An Infinite Needle in a Finite Haystack: Finding Infinite Counter-Models in Deductive Verification
First-order logic, and quantifiers in particular, are widely used in
deductive verification. Quantifiers are essential for describing systems with
unbounded domains, but prove difficult for automated solvers. Significant
effort has been dedicated to finding quantifier instantiations that establish
unsatisfiability, thus ensuring validity of a system's verification conditions.
However, in many cases the formulas are satisfiable: this is often the case in
intermediate steps of the verification process. For such cases, existing tools
are limited to finding finite models as counterexamples. Yet, some quantified
formulas are satisfiable but only have infinite models. Such infinite
counter-models are especially typical when first-order logic is used to
approximate inductive definitions such as linked lists or the natural numbers.
The inability of solvers to find infinite models makes them diverge in these
cases. In this paper, we tackle the problem of finding such infinite models.
These models allow the user to identify and fix bugs in the modeling of the
system and its properties. Our approach consists of three parts. First, we
introduce symbolic structures as a way to represent certain infinite models.
Second, we describe an effective model finding procedure that symbolically
explores a given family of symbolic structures. Finally, we identify a new
decidable fragment of first-order logic that extends and subsumes the
many-sorted variant of EPR, where satisfiable formulas always have a model
representable by a symbolic structure within a known family. We evaluate our
approach on examples from the domains of distributed consensus protocols and of
heap-manipulating programs. Our implementation quickly finds infinite
counter-models that demonstrate the source of verification failures in a simple
way, while SMT solvers and theorem provers such as Z3, cvc5, and Vampire
diverge.
Leaf: Modularity for Temporary Sharing in Separation Logic (Extended Version)
In concurrent verification, separation logic provides a strong story for
handling both resources that are owned exclusively and resources that are
shared persistently (i.e., forever). However, the situation is more complicated
for temporarily shared state, where state might be shared and then later
reclaimed as exclusive. We believe that a framework for temporarily-shared
state should meet two key goals not adequately met by existing techniques. One,
it should allow and encourage users to verify new sharing strategies. Two, it
should provide an abstraction where users manipulate shared state in a way
agnostic to the means with which it is shared.
We present Leaf, a library in the Iris separation logic which accomplishes
both of these goals by introducing a novel operator, which we call guarding,
that allows one proposition to represent a shared version of another. We
demonstrate that Leaf meets these two goals through a modular case study: we
verify a reader-writer lock that supports shared state, and a hash table built
on top of it that uses shared state.
Counterexample-Guided Prophecy for Model Checking Modulo the Theory of Arrays
We develop a framework for model checking infinite-state systems by
automatically augmenting them with auxiliary variables, enabling
quantifier-free induction proofs for systems that would otherwise require
quantified invariants. We combine this mechanism with a counterexample-guided
abstraction refinement scheme for the theory of arrays. Our framework can thus,
in many cases, reduce inductive reasoning with quantifiers and arrays to
quantifier-free and array-free reasoning. We evaluate the approach on a wide
set of benchmarks from the literature. The results show that our implementation
often outperforms state-of-the-art tools, demonstrating its practical
potential.
Comment: 23 pages, 1 figure, 1 table, extended version of paper to be
published in International Conference on Tools and Algorithms for the
Construction and Analysis of Systems 202
Paxos Consensus, Deconstructed and Abstracted (Extended Version)
Lamport's Paxos algorithm is a classic consensus protocol for state machine
replication in environments that admit crash failures. Many versions of Paxos
exploit the protocol's intrinsic properties for the sake of gaining better
run-time performance, thus widening the gap between the original description of
the algorithm, which was proven correct, and its real-world implementations. In
this work, we address the challenge of specifying and verifying complex
Paxos-based systems by (a) devising composable specifications for
implementations of Paxos's single-decree version, and (b) engineering
disciplines to reason about protocol-aware, semantics-preserving optimisations
to single-decree Paxos. In a nutshell, our approach elaborates on the
deconstruction of single-decree Paxos by Boichat et al. We provide novel
non-deterministic specifications for each module in the deconstruction and
prove that the implementations refine the corresponding specifications, such
that the proofs of the modules that remain unchanged can be reused across
different implementations. We further reuse this result and show how to obtain
a verified implementation of Multi-Paxos from a verified implementation of
single-decree Paxos, by a series of novel protocol-aware transformations of the
network semantics, which we prove to be behaviour-preserving.
Comment: Accepted for publication in the 27th European Symposium on
Programming (ESOP'18)
How to Win First-Order Safety Games
First-order (FO) transition systems have recently attracted attention for the verification of parametric systems such as network protocols, software-defined networks or multi-agent workflows like conference management systems. Functional correctness or noninterference of these systems have conveniently been formulated as safety or hypersafety properties, respectively. In this article, we take the step from verification to synthesis---tackling the question whether it is possible to automatically synthesize predicates to enforce safety or hypersafety properties like noninterference. For that, we generalize FO transition systems to FO safety games. For FO games with monadic predicates only, we provide a complete classification into decidable and undecidable cases. For games with non-monadic predicates, we concentrate on universal first-order invariants, since these are sufficient to express a large class of properties---for example noninterference. We identify a non-trivial sub-class where invariants can be proven inductive and FO winning strategies be effectively constructed. We also show how the extraction of weakest FO winning strategies can be reduced to SO quantifier elimination itself. We demonstrate the usefulness of our approach by automatically synthesizing nontrivial FO specifications of messages in a leader election protocol as well as for paper assignment in a conference management system to exclude unappreciated disclosure of reports.