Structural Temporal Logic for Mechanized Program Verification

TL;DR

This paper introduces Ticl, a structural temporal logic that enables modular, high-level, compositional proofs of liveness and safety properties in infinite programs with effects, improving mechanized verification processes.

Contribution

Ticl provides a novel framework for reasoning about temporal properties at the program construct level, bridging the verification gap and simplifying proofs in proof assistants.

Findings

Mechanized proofs of safety and liveness for concurrent and distributed programs.

Ticl enables high-level, compositional reasoning at the program structure level.

Proof-to-code ratio is significantly reduced in verified programs.

Abstract

Mechanized verification of liveness properties for infinite programs with effects and nondeterminism is challenging. Existing temporal reasoning frameworks operate at the level of models such as traces and automata. Reasoning happens at a very low-level, requiring complex nested (co-)inductive proof techniques and familiarity with proof assistant mechanics (e.g., the guardedness checker). Further, reasoning at the level of models instead of program constructs creates a verification gap that loses the benefits of modularity and composition enjoyed by structural program logics such as Hoare Logic. To address this verification gap, and the lack of compositional proof techniques for temporal specifications, we propose Ticl, a new structural temporal logic. Using ticl, we encode complex (co-)inductive proof techniques as structural lemmas and focus our reasoning on variants and invariants. We show that it is possible to perform compositional proofs of general temporal properties in a proof assistant, while working at a high level of abstraction. We demonstrate the benefits of Ticl by giving mechanized proofs of safety and liveness properties for programs with scheduling, concurrent shared memory, and distributed consensus, demonstrating a low proof-to-code ratio.