safety property under consideration. To avoid this, invariants can be used to dramatically prune the search space. Indeed, the problem is to guess such appropriate invariants. In this paper, we present a fully declarative and symbolic approach to the mechanization of backward reachability of infinite state systems manipulating arrays by Satisfiability Modulo Theories solving. Theories are used to specify the topology and the data manipulated by the system. We identify sufficient conditions on the theories to ensure the termination of backward reachability and we show the completeness of a method for invariant synthesis (obtained as the dual of backward reachability), again, under suitable hypotheses on the theories. We also present a pragmatic approach to interleave invariant synthesis and backward reachability so that a fix-point for the set of backward reachable states is more easily obtained. Finally, we discuss heuristics that allow us to derive an implementation of the techniques in the model checker MCMT, showing remarkable speed-ups on a significant set of safety problems extracted from a variety of sources.


💡 Research Summary

The paper addresses the safety verification problem for infinite‑state systems that manipulate arrays. Traditional backward reachability starts from the set of unsafe states and iteratively computes predecessor states until either a fix‑point is reached or the set of initial states is intersected. While conceptually simple, this approach suffers from state explosion when the data domain is unbounded and when array indices can range over infinite sets. The authors propose a fully declarative, SMT‑based framework that both guarantees termination under well‑defined theory conditions and integrates invariant synthesis to prune unnecessary exploration.

Modeling with Theories.
The system’s topology (e.g., control locations, process identifiers) is described by one logical theory, while the data stored in arrays is described by another. By keeping the two concerns separate, the authors can exploit the strengths of each background theory (linear integer arithmetic, array theory, uninterpreted functions, etc.). The transition relation is encoded as a first‑order formula over the combined signature, and an SMT solver is used to answer satisfiability queries that correspond to predecessor computation. Crucially, the paper identifies sufficient conditions on the employed theories—most notably the existence of a well‑quasi‑ordering (WQO) and monotonicity of the transition relation—that guarantee that the sequence of predecessor sets forms an ascending chain that must stabilize after finitely many steps. Under these hypotheses, backward reachability is provably terminating, which yields decidability of the safety problem for the considered class of array‑based systems.

Invariant Synthesis as the Dual Problem.
An invariant is a formula that contains the initial states, excludes the unsafe states, and is preserved by every transition. The authors observe that invariant synthesis is the logical dual of backward reachability: instead of expanding backwards from the unsafe set, one can expand forwards from the initial set while simultaneously constructing a formula that separates the two. They present a complete synthesis algorithm that, given the same theory assumptions used for termination, will eventually discover a suitable invariant whenever one exists. The algorithm repeatedly queries the SMT solver for counter‑examples to the current candidate invariant and refines the candidate using the counter‑examples, mirroring the classic Counterexample‑Guided Abstraction Refinement (CEGAR) loop but entirely within the SMT‑based backward framework.

Interleaved Exploration and Synthesis.
To obtain practical performance, the paper proposes an interleaved execution strategy: backward predecessor computation and invariant refinement are run in parallel. After each backward step, the newly discovered predecessor states are fed to the invariant synthesis engine as additional constraints, which often yields a stronger invariant that can cut off further backward expansion. Conversely, when the synthesis engine produces a promising invariant, it is immediately used to filter out predecessor candidates that violate the invariant, thereby shrinking the search space. This mutual feedback dramatically reduces the number of SMT queries and the size of the formulas involved.
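As an added illustration (not code from the paper or from MCMT), the following Python script runs backward reachability over upward-closed sets on a constructed counter abstraction of a parameterized mutual-exclusion protocol: the componentwise order on count vectors is the well-quasi-ordering that forces the predecessor chain to stabilize, and a downward-closed invariant prunes predecessor candidates in the way the interleaved strategy above describes. The protocol, its transitions and the invariant are assumptions made for the example, and explicit vector arithmetic stands in for the SMT queries of the symbolic setting.

```python
# Constructed example: configurations are process counts (idle, wait, crit, free),
# where "free" counts the lock token.  Transitions are Petri-net style
# (pre, post) vectors; this model is assumed for the example, not taken from the paper.
TRANSITIONS = {
    "request": ((1, 0, 0, 0), (0, 1, 0, 0)),  # idle -> wait
    "enter":   ((0, 1, 0, 1), (0, 0, 1, 0)),  # wait + lock -> crit
    "leave":   ((0, 0, 1, 0), (1, 0, 0, 1)),  # crit -> idle, lock released
}
UNSAFE = {(0, 0, 2, 0)}  # minimal bad configuration: two processes in crit

def leq(a, b):
    """Componentwise order on count vectors: a well-quasi-ordering (Dickson's lemma)."""
    return all(x <= y for x, y in zip(a, b))

def pre_image(m, pre, post):
    """Minimal element of pre_t(up(m)): s enables t (s >= pre) and
    s - pre + post >= m, i.e. s >= pre + max(m - post, 0) componentwise."""
    return tuple(p + max(x - q, 0) for p, q, x in zip(pre, post, m))

def minimize(configs):
    """Keep only minimal elements; they finitely represent the upward-closed set."""
    return {c for c in configs if not any(d != c and leq(d, c) for d in configs)}

def backward_reach(unsafe, transitions, invariant=lambda m: True):
    """Backward reachability from the unsafe set.  `invariant` must be downward-closed,
    so rejecting a minimal element soundly discards its whole upward-closed set.
    Returns the fix-point's minimal elements and the number of pre-image queries."""
    frontier = minimize({m for m in unsafe if invariant(m)})
    reached, queries = set(frontier), 0
    while frontier:
        new = set()
        for m in frontier:
            for pre, post in transitions.values():
                queries += 1
                p = pre_image(m, pre, post)
                if invariant(p) and not any(leq(r, p) for r in reached):
                    new.add(p)
        frontier = minimize(new)
        reached = minimize(reached | frontier)  # WQO: only finitely many new minima
    return reached, queries

def initial_contains(m):
    """Initial states: any number of idle processes, nobody waiting or critical,
    exactly one lock token.  up(m) meets them iff m lies below such a state."""
    return m[1] == 0 and m[2] == 0 and m[3] <= 1

def is_safe(fixpoint):
    """Safe iff no backward-reachable configuration is an initial one."""
    return not any(initial_contains(m) for m in fixpoint)

def one_lock(m):
    return m[3] <= 1  # pruning invariant: at most one lock token (downward-closed)
```

Without the invariant the fix-point has six minimal elements after 18 pre-image queries; with `one_lock` it has three after 9, and dropping the lock guard from `enter` makes the unsafe set reach an initial configuration.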

Heuristics and Optimizations.
The authors introduce several heuristics that make the approach scalable: (1) index abstraction that limits the range of array indices based on static analysis; (2) data abstraction that groups concrete values into equivalence classes; (3) pattern detection that extracts common sub‑formulas from successive transition formulas; and (4) query caching to avoid redundant SMT calls. These techniques lower the computational burden on the underlying solver and enable the framework to handle larger models.

Implementation and Experimental Evaluation.
The methodology has been implemented in MCMT, a model checker specifically designed for manipulating transitions over arrays. The authors evaluated the tool on a benchmark suite comprising over fifty safety problems drawn from communication protocols, concurrent data structures, cache‑coherence protocols, and parameterized distributed algorithms. Compared with the previous MCMT configuration (which relied on pure backward reachability without invariant synthesis), the new version achieved speed‑ups ranging from 5× to more than 30×, and in several cases turned time‑outs into solutions within seconds. The experiments confirm that the theoretical termination guarantees translate into practical efficiency gains when combined with the invariant‑driven pruning strategy.

Contributions.

  1. A declarative SMT‑based encoding of array‑based infinite‑state systems that separates topology and data theories.
  2. Identification of sufficient theory conditions (WQO, monotonicity) that ensure termination of backward reachability.
  3. A complete invariant synthesis algorithm derived as the dual of backward reachability, with provable correctness under the same conditions.
  4. An interleaved exploration‑synthesis workflow that leverages mutual feedback to accelerate convergence to a fix‑point.
  5. A set of pragmatic heuristics and a concrete implementation in MCMT, validated on a diverse benchmark set with substantial performance improvements.

In summary, the paper demonstrates that by grounding backward reachability and invariant synthesis in a robust SMT framework, one can both obtain decidability results for a broad class of array‑manipulating systems and achieve practical verification performance that scales to real‑world safety problems.
