consistent key-value stores. The implementation of a key-value store is proved correct with respect to a high-level specification using a program refinement method similar to ours. Although Chapar’s goal isn’t to verify robustness to network faults, node crashes and message losses are modeled by its abstract operational semantics.

IronFleet [18] is a framework and methodology for building verified dis- tributed systems using a mix of TLA-style state machine refinement, Hoare logic, and automated theorem proving. An IronFleet system is comprised of three layers: a high-level state machine specification of the overall system, a more detailed distributed protocol layer which describes the behavior of each agent in the system as a state machine, and the implementation layer in which each agent is programmed using a variant of the Dafny [22] language extended with a trusted set of UDP networking operations. Correctness properties are proved with respect to the high-level specifications, and a series of refinements is used to prove that every behavior in the implementation layer is a refine- ment of some behavior in the high-level specification. IronFleet has been used to prove safety and liveness properties of IronRSL, a Paxos-based replicated state machine, as well as IronKV, a shared key-value store.

Alternative Proofs. Variant proofs of Theorem 1, such as the one via KL- divergence (cf. [1, Section 2.2]), could be formalized in our framework without modifying most parts of the MW implementation. In particular, because we have proved once and for all that our interpreted MW refines a high-level specification of MW, it would be sufficient to formalize the new proof just with respect to the high-level program of Sect.5.6.

References

1. Arora, S., Hazan, E., Kale, S.: The multiplicative weights update method: a meta- algorithm and applications. Theor. Comput.8(1), 121–164 (2012)

2. Awerbuch, B., Azar, Y., Epstein, A.: The price of routing unsplittable flow. In: Pro- ceedings of the thirty-seventh annual ACM Symposium on Theory of Computing, pp. 57–66. ACM (2005)

3. Bachelier, L.: Th´eorie math´ematique du jeu. Annales Scientifiques de l’Ecole Nor- male Sup´erieure18, 143–209 (1901)

4. Bagnall, A., Merten, S., Stewart, G.: Brief announcement: certified multiplicative weights update: verified learning without regret. In: Proceedings of the ACM Sym- posium on Principles of Distributed Computing, PODC 2017. ACM (2017) 5. Bertot, Y., Cast´eran, P.: Interactive Theorem Proving and Program Development:

Coq’Art: The Calculus of Inductive Constructions. Springer, Heidelberg (2013) 6. Bhawalkar, K., Gairing, M., Roughgarden, T.: Weighted congestion games: price of

anarchy, universal worst-case examples, and tightness. In: de Berg, M., Meyer, U.

(eds.) ESA 2010, Part II. LNCS, vol. 6347, pp. 17–28. Springer, Heidelberg (2010).

https://doi.org/10.1007/978-3-642-15781-3 2

7. Blum, A., Monsour, Y.: Learning, regret minimization, and equilibria. In: Nisan, N., Roughgarden, T., Tardos, E., Vazirani, V.V. (eds.) Algorithmic Game Theory.

Cambridge University Press, Cambridge (2007). Chapter 4

8. Borel, E.: La th´eorie du jeu et les ´equations int´egrales `a noyau sym´etrique. Comptes rendus de l’Acad´emie des Sci.173(1304–1308), 58 (1921)

9. Borowski, H., Marden, J.R., Shamma, J.: Learning efficient correlated equilibrium.

Submitted for journal publication (2015)

10. Christodoulou, G., Koutsoupias, E.: The price of anarchy of finite congestion games. In: Proceedings of the 37th Annual ACM Symposium on Theory of Com- puting, pp. 67–73. ACM (2005)

11. Demaine, E.D., Hajiaghayi, M., Mahini, H., Zadimoghaddam, M.: The price of anarchy in network creation games. In: Proceedings of the Twenty-sixth Annual ACM Symposium on Principles of Distributed Computing, pp. 292–298. ACM (2007)

12. Fanelli, A., Moscardelli, L., Skopalik, A.: On the impact of fair best response dynamics. In: Rovan, B., Sassone, V., Widmayer, P. (eds.) MFCS 2012. LNCS, vol. 7464, pp. 360–371. Springer, Heidelberg (2012).https://doi.org/10.1007/978- 3-642-32589-2 33

13. Foster, D.P., Vohra, R.V.: Calibrated learning and correlated equilibrium. Games Econ. Behav.21(1), 40–55 (1997)

14. Freund, Y., Schapire, R.E.: A desicion-theoretic generalization of on-line learning and an application to boosting. In: Vit´anyi, P. (ed.) EuroCOLT 1995. LNCS, vol.

904, pp. 23–37. Springer, Heidelberg (1995).https://doi.org/10.1007/3-540-59119- 2 166

15. Gittins, J.C.: Bandit processes and dynamic allocation indices. J. R. Stat. Soc.

Ser. B (Methodol.)41(2), 148–177 (1979)

16. Gonthier, G., Mahboubi, A., Tassi, E.: A small scale reflection extension for the Coq system. Technical report, INRIA (2015)

17. Hart, S., Mas-Colell, A.: A simple adaptive procedure leading to correlated equi- librium. Econometrica68(5), 1127–1150 (2000)

18. Hawblitzel, C., Howell, J., Kapritsos, M., Lorch, J.R., Parno, B., Roberts, M.L., Setty, S., Zill, B.: IronFleet: proving practical distributed systems correct. In: Pro- ceedings of the 25th Symposium on Operating Systems Principles, pp. 1–17. ACM (2015)

19. Hu, J., Wellman, M.P., et al.: Multiagent reinforcement learning: theoretical frame- work and an algorithm. In: ICML, vol. 98, pp. 242–250. Citeseer (1998)

20. K¨ufner, P., Nestmann, U., Rickmann, C.: Formal verification of distributed algo- rithms. In: Baeten, J.C.M., Ball, T., de Boer, F.S. (eds.) TCS 2012. LNCS, vol.

7604, pp. 209–224. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3- 642-33475-7 15

21. Lamport, L.: Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers. Addison-Wesley Longman Publishing Co., Inc., Boston (2002)

22. Leino, K.R.M.: Dafny: an automatic program verifier for functional correctness.

In: Clarke, E.M., Voronkov, A. (eds.) LPAR 2010. LNCS (LNAI), vol. 6355, pp.

348–370. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17511- 4 20

23. Lesani, M., Bell, C.J., Chlipala, A.: Chapar: certified causally consistent distributed key-value stores. In: ACM SIGPLAN Notices, vol. 51. ACM (2016)

24. Lin, H., Yang, M., Long, F., Zhang, L., Zhou, L.: MODIST: transparent model checking of unmodified distributed systems. In: Proceedings of the 6th USENIX Symposium on Networked Systems Design and Implementation (2009)

25. Littlestone, N., Warmuth, M.K.: The weighted majority algorithm. In: Proceedings of the 30th Annual Symposium on Foundations of Computer Science. IEEE (1989) 26. Monderer, D., Shapley, L.S.: Potential games. Games Econ. Behav.14(1), 124–143

(1996)

27. Nash, J.: Non-cooperative games. Ann. Math.54(2), 286–295 (1951)

28. Nash, J.F.: Equilibrium in n-player games. Proc. Natl. Acad. Sci. (PNAS) 36(1), 48–49 (1950)

29. von Neumann, J., Morgenstern, O.: Theory of Games and Economic Behavior, vol.

60. Princeton University Press, New Jersey (1944)

30. Nisan, N., Roughgarden, T., Tardos, E., Vazirani, V.V.: Algorithmic Game Theory, vol. 1. Cambridge University Press, New York (2007)

31. Panchekha, P., et al.: Automatically improving accuracy for floating point expres- sions. ACM SIGPLAN Not.50(6), 1–11 (2015)

32. Perakis, G., Roels, G.: The price of anarchy in supply chains: quantifying the efficiency of price-only contracts. Manag. Sci.53(8), 1249–1268 (2007)

33. Rahli, V.: Interfacing with proof assistants for domain specific programming using EventML. In: Proceedings of the 10th International Workshop on User Interfaces for Theorem Provers, Bremen, Germany (2012)

34. Ramananandro, T., et al.: A unified Coq framework for verifying C programs with floating-point computations. In: Proceedings of the 5th ACM SIGPLAN Confer- ence on Certified Programs and Proofs. ACM (2016)

35. Roughgarden, T.: Intrinsic robustness of the price of anarchy. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, pp. 513–522. ACM (2009)

36. Roughgarden, T.: Twenty Lectures on Algorithmic Game Theory. Cambridge University Press, New York (2016)

37. Sergey, I., Wilcox, J.R., Tatlock, Z.: Programming and proving with distributed protocols. In: Proceedings of the ACM on Programming Languages, vol. 2 (POPL), Article 28 (2018)

38. Spitters, B., Van der Weegen, E.: Type classes for mathematics in type theory.

Math. Struct. Comput. Sci.21(04), 795–825 (2011)

39. Sutton, R.S., Barto, A.G.: Reinforcement Learning: An Introduction, vol. 1. MIT press, Cambridge (1998)

40. Vetta, A.: Nash equilibria in competitive societies, with applications to facility location, traffic routing and auctions. In: Proceedings of the 43rd Annual IEEE Symposium on Foundations of Computer Science, pp. 416–425. IEEE (2002) 41. Watkins, C.J., Dayan, P.: Q-learning. Mach. Learn.8(3–4), 279–292 (1992) 42. Wilcox, J.R., Woos, D., Panchekha, P., Tatlock, Z., Wang, X., Ernst, M.D.,

Anderson, T.: Verdi: a framework for implementing and formally verifying dis- tributed systems. In: ACM SIGPLAN Notices, vol. 50, pp. 357–368. ACM (2015) 43. Zermelo, E.: ¨Uber eine anwendung der mengenlehre auf die theorie des schachspiels.

In: Proceedings of the Fifth International Congress of Mathematicians, vol. 2, pp.

501–504. II, Cambridge University Press, Cambridge (1913)

Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Brandon Moore¹, Lucas Pe˜na²⁽B⁾, and Grigore Rosu^1,2

1 Runtime Verification, Inc., Urbana, IL, USA

2 University of Illinois at Urbana-Champaign, Urbana, IL, USA lpena7@illinois.edu

Abstract. We present a novel program verification approach based on coinduction, which takes as input an operational semantics. No interme- diates like program logics or verification condition generators are needed.

Specifications can be written using any state predicates. We implement our approach in Coq, giving a certifying language-independent verifi- cation framework. Our proof system is implemented as a single module imported unchanged into language-specific proofs. Automation is reached by instantiating a generic heuristic with language-specific tactics. Man- ual assistance is also smoothly allowed at points the automation can- not handle. We demonstrate the power and versatility of our approach by verifying algorithms as complicated as Schorr-Waite graph marking and instantiating our framework for object languages in several styles of semantics. Finally, we show that our coinductive approach subsumes reachability logic, a recent language-independent sound and (relatively) complete logic for program verification that has been instantiated with operational semantics of languages as complex as C, Java and JavaScript.

1 Introduction

Formal verification is a powerful technique for ensuring program correctness, but it requires a suitable verification framework for the target language. Standard approaches such as Hoare logic [1] (or verification condition generators) require significant effort to adapt and prove sound and relatively complete for a given language, with few or no theorems or tools that can be reused between languages.

To use a software engineering metaphor, Hoare logic is a design pattern rather than a library. This becomes literal when we formalize it in a proof assistant.

We present instead a single language-independent program verification frame- work, to be used with an executable semantics of the target programming lan- guage given as input. The core of our approach is a simple theorem which gives a coinduction principle for proving partial correctness.

To trust a non-executable semantics of a desired language, an equivalence to an executable semantics is typically proved. Executable semantics of pro- gramming languages abound in the literature. Recently, executable semantics of several real languages have been proposed, e.g. of C [2], Java [3], JavaScript [4,5], Python [6], PHP [7], CAML [8], thanks to the development of executable seman- tics engineering frameworks like K [9], PLT-Redex [10], Ott [11], etc., which

c The Author(s) 2018

A. Ahmed (Ed.): ESOP 2018, LNCS 10801, pp. 589–618, 2018.

https://doi.org/10.1007/978-3-319-89884-1_21

make defining a formal semantics for a programming language almost as easy as implementing an interpreter, if not easier. Our coinductive program verification approach can be used with any of these executable semantics or frameworks, and is correct-by-construction: no additional “axiomatic semantics”, “program logic”, or “semantics suitable for verification” with soundness proofs needed.

As detailed in Sect.6, we are not the first to propose a language-independent verification infrastructure that takes an operational semantics as input, nor the first to propose coinduction for proving isolated properties about some pro- grams. However, we believe that coinduction can offer a fresh, promising and general approach as a language-independent verification infrastructure, with a high potential for automation that has not been fully explored yet. In this paper we make two steps in this direction, by addressing the following research ques- tions:

RQ1 Is it feasible to have a sound and (relatively) complete verification infras- tructure based on coinduction, which is language-independent and versa- tile, i.e., takes an arbitrary language as input, given by its operational semantics?

RQ2 Is it possible to match, or even exceed, the capabilities of existing language- independent verification approaches based on operational semantics?

To address RQ1, we make use of a key mathematical result, Theorem1, which has been introduced in more general forms in the literature, e.g., in [12,13] and in [14]. We mechanized it in Coq in a way that allows us to instantiate it with a transition relation corresponding to any target language semantics, hereby producing certifying program verification for that language. Using the resulting coinduction principle to show that a program meets a specification produces a proof which depends only on the operational semantics. We demonstrate our proofs can be effectively automated, on examples including heap data structures and recursive functions, and describe the implemented proof strategy and how it can be reused across languages defined using a variety of operational styles.

To address RQ2, we show that our coinductive approach not only subsumes reachability logic [15], whose practicality has been demonstrated with languages like C, Java, and JavaScript, but also offers several specific advantages. Reacha- bility logic consists of a sound and (relatively) complete proof system that takes a given language operational semantics as atheoryand derives reachability prop- erties about programs in that language. A mechanical procedure can translate any proof using reachability logic into a proof using our coinductive approach.

We first introduce our approach with a simple intuitive example, then prove its correctness. We then discuss mechanical verification experiments across dif- ferent languages, show how reachability logic proofs can be translated into coin- ductive proofs, and conclude with related and future work. Our entire Coq for- malization, proofs and experiments are available at [16].