Erschienen in:

Open Access 2025 | OriginalPaper | Buchkapitel

Implicit Rankings for Verifying Liveness Properties in First-Order Logic

verfasst von : Raz Lotan, Sharon Shoham

Erschienen in: Tools and Algorithms for the Construction and Analysis of Systems

Verlag: Springer Nature Switzerland

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Patentsuche

Aus

Abstract

Das Kapitel geht der Verifizierung von Lebenseigenschaften in der Logik erster Ordnung nach, einem entscheidenden Aspekt, um sicherzustellen, dass wünschenswertes Verhalten letztlich bei Systemausführungen auftritt. Traditionelle Methoden beruhen auf gut fundierten Rankings, die aufgrund von Beschränkungen bei der Erfassung fundierter und komplexer Ranking-Funktionen schwierig direkt in Logik erster Ordnung auszudrücken sein können. Die Autoren führen das Konzept impliziter Rankings ein, die die Reduktion und Erhaltung von Ranking-Funktionen kodieren, ohne diese explizit zu definieren. Dieser Ansatz überwindet Hindernisse beim Ausdruck wohlfundierter und komplexer Ranking-Funktionen, wie etwa Kardinalitäten von Mengen und Summen über unbegrenzte Bereiche hinweg. Das Kapitel stellt eine Reihe von Konstrukteuren für implizite Rankings vor, die auf vertrauten Vorstellungen aus der Ordnungstheorie beruhen, die instanziiert und zusammengesetzt werden können, um eine reiche Familie impliziter Rankings auszulösen. Diese Konstruktoren sind besonders leistungsstark für endliche, aber unbegrenzte Bereiche, die in verteilten Protokollen und gleichzeitigen Systemen üblich sind. Die Autoren demonstrieren die Wirksamkeit ihres Ansatzes anhand bemerkenswerter Beispiele, darunter die Verifizierung von Dijkstras selbststabilisierenden Protokollen, die die Einfachheit und Effizienz impliziter Rankings in Liveness Proofs aufzeigen. Das Kapitel diskutiert auch verwandte Arbeiten und schließt mit einer Diskussion über das Potenzial zukünftiger Automatisierung und Erweiterungen des impliziten Ranking-Ansatzes.

KI-Generiert

Diese Zusammenfassung des Fachinhalts wurde mit Hilfe von KI generiert.

1 Introduction

Liveness properties of a system assert that some desirable behavior eventually happens in all executions of the system. The most common approach to proving liveness properties is based on the notion of a well-founded ranking. Such a proof goes by finding a ranking function f from the set of states of the system to some well-founded set $(A, <)$ such that for any transition of the system from state $s$ to state $s'$ where the desired behavior does not yet occur, the ranking is reduced, i.e., $f(s') < f(s)$. Thus, well-foundedness of A ensures that there is no infinite execution that does not eventually satisfy the property.

Many recent works use first-order logic (FOL) for verifying safety and liveness properties [26, 31, 35‐37, 39, 43, 48]. FOL has been established as a useful tool for modeling and verifying systems, mostly due to the success of automatic solvers that answer complicated satisfiability queries in seconds. One challenge that arises when proving liveness properties in FOL is that well-foundedness is not directly expressible in FOL. Additionally, many common primitives that are useful for defining ranking functions, such as cardinality of sets, and sums over unbounded domains, cannot be directly captured in FOL.

We present an approach that overcomes these hurdles and facilitates carrying out proofs based on ranking functions in FOL. Our approach utilizes the observation that it suffices to encode the reduction in the ranking function without explicitly encoding the ranking function itself. Furthermore, the reduction need not be encoded precisely, but can be soundly approximated. For this purpose, we define the notion of an implicit ranking, which can be soundly used in liveness proofs in place of explicit ranking functions. An implicit ranking consists of a reduction formula, $\varphi _{<}$, and a conservation formula, $\varphi _{\le }$. These are two-state first-order formulas for which there exists some ranking function f mapping the states to elements of some well-founded set $(A,<)$ such that whenever states s and $s'$ satisfy $\varphi _{<}$ we have $f(s')<f(s)$ and whenever s, $s'$ satisfy $\varphi _{\le }$ we have $f(s') \le f(s)$. Conservation is needed, for example, in proof rules for verifying liveness under fairness assumptions.

We then introduce recursive constructors for implicit rankings that can be instantiated and composed to induce a rich family of implicit rankings. Our constructors are based on familiar notions from order theory, such as pointwise ordering and lexicographic ordering, which can be used to lift and aggregate orders in various ways, adapted to the first-order setting. A key component of our approach is the introduction of domain-based constructors that use quantification over the domain of a state to express aggregation of rankings. For example we can express a pointwise aggregation of given rankings, or a lexicographic aggregation based on a given order on the elements in the domain. When composed, such aggregations can capture complex ranking arguments that are unattainable by existing methods.

Implicit rankings produced by domain-based constructors are sound for finite, albeit unbounded, domains. Such domains are common when reasoning about distributed protocols, concurrent systems, arrays, etc. where the set of nodes, array indices, etc. is finite but not fixed. In fact, liveness of such systems often depends on the finiteness of the domain. Thus, such constructors allow us to utilize finiteness of the domain in liveness proofs, even though finiteness itself is not definable in FOL.

As notable examples, we use our constructors to produce implicit rankings for the self-stabilization property of Dijkstra’s k-state, 4-state and 3-state protocols [13]. In these examples, domain-based constructors are able to replace reasoning about unbounded sums and set cardinalities in novel ways. We use the implicit rankings within a sound proof rule to verify the examples, where the premises of the rule are discharged automatically by an SMT solver. To the best of our knowledge, this is the first SMT-based verification of the more challenging 3-state and 4-state protocols, and it is simpler than existing proofs for such protocols [1, 3, 8, 12, 14, 19, 20, 23, 25, 34].

Contributions.

We define implicit rankings, which soundly approximate reduction and conservation of some ranking function in FOL, and show how these implicit rankings can be used in liveness proofs (Section 4).
We introduce constructors of implicit rankings based on familiar notions from order theory, including domain-based constructors that are sound for finite but unbounded domains and can sometimes replace reasoning about unbounded summations and set cardinalities (Section 5).
We implement the proposed constructors in a tool for verifying liveness properties of first-order transition systems, and demonstrate the power of our constructors by verifying a set of examples of liveness properties, including Dijkstra’s self-stabilizing protocols (Section 6).

In the next section we present two examples that motivate our approach. Section 3 then provides the necessary background for Sections 4 to 6 and Section 7 discusses related work and concludes the paper.

Full Version. The full version of the paper is available at [27].

2 Motivating Examples

Example 1

As a first motivating example (Figure 1), we consider an abstraction of a self-stabilizing protocol. In a self-stabilizing protocol privileges are initially distributed arbitrarily in a network, but eventually the protocol converges to a stable state where only one machine holds a privilege. The protocol we consider abstracts the movement of privileges in Dijkstra’s k-state protocol [13]. While the abstraction does not enjoy stabilization, it suffices for showing a property that is used in the proof of stabilization for Dijkstra’s protocol.

In this protocol, the network consists of a finite number of machines, arranged in a ring, with one machine, called the bottom machine ($\textsf{bot}$), being distinguished. Every machine i has a field $i.\textsf{next}$ which directs to its right-hand neighbor in the ring. At any moment any machine may be privileged or not. Initially, privileges are assigned arbitrarily, with the guarantee that at least one machine is privileged. At each iteration, an arbitrary privileged machine is scheduled, the scheduled machine loses its privilege and its right-hand neighbor becomes privileged (whether it was already privileged or not). The property we wish to prove is that machine $\textsf{bot}$ is eventually scheduled: $\lozenge (\textsf{skd}= \textsf{bot})$. In the original protocol, the steps of machine $\textsf{bot}$ are different from all other machines (this difference is lost in the abstraction) and, in particular, they take the state of the network closer to stabilization.

Next, we describe a ranking function for proving the liveness property. To present the ranking function we denote the number of machines by n and think of the machines as indexed by $0,1,\ldots ,n-1$ according to their order in the ring, with $\textsf{bot}=0$. Now, a natural ranking function is: $\textrm{Rk}=\sum _{i\ne 0 : \textsf{priv}(i)} n-i$. Intuitively, the value $n-i$ can be seen as the number of steps required for the privilege of machine i to reach machine 0 (if no other privileges are present). We can now verify that in any transition from s to $s'$, if the eventuality does not occur in either $s$ or $s'$, the rank is reduced. Indeed, for any transition, if $\textsf{skd}= 0$ the eventuality is satisfied in $s$; otherwise, $\textsf{skd}$ loses its privilege, decreasing $\textrm{Rk}$ by $n-\textsf{skd}$, and $\textsf{skd}+1$ gains a privilege, (possibly) increasing $\textrm{Rk}$ by $n-(\textsf{skd}+1)$, ultimately decreasing $\textrm{Rk}$ by 1 (or more, if $\textsf{skd}+1$ was already privileged).

Fig. 1.

Toy Stabilization

Fig. 2.

Binary Counter

While this ranking function is natural, it is not clear how to reason about it with existing automated solvers due to the unbounded sum operation which is not directly expressible in FOL (without induction). Next, we show how we can express this ranking argument in FOL by an implicit ranking which encodes a sound approximation of the reduction in the ranking function. To do this, we show that we can replace reasoning about set cardinalities and unbounded sums by reasoning about other aggregations that are expressible in FOL.

To avoid combining arithmetic reasoning with quantifiers, we use an uninterpreted sort to model the machines, and instead of relying on numbers, we model the ring structure with a strict order on machines, $\textsf{lt}$, such that $\textsf{bot}$ is minimal in that order, and the next field corresponds to the successor function in the order $\textsf{lt}$, except for the maximal element which points to bot.

Now, we observe that in our model, the expression $n-i$ used in the ranking function above for a privileged machine i is the cardinality of the set of machines that are greater or equal to i in the order $\textsf{lt}$. Further, we can sum over all machines by pushing the condition on i into the set definition. Thus, $\textrm{Rk}= \sum _i |\{j : \textsf{priv}(i) \wedge i\ne 0 \wedge (\textsf{lt}(i,j)\vee i=j)\}|$. In order to express reduction in the sum, we recall that in a transition, the summands are unchanged for all machines except for $\textsf{skd}$, $\textsf{skd}+1$; the contribution of $\textsf{skd}+1$ to the sum after the transition is smaller than the contribution of $\textsf{skd}$ before the transition and the contribution of $\textsf{skd}$ to the sum after the transition is 0 (because it loses its privilege) and therefore, smaller or equal to that of $\textsf{skd}+1$ before the transition. Therefore we can use an adaption of a pointwise argument which “permutes” $\textsf{skd}$ and $\textsf{skd}+1$ to capture the reduction in the sum over all machines.

Next, we need to express reduction (or conservation) in the summands (either of the same machine i or of different machines) along transitions. The summands are cardinalities of sets of machines j. Thus, we observe that it suffices to show strict set inclusion. This amounts to a pointwise argument over all machines j, showing reduction (or conservation) in the binary predicate $\alpha (i,j)=\textsf{priv}(i) \wedge i\ne 0 \wedge (\textsf{lt}(i,j)\vee i=j)$ that defines membership of j in the set of i. The reduction in the binary predicate, the pointwise reduction and the permuted-pointwise reduction, can all be encoded in FOL. Thus, the overall approximation of the reduction in the ranking function can be expressed (and hence verified automatically) by the following first-order formula, where unprimed symbols represent the pre-state of a transition and primed variables represent the post-state:

$$\begin{aligned} &\forall j.\ (\alpha '(\textsf{next}(\textsf{skd}),j)\rightarrow \alpha (\textsf{skd},j))\wedge \exists j.\ ( \lnot \alpha '(\textsf{next}(\textsf{skd}),j)\wedge \alpha (\textsf{skd},j))\ \wedge \\ &\forall j. \ (\alpha '(\textsf{skd},j)\rightarrow \alpha (\textsf{next}(\textsf{skd}),j)) \ \wedge \\ & \forall i. \ ((i\ne \textsf{skd}\wedge i\ne \textsf{next}({\textsf{skd}}) \rightarrow \forall j. \ (\alpha '(i,j)\rightarrow \alpha (i,j)) ) \end{aligned}$$

Example 2

As a second motivating example (Figure 2), we look at a binary counter implemented in an array, taken from [24]. For simplicity of the presentation, we consider a version of the counter that counts down. The counter is implemented by an array $a[0],\ldots ,a[n-1]$ with $a[0]$ as the most significant bit and $a[n-1]$ as the least significant bit, initialized with all 1s. A pointer $\textsf{ptr}$ traverses the array starting at index $n-1$ (the lsb) until it sees the first 1, replacing at each step any 0 it sees with a 1. When reaching the first cell with a 1, it sets that cell to a 0 and returns $\textsf{ptr}$ to index $n-1$. We wish to prove that eventually the array holds all 0s: $\lozenge (\forall x. a[x]=0)$.

To find a ranking function, we notice that the reduction in the counter value happens between states of the program where $\textsf{ptr}=n-1$. Such states partition the execution to “intervals”. For a state inside an interval, we can derive the value of the counter at the beginning of the interval (i.e., when $\textsf{ptr}$ was last $n-1$) by $a_{\textsf{old}}[i]=0 \iff a[i]=0 \vee i > \textsf{ptr}$. Within an interval, the counter values stored by $a_{\textsf{old}}$ do not change but $\textsf{ptr}$ is reduced; and when a new interval starts, the value of $a_{\textsf{old}}$ is reduced (and $\textsf{ptr}$ is set back to $n-1$). This lends itself to a ranking function in the form of a lexicographic pair $\textrm{Rk}= (\textrm{val}(a_{\textsf{old}}), \textsf{ptr})$.

Unfortunately, it is not clear how to encode the value of the counter in FOL. In fact, most existing techniques for encoding ranking functions in FOL are limited to polynomial ranking functions, while the counter requires an exponential ranking function. Fortunately, we realize that a reduction in the counter value corresponds to a lexicographic reduction in the sequence of bits stored in the array representing the counter based on the order on array indices.

To encode the ranking argument in FOL we model the indices of the array, as in Example 1, by an uninterpreted index sort and a strict order $\textsf{lt}$ on it, with the maximal index acting as $n-1$. The content of the array is modeled using a unary relation $a(\cdot )$ that records the cells with value 1. Then, $a_{\textsf{old}}$ is recorded by $a_{\textsf{old}}(i) =a(i) \wedge (\textsf{lt}(i,\textsf{ptr})\vee i=\textsf{ptr})$. With this encoding, reduction in $\textsf{ptr}$ is measured by the order on indices $\textsf{lt}$ and reduction in $a_{\textsf{old}}$ is measured lexicographically, based on the same order $\textsf{lt}$ on indices, where for every index i, the values of cell i are ordered by implication on the derived predicate $a_{\textsf{old}}(i)$. Overall, the reduction in rank can be encoded in FOL by the formula:

$$\begin{aligned} & \exists i. \ ( \lnot a_{\textsf{old}}'(i) \wedge a_{\textsf{old}}(i) \wedge \forall j. \ \textsf{lt}(j,i) \rightarrow ( a_{\textsf{old}}'(j) \rightarrow a_{\textsf{old}}(j))) \ \vee \\ & ((\forall i. \ a'_{\textsf{old}}(i) \leftrightarrow a_{\textsf{old}}(i)) \wedge \textsf{lt}(\textsf{ptr}',\textsf{ptr})) \end{aligned}$$

Section 4 formally defines the notion of an implicit ranking which the reduction formulas above exemplify. The crux of our work is in Section 5, where we present constructors of implicit rankings. As we show in Section 6, the implicit rankings for both motivating examples can be built using our constructors.

3 Preliminaries

First-Order Logic. We consider uninterpreted FOL with equality, without theories. For simplicity, we present our results for a single-sorted version of FOL. The extension of the results to many-sorted logic, which we use in practice, is natural. A first-order signature $\varSigma $ contains relation, constant and function symbols. A term t over $\varSigma $ is a variable x, a constant c, the application of a function on a sequence of terms $f({\textbf{t}})$ or an if-then-else term $\textrm{ite}(\alpha ,t_1,t_2)$. Formulas $\alpha $ over $\varSigma $ are defined recursively: atomic formulas are either $t_1=t_2$ or $r({\textbf{t}})$ where r is a relation symbol. Non-atomic formulas are built using connectives $\lnot ,\wedge ,\vee ,\rightarrow $ and quantifiers $\forall ,\exists $. We write $\alpha ({\mathbf {x_1}},\ldots ,{\mathbf {x_k}})$ to denote that the free variables in $\alpha $ are contained in ${\mathbf {x_1}}, \ldots ,{\mathbf {x_k}}$. Given sequences of terms ${\mathbf {t_1}},\ldots , {\mathbf {t_k}}$ we then use the notation $\alpha ({\mathbf {t_1}},\ldots ,{\mathbf {t_k}})$ to denote the formula obtained from $\alpha $ by substituting each ${\mathbf {x_j}}$ with ${\mathbf {t_j}}$. For a signature $\varSigma $ we use subscripts and superscripts $\ddag $ to denote disjoint copies of $\varSigma $ defined by $\varSigma \ddag = \{a\ddag \mid a\in \varSigma \}$, assumed to satisfy $\varSigma \cap \varSigma \ddag = \emptyset $. For a formula $\alpha $ over $\varSigma $, we denote by $\alpha \ddag $ the formula over $\varSigma \ddag $ obtained by substituting each symbol $a\in \varSigma $ with $a\ddag \in \varSigma \ddag $.

First-order formulas are evaluated over pairs of structures and assignments. A structure for $\varSigma $ is a pair $s=(\mathcal {D},\mathcal {I})$ where $\mathcal {D}$ is a non-empty set called the domain, and $\mathcal {I}$ is an interpretation that maps each relation, constant and function symbol to an appropriate construct over $\mathcal {D}$. We denote by $\textrm{struct}(\varSigma ,\mathcal {D})$ the set of all structures over $\mathcal {D}$. An assignment $v$ from a sequence of variables ${\textbf{x}}$ to a domain $\mathcal {D}$ is a function $v: {\textbf{x}} \rightarrow \mathcal {D}$. We denote the set of all assignments from ${\textbf{x}}$ to $\mathcal {D}$ by $\textrm{assign}({\textbf{x}},\mathcal {D})$. We denote the concatenation of two sequences of variables ${\textbf{x}}$, ${\textbf{y}}$ by ${\textbf{x}}{\cdot }{\textbf{y}}$. For two assignments $u,v$ without shared variables, we denote by $u{\cdot }v$ the disjoint union of $u$ and $v$. We call a pair $(s,v)$ of a structure and an assignment an a-structure. For a domain $\mathcal {D}$ and a sequence of variables ${\textbf{x}}$ we denote the set of all a-structures by $\mathrm {a\text{- }struct}(\varSigma ,{\textbf{x}}, \mathcal {D})$. For a formula $\alpha $ and an a-structure $(s,v)$ we write $(s,v)\models \alpha $ to denote that $(s,v)$ satisfies $\alpha $.

Transition Systems in First-Order Logic. We consider transition systems given by a first-order specification $\mathcal {T}= (\varSigma ,\iota ,\tau )$ where $\varSigma $ is a signature, $\iota $ is a closed formula over $\varSigma $ that specifies initial states, and $\tau $ is a formula over a double signature $\varSigma \uplus \varSigma '$ that specifies transitions, where the symbols in $\varSigma $ represent the pre-state and the symbols in $\varSigma '$ represent the post-state of a transition. A trace of $\mathcal {T}$ is an infinite sequence of structures $(s_i)_{i=0}^\infty $ over the same domain such that $s_0$ is an initial state and for all $i\in \mathbb {N}$, there is a transition from $s_i$ to $s_{i+1}$.

Well-Founded Partial Orders. A binary relation $\le $ on a set A is a partial order if it is reflexive, antisymmetric and transitive. For a partial order we write $a_1 < a_2$ for $a_1\le a_2$ and $a_1 \ne a_2$. A partial order $\le $ is called well-founded if there is no sequence $a_0,a_1,\ldots $ such that $a_{i+1} < a_i$ for all $i\in \mathbb {N}$. We then refer to $\le $ as a wfpo for short¹. If $\le $ is a partial order on A and A is finite, then $\le $ is a wfpo.

4 Expressing Ranking in First-Order Logic

In this section we introduce the notion of implicit ranking. To motivate our definition, we start by considering the way rankings are typically used.

4.1 Using Ranking for Liveness Proofs

Well-founded rankings are useful for proving liveness properties of transition systems. A typical proof rule that uses rankings is based on two notions: a conservation of the ranking, corresponding to $\le $, and a reduction in the ranking, corresponding to <. As an example, we examine proving liveness properties of the form $\mathcal {P}= \square \lozenge r \rightarrow \lozenge q$. A transition system $\mathcal {T}=(\varSigma ,\iota ,\tau )$ satisfies $\mathcal {P}$ if every trace of $\mathcal {T}$ that satisfies r infinitely often eventually satisfies q (r can be understood as a fairness assumption). We can prove such a property by finding a ranking function f from states of the system to a set A with a wfpo $\le $ and a formula $\phi $, and validating the following premises: (i) $\iota \wedge \lnot q \rightarrow \phi $ (ii) $\phi \wedge \tau \wedge \lnot q' \rightarrow \phi '$ (iii) $ \phi \wedge \tau \wedge \lnot q' \rightarrow \varphi _{\le }$ (iv) $\phi \wedge \tau \wedge \lnot q' \wedge r \rightarrow \varphi _{<}$, where $\varphi _{\le },\varphi _{<}$ are formulas that encode conservation and reduction of f. (i) and (ii) assert that $\phi $ holds in all states in a trace as long as q does not hold. (iii) guarantees that in every transition that does not visit q we have conservation of f. (iv) states that in every transition following a visit to r we have a reduction in f. If all premises are valid, r cannot be visited infinitely often without eventually satisfying q, as that would induce an infinitely decreasing chain in f. We use a similar proof rule for more general liveness properties in our evaluation (Section 6).

The structure of the proof rule above reveals that for soundness, $\varphi _{\le }$ and $\varphi _{<}$ do not need to precisely capture conservation and reduction in the ranking. Instead, because $\varphi _{\le },\varphi _{<}$ appear only positively, it suffices that they underapproximate them, such that whenever a pair of states satisfies $\varphi _{\le }$, the value of f is conserved between them, and whenever a pair of states satisfies $\varphi _{<}$, the value of f is reduced between them. The implication in the other direction is not needed for soundness. This observation is key for encoding complex ranking arguments in FOL. It allows flexibility in encoding conservation and reduction, which is crucial in cases where these relations (as well as the ranking function itself) are not directly expressible in FOL, but their underapproximations are.

4.2 Implicit Ranking

This section formalizes the notion of an implicit ranking — a pair of formulas $\varphi _{\le },\varphi _{<}$ which, for every domain $\mathcal {D}$, encode underapproximations of conservation and reduction of some implicitly defined ranking function on structures with domain $\mathcal {D}$. For compositionality, we generalize this concept to pairs of a-structures.

Notation. The definition of an implicit ranking uses formulas that reason about a pair of a-structures. To that end, given a signature $\varSigma $ and a sequence of variables ${\textbf{x}} = ({x_{i}})_{i=1}^m$, we consider a double signature $\varSigma _0\uplus \varSigma _1$ and two copies of the variables ${\textbf{x}}_b = ({x_{b,i}})_{i=1}^m$ for $b \in \{0, 1\}$. Intuitively, $\varSigma _0$ and ${\textbf{x}}_0$ represent a “lower ranked” a-structure and $\varSigma _1$ and ${\textbf{x}}_1$ represent a “higher ranked” a-structure. For a term t with variables ${\textbf{x}}$, we denote by $t_b$ the term obtained by substituting $\varSigma _b$ for $\varSigma $ and ${\mathbf {x_b}}$ for ${\textbf{x}}$. With abuse of notation, we consider a structure $s= (\mathcal {D},\mathcal {I})$ for $\varSigma $ as a structure for $\varSigma _b$ where $\mathcal {I}(a_b) = \mathcal {I}(a)$ for every $a_b \in \varSigma _b$ and an assignment to ${\textbf{x}}$ as an assignment to ${\mathbf {x_b}}$ by defining $v(x_{b,i}) = v(x_i)$. For a formula $\varphi $ over $\varSigma _0\uplus \varSigma _1$ with free variables ${\mathbf {x_0}},{\mathbf {x_1}}$ and a-structures $(s_0,v_0),(s_1,v_1)\in \mathrm {a\text{- }struct}(\varSigma ,{\textbf{x}},\mathcal {D})$, we write $(s_0,v_0),(s_1,v_1)\models \varphi $ to denote satisfaction of $\varphi $ when for $b \in \{0,1\}$, the interpretation of $\varSigma _b$ is taken from $s_b$, and the assignment to ${\mathbf {x_b}}$ is taken from $v_b$.

Definition 1

(Implicit Ranking). Let $\varphi _{\le },{\varphi _{<}}$ be two formulas over $\varSigma _0\uplus \varSigma _1$. We say that $\textrm{Rk}=({\varphi _{\le }},{\varphi _{<}})$ is an implicit ranking with parameters ${\textbf{x}}$, if the free variables in $\varphi _{\le }$ and $\varphi _{<}$ are confined to ${{\textbf{x}}_0},{\mathbf {x_1}}$ and for any domain $\mathcal {D}$, there exist a set A, a wfpo $\le $ on A and a function $f: \mathrm {a\text{- }struct}(\varSigma ,{\textbf{x}},\mathcal {D}) \rightarrow A$, such that:

$$\begin{aligned} &(s_0,v_0),(s_1,v_1)\models \varphi _{\le }({\mathbf {x_0}},{\mathbf {x_1}}) \implies f(s_0,v_0) \le f(s_1,v_1)\\ &(s_0,v_0),(s_1,v_1)\models \varphi _{<}({\mathbf {x_0}},{\mathbf {x_1}}) \implies f(s_0,v_0) < f(s_1,v_1) \end{aligned}$$

For an implicit ranking $\textrm{Rk}$ and a domain $\mathcal {D}$, we call $(A,\le )$ a ranking range for $\mathcal {D}$ and f a ranking function for $\mathcal {D}$. If ${\textbf{x}}$ is empty, we call $\textrm{Rk}$ a closed implicit ranking. If the existence of $A,\le $ and f is ensured only for finite domains $\mathcal {D}$, we call $\textrm{Rk}$ an implicit ranking for finite domains.

The formulas $\varphi _{\le },\varphi _{<}$ encode relations between a-structures, which means that they let us compare specific elements in one state with possibly different elements in another state. Technically, this is achieved by the free variables in $\varphi _{\le }$ and $\varphi _{<}$. In proof rules, we only need to compare structures and thus only allow the use of closed implicit rankings. The use of free variables is needed for the construction of these rankings. In Section 5 we introduce constructors that create new implicit rankings from existing rankings, some of which eliminate free variables.

Definition 1 ensures that for each domain $\mathcal {D}$, the formulas $\varphi _{\le }$ and $\varphi _{<}$ underapproximate conservation and reduction of some ranking function over a-structures. The ranking function f and the corresponding ranking range are not explicitly encoded. As explained above, this allows us to find such formulas even if the exact conservation and reduction of f are not readily expressible in FOL. For example, for a function f that maps $s$ to the number of elements in $\mathcal {D}$ that satisfy a predicate $\alpha (x)$, there is no formula that precisely captures the conservation of f, but it can be approximated, say, by the formula $\forall x. \alpha _0(x)\rightarrow \alpha _1(x)$.

Closed implicit rankings can be used in proof rules such as the one above by substituting $\varSigma '$ (the post-state signature) for $\varSigma _0$ and $ \varSigma $ (the pre-state signature) for $\varSigma _1$. While implicit rankings ensure reduction/conservation in a possibly different function for each domain, they are sound to use as all states along a trace of a transition system share a domain. In the case of implicit rankings for finite domains, soundness is guaranteed for systems where the domain is finite in each trace, but still unbounded.

5 Constructions of Implicit Rankings

We introduce several constructors for implicit rankings, that can be instantiated and composed to create a rich family of implicit rankings. Our constructors essentially encode standard constructions of partial orders. Each constructor has its own arguments, which may themselves be implicit rankings. Some constructors only construct implicit rankings for finite domains. These are called finite-domain constructors. For other constructors, whether the constructed implicit ranking is for arbitrary or finite domains is inherited from the implicit rankings used as arguments for the constructor. We provide the following guarantees.

Theorem 1

All constructors defined in this section are sound in the sense that (i) if the arguments of a constructor satisfy their assumptions, then the output of the constructor is an implicit ranking (for finite domains if the constructor is finite-domain), and (ii) for constructors that receive implicit rankings as arguments, if at least one of the arguments is an implicit ranking for finite domains, so is the constructed implicit ranking.

Due to space considerations we defer soundness proofs to [27]. We give only the crux of the proofs: the definitions of ranking range and ranking function for the constructed implicit ranking given these notions for the arguments of the constructor.

5.1 Base Constructors

We start by introducing two non-recursive constructors, which are used as the base in recursive constructions of implicit rankings.

Binary Constructor. The first constructor we define captures a binary ranking function, mapping each a-structure $(s,v)$ to 0 or 1 (ordered $0 \le 1$) by checking whether $(s,v)$ satisfies a formula $\alpha $. In this case, reduction is obtained if $\alpha $ holds in the higher-ranked a-structure and does not hold in the lower-ranked a-structure. Conservation also includes the case where $\alpha $ holds in both or in neither.

Constructor 1

The binary constructor receives a formula $\alpha ({\textbf{x}})$ over $\varSigma $. It returns an implicit ranking $\textrm{Bin}(\alpha )=(\varphi _{\le },\varphi _{<})$ with parameters ${\textbf{x}}$ defined by:

$$\begin{aligned} \varphi _{\le }({\mathbf {x_0}},{\mathbf {x_1}}) = \alpha _0({\mathbf {x_0}}) \rightarrow \alpha _1({\mathbf {x_1}}) \qquad {\varphi _{<}}({\mathbf {x_0}},{\mathbf {x_1}}) = \alpha _1({\mathbf {x_1}}) \wedge \lnot \alpha _0({\mathbf {x_0}}) \end{aligned}$$

Example 3

Continuing with Example 1, for $\alpha (i,j)=\textrm{priv}(i) \wedge \textrm{lt}(i,j)$, $\textrm{Bin} (\alpha )$ is an implicit ranking with parameters i, j, capturing reduction and conservation in the ranking between a pair of machines $(i_1,j_1)$ in the higher-ranked structure and a potentially different pair $(i_0,j_0)$ in the lower-ranked structure. The need for comparing different pairs in different structures is demonstrated in Example 1.

Position-in-Order Constructor. The second base constructor, which is a finite-domain constructor, utilizes an already existing (possibly derived) partial order in the system itself, building on the observation that a partial order over a finite domain is always well-founded. The order is defined by a single signature formula $\ell ({\mathbf {y_0}},{\mathbf {y_1}})$, which allows comparing two (tuples of) elements. To guarantee soundness we must verify that $\ell ({\mathbf {y_0}},{\mathbf {y_1}})$ defines a strict order, and that it is immutable, i.e., does not change between the ranked structures , encoded by:

$$\begin{aligned} \textrm{order}(\ell ) := \ & (\forall {\mathbf {y^1}},{\mathbf {y^2}}. \ell _0({\mathbf {y^1}},{\mathbf {y^2}})\leftrightarrow \ell _1({\mathbf {y^1}},{\mathbf {y^2}})) \ \wedge \\ &(\forall {\mathbf {y^1}},{\mathbf {y^2}}. \ell _0({\mathbf {y^1}},{\mathbf {y^2}})\rightarrow \lnot \ell _0({\mathbf {y^2}},{\mathbf {y^1}})) \wedge \\ &(\forall {\mathbf {y^1}},{\mathbf {y^2}},{\mathbf {y^3}} . \ell _0({\mathbf {y^1}},{\mathbf {y^2}}) \wedge \ell _0({\mathbf {y^2}},{\mathbf {y^3}}) \rightarrow \ell _0({\mathbf {y^1}}, {\mathbf {y^3}})) \end{aligned}$$

If $s_0,s_1\models \textrm{order}(\ell )$ the interpretation of $\ell $ in $s_0$ coincides with its interpretation in $s_1$ and both define a strict partial order on the set $\textrm{assign}({\textbf{y}},\mathcal {D})$, where $\mathcal {D}$ is the domain of $s_0$ and $s_1$. Then, if $\mathcal {D}$ is finite, this order is a wfpo. The position-in-order constructor uses $\ell $ to create an implicit ranking that compares the valuation of the same term (or sequence of terms) ${\textbf{t}}$ in the two structures. The term may include free variables, allowing to compare valuations under different assignments in the two structures. The underlying ranking function maps an a-structure to its interpretation of $\ell $ together with the valuation it assigns to ${\textbf{t}}$.

Constructor 2

The position-in-order constructor receives a formula $\ell ({\mathbf {y_0}},{\mathbf {y_1}})$ over $\varSigma $ and a sequence of terms ${\textbf{t}}({\textbf{y}})$ over $\varSigma $ with $|{\textbf{t}}|=|{\textbf{y}}|$. It returns an implicit ranking for finite domains $\textrm{Pos}({\textbf{t}},\ell )=(\varphi _{\le },\varphi _{<})$ with parameters ${\textbf{y}}$ defined by:

$$\textstyle {\varphi _{\le }}({\mathbf {y_0}} ,{\mathbf {y_1}}) = \textrm{order}(\ell ) \ \wedge \ (\ell _0({\mathbf {t_0}},{\mathbf {t_1}}) \ \vee \ {\mathbf {t_0}} = {\mathbf {t_1}}) \qquad {\varphi _{<}}({\mathbf {y_0}} ,{\mathbf {y_1}}) = \textrm{order}(\ell ) \ \wedge \ \ell _0({\mathbf {t_0}},{\mathbf {t_1}}) $$

Example 4

Continuing with Example 2, define $\ell (i_0,i_1) = \textrm{lt}(i_0,i_1)$, and $t = \textrm{ptr}$. Then $\textrm{Pos}(t,\ell )$ is a closed implicit ranking for finite domains, where the ranking is based on the position of the pointer in the different structures.

5.2 Constructors for Aggregation of Finitely Many Rankings

We now present constructors which receive as input a finite number of implicit rankings and create an implicit ranking that mimics aggregation of the underlying ranking ranges and functions. These constructors are based on standard ways to lift partial orders on sets to a partial order on their Cartesian product.

Pointwise Constructor. For partially-ordered sets $A_1,\ldots ,A_m$ with partial orders $\le _1,\ldots ,\le _m$ respectively, the pointwise partial order $\le _{\text {pw}}$ on the set $A_1\times \cdots \times A_m$ is defined by $(a_1,\ldots ,a_m)\le _{\text {pw}} (b_1,\ldots ,b_m) \iff \bigwedge _i a_i\le _i b_i$. If the orders $\le _1,\ldots ,\le _m$ are wfpos then so is $\le _{\text {pw}}$. The following constructor encodes this in FOL to aggregate rankings. A corresponding ranking function is defined by $f(s,v) = (f_1(s,v),\ldots ,f_m(s,v))$, where $f_i$ is a ranking function to $A_i$.

Constructor 3

The pointwise constructor receives implicit rankings $\textrm{Rk}^i=(\varphi _{\le }^{i},\varphi _{<}^{i})$ for $i=1,\ldots ,m$, each with parameters ${\textbf{x}}$. It returns an implicit ranking $\textrm{PW}(\textrm{Rk}^1,\ldots ,\textrm{Rk}^m) = ({\varphi _{\le }},{\varphi _{<}})$ with parameters ${\textbf{x}}$ defined by:

$ {\varphi _{\le }}({\mathbf {x_0}},{\mathbf {x_1}}) = \bigwedge _{i} \varphi _{\le }^{i}({\mathbf {x_0}},{\mathbf {x_1}}) \qquad {\varphi _{<}}({\mathbf {x_0}},{\mathbf {x_1}}) = {\varphi _{\le }}({\mathbf {x_0}},{\mathbf {x_1}}) \wedge \bigvee _{i} \varphi _{<}^{i}({\mathbf {x_0}},{\mathbf {x_1}}) $

Lexicographic Constructor. A different partial order on $A=A_1\times \cdots \times A_m$ can be defined by the lexicographic ordering: $(a_1,\ldots ,a_m)\le _{\text {lex}} (b_1,\ldots ,b_m) \iff \bigvee _i (a_i <_i b_i \wedge \bigwedge _{j<i} (a_j \le _j b_j)) \vee (\bigwedge _i a_i \le _i b_i)$. Again, if $\le _i$ are all wfpos, then so is $\le _{\text {lex}}$. The Lexicographic Constructor encodes this idea in FOL. A corresponding ranking function is defined as for the pointwise constructor.

Constructor 4

The lexicographic constructor receives implicit rankings $\textrm{Rk}^i=(\varphi _{\le }^{i},\varphi _{<}^{i})$ for $i=1,\ldots ,m$, each with parameters ${\textbf{x}}$. It returns an implicit ranking $\textrm{Lex}(\textrm{Rk}^1,\ldots ,\textrm{Rk}^m) = ({\varphi _{\le }},{\varphi _{<}})$ with parameters ${\textbf{x}}$ defined by:

$$\begin{aligned} \begin{array}{rl} {\varphi _{<}}({\mathbf {x_0}},{\mathbf {x_1}}) & = \bigvee \nolimits _{i} (\varphi _{<}^{i}({\mathbf {x_0}},{\mathbf {x_1}}) \wedge \bigwedge \nolimits _{j<i} \varphi _{\le }^{j}({\mathbf {x_0}},{\mathbf {x_1}}) ) \\ \varphi _{\le }({\mathbf {x_0}},{\mathbf {x_1}}) & ={\varphi _{<}}({\mathbf {x_0}},{\mathbf {x_1}}) \vee \bigwedge \nolimits _{i} \varphi _{\le }^{i}({\mathbf {x_0}},{\mathbf {x_1}}) \end{array} \end{aligned}$$

5.3 Constructors for Domain-Based Aggregations of Rankings

We now turn to present constructors that encode domain-based aggregations of rankings. As demonstrated in Example 1, such aggregations can sometimes replace summations and cardinalities of sets in ranking arguments. These are constructors that receive as input an implicit ranking $(\varphi _{\le },\varphi _{<})$ with parameters ${\textbf{x}}$, partitioned to ${\textbf{x}} = {\textbf{y}} {\cdot }{\textbf{z}}$. and return an implicit ranking with parameters ${\textbf{z}}$, for which the conservation and reduction depend on the aggregation of the results of $\varphi _{\le }$ and $\varphi _{<}$ for different values of ${\textbf{y}}$ in the domain. This is established by quantifying over ${\textbf{y}}$. To do so, we use generalizations of the partial-order constructions we saw in Section 5.2 to sets of functions. Due to the nature of these constructions, the soundness of the produced rankings depends on the finiteness of the domain, so these constructors are finite-domain constructors.

Domain-Pointwise Constructor. For a partially-ordered set $(A, \le _A)$ and a set Y, we can lift $\le _A$ to a pointwise partial order on the set of functions $Y\rightarrow A$: for any $a,b\in Y\rightarrow A$ we have $a\le _{\text {pw}} b \iff \forall y\in Y. a(y)\le _A b(y)$. If the order $\le _A$ is a wfpo and Y is finite then $\le _{\text {pw}}$ is a wfpo. In our case the set Y is the set of assignments to ${\textbf{y}}$ over some finite domain. The next constructor encodes this idea in FOL in a straight-forward way: conservation of the aggregated ranking occurs when we have conservation of the input ranking for all values of ${\textbf{y}}$, and reduction is achieved when, additionally, there is some value of ${\textbf{y}}$ for which we have reduction of the input rank. A corresponding ranking function to $\textrm{assign}({\textbf{y}},\mathcal {D})\rightarrow A$ is defined by $f(s,v)=\lambda u\in \textrm{assign}({\textbf{y}}, \mathcal {D}). f_A(s,u{\cdot }v)$ where $f_A$ is a ranking function to A.

Constructor 5

The domain-pointwise constructor receives an implicit ranking $\textrm{Rk}^\circ =(\varphi _{\le }^{\circ },\varphi _{<}^{\circ })$ with parameters ${\textbf{x}} = {\textbf{y}}{\cdot }{\textbf{z}}$. It returns an implicit ranking for finite domains $\textrm{DomPW}(\textrm{Rk}^{\circ },{\textbf{y}}) = ({\varphi _{\le }},{\varphi _{<}})$ with parameters ${\textbf{z}}$ defined by:

$$\begin{aligned} \begin{array}{ll} & {\varphi _{\le }}({\mathbf {z_0}},{\mathbf {z_1}}) = \forall {{\textbf{y}}}. \varphi _{\le }^{\circ }({\textbf{y}} {\cdot }{\mathbf {z_0}}, {\textbf{y}} {\cdot }{\mathbf {z_1}})\\ & {\varphi _{<}}({\mathbf {z_0}},{\mathbf {z_1}}) = {\varphi _{\le }}({\mathbf {z_0}}, {\mathbf {z_1}}) \wedge (\exists {\textbf{y}}. {\varphi _{<}^{\circ }}( {\textbf{y}} {\cdot }{\mathbf {z_0}}, {\textbf{y}} {\cdot }{\mathbf {z_1}} )) \end{array} \end{aligned}$$

Next we demonstrate how DomPW can be used to approximate set cardinalities.

Example 5

For a formula with one free variable $\alpha (x)$, if we take $\textrm{Rk}^{\circ }=\textrm{Bin}(\alpha )$, the implicit ranking for finite domains $\textrm{Rk}= \textrm{DomPW}(\textrm{Rk}^{\circ },x)=(\varphi _{\le },\varphi _{<})$ approximates the cardinality of the set of elements that satisfy $\alpha $: if structures $s_0,s_1$ are such that $s_0,s_1\models \varphi _{<}$, we have that the set of elements that satisfy $\alpha $ in $s_0$ is a strict subset of that in $s_1$, and so we have reduction in cardinality. This does not capture cardinality precisely, and we can encode a more precise approximation using Const. 6.

Example 6

Taking $\textrm{Rk}^{\circ } = \textrm{Bin}(\textrm{priv}(i)\wedge \textrm{lt}(i,j))$ from Example 3, the implicit ranking for finite domains $\textrm{DomPW}(\textrm{Rk}^\circ ,j)=(\varphi _{\le },\varphi _{<})$ aggregates over j but still has i as a parameter. This lets us compare cardinalities of the sets of machines associated with two different machines described by $i_0$ and $i_1$.

Domain Permuted-Pointwise Constructor. The following constructor is a relaxation of Const. 5, based on the notion of a permuted pointwise order, meant to capture cases where two functions are almost pointwise-ordered but some permutation of the inputs is required. For a set Y, a partially-ordered set A, and two functions $a,b\in Y\rightarrow A$, we say that $a \le _{\text {perm}} b$ if there exists a bijection $\sigma $ on Y such that $a \le _{\text {pw}} b\circ \sigma $. The result, $\le _{\text {perm}}$, is a preorder on $Y\rightarrow A$. It induces a partial order on the quotient set of $Y\rightarrow A$ w.r.t. $\equiv _{\text {perm}}$ in the usual way. If $(A,\le _A)$ is a wfpo and Y is finite, $\le _{\text {perm}}$ is a wfpo on the quotient set of $Y\rightarrow A$ . In our case $Y = \textrm{assign}({\textbf{y}}, \mathcal {D})$ and a ranking function $f_A$ to A can be lifted to a ranking function to the quotient set of $\textrm{assign}({\textbf{y}}, \mathcal {D}) \rightarrow A$ by defining $f(s,v)= [\lambda u\in \textrm{assign}({\textbf{y}}, \mathcal {D}). f_A(s,u{\cdot }v)]_{\equiv _{\text {perm}}}$.

The above order is not directly first-order definable — we cannot capture the existence of a permutation $\sigma $ as this would require second order quantification. Instead, the permuted-pointwise constructor under-approximates and encodes only the cases where $\sigma $ is composed of transpositions of at most a constant number k of pairs of elements ${\mathbf {y^1_{\scriptstyle \rightarrow }}},{\mathbf {y^1_{\scriptstyle \leftarrow }}},\ldots ,{\mathbf {y^k_{{\scriptstyle \rightarrow }}}},{\mathbf {y^k_{\scriptstyle \leftarrow }}}$ as follows: $\sigma ({\mathbf {y^i_{\scriptstyle \rightarrow }}})={\mathbf {y^i_{\scriptstyle \leftarrow }}}$ and $\sigma ({\mathbf {y^i_{\scriptstyle \leftarrow }}})={\mathbf {y^i_{\scriptstyle \rightarrow }}}$ for $i=1,\ldots ,k$ and $\sigma ({\textbf{y}})={\textbf{y}}$ for any other ${\textbf{y}}$. To ensure that $\sigma $ is a well-defined permutation we require that for every $i\ne j$ we have ${{\textbf{y}}^i_{\scriptstyle \rightarrow }}\ne {{\textbf{y}}^j_{\scriptstyle \rightarrow }}$,${{\textbf{y}}^i_{\scriptstyle \leftarrow }}\ne {{\textbf{y}}^j_{\scriptstyle \leftarrow }} $ and $ {{\textbf{y}}^i_{\scriptstyle \rightarrow }}\ne {{\textbf{y}}^j_{\scriptstyle \leftarrow }}$. We can then capture $\sigma ({\textbf{y}})$ for any ${\textbf{y}}$ by a term ${\textbf{y}}_\sigma $ (see below), and encode reduction or conservation according to $\sigma $ by comparing ${\textbf{y}}$ to ${\textbf{y}}_\sigma $ with the input implicit ranking. (Notably, this is the only constructor that uses the input implicit ranking to compare different elements.) While this is only an approximation, we have found it captures several interesting cases, such as the one needed to verify Example 1.

Constructor 6

The domain permuted-pointwise constructor receives an implicit ranking $\textrm{Rk}^\circ =(\varphi _{\le }^{\circ },\varphi _{<}^{\circ })$ with parameters ${\textbf{x}} = {\textbf{y}}{\cdot }{\textbf{z}}$, and $k\in \mathbb {N}$. It returns an implicit ranking for finite domains $\textrm{DomPerm}(\textrm{Rk}^\circ ,{\textbf{y}},k)=({\varphi _{\le }},{\varphi _{<}})$ with parameters ${\textbf{z}}$ defined by:

$$\begin{aligned} \begin{array}{l} \varphi _{\le }({\mathbf {z_0}},{\mathbf {z_1}}) = \tilde{\exists }\sigma . \ \forall {\textbf{y}}. \ \varphi _{\le }^{\circ }({\textbf{y}} {\cdot }{\mathbf {z_0}}, {\mathbf {y_\sigma }} {\cdot }{\mathbf {z_1}} )\\ \varphi _{<}({\mathbf {z_0}},{\mathbf {z_1}}) = \tilde{\exists }\sigma . \ \forall {\textbf{y}}. \ \varphi _{\le }^{\circ }({\textbf{y}} {\cdot }{\mathbf {z_0}}, {\mathbf {y_\sigma }} {\cdot }{\mathbf {z_1}} ) \wedge \exists {\textbf{y}}. \ \varphi _{<}^{\circ }({\textbf{y}} {\cdot }{\mathbf {z_0}}, {\mathbf {y_\sigma }} {\cdot }{\mathbf {z_1}} ) \end{array} \end{aligned}$$

where:

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-031-90643-5_20/MediaObjects/648515_1_En_20_Figc_HTML.gif

Next, we demonstrate how DomPerm can approximate sums over unbounded sets and weighted set cardinalities. We expand on the relation to sums in [27].

Example 7

Continuing with Example 6, taking $\textrm{Rk}^{\circ } = \textrm{DomPW}(\textrm{Bin}(\textrm{priv}(i)\wedge \textrm{lt}(i,j)),j)$, $\textrm{Rk}= \textrm{DomPerm}(\textrm{Rk}^{\circ },i,1)$ is an implicit ranking that captures the reduction argument described in Example 1. In particular, the aggregation captured by the permuted-pointwise constructor replaces an unbounded summation. The reduction formula listed in Example 1 is slightly simplified compared to $\textrm{Rk}$ produced by $\textrm{DomPerm}$ above: it includes only the nontrivial disjuncts of the $\textrm{ite}$ expressions, and it uses $\textrm{skd},\textrm{skd}+1$ in place of the existential quantifier.

Example 8

Consider a ranking function $|\{x\mid \alpha (x)\}|+2|\{x\mid \beta (x)\}|$, where $\alpha $ and $\beta $ are two predicates, and consider the case where conservation of ranking between states $s_0,s_1$ holds due to ‘mixing’ of the predicates, for example “exchanging” one element $x^0$ that satisfies $\beta $ in $s_0$ with two elements $x^1,x^2$ that satisfy $\alpha $ in $s_1$. We can use the DomPerm constructor to capture such a ranking argument. We first add to the signature of the transition system an enumerated sort type with three values: $\textrm{type}_\alpha ,\textrm{type}_\beta ^1,\textrm{type}_\beta ^2$. We then define the unified predicate $\gamma (x,ty)=(ty=\textrm{type}_\alpha \wedge \alpha (x))\vee ( (ty=\textrm{type}_\beta ^1 \vee ty=\textrm{type}_\beta ^2 )\wedge \beta (x) )$. This can be understood as introducing one copy of the domain for $\alpha $ and two copies for $\beta $, and interpreting each of $\alpha $ and $\beta $ over the copies relevant to them. Finally, we consider $\textrm{Rk}= \textrm{DomPerm}(\textrm{Bin}(\gamma ),(x,ty),2)=(\varphi _{\le },\varphi _{<})$. To see that the aforementioned pair of states indeed satisfies the resulting conservation formula, i.e., $(s_0,s_1)\models \varphi _{\le }$, consider the permutation defined by ${\mathbf {y^1_{\scriptstyle \leftarrow }}}=(x^0,\textrm{type}^1_\beta ), {\mathbf {y^2_{\scriptstyle \leftarrow }}}=(x^0,\textrm{type}^2_\beta ), {\mathbf {y^1_{\scriptstyle \rightarrow }}}=(x^1,\textrm{type}_\alpha ), {\mathbf {y^2_{\scriptstyle \rightarrow }}}=(x^2,\textrm{type}_\alpha )$.

Remark 1

Our decision to focus on permutations obtained by transpositions in our first-order encoding was motivated by examples such as Example 8. There are of course other classes of permutations that can be encoded in first-order logic and would also result in a sound approximation of $\le _{\text {perm}}$.

Note that Const. 5 (domain-pointwise) can be understood as a special case of Const. 6 obtained by considering the degenerate case $k=0$.

Domain-Lexicographic Constructor. The following constructor is an analog of Const. 4, where instead of aggregation based on the order of indices of the given rankings, we aggregate based on a partial order on $\textrm{assign}({\textbf{y}},\mathcal {D})$. To that end we rely on an already-existing order in the system, encoded by a single signature formula $\ell ({\mathbf {y_0}},{\mathbf {y_1}})$, and axiomatized as in Const. 2.

For a partially-ordered set A with a partial order $\le _A$ and a set Y with a wfpo $\le _Y$, the set of functions $Y\rightarrow A$ can be ordered by the lexicographic partial order: for any $a,b\in Y\rightarrow A$ we have $a\le _{\text {lex}}~b \iff a(y) \le _A b(y)$ for all minimal elements of the set $\{y\in Y \mid a(y)\ne b(y)\}$ (for $a\ne b$, this set is not empty, because $\le _{Y}$ is a wfpo). Equivalently, for every $y\in Y$ such that $a(y)\not \le _A b(y)$ there exists $y^*$ such that $y^* <_Y y$ with $a(y^*) <_A b(y^*)$. Additionally, if $\le _A$ is a wfpo and Y is finite, $\le _{\text {lex}}$ is a wfpo. The constructor encodes this in a straight-forward way: the set Y is $\textrm{assign}({\textbf{y}}, \mathcal {D})$ and $<_Y$ is given by $\ell $. A corresponding ranking function can be defined by the interpretation of $\ell $ as in Const. 2 combined with $\lambda u\in \textrm{assign}({\textbf{y}}, \mathcal {D}). f_A(s,u{\cdot }v)$ as in Const. 5.

Constructor 7

The domain-lexicographic constructor receives an implicit ranking $\textrm{Rk}^\circ =(\varphi _{\le }^{\circ },\varphi _{<}^{\circ })$ with parameters ${\textbf{x}} = {\textbf{y}}{\cdot }{\textbf{z}}$, and a formula $\ell ({\mathbf {y_0}},{\mathbf {y_1}})$ over $\varSigma $. It returns an implicit ranking for finite domains $\textrm{DomLex}(\textrm{Rk}^\circ ,{\textbf{y}}, \ell )=({\varphi _{\le }},{\varphi _{<}})$ with parameters ${\textbf{z}}$ defined by:

$$\begin{aligned} {\varphi _{\le }}({\mathbf {z_0}},{\mathbf {z_1}}) & = \textrm{order}(\ell )\wedge \forall {\textbf{y}}. (\varphi _{\le }^{\circ }({\textbf{y}}{\cdot }{\mathbf {z_0}}, {\textbf{y}}{\cdot }{\mathbf {z_1}}) \vee \exists {\mathbf {y^*}}. ( \ell _0({\mathbf {y^*}},{\textbf{y}}) \wedge \varphi _{<}^{\circ }({\mathbf {y^*}}{\cdot }{\mathbf {z_0}}, {\mathbf {y^*}}{\cdot }{\mathbf {z_1}}) ) ) \\ {\varphi _{<}}({\mathbf {z_0}},{\mathbf {z_1}}) & = {\varphi _{\le }}({\mathbf {z_0}}, {\mathbf {z_1}}) \wedge (\exists {\textbf{y}}. {\varphi _{<}^{\circ }}( {\textbf{y}} {\cdot }{\mathbf {z_0}}, {\textbf{y}} {\cdot }{\mathbf {z_1}} )) \end{aligned}$$

Example 9

Continuing with Example 2, define a formula $\alpha (i)$ which is set to true if the array holds a 1 in index i, and take $\textrm{Rk}^{\circ } = \textrm{Bin}(\alpha )$. Take, as in Example 4, $\ell (i_0,i_1) = \textrm{lt}(i_0,i_1)$. Then, $\textrm{Rk}= \textrm{DomLex}(\textrm{Rk}^{\circ },i,\ell )$ captures lexicographic reduction of values in the array, akin to reduction in a binary counter. Compared to the formula given above, the reduction formula in Example 2 is simplified by the fact that the order given by $\ell $ is total, which need not be the case in general.

Note that Const. 5 (domain-pointwise) can be understood as a special case of Const. 7 obtained by considering the degenerate case $\ell ({\mathbf {y_0}},{\mathbf {y_1}}) = \textrm{false}$.

6 Implementation and Evaluation

To explore the power of the implicit rankings defined by our constructors we implemented a deductive verification procedure for liveness properties of the form $(\bigwedge _i \forall {\textbf{x}}. \square \lozenge r_i(\textbf{x})) \rightarrow \square (p \rightarrow \lozenge q)$ where $r_i$ are parameterized fairness assumptions, based on a proof rule given in [27]. Our implementation, available at [28], is based on the Z3 [32] Python API. It takes as input a first-order transition system, a liveness property, a closed implicit ranking defined using the constructors of Section 5 and the other formulas required for applying the proof rule. Given the above, we automatically construct the implicit ranking formulas $\varphi _{<},\varphi _{\le }$ defined by the constructors and use Z3 to validate the premises of the rule. Some of the domain-based constructors create formulas with quantifier alternations, which may be challenging for solvers. We thus allow the user to provide hint terms for the existential quantifiers in the declaration of such constructors. We replace the existential quantification with disjunction over formulas substituted with these terms in the solver queries (this is sound since the implicit ranking formulas appear only positively in the proof rule and in recursive constructors).

Results. We evaluate our tool on a suite of examples from previous works, listed below. We use Z3 version 4.12.2.0, run on a laptop running Windows with a Core-i7 2.8 GHz CPU. All examples are successfully verified within 10 minutes. Below we describe the examples. For each, we note whether the validation of the premises required user-provided hint terms for the existential quantifiers introduced by the constructors. In all examples we use finite-domain constructors, which assume a finite (but unbounded) semantics for the domain of the relevant sorts. In some examples, such as our two motivating examples, there are no fairness assumptions, in which case we use $\square \lozenge \textrm{true}$ as a fairness assumption; this amounts to assuming totality of the transition relation, which indeed holds in these examples. Some of the more complicated examples additionally require some abstraction techniques. We expand more on each example and these technical details in the full version of the paper [27].

Toy Stabilization (Example 1). The ranking argument described in Section 2 is captured by an implicit ranking defined by DomPerm(DomPW(Bin)).

Binary Counter (Example 2). The ranking argument described in Section 2 is captured by an implicit ranking defined using Lex(DomLex(Bin),Pos).

Token Ring. A mutual exclusion protocol [15] where a token moves around a ring, allowing its holder to enter the critical section. We show that every machine that tries to enter the critical section eventually does. We use an implicit ranking defined by DomLex(Lex(Bin,Bin,Bin)) capturing the linear movement of the token along the ring and changes in local state of the token’s holder.

Leader Ring. The Chang-Roberts algorithm for leader election in a ring [5], with first-order modeling and invariants based on [17, 38]. The liveness property is that eventually a leader is elected. We use an implicit ranking defined by Lex(DomPW(Bin),DomLex(Bin)), where DomPW(Bin) is used to track the cardinality of the set of machines that did not yet send their id, and DomLex(Bin) tracks the movement of messages around the ring.

SAT Backtracking. We verify termination of a naive backtracking search algorithm for solving boolean satisfiability. The implicit ranking is given by Lex(DomLex(Bin),PW(DomPW(Bin),DomPW(Bin))) keeping track of the current assignment that is reduced lexicographically when we change assignment, and the number of steps required until progressing to the next assignment which corresponds to the number of variables that are yet to be assigned true, and those that are yet to be assigned false.

SAT Backjumping. Termination of an abstraction of the CDCL algorithm for solving boolean satisfiability [2, 30], taken from [33]. The algorithm non-deterministically applies decisions, unit propagations, backjumping and learning. We use an implicit ranking, based on the proof in [33] defined by $\mathrm {Lex(\textrm{Rk}^1,\textrm{Rk}^2)}$ where $\textrm{Rk}^1 = \mathrm {DomLex(DomPW(Bin)))}$ tracks for each decision level the number of assignments made in it, and $\textrm{Rk}^2 = \mathrm {DomPW(Bin)}$ tracks the number of assigned variables.

Self-Stabilization Protocols. We verify several self-stabilizing protocols [13]. In these protocols, a set of machines is organized in a line/ring. Each machine holds some local value(s). Privileges are assigned to machines according to relations between a machine’s values and its neighbors’ values. In every transition a privileged machine changes its local values, such that it loses its privilege and a new privilege may be created for one of its neighbors. The protocols differ in how the privileges are defined and updated. For each protocol we show that eventually a unique privilege is present (stabilization) and that starting with a unique privilege, every machine gets a privilege infinitely often (fairness).

Dijkstra’s k-State Protocol. In this protocol a designated machine $\textrm{bot}$ can introduce new values into the ring. We prove stabilization by proving three lemmas (based on [19, 23]): (1) machine $\textrm{bot}$ is eventually scheduled, (2) if $\textrm{bot}$ is scheduled infinitely often then eventually $\textrm{bot}$ holds a unique value in the ring and (3) if $\textrm{bot}$ holds a unique value in the ring eventually there is a unique privilege in the ring. The implicit ranking required for properties (1) and (3) is the same and has structure DomLex(Bin), tracking the movement of privileges towards $\textrm{bot}$ according to the ring order. The implicit ranking for property (2) has structure DomPW(Bin), aggregating over values to capture the distance between $\textrm{bot}$’s value and a new value. Fairness is proven similarly to (1).

Dijkstra’s 4-State Protocol. In this protocol two kinds of privileges can be derived for every machine. The different privileges move in different directions. We base our proof on [12]. The implicit ranking for proving stabilization is given by a lexicographic pair $\textrm{Lex}(\textrm{Rk}^1,\textrm{Rk}^2)$ where $\textrm{Rk}^1$ has structure DomPerm(Bin), capturing the number of privileges of both kinds. $\textrm{Rk}^2$ has structure DomPerm(PW(DomPW(Bin),DomPW(Bin))) which captures a bound on the number of moves required from all machines until a privilege is lost. For this implicit ranking we used simple hint terms as described above, replacing existential quantification with instantiation of $\textrm{skd},\mathrm {skd.next}$ or $\mathrm {skd.prev}$. The structure of implicit ranking we use for fairness is $\textrm{Lex}(\textrm{Rk}^1,\textrm{Rk}^2,\textrm{Rk}^3)$ with each $\textrm{Rk}^i$ tracking a movement of some privilege in some direction using $\mathrm {DomLex(Bin)}$.

Ghosh’s 4-State Protocol. A simplification of Dijkstra’s 4-state protocol [20]. The implicit ranking we use is an appropriate modification of the above.

Dijkstra’s 3-State Protocol. The implicit ranking we use for proving stabilization is a direct encoding of the ranking function given in [25] (See also [14]) This ranking is a 4-argument lexicographic ranking $\textrm{Lex}(a,b,c,d)$. a captures a weighted sum of set cardinalities by $\textrm{DomPerm}(\textrm{Bin})$ with $k=4$ as in Example 8. This generates premises with 18 existential quantifiers requiring complicated hints to validate. b and c are $\textrm{DomPerm}(\textrm{Bin})$ capturing set cardinalities and d captures the number of steps until reduction in either a, b, or c, encoded using composition of DomPerm and DomPW. The ranking for fairness is similar.

Numerous approaches for liveness verification have been proposed in the literature, including abstraction techniques [6, 23], liveness to safety reductions [4, 10, 35, 36], rich proof structures [11, 16, 39, 47], and more [21, 42]. Our work considers verification based on the classical notion of ranking functions [18, 44]. Many proof rules based on ranking functions have been suggested, e,g., [7, 15, 29, 31, 41]. As explained in Section 4.1, our constructions of implicit rankings can be used in any rule that requires conservation and reduction of rank. In contrast to [9, 22, 40, 45, 46, 48] which automate the search for ranking functions, we focus on expanding the class of ranking functions that can be used and leave automation for future work. We now turn to expand on the most relevant recent works.

The closest work to ours is [31], which uses relational rankings or fixed-size lexicographic tuples of them as ranking functions in liveness proofs for first-order transition systems. Relational rankings count the number of elements that satisfy some predicate, and their reduction and conservation are measured approximately in a pointwise fashion. Relational rankings can be captured by our constructors, specifically $\textrm{DomPW}(\textrm{Bin})$, but our constructors induce a richer family of rankings and offer more expressiveness, sometimes, at the expense of more complex quantifier structure. On the other hand, [31] does not assume finiteness, but proves that the set considered is finite at any time. Generalizing our finite-domain constructors to this setting is not trivial, and is a subject for future work. The proof rule of [31] also allows modular temporal reasoning. The definition of implicit ranking we offer can also be used in such a proof rule.

The approach of [48] focuses on automating the search for a ranking function for protocols modeled in FOL. They automatically synthesize integer-valued polynomial ranking functions from integer variables that appear in the protocol specification, fairness variables and cardinalities of sets defined by predicates (some of which are user-provided). Similarly to our domain-based aggregations, they assume finiteness of certain domains. While we use the assumption implicitly, they introduce integer variables that bound the finite cardinalities. In both [31] and [48], only rankings that are polynomial in the cardinality of the domain can be used, which cannot capture Example 2. Additionally, their domain-based aggregations, which are limited to cardinalities of sets, cannot be recursively composed, which is needed for examples such as Example 1.

The approach of [35, 36] is based on a liveness-to-safety reduction that uses a dynamic finite abstraction to reduce liveness to acyclicity of traces. The reduction is encoded via a monitor that augments the original system. Liveness is established by showing an arbitrary monitored state called the saved state is never revisited. While very general, the approach is difficult to use since one has to find an invariant of the augmented system that justifies that the current state is never equal to the saved state. Our implicit rankings can be understood as a natural way to describe such two-state invariants instead of reasoning about an augmented system. This also makes them more amenable to automation.

Acknowledgement

We thank Neta Elad and Eden Frenkel for helpful discussions. The research leading to these results has received funding from the European Research Council under the European Union’s Horizon 2020 research and innovation programme (grant agreement No [759102-SVIS]). This research was partially supported by the Israeli Science Foundation (ISF) grant No. 2117/23.

Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Vorheriges Kapitel Extracting Linear Relations from Gröbner Bases for Formal Verification of And-Inverter Graphs

This is a different (weaker) notion from a partial-well-order (an antisymmetric well-quasi-order), which requires no infinite decreasing chains and no infinite antichains.

Altisen, K., Corbineau, P., Devismes, S.: Certification of an exact worst-case self-stabilization time. Theor. Comput. Sci. 941, 262–277 (2023), https://doi.org/10.1016/j.tcs.2022.11.019

Bayardo Jr, R.J., Schrag, R.: Using csp look-back techniques to solve real-world sat instances. In: Aaai/iaai. pp. 203–208. Citeseer (1997)

Beauquier, J., Bérard, B., Fribourg, L., Magniette, F.: Proving convergence of self-stabilizing systems using first-order rewriting and regular languages. Distributed Comput. 14(2), 83–95 (2001). https://doi.org/10.1007/PL00008931

Biere, A., Artho, C., Schuppan, V.: Liveness checking as safety checking. In: Cleaveland, R., Garavel, H. (eds.) 7th International ERCIM Workshop in Formal Methods for Industrial Critical Systems, FMICS 2002, ICALP 2002 Satellite Workshop, Málaga, Spain, July 12-13, 2002. Electronic Notes in Theoretical Computer Science, vol. 66, pp. 160–177. Elsevier (2002), https://doi.org/10.1016/S1571-0661(04)80410-9

Chang, E.J.H., Roberts, R.: An improved algorithm for decentralized extrema-finding in circular configurations of processes. Commun. ACM 22(5), 281–283 (1979), https://doi.org/10.1145/359104.359108

Cook, B., Podelski, A., Rybalchenko, A.: Abstraction refinement for termination. In: Hankin, C., Siveroni, I. (eds.) Static Analysis, 12th International Symposium, SAS 2005, London, UK, September 7-9, 2005, Proceedings. Lecture Notes in Computer Science, vol. 3672, pp. 87–101. Springer (2005), https://doi.org/10.1007/11547662_8

Cook, B., Podelski, A., Rybalchenko, A.: Termination proofs for systems code. In: Schwartzbach, M.I., Ball, T. (eds.) Proceedings of the ACM SIGPLAN 2006 Conference on Programming Language Design and Implementation, Ottawa, Ontario, Canada, June 11–14, 2006. pp. 415–426. ACM (2006). https://doi.org/10.1145/1133981.1134029

Courtieu, P.: Proving self-stabilization with a proof assistant. In: 16th International Parallel and Distributed Processing Symposium (IPDPS 2002), 15-19 April 2002, Fort Lauderdale, FL, USA, CD-ROM/Abstracts Proceedings. IEEE Computer Society (2002).https://doi.org/10.1109/IPDPS.2002.1016619

Cousot, P.: Proving program invariance and termination by parametric abstraction, lagrangian relaxation and semidefinite programming. In: Cousot, R. (ed.) Verification, Model Checking, and Abstract Interpretation, 6th International Conference, VMCAI 2005, Paris, France, January 17-19, 2005, Proceedings. Lecture Notes in Computer Science, vol. 3385, pp. 1–24. Springer (2005). https://doi.org/10.1007/978-3-540-30579-8_1

10.

Daniel, J., Cimatti, A., Griggio, A., Tonetta, S., Mover, S.: Infinite-state liveness-to-safety via implicit abstraction and well-founded relations. In: Chaudhuri, S., Farzan, A. (eds.) Computer Aided Verification - 28th International Conference, CAV 2016, Toronto, ON, Canada, July 17-23, 2016, Proceedings, Part I. Lecture Notes in Computer Science, vol. 9779, pp. 271–291. Springer (2016), https://doi.org/10.1007/978-3-319-41528-4_15

11.

Dietsch, D., Heizmann, M., Langenfeld, V., Podelski, A.: Fairness modulo theory: A new approach to LTL software model checking. In: Kroening, D., Pasareanu, C.S. (eds.) Computer Aided Verification - 27th International Conference, CAV 2015, San Francisco, CA, USA, July 18-24, 2015, Proceedings, Part I. Lecture Notes in Computer Science, vol. 9206, pp. 49–66. Springer (2015). https://doi.org/10.1007/978-3-319-21690-4_4

12.

Dijkstra, E.W.: Self-stabilization with four-state machines (Oct 1973), http://www.cs.utexas.edu/users/EWD/ewd03xx/EWD392.PDF, circulated privately

13.

Dijkstra, E.W.: Self-stabilizing systems in spite of distributed control. Commun. ACM 17(11), 643-644 (nov 1974), https://doi.org/10.1145/361179.361202

14.

Dijkstra, E.W.: A belated proof of self-stabilization. Distributed Comput. 1(1), 5–6 (1986), https://doi.org/10.1007/BF01843566

15.

Fang, Y., Piterman, N., Pnueli, A., Zuck, L.D.: Liveness with invisible ranking. Int. J. Softw. Tools Technol. Transf. 8(3), 261–279 (2006). https://doi.org/10.1007/S10009-005-0193-X

16.

Farzan, A., Kincaid, Z., Podelski, A.: Proving liveness of parameterized programs. In: Grohe, M., Koskinen, E., Shankar, N. (eds.) Proceedings of the 31st Annual ACM/IEEE Symposium on Logic in Computer Science, LICS ’16, New York, NY, USA, July 5-8, 2016. pp. 185–196. ACM (2016). https://doi.org/10.1145/2933575.2935310

17.

Feldman, Y.M.Y., Padon, O., Immerman, N., Sagiv, M., Shoham, S.: Bounded quantifier instantiation for checking inductive invariants. Log. Methods Comput. Sci. 15(3) (2019), https://doi.org/10.23638/LMCS-15(3:18)2019

18.

Floyd, R.W.: Assigning Meanings to Programs, pp. 65–81. Springer Netherlands, Dordrecht (1993).https://doi.org/10.1007/978-94-011-1793-7_4

19.

Fokkink, W.J., Hoepman, J., Pang, J.: A note on k-state self-stabilization in a ring with k=n. Nord. J. Comput. 12(1), 18–26 (2005)

20.

Ghosh, S.: An alternative solution to a problem on self-stabilization. ACM Trans. Program. Lang. Syst. 15(4), 735–742 (1993), https://doi.org/10.1145/155183.155228

21.

Hawblitzel, C., Howell, J., Kapritsos, M., Lorch, J.R., Parno, B., Roberts, M.L., Setty, S.T.V., Zill, B.: Ironfleet: proving safety and liveness of practical distributed systems. Commun. ACM 60(7), 83–92 (2017), https://doi.org/10.1145/3068608

22.

Heizmann, M., Hoenicke, J., Leike, J., Podelski, A.: Linear ranking for linear lasso programs. In: Hung, D.V., Ogawa, M. (eds.) Automated Technology for Verification and Analysis - 11th International Symposium, ATVA 2013, Hanoi, Vietnam, October 15-18, 2013. Proceedings. Lecture Notes in Computer Science, vol. 8172, pp. 365–380. Springer (2013). https://doi.org/10.1007/978-3-319-02444-8_26

23.

Hong, C., Lin, A.W.: Regular abstractions for array systems. Proc. ACM Program. Lang. 8(POPL), 638–666 (2024), https://doi.org/10.1145/3632864

24.

Ish-Shalom, O., Itzhaky, S., Rinetzky, N., Shoham, S.: Run-time complexity bounds using squeezers. In: Programming Languages and Systems. pp. 320–347. Springer International Publishing, Cham (2021)

25.

Kessels, J.L.W.: An exercise in proving self-stabilization with a variant function. Inf. Process. Lett. 29(1), 39–42 (1988), https://doi.org/10.1016/0020-0190(88)90131-7

26.

Lotan, R., Frenkel, E., Shoham, S.: Proving cutoff bounds for safety properties in first-order logic. In: Akshay, S., Niemetz, A., Sankaranarayanan, S. (eds.) Automated Technology for Verification and Analysis. ATVA 2024. LNCS, vol. 15054, pp. 135–159. Springer, Cham (2025). https://doi.org/10.1007/978-3-031-78709-6_7

27.

Lotan, R., Shoham, S.: Implicit rankings for verifying liveness properties in first-order logic (full version) (2024), https://arxiv.org/abs/2412.13996

28.

Lotan, R., Shoham, S.: Implicit-rankings-fol (2025). https://doi.org/10.5281/zenodo.14584594

29.

Manna, Z., Pnueli, A.: Completing the temporal picture. Theor. Comput. Sci. 83(1), 91–130 (1991). https://doi.org/10.1016/0304-3975(91)90041-Y

30.

Marques Silva, J., Sakallah, K.: Grasp-a new search algorithm for satisfiability. In: Proceedings of International Conference on Computer Aided Design. pp. 220–227 (1996).https://doi.org/10.1109/ICCAD.1996.569607

31.

McMillan, K.L.: Toward liveness proofs at scale. In: Gurfinkel, A., Ganesh, V. (eds.) Computer Aided Verification - 36th International Conference, CAV 2024, Montreal, QC, Canada, July 24-27, 2024, Proceedings, Part I. Lecture Notes in Computer Science, vol. 14681, pp. 255–276. Springer (2024).https://doi.org/10.1007/978-3-031-65627-9_13

32.

de Moura, L.M., Bjørner, N.S.: Z3: an efficient SMT solver. In: Tools and Algorithms for the Construction and Analysis of Systems, 14th International Conference, TACAS 2008, Budapest, Hungary, March 29-April 6, 2008. Proceedings. Lecture Notes in Computer Science, vol. 4963, pp. 337–340. Springer (2008). https://doi.org/10.1007/978-3-540-78800-3_24

33.

Nieuwenhuis, R., Oliveras, A., Tinelli, C.: Abstract DPLL and abstract DPLL modulo theories. In: Baader, F., Voronkov, A. (eds.) Logic for Programming, Artificial Intelligence, and Reasoning, 11th International Conference, LPAR 2004, Montevideo, Uruguay, March 14-18, 2005, Proceedings. Lecture Notes in Computer Science, vol. 3452, pp. 36–50. Springer (2004).https://doi.org/10.1007/978-3-540-32275-7_3, https://doi.org/10.1007/978-3-540-32275-7_3

34.

Oehlerking, J., Dhama, A., Theel, O.E.: Towards automatic convergence verification of self-stabilizing algorithms. In: Herman, T., Tixeuil, S. (eds.) Self-Stabilizing Systems, 7th International Symposium, SSS 2005, Barcelona, Spain, October 26-27, 2005, Proceedings. Lecture Notes in Computer Science, vol. 3764, pp. 198–213. Springer (2005). https://doi.org/10.1007/11577327_14

35.

Padon, O., Hoenicke, J., Losa, G., Podelski, A., Sagiv, M., Shoham, S.: Reducing liveness to safety in first-order logic. Proc. ACM Program. Lang. 2(POPL), 26:1–26:33 (2018).https://doi.org/10.1145/3158114

36.

Padon, O., Hoenicke, J., McMillan, K.L., Podelski, A., Sagiv, M., Shoham, S.: Temporal prophecy for proving temporal properties of infinite-state systems. Formal Methods Syst. Des. 57(2), 246–269 (2021). https://doi.org/10.1007/S10703-021-00377-1

37.

Padon, O., Losa, G., Sagiv, M., Shoham, S.: Paxos made epr: decidable reasoning about distributed protocols. Proc. ACM Program. Lang. 1(OOPSLA) (oct 2017).https://doi.org/10.1145/3140568

38.

Padon, O., McMillan, K.L., Panda, A., Sagiv, M., Shoham, S.: Ivy: Safety verification by interactive generalization. In: PLDI ’16: Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation. pp. 614–630 (Jun 2016).https://doi.org/10.1145/2908080.2908118

39.

Peyras, Q., Bodeveix, J., Brunel, J., Chemouil, D.: Sound verification procedures for temporal properties of infinite-state systems. In: Silva, A., Leino, K.R.M. (eds.) Computer Aided Verification - 33rd International Conference, CAV 2021, Virtual Event, July 20-23, 2021, Proceedings, Part II. Lecture Notes in Computer Science, vol. 12760, pp. 337–360. Springer (2021). https://doi.org/10.1007/978-3-030-81688-9_16, https://doi.org/10.1007/978-3-030-81688-9_16

40.

Podelski, A., Rybalchenko, A.: A complete method for the synthesis of linear ranking functions. In: Steffen, B., Levi, G. (eds.) Verification, Model Checking, and Abstract Interpretation, 5th International Conference, VMCAI 2004, Venice, Italy, January 11-13, 2004, Proceedings. Lecture Notes in Computer Science, vol. 2937, pp. 239–251. Springer (2004). https://doi.org/10.1007/978-3-540-24622-0_20

41.

Podelski, A., Rybalchenko, A.: Transition invariants. In: 19th IEEE Symposium on Logic in Computer Science (LICS 2004), 14-17 July 2004, Turku, Finland, Proceedings. pp. 32–41. IEEE Computer Society (2004). https://doi.org/10.1109/LICS.2004.1319598

42.

Sun, X., Ma, W., Gu, J.T., Ma, Z., Chajed, T., Howell, J., Lattuada, A., Padon, O., Suresh, L., Szekeres, A., Xu, T.: Anvil: Verifying liveness of cluster management controllers. In: Gavrilovska, A., Terry, D.B. (eds.) 18th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2024, Santa Clara, CA, USA, July 10-12, 2024. pp. 649–666. USENIX Association (2024), https://www.usenix.org/conference/osdi24/presentation/sun-xudong

43.

Taube, M., Losa, G., McMillan, K.L., Padon, O., Sagiv, M., Shoham, S., Wilcox, J.R., Woos, D.: Modularity for decidability of deductive verification with applications to distributed systems. SIGPLAN Not. 53(4), 662-677 (jun 2018).https://doi.org/10.1145/3296979.3192414

44.

Turing, A.: Checking a large routine, p. 70-72. MIT Press, Cambridge, MA, USA (1989)

45.

Urban, C., Gurfinkel, A., Kahsai, T.: Synthesizing ranking functions from bits and pieces. In: Chechik, M., Raskin, J. (eds.) Tools and Algorithms for the Construction and Analysis of Systems - 22nd International Conference, TACAS 2016, Eindhoven, The Netherlands, April 2-8, 2016, Proceedings. Lecture Notes in Computer Science, vol. 9636, pp. 54–70. Springer (2016). https://doi.org/10.1007/978-3-662-49674-9_4

46.

Urban, C., Miné, A.: An abstract domain to infer ordinal-valued ranking functions. In: Shao, Z. (ed.) Programming Languages and Systems - 23rd European Symposium on Programming, ESOP 2014, Grenoble, France, April 5-13, 2014, Proceedings. Lecture Notes in Computer Science, vol. 8410, pp. 412–431. Springer (2014). https://doi.org/10.1007/978-3-642-54833-8_22

47.

Vardi, M.Y.: An automata-theoretic approach to linear temporal logic. In: Moller, F., Birtwistle, G.M. (eds.) Logics for Concurrency - Structure versus Automata (8th Banff Higher Order Workshop, Banff, Canada, August 27 - September 3, 1995, Proceedings). Lecture Notes in Computer Science, vol. 1043, pp. 238–266. Springer (1995).https://doi.org/10.1007/3-540-60915-6_6

48.

Yao, J., Tao, R., Gu, R., Nieh, J.: Mostly automated verification of liveness properties for distributed protocols with ranking functions. Proc. ACM Program. Lang. 8(POPL), 1028–1059 (2024).https://doi.org/10.1145/3632877

Titel: Implicit Rankings for Verifying Liveness Properties in First-Order Logic
verfasst von: Raz Lotan
Sharon Shoham
Verlag: Springer Nature Switzerland
Buch: Tools and Algorithms for the Construction and Analysis of Systems
Print ISBN: 978-3-031-90642-8

Electronic ISBN: 978-3-031-90643-5

Copyright-Jahr: 2025
DOI: https://doi.org/10.1007/978-3-031-90643-5_20

Premium Partner

Bildnachweise

Rittal/© Rittal, NTT Data/© NTT Data, Wildix/© Wildix, Ceyoniq Technology GmbH/© Ceyoniq Technology GmbH, arvato Systems GmbH/© arvato Systems GmbH, Ninox Software GmbH/© Ninox Software GmbH, Everyday Software S.L./© Everyday Software S.L., Redgate/© Redgate, CELONIS Labs GmbH, DC-Datacenter-Group GmbH/© DC-Datacenter-Group GmbH, all for one/© all for one, G Data CyberDefense/© G Data CyberDefense, FAST LTA/© FAST LTA, Vendosoft/© Vendosoft, Kumavision/© Kumavision, Noriis Network AG/© Noriis Network AG, WSW Software GmbH/© WSW Software GmbH, tts GmbH/© tts GmbH, Asseco Solutions AG/© Asseco Solutions AG