Infinite State Model Checking by Learning Transitive Relations

We propose a new approach for proving safety of infinite state systems. It extends the analyzed system by transitive relations until its diameter D becomes finite, i.e., until constantly many steps suffice to cover all reachable states, irrespective of the initial state. Then we can prove safety by checking that no error state is reachable in D steps. To deduce transitive relations, we use recurrence analysis. While recurrence analyses can usually find conjunctive relations only, our approach also discovers disjunctive relations by combining recurrence analysis with projections. An empirical evaluation of the implementation of our approach in our tool LoAT shows that it is highly competitive with the state of the art.

💡 Research Summary

The paper introduces a novel method for proving safety of infinite‑state systems by dynamically extending the transition relation with learned transitive relations until the system’s diameter becomes finite. In traditional bounded model checking (BMC) the diameter D – the longest shortest path from any initial state to any reachable state – must be finite; otherwise BMC cannot guarantee safety. The authors observe that if one can add extra transition clauses that capture the effect of arbitrarily many steps, the effective diameter can be reduced to a constant, after which a standard BMC run suffices.

To obtain such extra clauses, the authors combine recurrence (or loop) analysis with a new form of projection they call “transitive projection”. Classical recurrence analysis extracts conjunctive (single‑case) summaries of loops, which works well for straight‑line loops but fails for loops with branching because a single conjunct cannot distinguish different paths. The paper therefore augments recurrence analysis with a model‑based projection technique that, given a concrete model of a loop execution, projects away selected variables to obtain a concise description of the loop’s effect. This projection is always conjunctive (QF∧) and is driven by the current model, ensuring that the derived summary is relevant to the concrete execution observed.

The overall algorithm, named Transitive Relation Learning (TRL), proceeds as follows. An SMT solver is used incrementally, mirroring standard BMC: the initial state ψ_init is encoded, then for each bound b the error condition ψ_err is added and a SAT check is performed. If the error is reachable, the algorithm returns “unknown”. Otherwise, the transition relation τ and all previously learned relations π are instantiated for step b (renaming variables appropriately) and added to the solver. A set of blocking clauses prevents the same learned relation from being used twice in a row, which is crucial for forcing the solver to prefer the new, “shortcut” transitions.

When the SAT check succeeds, a model σ is extracted. The algorithm reconstructs the concrete trace that σ represents and searches this trace for loops. A loop is identified by a start index s and a length ℓ. Using the model of the loop (σ_loop) the algorithm builds a transitive projection of the loop body, producing a new relation π_new that connects the state at step s directly to the state at step s+ℓ. Two safety conditions are enforced for any learned relation: (1) the relation must be realizable by the current model, guaranteeing progress, and (2) the set of possible relations derivable from a given loop must be finite, which prevents infinite learning from a single loop.

The new relation π_new is appended to the list of learned relations, and a corresponding blocking clause is added to the SMT problem. The solver then backtracks to the beginning of the loop (by popping push‑points) and continues unrolling. If at some point the SMT problem becomes UNSAT, this means that no further unrolling is possible with the current set of transitions and learned shortcuts; consequently the effective diameter has been reached and safety is proved.

A technical contribution is the replacement of expensive convex‑hull and polyhedral projection operations (common in integer‑arithmetic recurrence analysis) with a cheaper model‑based projection (cvp) and the transitive projection. While cvp under‑approximates quantifier elimination, the overall approach remains sound because adding extra disjuncts to the transition relation can never introduce spurious counter‑examples. The combination of under‑approximation (cvp) and over‑approximation (standard recurrence) yields concise yet correct summaries.

The authors implemented the method in a tool called LoAT and evaluated it on a benchmark suite of infinite‑state problems, including systems expressed as transition relations, linear constrained Horn clauses, and control‑flow automata. LoAT was compared against state‑of‑the‑art tools such as Z3/Spacer, LAWI, IMC, TP‑A, and PDKIND. The experiments show that LoAT solves many benchmarks that these tools cannot, especially when the initial condition is slightly altered (e.g., adding a redundant equality). This demonstrates that TRL is less sensitive to small changes in the input or to the behavior of the underlying interpolation engine, a known weakness of interpolation‑based verification.

The paper also discusses related work: interpolation‑based model checking, acceleration techniques, and previous uses of recurrence analysis for verification. It highlights that while acceleration (ABMC) can speed up counterexample search, it does not directly help with safety proofs in the presence of branching loops. The blocking‑clause mechanism introduced here is a novel way to guide the solver toward using learned shortcuts, effectively reducing the diameter without explicitly computing it.

In summary, the paper presents a theoretically grounded and practically effective framework for infinite‑state safety verification. By learning transitive relations from concrete loop executions, integrating them into a BMC loop, and carefully managing their reuse with blocking clauses, the method achieves finite‑diameter reasoning without explicit diameter computation. The empirical results validate the approach, showing competitive or superior performance on a range of challenging benchmarks. This work opens new avenues for combining recurrence analysis, model‑based projection, and SMT‑driven model checking in the verification of systems with unbounded state spaces.