research-article

Open access

Mostly Automated Verification of Liveness Properties for Distributed Protocols with Ranking Functions

Authors:

Jason NiehAuthors Info & Claims

Proceedings of the ACM on Programming Languages, Volume 8, Issue POPL

Article No.: 35, Pages 1028 - 1059

https://doi.org/10.1145/3632877

Published: 05 January 2024 Publication History

Abstract

Distributed protocols have long been formulated in terms of their safety and liveness properties. Much recent work has focused on automatically verifying the safety properties of distributed protocols, but doing so for liveness properties has remained a challenging, unsolved problem. We present LVR, the first framework that can mostly automatically verify liveness properties for distributed protocols. Our key insight is that most liveness properties for distributed protocols can be reduced to a set of safety properties with the help of ranking functions. Such ranking functions for practical distributed protocols have certain properties that make them straightforward to synthesize, contrary to conventional wisdom. We prove that verifying a liveness property can then be reduced to a simpler problem of verifying a set of safety properties, namely that the ranking function is strictly decreasing and nonnegative for any protocol state transition, and there is no deadlock. LVR automatically synthesizes ranking functions by formulating a parameterized function of integer protocol variables, statically analyzing the lower and upper bounds of the variables as well as how much they can change on each state transition, then feeding the constraints to an SMT solver to determine the coefficients of the ranking function. It then uses an off-the-shelf verification tool to find inductive invariants to verify safety properties for both ranking functions and deadlock freedom. We show that LVR can mostly automatically verify the liveness properties of several distributed protocols, including various versions of Paxos, with limited user guidance.

References

[1]

Mohamed Faouzi Atig, Ahmed Bouajjani, Michael Emmi, and Akash Lal. 2012. Detecting fair non-termination in multithreaded programs. In Proceedings of 24th International Conference on Computer Aided Verification (CAV ’12). 210–226. https://doi.org/10.1007/978-3-642-31424-7_19

[2]

Pascal Baumann, Rupak Majumdar, Ramanathan S Thinniyam, and Georg Zetzsche. 2021. Context-bounded verification of liveness properties for multithreaded shared-memory programs. Proceedings of the ACM on Programming Languages, 5, POPL (2021), 1–31. https://doi.org/10.1145/3434325

[3]

Amir M Ben-Amram and Samir Genaim. 2017. On multiphase-linear ranking functions. In Proceedings of the 29th International Conference on Computer Aided Verification (CAV ’17). 601–620. https://doi.org/10.1007/978-3-319-63390-9_32

[4]

Armin Biere, Cyrille Artho, and Viktor Schuppan. 2002. Liveness checking as safety checking. Electronic Notes in Theoretical Computer Science, 66, 2 (2002), 160–177. https://doi.org/10.1016/S1571-0661(04)80410-9

[5]

Benjamin Y. Chan and Elaine Shi. 2020. Streamlet: Textbook streamlined blockchains. In Proceedings of the 2nd ACM Conference on Advances in Financial Technologies (AFT ’20). 1–11. isbn:9781450381390 https://doi.org/10.1145/3419614.3423256

[6]

Michael A. Colón and Henny B. Sipma. 2002. Practical methods for proving program termination. In Proceedings of 14th International Conference on Computer Aided Verification (CAV ’02). 442–454. https://doi.org/10.1007/3-540-45657-0_36

[7]

Byron Cook, Alexey Gotsman, Andreas Podelski, Andrey Rybalchenko, and Moshe Y. Vardi. 2007. Proving that programs eventually do something good. In Proceedings of the 34th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’07). 265–276. https://doi.org/10.1145/1190216.1190257

[8]

Byron Cook, Andreas Podelski, and Andrey Rybalchenko. 2007. Proving thread termination. In Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’07). 320–330. https://doi.org/10.1145/1273442.1250771

[9]

Byron Cook, Abigail See, and Florian Zuleger. 2013. Ramsey vs. lexicographic termination proving. In Proceedings of the 19th international conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS ’13). 47–61. https://doi.org/10.1007/978-3-642-36742-7_4

[10]

Azadeh Farzan, Zachary Kincaid, and Andreas Podelski. 2016. Proving liveness of parameterized programs. In Proceedings of the 31st Annual ACM/IEEE Symposium on Logic in Computer Science (LICS ’16). 185–196. https://doi.org/10.1145/2933575.2935310

[11]

Marie Fortin, Anca Muscholl, and Igor Walukiewicz. 2017. Model-checking linear-time properties of parametrized asynchronous shared-memory pushdown systems. In Proceedings of 29th International Conference on Computer Aided Verification (CAV ’17). 155–175. https://doi.org/10.1007/978-3-319-63390-9_9

[12]

Aman Goel and Karem Sakallah. 2021. On symmetry and quantification: A new approach to verify distributed protocols. In Proceedings of the 13th NASA Formal Methods Symposium (NFM ’21). 131–150. https://doi.org/10.1007/978-3-030-76384-8_9

[13]

Aman Goel and Karem A Sakallah. 2021. Towards an automatic proof of Lamport’s Paxos. In Proceedings of the 21st Conference on Formal Methods in Computer Aided Design (FMCAD ’21). 112–122. https://doi.org/10.34727/2021/isbn.978-3-85448-046-4_20

[14]

Laure Gonnord, David Monniaux, and Gabriel Radanne. 2015. Synthesis of ranking functions using extremal counterexamples. In Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’15). 608–618. https://doi.org/10.1145/2737924.2737976

[15]

Travis Hance, Marijn Heule, Ruben Martins, and Bryan Parno. 2021. Finding invariants of distributed systems: It’s a small (enough) world after all. In Proceedings of the 18th USENIX Symposium on Networked Systems Design and Implementation (NSDI ’21). 115–131.

[16]

Travis Hance, Andrea Lattuada, Chris Hawblitzel, Jon Howell, Rob Johnson, and Bryan Parno. 2020. Storage systems are distributed systems (so verify them that way!). In Proceedings of the 14th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’20). 99–115.

[17]

Chris Hawblitzel, Jon Howell, Manos Kapritsos, Jacob R Lorch, Bryan Parno, Michael L Roberts, Srinath Setty, and Brian Zill. 2015. IronFleet: Proving practical distributed systems correct. In Proceedings of the 25th Symposium on Operating Systems Principles (SOSP ’15). 1–17. https://doi.org/10.1145/2815400.2815428

[18]

Chris Hawblitzel, Jon Howell, Manos Kapritsos, Jacob R Lorch, Bryan Parno, Michael L Roberts, Srinath Setty, and Brian Zill. 2015. The IronFleet repository. https://github.com/microsoft/Ironclad/tree/main/ironfleet

[19]

Matthias Heizmann and Jan Leike. 2015. Ranking templates for linear loops. Logical Methods in Computer Science, 11 (2015), https://doi.org/10.2168/LMCS-11(1:16)2015

[20]

Jochen Hoenicke, Rupak Majumdar, and Andreas Podelski. 2017. Thread modularity at many levels: A pearl in compositional verification. In Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages (POPL ’17). 473–485. https://doi.org/10.1145/3009837.3009893

[21]

Aleksandr Karbyshev, Nikolaj Bjørner, Shachar Itzhaky, Noam Rinetzky, and Sharon Shoham. 2017. Property-directed inference of universal invariants or proving their absence. J. ACM, 64, 1 (2017), Article 7, 33 pages. https://doi.org/10.1145/3022187

[22]

Matt Kaufmann, Panagiotis Manolios, and J Strother Moore. 2013. Computer-aided reasoning: ACL2 case studies. 4, Springer Science & Business Media. https://doi.org/10.1007/978-1-4757-3188-0

[23]

Jason R. Koenig, Oded Padon, Neil Immerman, and Alex Aiken. 2020. First-order quantified separators. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’20). 703–717. https://doi.org/10.1145/3385412.3386018

[24]

Jason R. Koenig, Oded Padon, Sharon Shoham, and Alex Aiken. 2022. Inferring invariants with quantifier alternations: Taming the search space explosion. In Proceedings of the 28th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS ’22). 338–356. https://doi.org/10.1007/978-3-030-99524-9_18

[25]

Bernhard Kragl, Constantin Enea, Thomas A Henzinger, Suha Orhun Mutluergil, and Shaz Qadeer. 2020. Inductive sequentialization of asynchronous programs. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’20). 227–242. https://doi.org/10.1145/3385412.3385980

[26]

Leslie Lamport. 1998. The part-time parliament. ACM Transactions on Computer Systems, 16, 2 (1998), 133–169. https://doi.org/10.1145/279227.279229

[27]

Leslie Lamport. 2001. Paxos made simple. ACM Sigact News, 32, 4 (2001), 18–25.

[28]

Haojun Ma, Hammad Ahmad, Aman Goel, Eli Goldweber, Jean-Baptiste Jeannin, Manos Kapritsos, and Baris Kasikci. 2022. Sift: Using refinement-guided automation to verify complex distributed systems. In 2022 USENIX Annual Technical Conference (USENIX ATC ’22). 151–166. isbn:978-1-939133-29-64

[29]

Haojun Ma, Aman Goel, Jean-Baptiste Jeannin, Manos Kapritsos, Baris Kasikci, and Karem A Sakallah. 2019. I4: Incremental inference of inductive invariants for verification of distributed protocols. In Proceedings of the 27th ACM Symposium on Operating Systems Principles (SOSP ’19). 370–384. https://doi.org/10.1145/3341301.3359651

[30]

Dahlia Malkhi, Leslie Lamport, and Lidong Zhou. 2008. Stoppable Paxos. https://www.microsoft.com/en-us/research/publication/stoppable-paxos/

[31]

Eike Neumann, Joël Ouaknine, and James Worrell. 2020. On ranking function synthesis and termination for polynomial programs. In Proceedings of the 31st International Conference on Concurrency Theory (CONCUR ’20).

[32]

Oded Padon. 2021. Source file of the ticket lock protocol in Ivy. https://github.com/kenmcmil/ivy/blob/master/examples/liveness/ticket_nested.ivy

[33]

Oded Padon, Jochen Hoenicke, Giuliano Losa, Andreas Podelski, Mooly Sagiv, and Sharon Shoham. 2017. Reducing liveness to safety in first-order logic. Proceedings of the ACM on Programming Languages, 2, POPL (2017), 1–33. https://doi.org/10.1145/3158114

[34]

Oded Padon, Jochen Hoenicke, Kenneth L McMillan, Andreas Podelski, Mooly Sagiv, and Sharon Shoham. 2021. Temporal prophecy for proving temporal properties of infinite-state systems. Formal Methods in System Design, 57, 2 (2021), 246–269. https://doi.org/10.1007/s10703-021-00377-1

[35]

Oded Padon, Kenneth L McMillan, Aurojit Panda, Mooly Sagiv, and Sharon Shoham. 2016. Ivy: Safety verification by interactive generalization. In Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’16). 614–630. https://doi.org/10.1145/2908080.2908118

[36]

Oded Padon, James R Wilcox, Jason R Koenig, Kenneth L McMillan, and Alex Aiken. 2022. Induction duality: Primal-dual search for invariants. Proceedings of the ACM on Programming Languages, 6, POPL (2022), Article 50, Jan., 29 pages. https://doi.org/10.1145/3498712

[37]

Andreas Podelski and Andrey Rybalchenko. 2004. A complete method for the synthesis of linear ranking functions. In Proceedings of the 5th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI ’04). 239–251. https://doi.org/10.1007/978-3-540-24622-0_20

[38]

Kerry Raymond. 1989. A tree-based algorithm for distributed mutual exclusion. ACM Transactions on Computer Systems (TOCS), 7, 1 (1989), 61–77. https://doi.org/10.1145/58564.59295

[39]

Gerard Tel. 2000. Introduction to distributed algorithms. Cambridge university press. https://doi.org/10.1017/CBO9781139168724

[40]

James Wilcox, Oded Padon, Yotam Feldman, and other contributors. 2018. The mypyvy language. https://github.com/wilcoxjay/mypyvy

[41]

James R Wilcox, Doug Woos, Pavel Panchekha, Zachary Tatlock, Xi Wang, Michael D Ernst, and Thomas Anderson. 2015. Verdi: A framework for implementing and formally verifying distributed systems. In Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’15). 357–368. https://doi.org/10.1145/2737924.2737958

[42]

Doug Woos, James R Wilcox, Steve Anton, Zachary Tatlock, Michael D Ernst, and Thomas Anderson. 2016. Planning for change in a formal verification of the Raft consensus protocol. In Proceedings of the 5th ACM SIGPLAN Conference on Certified Programs and Proofs (CCP ’16). 154–165. https://doi.org/10.1145/2854065.2854081

[43]

Jianan Yao, Runzhou Tao, Ronghui Gu, and Jason Nieh. 2022. DuoAI: Fast, automated inference of inductive invariants for verifying distributed protocols. In Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’22). 485–501.

[44]

Jianan Yao, Runzhou Tao, Ronghui Gu, and Jason Nieh. 2023. Mostly Automated Verification of Liveness Properties for Distributed Protocols with Ranking Functions (Artifact). https://doi.org/10.5281/zenodo.10039066

[45]

Jianan Yao, Runzhou Tao, Ronghui Gu, Jason Nieh, Suman Jana, and Gabriel Ryan. 2021. DistAI: Data-driven automated invariant learning for distributed protocols. In Proceedings of the 15th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’21). 405–421.

Cited By

Wilcox JFeldman YPadon OShoham S(2024)mypyvy: A Research Platform for Verification of Transition Systems in First-Order LogicComputer Aided Verification10.1007/978-3-031-65630-9_4(71-85)Online publication date: 24-Jul-2024
https://dl.acm.org/doi/10.1007/978-3-031-65630-9_4
McMillan K(2024)Toward Liveness Proofs at ScaleComputer Aided Verification10.1007/978-3-031-65627-9_13(255-276)Online publication date: 26-Jul-2024
https://doi.org/10.1007/978-3-031-65627-9_13

Index Terms

Mostly Automated Verification of Liveness Properties for Distributed Protocols with Ranking Functions

Recommendations

Towards Automated Verification of Distributed Consensus Protocols
APSEC '09: Proceedings of the 2009 16th Asia-Pacific Software Engineering Conference

This paper presents an approach to facilitating model checking of consensus protocols, a class of distributed protocols. Model checking is a successful formal verification method. However its application to these protocols is still not a common practice ...
Verifying liveness properties of multifunction composite protocols

In protocol composition techniques, component protocols are combined in various ways to obtain a complex protocol whose execution sequences consist of interleaved execution sequences of the component protocols. In this paper, we investigate the problem ...
On the refinement of liveness properties of distributed systems

We present a new approach, based on simulation relations, for reasoning about liveness properties of distributed systems. Our contribution consists of (1) a formalism for defining liveness properties, (2) a proof method for liveness properties based on ...

Comments

Information & Contributors

Information

Published In

cover image Proceedings of the ACM on Programming Languages

Proceedings of the ACM on Programming Languages Volume 8, Issue POPL

January 2024

2820 pages

EISSN:2475-1421

DOI:10.1145/3554315

Editor:
Michael Hicks
Amazon, USA

Issue’s Table of Contents

Copyright © 2024 Owner/Author.

This work is licensed under a Creative Commons Attribution 4.0 International License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 January 2024

Published in PACMPL Volume 8, Issue POPL

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Badges

Author Tags

Qualifiers

Research-article

Funding Sources

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
629
Total Downloads

Downloads (Last 12 months)629
Downloads (Last 6 weeks)42

Reflects downloads up to 01 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Wilcox JFeldman YPadon OShoham S(2024)mypyvy: A Research Platform for Verification of Transition Systems in First-Order LogicComputer Aided Verification10.1007/978-3-031-65630-9_4(71-85)Online publication date: 24-Jul-2024
https://dl.acm.org/doi/10.1007/978-3-031-65630-9_4
McMillan K(2024)Toward Liveness Proofs at ScaleComputer Aided Verification10.1007/978-3-031-65627-9_13(255-276)Online publication date: 26-Jul-2024
https://doi.org/10.1007/978-3-031-65627-9_13

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Media

Figures

Other

Tables

View Issue’s Table of Contents