Regular Abstractions for Array Systems

Verifying safety and liveness over array systems is a highly challenging problem. Array systems naturally capture parameterized systems such as distributed protocols with an unbounded number of processes. Such distributed protocols often exploit process IDs during their computation, resulting in array systems whose element values range over an infinite domain. In this paper, we develop a novel framework for proving safety and liveness over array systems. The crux of the framework is to overapproximate an array system as a string rewriting system (i.e. over a finite alphabet) by means of a new predicate abstraction that exploits the so-called indexed predicates. This allows us to tap into powerful verification methods for string rewriting systems that have been heavily developed in the last few decades (e.g. regular model checking). We demonstrate how our method yields simple, automatically verifiable proofs of safety and liveness properties for challenging examples, including Dijkstra's self-stabilizing protocol and the Chang-Roberts leader election protocol.


INTRODUCTION
Over the past few decades, extensive research efforts (e.g.[Cimatti et al. 2021;Felli et al. 2021;Gurfinkel et al. 2016;Ma et al. 2019;Mann et al. 2022]) have been devoted to the verification of array systems.Array systems are natural models of sequential programs manipulating linear data structures such as arrays and lists.In addition, they have also been used as convenient abstractions of parameterized concurrent systems with local and shared variables (cf.[Alberti et al. 2017;Bloem et al. 2015]).Specifically, many distributed protocols require each process to maintain a numerical local variable as its process identifier, rendering these protocols suitable to be modeled as array systems.
Despite the amount of work on array systems verification, the problem remains highly challenging.Difficulty arises from the following two aspects, among others: (1) array elements range over an infinite domain (e.g. the set of integers), and (2) many properties of interest require quantification over the array elements.For instance, the property "array is sorted in ascending order" is expressed by a universally quantified formula stating that each element in the array is no smaller than its preceding elements.For this reason, in order to verify the correctness of an array system, it is often necessary to reason about quantified formulae, which is generally undecidable over arrays (cf.[Bradley and Manna 1998;Kroening and Strichman 2016]).
Contributions.This paper presents a new method for reasoning about array systems.We demonstrate its efficacy for verifying safety and liveness of challenging examples from array programs and distributed protocols, including Dijkstra's self-stabilizing protocol and the Chang-Roberts leader election protocol.The method has two main ingredients.Firstly, we provide a new predicate abstraction (using indexed predicates) that overapproximates an array system as a string rewriting system.String rewriting systems can be construed as array systems, whose array elements range over a finite domain (a.k.a.alphabet).The second ingredient answers why we use string rewriting systems as abstractions: this subclass of array systems has been more amenable to solutions than the general case of arrays.In fact, several powerful verification methods over string rewriting systems (for both safety and liveness, among others) have been developed in the last decade or so, which include methods in the framework regular model checking [Abdulla 2012; Bouajjani et al. 2004Bouajjani et al. , 2000;;Lin and Rümmer 2022].This framework relies on the decidable first-order theory over words with prefix-of-relation, regular constraints, and the equal-length predicate (a.k.a. the universal automatic structure [Benedikt et al. 2003;Blumensath and Gradel 2000]).The theory of universal automatic structure can be construed as a kind of array theory, whose elements range over a finite domain (e.g.bitvectors).In stark contrast to decidable array theories like [Bradley et al. 2006;Habermehl et al. 2008], however, the theory has no restrictions on the use of quantifiers, but restricts the manner in which the indices are related.The set of solutions definable by such formulae are precisely those that are captured by synchronized automata running on tuples of words (a.k.a.regular relations).
We now provide some details of our method.We use a variant of First-Order Linear Temporal Logic (FO-LTL) [Abadi 1989;Hodkinson et al. 2000] restricted to a quantified array theory, in order to specify both an array system and properties to be verified.This formalism may also be regarded as a variant of indexed LTL [Clarke et al. 1986;German and Sistla 1992] with atomic propositions replaced by expressions from the array theory.Our predicate abstraction reduces this FO-LTL model checking problem over array systems to a verification problem over string rewriting systems that can be modeled in the framework of regular model checking.We discuss next our notion of predicate abstraction by means of indexed predicates.Indexed predicates have been used in previous work (e.g. in [Flanagan and Qadeer 2002] for invariant generation and in [Lahiri and Bryant 2007] for abstracting into a finite system), but never in the context of computing another infinitestate system that is more amenable to analysis.To this end, the right logic instantiating the indexed Table 1.Comparison between our approach and the classical methods.The first column is the se ing of the classical (indexed) predicate abstraction (e.g.[Flanagan and Qadeer 2002;Jhala et al. 2018;Lahiri and Bryant 2007]).The second column provides our se ing of indexed predicate abstraction (Section 4.2).The last column is our approximation of indexed predicate abstraction using regular languages (Section 4.4), which we refer to as regular abstraction.
Let us identify each variable with an array1 value [ ], and define a formula Priv( indicating that Process is privileged.One interesting property of Dijkstra's algorithm is that Process 1 will be privileged infinitely often, regardless of what the initial state is and how the privileged processes are scheduled.To prove this, we may use an index variable to represent the scheduled process, namely, = 1 means that Process 1 is scheduled.Then the property "Process 1 is privileged infinitely often" can be expressed in LTL as GF Priv(1).We would like to prove that this property holds for Dijkstra's algorithm under the scheduling assumption G Priv( ), namely, under the assumption that the scheduler always selects a privileged process.
In this manner, we can reduce verification problems of an array manipulating system to those of a string manipulating system, for which effective techniques and highly optimized tools exist (e.g.[Abdulla et al. 2012;Chen et al. 2017;Fiedor et al. 2017;Klarlund and Møller 2001;Klarlund et al. 2002;Lin and Rümmer 2016;Schuppan and Biere 2006]).Unfortunately, the approximations and given above are too rough to verify the desired property, in the sense that they will produce spurious counterexample paths after the reduction.We shall later show that an appropriate choice of predicates and approximations will allow us to verify this property.

PRELIMINARIES
Notation.We adopt the standard notation of many-sorted logic (see e.g.[van Dalen 1994]), and consistently use V to denote a set of sorted first-order variables.We use Σ(V) to denote the set of sort-consistent interpretations of V.
We write ′ for the primed version of variable , and define Given a formula , we use [ / ] to denote the formula obtained by substituting for all free occurrences of in .Finally, for defined over variables V, we let := { ∈ Σ(V) : | = }, and write ≡ when = .
Indexed array logic.An array theory typically combines two one-sorted theories: an index theory, which is used to express relations between indices, and an element theory, which is used to express properties of the array entries.The indexed array logic is a fragment of quantified array theory that (i) uses Difference Arithmetic as the index theory, and (ii) allows quantification only over index variables.To make our expositions concrete, we shall focus on an instantiation of indexed array logic that uses Difference Arithmetic as the element theory.(However, we note that our abstraction techniques can be directly applied to any indexed array logic with a decidable quantifier-free fragment, which allows for a rich set of element theories such as Linear Integer Arithmetic (cf.[Kroening and Strichman 2016]).)Throughout this paper, we shall fix an indexed array logic T with syntax given by :: where ⊲⊳ ∈ {=, ≠, ≤, <, ≥, >}, is a concrete integer, is a data variable, is an index variable, is an array variable, | | represents the array length of , and [ ] represents the array element of stored at position .A formula in form of ⊲⊳ or ⊲⊳ is called an atomic formula, or an atom for short.We extend the logic with logical connectives such as ⇒ (implies) and ⇔ (if and only if) in the usual way.An interpretation of a formula in the indexed array logic is intuitive: maps each integer/index variable to an integer, and each array variable to a function : Z → Z.The notion of satisfaction of a formula with respect to this interpretation is now standard.Although arrays are infinite, it is easy to confine an array to a finite array by focusing on the index range {1, . . ., | |}.
For example, a formula ∀ .( , ) can simply be rewritten to First-order array system.A first-order array system := (V, , ) is a triple where V is a finite set of first-order variables, and and are array formulae over variables V and V ⊎ V ′ , respectively.The variables in V are grouped into state variables and system parameters.A state variable has either an index sort, an element sort, or an array sort.A system parameter is a special index variable whose value is determined in an initial state and immutable during system execution.For each array variable ∈ V, we identify a system parameter in V with the array size | |.This effectively stipulates that the array size is not changeable after the array is allocated.
The semantics of an array system is determined by the array logic T and interpretations for V.A state of an array system := (V, , ) is a sort-consistent interpretation ∈ Σ(V) for the variables in V.The formula specifies the set of initial states.The formula specifies the system's evolution by relating the current variables V to their updated counterparts V ′ .A (finite or infinite) sequence : for ∈ {1, . . ., }.Since system parameters are immutable, is a legitimate path only if −1 ( ) = ( ) for all system parameters ∈ V and each ∈ {1, . . ., }.
A guarded modeling language.We describe a simple guarded command language for specifying transitions of array systems.While this language is less expressive than the full-fledged array logic, it is more concise and understandable, and is already expressive enough to capture all examples considered in this paper.A guarded command is in form of guard ⊲ update.A command is enabled if its guard is satisfied.At each time step, the system nondeterministically selects an enabled command and updates the current state accordingly.If no command is enabled, the system halts.More precisely, a guarded command is in form of ⊲ 1 , . . ., , where is a (possibly quantified) array formula, and each is an assignment in one of the two forms: -:= or := * , where is an index variable, is an index term, and * is a special symbol; -[ ] := or [ ] := * , where is an index term, is a data term, and * is a special symbol.The assignments 1 , . . ., are executed in parallel.The symbol " * " stands for a nondeterministic value, which ranges over the index domain when the left-hand side is , and ranges over the data domain when the left-hand side is [ ].For simplicity, assignments to data variables are not directly supported by our modeling language.This however is not an essential restriction, since data variables can be formally translated to array elements stored at dedicated positions, thereby allowing assignments as array elements.
Example 3.1.The transitions of Dijkstra's algorithm in the illustrative example may be given as The array system := (V, , ) of Dijkstra's algorithm is specified by where is an index variable, is an array variable, , are system parameters, and | | is identified with .The transition formula is defined by three formulae 1 , 2 , and 3 , which are in turn derived from the three guarded commands listed above.For example, 1 can be formally derived from the first command as

REGULAR LANGUAGES AS ABSTRACTIONS
In this section, we define a novel predicate abstraction of array formulae and array systems using indexed predicates.Since each array will be mapped to a word (over a finite alphabet) in the abstraction, we shall use regular languages to represent sets of words, and use regular relations to represent relations over words.We start by recalling a logical framework of regular relations.( ), respectively.Given two words 1 ∈ Σ * 1 and 2 ∈ Σ * 2 , we define the convolution 1 ⊙ 2 of 1 and 2 as the word where :: denotes the concatenation of the bitvectors and .Intuitively, 1 ⊙ 2 is obtained by juxtaposing 1 and 2 (in a left-aligned manner), and padding the shorter word with enough 2 We note that this structure is equally expressive in first-order logic to the so-called universal automatic structures [Benedikt et al. 2003;Blumensath and Grädel 2004;Colcombet and Löding 2007].
0s.For example, for two words 01, 0001 over Σ 1 , 01 ⊙ 0001 is the word (0, 0) (1, 0) (0, 0) (0, 1) over Σ 2 .We lift ⊙ to languages by defining 1 ⊙ We say that a relation is regular if its language representation is regular under unary encoding.Formally, suppose w.l.o.g. that ⊆ N × (Σ * ) .We define the language representation of as L ( ) The following result states that a relation is regular if and only if it is first-order definable in , see e.g., [Benedikt et al. 2003;Blumensath and Grädel 2004;Colcombet and Löding 2007].P 4.1.Given a first-order formula defined over , we can compute a finite automaton recognizing L ( ).Conversely, given a finite automaton recognizing ⊆ 1 * and ⊆ Σ * for each , we can compute a first-order formula over such that L = L ( ).

Abstraction of Array Formulae
We use indexed predicates to express constraints on arrays.Definition 4.2 (Indexed predicate).An indexed predicate is an atom (in the indexed array logic) containing a designated index variable i.A set of indexed predicates P := 1 , . . ., is said to be defined over variables V if each predicate ∈ P is defined over variables V ⊎ {i}.
For convenience, we shall fix a set of variables V and a set of indexed predicates P := 1 , . . ., over variables V throughout the rest of this section.For each bitvector := 1 • • • ∈ Σ comprising bits, we define a quantifier-free array formula P over variables V ⊎ {i} as follows: Formula P effectively regards each bit of the bitvector as the truth value of predicate at the parametric position i.We furthermore use a word over bitvectors to encode the truth values of the predicates ranging over an interval of positions: for each word ∈ Σ * , we define an array formula For example, if Fix an array system := (V, , ).Let V denote the set of parameters and index variables in V, and V denote the set of parameters in V. Let := |V | and := |P |.We shall identify an interpretation ∈ Σ(V ) with an -tuple ( ( 1 ), . . ., ( )) ∈ N where denotes the th variable in V .We define the concrete domain of the system as Σ(V), and the abstract domain as N × Σ * .Each abstract state ( , ) ∈ N × Σ * comprises a tuple ∈ N representing an interpretation of V , and a word ∈ Σ * encoding the valuations of P at positions 1, . . ., | |.
Given a set ⊆ Σ(V) of concrete states, we define P ( ) Here, denotes the interpretation obtained by restricting to V .Given a set ⊆ N × Σ * of abstract states, we define Notice that P ( ) and P ( ) are computable when and are finite.To simplify the notation, we may omit the superscript P from P and P when it is clear from the context.Also, for a single state , we shall write ( ) and ( ) instead of ({ }) and ({ }) when there is no danger of ambiguity.Finally, for a formula , we shall write ( ) and ( ) instead of ( ) and ( ).
Example 4.3.Recall the illustrative example in Section 2. With indexed predicates P := we can define and as For instance, given a concrete state : ) and ( ∈ ) ⊆ ∈ ( ).
By the definition of , contains all abstract states ( , ) such that ∈ and | = Φ P .However, this implies that for any ∈ , if | = Φ P holds, then ( , ) ∈ also holds.It follows that ∈ ( ) by the definition of .
The following result is a consequence of Lemma 4.4, Lemma 4.5, and Proposition 7 of [Cousot and Cousot 1977].We provide a proof here for the sake of completeness.P 4.6.For any concrete state set and abstract state set , it holds that ( ) ⊆ ⇐⇒ ⊆ ( ).

Abstract Safety and Liveness Analysis
For an array system := (V, , ), applying predicate abstraction for safety and liveness verification involves performing reachability analysis for the abstract system of .In each step of the analysis, we concretize the current set of reachable abstract states via the concretization operation , apply the concrete next-step function in the concrete state space, and map the result back to the abstract state space via the abstraction operation .We can view this process as performing state exploration in an abstract transition system with a set ( ) of initial states and an abstract next-step function Proc.ACM Program.Lang., Vol. 8, No. POPL, Article 22. Publication date: January 2024.
Proposition 4.6, together with the fact that , , and are monotonic, establishes the soundness of abstract reachability analysis using (cf.[Cousot and Cousot 1977]).For example, let Π( , ) denote the set of paths starting from states in through transition relation , and let ( ) denote the set of states in path .Given a set of initial states and a set of bad states, one can show (e.g. by induction on the length of a counterexample path) that the safety property holds in the concrete domain if ∀ ∈ Π( ( ), ).( ) ∩ ( ) = ∅ holds in the abstract domain.Similarly, given a set of final states, the liveness property holds in the concrete domain if ∀ ∈ Π( ( ), ).( ) ∩ ( c ) c ≠ ∅ holds in the abstract domain,where c denotes the complement of the concrete (resp.abstract) state set with respect to the concrete (resp.abstract) state space.These facts allow us to reduce the verification of concrete safety/liveness properties to that of their counterparts in the abstract domain.

Approximation with Regular Languages
Since indexed array logic is undecidable, the abstraction ( ) of an indexed array formula is generally not computable.Therefore, we propose to overapproximate these formulae in the abstract domain using regular languages.As before, fix a set V of variables and a set P of indexed predicates over V, and let := |V | and := |P |.Then V and P induce an abstract domain N × Σ * .Recall that we regard a relation as regular when 's language representation L ( ) is regular.
Definition 4.7 (Regular abstraction for state formulae).Let be an indexed array formula over variables V. Then a tuple ( , P) is a regular abstraction of if ⊆ N × Σ * is a regular relation such that P ( ) ⊆ .
Definition 4.8 (Regular abstraction for transition formulae).Let be an indexed array formula over variables V ⊎V ′ .Then a tuple ( , P) is a regular abstraction of if ⊆ (N ×Σ * ) × (N ×Σ * ) is a regular relation such that P * P ′ ( ) ⊆ ( ), where is an isomorphic mapping defined by A regular abstraction ( , P) of a transition formula induces a next-step function , defined by ( ) := { : there exists ∈ such that ( , ) ∈ }, over the abstract state sets.It can be shown that provides an abstract interpretation [Cousot and Cousot 1977] of the concrete array system.T 4.9.Let := (V, , ) be an array system and P be a set of indexed predicates over V.If ( , P) is a regular abstraction of , then provides an abstract interpretation of .

P .
To show that is an abstract interpretation, we need to check that (1) is monotonic; (2) is null-preserving, namely, (∅) = ∅; (3) simulates w.r.t. a simulation relation defined by , namely, ( ( )) ⊆ ( ( )).The first two conditions directly follow from the definition of regular abstraction, so it suffices to check the last condition.Suppose first that = ∅.

Since
(∅) = (∅) = (∅) = ∅, the condition holds trivially.Now suppose that ≠ ∅ and consider an arbitrary state ∈ .Observe that where the inclusion in the third line follows from the definition of regular abstraction and the stipulation that parameters are immutable.Note that , , and are all distributive over union.
Since is arbitrary in , we have Finally, a regular abstraction can be computed by composing smaller regular abstractions.This fact is an immediate consequence of Lemma 4.4.P 4.10.Let 1 , . . ., be indexed array formulae, and ( , P) be a regular abstraction of for ∈ {1, . . ., }.Then ( =1 , P) is a regular abstraction of =1 , and ( =1 , P) is a regular abstraction of =1 .

COMPUTATION OF REGULAR ABSTRACTIONS
We have proposed to overapproximate indexed predicate abstractions with regular abstractions.However, it remains unclear how to find such approximations that are sufficiently precise for a verification task.In this section, we address this issue by providing an automated procedure to compute regular abstractions for a fragment of array logic called singly indexed array formulae.In a nutshell, give such a formula := 1 • • • . , we compute an overapproximation of by replacing the matrix of with a quantifier-free formula ˜ such that ⇒ ˜ is valid.We shall choose ˜ in such a way that the resulting formula 1 • • • . ˜ , called an abstraction formula, can be faithfully encoded as a first-order formula over an automatic structure.This encoding is equally expressive to regular languages, and can be conveniently manipulated using tools such as Mona [Klarlund and Møller 2001;Klarlund et al. 2002] and Gaston [Fiedor et al. 2017] for abstract analysis.

Singly Indexed Array Formulae
An atomic indexed array formula is a data expression if it contains an array variable; otherwise it is an index expression.A singly indexed array (SIA) formula is an indexed array formula in which every data expression contains at most one quantified index variable.The satisfiability problem of SIA formulae is already undecidable when the element theory is instantiated to Difference Arithmetic [Habermehl et al. 2008, Lemma 5].Note that an SIA formula can be syntactically rewritten to a logically equivalent SIA formula where every data expression has exactly one quantified index variable -hence the name "singly indexed".For example, a data expression [1] ≠ [ ] in an SIA formula can be replaced with ∃ .= 1 ∧ [ ] ≠ [ ] to obtain an equivalent SIA formula.We shall assume an SIA formula to have this form when we are computing a regular abstraction for the formula.

A Constraint-Based Abstraction Procedure
We need a couple more definitions before we introduce our abstraction method.As before, fix a set V of variables and a set P := 1 , . . ., of indexed predicates over V.A formula over V is expressible in P if each atom of the formula is either an index expression or an expression ).Note that P ( ) is defined over structure and variables V ⊎ { }.Specifically, the free variables of P ( ) comprise the index variables and parameters of , as well as a fresh word variable over domain Σ * .We may simply write P ( ) as ( ) when P is clear from the context.Now we are ready to describe our abstraction method.Consider a singly indexed formula over V. Suppose w.l.o.g. that the matrix of is given in disjunctive normal form ( ∧ ℎ ), where each is a conjunction of index expressions, and each ℎ is a conjunction of data expressions.Our procedure computes a regular abstraction for in two steps: Step 1: Replace each ℎ in with a formula cstr(ℎ ), where cstr( ) denotes the conjunction of disjunctive clauses defined by and ( , P) := { [ /i], ¬ [ /i] : ∈ P, and is an index term of or P}.Intuitively, cstr( ) attempts to express in P the necessary conditions for a concrete state to satisfy .Note that ( , P) is finite, and hence cstr( ) is computable by our assumption on T .
Step 2: Let * denote the formula obtained by replacing each ℎ with cstr(ℎ ).This formula * , which we shall refer to as the abstraction formula of , is expressible in P. We then define P = P ( , ) := P ( * ), and use ( P , P) as a regular abstraction for .
Note that when computing cstr( ), we can exclude a clause if P ( ) is valid in (e.g. when { , ¬ } ⊆ for some atom ), since such a clause imposes no restrictions on the abstract states.Furthermore, it suffices to consider the minimal clauses satisfying ⇒ .Thus, we can reduce the computation of cstr( ) to enumerating the minimal unsatisfiable cores (MUCs) of ∧ ( , P), as negating such a core essentially leads to a minimal feasible clause of cstr( ).There are rich tool supports for MUC enumeration in the literature, see e.g.[Bendík and Černá 2020;Bendík et al. 2018;Liffiton et al. 2016].In practice, it is often possible to compute cstr( ) incrementally and obtain a precise enough abstraction without including all MUCs in the abstraction formula.We shall discuss these optimizations in Section 8.
Example 5.1.As an illustration, let us use our abstraction method to prove that there always exists at least one privileged process in Dijkstra's self-stabilizing algorithm (cf.Example 3.1).Consider the singly indexed array formula which expresses that no process is privileged in a system containing ≥ 2 processes.We shall compute a regular abstraction of using indexed predicates P := which comprises the atomic formulae of .The first step computes the abstraction formula * as

The nontrivial minimal feasible clauses for cstr(
From these clauses, we then compute a regular abstraction of as P = P ( , We can effectively check that P is unsatisfiable in 2 by Proposition 4.1.Since regular abstractions are overapproximations, this implies that is unsatisfiable in T .In this way, with the provided indexed predicates, our tool can prove that is unsat in a second, while solvers like Z3 and cvc5 fail to handle the formula (i.e. both of them output "unknown" for checking satisfiability of .) Transition formulae.Given a singly indexed transition formula over variables V ⊎ V ′ , we can compute a regular abstraction for by first extending the predicates P to P ⊎ P ′ , where P ′ is obtained from P by replacing each ∈ V with ′ .We then compute an abstract transition formula P (( , ), ( ′ , ′ )) analogously to how we compute an abstract state formula P ( , ).However, if we only consider transition formulae induced by our guarded command language, we can compute an abstract transition formula directly from a command as follows.Define copy_except( ) := ∈ V\{ } ( ′ = ).Consider w.l.o.g. a guarded command ⊲ , where is in form of either := or [ ] := .For := , the corresponding transition formula is For [ ] := , the corresponding formula is where { ← } is a notation from the theory of extensional arrays [McCarthy 1993], denoting the array obtained by assigning to [ ]. (We may set to a fresh variable when is the nondeterministic symbol " * ".)Note that the abstraction formulae of ( 9) and (10) are computable.Indeed, for an array formula and a clause , the validity check of ( ∧ ′ = { ← }) ⇒ can be compiled into a decidable array theory supported by most SMT solvers (cf.[Kroening and Strichman 2016]).

Correctness of the Abstraction Procedure
Let := 1 • • • .be a singly indexed array formula, where is quantifier-free.Recall that, to compute a regular abstraction of , our procedure first computes an abstraction formula * = 1 • • • .˜ by replacing with a quantifier-free formula ˜ such that (1) ˜ is in negation normal form (NNF), (2) ˜ is expressible in P, and (3) ⇒ ˜ holds in T .Our procedure then outputs the formula P = ( * ), where (•) replaces each atom [ /i] (resp.¬ [ /i]) in the formula with ⇒ Δ ( , ) (resp.⇒ ¬Δ ( , )), using to encode the boundary check of [ /i].Now we show that this procedure is sound, that is, ( P , P) is indeed a regular abstraction of .L 5.2.Let P be a set of indexed predicates, and be a singly indexed array formula that is expressible in P. If is satisfiable, then (NNF( )) is also satisfiable, where NNF( ) denotes the negation normal form of .

P
. ).The statement therefore holds for formulae of all ranks by induction.

T 5.3 (C
).Let P be a set of indexed predicates, and be a singly indexed array formula.Then P is regular and ( ) ⊆ P .Namely, P yields a regular abstraction of .

A Closure Property
Consider a finite set Φ of singly indexed array formulae.Note that we can always select a set of indexed predicates that expresses all formulae in Φ.In such cases, if Φ is closed under Boolean operations, then the abstractions our procedure computes for Φ are also closed under Boolean operations, as is indicated by the following proposition.P 5.4.For indexed predicates P and singly indexed array formulae and , it holds that ( ∨ ) P ≡ P ∨ P .Furthermore, we have ( ∧ ) P ≡ P ∧ P and (¬ ) P ≡ ¬ P ∧ true P3 when and are expressible in P.
Finally, note that (¬ ) P ∧ P ≡ (¬ ∧ ) P ≡ false P ≡ false, and (¬ ) P ∨ P ≡ (¬ ∨ ) P ≡ true P .This allows us to deduce that (¬ ) P ≡ ¬ P ∧ true P .Proposition 5.4 makes it possible to compute precise regular abstractions of complex formulae by composing abstractions of simple formulae.For example, we may compute the regular abstraction of (10) as P = P ∧ (copy_except( ) ∧ ′ = { ← }) P .The two regular abstractions on the right-hand side can then be reused for computing abstractions of other formulae.Even if is not expressible in P, we can still compute P using composition since regular abstractions are closed under conjunction (Proposition 4.10), but at the price of potentially losing precision.
We conclude this section with the following observation.P 5.5.Let P be a set of indexed predicates, and be a singly indexed array formula that is expressible in P. Then it holds that ( P ) = ( ( )).

VERIFICATION OF TEMPORAL ARRAY PROPERTIES
In this section, we discuss how to verify linear-time array system properties by combining our abstraction techniques with regular model checking.We shall first introduce the notion of temporal array properties and abstractable specifications.We then present two verification methods for typical safety and liveness array properties.Finally, we describe a generic technique to verify a syntactic fragment of array properties called the index-bounded monodic properties.

Temporal Array Property
To express the temporal properties of an array system, we provide a specification language combining the indexed array logic with LTL.This can be seen as a restriction of FO-LTL [Abadi 1989;Hodkinson et al. 2000] to the indexed array logic.For ease of exposition, we shall only consider the "globally" and "eventually" connectives in the sequel.Our approach however can be extended to handle other standard connectives such as "next" and "until" in a straightforward manner.
A temporal array property is a formula constrained by where is an indexed array formula, is an index variable, and G and F are the standard "globally" and "eventually" temporal connectives, respectively, in LTL.As usual, we extend the logic with logical operators such as ⇒ (implies) and ⇔ (if and only if).The semantics of a temporal array property is standard (see e.g.[Hodkinson et al. 2000]).Intuitively, temporal connectives offer means of relating two states at different time points in a path, whereas the first-order quantifiers allow one to relate different array positions.For example, both ) assert that the array has only 0 as elements throughout the path.We say that a temporal array property holds for an array system if the system does not have a path that satisfies ¬ .

Abstraction of Array System Specifications
Definition 6.1 (Abstractable specification).An array formula is abstractable if it is of form ∃ .for some (possibly quantified) SIA formula .An array system is abstractable if it is specified with abstractable array formulae.A temporal array property is abstractable if it is constrained by for (possibly quantified) SIA formulae .
Abstractable formulae slightly generalize SIA formulae by allowing multiple existentially indexed/quantified variables.In fact, a formula is abstractable if and only if it can be transformed into an SIA formula using Skolemization.Thus, an abstractable first-order array system can be formally transformed into a set of SIA formulae.More precisely, suppose that := ∃ . is an abstractable array formula over variables V. Define an SIA formula ★ := [ / ] over variables V ⊎ { }, where are fresh system parameters.We can then add the new parameters to the vocabulary of and substitute ★ for in the specification.Clearly, a temporal array property holds for if and only if the property holds for the Skolemized version of .
An abstractable temporal array property can furthermore be converted to an equisatisfiable temporal array property wherein all maximal non-temporal subformulae are singly indexed.The conversion is essentially the same as Skolemization, except that here we replace an indexed variable quantified inside a G operator with a fresh index variable, and replace an indexed variable that is only quantified inside an F operator with a fresh system parameter.The maximal non-temporal subformulae of the obtained temporal array property are all singly indexed, meaning that their semantics can be overapproximated by regular abstractions.In other words, an abstractable temporal array property can be abstracted to a propositional temporal formula with atoms being regular languages.This fact makes it possible to leverage existing verification techniques in regular model checking to perform abstract analysis for abstractable specifications and properties.
T 6.2.Let be an array system, and be a safety array property.Suppose that and ¬ are abstractable.Given a set of indexed predicates, we can effectively compute finite automata I, T , and B such that holds for if the safety property (I, T , B) holds.

Liveness Verification
A liveness array property is a temporal array property in form of ∀ .( 1 ⇒ F 2 ).(We pick this "eventuality" property for simplicity and sufficiency for our benchmarks, although our technique can easily be adapted to other liveness properties such as recurrence).Fix a liveness array property and an array transition system := (V, , ).Suppose that both and ¬ ≡ ∃ .( 1 ∧ G ¬ 2 ) are abstractable.Define ★ 1 := 1 [ / ] and ★ 2 := 2 [ / ] with fresh system parameters , and an array transition system ★ := (V ★ , ★ , , ), where V ★ := V ⊎ { }, ★ := ∧ ★ 1 , and := ★ 2 .It is clear that ★ is abstractable.Given a set P of indexed predicates over V ★ , we compute regular abstractions ( , P), ( , P), and ( , P) for ★ , , and ¬ , respectively.Now, following the reduction described in Section 4.3, we let := Σ * \ and define a regular liveness property ( , , ) that holds if and only if ( ) ∩ ≠ ∅ for every path ∈ Π( , ).It is not hard to see that the abstract transition system Σ * , , preserves infinite counterexample paths from .That is, if there exists an infinite concrete path 0 1 • • • such that 0 | = ★ and | = for all ≥ 0, then there exists an infinite abstract path 0 1 • • • such that 0 ∈ and ∉ for all ≥ 0. We say that a transition system is ¬ -progressing if every maximal system path satisfying ¬ is an infinite path.Observe that when is ¬ -progressing, ( , , ) holds only if satisfies the liveness array property .We hence have the following result.T 6.3.Let be an array system, and be a liveness array property.Suppose that and ¬ are abstractable, and that is ¬ -progressing.Then given a set of indexed predicates, we can effectively compute finite automata I, T , and F such that holds for if the liveness property (I, T , F ) holds.
Progress verification.Theorem 6.2 and 6.3 exploit the same technique that overapproximates the target array property with a counterpart property of the abstract system.Generally, this technique works for any temporal array property with an abstractable negated formula, as long as a false property remains false after new transitions are introduced to the system.For a safety property, this requirement is met automatically since extensions of a counterexample path are still counterexample paths.For a liveness array property , this requires the array system to be ¬ -progressing, i.e., the system does not have a finite maximal counterexample path.
We may formulate and verify the progress condition as a safety array property as follows.Given an array system := (V, , ) and a liveness array property := ∀ .( 1 ⇒ F 2 ), we aim to check if is ¬ -progressing.As before, define ★ 1 := 1 [ / ] and ★ 2 := 2 [ / ] with fresh system parameters .We then specify an array system * := (V ★ , ★ , ★ ) with V ★ := V ⊎ { }, ★ := ∧ ★ 1 , and ★ := ∧ ¬ ★ 2 .It is easy to see that the system * is safe w.r.t. the safety array property * := ∀ .G ∃ ′ .★ if and only if is ¬ -progressing.When the transition formula is specified with guarded commands, say with commands ( 1 ⊲ 1 ), . . ., ( ⊲ ), the safety property * can be written as . Notably, when both and ¬ are abstractable (which is precisely the assumption of Theorem 6.3), the induced system * and safety property * are also abstractable.Consequently, the progress condition of with respect to ¬ can be checked formally using the safety verification method stated in Theorem 6.2.

Liveness Verification under Fairness Requirements
We briefly discuss how to perform liveness verification of a subclass of array systems in the presence of fairness requirements.Such requirements are essential for specifying reactive and concurrent process systems (cf.[Demri et al. 2016;Manna and Pnueli 2012]).Definition 6.4 (Index-bounded array system).An array system (V, , ) is index-bounded if for each index variable ∈ V, there exist two parameters , ℎ ∈ V such that ( ) ≤ ( ) ≤ (ℎ ) holds in any reachable state of the system.In other words, the valuation of is bounded between and ℎ during system executions.
Intuitively, index-boundedness requires the range of index variables to be finite at runtime, while leaving the range of array elements unrestricted.This assumption is reasonable since in practice, index variables are mostly used to access elements of a finite array.Index-boundedness can be specified formally in the array system specification, or checked against a given array system by formulating the assumption as a safety array property.temporal property holds for the original system if and only if the product system has no fair path.
To apply the aforementioned reduction in our abstraction framework, however, the temporal property needs to meet some technical conditions.We say that is monodic [Hodkinson et al. 2000] if every temporal subformula of contains at most one free variable outside V.For instance, when et al. 2016, 2012;Cimatti et al. 2022;Emerson and Namjoshi 2003] if there exists an index variable ℎ ∈ V such that each quantified variable of is bounded above by ℎ.This index-boundedness restriction may be imposed syntactically, for example, by replacing each subformula ∃ . of with ∃ .≤ ℎ ∧ , and each subformula ∀ .with ∀ .≤ ℎ ⇒ .For a monodic formula over V, we write ( ) to indicate that is the only free variable of outside V, if there is any.In the case that has no such free variable, we just set to be an arbitrary index variable outside V.We use FO[ ] to denote a first-order representation of , defined inductively as follows with ∈ {∃, ∀}: Now, consider an index-bounded monodic property and an array system := (V, , ).Define a fair transition system := (V ¬ , , ) with fairness requirement , where The fair transition system is constructed as the product of the original system and a monitor of ¬ over the extended variables V ¬ .Given a subformula G of ¬ , the monitor updates the array along a path of in accordance with whether or not G is satisfied by the current path.More concretely, consider a path of and some ∈ N. If | = G ( ), then the monitor maintains the array value [ ] along the path to make sure ( ) is satisfied at every state of the path.Otherwise, if | = G ( ), then the monitor maintains the array value [ ] along the path to make sure ( ) is falsified at some state of the path.In the second case, the fairness condition guarantees that the event of ( ) being falsified will not be postponed forever.
For a fair path of , the projection of the path to the original variables V yields a path of the original system satisfying ¬ .Conversely, a path satisfying ¬ in the original system can be lifted to the extended variables V ¬ to obtain a fair path of .As a consequence, one can verify the temporal array property for by checking fair termination of .  . 2012; P . 2021]).Let be an index-bounded monodic array property, be an array system, and be the fair transition system induced by and .Then holds for if and only if has no fair path.
Furthermore, when is ¬ -progressing and the fair transition system is abstractable, termination analysis of is amenable to our liveness-to-safety reduction techniques in Section 6.5.This fact, in tandem with Theorem 6.6, leads to the following result: T 6.8.Let be an index-bounded monodic array property, and be a ¬ -progressing index-bounded array system.If the fair transition system is abstractable, then we can compute finite automata I and T as well as a fairness requirement Λ, such that holds for if the transition system (I, T ) always terminates under the fairness requirement Λ.

CASE STUDIES
We present four case studies in this section: two array programs implementing selection sort and a simplified version of merge sort, and two distributed algorithms Dijkstra's self-stabilizing protocol and Chang-Roberts leader election protocol.To make our presentation succinct, we shall often omit the index range constraint in a formula when the range is clear from the context.For example, we shall write

Selection Sort and Merge Sort
For selection sort, we consider a selection sort program as follows: The array transition system := (V, , ) induced by this program is where 1 , 2 , 3 , 4 are transition formulae derived from the four guarded commands.We verify the typical correctness properties of a sorting algorithm as follows.

Property Specification Explanation
Here, 1 is a safety property stating that at any step, the array segment after the pivot position ℎ ℎ is sorted; 2 is a safety property stating that the array produced by the program has the same content as the input array modulo multiplicities; 3 is a liveness property stating that the program eventually terminates.These three properties together establish the total correctness of the program for arrays with distinct values.
As for merge sort, we consider a nondeterministic merge sort program as follows: Here, ( ,ℎ) ] is an auxiliary formula expressing that the array segment [ . . .ℎ) is sorted.This program starts with = 0 and ℎ ℎ 1 = 1, and guesses the values of , , and ℎ ℎ within the range {1, . . ., }.If the program spots a merge opportunity by this guess (i.e. the guard of the first command is satisfied), it proceeds to = 1 and performs an in-place array merge.After the merge, the program returns to = 0 and guesses the values of , , and ℎ ℎ again.We verify the following eventuality property of the program: which states that the program eventually fails to pinpoint a merge opportunity at = 0.When 1 holds, any execution run that consistently spots a merge opportunity at = 0 eventually reaches = 0 with no further such opportunities, at which point the array segment [1 . . . ) is sorted.In other words, 1 indicates that the program eventually produces a sorted array on the "proper" execution runs, namely, the runs where the program consistently attempts to merge partially sorted array segments.
7.2 Dijkstra's Self-Stabilizing Algorithm Dijkstra's self-stabilizing algorithm [Dijkstra 1982], as introduced in Section 2, can be specified in our modeling language as follows: Here, we have identified | | with and used to denote the ID of the process to be selected by the scheduler.For simplicity, we assume that only privileged processes can be scheduled.Dijkstra's algorithm is progressing under this scheduling assumption, since there always exists at least one privileged process in the system.(Recall that we have proved this fact in Example 5.1.)Dijkstra's algorithm can be initialized with arbitrarily many privileged processes.When ≤ , the system will converge to a stable state containing exactly one privileged process.For convenience, define an auxiliary formula ).We can then express the self-stabilizing property of Dijkstra's algorithm as := FG (∃ . ( ) ∧ ∀ .≠ ⇒ ¬ ( )), meaning that the system eventually converges to exactly one privileged process and remains so forever.To prove the self-stabilizing property , we create subgoals 1 , . . ., 4 for the property as listed in the following table.

Property Specification Explanation
Self-stabilizing property Intuitively, 1 states that process 1 is privileged and scheduled infinitely often; 2 states that if process 1 is privileged and scheduled infinitely often, then eventually variable 1 differs from all the other variables; 3 states that if 1 differs from all the other variables at some point, then   [Chen et al. 2017] and the SLRP tool [Lin and Rümmer 2016] in the abstract analysis of the case studies.In the table, 0 denotes the progress conditions, and 1 , . . ., 4 are the temporal properties defined in Section 7. The table also shows the indexed predicates we used to compute regular abstractions.Note that these predicates contain Skolem constants produced in the formulae rewriting step of our method (see Section 6).For each property, we present the total runtime (Total), the computation time of the initial and refined abstract systems (Model), and the time consumed by the model checker (Solver).

Name
Indexed Predicates Total Model Solver s.sort 0 as a leader under the fairness requirement that each process is scheduled infinitely often.The validity of these properties relies on the assumption that the process IDs are unique.Thus, we need to specify this assumption in the properties.Each template consists of multiple premises and a consequence.The le most premise corresponds to an update (i.e. the assignment part of a guarded command), and the rest of the premises come from the guard.The consequence copies a predicate value from the current state to the next state.These templates exploit a simplifying assumption that one guarded command updates precisely one index variable or array element.

OPTIMIZATION AND EVALUATION
We have implemented a prototype to evaluate our approach over the case studies.The verification of an array system consists of two stages: (i) computing regular abstractions from the system specification, and (ii) performing abstract analysis based on these regular abstractions.When we compute a regular abstraction as described in Section 5.2, a crucial step is to compute the constraint cstr( ) at (8), which could be obtained by enumerating the minimal unsatisfiable cores (MUCs).
For this purpose, we first compute MUCs for using the MUST tool [Bendík and Černá 2020].Since the number of MUCs could be large, including all clauses induced by these MUCs in cstr( ) is generally impractical.Instead, our tool computes the constraint in an incremental manner: we sort these clauses by size, and include a clause only when the constraints generated by the smaller clauses lead to spurious counterexample or timeout in the abstract analysis.As our experimental results have shown, most of the properties in our case studies can be verified by including a moderate number of clauses in the state formulae abstractions.
For transition formulae abstractions, we additionally use templates to capture constraints involving array updates (Figure 1).We syntactically populate these templates with predicates and index terms in and P to derive feasible clauses for cstr( ).To illustrate, suppose that Then, the first template in Figure 1 syntactically derives a feasible clause { = , ′ [ ] ≤ ′ [ ]} for cstr( ).(To see this, note that the first template is in the form of ∧ ∧ ⇒ , which is equivalent to ∧ ⇒ {¬ , }.By instantiating to to ≠ , and to ′ [ ] ≤ ′ [ ], we obtain the desired clause.)Although such clauses may also be produced using the incremental method described earlier, we choose to generate them directly using templates as they are essential for computing precise transition formulae abstractions.
When computing an abstraction formula, we include singleton feasible clauses by default, and incrementally inject other nontrivial feasible clauses in the refinement loop.For transition formulae, we furthermore include clauses populated by templates.We convert the abstraction formulae of an array system specification into finite-state automata mechanically, leveraging Mona [Klarlund and Møller 2001] and Z3 [de Moura and Bjørner 2008].These automata comprise an abstract regular transition system for the concrete specification.We then analyze this abstract system using suitable regular model checkers in the literature.For safety properties, we perform the abstract analysis using the safety verifier by [Chen et al. 2017], which employs the * learning algorithm to generate inductive invariants.For liveness properties, we apply two independent, fully automated techniques: one combines liveness-to-safety reduction techniques (see Section 6.5) with the safety verifier by Chen et al.; the other exploits the liveness verifier SLRP [Lin and Rümmer 2016], which essentially uses an SAT solver to synthesize well-founded relations.Note that our case studies contain two liveness properties with fairness requirements (Dijkstra 2 and Chang-Roberts 2 ).SLRP can only verify liveness under arbitrary schedulers and does not apply to these two properties.
We conducted the experiments on a laptop computer with a 3.6GHz Intel i7 processor, a 16GB memory limit, and a 20-minute timeout.Table 2 presents the results.For each of these properties, our prototype tool can compute sufficiently precise regular abstractions using constraints generated by no more than 10 clauses from the incremental and template-based methods.As for the abstract analysis, the safety properties turn out to be relatively easy: all of them can be proved by the * safety verifier in seconds.Regarding liveness properties, SLRP successfully proves all four liveness properties not requiring fair schedulers, while the * safety verifier proves only one of them, namely selection sort 3 , within the timeout.This property can be verified without using any indexed predicates; the resulting abstract system thus degenerates into an integer program.Reducing a liveness property to a safety property could be expensive: this operation accounts for the majority of the runtime for verifying merge sort 1 , and is likely the main bottleneck in the verification of Dijkstra 1 and 3 by * .Interestingly, the reduction takes a relatively short time for Dijkstra 2 and Chang-Roberts 2 , and hence allows the safety verifier to prove them in time.Since these two properties hold only under fairness requirements, they cannot be handled by SLRP.

RELATED WORK
There is a huge body of research on the verification of array programs and systems.In this section, we provide some context for our work and discuss related work that has not yet been mentioned elsewhere in the paper.
Prior work exploiting predicate abstraction and interpolation exists in the context of verifying quantified inductive invariants for array programs [Alberti et al. 2012b;Cimatti et al. 2016;Jhala and McMillan 2007;Lahiri and Bryant 2007;McMillan 2008;Seghir et al. 2009].Indexed predicates, which are essentially predicates containing free index variables, were first introduced by Flanagan and Qadeer [Flanagan and Qadeer 2002] to compose universally quantified inductive invariants.Lahiri and Bryant later extended and formalized this notion in the framework of indexed predicate abstraction (IPA) [Lahiri andBryant 2004a,b, 2007].IPA encodes abstract state sets as propositional formulae over Boolean variables, and universally quantifies index variables in the predicates when performing concretization.Since post-images of abstract states are generally not computable in this setting, Lahiri and Bryant devised overapproximations of them using a quantifier instantiation heuristic, which enabled the authors to reduce abstract reachability analysis to solving quantified Boolean formulae.In comparison, our abstraction framework encodes abstract state sets as first-order formulae over word variables, and exploits regular languages to overapproximate sets and relations in the abstract domain.These apparatuses allow us to reason about quantified formulae and temporal properties beyond those considered by Lahiri and Bryant.On the other hand, our abstraction function induces infinite abstract systems, for which we employ infinite-state model checking techniques (i.e.regular model checking [Abdulla 2012;Lin and Rümmer 2022]).
For a class of array systems that are used to model multi-threaded programs, specialized predicate abstraction techniques have been developed to infer universally quantified inter-thread properties.Many techniques along this line have focused on symmetric systems (i.e. the system behaves correctly regardless of thread arrangement [Basler et al. 2009;Donaldson et al. 2011Donaldson et al. , 2012;;Pani et al. 2023]) and monotonic systems (i.e. the system is equipped with a well-quasi-ordering [Alberti et al. 2012a,b;Ranise and Ghilardi 2010]).Some techniques further abstract the target system into a symmetric/monotonic system by combining predication abstraction with some form of counter or monotonic abstraction (e.g.[Abdulla et al. 2010;Clarke et al. 2006Clarke et al. , 2008;;Ganjei et al. 2016;Kaiser et al. 2017]), thereby improving the expressiveness and effectiveness of the abstraction methods.Most of these techniques were designed for safety verification, and it is unclear whether they could be extended to handle liveness properties effectively.
Liveness verification of array systems is much more difficult than safety verification, and therefore has relatively fewer automatic techniques and tool supports.In the context of multi-threaded programs, thread-modular analysis [Cook et al. 2007;Ketema and Donaldson 2017;Malkis et al. 2007;Pani et al. 2021Pani et al. , 2023;;Popeea and Rybalchenko 2012] is a popular verification methodology.The analysis considers each thread in isolation and overapproximates the behavior of the other threads by assuming that their effects are passive or irrelevant.Thread-modular analysis is therefore not suitable for verifying liveness properties that require coordination among threads.For example, in the case of Dijkstra's self-stabilizing algorithm, proving that Process 1 eventually updates its local variable requires showing that the other processes collectively make progress on updating their own variables.To reason about liveness properties relying on thread coordination, Farzan et al. [Farzan et al. 2016] introduced well-founded proof spaces and quantified predicate automata (QPAs) for parameterized verification.Like our approach, well-founded proof spaces take a language-theoretic view of termination and reduce checking termination to showing the absence of lasso-shaped counterexample paths.The verification procedure provided by Farzan et al. explores symmetric proof spaces (i.e.proofs closed under permutation of thread identifiers).Also, the procedure requires to iteratively check language inclusion of QPAs, which is itself an undecidable problem and yet to have an effective implementation.
Ivy [McMillan andPadon 2018, 2020] is a deductive verification system that offers an automatic liveness-to-safety proof tactic for properties specified in LTL and a decidable fragment of pure first-order logic called Effectively Propositional Logic (EPR).Specifically, Ivy reduces liveness to safety for infinite-state systems through dynamic abstraction [Padon et al. 2017[Padon et al. , 2021]], which is an overapproximation of cycle detection by dynamically choosing a finite projection of an infinite path.Despite the automatic reduction to safety, the resulting safety property still needs to be proved by the user.Moreover, Ivy does not support theory reasoning inherently, i.e., theories have to be encoded in EPR.Notably, in Ivy's abstraction scheme, the concrete specification, the abstract system, and the safety proof are all expressed in EPR.Our logical formalism is not limited to EPR and directly supports array logic with background element theories.(Our presentation has used the theory of Difference Arithmetic for array elements, as the theory already suffices to analyze our case studies.But in principle, it is easy to adapt our techniques to other background theories such as Linear Integer Arithmetic.) 10 CONCLUDING REMARKS By combining indexed predicate abstraction, decision procedures, automatic structures, and regular model checking, we present a novel framework to verify linear-time properties of array systems.Given a first-order correctness specification, our framework provides a systematic method to compute regular overapproximations of the specification as a string rewriting system, which allows us to exploit a wealth of regular model checking techniques for analyzing both safety and liveness properties.Our experimental results show that this approach is able to verify non-trivial properties of array systems in several interesting case studies.
There are several immediate future research directions.Firstly, existing regular model checking techniques do not have good support for large alphabets.For this reason, the size of the resulting regular abstraction may grow exponentially in the number of predicates, especially with explicit representations of the letters (i.e.bitvectors).This leads to the following question: is it possible to extend regular model checking with symbolic representations of the alphabet symbols?We believe that the answer to this question is positive, given promising work in symbolic automata learning [Argyros and D'Antoni 2018;Drews and D'Antoni 2017] and bitvector theory SMT solving [Peled et al. 2023;Shi et al. 2021;Yao et al. 2020].Secondly, our abstraction computation procedure currently uses simple incremental and template-based methods to search for constraints.We are confident that more sophisticated techniques such as the refinement-based search in IC3 [Cimatti et al. 2014;Komuravelli et al. 2015] can be integrated with our procedure for constraint discovery.Lastly, we have assumed in this work that appropriate indexed predicates have been supplied.Generating nontrivial indexed predicates for array properties is very challenging.In our case studies, we extract predicates from the atomic formulae of system and property specifications.Thus far, this suffices for our current goal, which has been to demonstrate the expressive power and viability of regular abstractions for array systems in interesting case studies.The next step of our research is, therefore, to study automatic generation and refinement of indexed predicates.number 112-2222-E004-001-MY3.Anthony Lin is supported by European Research Council under European Union's Horizon 2020 research and innovation programme (grant agreement no 101089343).

Fig. 1 .
Fig.1.Example constraint templates for updating and copying array contents, where ⊲⊳ ∈ {=, ≠, <, ≤, >, ≥}.Each template consists of multiple premises and a consequence.The le most premise corresponds to an update (i.e. the assignment part of a guarded command), and the rest of the premises come from the guard.The consequence copies a predicate value from the current state to the next state.These templates exploit a simplifying assumption that one guarded command updates precisely one index variable or array element.

Table 2 .
Results of applying the * learning-based model checker