Despite several decades of research, the problem of formal verification of infinite-state systems has resisted effective automation. We describe a system, Ivy, for interactively verifying safety of infinite-state systems. Ivy’s key principle is that whenever verification fails, Ivy graphically displays a concrete counterexample to induction. The user then interactively guides generalization from this counterexample. This process continues until an inductive invariant is found. Ivysearches for universally quantified invariants, and uses a restricted modeling language. This ensures that all verification conditions can be checked algorithmically. All user interactions are performed using graphical models, easing the user’s task. We describe our initial experience with verifying several distributed protocols.

Joint work with Oded Padon, Ken McMillan, Aurojit Panda, and Sharon Shoham. Preliminary version appeared at PLDI'16.