Abstract
We develop a new technique for verifying temporal properties of infinite-state (distributed) systems. The main idea is to reduce the temporal verification problem to the problem of verifying the safety of infinite-state systems expressed in first-order logic. This allows to leverage existing techniques for safety verification to verify temporal properties of interesting distributed protocols, including some that have not been mechanically verified before. We model infinite-state systems using first-order logic, and use first-order temporal logic (FO-LTL) to specify temporal properties. This general formalism allows to naturally model distributed systems, while supporting both unbounded-parallelism (where the system is allowed to dynamically create processes), and infinite-state per process.
The traditional approach for verifying temporal properties of infinite-state systems employs well-founded relations (e.g. using linear arithmetic ranking functions). In contrast, our approach is based the idea of fair cycle detection. In finite-state systems, temporal verification can always be reduced to fair cycle detection (a system contains a fair cycle if it revisits a state after satisfying all fairness constraints). However, with both infinitely many states and infinitely many fairness constraints, a straightforward reduction to fair cycle detection is unsound. To regain soundness, we augment the infinite-state transition system by a dynamically computed finite set, that exploits the locality of transitions. This set lets us define a form of fair cycle detection that is sound in the presence of both infinitely many states, and infinitely many fairness constraints. Our approach allows a new style of temporal verification that does not explicitly involve ranking functions. This fits well with pure first-order verification which does not explicitly reason about numerical values. In particular, it can be used with effectively propositional first-order logic (EPR), in which case checking verification conditions is decidable. We applied our technique to verify temporal properties of several interesting protocols. To the best of our knowledge, we have obtained the first mechanized liveness proof for both TLB Shootdown, and Stoppable Paxos.
Supplemental Material
Available for Download
The artifact is provided by a VirtualBox virtual machine that contains IVy and Z3 installed, and contains IVy files for the benchmarks described in the paper. This allows to examine the IVy source files and also check them with IVy (which internally uses Z3). The IVy source files contain transition systems after applying the liveness to safety reduction, and a suitable inductive invariant.
- Martín Abadi. 1989. The Power of Temporal Proofs. Theor. Comput. Sci. 65, 1 (1989), 35–83. Google Scholar
Digital Library
- Parosh Aziz Abdulla, Bengt Jonsson, Ahmed Rezine, and Mayank Saksena. 2006. Proving Liveness by Backwards Reachability. In CONCUR (Lecture Notes in Computer Science), Vol. 4137. Springer, 95–109. Google Scholar
Digital Library
- Kyungmin Bae and José Meseguer. 2011. State/Event-Based LTL Model Checking under Parametric Generalized Fairness. In Computer Aided Verification: 23rd International Conference, CAV 2011, Snowbird, UT, USA, July 14-20, 2011. Proceedings, Ganesh Gopalakrishnan and Shaz Qadeer (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 132–148. Google Scholar
Cross Ref
- Kyungmin Bae and José Meseguer. 2014. Infinite-State Model Checking of LTLR Formulas Using Narrowing. In Rewriting Logic and Its Applications - 10th International Workshop, WRLA 2014, Held as a Satellite Event of ETAPS, Grenoble, France, April 5-6, 2014, Revised Selected Papers. 113–129. Google Scholar
Cross Ref
- Kyungmin Bae and José Meseguer. 2015. Model checking linear temporal logic of rewriting formulas under localized fairness. Science of Computer Programming 99, Supplement C (2015), 193 – 234. Google Scholar
Digital Library
- Amir M. Ben-Amram. 2002. General Size-Change Termination and Lexicographic Descent. In The Essence of Computation (Lecture Notes in Computer Science), Vol. 2566. Springer, 3–17. Google Scholar
Cross Ref
- Armin Biere, Cyrille Artho, and Viktor Schuppan. 2002. Liveness Checking as Safety Checking. Electr. Notes Theor. Comput. Sci. 66, 2 (2002), 160–177. Google Scholar
Cross Ref
- D. L. Black, R. F. Rashid, D. B. Golub, and C. R. Hill. 1989. Translation Lookaside Buffer Consistency: A Software Approach. In Proceedings of the Third International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS III). ACM, New York, NY, USA, 113–122. Google Scholar
Digital Library
- Roderick Bloem, Swen Jacobs, Ayrat Khalimov, Igor Konnov, Sasha Rubin, Helmut Veith, and Josef Widder. 2015. Decidability of Parameterized Verification. Morgan & Claypool Publishers. Google Scholar
Cross Ref
- B. Cook, A. Gotsman, A. Podelski, A. Rybalchenko, and M. Y. Vardi. 2007. Proving that programs eventually do something good. In POPL, Martin Hofmann and Matthias Felleisen (Eds.). 265–276. Google Scholar
Digital Library
- B. Cook, A. Podelski, and A. Rybalchenko. 2006. Termination proofs for systems code. In PLDI. 415–426. Google Scholar
Digital Library
- Jonathan Corbet. 2008. Ticket spinlocks. https://lwn.net/Articles/267968/ . (2008).Google Scholar
- P. Cousot and R. Cousot. 2012. An abstract interpretation framework for termination. In POPL. 245–258. Google Scholar
Digital Library
- Jakub Daniel, Alessandro Cimatti, Alberto Griggio, Stefano Tonetta, and Sergio Mover. 2016. Infinite-State Liveness-to-Safety via Implicit Abstraction and Well-Founded Relations. In Computer Aided Verification - 28th International Conference, CAV 2016, Toronto, ON, Canada, July 17-23, 2016, Proceedings, Part I (Lecture Notes in Computer Science), Swarat Chaudhuri and Azadeh Farzan (Eds.), Vol. 9779. Springer, 271–291. Google Scholar
Cross Ref
- Leonardo de Moura and Nikolaj Bjørner. 2008. Z3: An Efficient SMT Solver. In Tools and Algorithms for the Construction and Analysis of Systems, 14th International Conference, TACAS 2008, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2008, Budapest, Hungary, March 29-April 6, 2008. Proceedings (Lecture Notes in Computer Science), Vol. 4963. Springer, 337–340.Google Scholar
Digital Library
- Daniel Dietsch, Matthias Heizmann, Vincent Langenfeld, and Andreas Podelski. 2015. Fairness Modulo Theory: A New Approach to LTL Software Model Checking. In CAV (Lecture Notes in Computer Science), Vol. 9206. Springer, 49–66. Google Scholar
Cross Ref
- Clare Dixon, Michael Fisher, Boris Konev, and Alexei Lisitsa. 2008. Practical First-Order Temporal Reasoning. In TIME. IEEE Computer Society, 156–163. Google Scholar
Digital Library
- Cezara Dragoi, Thomas A. Henzinger, and Damien Zufferey. 2016. PSync: A Partially Synchronous Language for FaultTolerant Distributed Algorithms. ACM SIGPLAN Notices 51, 1 (2016), 400–415. Google Scholar
Digital Library
- Yi Fang, Kenneth L. McMillan, Amir Pnueli, and Lenore D. Zuck. 2006. Liveness by Invisible Invariants. In Formal Techniques for Networked and Distributed Systems - FORTE 2006, 26th IFIP WG 6.1 International Conference, Paris, France, September 26-29, 2006. (Lecture Notes in Computer Science), Elie Najm, Jean-François Pradat-Peyre, and Véronique Donzeau-Gouge (Eds.), Vol. 4229. Springer, 356–371. Google Scholar
Digital Library
- Azadeh Farzan, Zachary Kincaid, and Andreas Podelski. 2016. Proving Liveness of Parameterized Programs. In LICS. ACM, 185–196. Google Scholar
Digital Library
- Michael J. Fischer, Nancy A. Lynch, and Michael S. Paterson. 1985. Impossibility of Distributed Consensus with One Faulty Process. J. ACM 32, 2 (April 1985), 374–382. Google Scholar
Digital Library
- Alexey Gotsman, Byron Cook, Matthew J. Parkinson, and Viktor Vafeiadis. 2009. Proving that non-blocking algorithms don’t block. In POPL. 16–28. Google Scholar
Digital Library
- Chris Hawblitzel, Jon Howell, Manos Kapritsos, Jacob R. Lorch, Bryan Parno, Michael L. Roberts, Srinath T. V. Setty, and Brian Zill. 2015. IronFleet: proving practical distributed systems correct. In Proceedings of the 25th Symposium on Operating Systems Principles, SOSP. 1–17. Google Scholar
Digital Library
- Matthias Heizmann, Jochen Hoenicke, and Andreas Podelski. 2014. Termination Analysis by Learning Terminating Programs. CoRR abs/1405.4189 (2014).Google Scholar
- Jochen Hoenicke, Rupak Majumdar, and Andreas Podelski. 2017. Thread modularity at many levels: a pearl in compositional verification. In POPL. ACM, 473–485. Google Scholar
Digital Library
- Aleksandr Karbyshev, Nikolaj Bjørner, Shachar Itzhaky, Noam Rinetzky, and Sharon Shoham. 2015. Property-Directed Inference of Universal Invariants or Proving Their Absence. In Computer Aided Verification - 27th International Conference, CAV 2015, San Francisco, CA, USA, July 18-24, 2015, Proceedings, Part I. 583–602. Google Scholar
Cross Ref
- Igor Konnov, Marijana Lazic, Helmut Veith, and Josef Widder. 2017. A Short Counterexample Property for Safety and Liveness Verification of Fault-Tolerant Distributed Algorithms. In Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages (POPL 2017). ACM, 719–734. Google Scholar
Digital Library
- Igor Konnov, Helmut Veith, and Josef Widder. 2015a. SMT and POR Beat Counter Abstraction: Parameterized Model Checking of Threshold-Based Distributed Algorithms. In Computer Aided Verification. Springer, Cham, 85–102. Google Scholar
Cross Ref
- Igor V. Konnov, Helmut Veith, and Josef Widder. 2015b. What You Always Wanted to Know About Model Checking of Fault-Tolerant Distributed Algorithms. In Perspectives of System Informatics - 10th International Andrei Ershov Informatics Conference, PSI 2015, in Memory of Helmut Veith, Kazan and Innopolis, Russia, August 24-27, 2015, Revised Selected Papers (Lecture Notes in Computer Science), Manuel Mazzara and Andrei Voronkov (Eds.), Vol. 9609. Springer, 6–21. Google Scholar
Cross Ref
- Konstantin Korovin. 2008. iProver - An Instantiation-Based Theorem Prover for First-Order Logic (System Description). In Automated Reasoning, 4th International Joint Conference, IJCAR 2008, Sydney, Australia, August 12-15, 2008, Proceedings. 292–298.Google Scholar
- Daniel Kroening, Natasha Sharygina, Aliaksei Tsitovich, and Christoph M. Wintersteiger. 2010. Termination Analysis with Compositional Transition Invariants. In CAV (Lecture Notes in Computer Science), Vol. 6174. Springer, 89–103. Google Scholar
Digital Library
- Takuya Kuwahara, Tachio Terauchi, Hiroshi Unno, and Naoki Kobayashi. 2014. Automatic Termination Verification for Higher-Order Functional Programs. In ESOP (Lecture Notes in Computer Science), Vol. 8410. Springer, 392–411. Google Scholar
Digital Library
- Leslie Lamport. 1974. A New Solution of Dijkstra’s Concurrent Programming Problem. Commun. ACM 17, 8 (Aug. 1974), 453–455. Google Scholar
Digital Library
- Leslie Lamport. 1998. The Part-Time Parliament. ACM Trans. Comput. Syst. 16, 2 (1998), 133–169. Google Scholar
Digital Library
- Leslie Lamport. 2001. Paxos Made Simple. (December 2001), 51–58. https://www.microsoft.com/en- us/research/publication/ paxos- made- simple/Google Scholar
- Leslie Lamport. 2006. Fast Paxos. Distributed Computing 19, 2 (2006), 79–103. Google Scholar
Digital Library
- Leslie Lamport, Dahlia Malkhi, and Lidong Zhou. 2008. Stoppable Paxos. Technical Report. TechReport, Microsoft Research. https://www.microsoft.com/en- us/research/publication/stoppable- paxos/Google Scholar
- Leslie Lamport, Dahlia Malkhi, and Lidong Zhou. 2010. Reconfiguring a State Machine. SIGACT News 41, 1 (03 2010), 63–73.Google Scholar
Digital Library
- Chin Soon Lee, Neil D. Jones, and Amir M. Ben-Amram. 2001. The size-change principle for program termination. In POPL. ACM, 81–92. Google Scholar
Digital Library
- Wonchan Lee, Bow-Yaw Wang, and Kwangkeun Yi. 2012. Termination Analysis with Algorithmic Learning. In CAV (Lecture Notes in Computer Science), Vol. 7358. Springer, 88–104. Google Scholar
Digital Library
- Roman Manevich, Boris Dogadov, and Noam Rinetzky. 2016. From Shape Analysis to Termination Analysis in Linear Time. In CAV (1) (Lecture Notes in Computer Science), Vol. 9779. Springer, 426–446. Google Scholar
Cross Ref
- Zohar Manna and Amir Pnueli. 1983. Verification of Concurrent Programs: A Temporal Proof System. In Foundations of Computer Science: Distributed Systems, J. W. de Bakker and J. van Leeuwen (Eds.). Mathematisch Centrum, Amsterdam, 163–255.Google Scholar
- Zohar Manna and Amir Pnueli. 1995. Temporal verification of reactive systems - safety. Springer. Google Scholar
Cross Ref
- Kenneth L. McMillan. 2016. Modular specification and verification of a cache-coherent interface. In 2016 Formal Methods in Computer-Aided Design, FMCAD 2016, Mountain View, CA, USA, October 3-6, 2016, Ruzica Piskac and Muralidhar Talupur (Eds.). IEEE, 109–116. Google Scholar
Cross Ref
- José Meseguer. 1992. Conditional rewriting logic as a unified model of concurrency. Theoretical Computer Science 96, 1 (1992), 73–155. Google Scholar
Digital Library
- José Meseguer. 2008. The Temporal Logic of Rewriting: A Gentle Introduction. In Concurrency, Graphs and Models, Essays Dedicated to Ugo Montanari on the Occasion of His 65th Birthday (Lecture Notes in Computer Science), Pierpaolo Degano, Rocco De Nicola, and José Meseguer (Eds.), Vol. 5065. Springer, 354–382. Google Scholar
Digital Library
- José Meseguer. 2012. Twenty years of rewriting logic. J. Log. Algebr. Program. 81, 7-8 (2012), 721–781. Google Scholar
Cross Ref
- Akihiro Murase, Tachio Terauchi, Naoki Kobayashi, Ryosuke Sato, and Hiroshi Unno. 2016. Temporal verification of higher-order functional programs. In POPL. ACM, 57–68. Google Scholar
Digital Library
- Oded Padon, Giuliano Losa, Mooly Sagiv, and Sharon Shoham. 2017. Paxos Made EPR: Decidable Reasoning About Distributed Protocols. Proc. ACM Program. Lang. 1, OOPSLA, Article 108 (Oct. 2017), 31 pages. Google Scholar
Digital Library
- Oded Padon, Kenneth L. McMillan, Aurojit Panda, Mooly Sagiv, and Sharon Shoham. 2016. Ivy: safety verification by interactive generalization. In Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2016, Santa Barbara, CA, USA, June 13-17, 2016. 614–630. Google Scholar
Digital Library
- Ruzica Piskac, Leonardo Mendonça de Moura, and Nikolaj Bjørner. 2010. Deciding Effectively Propositional Logic Using DPLL and Substitution Sets. J. Autom. Reasoning 44, 4 (2010), 401–424. Google Scholar
Digital Library
- Amir Pnueli, Andreas Podelski, and Andrey Rybalchenko. 2005. Separating Fairness and Well-Foundedness for the Analysis of Fair Discrete Systems. In TACAS (Lecture Notes in Computer Science), Vol. 3440. Springer, 124–139. Google Scholar
Digital Library
- Amir Pnueli, Sitvanit Ruah, and Lenore D. Zuck. 2001. Automatic Deductive Verification with Invisible Invariants. In Tools and Algorithms for the Construction and Analysis of Systems, 7th International Conference, TACAS 2001 Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2001 Genova, Italy, April 2-6, 2001, Proceedings (Lecture Notes in Computer Science), Tiziana Margaria and Wang Yi (Eds.), Vol. 2031. Springer, 82–97. Google Scholar
- Amir Pnueli and Elad Shahar. 2000. Liveness and Acceleration in Parameterized Verification. In CAV (Lecture Notes in Computer Science), Vol. 1855. Springer, 328–343. Google Scholar
Cross Ref
- Andreas Podelski and Andrey Rybalchenko. 2004a. A Complete Method for the Synthesis of Linear Ranking Functions. In VMCAI (Lecture Notes in Computer Science), Vol. 2937. Springer, 239–251. Google Scholar
Cross Ref
- Andreas Podelski and Andrey Rybalchenko. 2004b. Transition Invariants. In LICS. IEEE Computer Society, 32–41. Google Scholar
Cross Ref
- Andreas Podelski and Andrey Rybalchenko. 2011. Transition Invariants and Transition Predicate Abstraction for Program Termination. In TACAS (Lecture Notes in Computer Science), Vol. 6605. Springer, 3–10. Google Scholar
Cross Ref
- F. Ramsey. 1930. On a problem in formal logic. In Proc. London Math. Soc. Google Scholar
Cross Ref
- Alexandre Riazanov and Andrei Voronkov. 2002. The Design and Implementation of VAMPIRE. AI Commun. 15, 2,3 (Aug. 2002), 91–110. http://dl.acm.org/citation.cfm?id=1218615.1218620Google Scholar
- Shmuel Sagiv, Thomas W. Reps, and Reinhard Wilhelm. 2002. Parametric shape analysis via 3-valued logic. ACM Trans. Program. Lang. Syst. 24, 3 (2002), 217–298. Google Scholar
Digital Library
- Viktor Schuppan and Armin Biere. 2006. Liveness Checking as Safety Checking for Infinite State Spaces. Electr. Notes Theor. Comput. Sci. 149, 1 (2006), 79–96. Google Scholar
Digital Library
- Caterina Urban and Antoine Miné. 2017. Inference of ranking functions for proving temporal properties by abstract interpretation. Computer Languages, Systems & Structures 47 (2017), 77–103. Google Scholar
Cross Ref
- M.Y. Vardi and P. Wolper. 1986. An Automata-Theoretic Approach to Automatic Program Verification. In Proc. 1st Symp. on Logic in Computer Science. Cambridge, 332–344. http://www.cs.rice.edu/~vardi/papers/lics86.pdf.gzGoogle Scholar
- Christoph Weidenbach, Dilyana Dimova, Arnaud Fietzke, Rohit Kumar, Martin Suda, and Patrick Wischnewski. 2009. SPASS Version 3.5. In Automated Deduction - CADE-22, 22nd International Conference on Automated Deduction, Montreal, Canada, August 2-7, 2009. Proceedings. 140–145.Google Scholar
Digital Library
- James R. Wilcox, Doug Woos, Pavel Panchekha, Zachary Tatlock, Xi Wang, Michael D. Ernst, and Thomas E. Anderson. 2015. Verdi: a framework for implementing and formally verifying distributed systems. In Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation, Portland, OR, USA, June 15-17, 2015. 357–368. Google Scholar
Digital Library
- Pierre Wolper. 2000. Constructing Automata from Temporal Logic Formulas: A Tutorial. In Lectures on Formal Methods and Performance Analysis, First EEF/Euro Summer School on Trends in Computer Science, Berg en Dal, The Netherlands, July 3-7, 2000, Revised Lectures (Lecture Notes in Computer Science), Ed Brinksma, Holger Hermanns, and Joost-Pieter Katoen (Eds.), Vol. 2090. Springer, 261–277. Google Scholar
Cross Ref
Index Terms
Reducing liveness to safety in first-order logic
Recommendations
First-Order Temporal Verification in Practice
First-order temporal logic, the extension of first-order logic with operators dealing with time, is a powerful and expressive formalism with many potential applications. This expressive logic can be viewed as a framework in which to investigate problems ...
Reducing CTL-live Model Checking to First-Order Logic Validity Checking
FMCAD '14: Proceedings of the 14th Conference on Formal Methods in Computer-Aided DesignTemporal logic model checking of infinite state systems without the use of iteration or abstraction is usually considered beyond the realm of first-order logic (FOL) reasoners because of the need for a fixpoint computation. In this paper, we show that ...






Comments