Using Simulated Execution in Verifying Distributed Algorithms

  • Toh Ne Win
  • Michael D. Ernst
  • Stephen J. Garland
  • Dilsun Kýrlý
  • Nancy A. Lynch
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2575)


This paper presents a methodology for proving properties of distributed systems in which simulated execution assists and enhances formal proofs. It is well known that techniques such as testing can increase confidence in an implementation, but cannot by themselves demonstrate correctness. In addition to detecting simple errors quickly and to providing intuition about behavior, execution-based techniques can also reveal unexpected properties, suggest necessary lemmas, and provide information to structure proofs. This paper also describes the use of these techniques in a machine-checked proof of correctness of the Paxos algorithm for distributed consensus.


Test Suite Forward Simulation Simulation Relation Simulated Execution Mutual Exclusion Algorithm 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [AHM+98]
    Rajeev Alur, Thomas A. Henzinger, F.Y.C. Mang, Shaz Qadeer, SriramK. Rajamani, and Serdar Tasiran. Mocha: Exploiting modularity in model checking. In Proceedings of the Tenth International Conference on Computer-aided Verification, volume 1427 of Lecture Notes in Computer Science 1427, pages 521–525, 1998.Google Scholar
  2. [Bog01]
    Andrej Bogdanov. Formal verification of simulations between I/O automata. Master’s thesis, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, Cambridge, MA, 2001.Google Scholar
  3. [ECGN01]
    Michael Ernst, Jake Cokrell, William G. Grisworld, and David Notkin. Dynamically discovering likely program invariants to support program evolution. IEEE Transactions on Software Engineering, 27(2):1–25, 2001.CrossRefGoogle Scholar
  4. [GG91]
    Stephen Garland and John Guttag. A guide to LP, the Larch Prover. Technical report, DEC Systems Research Center, 1991. Updated version avaliable at URL
  5. [GHG+93]
    John V. Guttag, James J. Horning, S. J. Garland, K. D. Jones, A. Modet, and J. M. Wing. Larch: Languages and Tools for Formal Specification. Texts and Monographs in Computer Science. Springer-Verlag, New York, 1993.Google Scholar
  6. [GL98]
    Stephen J. Garland and Nancy A. Lynch. The IOA language and toolset: Support for designing, analyzing, and building distributed systems. Technical Report MIT/LCS/TR-762, Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, MA, August 1998. URL Scholar
  7. [GSV01]
    Yuri Gurevich, Wolfram Schulte, and Margus Veanes. Toward industrial strength abstract state machines. Technical Report MSR-TR-2001-98, Microsoft Research, 2001. URL for software
  8. [KCD+02a]
    Dilsun Kýrlý, Anna Chefter, Laura Dean, Stephen J. Garland, Nancy A. Lynch, Toh Ne Win, and Antonio Ramirez-Robredo. The IOA simulator. Technical Report MIT-LCS-TR-843, MIT Laboratory for Computer Science, July 2002.Google Scholar
  9. [KCD+02b]
    Dilsun Kýrlý, Anna Chefter, Laura Dean, Stephen J. Garland, Nancy A. Lynch, Toh Ne Win, and Antonio Ramirez-Robredo. Simulating nondeterministic systems at multiple levels of abstraction. In Proceedings of Tools Day 2002, pages 44–59, Brno, Czech Republic, August 2002. Also available as Masaryk University Technical Report FI MU-RS-2002-05.Google Scholar
  10. [Lam98]
    Leslie Lamport. The part-time parliament. ACM Transactions on Computer Systems, 16(2):133–169, May 1998.CrossRefGoogle Scholar
  11. [LT89]
    Nancy A. Lynch and Mark R. Tuttle. An introduction to Input/Output automata. CWI-Quarterly, 2(3):219–246, September 1989.zbMATHMathSciNetGoogle Scholar
  12. [LY01]
    Leslie Lamport and Yuan Yu. TLC-The TLA+ Model Checker. Compaq Systems Research Center, Palo Alto, California, 2001. URL Scholar
  13. [Lyn96]
    Nancy Lynch. Distributed Algorithms. Morgan Kaufmann Publishers, Inc., San Mateo, CA, March 1996.zbMATHGoogle Scholar
  14. [McM]
    Kenneth L. McMillan. The SMV Language. Cadence Berkeley Labs, 2001 Addison Street, Berkeley, CA 94 704, USA. URL
  15. [NE02]
    Jeremy W. Nimmer and Michael D. Ernst. Automatic generation of program specifications. In Proceedings of the 2002 International Symposium on Software Testing and Analysis (ISSTA), pages 232–242, Rome, Italy, July 22-24, 2002.Google Scholar
  16. [PLL00]
    Roberto De Prisco, Butler Lampson, and Nancy Lynch. Fundamental study: Revisiting the Paxos algorithm. Theoretical Computer Science, 243:35–91, 2000.zbMATHCrossRefMathSciNetGoogle Scholar
  17. [PRZ01]
    Amir Pnueli, Sitvanit Ruah, and Lenore Zuck. Automatic deductive verification with invisible invariants. In Tools and Algorithms for the Analysis and Construction of Systems (TACAS), volume 2031 of LNCS, pages 82–97, Genova, Italy, April 2-6, 2001.CrossRefGoogle Scholar
  18. [Rin00]
    Jussi Rintanen. An iterative algorithm for synthesizing invariants. In Proceedings of the Seventeenth National Conference on Artificial Intelligence and Twelfth Conference on Innovative Applications of Artificial Intelligence, pages 806–811, Austin, TX, July 30-August 3, 2000.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Toh Ne Win
    • 1
  • Michael D. Ernst
    • 1
  • Stephen J. Garland
    • 1
  • Dilsun Kýrlý
    • 1
  • Nancy A. Lynch
    • 1
  1. 1.MIT Laboratory for Computer ScienceUSA

Personalised recommendations