| 10:30-10:45 |
On the Complexity of Checking Soundness of Natural Reductions (abstract) 15 min
1 LIX - CNRS - Ecole Polytechnique
2 University of Toronto
ABSTRACT. The verification of \emph{reductions}, representative subsets of interleavings, simplifies correctness proofs of parameterized concurrent programs. We introduce an expressive class of syntactic reductions, which we call \emph{natural reductions}. Natural reductions are specified by introducing atomic blocks and global rendezvous points in the parameterized program's thread template. We study the problem of deciding whether a given natural reduction is sound wrt.\ a given (semi-)commutativity relation. In the case that there is no synchronization between threads, we present a sound and complete polynomial-time algorithm. In the case where synchronization is considered, we provide a general lower bound for the problem (parametric in the synchronization mechanism), and show that the problem is coNP-hard already for a simple mechanism like locking. |
| 10:45-11:00 |
Deadlock Verification via Ordering-Constrained Mutex Modeling (abstract) 15 min
1 Tsinghua University
ABSTRACT. Mutexes are fundamental synchronization primitives in concurrent programming, but their improper use can lead to deadlocks. Conventional assume-based modeling abstracts mutex semantics via assumptions, simplifying safety verification but hindering deadlock verification. Although prior efforts have aimed to address this limitation, we show that state-of-the-art methods remain inaccurate. In this paper, we propose a novel modeling approach that captures mutex semantics using ordering constraints, enabling accurate deadlock verification within partial-order-based verification frameworks. We formally prove the correctness of our method and implement it in a prototype tool, DEAGLE-DL. We evaluate DEAGLE-DL against a state-of-the-art bounded model checker ESBMC that employs the conventional modeling approach, and a state-of-the-art static analysis tool for deadlock detection. Our experiments show that DEAGLE-DL significantly outperforms both tools in terms of precision, while maintaining substantial efficiency. |
| 11:00-11:15 |
Complete Local Reasoning About Parameterized Programs Over Topologies (Distinguished Paper) (abstract) 15 min
1 University of Toronto
ABSTRACT. This paper investigates the algorithmic safety verification problem of infinite-state parameterized concurrent programs over a rich set of communication topologies. The goal is to automatically produce a proof of correctness for them in the form of a universally quantified inductive invariant, where the quantification is over the nodes in the topology. We illustrate that under reasonable assumptions on the underlying topology, the problem can be reduced to and solved as a compositional scheme in which the verification of the parameterized family is reduced to a set of local proofs, in a complete manner. We propose a verification algorithm, which is implemented as a tool, and demonstrate through a set of benchmarks over several different topologies that our approach is effective in proving parameterized programs safe. |
| 11:15-11:30 |
Scalable Deductive Verification of Data-Level Parallel Programs (abstract) 15 min
1 Eindhoven University of Technology
2 University of Twente
ABSTRACT. This paper introduces several techniques that improve the scalability of the deductive verification of data-level programs working on arrays and matrices. First of all, we introduce a technique to rewrite expressions with (nested) quantifiers, so suitable triggers can be generated for these expressions. We have proven this rewrite technique correct in a theorem prover. Second, we make reasoning about potentially overlapping arrays easier, by providing specification constructs to indicate and verify that two arrays are not aliases, or that they are immutable, so they can be modelled as mathematical sequences. All our techniques are implemented in the \vercors program verifier. We illustrate how our techniques improve scalability on a large number of experiments. Using our techniques on a set of typical GPU kernels, we achieve a reduction of verification time by, on average, a factor of 9, with outliers being up to 150 times faster. Additionally, applying these techniques to earlier experiments and an earlier case study of a radio telescope pipeline permitted the verification of results which were previously unobtainable and significantly reduced the verification time. |
| 11:30-11:45 |
On the Verification Problem of Remote Direct Memory Access programs (abstract) 15 min
1 Uppsala University
2 The Institute of Mathematical Sciences, Chennai
ABSTRACT. Remote Direct Memory Access (RDMA) is a technology that allows direct memory access from the memory of one computer into that of another without involving either one’s operating system. This enables high-throughput, low-latency networking, which is especially useful in massively parallel computer clusters. In this paper, we study the reachability and robustness problems for RDMA programs. We show that reachability is undecidable in general, even for a restricted fragment of the model. We then focus on robustness, which asks whether a program exhibits the same behaviours under the RDMA and sequential consistency (SC) semantics, and prove that this problem is decidable. Our central technical result establishes a normal form for robustness violations, showing that any non-robust program admits a violating execution of a specific form. We then leverage this normal form to obtain a decision procedure that reduces robustness to reachability in finite-state programs with counters, yielding an EXPSPACE upper bound in the general case, and a PSPACE upper bound in the absence of poll operations. Finally, we also show that both of these bounds are optimal. |
| 11:45-11:55 |
Model Checking for Flexible Network Protocols (abstract) 10 min
1 Princeton University
2 Google, Inc
ABSTRACT. Operating a network is a daunting task. Operating one at a global scale, with stringent service objectives and requirements to be available during maintenance and failures, is even more so. At Google, we operate such a network. This paper details our experience applying formal methods to some of the networking protocols that are developed and maintained by in-house engineers. These protocols centrally route network traffic to respond to changes in demand, react to network failures, and allow for maintenance and upgrades. We used formal methods to target a class of bugs stemming from unclear specifications, unintended system interactions, and logical errors at the specification level. We show how we modeled our protocols using an off-the-shelf model checker and a custom harness to scale the model horizontally. We were able to recreate several recent bugs and verify that the fixes implemented were correct. Finally, we present a method called state projection that we used to increase confidence in the coverage of our models, which we added to the TLC model checker for TLA+. We created 7 different TLA+ models and showed that they were effective at recreating bugs and verifying our fixes to those bugs. |
| 11:55-12:05 |
The TLA+ Model Checker Apalache (abstract) 10 min
1 University of Groningen
2 Tarides
3 Independent Researcher
4 Informal Systems
5 Université Paris-Saclay, CEA, List
ABSTRACT. The TLA+ language has been widely used, both in academia and industry, to specify and reason about distributed systems. This paper presents Apalache, an efficient and flexible symbolic model checker for TLA+. Apalache's engine is based on bounded model checking, with symbolic transitions being extracted from TLA+ specifications and verification conditions suitable for satisfiability modulo theories (SMT) solvers being generated from them. Reasoning can be done in terms of safety and liveness properties, with liveness checking realised via a liveness-to-safety reduction. Apalache's flexibility lies in its three complementary functionalities: bounded exhaustive verification, for bounded guarantees, randomised symbolic execution, for prototyping and bug detection, and inductiveness checking, for unbounded guarantees. The paper describes Apalache's architecture and features, including its support for PlusCal and Quint, two languages that share the same semantic foundation as TLA+. Industrial usage of Apalache is also presented, together with a case study which illustrates how Apalache can be used to verify the agreement property of a consensus protocol. |
| 12:05-12:15 |
PSF: A Generic and Extensible Framework for Protocol State Fuzzing (abstract) 10 min
1 Uppsala University & National Technical University of Athens
2 Yale University & National Technical University of Athens
ABSTRACT. In recent years, protocol state fuzzing has emerged as an effective technique to analyze and test network protocol implementations, uncovering numerous security vulnerabilities, bugs, and non-conformance issues in them. This tool paper presents ProtocolState-Fuzzer (PSF for short), an open source, generic, modular, and extensible framework for state machine learning and testing of network protocol implementations. We describe the distinctive features and support that PSF offers, its system architecture, and briefly overview the protocol-specific state fuzzers that currently use PSF as their basis. |
| 12:15-12:25 |
Kofola 1.0: A Modular Approach to 𝝎-Regular Complementation and Inclusion Checking (abstract) 10 min
1 Brno University of Technology
2 Brno University of Technology and Aalborg University
3 Institute of Software, Chinese Academy of Sciences
4 Slovak University of Technology in Bratislava
ABSTRACT. We present Kofola, an efficient tool for complementing and inclusion checking over Büchi automata. Complementation and inclusion checking for Büchi automata are the cornerstones of many verification problems such as model checking, monitoring, and theorem proving. Kofola implements the state-of-the-art modular complementation framework that partitions the input Büchi automata to apply, for each strongly connected component, the complementation algorithm leveraging the most its structural properties. Inspired by the modular complementation, Kofola also supports modular inclusion checking along with new heuristics. Notably, to allow termination as soon as possible, we have developed a new on-the-fly emptiness checking algorithm for the simple generalized Rabin pair condition, which is the acceptance condition used by our complementation. Empirical evaluation shows that Kofola is highly competitive against the state-of-the-art complementation and inclusion checking tools, being the most robust of the tools that we evaluated and outrunning them often by several orders of magnitude on many benchmarks obtained from practical applications. |
| 12:25-12:35 |
Octopus: Practical Equivalence Checking of P4 Packet Parsers (abstract) 10 min
1 LIACS, Leiden University
ABSTRACT. P4 is a domain-specific language for programming protocol-independent packet processors, where packet parsers describe how incoming bit streams are structured into headers and fields. Building on work by Doenges et al. (2022), we present Octopus, a tool that translates P4 packet parsers into automata and then attempts to (symbolically) check their equivalence. Octopus produces evidence, either in the form of a bisimulation demonstrating equivalence, or a counterexample packet witnessing a behavioral difference between the two parsers. In contrast with earlier work, our tool can check equivalence between non-trivial parsers within minutes on consumer hardware. We report on the tool’s implementation and evaluate its usability in networking contexts. |
| 14:00-14:15 |
Randomise Alone, Reach Together (abstract) 15 min
1 Institute of Science and Technology Austria
ABSTRACT. We study concurrent graph games where $n$ players cooperate against an opponent to reach a set of target states. Unlike traditional settings, we study distributed randomisation: team players do not share a source of randomness, and their private random sources are hidden from the opponent and from each other. We show that memoryless strategies are sufficient for the threshold problem (deciding whether there is a strategy for the team that ensures winning with probability that exceeds a threshold), a result that not only places the problem in the Existential Theory of the Reals ($\exists\mathbb{R}$) but also enables the construction of value iteration algorithms. We additionally show that the threshold problem is $\NP$-hard. For the almost-sure reachability problem, we prove $\NP$-completeness. We introduce Individually Randomised Alternating-time Temporal Logic (IRATL). This logic extends the standard ATL framework to reason about probability thresholds, with semantics explicitly designed for coalitions that lack a shared source of randomness. On the practical side, we implement and evaluate a solver for the threshold and almost-sure problem based on the algorithms that we develop. |
| 14:15-14:30 |
Decoupled Planning for Multiple Omega-Regular Objectives (abstract) 15 min
1 University of Haifa, Israel
2 Institute of Science and Technology, Austria
3 IMDEA Software Institute, Spain
4 TU Clausthal, Germany
ABSTRACT. We study the problem of generating paths on a graph that satisfy a collection of $\omega$-regular objectives. We propose a decoupled framework in which each objective is assigned to an independent agent that selects a local policy, while a scheduler---oblivious to the graph and objective---dynamically composes these policies into a single path. We ask when such a composition satisfies all objectives, assuming their conjunction is realizable. The framework enables modular policy design but raises fundamental compositional challenges. We show that even extremely fair deterministic schedulers do not ensure correctness, and that stochastic schedulers, while necessary, are insufficient without coordination. For safety objectives, we demonstrate that fully decentralized implementations are impossible, and we introduce a protocol for synchronizing on maximal safe actions. For non-safety objectives, we introduce conventions---simple, a priori restrictions agreed upon before the graph or objectives are revealed---that guarantee satisfaction of all objectives when followed by all agents. We characterize minimally restrictive conventions for major subclasses of $\omega$-regular objectives. In particular, B\"uchi objectives admit universal composition of finite-memory policies without scheduler communication; co-B\"uchi objectives require only knowledge of whether the agent was scheduled; and parity objectives additionally require knowledge of which agent was scheduled. |
| 14:30-14:45 |
Repairing Regex-Dependent String-Manipulation Programs (abstract) 15 min
1 NTT Social Informatics Laboratories
2 Waseda University
ABSTRACT. We present a new Programming-by-Examples (PBE) approach to repairing regex-dependent string-manipulation programs. Our approach has the following key features: (1) the support for a {\em wide range of functions} including regex-dependent functions such as {\tt replaceAll}, {\tt match}, {\tt split}, list manipulation functions such as {\tt map}, {\tt reduce}, {\tt filter}, and numerical functions such as {\tt max}, {\tt min}, {\tt pow}, (2) the support for {\em real-world regexes} with non-standard semantics such as greedy/lazy Kleene star and extensions such as lookarounds and backreferences, (3) the focus on a {\em method-chaining style} that starts the chain of calls with a regex-dependent function, reflecting a code style used in the real-world, and (4) novel {\em origin-enriched} examples that allow users to communicate {\em intensional} behavior of programs in addition to the standard extension behavior communicated via ordinary input-output examples, and a novel {\em origin-tracking} semantics that formally defines when a program conforms to the behavior stipulated by such examples. We have implemented our approach as a tool named R3-S3 and evaluated it on real-world benchmarks collected from GitHub and StackOverflow. The results show that R3-S3 finds high-quality repairs efficiently. |
| 14:45-15:00 |
Liquid Tree Automata (abstract) 15 min
1 Indian Institute of Technology Hyderabad
2 Purdue University
ABSTRACT. Component-based synthesis (CBS) aims to generate loop- free programs from a set of libraries whose methods are annotated with specifications and whose output must satisfy a set of logical constraints, expressed as a query. The effectiveness of a CBS algorithm critically de- pends on the severity of the constraints imposed by the query. The more exact these constraints are, the sparser the space of feasible solutions. This maxim also applies when we enrich the expressivity of the specifi- cations affixed to library methods. In both cases, the search must now contend with constraints that may only hold over a small number of the possible execution paths that can be enumerated by a CBS procedure. In this paper, we address this challenge by equipping CBS search with the ability to reason about logical similarities among the paths it explores. Our setting considers library methods equipped with refinement-type specifications that enrich ordinary base types with a set of rich logical qualifiers to constrain the set of values accepted by that type. For efficient representation and enumeration of this space, we introduce a novel tree automata variant called Liquid Tree Automata (LTA) whose construction is driven by the typing rules of a refinement type system. This allows us to leverage subtyping constraints over the refinement types associated with enumerated terms to enable reasoning about similarity among candidate solutions as search proceeds, using this notion of simi- larity to eagerly merge LTA states. By doing so, we avoid exploration of semantically similar paths, leading to a significantly improved search pro- cedure. We present an implementation of this idea in a tool called Hegel and provide a comprehensive evaluation that demonstrates Hegel’s abil- ity to synthesize solutions to complex CBS queries that go well-beyond the capabilities of the existing state-of-the-art. |
| 15:00-15:10 |
SemML 2.0: Synthesizing Controllers from LTL (abstract) 10 min
1 TU Munich
2 Lancaster University Leipzig
3 Masaryk University Brno
ABSTRACT. Synthesizing a reactive system from specifications given in linear temporal logic (LTL) is a classical problem, finding its applications in safety-critical systems design. These systems are typically represented using either Mealy machines or AIGER circuits. We present the second version of SemML, which outperforms all state-of-the-art tools for finding either solution. Aside from implementing the classical automata-theoretic approach, our tool utilizes partial exploration and machine-learning guid- ance for obtaining solutions efficiently, and numerous heuristics and improvements of classic algorithms for extracting small representations of these solutions. We evaluate our tool against the existing state-of-the-art tools (in particular Strix, LtlSynt, and the previous version of SemML) on the dataset of the synthesis competition SYNTCOMP. We show that we solve significantly more instances and do so much faster than other tools, while maintaining state-of-the-art solution quality. |
| 15:10-15:20 |
Fast Obligation Translation and Synthesis (Distinguished Paper) (abstract) 10 min
1 LRE
2 University of Oxford
3 DIMAP, University of Warwick
4 University of Gothenburg & Chalmers University of Technology
5 Rice University
6 University of Liverpool
7 EPITA
ABSTRACT. Syntactic obligations is a fragment of LTL formulas that translate to deterministic weak ω-automata (DWA). We show that syntactic obligations can be very efficiently converted to minimal DWA represented using multi-terminal binary decision diagrams (MTBDDs), and that synthesis of such specifications can be solved directly on the MTBDD representation on the fly. Our implementation in Spot shows huge runtime improvements in translation and synthesis. |
| 15:20-15:30 |
sweap: Reactive Synthesis for Infinite-State Integer Problems (abstract) 10 min
1 Dedaub
2 TU Wien
3 University of Gothenburg, Chalmers University of Technology
ABSTRACT. Recent years have seen a significant increase in the interest in reactive synthesis from specifications that relate to infinite state spaces. We present sweap, a tool for synthesis of infinite-state Linear Integer Arithmetic reactive systems. sweap implements a CEGAR approach, relying on state-of-the-art finite-state synthesis tools as black boxes to solve abstract synthesis problems. sweap supports most common input formalisms for infinite-state reactive-synthesis problems: Temporal Stream Logic Modulo Theories, Reactive Program Games, the bespoke input of the Issy tool, and our own bespoke input. We present a mature version of sweap with novel features: a dual abstraction approach that improves its capabilities in proving unrealisability, support for nondeterministic and unbounded updates, more general initialization of variables, and equirealisable reductions for optimisation. Experimental evaluation shows that sweap outperforms its only competitor in this domain. |
| 16:00-16:15 |
A-IC3: Learning-Guided Adaptive Inductive Generalization for Hardware Model Checking (abstract) 15 min
1 Hong Kong University of Science and Technology
2 Hong Kong University of Science and Technology (Guangzhou)
ABSTRACT. The IC3 algorithm represents the state-of-the-art (SOTA) hardware model checking technique,owing to its robust performance and scalability. A significant body of research has focused on enhancing the solving efficiency of the IC3 algorithm, with particular attention to the inductive generalization process—a critical phase wherein the algorithm attempts to generalize a counterexample to inductiveness (CTI), which typically is a state leading to a bad state, into a broader set of states. This inductive generalization is a primary source of clauses in IC3 and thus plays a pivotal role in determining the overall effectiveness of the algorithm. Despite its importance, existing approaches often rely on fixed inductive generalization strategies, overlooking the dynamic and context-sensitive nature of the verification environment in which spurious counterexamples arise. This rigidity can limit the quality of generated clauses and, consequently, the performance of IC3. To address this limitation, we propose a lightweight machine-learning-based framework that dynamically selects appropriate inductive generalization strategies in response to the evolving verification context. Specifically, we employ a multi-armed bandit (MAB) algorithm to adaptively choose inductive generalization strategies based on real-time feedback from the verification process. The agent is updated by evaluating the quality of generalization outcomes, thereby refining its strategy selection over time. Empirical evaluation on a benchmark suite comprising 2,957 instances, primarily drawn from the HWMCC collection, demonstrates the efficacy of our approach. When implemented on rIC3, our method solves 28 more cases than the baseline, and on IC3Ref, it achieves an improvement of 14 additional solved instances. Our method improves the PAR-2 score by 170.04 and 71.43 seconds for rIC3 and IC3Ref, respectively. |
| 16:15-16:30 |
A Multi-Width Parametric Equivalence Solver (abstract) 15 min
1 University College London
2 Imperial College London
ABSTRACT. At the core of modern electronic design automation (EDA) tools is rewriting: a mechanism by which local transformations are iteratively applied to circuits to make them faster and more efficient. These rewrites are crucial for producing high-quality hardware, and they often depend on extremely delicate conditions, relating, for example, to the widths of the various bitvectors involved. As such, it is both desirable and difficult to prove them correct. Prior work has studied the correctness of parametric-bitwidth rewrites in the context of software compilers and SMT solvers, but those approaches struggle to handle rewrites that have multiple bitwidth parameters, as are commonplace in EDA. We propose a language for expressing these multi-width parametric rewrites and provide a translation into equivalences in modular arithmetic. We then show how these equivalences can be automatically and efficiently proved using equality saturation over a set of carefully chosen axioms, and finally reconstructed automatically as theorems in Isabelle. This process is implemented in a tool called ParaBit. Using benchmarks from prior compilers work and from industrial EDA tools, we demonstrate that ParaBit can solve a class of problems that are intractable using existing techniques. |
| 16:30-16:45 |
Massively Parallel Mining of Specifications for Hardware Designs (abstract) 15 min
1 University of Edinburgh
ABSTRACT. Formal hardware verification ensures that a design satisfies its specifications, but writing these specifications requires substantial manual effort. Specification mining automates this process, and existing work has their own merits. The classic approaches rely on pre-defined templates, which have limited expressiveness and lack formal correctness guarantees. But recent years have seen the emergence of using formal program synthesis for specification mining, which provides general and correct specifications but struggles to scale to complex designs. In this work, we present MAPminer, a parallel framework for synthesis-based hardware specification mining. MAPminer exploits its novel algorithm based on the Maximum Universal Subset and partitions the synthesis problem into efficient sub-problems. These sub-problems are automatically scheduled across multiple threads for parallel synthesis. Experimental results show that \name produces more effective assertions, improving verification coverage while reducing assertion size. |
| 16:45-17:00 |
A mechanised, bidirectional type system for bit-width determination in SystemVerilog (abstract) 15 min
1 École normale supérieure – PSL
2 Imperial College London
ABSTRACT. SystemVerilog remains one of the most widely used languages for designing and verifying digital circuits. Despite its importance, the SystemVerilog standard suffers from ambiguities, which can lead to inconsistent implementations and portability challenges. Formal methods can provide precise semantics to address these issues. We focus on SystemVerilog's mechanism for determining the bit-width of each expression that appears in a design. This is surprisingly subtle because an expression's bit-width can depend on both its children \emph{and} its parents. First, we develop a Rocq formalization of the current SystemVerilog specification. We then construct a bidirectional type system that captures the context-dependent nature of SystemVerilog expressions and prove it equivalent to our formalization of the existing IEEE standard using Rocq. We provide a reference implementation that determines bit-widths in linear time and prove its correspondence to our system, also in Rocq. Based on these results, we propose revisions to the text of the standard that reduce redundancy and improve precision. |


