Reducing liveness to safety in first-order logic

We develop a new technique for verifying temporal properties of infinite-state (distributed) systems. The main idea is to reduce the temporal verification problem to the problem of verifying the safety of infinite-state systems expressed in first-order logic. This allows us to leverage existing techniques for safety verification to verify temporal properties of interesting distributed protocols, including some that have not been mechanically verified before. We model infinite-state systems using first-order logic, and use first-order temporal logic (FO-LTL) to specify temporal properties. This general formalism allows us to naturally model distributed systems, while supporting both unbounded parallelism (where the system is allowed to dynamically create processes) and infinite state per process. The traditional approach for verifying temporal properties of infinite-state systems employs well-founded relations (e.g. using linear arithmetic ranking functions). In contrast, our approach is based on the idea of fair cycle detection. In finite-state systems, temporal verification can always be reduced to fair cycle detection (a system contains a fair cycle if it revisits a state after satisfying all fairness constraints). However, with both infinitely many states and infinitely many fairness constraints, a straightforward reduction to fair cycle detection is unsound. To regain soundness, we augment the infinite-state transition system with a dynamically computed finite set that exploits the locality of transitions. This set lets us define a form of fair cycle detection that is sound in the presence of both infinitely many states and infinitely many fairness constraints. Our approach allows a new style of temporal verification that does not explicitly involve ranking functions. This fits well with pure first-order verification, which does not explicitly reason about numerical values.
In particular, it can be used with effectively propositional first-order logic (EPR), in which case checking verification conditions is decidable. We applied our technique to verify temporal properties of several interesting protocols. To the best of our knowledge, we have obtained the first mechanized liveness proof for both TLB Shootdown and Stoppable Paxos.
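The finite-state reduction the abstract starts from (a fair cycle exists iff the system can revisit a saved state after satisfying every fairness constraint), as an added example that is not the paper's code or tool and does not implement its infinite-state extension. It assumes a constructed two-process lock, fairness constraints given as sets of transition labels that must each be taken on the loop, and a predicate `avoid` encoding the negated progress property that the loop must stay inside.

```python
from collections import deque

# Constructed example: two processes and one lock. State = (loc0, loc1, owner).
IDLE, WAIT, CS = "idle", "wait", "cs"
INIT = (IDLE, IDLE, None)

def succ(state):
    """Labelled successors; the label names the process that moved."""
    locs, owner = list(state[:2]), state[2]
    for i in range(2):
        nxt, new_owner = None, owner
        if locs[i] == IDLE:
            nxt = WAIT                                # request the lock
        elif locs[i] == WAIT and owner is None:
            nxt, new_owner = CS, i                    # acquire the free lock
        elif locs[i] == CS:
            nxt, new_owner = IDLE, None               # release it
        if nxt is not None:
            new = list(locs); new[i] = nxt
            yield f"p{i}", (new[0], new[1], new_owner)

def has_fair_cycle(init, succ, fairness, avoid):
    """Liveness-to-safety: BFS the augmented system (state, saved copy, seen bits) for a
    state that revisits its saved copy after a transition from every fairness set, with
    the loop never entering `avoid` (the negated property). Returns the lasso or None."""
    start = (init, None, ()); queue, parent = deque([start]), {start: None}
    def steps(aug):
        s, saved, seen = aug
        for label, t in succ(s):
            if saved is None:
                yield (t, None, ())                   # stem: no copy taken yet
                if not (avoid(s) or avoid(t)):        # guess that the loop starts at s
                    yield (t, s, tuple(label in f for f in fairness))
            elif not avoid(t):                        # loop stays inside the negated property
                yield (t, saved, tuple(b or label in f for b, f in zip(seen, fairness)))
    while queue:
        s, saved, seen = aug = queue.popleft()
        if saved is not None and s == saved and all(seen):   # the "bad" safety state
            path = []
            while aug is not None:
                path.append(aug[0]); aug = parent[aug]
            return path[::-1]                         # stem followed by the closed loop
        for nxt in steps(aug):
            if nxt not in parent:
                parent[nxt] = aug; queue.append(nxt)
    return None

if __name__ == "__main__":
    print(has_fair_cycle(INIT, succ, [{"p0"}, {"p1"}], lambda s: s[0] == CS))  # None
    print(has_fair_cycle(INIT, succ, [{"p1"}], lambda s: s[0] == CS))          # p0 starves
```

With both processes constrained to move infinitely often, no loop avoiding `cs` for process 0 can contain a p0 move, so the safety check finds no bad state; dropping the constraint on p0 exposes the starving lasso.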
