Abstract
Proving that an unbounded distributed protocol satisfies a given safety property amounts to finding a quantified inductive invariant that implies the property for all possible instance sizes of the protocol. Existing methods for solving this problem can be described as search procedures for an invariant whose quantification prefix fits a particular template. We propose an alternative constructive approach that does not prescribe, a priori, a specific quantifier prefix. Instead, the required prefix is automatically inferred without any enumerative search by carefully analyzing the spatial and temporal regularity of the protocol. The key insight underlying this approach is that structural regularity and quantification are closely related concepts that express protocol invariance under different re-arrangements of its components and its unbounded evolution over time. We extended the finite-domain IC3/PDR algorithm to use these regularities and boost clause learning to automatically derive the required quantified inductive invariant by exploiting the connection between structural regularities and quantification. We also describe a procedure to automatically find a minimal finite size, the cutoff, that yields a quantified invariant proving safety for any size. Our approach is implemented in IC3PO, a new verifier for distributed protocols that significantly outperforms the state of the art, scales orders of magnitude faster, and robustly derives compact inductive invariants fully automatically.
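As an added illustration, not code from the paper or from IC3PO, of the link between structural regularity and quantification described above: a clause learned on one finite instance is mapped through every permutation of a symmetric `node` sort, the learned clause set is checked for closure under those permutations, and the resulting orbit is emitted as a single universally quantified clause over pairwise-distinct variables. The toy protocol, relation names and clause encoding are constructed for this example.

```python
from itertools import permutations

# Constructed toy instance: a protocol with a single symmetric sort `node`
# of size 3. A literal is (polarity, relation, args) and a clause is a
# frozenset of literals read as a disjunction. Names are assumed, not IC3PO's.
NODES = ("n1", "n2", "n3")

def permute_clause(clause, mapping):
    """Rename node constants in every literal according to `mapping`."""
    return frozenset((pol, rel, tuple(mapping.get(a, a) for a in args))
                     for pol, rel, args in clause)

def orbit(clause, domain=NODES):
    """All images of `clause` under the symmetric group on `domain`."""
    return {permute_clause(clause, dict(zip(domain, p)))
            for p in permutations(domain)}

def is_symmetric(clauses, domain=NODES):
    """Regularity check: every clause's full orbit is in the learned set."""
    learned = set(clauses)
    return all(orbit(c, domain) <= learned for c in learned)

def quantify(clause, domain=NODES):
    """Express the conjunction of the orbit as one universally quantified
    clause over pairwise-distinct variables (the 'forall' prefix case)."""
    consts = sorted({a for _, _, args in clause for a in args if a in domain})
    var_of = {c: f"N{i + 1}" for i, c in enumerate(consts)}
    lits = sorted(permute_clause(clause, var_of))
    body = " | ".join(("" if pol else "~") + f"{rel}({', '.join(args)})"
                      for pol, rel, args in lits)
    if not consts:                      # nullary clause: nothing to quantify
        return body
    names = list(var_of.values())
    distinct = " & ".join(f"{a} != {b}"
                          for i, a in enumerate(names) for b in names[i + 1:])
    guard = f"{distinct} -> " if distinct else ""
    return f"forall {', '.join(names)}. {guard}({body})"

def demo():
    """Clause learned on the size-3 instance: at most one leader."""
    c = frozenset({(False, "leader", ("n1",)), (False, "leader", ("n2",))})
    return len(orbit(c)), is_symmetric(orbit(c)), is_symmetric({c}), quantify(c)

if __name__ == "__main__":
    print(demo())
```

The orbit of the two-constant clause has three members on a three-node instance, and only the complete orbit passes the regularity check; the quantified form then stands in for that orbit at any size.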
Notes
We assume familiarity with basic notions from group theory including permutation groups, cycle notation, group action on a set, orbits, etc., which can be readily found in standard textbooks on Abstract Algebra [37].
A totally ordered sort is a sort that has a binary relation symbol < defined that satisfies the axioms of a total order.
Sort dependencies, if any, should be considered to ensure that any dependent sort size is also increased when increasing the size of an independent sort.
Future theoretical investigations along these lines have the potential to identify a new subclass of parameterized systems whose safety can be determined in a decidable manner.
Since \(\mathtt{quorum}\) is a dependent sort on \(\mathtt{node}\), it is increased together with the \(\mathtt{node}\) sort.
References
Lamport L (2002) Specifying systems: the TLA+ language and tools for hardware and software engineers. Addison-Wesley Longman Publishing Co., Inc., Boston
Padon O, McMillan KL, Panda A, Sagiv M, Shoham S (2016) Ivy: safety verification by interactive generalization. In: Proceedings of the 37th ACM SIGPLAN conference on programming language design and implementation, pp 614–630
Hawblitzel C, Howell J, Kapritsos M, Lorch JR, Parno B, Roberts ML, Setty S, Zill B (2015) Ironfleet: proving practical distributed systems correct. In: Proceedings of the 25th symposium on operating systems principles. ACM, pp 1–17
Wilcox JR, Woos D, Panchekha P, Tatlock Z, Wang X, Ernst MD, Anderson T (2015) Verdi: a framework for implementing and formally verifying distributed systems. In: Proceedings of the 36th ACM SIGPLAN conference on programming language design and implementation, pp 357–368
Apt KR, Kozen D (1986) Limits for automatic verification of finite-state concurrent systems. Inf Process Lett 22(6):307–309
Clarke EM, Grumberg O (1987) Avoiding the state explosion problem in temporal logic model checking. In: Proceedings of the sixth annual ACM symposium on principles of distributed computing, pp 294–303
Barras B, Boutin S, Cornes C, Courant J, Filliâtre J-C, Giménez E, Herbelin H, Huet G, Muñoz C, Murthy C, Parent C, Paulin-Mohring C, Saïbi A, Werner B (1997) The Coq proof assistant reference manual: version 6.1. Research report RT-0203, INRIA. Projet COQ. https://hal.inria.fr/inria-00069968
Nipkow T, Wenzel M, Paulson C (2002) Isabelle/HOL: a proof assistant for higher-order logic. Springer, Berlin
Abel A, Benke M, Bove A, Hughes J, Norell U (2005) Verifying Haskell programs using constructive type theory. In: Proceedings of the 2005 ACM SIGPLAN workshop on Haskell, pp 62–73
Bradley AR (2011) SAT-based model checking without unrolling. In: Proceedings of the 12th international conference on verification, model checking, and abstract interpretation, VMCAI’11. Springer, Berlin, pp 70–87. http://dl.acm.org/citation.cfm?id=1946284.1946291
Een N, Mishchenko A, Brayton R (2011) Efficient implementation of property directed reachability. In: Proceedings of the international conference on formal methods in computer-aided design, FMCAD ’11. FMCAD Inc, Austin, pp 125–134
Emerson EA, Sistla AP (1996) Symmetry and model checking. Formal Methods Syst Des 9(1):105–131
Ip CN, Dill DL (1996) Better verification through symmetry. Formal Methods Syst Des 9(1):41–75. https://doi.org/10.1007/BF00625968
Pong F, Dubois M (1995) A new approach for the verification of cache coherence protocols. IEEE Trans Parallel Distrib Syst 6(8):773–787
Godefroid P (1999) Exploiting symmetry when model-checking software. In: Wu J, Chanson ST, Gao Q (eds) Formal methods for protocol engineering and distributed systems. Springer, Boston, pp 257–275. https://doi.org/10.1007/978-0-387-35578-8_15
Sistla AP, Gyuris V, Emerson EA (2000) A symmetry-based model checker for verification of safety and liveness properties. ACM Trans Softw Eng Methodol (TOSEM) 9(2):133–166
Barner S, Grumberg O (2002) Combining symmetry reduction and under-approximation for symbolic model checking. In: International conference on computer aided verification. Springer, pp 93–106
Burch JR, Clarke EM, McMillan KL, Dill DL, Hwang LJ (1990) Symbolic model checking: \(10^{20}\) states and beyond. In: Proceedings of fifth annual IEEE symposium on logic in computer science, pp 428–439
Burch JR, Clarke EM, McMillan KL, Dill DL, Hwang L-J (1992) Symbolic model checking: \(10^{20}\) states and beyond. Inf Comput 98(2):142–170
McMillan KL (1993) Symbolic model checking. Kluwer Academic Publishers, Norwell
Pnueli A, Ruah S, Zuck L (2001) Automatic deductive verification with invisible invariants. In: International conference on tools and algorithms for the construction and analysis of systems. Springer, pp 82–97
Arons T, Pnueli A, Ruah S, Xu Y, Zuck L (2001) Parameterized verification with automatically computed inductive assertions. In: Berry G, Comon H, Finkel A (eds) Computer aided verification. Springer, Berlin, pp 221–234
Zuck L, Pnueli A (2004) Model checking and abstraction to the aid of parameterized systems (a survey). Comput Lang Syst Struct 30(3–4):139–169
Balaban I, Fang Y, Pnueli A, Zuck LD (2005) IIV: an invisible invariant verifier. In: International conference on computer aided verification. Springer, pp 408–412
Dooley M, Somenzi F (2016) Proving parameterized systems safe by generalizing clausal proofs of small instances. In: International conference on computer aided verification. Springer, pp 292–309
Zuck LD, McMillan KL (2019) Invisible invariants are neither. Springer, Berlin, pp 57–72. https://doi.org/10.1007/978-3-030-31514-6_5
Namjoshi KS (2007) Symmetry and completeness in the analysis of parameterized systems. In: International workshop on verification, model checking, and abstract interpretation. Springer, pp 299–313
Marques-Silva JP, Sakallah A (1999) Grasp: a search algorithm for propositional satisfiability. IEEE Trans Comput 48(5):506–521
Moskewicz MW, Madigan CF, Zhao Y, Zhang L, Malik S (2001) Chaff: engineering an efficient SAT solver. In: DAC, pp 530–535
Eén N, Sörensson N (2003) An extensible SAT-solver. In: International conference on theory and applications of satisfiability testing. Springer, pp 502–518
Balyo T, Froleyks N, Heule MJ, Iser M, Järvisalo M, Suda M (2020) Proceedings of SAT competition 2020: solver and benchmark descriptions
Goel A, Sakallah KA (2020) AVR: abstractly verifying reachability. In: 26th International conference on tools and algorithms for the construction and analysis of systems (TACAS 2020), vol LNCS 12078. Dublin, Ireland, pp 413–422. https://doi.org/10.1007/978-3-030-45190-5_23
Goel A, Sakallah K (2019) Model checking of Verilog RTL using IC3 with syntax-guided abstraction. In: Badger JM, Rozier KY (eds) NASA formal methods. Springer, Cham, pp 166–185. https://doi.org/10.1007/978-3-030-20652-9_11
Goel A, Sakallah K (2019) Empirical evaluation of IC3-based model checking techniques on Verilog RTL designs. In: Design, automation test in Europe conference exhibition (DATE), pp 618–621. https://doi.org/10.23919/DATE.2019.8715289
Ma H, Goel A, Jeannin J-B, Kapritsos M, Kasikci B, Sakallah KA (2019) I4: incremental inference of inductive invariants for verification of distributed protocols. In: Proceedings of the 27th symposium on operating systems principles. ACM
Toy consensus protocol. https://github.com/microsoft/ivy/blob/master/examples/ivy/toy_consensus.ivy
Fraleigh JB (2000) A first course in abstract algebra, 6th edn. Addison Wesley Longman, Reading
Kurshan RP, McMillan K (1989) A structural induction theorem for processes. In: Proceedings of the eighth annual ACM symposium on principles of distributed computing, pp 239–247
German SM, Sistla AP (1992) Reasoning about systems with many processes. J ACM (JACM) 39(3):675–735
Goel A, Sakallah KA (2021) On symmetry and quantification: a new approach to verify distributed protocols. CoRR abs/2103.14831. arXiv:2103.14831
Cimatti A, Roveri M, Griggio A, Irfan A (2011) Verification modulo theories. http://www.vmt-lib.org
pySMT: a library for SMT formulae manipulation and solving. https://github.com/aman-goel/pysmt
Gario M, Micheli A (2015) PySMT: a solver-agnostic library for fast prototyping of SMT-based algorithms. In: SMT workshop, vol 2015
Dutertre B (2014) Yices 2.2. In: Biere A, Bloem R (eds) Computer aided verification. Springer, Cham, pp 737–744
Barrett C, Fontaine P, Tinelli C (2016) The satisfiability modulo theories library (SMT-LIB). http://www.smt-lib.org/
Goel A, Sakallah KA (2021) Towards an automatic proof of Lamport’s Paxos. In: Piskac R, Whalen MW (eds) Formal methods in computer-aided design (FMCAD), New Haven, Connecticut, pp 112–122. https://doi.org/10.34727/2021/isbn.978-3-85448-046-4_20
Koenig JR, Padon O, Immerman N, Aiken A (2020) First-order quantified separators. In: Proceedings of the 41st ACM SIGPLAN conference on programming language design and implementation, pp 703–717
A collection of distributed protocol verification problems. https://github.com/aman-goel/ivybench
Feldman YM, Wilcox JR, Shoham S, Sagiv M (2019) Inferring inductive invariants from phase structures. In: International conference on computer aided verification. Springer, pp 405–425
Berkovits I, Lazić M, Losa G, Padon O, Shoham S (2019) Verification of threshold-based distributed algorithms by decomposition to decidable logics. In: International conference on computer aided verification. Springer, pp 245–266
Feldman YM, Immerman N, Sagiv M, Shoham S (2019) Complexity and information in invariant inference. Proc ACM Program Lang 4(POPL):1–29
Feldman YMY, Sagiv M, Shoham S, Wilcox JR (2020) Learning the boundary of inductive invariants. CoRR abs/2008.09909. arXiv:2008.09909
Hance T, Heule M, Martins R, Parno B (2021) Finding invariants of distributed systems: it’s a small (enough) world after all. In: 18th USENIX symposium on networked systems design and implementation (NSDI 21), pp 115–131
mypyvy on GitHub. https://github.com/wilcoxjay/mypyvy
Yao J, Tao R, Gu R, Nieh J, Jana S, Ryan G (2021) DistAI: data-driven automated invariant learning for distributed protocols. In: 15th USENIX symposium on operating systems design and implementation (OSDI 21), pp 405–421
Ma H, Goel A, Jeannin J-B, Kapritsos M, Kasikci B, Sakallah KA (2019) Towards automatic inference of inductive invariants. In: Proceedings of the workshop on hot topics in operating systems. ACM, pp 30–36
Goel A, Sakallah K. Averroes 2. http://www.github.com/aman-goel/avr
Karbyshev A, Bjørner N, Itzhaky S, Rinetzky N, Shoham S (2017) Property-directed inference of universal invariants or proving their absence. J ACM 64(1):1–33. https://doi.org/10.1145/3022187
De Moura L, Bjørner N (2008) Z3: an efficient SMT solver. In: Proceedings of the theory and practice of software; 14th International conference on tools and algorithms for the construction and analysis of systems. TACAS’08/ETAPS’08. Springer, Berlin, pp 337–340
Barrett C, Conway CL, Deters M, Hadarean L, Jovanović D, King T, Reynolds A, Tinelli C (2011) CVC4. In: International conference on computer aided verification. Springer, pp 171–177
Padon O, Losa G, Sagiv M, Shoham S (2017) Paxos made EPR: decidable reasoning about distributed protocols. Proc ACM Program Lang 1(OOPSLA):1–31
Lamport L (1998) The part-time parliament. ACM Trans Comput Syst (TOCS) 16(2):133–169
Lamport L (2001) Paxos made simple. ACM SIGACT News (Distributed computing column) 32(4), whole number 121, December 2001, pp 51–58
Lamport L (2019) A TLA+ specification of the Paxos consensus algorithm from Leslie Lamport’s lectures titled: The Paxos algorithm, or how to win a Turing award. https://github.com/tlaplus/Examples/blob/master/specifications/PaxosHowToWinATuringAward/Paxos.tla
The Ivy language and verifier. http://microsoft.github.io/ivy
Stoica I, Morris R, Liben-Nowell D, Karger DR, Kaashoek MF, Dabek F, Balakrishnan H (2003) Chord: a scalable peer-to-peer lookup protocol for internet applications. IEEE/ACM Trans Netw (TON) 11(1):17–32
Chakravarty MM, Chapman J, MacKenzie K, Melkonian O, Jones MP, Wadler P (2020) The extended UTXO model. In: International conference on financial cryptography and data security. Springer, pp 525–539
Chakravarty MM, Chapman J, MacKenzie K, Melkonian O, Müller J, Jones MP, Vinogradova P, Wadler P (2020) Native custom tokens in the extended UTXO model. In: International symposium on leveraging applications of formal methods. Springer, pp 89–111
Cardano blockchain platform. https://cardano.org
Newcombe C, Rath T, Zhang F, Munteanu B, Brooker M, Deardeuff M (2015) How Amazon web services uses formal methods. Commun ACM 58(4):66–73
Beers R (2008) Pre-RTL formal verification: an Intel experience. In: Proceedings of the 45th annual design automation conference, pp 806–811
Owre S, Rushby JM, Shankar N (1992) PVS: a prototype verification system. In: International conference on automated deduction. Springer, pp 748–752
Chaudhuri K, Doligez D, Lamport L, Merz S (2010) Verifying safety properties with the TLA+ proof system. In: International joint conference on automated reasoning. Springer, pp 142–148
Hoenicke J, Majumdar R (2010) Thread modularity at many levels: a pearl in compositional verification. ACM SIGPLAN Not 52(1):473–485
von Gleissenthall K, Kıcı RG, Bakst A, Stefan D, Jhala R (2019) Pretend synchrony: synchronous verification of asynchronous distributed programs. Proc ACM Program Lang 3(POPL):1–30
Ranise S, Ghilardi S (2010) Backward reachability of array-based systems by SMT solving: termination and invariant synthesis. Log Methods Comput Sci 6
Conchon S, Goel A, Krstić S, Mebsout A, Zaïdi F (2012) Cubicle: a parallel SMT-based model checker for parameterized systems. In: International conference on computer aided verification. Springer, pp 718–724
Li Y, Pang J, Lv Y, Fan D, Cao S, Duan K (2015) Paraverifier: an automatic framework for proving parameterized cache coherence protocols. In: International symposium on automated technology for verification and analysis. Springer, pp 207–213
Abdulla P, Haziza F, Holík L (2016) Parameterized verification through view abstraction. Int J Softw Tools Technol Transf 18(5):495–516
Lamport L (1977) Proving the correctness of multiprocess programs. IEEE Trans Softw Eng 2:125–143
Owicki S, Gries D (1976) Verifying properties of parallel programs: an axiomatic approach. Commun ACM 19(5):279–285
Karbyshev A, Bjørner N, Itzhaky S, Rinetzky N, Shoham S (2017) Property-directed inference of universal invariants or proving their absence. J ACM (JACM) 64(1):1–33. https://doi.org/10.1145/3022187
Gurfinkel A, Shoham S, Vizel Y (2018) Quantifiers on demand. In: International symposium on automated technology for verification and analysis. Springer, pp 248–266
Lamport L (2011) Byzantizing Paxos by refinement. In: International symposium on distributed computing. Springer, pp 211–224
Ongaro D, Ousterhout J (2014) In search of an understandable consensus algorithm. In: USENIX annual technical conference (USENIX ATC 14), pp 305–319
Kuppe MA, Lamport L, Ricketts D (2019) The TLA+ toolbox. Electron Proc Theor Comput Sci 310:50–62. https://doi.org/10.4204/eptcs.310.6
Cite this article
Goel, A., Sakallah, K.A. Regularity and quantification: a new approach to verify distributed protocols. Innovations Syst Softw Eng 19, 359–377 (2023). https://doi.org/10.1007/s11334-022-00460-8