
) ⊨ Post_A(?, µ(i)). We have Post_A(?, u) ⊨ Post_A(?, u) for all u ∈ Σ*. But since ? is a finite set, also the set {Post_A(?, u) | u ∈ Σ*} is finite. Thus there exists k ≥ 0 such that

Proposition 2. Given a formula ? ∈ Form⁺(Q, x) and a ∈ Σ, we have ?(?, a) ? ∃Q . ?[Q /Q] ∧ ⋀_{q∈Q}

for some valuations ? : Q → B and ? : x → Data_I, ? : x → Data_I, then we build a valuation ? : Q → B such that I, ? ∪ ? ∪ ? ∪ ? ⊨ ?[Q /Q] ∧ ⋀_{q∈Q} (q → ?(q, a)). For each occurrence of a formula ?(q, a) in ?(?, a) we set ?(q) = true if I, ? ∪ ? ∪ ? ⊨ ?(q, a) and ?(q) = false, otherwise. Since there are no negated occurrences of such subformulae, the definition of ? is consistent, and the check I, ? ∪ ? ∪ ? ∪ ? ⊨ ?

We apply Proposition 2 recursively and get: Post_A(?, u)

we obtain a model for Acc_A(u) ∧ Post_A(?, u) ∧ ?_{n+1}

(n_{k−1}, a_k, n_k), where n_0 = r and (n, a, m) = (n_{i−1}, a_i, n_i), for some i ∈ [1, k] and, moreover, a_1 ... a_k was found, at some point, to be a spurious counterexample. Let I?_0, ..., I?_k, ? be an interpolant for ?(a_1 ... a_k) ? ?(r) ∧ ⋀_{i=1}^{k} ?_i ∧ ⋀_{q∈R(n_k)} (q_k ? ?), such that I?_i ∈ Form⁺(Q, x), for all i ∈ [0, k]. According to Lyndon's Interpolation Theorem, it is possible to build such an interpolant, when ?(a_1 ... a_k) is unsatisfiable. By Proposition 2, we obtain ?_i(I?_{i−1}, a_i)[Q_i/Q] ? ∃Q_{i−1}. I?_{i−1}[Q_{i−1}/Q, x_{i−1}/x] ∧ ?_i and, since I?_{i−1}[Q_{i−1}/Q, x_{i−1}/x] ∧ ?_i ⊨ I?_i, = 0, we have Post_A(?, ?) we compute: Post_A

Since ?(n_{i−1}) = ??? I?_{i−1} and ?(n_i) = ??? I?_i, we obtain Post_A(?(n_{i−1}), a_i) ⊨ ?

We prove first that

Suppose that (4) holds when reaching line 3 and some node n was removed from W and inserted into N. We distinguish two cases, either:
- n is covered, in which case W becomes W \ {n} and (4) holds, or
- n is not covered, in which case W becomes (W \ {n}) ∪ S, where S = {s ∉ N | (n, a, s) ∈ E, a ∈ Σ} is the set of fresh successors of n, ) holds trivially

or
- for each a ∈ Σ there exists s ∈ N such that (n, a, s) ∈ E. We prove that, in this case, ⋁_{n∈N} ?(n) defines a safety invariant and conclude that L(A) = ∅, by Lemma 2. To this end, let u = a_1 ... a_k ∈ Σ* be an arbitrary sequence and let v_1 be the largest prefix of u that labels a path from r to some node n_1 ∈ N. If v_1 = u we are done. Otherwise, by the choice of v_1, it must be the case that a successor of n_1 is missing from (N, E), thus n_1 must be covered, by (4) and the fact that W = ∅, v ∈ Σ* and nodes r = m_0, m_1, ..., m such that

) ⊨ ?(m) and we are done showing that ⋁_{n∈N} ?(n) is an invariant. To prove that ⋁_{n∈N} ?(n) is, moreover, a safety invariant, suppose that Acc_A(u) is satisfiable, for some u ∈ Σ* and let n ∈ N be a node such that Post_A(?, u) ⊨ ?(n). By the previous point, such a node must exist