Ivy: safety verification by interactive generalization

Padon, Oded; McMillan, Kenneth L.; Panda, Aurojit; Sagiv, Mooly; Shoham, Sharon

doi:10.1145/2908080.2908118

Cited by 130 publications

(150 citation statements)

References 17 publications

Supporting

Mentioning

149

Contrasting

Order By: Relevance

“…Leader election in a ring [13,50], in which nodes are organized in a directional ring topology with unique IDs, and the safety property is that an elected leader is a node with the highest ID. Phase structure: for a view of two nodes n 1 , n 2 , in the first phase, messages with the ID of n 1 are yet to advance in the ring past n 2 , while in the second phase, a message advertising n 1 has advanced past n 2 .…”

Section: Results and Discussion Measurements For These Examples Appementioning

confidence: 99%

“…In this section we apply invariant inference guided by phase structures to distributed protocols modeled in EPR, motivated by previous deductive approachesto safety of distributed protocols [50,49,59]. The work-flow for our approach is illustrated in Fig.…”

Section: Implementation and Evaluationmentioning

confidence: 99%

“…EPR. Our procedure handles transition systems expressed using the extended Effectively PRopositional fragment (EPR) of first order logic [51,50], and infers universally quantified phase characterizations. Satisfiability of (extended) EPR formulas is decidable, enjoys the finite-model property, and supported by existing SMT solvers such as Z3 [45] and first order logic provers such as iProver [40].…”

Section: Phase-pdr ∀ For Inferring Universally Quantified Characterizmentioning

confidence: 99%

See 2 more Smart Citations

Inferring Inductive Invariants from Phase Structures

Feldman

Wilcox

Shoham

et al. 2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Infinite-state systems such as distributed protocols are challenging to verify using interactive theorem provers or automatic verification tools. Of these techniques, deductive verification is highly expressive but requires the user to annotate the system with inductive invariants. To relieve the user from this laborintensive and challenging task, invariant inference aims to find inductive invariants automatically. Unfortunately, when applied to infinite-state systems such as distributed protocols, existing inference techniques often diverge, which limits their applicability. This paper proposes user-guided invariant inference based on phase invariants, which capture the different logical phases of the protocol. Users conveys their intuition by specifying a phase structure, an automaton with edges labeled by program transitions; the tool automatically infers assertions that hold in the automaton's states, resulting in a full safety proof. The additional structure from phases guides the inference procedure towards finding an invariant. Our results show that user guidance by phase structures facilitates successful inference beyond the state of the art. We find that phase structures are pleasantly well matched to the intuitive reasoning routinely used by domain experts to understand why distributed protocols are correct, so that providing a phase structure reuses this existing intuition. 1 type key 2 type value 3 type node 4 type sequnum 5 6 relation owner: node, key 7 relation table: node, key, value 8 relation transfer_msg: node, node, 9 key, value, seqnum 10 relation ack_msg: node, node, seqnum 11 relation seqnum_sent: node, seqnum 12 relation unacked: node, node, 13 key, value, seqnum 14 relation seqnum_recvd: node, node, seqnum 15 16 init ∀n1, n2, k. owner(n1,k)∧owner(n2,k) 17 → n1 = n2 18 init // all other relations are empty 19 20 action reshard(n_old:node, n_new:node, 21 k:key, value:sequnum) 22 require table(n_old, k, v)23 ∧¬seqnum_sent(n_old, s) 24 seqnum_sent(n_old, s) := true 25 table(n_old, k, v) := false 26 owner(n_old, k) := false 27 transfer_msg(n_old, n_new, k, v, s) := true 28 unacked(n_old, n_new, k, v, s) := true 29 30 action drop_transfer_msg(src:node, dst:node, 31 k:key, v:value, s:seqnum) 32 require transfer_msg(src, dst, k, v, s) 33 transfer_msg(src, dst, k, v, s) := false 34 35 action retransmit(src:node, dst:node, 36 k:key, v:value, s:seqnum) 37 require unacked(src, dst, k, v, s) 38 transfer_msg(src, dst, k, v, s) := true 39 action recv_transfer_msg(src:node, n:node, 40 k:key, v:value, s:seqnum) 41 require transfer_msg(src, n, k, v, s) 42 ∧¬seqnum_recvd(n, src, s) 43 seqnum_recvd(n, src, s) := true 44 table(n, k, v) := true 45 owner(n, k) := true 46 47 action send_ack(src:node, n:node, 48

show abstract

Section: Results and Discussion Measurements For These Examples Appementioning

confidence: 99%

Section: Implementation and Evaluationmentioning

confidence: 99%

Section: Phase-pdr ∀ For Inferring Universally Quantified Characterizmentioning

confidence: 99%

See 1 more Smart Citation

Inferring Inductive Invariants from Phase Structures

Feldman

Wilcox

Shoham

et al. 2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Under the new notion of coherence, we first study axioms on relations. The EPR (effectively propositional reasoning) [36] fragment of first order logic is one of the few fragments of first order logic that is decidable, and has been exploited for bounded model-checking and verification condition validation in the literature [33,32,31]. We study axioms written in EPR (i.e., universally quantified formulas involving only relations) and show that verification for even coherent programs, modulo EPR axioms, is undecidable.…”

Section: Main Contributionsmentioning

confidence: 99%

“…The class of EPR formulas that consist of universally quantified formulas over relational signatures is a well-known decidable class of first-order logic [36]. EPR-based reasoning has been proved powerful for verification of large-scale systems [32,28,38] and the Ivy [33,29] system is one of the most notable framework that exploits EPR based reasoning for verifying program snippets without recursion. EPR encoding of order axioms such as reflexivity, symmetry, transitivity and total orders has been used in proving programs working over heaps [20].…”

Section: Related Workmentioning

confidence: 99%

What’s Decidable About Program Verification Modulo Axioms?

Mathur

Madhusudan

Viswanathan

2020

Tools and Algorithms for the Construction and Analysis of Systems

View full text Add to dashboard Cite

We consider the decidability of the verification problem of programs modulo axioms -automatically verifying whether programs satisfy their assertions, when the function and relation symbols are interpreted as arbitrary functions and relations that satisfy a set of first-order axioms. Though verification of uninterpreted programs (with no axioms) is already undecidable, a recent work introduced a subclass of coherent uninterpreted programs, and showed that they admit decidable verification [26]. We undertake a systematic study of various natural axioms for relations and functions, and study the decidability of the coherent verification problem. Axioms include relations being reflexive, symmetric, transitive, or total order relations, functions restricted to being associative, idempotent or commutative, and combinations of such axioms as well. Our comprehensive results unearth a rich landscape that shows that though several axiom classes admit decidability for coherent programs, coherence is not a panacea as several others continue to be undecidable. 1 We adapt the definition in a way that preserves the spirit of the definition of coherence. Moreover, if we do not adapt the definition, essentially all axioms classes we study in this paper would be undecidable.

show abstract

Local Reasoning for Parameterized First Order Protocols

Ashmore

Gurfinkel

Trefler

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

First Order Logic (FOL) is a powerful reasoning tool for program verification. Recent work on Ivy shows that FOL is well suited for verification of parameterized distributed systems. However, specifying many natural objects, such as a ring topology, in FOL is unexpectedly inconvenient. We present a framework based on FOL for specifying distributed multi-process protocols in a process-local manner together with an implicit network topology. In the specification framework, we provide an auto-active analysis technique to reason about the protocols locally, in a process-modular way. Our goal is to mirror the way designers often describe and reason about protocols. By hiding the topology behind the FOL structure, we simplify the modelling, but complicate the reasoning. To deal with that, we use an oracle for the topology to develop a sound and relatively complete proof rule that reduces reasoning about the implicit topology back to pure FOL. This completely avoids the need to axiomatize the topology. Using the rule, we establish a property that reduces verification to a fixed number of processes bounded by the size of local neighbourhoods. We show how to use the framework on two examples, including leader election on a ring.

show abstract

Ivy: safety verification by interactive generalization

Cited by 130 publications

References 17 publications

Inferring Inductive Invariants from Phase Structures

Inferring Inductive Invariants from Phase Structures

What’s Decidable About Program Verification Modulo Axioms?

Local Reasoning for Parameterized First Order Protocols

Contact Info

Product

Resources

About