SLIDE 1
1
Towards Automatic Inference of Inductive Invariants Haojun Ma , Aman - - PowerPoint PPT Presentation
Towards Automatic Inference of Inductive Invariants Haojun Ma , Aman - - PowerPoint PPT Presentation
Towards Automatic Inference of Inductive Invariants Haojun Ma , Aman Goel, Jean-Baptiste Jeannin Manos Kapritsos, Baris Kasikci, Karem A. Sakallah University of Michigan Distributed systems are subtle 1 The alternative: formal verification
SLIDE 2
SLIDE 3
The alternative: formal verification
Formal specification or property Proving the system maintains the property Successful on distributed systems Drawback: Manual effort
2
SLIDE 4
Existing verification approaches
All existing approaches require the human to find an inductive invariant We want to automatically find inductive invariants
3
Manual Effort Verdi(Coq) IronFleet(Dafny) Ivy I4 Automated Person-hours Person-months Person-years
SLIDE 5
Formal verification in 2 minutes
. . .
4
1 2 k k+1
Goal: prove that the safety property holds at all times
Initial state
Inductive proof
- Base case: prove initial state is safe
- Inductive step: if state k is safe, prove state k+1 is safe
An execution:
SLIDE 6
Safety property vs. inductive invariant
All states Reachable states
5
Safe states Inductive invariant
SLIDE 7
Lock server protocol
6
Server1 Client2
Safety property: no two clients can be linked to the same server
Server0 Client1 Client0
SLIDE 8
Finding an inductive invariant using Ivy
7 lock_hold
Safety property Strengthening assertion Automatically checks if an invariant is inductive Requires the human to find an inductive invariant
(Screenshot from Ivy)
Existing approaches rely on manual effort and human intuition
SLIDE 9
Outline
I4: a new approach Design of I4 Evaluation Future work
8
SLIDE 10
I4: a new approach
Goal: Find an inductive invariant without relying on human intuition. Insight: Distributed protocols exhibit regularity. Implication: We can use inductive invariants from small instances to infer a generalized inductive invariant that holds for all instances.
9
- Behavior doesn’t fundamentally change as the size increases
- E.g. lock server, Paxos, …
SLIDE 11
Leveraging model checking
Model checking I4 applies model checking to small, finite instances … … and then generalizes the result to all instances.
10
J Fully automated L Doesn’t scale to distributed systems
SLIDE 12
Outline
Design of I4 Evaluation Future work
11
SLIDE 13
Overview
12
Protocol.ivy Correct ✓
Invariant generalization
(Ivy)
Increase Size
Invariant generation on a finite instance
(Model Checking)
SLIDE 14
Invariant generation on a finite instance
13
Protocol.finv Create Small (Finite) Instance Protocol.v Model Checker Counterexample
Debug (manually)
Protocol.ivy Correct ✓
Invariant generalization
(Ivy)
Increase Size
SLIDE 15
Invariant Generalization
14
Protocol.finv Protocol.v Counterexample Protocol.ivy Correct ✓ Generalize Protocol_inv.ivy Ivy Weaken Strengthening Assertion Violation Increase Size Safety Property Violation Create Small (Finite) Instance
Debug (manually)
Model Checker
SLIDE 16
Outline
Evaluation Future work
15
SLIDE 17
Evaluation
16
Lock Server Leader Election Distributed lock 1 server 2 clients 3 nodes 3 IDs 2 nodes 4 epochs ~3s ~8s ~12s
✓ ✓ ✓
SLIDE 18
Outline
Future work
17
SLIDE 19
Future work
More automation Scalability to larger protocols Verification of Implementations
18