Skip to main content
Log in

Verifying safety of synchronous fault-tolerant algorithms by bounded model checking

International Journal on Software Tools for Technology Transfer Aims and scope Submit manuscript


Threshold automata are a formalism introduced for modeling, verification, and synthesis of fault-tolerant distributed algorithms for asynchronous systems, that is, in interleaving semantics. Owing to well-known limitations of what can be achieved in purely asynchronous systems, many fault-tolerant distributed algorithms are designed for synchronous or round-based semantics. In this paper, we introduce the synchronous variant of threshold automata and study their applicability and limitations for the verification of synchronous fault-tolerant distributed algorithms. We show that the parameterized reachability problem for synchronous threshold automata is undecidable. Still, we show that many synchronous fault-tolerant distributed algorithms have a bounded diameter, even though the algorithms are parameterized by the number of processes. Hence, bounded model checking can be used for verifying these algorithms. The existence of bounded diameters is the main conceptual insight in this paper. We compute the diameter of several algorithms and check their safety properties, using SMT queries that contain quantifiers for dealing with the parameters symbolically. Surprisingly, performance of the SMT solvers on these queries is very good, reflecting the recent progress in dealing with quantified queries. We found that the diameter bounds of synchronous algorithms in the literature are tiny (from 1 to 8), which makes our approach applicable in practice. For a specific class of algorithms, we also establish a theoretical result on the existence of a diameter, providing a first explanation for our experimental results.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4


  1. Stoilkovska, I., Konnov, I., Widder, J., Zuleger, F.: Verifying safety of synchronous fault-tolerant algorithms by bounded model checking. In: T. Vojnar, L. Zhang (eds.) Tools and Algorithms for the Construction and Analysis of Systems - 25th International Conference, TACAS 2019, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2019, Prague, Czech Republic, April 6-11, 2019, Proceedings, Part II, Lecture Notes in Computer Science, vol. 11428, pp. 357–374. Springer (2019)

  2. Hawblitzel, C., Howell, J., Kapritsos, M., Lorch, J.R., Parno, B., Roberts, M.L., Setty, S.T.V., Zill, B.: Ironfleet: proving safety and liveness of practical distributed systems. Commun. ACM 60(7), 83–92 (2017)

    Article  Google Scholar 

  3. Wilcox, J.R., Woos, D., Panchekha, P., Tatlock, Z., Wang, X., Ernst, M.D., Anderson, T.E.: Verdi: a framework for implementing and formally verifying distributed systems. In: PLDI, pp. 357–368 (2015)

  4. Sergey, I., Wilcox, J.R., Tatlock, Z.: Programming and proving with distributed protocols. In: PACMPL 2(POPL), pp. 28:1–28:30 (2018)

  5. Desai, A., Garg, P., Madhusudan, P.: Natural proofs for asynchronous programs using almost-synchronous reductions. In: Proceedings of the 2014 ACM International Conference on Object Oriented Programming Systems Languages & Applications, OOPSLA 2014, part of SPLASH 2014, Portland, OR, USA, October 20-24, 2014, pp. 709–725 (2014)

  6. Berkovits, I., Lazic, M., Losa, G., Padon, O., Shoham, S.: Verification of threshold-based distributed algorithms by decomposition to decidable logics. In: I. Dillig, S. Tasiran (eds.) Computer Aided Verification - 31st International Conference, CAV 2019, New York City, NY, USA, July 15-18, 2019, Proceedings, Part II, Lecture Notes in Computer Science, vol. 11562, pp. 245–266. Springer (2019)

  7. Padon, O., McMillan, K.L., Panda, A., Sagiv, M., Shoham, S.: Ivy: safety verification by interactive generalization. In: PLDI, pp. 614–630 (2016)

  8. Drăgoi, C., Henzinger, T.A., Veith, H., Widder, J., Zufferey, D.: A Logic-Based Framework for Verifying Consensus Algorithms. In: VMCAI, LNCS 8318, 161–181 (2014)

  9. Drăgoi, C., Henzinger, T.A., Zufferey, D.: Psync: a partially synchronous language for fault-tolerant distributed algorithms. In: POPL, pp. 400–415 (2016)

  10. Bouajjani, A., Enea, C., Ji, K., Qadeer, S.: On the completeness of verifying message passing programs under bounded asynchrony. In: CAV, pp. 372–391 (2018)

  11. Kragl, B., Qadeer, S., Henzinger, T.A.: Synchronizing the asynchronous. In: CONCUR, pp. 21:1–21:17 (2018)

  12. Bakst, A., von Gleissenthall, K., Kici, R.G., Jhala, R.: Verifying distributed programs via canonical sequentialization. In: PACMPL 1(OOPSLA), 110:1-110:27 (2017)

  13. Konnov, I., Lazić, M., Veith, H., Widder, J.: A short counterexample property for safety and liveness verification of fault-tolerant distributed algorithms. In: POPL, pp. 719–734 (2017)

  14. Gleissenthall, K.V., Kici, R.G., Bakst, A., Stefan, D., Jhala, R.: Pretend synchrony: synchronous verification of asynchronous distributed programs. Proc. ACM Program. Lang. 3(POPL), 59:1–59:30 (2019).

  15. Kopetz, H., Grünsteidl, G.: TTP - a protocol for fault-tolerant real-time systems. IEEE Computer 27(1), 14–23 (1994)

    Article  Google Scholar 

  16. Elrad, T., Francez, N.: Decomposition of distributed programs into communication-closed layers. Sci. Comput. Progr. 2(3), 155–173 (1982)

    Article  Google Scholar 

  17. Chou, C., Gafni, E.: Understanding and verifying distributed algorithms using stratified decomposition. In: PODC, pp. 44–65 (1988)

  18. Chaouch-Saad, M., Charron-Bost, B., Merz, S.: A reduction theorem for the verification of round-based distributed algorithms. In: RP, LNCS 5797, 93–106 (2009)

  19. Damian, A., Dragoi, C., Militaru, A., Widder, J.: Communication-closed asynchronous protocols. In: Computer Aided Verification - 31st International Conference, CAV 2019, New York City, NY, USA, July 15-18, 2019, Proceedings, Part II, pp. 344–363 (2019).

  20. Konnov, I.V., Veith, H., Widder, J.: On the completeness of bounded model checking for threshold-based distributed algorithms: reachability. Inf. Comput. 252, 95–109 (2017).

    Article  MathSciNet  MATH  Google Scholar 

  21. Lazić, M., Konnov, I., Widder, J., Bloem, R.: Synthesis of Distributed Algorithms with Parameterized Threshold Guards. In: OPODIS, LIPIcs 95, pp. 32:1–32:20 (2017)

  22. Fischer, M.J., Lynch, N.A., Paterson, M.S.: Impossibility of distributed consensus with one faulty process. J. ACM 32(2), 374–382 (1985)

    Article  MathSciNet  Google Scholar 

  23. Srikanth, T., Toueg, S.: Simulating authenticated broadcasts to derive simple fault-tolerant algorithms. Dist. Comp. 2, 80–94 (1987)

    Article  Google Scholar 

  24. Biere, A., Cimatti, A., Clarke, E.M., Zhu, Y.: Symbolic Model Checking without BDDs. In: TACAS, LNCS 1579, 193–207 (1999)

  25. Kroening, D., Strichman, O.: Efficient Computation of Recurrence Diameters. In: VMCAI, LNCS 2575, pp. 298–309 (2003)

  26. Clarke, E.M., Kroening, D., Ouaknine, J., Strichman, O.: Completeness and complexity of bounded model checking. In: VMCAI, LNCS 2937, 85–96 (2004)

  27. de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: TACAS, pp. 337–340 (2008)

  28. Barrett, C., Conway, C.L., Deters, M., Hadarean, L., Jovanovic, D., King, T., Reynolds, A., Tinelli, C.: CVC4. In: CAV, pp. 171–177 (2011)

  29. Biely, M., Schmid, U., Weiss, B.: Synchronous consensus under hybrid process and link failures. Theor. Comput. Sci. 412(40), 5602–5630 (2011)

    Article  MathSciNet  Google Scholar 

  30. Berman, P., Garay, J.A., Perry, K.J.: Towards optimal distributed consensus (Extended Abstract). In: FOCS, pp. 410–415 (1989)

  31. Berman, P., Garay, J.A., Perry, K.J.: Asymptotically Optimal Distributed Consensus. Tech. rep., Bell Labs (1989)

  32. Lynch, N.: Distributed Algorithms. Morgan Kaufman, Massachusetts (1996)

    MATH  Google Scholar 

  33. Chaudhuri, S., Herlihy, M., Lynch, N.A., Tuttle, M.R.: Tight bounds for k-set agreement. J. ACM 47(5), 912–943 (2000)

    Article  MathSciNet  Google Scholar 

  34. Raynal, M.: Fault-Tolerant Agreement in Synchronous Message-Passing Systems. Synthesis Lectures on Distributed Computing Theory, Morgan & Claypool Publishers, California (2010)

    Book  Google Scholar 

  35. Aminof, B., Rubin, S., Stoilkovska, I., Widder, J., Zuleger, F.: Parameterized model checking of synchronous distributed algorithms by abstraction. In: VMCAI, LNCS, vol. 10747, pp. 1–24. Springer (2018)

  36. Minsky, M.L.: Computation: Finite and Infinite Machines. Prentice-Hall Inc, Upper Saddle River (1967)

    MATH  Google Scholar 

  37. Bloem, R., Jacobs, S., Khalimov, A., Konnov, I., Rubin, S., Veith, H., Widder, J.: Decidability of Parameterized Verification. Synthesis Lectures on Distributed Computing Theory, Morgan & Claypool Publishers, California (2015)

    Book  Google Scholar 

  38. Emerson, E.A., Namjoshi, K.S.: On reasoning about rings. Int. J. Found. Comput. Sci. 14(4), 527–550 (2003)

    Article  MathSciNet  Google Scholar 

  39. Konnov, I., Veith, H., Widder, J.: SMT and POR beat counter abstraction: parameterized model checking of threshold-based distributed algorithms. In: CAV (Part I), LNCS, vol. 9206, pp. 85–102 (2015)

  40. Experiments.

  41. Reynolds, A., King, T., Kuncak, V.: Solving quantified linear arithmetic by counterexample-guided instantiation. Form. Methods Syst. Des. 51(3), 500–532 (2017)

    Article  Google Scholar 

  42. Bjørner, N., Janota, M.: Playing with quantified satisfaction. In: A. Fehnker, A. McIver, G. Sutcliffe, A. Voronkov (eds.) 20th International Conferences on Logic for Programming, Artificial Intelligence and Reasoning - Short Presentations, LPAR 2015, Suva, Fiji, November 24-28, 2015, EPiC Series in Computing, vol. 35, pp. 15–27. EasyChair (2015)

  43. Marić, O., Sprenger, C., Basin, D.A.: cutoff bounds for consensus algorithms. In: CAV, pp. 217–237 (2017)

  44. Kukovec, J., Konnov, I., Widder, J.: Reachability in parameterized systems: all flavors of threshold automata. In: CONCUR, pp. 19:1–19:17 (2018)

  45. Stoilkovska, I., Konnov, I., Widder, J., Zuleger, F.: Eliminating message counters in synchronous threshold automata. In: Henglein, F., Shoham, S., Vizel, Y. (eds.) Verification, Model Checking, and Abstract Interpretation—22nd International Conference, VMCAI 2021, Copenhagen, Denmark, 17–19 January 2021, Proceedings. Lecture Notes in Computer Science, vol. 12597, pp. 196–218. Springer (2021).

  46. Emerson, E.A., Namjoshi, K.S.: Automatic verification of parameterized synchronous systems, In: CAV, LNCS, (ed.) vol. 1102, pp. 87–98. Springer (1996)

  47. Abdulla, P.A., Cerans, K., Jonsson, B., Tsay, Y.: General decidability theorems for infinite-state systems. In: LICS, pp. 313–321 (1996)

  48. Aminof, B., Rubin, S., Zuleger, F., Spegni, F.: Liveness of parameterized timed networks. In: ICALP, pp. 375–387 (2015)

  49. Leroux, J., Sutre, G.: Flat Counter Automata Almost Everywhere! . In: ATVA, LNCS 3707, pp. 489–503 (2005)

  50. Bardin, S., Leroux, J., Point, G.: FAST Extended Release. In: CAV, LNCS 4144, 63–66 (2006)

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Ilina Stoilkovska.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Partially supported by: Austrian Science Fund (FWF) via NFN RiSE (S11403, S11405), project PRAVDA (P27722), and doctoral college LogiCS W1255; Vienna Science and Technology Fund (WWTF) grant APALACHE (ICT15-103), and Interchain Foundation, Switzerland.

This manuscript is an extended version of a paper [1] that appeared in the proceedings of TACAS 2019. In addition to the conference version, we provide the complete mathematical proofs (Sects. 4 and 5.2 ) and report experiments with an extended set of benchmarks (Sect. 7), extended several discussions, and added examples to make the arguments more accessible.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Stoilkovska, I., Konnov, I., Widder, J. et al. Verifying safety of synchronous fault-tolerant algorithms by bounded model checking. Int J Softw Tools Technol Transfer 24, 33–48 (2022).

Download citation

  • Published:

  • Issue Date:

  • DOI: