57 research outputs found
Bounded Quantifier Instantiation for Checking Inductive Invariants
We consider the problem of checking whether a proposed invariant
expressed in first-order logic with quantifier alternation is inductive, i.e.
preserved by a piece of code. While the problem is undecidable, modern SMT
solvers can sometimes solve it automatically. However, they employ powerful
quantifier instantiation methods that may diverge, especially when is
not preserved. A notable difficulty arises due to counterexamples of infinite
size.
This paper studies Bounded-Horizon instantiation, a natural method for
guaranteeing the termination of SMT solvers. The method bounds the depth of
terms used in the quantifier instantiation process. We show that this method is
surprisingly powerful for checking quantified invariants in uninterpreted
domains. Furthermore, by producing partial models it can help the user diagnose
the case when is not inductive, especially when the underlying reason
is the existence of infinite counterexamples.
Our main technical result is that Bounded-Horizon is at least as powerful as
instrumentation, which is a manual method to guarantee convergence of the
solver by modifying the program so that it admits a purely universal invariant.
We show that with a bound of 1 we can simulate a natural class of
instrumentations, without the need to modify the code and in a fully automatic
way. We also report on a prototype implementation on top of Z3, which we used
to verify several examples by Bounded-Horizon of bound 1
An Infinite Needle in a Finite Haystack: Finding Infinite Counter-Models in Deductive Verification
First-order logic, and quantifiers in particular, are widely used in
deductive verification. Quantifiers are essential for describing systems with
unbounded domains, but prove difficult for automated solvers. Significant
effort has been dedicated to finding quantifier instantiations that establish
unsatisfiability, thus ensuring validity of a system's verification conditions.
However, in many cases the formulas are satisfiable: this is often the case in
intermediate steps of the verification process. For such cases, existing tools
are limited to finding finite models as counterexamples. Yet, some quantified
formulas are satisfiable but only have infinite models. Such infinite
counter-models are especially typical when first-order logic is used to
approximate inductive definitions such as linked lists or the natural numbers.
The inability of solvers to find infinite models makes them diverge in these
cases. In this paper, we tackle the problem of finding such infinite models.
These models allow the user to identify and fix bugs in the modeling of the
system and its properties. Our approach consists of three parts. First, we
introduce symbolic structures as a way to represent certain infinite models.
Second, we describe an effective model finding procedure that symbolically
explores a given family of symbolic structures. Finally, we identify a new
decidable fragment of first-order logic that extends and subsumes the
many-sorted variant of EPR, where satisfiable formulas always have a model
representable by a symbolic structure within a known family. We evaluate our
approach on examples from the domains of distributed consensus protocols and of
heap-manipulating programs. Our implementation quickly finds infinite
counter-models that demonstrate the source of verification failures in a simple
way, while SMT solvers and theorem provers such as Z3, cvc5, and Vampire
diverge
Regular Abstractions for Array Systems
Verifying safety and liveness over array systems is a highly challenging
problem. Array systems naturally capture parameterized systems such as
distributed protocols with an unbounded number of processes. Such distributed
protocols often exploit process IDs during their computation, resulting in
array systems whose element values range over an infinite domain. In this
paper, we develop a novel framework for proving safety and liveness over array
systems. The crux of the framework is to overapproximate an array system as a
string rewriting system (i.e. over a finite alphabet) by means of a new
predicate abstraction that exploits the so-called indexed predicates. This
allows us to tap into powerful verification methods for string rewriting
systems that have been heavily developed in the last few decades (e.g. regular
model checking). We demonstrate how our method yields simple, automatically
verifiable proofs of safety and liveness properties for challenging examples,
including Dijkstra's self-stabilizing protocol and the Chang-Roberts leader
election protocol
IST Austria Thesis
Designing and verifying concurrent programs is a notoriously challenging, time consuming, and error prone task, even for experts. This is due to the sheer number of possible interleavings of a concurrent program, all of which have to be tracked and accounted for in a formal proof. Inventing an inductive invariant that captures all interleavings of a low-level implementation is theoretically possible, but practically intractable. We develop a refinement-based verification framework that provides mechanisms to simplify proof construction by decomposing the verification task into smaller subtasks.
In a first line of work, we present a foundation for refinement reasoning over structured concurrent programs. We introduce layered concurrent programs as a compact notation to represent multi-layer refinement proofs. A layered concurrent program specifies a sequence of connected concurrent programs, from most concrete to most abstract, such that common parts of different programs are written exactly once. Each program in this sequence is expressed as structured concurrent program, i.e., a program over (potentially recursive) procedures, imperative control flow, gated atomic actions, structured parallelism, and asynchronous concurrency. This is in contrast to existing refinement-based verifiers, which represent concurrent systems as flat transition relations. We present a powerful refinement proof rule that decomposes refinement checking over structured programs into modular verification conditions. Refinement checking is supported by a new form of modular, parameterized invariants, called yield invariants, and a linear permission system to enhance local reasoning.
In a second line of work, we present two new reduction-based program transformations that target asynchronous programs. These transformations reduce the number of interleavings that need to be considered, thus reducing the complexity of invariants. Synchronization simplifies the verification of asynchronous programs by introducing the fiction, for proof purposes, that asynchronous operations complete synchronously. Synchronization summarizes an asynchronous computation as immediate atomic effect. Inductive sequentialization establishes sequential reductions that captures every behavior of the original program up to reordering of coarse-grained commutative actions. A sequential reduction of a concurrent program is easy to reason about since it corresponds to a simple execution of the program in an idealized synchronous environment, where processes act in a fixed order and at the same speed.
Our approach is implemented the CIVL verifier, which has been successfully used for the verification of several complex concurrent programs. In our methodology, the overall correctness of a program is established piecemeal by focusing on the invariant required for each refinement step separately. While the programmer does the creative work of specifying the chain of programs and the inductive invariant justifying each link in the chain, the tool automatically constructs the verification conditions underlying each refinement step
Guard Automata for the Verification of Safety and Liveness of Distributed Algorithms
Distributed algorithms typically run over arbitrary many processes and may involve unboundedly many rounds, making the automated verification of their correctness challenging. Building on domain theory, we introduce a framework that abstracts infinite-state distributed systems that represent distributed algorithms into finite-state guard automata. The soundness of the approach corresponds to the Scott-continuity of the abstraction, which relies on the assumption that the distributed algorithms are layered. Guard automata thus enable the verification of safety and liveness properties of distributed algorithms
- …