InVeST: A Tool for the Verification of Invariants

There are basically two approaches to the veriication of reactive systems, the algorithmic approach on one hand and the deductive approach on the other hand. The algorithmic approach is based on the computation of x-points, on eeective representations of sets of states, and on decision procedures to solve the inclusion problem of sets of states. For example the backward procedure is an instance of this approach. To prove that a set of states P is an invariant of a system S, the backward procedure computes the largest set Q of states satisfying Q P and Q wp(; Q), for every transition 2 T of S. Here wp(; Q) is the weakest precondition of with respect to Q. Then, P is an invariant of S if and only if every initial state of S satisses Q. In general, the algorithmic approach is based on an eeective representation R for sets of states, eeective boolean operations, a procedure for deciding inclusion in R, eeective predicate transformers to guarantee recursiveness of the method, and convergence of x-points to guarantee completeness. In general, in case of innnite state systems, rst-order logic with Peano arithmetic is considered as representation R. In fact, it can be proved that any weaker logic is not expressive enough (e.g. 7]), when the considered system contains variables that range over innnite domains. Thus, one has eeective boolean operations and can deene predicate transformers, but inclusion is undecidable. Moreover, convergence of x-points is not guaranteed. Consequently, the algorithmic approach cannot be applied in general to innnite state systems. On the other hand, the deductive approach is very powerful and gives a complete method even for innnite state systems. It relies upon nding auxiliary invariants and proving validity of rst-order formulas, called veriication conditions. The deductive approach is, however, in contrast to the algorithmic approach, diicult to apply. Indeed, it is in general a hard task to nd suitable auxiliary invariants and time consuming to discharge all generated veriication conditions. Therefore, there is a strong need for tools that support both tasks. InVeSt is such a tool as it supports the veriication of invariance properties of innnite state systems. The salient feature of InVeSt is that it combines the algorithmic with the deductive approaches to program veriication in two diierent ways: 1. It integrates the principles underlying the algorithmic (e.g. 3, 18]) and the deductive methods (e.g. 14]) in the sense that …