Lamport's celebrated Paxos consensus protocol is generally viewed as a complex hard-to-understand algorithm. Notwithstanding its complexity, in this paper, we take a step towards automatically proving the safety of Paxos by taking advantage of three structural features in its specification: spatial regularity in its unordered domains, temporal regularity in its totally-ordered domain, and its hierarchical composition. By carefully integrating these structural features in IC3PO, a novel model checking algorithm, we were able to infer an inductive invariant that identically matches the human-written one previously derived with significant manual effort using interactive theorem proving. While various attempts have been made to verify different versions of Paxos, to the best of our knowledge, this is the first demonstration of an automatically-inferred inductive invariant for Lamport's original Paxos specification. We note that these structural features are not specific to Paxos and that IC3PO can serve as an automatic general-purpose protocol verification tool.

中文翻译：

---

迈向 Lamport 的 Paxos 的自动证明

Lamport 著名的 Paxos 共识协议通常被视为一种复杂的难以理解的算法。尽管它很复杂，但在本文中，我们通过利用其规范中的三个结构特征自动证明 Paxos 的安全性迈出了一步：无序域中的空间规律性、全序域中的时间规律性和层次结构. 通过在 IC3PO（一种新型模型检查算法）中仔细集成这些结构特征，我们能够推断出一个归纳不变量，该归纳不变量与之前使用交互式定理证明通过大量人工努力推导出的人类编写的不变量完全匹配。虽然已经进行了各种尝试来验证不同版本的 Paxos，但据我们所知，这是针对 Lamport 的原始 Paxos 规范自动推断的归纳不变量的首次演示。我们注意到这些结构特征不是 Paxos 特有的，IC3PO 可以作为自动通用协议验证工具。