Skip to main content
SpringerLink
Log in

On Symmetry and Quantification: A New Approach to Verify Distributed Protocols

  • Conference paper
  • First Online:
NASA Formal Methods (NFM 2021)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 12673))

Included in the following conference series:

Abstract

Proving that an unbounded distributed protocol satisfies a given safety property amounts to finding a quantified inductive invariant that implies the property for all possible instance sizes of the protocol. Existing methods for solving this problem can be described as search procedures for an invariant whose quantification prefix fits a particular template. We propose an alternative constructive approach that does not prescribe, a priori, a specific quantifier prefix. Instead, the required prefix is automatically inferred without any search by carefully analyzing the structural symmetries of the protocol. The key insight underlying this approach is that symmetry and quantification are closely related concepts that express protocol invariance under different re-arrangements of its components. We propose symmetric incremental induction, an extension of the finite-domain IC3/PDR algorithm, that automatically derives the required quantified inductive invariant by exploiting the connection between symmetry and quantification. While various attempts have been made to exploit symmetry in verification applications, to our knowledge, this is the first demonstration of a direct link between symmetry and quantification in the context of clause learning during incremental induction. We also describe a procedure to automatically find a minimal finite size, the cutoff, that yields a quantified invariant proving safety for any size.

Our approach is implemented in IC3PO, a new verifier for distributed protocols that significantly outperforms the state-of-the-art, scales orders of magnitude faster, and robustly derives compact inductive invariants fully automatically.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The description in [5] is in the Ivy [63] language and encodes set operations in relational form with a member relation representing \(\in \).

  2. 2.

    We assume familiarity with basic notions from group theory including permutation groups, cycle notation, group action on a set, orbits, etc., which can be readily found in standard textbooks on Abstract Algebra [32].

  3. 3.

    Sort dependencies, if any, should be considered when increasing a sort size.

  4. 4.

    Since \(\mathtt{quorum}\) is a dependent sort on \(\mathtt{node}\), it is increased together with the \(\mathtt{node}\) sort.

References

  1. Client server protocol in ivy. http://microsoft.github.io/ivy/examples/client_server_example.html

  2. A collection of distributed protocol verification problems. https://github.com/aman-goel/ivybench

  3. mypyvy (github). https://github.com/wilcoxjay/mypyvy

  4. pySMT: A library for SMT formulae manipulation and solving. https://github.com/aman-goel/pysmt

  5. Toy consensus protocol. https://github.com/microsoft/ivy/blob/master/examples/ivy/toy_consensus.ivy

  6. Abdulla, P., Haziza, F., Holík, L.: Parameterized verification through view abstraction. Int. J. Softw. Tools Technol. Transfer 18(5), 495–516 (2016)

    Article  Google Scholar 

  7. Apt, K.R., Kozen, D.: Limits for automatic verification of finite-state concurrent systems. Inf. Process. Lett. 22(6), 307–309 (1986)

    Article  MathSciNet  Google Scholar 

  8. Arons, T., Pnueli, A., Ruah, S., Xu, Y., Zuck, L.: Parameterized verification with automatically computed inductive assertions? In: Berry, G., Comon, H., Finkel, A. (eds.) CAV 2001. LNCS, vol. 2102, pp. 221–234. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44585-4_19

    Chapter  MATH  Google Scholar 

  9. Balaban, I., Fang, Y., Pnueli, A., Zuck, L.D.: IIV: an invisible invariant verifier. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 408–412. Springer, Heidelberg (2005). https://doi.org/10.1007/11513988_39

    Chapter  Google Scholar 

  10. Balyo, T., Froleyks, N., Heule, M.J., Iser, M., Järvisalo, M., Suda, M.: Proceedings of SAT Competition 2020: Solver and Benchmark Descriptions (2020)

    Google Scholar 

  11. Barner, S., Grumberg, O.: Combining symmetry reduction and under-approximation for symbolic model checking. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 93–106. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45657-0_8

    Chapter  Google Scholar 

  12. Barrett, C., et al.: CVC4. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 171–177. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22110-1_14

    Chapter  Google Scholar 

  13. Barrett, C., Fontaine, P., Tinelli, C.: The Satisfiability Modulo Theories Library (SMT-LIB). www.SMT-LIB.org (2016)

  14. Beers, R.: Pre-RTL formal verification: an intel experience. In: Proceedings of the 45th Annual Design Automation Conference, pp. 806–811 (2008)

    Google Scholar 

  15. Berkovits, I., Lazic, M., Losa, G., Padon, O., Shoham, S.: Verification of threshold-based distributed algorithms by decomposition to decidable logics. CoRR abs/1905.07805 (2019). http://arxiv.org/abs/1905.07805

  16. Bloem, R.: Decidability of parameterized verification. Synth. Lect. Distrib. Comput. Theory 6(1), 1–170 (2015). https://doi.org/10.2200/S00658ED1V01Y201508DCT013

    Article  MathSciNet  MATH  Google Scholar 

  17. Bradley, A.R.: SAT-based model checking without unrolling. In: Jhala, R., Schmidt, D. (eds.) VMCAI 2011. LNCS, vol. 6538, pp. 70–87. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-18275-4_7

    Chapter  Google Scholar 

  18. Burch, J.R., Clarke, E.M., McMillan, K.L., Dill, D.L., Hwang, L.J.: Symbolic model checking: \(10^{20}\) states and beyond. In: Proceedings Fifth Annual IEEE Symposium on Logic in Computer Science, pp. 428–439 (1990)

    Google Scholar 

  19. Burch, J.R., Clarke, E.M., McMillan, K.L., Dill, D.L., Hwang, L.J.: Symbolic model checking: \(10^{20}\) states and beyond. Inf. Comput. 98(2), 142–170 (1992)

    Article  Google Scholar 

  20. Chaudhuri, K., Doligez, D., Lamport, L., Merz, S.: Verifying safety properties with the TLA\(^+\) proof system. In: Giesl, J., Hähnle, R. (eds.) IJCAR 2010. LNCS (LNAI), vol. 6173, pp. 142–148. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14203-1_12

    Chapter  Google Scholar 

  21. Cimatti, A., Roveri, M., Griggio, A., Irfan, A.: Verification Modulo Theories (2011). http://www.vmt-lib.org

  22. Conchon, S., Goel, A., Krstić, S., Mebsout, A., Zaïdi, F.: Cubicle: a parallel SMT-based model checker for parameterized systems. In: Madhusudan, P., Seshia, S.A. (eds.) CAV 2012. LNCS, vol. 7358, pp. 718–724. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31424-7_55

    Chapter  Google Scholar 

  23. de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78800-3_24

    Chapter  Google Scholar 

  24. Dooley, M., Somenzi, F.: Proving parameterized systems safe by generalizing clausal proofs of small instances. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, vol. 9779, pp. 292–309. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-41528-4_16

    Chapter  Google Scholar 

  25. Dutertre, B.: Yices 2.2. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 737–744. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08867-9_49

    Chapter  Google Scholar 

  26. Een, N., Mishchenko, A., Brayton, R.: Efficient implementation of property directed reachability. In: Formal Methods in Computer Aided Design (FMCAD 2011), pp. 125–134, October 2011

    Google Scholar 

  27. Eén, N., Sörensson, N.: An extensible SAT-solver. In: Giunchiglia, E., Tacchella, A. (eds.) SAT 2003. LNCS, vol. 2919, pp. 502–518. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24605-3_37

    Chapter  Google Scholar 

  28. Emerson, E.A., Sistla, A.P.: Symmetry and model checking. Formal Methods Syst. Des. 9(1–2), 105–131 (1996)

    Article  Google Scholar 

  29. Feldman, Y.M.Y., Sagiv, M., Shoham, S., Wilcox, J.R.: Learning the boundary of inductive invariants. CoRR abs/2008.09909 (2020). https://arxiv.org/abs/2008.09909

  30. Feldman, Y.M., Immerman, N., Sagiv, M., Shoham, S.: Complexity and information in invariant inference. In: Proceedings of the ACM on Programming Languages, vol. 4, no. POPL, pp. 1–29 (2019)

    Google Scholar 

  31. Feldman, Y.M.Y., Wilcox, J.R., Shoham, S., Sagiv, M.: Inferring inductive invariants from phase structures. In: Dillig, I., Tasiran, S. (eds.) CAV 2019. LNCS, vol. 11562, pp. 405–425. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25543-5_23

    Chapter  Google Scholar 

  32. Fraleigh, J.B.: A First Course in Abstract Algebra, 6th edn. Addison Wesley Longman, Reading (2000)

    MATH  Google Scholar 

  33. Gario, M., Micheli, A.: PySMT: a solver-agnostic library for fast prototyping of SMT-based algorithms. In: SMT Workshop, vol. 2015 (2015)

    Google Scholar 

  34. German, S.M., Sistla, A.P.: Reasoning about systems with many processes. J. ACM (JACM) 39(3), 675–735 (1992)

    Article  MathSciNet  Google Scholar 

  35. Gleissenthall, K.v., Kıcı, R.G., Bakst, A., Stefan, D., Jhala, R.: Pretend synchrony: synchronous verification of asynchronous distributed programs. In: Proceedings of the ACM on Programming Languages, vol. 3, no. POPL, pp. 1–30 (2019)

    Google Scholar 

  36. Godefroid, P.: Exploiting symmetry when model-checking software. In: Wu, J., Chanson, S.T., Gao, Q. (eds.) Formal Methods for Protocol Engineering and Distributed Systems. IAICT, vol. 28, pp. 257–275. Springer, Boston, MA (1999). https://doi.org/10.1007/978-0-387-35578-8_15

    Chapter  Google Scholar 

  37. Goel, A., Sakallah, K.A.: On Symmetry and Quantification: A New Approach to Verify Distributed Protocols. CoRR. abs/2103.14831 (2021). https://arxiv.org/abs/2103.14831

  38. Goel, A., Sakallah, K.: Model checking of Verilog RTL using IC3 with syntax-guided abstraction. In: Badger, J.M., Rozier, K.Y. (eds.) NFM 2019. LNCS, vol. 11460, pp. 166–185. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-20652-9_11

    Chapter  Google Scholar 

  39. Goel, A., Sakallah, K.: AVR: abstractly verifying reachability. TACAS 2020. LNCS, vol. 12078, pp. 413–422. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45190-5_23

    Chapter  Google Scholar 

  40. Goel, A., Sakallah, K.A.: Empirical evaluation of IC3-based model checking techniques on Verilog RTL designs. In: Proceedings of the Design, Automation and Test in Europe Conference (DATE), Florence, Italy, March 2019, pp. 618–621 (2019)

    Google Scholar 

  41. Gurfinkel, A., Shoham, S., Vizel, Y.: Quantifiers on demand. In: Lahiri, S.K., Wang, C. (eds.) ATVA 2018. LNCS, vol. 11138, pp. 248–266. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01090-4_15

    Chapter  Google Scholar 

  42. Hawblitzel, C., et al.: IronFleet: proving practical distributed systems correct. In: Proceedings of the 25th Symposium on Operating Systems Principles, pp. 1–17. ACM (2015)

    Google Scholar 

  43. Hoenicke, J., Majumdar, R., Podelski, A.: Thread modularity at many levels: a pearl in compositional verification. ACM SIGPLAN Not. 52(1), 473–485 (2017)

    Article  Google Scholar 

  44. Karbyshev, A., Bjørner, N., Itzhaky, S., Rinetzky, N., Shoham, S.: Property-directed inference of universal invariants or proving their absence. J. ACM 64(1) (2017). https://doi.org/10.1145/3022187

  45. Karbyshev, A., Bjørner, N., Itzhaky, S., Rinetzky, N., Shoham, S.: Property-directed inference of universal invariants or proving their absence. J. ACM (JACM) 64(1), 1–33 (2017)

    Article  MathSciNet  Google Scholar 

  46. Koenig, J.R., Padon, O., Immerman, N., Aiken, A.: First-order quantified separators. In: Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2020, pp. 703–717. Association for Computing Machinery, New York (2020). https://doi.org/10.1145/3385412.3386018

  47. Kurshan, R.P., McMillan, K.: A structural induction theorem for processes. In: Proceedings of the Eighth Annual ACM Symposium on Principles of Distributed Computing, pp. 239–247 (1989)

    Google Scholar 

  48. Lamport, L.: Proving the correctness of multiprocess programs. IEEE Trans. Softw. Eng. 2, 125–143 (1977)

    Article  MathSciNet  Google Scholar 

  49. Lamport, L.: Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers. Addison-Wesley Longman Publishing Co., Inc., Boston (2002)

    Google Scholar 

  50. Lamport, L.: The part-time parliament. In: Concurrency: The Works of Leslie Lamport, pp. 277–317 (2019)

    Google Scholar 

  51. Lamport, L., et al.: Paxos made simple. ACM Sigact News 32(4), 18–25 (2001)

    Google Scholar 

  52. Li, Y., Pang, J., Lv, Y., Fan, D., Cao, S., Duan, K.: ParaVerifier: an automatic framework for proving parameterized cache coherence protocols. In: Finkbeiner, B., Pu, G., Zhang, L. (eds.) ATVA 2015. LNCS, vol. 9364, pp. 207–213. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24953-7_15

    Chapter  Google Scholar 

  53. Ma, H., Goel, A., Jeannin, J.B., Kapritsos, M., Kasikci, B., Sakallah, K.A.: I4: incremental inference of inductive invariants for verification of distributed protocols. In: Proceedings of the 27th Symposium on Operating Systems Principles. ACM (2019)

    Google Scholar 

  54. Ma, H., Goel, A., Jeannin, J.B., Kapritsos, M., Kasikci, B., Sakallah, K.A.: Towards automatic inference of inductive invariants. In: Proceedings of the Workshop on Hot Topics in Operating Systems, pp. 30–36. ACM (2019)

    Google Scholar 

  55. Marques-Silva, J.P., Sakallah, K.A.: GRASP: a search algorithm for propositional satisfiability. IEEE Trans. Comput. 48(5), 506–521 (1999)

    Article  MathSciNet  Google Scholar 

  56. McMillan, K.L.: Symbolic Model Checking. Kluwer Academic Publishers, Norwell (1993)

    Book  Google Scholar 

  57. Moskewicz, M.W., Madigan, C.F., Zhao, Y., Zhang, L., Malik, S.: Chaff: engineering an efficient SAT solver. In: DAC, pp. 530–535 (2001)

    Google Scholar 

  58. Namjoshi, K.S.: Symmetry and completeness in the analysis of parameterized systems. In: Cook, B., Podelski, A. (eds.) VMCAI 2007. LNCS, vol. 4349, pp. 299–313. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-69738-1_22

    Chapter  MATH  Google Scholar 

  59. Newcombe, C., Rath, T., Zhang, F., Munteanu, B., Brooker, M., Deardeuff, M.: How amazon web services uses formal methods. Commun. ACM 58(4), 66–73 (2015)

    Article  Google Scholar 

  60. Ip, C.N., Dill, D.L.: Better verification through symmetry. Formal Methods Syst. Des. 9(1), 41–75 (1996). https://doi.org/10.1007/BF00625968

  61. Owicki, S., Gries, D.: Verifying properties of parallel programs: an axiomatic approach. Commun. ACM 19(5), 279–285 (1976)

    Article  MathSciNet  Google Scholar 

  62. Owre, S., Rushby, J.M., Shankar, N.: PVS: a prototype verification system. In: Kapur, D. (ed.) CADE 1992. LNCS, vol. 607, pp. 748–752. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-55602-8_217

    Chapter  Google Scholar 

  63. Padon, O., McMillan, K.L., Panda, A., Sagiv, M., Shoham, S.: Ivy: safety verification by interactive generalization. In: Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2016, pp. 614–630. ACM, New York (2016). https://doi.org/10.1145/2908080.2908118

  64. Pnueli, A., Ruah, S., Zuck, L.: Automatic deductive verification with invisible invariants. In: Margaria, T., Yi, W. (eds.) TACAS 2001. LNCS, vol. 2031, pp. 82–97. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45319-9_7

    Chapter  Google Scholar 

  65. Pong, F., Dubois, M.: A new approach for the verification of cache coherence protocols. IEEE Trans. Parallel Distrib. Syst. 6(8), 773–787 (1995)

    Article  Google Scholar 

  66. Ranise, S., Ghilardi, S.: Backward reachability of array-based systems by SMT solving: termination and invariant synthesis. Logical Methods Comput. Sci. 6(4) (2010). https://doi.org/10.2168/LMCS-6(4:10)2010

  67. Sistla, A.P., Gyuris, V., Emerson, E.A.: SMC: a symmetry-based model checker for verification of safety and liveness properties. ACM Trans. Softw. Eng. Methodol. (TOSEM) 9(2), 133–166 (2000)

    Article  Google Scholar 

  68. Wilcox, J.R., et al.: Verdi: a framework for implementing and formally verifying distributed systems. In: Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2015, pp. 357–368. ACM, New York (2015). https://doi.org/10.1145/2737924.2737958

  69. Zuck, L., Pnueli, A.: Model checking and abstraction to the aid of parameterized systems (a survey). Comput. Lang. Syst. Struct. 30(3–4), 139–169 (2004)

    MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of Michigan, Ann Arbor, MI, 48105, USA

    Aman Goel & Karem Sakallah

Authors
  1. Aman Goel
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Karem Sakallah
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Aman Goel .

Editor information

Editors and Affiliations

  1. NASA Langley Research Center, Hampton, VA, USA

    Aaron Dutle

  2. National Institute of Aerospace, Hampton, VA, USA

    Mariano M. Moscato

  3. National Institute of Aerospace, Hampton, VA, USA

    Laura Titolo

  4. NASA Langley Research Center, Hampton, VA, USA

    César A. Muñoz

  5. National Institute of Aerospace, Hampton, VA, USA

    Ivan Perez

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Goel, A., Sakallah, K. (2021). On Symmetry and Quantification: A New Approach to Verify Distributed Protocols. In: Dutle, A., Moscato, M.M., Titolo, L., Muñoz, C.A., Perez, I. (eds) NASA Formal Methods. NFM 2021. Lecture Notes in Computer Science(), vol 12673. Springer, Cham. https://doi.org/10.1007/978-3-030-76384-8_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-76384-8_9

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-76383-1

  • Online ISBN: 978-3-030-76384-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation