Simplifying Safety Proofs with Forward-Backward Reasoning and Prophecy

TL;DR

This paper introduces an incremental safety proof method combining forward, backward, and prophecy reasoning to simplify invariants and reduce proof complexity.

Contribution

It presents a novel proof system that decomposes safety proofs into simpler steps, increasing proof power and reducing invariant complexity.

Findings

Incremental approach simplifies safety proofs for Paxos, Raft, and variants.

Forward-backward reasoning reduces Boolean complexity of invariants.

Prophecy steps eliminate quantifiers and quantifier alternations.

Abstract

We propose an incremental approach for safety proofs that decomposes a proof with a complex inductive invariant into a sequence of simpler proof steps. Our proof system combines rules for (i) forward reasoning using inductive invariants, (ii) backward reasoning using inductive invariants of a time-reversed system, and (iii) prophecy steps that add witnesses for existentially quantified properties. We prove each rule sound and give a construction that recovers a single safe inductive invariant from an incremental proof. The construction of the invariant demonstrates the increased complexity of a single inductive invariant compared to the invariant formulas used in an incremental proof, which may have simpler Boolean structures and fewer quantifiers and quantifier alternations. Under natural restrictions on the available invariant formulas, each proof rule strictly increases proof power. That is, each rule allows to prove more safety problems with the same set of formulas. Thus, the incremental approach is able to reduce the search space of invariant formulas needed to prove safety of a given system. A case study on Paxos, several of its variants, and Raft demonstrates that forward-backward steps can remove complex Boolean structure while prophecy eliminates quantifiers and quantifier alternations.