Structural temporal logic for mechanized program verification

Eleftherios Ioannidis, Yannick Zakowski, Steve Zdancewic, Sebastian Angel
2024-10-23
Abstract: Mechanized verification of liveness properties for programs with effects, nondeterminism, and nontermination is difficult. Existing temporal reasoning frameworks operate on the level of models (traces, automata), not executable code, creating a verification gap and losing the benefits of modularity and composition enjoyed by structural program logics. Reasoning about infinite traces and automata requires complex (co-)inductive proof techniques and familiarity with proof assistant mechanics (e.g., the guardedness checker). We propose a structural approach to the verification of temporal properties with a new temporal logic that we call Ticl. Using Ticl, we internalize complex (co-)inductive proof techniques to structural lemmas and reasoning about variants and invariants. We show that it is possible to perform mechanized proofs of general temporal properties while working at a high level of abstraction. We demonstrate the benefits of Ticl by giving short, structural proofs of safety and liveness properties for programs with queues, secure memory, and distributed consensus.
Programming Languages, Logic in Computer Science
What problem does this paper attempt to address?
The main problem that this paper attempts to solve is **how to perform mechanized verification of programs with side effects, nondeterminism and nontermination, and in particular how to verify the liveness properties of such programs**. Specifically:

1. **Limitations of existing methods**:
   - Existing temporal logic reasoning frameworks operate mainly at the model level (traces, automata) rather than on executable code, which creates a verification gap and loses the modularity and compositionality offered by structural program logics.
   - Reasoning about infinite traces and automata requires complex (co-)inductive proof techniques and familiarity with the mechanics of proof assistants (such as the guardedness checker).
2. **Proposed new method**:
   - The authors propose a structural temporal logic, Ticl (Temporal Interaction and Choice Logic), for verifying the temporal properties of programs.
   - Using Ticl, complex (co-)inductive proof techniques are internalized into structural lemmas, which simplifies the proof process.
   - Ticl allows mechanized proofs at a high level of abstraction while retaining strong expressive power.
3. **Specific goals**:
   - Provide a general method for verifying the safety and liveness properties of programs, in particular programs involving queues, secure memory and distributed consensus.
   - Demonstrate the application of Ticl to formal verification and show its effectiveness and practicality through concrete examples (such as the rotating queue program).
4. **Contributions**:
   - Introduce a new structural program logic, Ticl, that can prove rich temporal properties compositionally.
   - Develop a framework of more than 15,000 lines of nested (co-)inductive proofs and definitions, encapsulated in about 50 high-level lemmas that are easy to use.
   - Implement Ticl in the Coq proof assistant, relying on the eq_rect_eq axiom (equivalent to uniqueness of identity proofs, UIP).
Through these contributions, the authors aim to fill the gaps in existing methods in verifying liveness properties and provide an efficient and scalable tool to support the mechanized verification of complex programs.