Using simulated execution in verifying distributed algorithms

  • Toh Ne WinEmail author
  • Michael D. Ernst
  • Stephen J. Garland
  • Dilsun Kırlı
  • Nancy A. Lynch
Special section on verification, model checking, and abstract interpretation


This paper presents a methodology for using simulated execution to assist a theorem prover in verifying safety properties of distributed systems. Execution-based techniques such as testing can increase confidence in an implementation, provide intuition about behavior, and detect simple errors quickly. They cannot by themselves demonstrate correctness. However, they can aid theorem provers by suggesting necessary lemmas and providing tactics to structure proofs. This paper describes the use of these techniques in a machine-checked proof of correctness of the Paxos algorithm for distributed consensus .


Theorem proving Invariant detection Static analysis Dynamic analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alur R, Henzinger TA, Mang FYC, Qadeer S, Rajamani SK, Tasiran S (1998) Mocha: Exploiting modularity in model checking. In: Proceedings of the 10th international conference on computer-aided verification, Vancouver, BC, Canada, 28 June–2 July 1998. Lecture notes in computer science, vol 1427. Springer, Berlin Heidelberg New York, pp 521–525Google Scholar
  2. 2.
    Bogdanov A (2000) Formal verification of simulations between I/O automata. Master of engineering thesis, Massachusetts Institute of Technology, Cambridge, MAGoogle Scholar
  3. 3.
    De Prisco R, Lampson B, Lynch N (2000) Fundamental study: revisiting the Paxos algorithm. Theor Comput Sci 243:35–91CrossRefGoogle Scholar
  4. 4.
    Ernst MD, Cockrell J, Griswold WG, Notkin D (1999) Dynamically discovering likely program invariants to support program evolution. IEEE Trans Softw Eng 27(2):1–25. A previous version appeared in: Proceedings of the 21st international conference on software engineering (ICSE ’99), Los Angeles, 19–21 May 1999, pp 213–224Google Scholar
  5. 5.
    Ernst MD, Czeisler A, Griswold WG, Notkin D (2000) Quickly detecting relevant program invariants. In: Proceedings of the 22nd international conference on software engineering (ICSE 2000), Limerick, Ireland, 7–9 June 2000, pp 449–458Google Scholar
  6. 6.
    Garland S, Guttag J (1991) A guide to LP, the Larch Prover. Technical report, DEC Systems Research Center, Palo Alto, CA, December 31. Updated version available at: Scholar
  7. 7.
    Garland SJ, Lynch NA (1998) The IOA language and toolset: support for designing, analyzing, and building distributed systems. Technical Report MIT/LCS/TR-762, Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, MA, August 1998. Scholar
  8. 8.
    Gordon MJC (1989) HOL: a proof generating system for higher order logic. In: Birtwistle G, Subrahmanyam PA (eds) Current trends in hardware verification and automated theorem proving. Springer, Berlin Heidelberg New York, pp 73–128Google Scholar
  9. 9.
    Gurevich Y, Schulte W, Veanes M (2001) Toward industrial strength abstract state machines. Technical Report MSR-TR-2001-98, Microsoft Research, 2001. Software available at: Scholar
  10. 10.
    Guttag JV, Horning JJ, Garland SJ, Jones KD, Modet A, Wing JM (1993) Larch: languages and tools for formal specification. In: Texts and monographs in computer science. Springer, Berlin Heidelberg New YorkGoogle Scholar
  11. 11.
    Kırlı D, Chefter A, Dean L, Garland SJ, Lynch NA, Ne Win T, Ramirez-Robredo A (2002a) The IOA simulator. Technical Report MIT-LCS-TR-843, MIT Laboratory for Computer Science, Cambridge, MA, July 2002Google Scholar
  12. 12.
    Kırlı D, Chefter A, Dean L, Garland SJ, Lynch NA, Ne Win T, Ramirez-Robredo A (2002b) Simulating nondeterministic systems at multiple levels of abstraction. In: Proceedings of Tools Day 2002, Brno, Czech Republic, August 2002, pp 44–59. Also available as Masaryk University Technical Report FI MU-RS-2002-05Google Scholar
  13. 13.
    Lamport L (1998) The part-time parliament. ACM Trans Comput Sys 16(2):133–169CrossRefGoogle Scholar
  14. 14.
    Lamport L, Yu Y (2001) TLC – The TLA+ model checker. Compaq Systems Research Center, Palo Alto, CA, 2001. Scholar
  15. 15.
    Lynch N (1996) Distributed algorithms. Morgan Kaufmann, San Mateo, CAGoogle Scholar
  16. 16.
    Lynch NA, Tuttle MR (1989) An introduction to Input/Output automata. CWI-Q 2(3):219–246Google Scholar
  17. 17.
    Lynch N, Vaandrager F (1995) Forward and backward simulations: Part I. Untimed systems. Inf Comput 121(2):214–233MathSciNetCrossRefGoogle Scholar
  18. 18.
    McMillan KL (1998) The SMV language. Cadence Berkeley Labs, 2001 Addison Street, Berkeley, CA. Scholar
  19. 19.
    Nimmer JW, Ernst MD (2002a) Automatic generation of program specifications. In: Proceedings of the 2002 international symposium on software testing and analysis (ISSTA), Rome, Italy, 22–24 July 2002, pp 232–242Google Scholar
  20. 20.
    Nimmer JW, Ernst MD (2002b) Invariant inference for static checking: An empirical evaluation. In: Proceedings of the ACM SIGSOFT 10th international symposium on the foundations of software engineering (FSE 2002), Charleston, SC, 20–22 November 2002, pp 11–20Google Scholar
  21. 21.
    Paulson LC (1993) The Isabelle reference manual. Technical Report 283, Cambridge University, Computer Laboratory, Cambridge, UKGoogle Scholar
  22. 22.
    Pnueli A, Ruah S, Zuck L (2001) Automatic deductive verification with invisible invariants. In: Proceedings of the conference on tools and algorithms for the analysis and construction of systems (TACAS), Genoa, Italy, 2–6 April 2001. Lecture notes in computer science, vol 2031. Springer, Berlin Heidelberg New York, pp 82–97Google Scholar
  23. 23.
    Rintanen J (2000) An iterative algorithm for synthesizing invariants. In: Proceedings of the 17th national conference on artificial intelligence and the 12th conference on innovative applications of artificial intelligence, Austin, TX, 30 July–3 August 2000, pp 806–811Google Scholar

Copyright information

© Springer-Verlag 2004

Authors and Affiliations

  • Toh Ne Win
    • 1
    Email author
  • Michael D. Ernst
    • 1
  • Stephen J. Garland
    • 1
  • Dilsun Kırlı
    • 1
  • Nancy A. Lynch
    • 1
  1. 1.MIT CSAIL, the Stata CenterCambridgeUSA

Personalised recommendations