Abstract Framework for All-Path Reachability Analysis toward Safety and Liveness Verification (Full Version)
An all-path reachability (APR) predicate over an object set is a pair of a source set and a target set, which are subsets of the object set. APR predicates have been defined for abstract reduction systems (ARSs) and then extended to logically constrained term rewrite systems (LCTRSs) as pairs of constrained terms that represent sets of terms modeling configurations, states, etc. An APR predicate is said to be partially (or demonically) valid w.r.t. a rewrite system if every finite maximal reduction sequence of the system starting from any element in the source set includes an element in the target set. Partial validity of APR predicates w.r.t. ARSs is defined by means of two inference rules, which can be considered a proof system to construct (possibly infinite) derivation trees for partial validity. On the other hand, a proof system for LCTRSs consists of four inference rules, leaving a gap between the inference rules for ARSs and LCTRSs. In this paper, we revisit the framework for APR analysis and adapt it to verification of not only safety but also liveness properties. To this end, we first reformulate an abstract framework for partial validity w.r.t. ARSs so that there is a one-to-one correspondence between the inference rules for partial validity w.r.t. ARSs and LCTRSs. Secondly, we show how to apply APR analysis to safety verification. Thirdly, to apply APR analysis to liveness verification, we introduce a novel stronger validity of APR predicates, called total validity, which requires not only finite but also infinite execution paths to reach target sets. Finally, for a partially valid APR predicate with a cyclic-proof tree, we show a necessary and sufficient condition for the tree to ensure total validity. The condition implies that if there exists a cyclic-proof tree for an APR predicate, the proof graph of which is acyclic, then the APR predicate is totally valid.
💡 Research Summary
The paper presents a unified and extended framework for All‑Path Reachability (APR) analysis, targeting both safety and liveness verification. APR predicates, originally defined for abstract reduction systems (ARSs) as a pair of source and target sets, were later adapted to logically constrained term rewrite systems (LCTRSs) using constrained terms. The authors identify a mismatch between the inference systems used for partial (demonic) validity in ARSs (the two‑rule DVP system) and LCTRSs (the four‑rule DCC system). To bridge this gap, they reformulate the ARS proof system into DVP⁺, a version of DVP that explicitly allows the source‑minus‑target set (P \ Q) and the derivative set ∂ₐ(P) to be split into arbitrary non‑empty subsets. This reformulation yields a one‑to‑one correspondence between the rules of DVP⁺ (which refine DVP's Subsumption and Step) and the four LCTRS rules (Subs, Der, Circ, Axiom). That correspondence simplifies the correctness argument for DCC and lets proof techniques be transferred between the two formalisms.
With this foundation in place, the authors show how APR analysis applies to safety verification. A safety property is violated, if at all, by a finite execution that reaches a bad state, and partial validity quantifies over exactly the finite maximal reduction sequences; partial validity therefore suffices. By constructing proof trees using DVP⁺ (or DCC) from an initial state set P₀ to an error set Q, one can systematically explore all reachable configurations. The process is amenable to automation because the splitting of P \ Q and ∂ₐ(P) can be performed algorithmically, and empty sub‑goals are immediately closed by the Axiom rule.
The core contribution for liveness verification is the introduction of total validity. Unlike partial validity, total validity demands that all maximal execution paths, finite or infinite, starting from the source eventually intersect the target; it therefore implies partial validity. This stronger notion captures liveness requirements such as starvation‑freedom or eventual response. To reason about total validity, the authors use cyclic‑proof trees, which fold potentially infinite proof trees into finite graphs by allowing back‑edges (cycles). Not every cyclic proof guarantees total validity, however: unfolding a cycle of the proof forever may correspond to an infinite reduction that never reaches the target. For a partially valid APR predicate with a cyclic‑proof tree, the paper gives a necessary and sufficient condition for that tree to ensure total validity. A direct consequence is that if an APR predicate has a cyclic‑proof tree whose proof graph is acyclic, the predicate is totally valid. This separates the inductive argument that covers finite paths from the additional argument needed to rule out infinite target‑avoiding paths, and yields a sound method for liveness verification within the APR framework.
The authors illustrate the practical impact of their theory with concrete examples. For race‑free verification, they model a concurrent program as an LCTRS, define the set of error configurations, and show that partial validity of an APR predicate suffices. For starvation‑freedom, they augment the program with a counter that tracks waiting time; states where the counter exceeds a predefined bound are treated as error states. By constructing a cyclic proof whose proof graph is acyclic, they establish total validity, thereby proving that no infinite execution can avoid reaching a “service” state, i.e., the system is starvation‑free.
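The two validity notions above can be checked directly, without a proof system, on a finite ARS by exhaustive search: a counterexample to partial validity is a finite maximal reduction that ends in a normal form outside the target, and a counterexample to total validity is additionally any reachable cycle outside the target (in a finite system every infinite reduction revisits some object). The following is an added example, not code from the paper; it brute‑forces both checks on a constructed waiting‑process model in the spirit of the starvation‑freedom example, where the state names `wait`, `crit`, `done` and the bounded‑waiting variant are illustrative assumptions rather than the paper's own model.

```python
"""Partial vs. total validity of an all-path reachability (APR) predicate.

Added example, not code from the paper: instead of building a DVP+/DCC
proof tree, it decides the two validity notions on a small finite abstract
reduction system (ARS) by exhaustive search.  The models and the names
`wait`, `crit`, `done` are constructed for illustration.
"""

WHITE, GREY, BLACK = 0, 1, 2   # DFS colours: unvisited / on the stack / finished


class ARS:
    """Finite ARS: objects are strings, `steps` is a list of (a, b) meaning a -> b."""

    def __init__(self, steps):
        self.succ = {}
        for a, b in steps:
            self.succ.setdefault(a, [])
            self.succ.setdefault(b, [])
            if b not in self.succ[a]:          # keep insertion order, drop duplicates
                self.succ[a].append(b)

    def is_normal_form(self, x):
        return not self.succ.get(x)


def check_apr(ars, source, target):
    """Decide the APR predicate (source, target) on `ars`.

    A maximal reduction that hits `target` can never be a counterexample, so
    only target-avoiding reductions are explored:
      * a reachable normal form outside `target` is a finite maximal
        reduction avoiding the target   -> partial validity fails;
      * a reachable cycle outside `target` yields an infinite reduction
        avoiding the target             -> total validity fails.
    Returns both verdicts together with witness sequences (a lasso for the
    infinite case: its last object repeats an earlier one).
    """
    target = set(target)
    finite_cex = None
    infinite_cex = None
    colour = {}
    path = []

    def dfs(x):
        nonlocal finite_cex, infinite_cex
        colour[x] = GREY
        path.append(x)
        if ars.is_normal_form(x) and finite_cex is None:
            finite_cex = list(path)
        for y in ars.succ.get(x, []):
            if y in target:
                continue                       # this branch has reached the target
            c = colour.get(y, WHITE)
            if c == GREY and infinite_cex is None:
                infinite_cex = list(path) + [y]   # back edge: target-avoiding cycle
            elif c == WHITE:
                dfs(y)
        path.pop()
        colour[x] = BLACK

    for p in source:
        if p not in target and colour.get(p, WHITE) == WHITE:
            dfs(p)

    partial = finite_cex is None
    return {
        "partial": partial,
        "total": partial and infinite_cex is None,   # total validity implies partial
        "finite_counterexample": finite_cex,
        "infinite_counterexample": infinite_cex,
    }


def waiting_process(bound=None, abort=False):
    """Constructed model (assumption) of a process waiting for a critical section.

      wait -> crit   the scheduler serves it
      wait -> wait   the scheduler bypasses it (possibly forever)
      crit -> done   it leaves; `done` is a normal form
    With `bound` = N the bypasses are counted in the state and the scheduler
    must serve the process after N of them (a fairness assumption encoded in
    the system).  With `abort` the process may give up (`wait -> done`).
    """
    if bound is None:
        steps = [("wait", "crit"), ("wait", "wait"), ("crit", "done")]
        if abort:
            steps.append(("wait", "done"))
        return ARS(steps)
    steps = [("crit", "done")]
    for k in range(bound + 1):
        steps.append((f"wait{k}", "crit"))
        if k < bound:
            steps.append((f"wait{k}", f"wait{k + 1}"))
    return ARS(steps)


if __name__ == "__main__":
    print("unfair   ", check_apr(waiting_process(), {"wait"}, {"crit"}))
    print("bounded  ", check_apr(waiting_process(bound=3), {"wait0"}, {"crit"}))
    print("may abort", check_apr(waiting_process(abort=True), {"wait"}, {"crit"}))
```

The unfair model is partially valid (every finite maximal reduction passes through `crit`) but not totally valid, the witness being the lasso `wait, wait`; this is exactly the gap between safety‑style and liveness‑style reasoning that total validity closes. Counting bypasses in the state, as the paper's starvation‑freedom encoding does with a waiting counter, removes the target‑avoiding cycle and makes the predicate totally valid. Allowing the process to abort breaks even partial validity, with `wait, done` as the finite counterexample.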
In summary, the paper makes three major contributions: (1) a reformulated APR proof system (DVP⁺) that aligns ARS and LCTRS inference rules, (2) the definition of total validity to capture liveness properties, and (3) a precise graph‑acyclicity condition for cyclic proofs that guarantees total validity. These results extend APR‑based verification from purely safety‑oriented analyses to a unified framework capable of handling both safety and liveness, offering a robust theoretical foundation and practical techniques for the verification of concurrent and nondeterministic systems.