Verifying safety of synchronous fault-tolerant algorithms by bounded model checking

Abstract

Threshold automata are a formalism introduced for modeling, verification, and synthesis of fault-tolerant distributed algorithms for asynchronous systems, that is, in interleaving semantics. Owing to well-known limitations of what can be achieved in purely asynchronous systems, many fault-tolerant distributed algorithms are designed for synchronous or round-based semantics. In this paper, we introduce the synchronous variant of threshold automata and study their applicability and limitations for the verification of synchronous fault-tolerant distributed algorithms. We show that the parameterized reachability problem for synchronous threshold automata is undecidable. Still, we show that many synchronous fault-tolerant distributed algorithms have a bounded diameter, even though the algorithms are parameterized by the number of processes. Hence, bounded model checking can be used for verifying these algorithms. The existence of bounded diameters is the main conceptual insight in this paper. We compute the diameter of several algorithms and check their safety properties, using SMT queries that contain quantifiers for dealing with the parameters symbolically. Surprisingly, performance of the SMT solvers on these queries is very good, reflecting the recent progress in dealing with quantified queries. We found that the diameter bounds of synchronous algorithms in the literature are tiny (from 1 to 8), which makes our approach applicable in practice. For a specific class of algorithms, we also establish a theoretical result on the existence of a diameter, providing a first explanation for our experimental results.