
Regularity and quantification: a new approach to verify distributed protocols

  • S.I.: Selected Extended Papers of NFM 2021
  • Innovations in Systems and Software Engineering

Abstract

Proving that an unbounded distributed protocol satisfies a given safety property amounts to finding a quantified inductive invariant that implies the property for all possible instance sizes of the protocol. Existing methods for solving this problem can be described as search procedures for an invariant whose quantification prefix fits a particular template. We propose an alternative constructive approach that does not prescribe, a priori, a specific quantifier prefix. Instead, the required prefix is automatically inferred without any enumerative search by carefully analyzing the spatial and temporal regularity of the protocol. The key insight underlying this approach is that structural regularity and quantification are closely related concepts that express protocol invariance under different re-arrangements of its components and its unbounded evolution over time. We extended the finite-domain IC3/PDR algorithm to use these regularities and boost clause learning to automatically derive the required quantified inductive invariant by exploiting the connection between structural regularities and quantification. We also describe a procedure to automatically find a minimal finite size, the cutoff, that yields a quantified invariant proving safety for any size. Our approach is implemented in IC3PO, a new verifier for distributed protocols that significantly outperforms the state of the art, scales orders of magnitude faster, and robustly derives compact inductive invariants fully automatically.


Notes

  1. An interesting aside is this quote by Ed Clarke [6]: “In any case, it is clear that the claim in [5] regarding the infeasibility of automatically checking the correctness of programs with many processes is unduly pessimistic.”

  2. The description in [36] is in the Ivy [2] language and encodes set operations in relational form with a member relation representing \(\in \).

  3. We assume familiarity with basic notions from group theory including permutation groups, cycle notation, group action on a set, orbits, etc., which can be readily found in standard textbooks on Abstract Algebra [37].

  4. A totally ordered sort is a sort that has a binary relation symbol < defined that satisfies the axioms of a total order.

  5. Sort dependencies, if any, should be considered to ensure that any dependent sort size is also increased when increasing the size of an independent sort.

  6. Future theoretical investigations along these lines could identify a new subclass of parameterized systems whose safety is decidable.

  7. Since \(\mathtt{quorum}\) is a dependent sort on \(\mathtt{node}\), it is increased together with the \(\mathtt{node}\) sort.

References

  1. Lamport L (2002) Specifying systems: the TLA+ language and tools for hardware and software engineers. Addison-Wesley Longman Publishing Co., Inc., Boston

  2. Padon O, McMillan KL, Panda A, Sagiv M, Shoham S (2016) Ivy: safety verification by interactive generalization. In: Proceedings of the 37th ACM SIGPLAN conference on programming language design and implementation, pp 614–630

  3. Hawblitzel C, Howell J, Kapritsos M, Lorch JR, Parno B, Roberts ML, Setty S, Zill B (2015) Ironfleet: proving practical distributed systems correct. In: Proceedings of the 25th symposium on operating systems principles. ACM, pp 1–17

  4. Wilcox JR, Woos D, Panchekha P, Tatlock Z, Wang X, Ernst MD, Anderson T (2015) Verdi: a framework for implementing and formally verifying distributed systems. In: Proceedings of the 36th ACM SIGPLAN conference on programming language design and implementation, pp 357–368

  5. Apt KR, Kozen D (1986) Limits for automatic verification of finite-state concurrent systems. Inf Process Lett 22(6):307–309

  6. Clarke EM, Grumberg O (1987) Avoiding the state explosion problem in temporal logic model checking. In: Proceedings of the sixth annual ACM symposium on principles of distributed computing, pp 294–303

  7. Barras B, Boutin S, Cornes C, Courant J, Filliâtre J-C, Giménez E, Herbelin H, Huet G, Muñoz C, Murthy C, Parent C, Paulin-Mohring C, Saïbi A, Werner B (1997) The Coq proof assistant reference manual: version 6.1. Research report RT-0203, INRIA. Projet COQ. https://hal.inria.fr/inria-00069968

  8. Nipkow T, Wenzel M, Paulson C (2002) Isabelle/HOL: a proof assistant for higher-order logic. Springer, Berlin

  9. Abel A, Benke M, Bove A, Hughes J, Norell U (2005) Verifying Haskell programs using constructive type theory. In: Proceedings of the 2005 ACM SIGPLAN workshop on Haskell, pp 62–73

  10. Bradley AR (2011) SAT-based model checking without unrolling. In: Proceedings of the 12th international conference on verification, model checking, and abstract interpretation, VMCAI’11. Springer, Berlin, pp 70–87. http://dl.acm.org/citation.cfm?id=1946284.1946291

  11. Een N, Mishchenko A, Brayton R (2011) Efficient implementation of property directed reachability. In: Proceedings of the international conference on formal methods in computer-aided design, FMCAD ’11. FMCAD Inc, Austin, pp 125–134

  12. Emerson EA, Sistla AP (1996) Symmetry and model checking. Formal Methods Syst Des 9(1):105–131

  13. Norris IPC, Dill DL (1996) Better verification through symmetry. Formal Methods Syst Des 9(1):41–75. https://doi.org/10.1007/BF00625968

  14. Pong F, Dubois M (1995) A new approach for the verification of cache coherence protocols. IEEE Trans Parallel Distrib Syst 6(8):773–787

  15. Godefroid P (1999) Exploiting symmetry when model-checking software. In: Wu J, Chanson ST, Gao Q (eds) Formal methods for protocol engineering and distributed systems. Springer, Boston, pp 257–275. https://doi.org/10.1007/978-0-387-35578-8_15

  16. Sistla AP, Gyuris V, Emerson EA (2000) A symmetry-based model checker for verification of safety and liveness properties. ACM Trans Softw Eng Methodol (TOSEM) 9(2):133–166

  17. Barner S, Grumberg O (2002) Combining symmetry reduction and under-approximation for symbolic model checking. In: International conference on computer aided verification. Springer, pp 93–106

  18. Burch JR, Clarke EM, McMillan KL, Dill DL, Hwang LJ (1990) Symbolic model checking: \(10^{20}\) states and beyond. In: Proceedings of fifth annual IEEE symposium on logic in computer science, pp 428–439

  19. Burch JR, Clarke EM, McMillan KL, Dill DL, Hwang L-J (1992) Symbolic model checking: \(10^{20}\) states and beyond. Inf Comput 98(2):142–170

  20. McMillan KL (1993) Symbolic model checking. Kluwer Academic Publishers, Norwell

  21. Pnueli A, Ruah S, Zuck L (2001) Automatic deductive verification with invisible invariants. In: International conference on tools and algorithms for the construction and analysis of systems. Springer, pp 82–97

  22. Arons T, Pnueli A, Ruah S, Xu Y, Zuck L (2001) Parameterized verification with automatically computed inductive assertions. In: Berry G, Comon H, Finkel A (eds) Computer aided verification. Springer, Berlin, pp 221–234

  23. Zuck L, Pnueli A (2004) Model checking and abstraction to the aid of parameterized systems (a survey). Comput Lang Syst Struct 30(3–4):139–169

  24. Balaban I, Fang Y, Pnueli A, Zuck LD (2005) IIV: an invisible invariant verifier. In: International conference on computer aided verification. Springer, pp 408–412

  25. Dooley M, Somenzi F (2016) Proving parameterized systems safe by generalizing clausal proofs of small instances. In: International conference on computer aided verification. Springer, pp 292–309

  26. Zuck LD, McMillan KL (2019) Invisible invariants are neither. Springer, Berlin, pp 57–72. https://doi.org/10.1007/978-3-030-31514-6_5

  27. Namjoshi KS (2007) Symmetry and completeness in the analysis of parameterized systems. In: International workshop on verification, model checking, and abstract interpretation. Springer, pp 299–313

  28. Marques-Silva JP, Sakallah A (1999) Grasp: a search algorithm for propositional satisfiability. IEEE Trans Comput 48(5):506–521

  29. Moskewicz MW, Madigan CF, Zhao Y, Zhang L, Malik S (2001) Chaff: engineering an efficient SAT solver. In: DAC, pp 530–535

  30. Eén N, Sörensson N (2003) An extensible SAT-solver. In: International conference on theory and applications of satisfiability testing. Springer, pp 502–518

  31. Balyo T, Froleyks N, Heule MJ, Iser M, Järvisalo M, Suda M (2020) Proceedings of SAT competition 2020: solver and benchmark descriptions

  32. Goel A, Sakallah KA (2020) AVR: abstractly verifying reachability. In: 26th International conference on tools and algorithms for the construction and analysis of systems (TACAS 2020), vol LNCS 12078. Dublin, Ireland, pp 413–422. https://doi.org/10.1007/978-3-030-45190-5_23

  33. Goel A, Sakallah K (2019) Model checking of verilog RTL using IC3 with syntax-guided abstraction. In: Badger JM, Rozier KY (eds) NASA formal methods. Springer, Cham, pp 166–185. https://doi.org/10.1007/978-3-030-20652-9_11

  34. Goel A, Sakallah K (2019) Empirical evaluation of IC3-based model checking techniques on verilog RTL designs. In: Design, automation test in Europe conference exhibition (DATE), pp 618–621. https://doi.org/10.23919/DATE.2019.8715289

  35. Ma H, Goel A, Jeannin J-B, Kapritsos M, Kasikci B, Sakallah KA (2019) I4: incremental inference of inductive invariants for verification of distributed protocols. In: Proceedings of the 27th symposium on operating systems principles. ACM

  36. Toy consensus protocol. https://github.com/microsoft/ivy/blob/master/examples/ivy/toy_consensus.ivy

  37. Fraleigh JB (2000) A first course in abstract algebra, 6th edn. Addison Wesley Longman, Reading

  38. Kurshan RP, McMillan K (1989) A structural induction theorem for processes. In: Proceedings of the eighth annual ACM symposium on principles of distributed computing, pp 239–247

  39. German SM, Sistla AP (1992) Reasoning about systems with many processes. J ACM (JACM) 39(3):675–735

  40. Goel A, Sakallah KA (2021) On symmetry and quantification: a new approach to verify distributed protocols. CoRR abs/2103.14831. arXiv:2103.14831

  41. Cimatti A, Roveri M, Griggio A, Irfan A (2011) Verification modulo theories. http://www.vmt-lib.org

  42. pySMT: a library for SMT formulae manipulation and solving. https://github.com/aman-goel/pysmt

  43. Gario M, Micheli A (2015) PySMT: a solver-agnostic library for fast prototyping of SMT-based algorithms. In: SMT workshop, vol 2015

  44. Dutertre B (2014) Yices 2.2. In: Biere A, Bloem R (eds) Computer aided verification. Springer, Cham, pp 737–744

  45. Barrett C, Fontaine P, Tinelli C (2016) The satisfiability modulo theories library (SMT-LIB). http://www.smt-lib.org/

  46. Goel A, Sakallah KA (2021) Towards an automatic proof of Lamport’s Paxos. In: Piskac R, Whalen MW (eds) Formal methods in computer-aided design (FMCAD), New Haven, Connecticut, pp 112–122. https://doi.org/10.34727/2021/isbn.978-3-85448-046-4_20

  47. Koenig JR, Padon O, Immerman N, Aiken A (2020) First-order quantified separators. In: Proceedings of the 41st ACM SIGPLAN conference on programming language design and implementation, pp 703–717

  48. A collection of distributed protocol verification problems. https://github.com/aman-goel/ivybench

  49. Feldman YM, Wilcox JR, Shoham S, Sagiv M (2019) Inferring inductive invariants from phase structures. In: International conference on computer aided verification. Springer, pp 405–425

  50. Berkovits I, Lazić M, Losa G, Padon O, Shoham S (2019) Verification of threshold-based distributed algorithms by decomposition to decidable logics. In: International conference on computer aided verification. Springer, pp 245–266

  51. Feldman YM, Immerman N, Sagiv M, Shoham S (2019) Complexity and information in invariant inference. Proc ACM Program Lang 4(POPL):1–29

  52. Feldman YMY, Sagiv M, Shoham S, Wilcox JR (2020) Learning the boundary of inductive invariants. CoRR abs/2008.09909. arXiv:2008.09909

  53. Hance T, Heule M, Martins R, Parno B (2021) Finding invariants of distributed systems: it’s a small (enough) world after all. In: 18th USENIX symposium on networked systems design and implementation (NSDI 21), pp 115–131

  54. mypyvy on GitHub. https://github.com/wilcoxjay/mypyvy

  55. Yao J, Tao R, Gu R, Nieh J, Jana S, Ryan G (2021) DistAI: data-driven automated invariant learning for distributed protocols. In: 15th USENIX symposium on operating systems design and implementation (OSDI 21), pp 405–421

  56. Ma H, Goel A, Jeannin J-B, Kapritsos M, Kasikci B, Sakallah KA (2019) Towards automatic inference of inductive invariants. In: Proceedings of the workshop on hot topics in operating systems. ACM, pp 30–36

  57. Goel A, Sakallah K. Averroes 2. http://www.github.com/aman-goel/avr

  58. Karbyshev A, Bjørner N, Itzhaky S, Rinetzky N, Shoham S (2017) Property-directed inference of universal invariants or proving their absence. J ACM 64(1):1–33. https://doi.org/10.1145/3022187

  59. De Moura L, Bjørner N (2008) Z3: an efficient SMT solver. In: Proceedings of the theory and practice of software; 14th International conference on tools and algorithms for the construction and analysis of systems. TACAS’08/ETAPS’08. Springer, Berlin, pp 337–340

  60. Barrett C, Conway CL, Deters M, Hadarean L, Jovanović D, King T, Reynolds A, Tinelli C (2011) CVC4. In: International conference on computer aided verification. Springer, pp 171–177

  61. Padon O, Losa G, Sagiv M, Shoham S (2017) Paxos made EPR: decidable reasoning about distributed protocols. Proc ACM Program Lang 1(OOPSLA):1–31

  62. Lamport L (1998) The part-time parliament. ACM Trans Comput Syst (TOCS) 16(2):133–169

  63. Lamport L (2001) Paxos made simple. ACM SIGACT news (Distributed computing column) 32, 4 (Whole number 121, December 2001), pp 51–58

  64. Lamport L (2019) A TLA+ specification of the Paxos Consensus algorithm from Leslie Lamport’s lectures titled: the Paxos algorithm-or how to win a turing award. https://github.com/tlaplus/Examples/blob/master/specifications/PaxosHowToWinATuringAward/Paxos.tla

  65. The Ivy language and verifier. http://microsoft.github.io/ivy

  66. Stoica I, Morris R, Liben-Nowell D, Karger DR, Kaashoek MF, Dabek F, Balakrishnan H (2003) Chord: a scalable peer-to-peer lookup protocol for internet applications. IEEE/ACM Trans Netw (TON) 11(1):17–32

  67. Chakravarty MM, Chapman J, MacKenzie K, Melkonian O, Jones MP, Wadler P (2020) The extended UTXO model. In: International conference on financial cryptography and data security. Springer, pp 525–539

  68. Chakravarty MM, Chapman J, MacKenzie K, Melkonian O, Müller J, Jones MP, Vinogradova P, Wadler P (2020) Native custom tokens in the extended UTXO model. In: International symposium on leveraging applications of formal methods. Springer, pp 89–111

  69. Cardano blockchain platform. https://cardano.org

  70. Newcombe C, Rath T, Zhang F, Munteanu B, Brooker M, Deardeuff M (2015) How Amazon web services uses formal methods. Commun ACM 58(4):66–73

  71. Beers R (2008) Pre-RTL formal verification: an intel experience. In: Proceedings of the 45th annual design automation conference, pp 806–811

  72. Owre S, Rushby JM, Shankar N (1992) PVS: a prototype verification system. In: International conference on automated deduction. Springer, pp 748–752

  73. Chaudhuri K, Doligez D, Lamport L, Merz S (2010) Verifying safety properties with the TLA+ proof system. In: International joint conference on automated reasoning. Springer, pp 142–148

  74. Hoenicke J, Majumdar R (2010) Thread modularity at many levels: a pearl in compositional verification. ACM SIGPLAN Not 52(1):473–485

  75. von Gleissenthall K, Kıcı RG, Bakst A, Stefan D, Jhala R (2019) Pretend synchrony: synchronous verification of asynchronous distributed programs. Proc ACM Program Lang 3(POPL):1–30

  76. Ranise S, Ghilardi S (2010) Backward reachability of array-based systems by SMT solving: termination and invariant synthesis. Log Methods Comput Sci 6

  77. Conchon S, Goel A, Krstić S, Mebsout A, Zaïdi F (2012) Cubicle: a parallel SMT-based model checker for parameterized systems. In: International conference on computer aided verification. Springer, pp 718–724

  78. Li Y, Pang J, Lv Y, Fan D, Cao S, Duan K (2015) Paraverifier: an automatic framework for proving parameterized cache coherence protocols. In: International symposium on automated technology for verification and analysis. Springer, pp 207–213

  79. Abdulla P, Haziza F, Holík L (2016) Parameterized verification through view abstraction. Int J Softw Tools Technol Transf 18(5):495–516

  80. Lamport L (1977) Proving the correctness of multiprocess programs. IEEE Trans Softw Eng 2:125–143

  81. Owicki S, Gries D (1976) Verifying properties of parallel programs: an axiomatic approach. Commun ACM 19(5):279–285

  82. Karbyshev A, Bjørner N, Itzhaky S, Rinetzky N, Shoham S (2017) Property-directed inference of universal invariants or proving their absence. J ACM (JACM) 64(1):1–33. https://doi.org/10.1145/3022187

  83. Gurfinkel A, Shoham S, Vizel Y (2018) Quantifiers on demand. In: International symposium on automated technology for verification and analysis. Springer, pp 248–266

  84. Lamport L (2011) Byzantizing Paxos by refinement. In: International symposium on distributed computing. Springer, pp 211–224

  85. Ongaro D, Ousterhout J (2014) In search of an understandable consensus algorithm. In: USENIX annual technical conference (USENIX ATC 14), pp 305–319

  86. Kuppe MA, Lamport L, Ricketts D (2019) The TLA+ toolbox. Electron Proc Theor Comput Sci 310:50–62. https://doi.org/10.4204/eptcs.310.6

Acknowledgements

We thank the reviewers for their valuable feedback. We also thank the developers of TLA+ [1, 86], Yices [44], Z3 [59], pySMT [43], and Ivy [2] for making their tools openly available.

Corresponding author

Correspondence to Aman Goel.

Cite this article

Goel, A., Sakallah, K.A. Regularity and quantification: a new approach to verify distributed protocols. Innovations Syst Softw Eng 19, 359–377 (2023). https://doi.org/10.1007/s11334-022-00460-8