Infinitary Limit Program Verification

• Infinitary Limit Program is a construction that reduces the safety verification of infinite families of systems to a single, canonical limit structure.
• It exploits local symmetry and universality through Fraïssé limit constructions to enable automated and complete safety proofs.
• The approach uses T-predicate automata and well-structured search methods to establish proof equivalence between finite systems and the limit program.

An infinitary limit program, in the context of safety verification for parameterized programs over arbitrary topologies, is a construction that allows the reduction of verification for an entire (potentially infinite) family of finite-state or infinite-state systems to analysis of a single, canonical infinitary structure. This methodology is deployed to exploit local symmetry and universality in the underlying class of system topologies, thereby yielding strong results for algorithmic verification—including decision procedures—without requiring explicit axiomatization of every member of the family. The approach is grounded in recent advances in model theory, automata theory, and parametric proof systems (Cheng et al., 26 Jan 2026).

1. Parameterized Programs, Topologies, and Symmetry

A parameterized program consists of an infinite family $\{P_i\}$ of concurrent programs, each defined over a finite (or possibly infinite) topology $T_i$ determined by a fixed first-order vocabulary $V$ (which includes predicates and functions but no constants). These topologies model communication networks or interconnection graphs for processes or components.

Nodes within each $T_i$ serve as the indices for indexed commands (i.e., program actions parameterized by location). Symmetry arises from local structural isomorphisms: two tuples of nodes $\vec{a} \in T^k$, $\vec{b} \in {T'}^k$ are considered locally isomorphic (denoted $\vec{a} \simeq \vec{b}$) if there is a structure isomorphism between their generated neighborhoods, enabling transfer of proof arguments across isomorphic localities (Cheng et al., 26 Jan 2026).

2. Parametric Proof Spaces and Local Proof Reasoning

A parametric proof space is a set of valid Hoare triples (precondition, command sequence, postcondition), syntactically formulated over a universal topology $T$ encompassing all $T_i$ as substructures. The proof space is syntactically closed under three inference rules:

• Sequencing: Chaining of triples via shared postconditions/preconditions, respecting combinatorial entailment of assertions.
• Conjunction: Parallel composition of independent proof arguments for the same command.
• Parametric Symmetry: Transport of triples along local isomorphisms between neighborhoods in $T$, allowing local argument reuse even when no global symmetry exists.

The language $L(H)$ recognized by a proof space $H$ consists of all runs whose error traces are covered by the closure of $H$, and is closed under local isomorphism $\simeq$ (Cheng et al., 26 Jan 2026).

3. Fraïssé Limit Construction: Definition and Properties

To enable reasoning about the entire family $\{T_i\}$, one constructs a Fraïssé-style limit $\widetilde{T}$. This countable structure is the unique (up to isomorphism) ultrahomogeneous, universal limit of the class of all finitely generated substructures of the $T_i$. Formally, for any finite substructure in any $T_i$, there is an isomorphic copy within $\widetilde{T}$, and all isomorphisms between finite substructures extend to automorphisms of $\widetilde{T}$.

This universality and homogeneity ensure that any safety property or counterexample for a member of the family is also manifest in the limit structure. Every finite topology embeds in $\widetilde{T}$, and the local isomorphism types of subtuples remain representative for the whole class (Cheng et al., 26 Jan 2026).

4. Definition of the Infinitary Limit Program

Given the Fraïssé limit topology $\widetilde{T}$, one defines the infinitary limit program $\widetilde{P}$ over $\Sigma \times \widetilde{T}$—that is, $\widetilde{P}$ comprises one instance of each indexed command for each node in $\widetilde{T}$, following the same operational semantics as in the family $\{P_i\}$ but interpreted over the universal structure.

Each command is lifted by local isomorphism expansions so every run/behavior in a finite $P_i$ corresponds, modulo $\simeq$, to a run/behavior in $\widetilde{P}$, and vice versa (Cheng et al., 26 Jan 2026).

5. Completeness and Verification Equivalence

A central theorem establishes logical equivalence between the verification problems for the family and its infinitary limit:

• The parameterized system $\{P_i\}$ is safe (no error admits a run in any $P_i$) if and only if the limit program $\widetilde{P}$ is safe (no error run in $\widetilde{P}$).
• Any $T$-proof space $H$ covers (proves safety for) all $P_i$ if and only if it covers $\widetilde{P}$, i.e., if $L_{err}(\widetilde{P}) \subseteq L(H)$.

It thus suffices to construct and analyze $H$ and verify the inclusion $L_{err}(\widetilde{P}) \subseteq L(H)$ rather than working with the potentially infinite union over $i$ of $L_{err}(P_i)$ (Cheng et al., 26 Jan 2026).

6. Decision Procedures: Automata and Well-Structured Search

Error traces and proof spaces are represented using $T$-predicate automata (T-PAs), automata whose alphabet is $\Sigma \times \widetilde{T}$ and whose transition function uses positive quantifier-free formulas over a vocabulary extending $V$. Under effective finiteness conditions on the local isomorphism types in $\widetilde{T}$, both $L_{err}(\widetilde{P})$ and $L(H)$ can be accepted by T-PAs.

The inclusion check $L_{err}(\widetilde{P}) \subseteq L(H)$ is reduced to the emptiness of $L_{err}(\widetilde{P}) \cap (\overline{L(H)})$, which is semi-decidable via a standard backward coverability search for well-structured transition systems (WSTS). Decidability is achieved when:

• $\widetilde{T}$ is homogeneous and $\widetilde{T}^d/\simeq$ is finite for all $d$,
• Quantifier-free satisfiability in $\widetilde{T}$ is decidable,
• Covering is a well-quasi-order (WQO) on the reachable configurations of the automaton (e.g., for Boolean data and homogeneous topologies like rings) (Cheng et al., 26 Jan 2026).

7. Illustrative Example: Token-Passing Ring

In the standard token-passing ring, each process updates the token bit at its neighbors. The limit program $\widetilde{P}$ is defined over the universal ring $\widetilde{T}$, the countable disjoint union of all finite rings. The parametric proof space $H$ is constructed from a finite basis (e.g., triples for rings of size 3), closed under local symmetry, sequencing, and conjunction.

The error language $L_{err}(\widetilde{P})$ and the coverage language $L(H)$ are recognized by monadic T-PAs. Verification reduces to checking emptiness of their intersection, which is guaranteed decidable by the finiteness of $\widetilde{T}^2/\simeq$ and WQO properties, providing a fully constructive and complete verification algorithm for safety properties across all ring sizes (Cheng et al., 26 Jan 2026).