pith. sign in

arxiv: 2604.10186 · v3 · submitted 2026-04-11 · 💻 cs.DC

Verifying In-Network Computing Systems for Design Risks

Tianyu Bai , Ying Zhang , Xiaoxi Zhang , Wenfei Wu This is my paper

Pith reviewed 2026-05-10 15:32 UTC · model grok-4.3

classification 💻 cs.DC
keywords in-network computingprogrammable switchessystem verificationmodel checkingdesign risksnetwork exceptionsINCGuard
0
0 comments X

The pith

INCGuard translates in-network computing systems into state transition models to detect risks from packet loss and reordering.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

In-network computing places computation inside network switches to cut latency and bandwidth use, but packet loss and out-of-order delivery can break application guarantees such as cache consistency or lock mutual exclusion. Exhaustive testing cannot cover every combination of these exceptions, so developers lack assurance that their designs are safe. INCGuard supplies a compact specification language, lets users define network behaviors, and accepts INC-specific properties. It converts the description into a state machine, runs model checking with targeted optimizations, and returns concrete traces of any property violation. The authors applied it to seven existing INC systems and located risks that later appeared when the same systems ran on real hardware.

Core claim

INCGuard is the first general-purpose verifier for INC systems. It accepts high-level system descriptions, configurable network environments, and correctness properties, converts them to state transition representations, performs model checking, and reports violation traces. Optimizations tailored to INC scenarios keep the state space manageable. Seven INC systems were modeled and checked in seconds; the reported risks were then reproduced in actual deployments.

What carries the argument

State transition representation of the INC system together with model checking under configurable network exceptions and INC-specific property checks.

If this is right

  • Developers can specify INC systems in far fewer lines of code than before.
  • Verification of complete INC designs finishes in seconds rather than requiring exhaustive manual testing.
  • Risks affecting application-level properties such as consistency or exclusion can be identified before deployment.
  • Violation traces give concrete sequences of packets and exceptions that expose the flaw.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same modeling approach could be reused to check other programmable data-plane programs that interact with unreliable networks.
  • Embedding INCGuard-style checks into the INC development toolchain might catch errors earlier than post-deployment testing.
  • The reported speed for seven systems suggests that modest further reductions in state space could handle larger production INC applications.

Load-bearing premise

The state machines and network configurations inside INCGuard must include every relevant real-world exception and timing behavior so that reported violations actually occur in deployed systems.

What would settle it

Model an INC system already known to be safe under all exceptions, run INCGuard, and observe whether it reports a violation that never appears when the same system runs on real switches.

Figures

Figures reproduced from arXiv: 2604.10186 by Tianyu Bai, Wenfei Wu, Xiaoxi Zhang, Ying Zhang.

Figure 1
Figure 1. Figure 1: The workflow of INCGuard. The left half deals with nodes and links, while the right deals with states and transitions. network, specify the INC protocol, and express correctness properties. The user submits its INC system specification to the INC￾Guard compiler, which converts it into a low-level state tran￾sition representation. The model checker then reads the con￾verted specification and performs verifi… view at source ↗
Figure 2
Figure 2. Figure 2: The grammar of INCGuard’s specification language, simplified to highlight the core structure. 4 [PITH_FULL_IMAGE:figures/full_fig_p004_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: An example thread. • Breakpoint. Interpreting every statement as a transition would lead to an overwhelming expansion of the state space. INCGuard runs model checking in a coarser granularity by requiring users to explicitly designate breakpoints in threads. Thread suspension and switch only occur at breakpoints. Wait, Exit, Send, Multicast, and Receive are mandatory break￾points. To expose all intermediat… view at source ↗
Figure 4
Figure 4. Figure 4: The specification of NetCache. the latter case, all threads within the same node also termi￾nate. A terminated thread is permanently blocked. The system terminates when every thread terminates. Specific network abstractions in INCGuard are realized with additional states. INCGuard maintains a dictionary that maps each node to a sequence of packets, denoting its receive buffer. INCGuard also maintains a rou… view at source ↗
Figure 5
Figure 5. Figure 5: The verification time, state space diameter, and state space size of NetCache [PITH_FULL_IMAGE:figures/full_fig_p007_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: The effect of symmetry reduction. 0 1 2 3 4 Maximum Packet Loss 0 5 10 15 20 Time (s) Time Found States 0 1 2 3 4 Found States 1e6 (a) Loss. 0 2 4 Maximum Packet Out-of-Order 0 5 10 Time (s) Time Found States 0 1 2 Found States 1e6 (b) Out-of-order. 0 1 2 3 Maximum Packet Duplication 0 50 100 150 Time (s) Time Found States 0 1 2 3 Found States 1e7 (c) Duplication [PITH_FULL_IMAGE:figures/full_fig_p008_6.png] view at source ↗
Figure 8
Figure 8. Figure 8: The overhead of property checking. 7 Verification Result This section describes how we model three INC applications involving seven protocols, the property violations identified within these protocols, and their possible fixes [PITH_FULL_IMAGE:figures/full_fig_p008_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: An example of cache consistency. All operations per￾form on the same item. W(n) means writing its value to n. R1,R2 are two reads. In INCGuard, an operation starts when the client sends a request and ends when it receives a reply. Each operation is assigned a unique ID. Retransmitted requests are treated as new operations. We propose Algorithm 1 to check cache consistency. This algorithm is implemented as … view at source ↗
Figure 10
Figure 10. Figure 10: An execution trace of cache consistency violation in NetCache. All operations perform on the same item, which is initially V0 and cached in the switch. Dashed lines represent packet loss. Important events are marked in red. invalid, the switch forwards it to the server. The server blocks it, as the previous update has not yet completed. After a time￾out, the server retransmits the previous update. The swi… view at source ↗
Figure 12
Figure 12. Figure 12: An execution trace of lock exclusion violation in FISSLOCK. All operations perform on the same lock, which is initially free and cached in the switch. Important events are marked in red. considers the lock free. At this point, if a client on another machine attempts to acquire the lock at this point, the switch will directly grant it. This will violate lock exclusion if one of the two clients holds the lo… view at source ↗
read the original abstract

The emergence of programmable switches has brought in-network computing (INC) into the spotlight in recent years. By offloading computation directly onto the data transmission process, INC improves network utilization, reduces latency to sub-RTT levels, saves link bandwidth, and maintains throughput. However, INC disrupts the transparency of traditional networks, forcing developers to consider network exceptions like packet loss and out-of-order. If not properly handled, these exceptions can lead to violations of application properties, such as cache consistency and lock exclusion. Usual testing cannot exhaustively cover these exceptions, raising doubts about the correctness of INC systems and hindering their deployment in the industry. This paper presents INCGuard, the first general-purpose tool for verifying INC systems. INCGuard provides a high-level specification language and saves developers 67.2% lines of code on average. To help better understand the behavior of the system, INCGuard offers configurable network environments. INCGuard enables developers to express INC-specific correctness properties. INCGuard translates developer-specified systems into state transition representations, performs model checking to detect potential design risks, and reports violation traces to developers. We propose optimizations for INC-specific scenarios to address the challenge of state space explosion. We modeled seven INC systems and identified their risks with INCGuard in seconds. We further reproduce them in real systems to confirm the validity of our verification result.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The manuscript presents INCGuard as the first general-purpose tool for verifying in-network computing (INC) systems. It provides a high-level specification language (saving 67.2% lines of code on average), configurable network environments, support for INC-specific correctness properties, translation of systems into state transition representations, model checking to detect design risks from exceptions like packet loss and reordering, and optimizations for state space explosion. The authors model seven INC systems, identify risks in seconds, and reproduce the violations in real systems.

Significance. If the state transition models and configurable environments faithfully represent real INC behaviors and exceptions, the work could meaningfully advance verification practices for programmable networks, where exhaustive testing is infeasible and correctness properties like cache consistency are critical. The reproduction of detected violations in real systems provides concrete validation for the traces found, and the claimed code savings and speed are practical strengths. However, the overall significance hinges on the completeness of the abstraction.

major comments (3)
  1. [State transition representations and configurable network environments] The central claim that INCGuard identifies actual design risks rests on the state transition representations and configurable network environments accurately capturing all relevant real-world exceptions and behaviors (including packet loss, reordering, hardware timing, and P4-specific pipeline effects). The abstract states that violations are reproduced in real systems, but this only confirms the found traces; it does not establish model completeness or rule out omitted exceptions. This is load-bearing for the verification results and the mapping from detected violations to real failures.
  2. [Optimizations for INC-specific scenarios] The optimizations for INC-specific scenarios to address state space explosion are described as necessary, but without an explicit argument or proof that they preserve the original semantics of the modeled systems, they risk introducing false negatives or altering violation detection. This directly affects the soundness of the model checking results reported for the seven systems.
  3. [Evaluation on seven INC systems] The evaluation models seven INC systems and reports risks identified in seconds with real-system reproduction, but provides no details on modeling fidelity, coverage of exceptions, or how each violation maps to actual failures. This information is required to assess whether the approach is robust or whether the results could be incomplete due to abstraction gaps.
minor comments (2)
  1. [Introduction] The claim of being the 'first general-purpose tool' should be supported by a more detailed comparison to prior model-checking work on networks or programmable switches, including any domain-specific limitations of existing tools.
  2. [Evaluation] The 67.2% average lines-of-code savings is a useful metric; include the per-system breakdown and the baseline (e.g., direct P4 or other specification) in the evaluation to allow readers to interpret the figure.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. We address each major comment point-by-point below. Where the comments identify gaps in the original manuscript, we have revised the paper to incorporate additional explanations, details, and discussions of limitations.

read point-by-point responses

  1. Referee: The central claim that INCGuard identifies actual design risks rests on the state transition representations and configurable network environments accurately capturing all relevant real-world exceptions and behaviors (including packet loss, reordering, hardware timing, and P4-specific pipeline effects). The abstract states that violations are reproduced in real systems, but this only confirms the found traces; it does not establish model completeness or rule out omitted exceptions. This is load-bearing for the verification results and the mapping from detected violations to real failures.

    Authors: We agree that the fidelity of the state transition models and configurable environments is central to the claims. The revised manuscript expands Section 3 to explicitly enumerate all modeled exceptions (packet loss, reordering, duplication, and bounded delays drawn from P4 pipeline semantics) and describes how the configurable environments allow users to instantiate them. We have also added a new limitations subsection that openly discusses the abstraction boundaries, noting that while we cannot claim exhaustive coverage of every conceivable hardware timing or pipeline effect, the modeled behaviors are derived from standard INC literature and validated through reproduction experiments. The real-system reproductions provide concrete evidence that the detected traces correspond to observable failures, thereby supporting the mapping from model to practice. revision: yes

  2. Referee: The optimizations for INC-specific scenarios to address state space explosion are described as necessary, but without an explicit argument or proof that they preserve the original semantics of the modeled systems, they risk introducing false negatives or altering violation detection. This directly affects the soundness of the model checking results reported for the seven systems.

    Authors: We acknowledge that the original manuscript described the optimizations without a dedicated semantic-preservation argument. In the revision we have added Section 4.3 containing an informal but rigorous equivalence argument: each optimization (INC-specific state abstraction for cache and lock operations, and symmetry reduction over network configurations) is shown to preserve the set of reachable states relevant to the checked properties. We prove that no violating trace is eliminated by demonstrating that the reduced model simulates the original for the INC-specific correctness properties. This addition directly addresses soundness concerns for the reported results on the seven systems. revision: yes

  3. Referee: The evaluation models seven INC systems and reports risks identified in seconds with real-system reproduction, but provides no details on modeling fidelity, coverage of exceptions, or how each violation maps to actual failures. This information is required to assess whether the approach is robust or whether the results could be incomplete due to abstraction gaps.

    Authors: We agree that additional detail is required for readers to evaluate robustness. The revised manuscript includes a new appendix (Appendix B) that provides, for each of the seven systems: (1) the precise modeling choices and fidelity level, (2) the specific exceptions instantiated in the configurable environment for that case, and (3) a table explicitly mapping each reported violation trace to the corresponding real-system reproduction, including the observed failure behavior. These additions allow direct assessment of coverage and the link between model-detected risks and practical failures. revision: yes

Circularity Check

0 steps flagged

No circularity: INCGuard is a tool built on standard model checking

full rationale

The paper presents INCGuard as an engineering artifact: a high-level specification language, translation to state-transition systems, model checking with INC-specific optimizations, and reporting of traces. No equations, predictions, fitted parameters, or first-principles derivations appear in the provided text; the workflow is a direct implementation of model checking applied to developer-specified INC systems. Claims rest on concrete modeling of seven systems plus external reproduction in real hardware, not on any self-referential reduction. The only potential concern is model fidelity (an external assumption), which does not constitute circularity under the defined patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The work relies on standard assumptions of model checking (finite state spaces, exhaustive exploration) and domain assumptions about network exceptions; no free parameters, invented entities, or ad-hoc axioms are introduced in the abstract.

axioms (1)
  • domain assumption Model checking can exhaustively explore all possible network exception scenarios for the modeled INC systems.
    Invoked when claiming that risks are identified and that real-system reproduction confirms the results.

pith-pipeline@v0.9.0 · 5538 in / 1152 out tokens · 22868 ms · 2026-05-10T15:32:41.043820+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

64 extracted references · 64 canonical work pages

  1. [1]

    What consistency does your key-value store actually provide?HP Laboratories Technical Re- port, 01 2010

    Eric Anderson, Xiaozhou Li, Mehul Shah, Joseph Tucek, and Jay Wylie. What consistency does your key-value store actually provide?HP Laboratories Technical Re- port, 01 2010. 12

    work page 2010

  2. [2]

    A generalized mutual exclusion problem and its algorithm

    Aoxueluo, Weigang Wu, Jiannong Cao, and Michel Ray- nal. A generalized mutual exclusion problem and its algorithm. InProceedings of the 2013 42nd Interna- tional Conference on Parallel Processing, ICPP ’13, page 300–309, USA, 2013. IEEE Computer Society

    work page 2013

  3. [3]

    The MIT Press, 2008

    Christel Baier and Joost-Pieter Katoen.Principles of model checking (representation and mind series). The MIT Press, 2008

    work page 2008

  4. [4]

    Modeling distributed algorithms by ab- stract state machines compared to Petri nets

    Egon Börger. Modeling distributed algorithms by ab- stract state machines compared to Petri nets. In Michael Butler, Klaus-Dieter Schewe, Atif Mashkoor, and Mik- los Biro, editors,Abstract State Machines, Alloy, B, TLA, VDM, and Z, pages 3–34, Cham, 2016. Springer Inter- national Publishing

    work page 2016

  5. [5]

    P4: Programming protocol-independent packet processors.SIGCOMM Comput

    Pat Bosshart, Dan Daly, Glen Gibb, Martin Izzard, Nick McKeown, Jennifer Rexford, Cole Schlesinger, Dan Talayco, Amin Vahdat, George Varghese, and David Walker. P4: Programming protocol-independent packet processors.SIGCOMM Comput. Commun. Rev., 44(3):87–95, July 2014

    work page 2014

  6. [6]

    Broadcom trident, 2025

    Broadcom. Broadcom trident, 2025

    work page 2025

  7. [7]

    Liu, and Scott D

    Saksham Chand, Yanhong A. Liu, and Scott D. Stoller. Formal verification of multi-paxos for distributed con- sensus. In John Fitzgerald, Constance Heitmeyer, Stefa- nia Gnesi, and Anna Philippou, editors,FM 2016: For- mal Methods, pages 119–136, Cham, 2016. Springer International Publishing

    work page 2016

  8. [8]

    Academic Press, Inc., USA, 1st edition, 1997

    Chin-Liang Chang and Richard Char-Tung Lee.Sym- bolic logic and mechanical theorem proving. Academic Press, Inc., USA, 1st edition, 1997

    work page 1997

  9. [9]

    Cisco Silicon One

    Cisco. Cisco Silicon One. https://blogs.cisco. com/sp/one-silicon-one-experience-multipl e-roles, 2019

    work page 2019

  10. [10]

    E. M. Clarke, E. A. Emerson, and A. P. Sistla. Auto- matic verification of finite-state concurrent systems us- ing temporal logic specifications.ACM Transactions on Programming Languages and Systems, page 244–263, April 1986

    work page 1986

  11. [11]

    Cooper, Adam Silberstein, Erwin Tam, Raghu Ramakrishnan, and Russell Sears

    Brian F. Cooper, Adam Silberstein, Erwin Tam, Raghu Ramakrishnan, and Russell Sears. Benchmarking cloud serving systems with YCSB. InProceedings of the 1st ACM Symposium on Cloud Computing, SoCC ’10, page 143–154, New York, NY , USA, 2010. Association for Computing Machinery

    work page 2010

  12. [12]

    Muthukrishnan

    Graham Cormode and S. Muthukrishnan. An improved data stream summary: The Count-Min sketch and its applications.Journal of Algorithms, 55(1):58–75, 2005

    work page 2005

  13. [13]

    P4xos: Consensus as a network service.IEEE/ACM Transac- tions on Networking, 28(4):1726–1738, 2020

    Huynh Tu Dang, Pietro Bressana, Han Wang, Ki Suh Lee, Noa Zilberman, Hakim Weatherspoon, Marco Canini, Fernando Pedone, and Robert Soulé. P4xos: Consensus as a network service.IEEE/ACM Transac- tions on Networking, 28(4):1726–1738, 2020

    work page 2020

  14. [14]

    NetPaxos: Consensus at network speed

    Huynh Tu Dang, Daniele Sciascia, Marco Canini, Fer- nando Pedone, and Robert Soulé. NetPaxos: Consensus at network speed. InProceedings of the 1st ACM SIG- COMM Symposium on Software Defined Networking Research, SOSR ’15, New York, NY , USA, 2015. Asso- ciation for Computing Machinery

    work page 2015

  15. [15]

    Satisfiability modulo theories: Introduction and applications.Com- mun

    Leonardo De Moura and Nikolaj Bjørner. Satisfiability modulo theories: Introduction and applications.Com- mun. ACM, 54(9):69–77, September 2011

    work page 2011

  16. [16]

    Docker, Inc. Docker. https://www.docker.com/, 2013

    work page 2013

  17. [17]

    bf4: Towards bug-free P4 programs

    Dragos Dumitrescu, Radu Stoenescu, Lorina Negreanu, and Costin Raiciu. bf4: Towards bug-free P4 programs. InProceedings of the Annual Conference of the ACM Special Interest Group on Data Communication on the Applications, Technologies, Architectures, and Protocols for Computer Communication, SIGCOMM ’20, page 571–585, New York, NY , USA, 2020. Association...

    work page 2020

  18. [18]

    Allen Emerson and A

    E. Allen Emerson and A. Prasad Sistla. Symme- try and model checking.Form. Methods Syst. Des., 9(1–2):105–131, August 1996

    work page 1996

  19. [19]

    Uncovering bugs in P4 programs with assertion-based verification

    Lucas Freire, Miguel Neves, Lucas Leal, Kirill Levchenko, Alberto Schaeffer-Filho, and Marinho Barcellos. Uncovering bugs in P4 programs with assertion-based verification. InProceedings of the Symposium on SDN Research, SOSR ’18, New York, NY , USA, 2018. Association for Computing Machinery

    work page 2018

  20. [20]

    Splendid isolation: A slice abstraction for software-defined networks

    Stephen Gutz, Alec Story, Cole Schlesinger, and Nate Foster. Splendid isolation: A slice abstraction for software-defined networks. InProceedings of the First Workshop on Hot Topics in Software Defined Networks, HotSDN ’12, page 79–84, New York, NY , USA, 2012. Association for Computing Machinery

    work page 2012

  21. [21]

    Holzmann

    G.J. Holzmann. The model checker SPIN.IEEE Trans- actions on Software Engineering, page 279–295, May 1997

    work page 1997

  22. [22]

    Huawei netengine, 2025

    Huawei. Huawei netengine, 2025

    work page 2025

  23. [23]

    Barefoot Tofino

    Intel. Barefoot Tofino. https://www.intel.com/co ntent/www/us/en/products/network-io/progra mmable-ethernet-switch.html#tofino, 2020. 13

    work page 2020

  24. [24]

    Tofino native architecture

    Intel. Tofino native architecture. https: //github.com/barefootnetworks/Open-Tofino/ blob/master/PUBLIC_Tofino-Native-Arch.pdf, 2021

    work page 2021

  25. [25]

    NetChain: Scale-free sub-RTT coordination

    Xin Jin, Xiaozhou Li, Haoyu Zhang, Nate Foster, Jeongkeun Lee, Robert Soulé, Changhoon Kim, and Ion Stoica. NetChain: Scale-free sub-RTT coordination. In 15th USENIX Symposium on Networked Systems Design and Implementation (NSDI 18), pages 35–49, Renton, W A, April 2018. USENIX Association

    work page 2018

  26. [26]

    NetCache: Balancing key-value stores with fast in-network caching

    Xin Jin, Xiaozhou Li, Haoyu Zhang, Robert Soulé, Jeongkeun Lee, Nate Foster, Changhoon Kim, and Ion Stoica. NetCache: Balancing key-value stores with fast in-network caching. InProceedings of the 26th Sympo- sium on Operating Systems Principles, SOSP ’17, page 121–136, New York, NY , USA, 2017. Association for Computing Machinery

    work page 2017

  27. [27]

    Checking cache- coherence protocols with tla+.Form

    Rajeev Joshi, Leslie Lamport, John Matthews, Serdar Tasiran, Mark Tuttle, and Yuan Yu. Checking cache- coherence protocols with tla+.Form. Methods Syst. Des., 22(2):125–131, March 2003

    work page 2003

  28. [28]

    Header space analysis: Static checking for net- works

    Peyman Kazemian, George Varghese, and Nick McKe- own. Header space analysis: Static checking for net- works. InProceedings of the 9th USENIX Confer- ence on Networked Systems Design and Implementation, NSDI’12, page 9, USA, 2012. USENIX Association

    work page 2012

  29. [29]

    Model checking with strong fairness.Formal Meth- ods in System Design, 28(1):57–84, 2006

    Yonit Kesten, Amir Pnueli, Li-On Raviv, and Elad Sha- har. Model checking with strong fairness.Formal Meth- ods in System Design, 28(1):57–84, 2006

    work page 2006

  30. [30]

    Kfoury, Jorge Crichigno, and Elias Bou-Harb

    Elie F. Kfoury, Jorge Crichigno, and Elias Bou-Harb. An exhaustive survey on P4 programmable data plane switches: Taxonomy, applications, challenges, and fu- ture trends.IEEE Access, 9:87094–87155, 2021

    work page 2021

  31. [31]

    Khakpour and Alex X

    Amir R. Khakpour and Alex X. Liu. Quantifying and querying network reachability. In2010 IEEE 30th Inter- national Conference on Distributed Computing Systems, pages 817–826, 2010

    work page 2010

  32. [32]

    Brighten Godfrey

    Ahmed Khurshid, Xuan Zou, Wenxuan Zhou, Matthew Caesar, and P. Brighten Godfrey. Veriflow: Verifying network-wide invariants in real time. In10th USENIX Symposium on Networked Systems Design and Imple- mentation (NSDI 13), pages 15–27, Lombard, IL, April

    work page

  33. [33]

    Daehyeok Kim, Jacob Nelson, Dan R. K. Ports, Vyas Sekar, and Srinivasan Seshan. Redplane: Enabling fault- tolerant stateful in-switch applications. InProceedings of the 2021 ACM SIGCOMM 2021 Conference, SIG- COMM ’21, page 223–244, New York, NY , USA, 2021. Association for Computing Machinery

    work page 2021

  34. [34]

    Addison-Wesley, June 2002

    Leslie Lamport.Specifying systems: The TLA+ lan- guage and tools for hardware and software engineers. Addison-Wesley, June 2002

    work page 2002

  35. [35]

    The PlusCal algorithm language

    Leslie Lamport. The PlusCal algorithm language. In Martin Leucker and Carroll Morgan, editors,Theoreti- cal aspects of computing - ICTAC 2009, pages 36–60, Berlin, Heidelberg, 2009. Springer Berlin Heidelberg

    work page 2009

  36. [36]

    ATP: In-network aggregation for multi-tenant learning

    ChonLam Lao, Yanfang Le, Kshiteej Mahajan, Yixi Chen, Wenfei Wu, Aditya Akella, and Michael Swift. ATP: In-network aggregation for multi-tenant learning. In18th USENIX Symposium on Networked Systems De- sign and Implementation (NSDI 21), pages 741–761. USENIX Association, April 2021

    work page 2021

  37. [37]

    Seer: Enabling future- aware online caching in networked systems

    Jason Lei and Vishal Shrivastav. Seer: Enabling future- aware online caching in networked systems. In21st USENIX Symposium on Networked Systems Design and Implementation (NSDI 24), pages 635–649, Santa Clara, CA, April 2024. USENIX Association

    work page 2024

  38. [38]

    O’Reilly Media, Inc

    John Levine.Flex & Bison: Text processing tools. " O’Reilly Media, Inc.", 2009

    work page 2009

  39. [39]

    Sharma, Adriana Szekeres, and Dan R

    Jialin Li, Ellis Michael, Naveen Kr. Sharma, Adriana Szekeres, and Dan R. K. Ports. Just say NO to Paxos overhead: Replacing consensus with network ordering. In12th USENIX Symposium on Operating Systems De- sign and Implementation (OSDI 16), pages 467–483, Savannah, GA, November 2016. USENIX Association

    work page 2016

  40. [40]

    A survey on network verification and testing with formal methods: Approaches and challenges.IEEE Communi- cations Surveys & Tutorials, 21(1):940–969, 2019

    Yahui Li, Xia Yin, Zhiliang Wang, Jiangyuan Yao, Xin- gang Shi, Jianping Wu, Han Zhang, and Qing Wang. A survey on network verification and testing with formal methods: Approaches and challenges.IEEE Communi- cations Surveys & Tutorials, 21(1):940–969, 2019

    work page 2019

  41. [41]

    p4v: Practi- cal verification for programmable data planes

    Jed Liu, William Hallahan, Cole Schlesinger, Milad Sharif, Jeongkeun Lee, Robert Soulé, Han Wang, C˘alin Ca¸ scaval, Nick McKeown, and Nate Foster. p4v: Practi- cal verification for programmable data planes. InPro- ceedings of the 2018 Conference of the ACM Special Interest Group on Data Communication, SIGCOMM ’18, page 490–503, New York, NY , USA, 2018. ...

    work page 2018

  42. [42]

    Shuo Liu, Qiaoling Wang, Junyi Zhang, Wenfei Wu, Qinliang Lin, Yao Liu, Meng Xu, Marco Canini, Ray C. C. Cheung, and Jianfei He. In-network aggregation with transport transparency for distributed training. In Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3, ASPLOS 2023...

    work page 2023

  43. [43]

    DistCache: Provable load balancing for large- scale storage systems with distributed caching

    Zaoxing Liu, Zhihao Bai, Zhenming Liu, Xiaozhou Li, Changhoon Kim, Vladimir Braverman, Xin Jin, and Ion Stoica. DistCache: Provable load balancing for large- scale storage systems with distributed caching. In17th USENIX Conference on File and Storage Technologies (FAST 19), pages 143–157, Boston, MA, February 2019. USENIX Association

    work page 2019

  44. [44]

    A hierarchy of tem- poral properties (invited paper, 1989)

    Zohar Manna and Amir Pnueli. A hierarchy of tem- poral properties (invited paper, 1989). InProceedings of the Ninth Annual ACM Symposium on Principles of Distributed Computing, PODC ’90, page 377–410, New York, NY , USA, 1990. Association for Computing Ma- chinery

    work page 1989

  45. [45]

    Model checking large network protocol implementations

    Madanlal Musuvathi, Dawson R Engler, et al. Model checking large network protocol implementations. In NSDI, volume 4, pages 12–12, 2004

    work page 2004

  46. [46]

    ns-3: Network simulator 3

    ns 3 Consortium. ns-3: Network simulator 3. https: //www.nsnam.org/, 2006

    work page 2006

  47. [47]

    Dan R. K. Ports, Jialin Li, Vincent Liu, Naveen Kr. Sharma, and Arvind Krishnamurthy. Designing dis- tributed systems using approximate synchrony in data center networks. In12th USENIX Symposium on Net- worked Systems Design and Implementation (NSDI 15), pages 43–57, Oakland, CA, May 2015. USENIX Asso- ciation

    work page 2015

  48. [48]

    Plankton: Scal- able network configuration verification through model checking

    Santhosh Prabhu, Kuan Yen Chou, Ali Kheradmand, Brighten Godfrey, and Matthew Caesar. Plankton: Scal- able network configuration verification through model checking. In17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20), pages 953–967, Santa Clara, CA, February 2020. USENIX Association

    work page 2020

  49. [49]

    Scaling distributed machine learning with in-network aggregation

    Amedeo Sapio, Marco Canini, Chen-Yu Ho, Jacob Nelson, Panos Kalnis, Changhoon Kim, Arvind Kr- ishnamurthy, Masoud Moshref, Dan Ports, and Peter Richtarik. Scaling distributed machine learning with in-network aggregation. In18th USENIX Symposium on Networked Systems Design and Implementation (NSDI 21), pages 785–808. USENIX Association, April 2021

    work page 2021

  50. [50]

    Siyuan Sheng, Huancheng Puyang, Qun Huang, Lu Tang, and Patrick P. C. Lee. FarReach: Write-back caching in programmable switches. In2023 USENIX Annual Technical Conference (USENIX ATC 23), pages 571–584, Boston, MA, July 2023. USENIX Association

    work page 2023

  51. [51]

    Fix with P6: Verifying programmable switches at runtime

    Apoorv Shukla, Kevin Hudemann, Zsolt Vági, Lily Hügerich, Georgios Smaragdakis, Artur Hecker, Stefan Schmid, and Anja Feldmann. Fix with P6: Verifying programmable switches at runtime. InIEEE INFOCOM 2021 - IEEE Conference on Computer Communications, pages 1–10, 2021

    work page 2021

  52. [52]

    Debugging p4 pro- grams with Vera

    Radu Stoenescu, Dragos Dumitrescu, Matei Popovici, Lorina Negreanu, and Costin Raiciu. Debugging p4 pro- grams with Vera. InProceedings of the 2018 Conference of the ACM Special Interest Group on Data Communi- cation, SIGCOMM ’18, page 518–532, New York, NY , USA, 2018. Association for Computing Machinery

    work page 2018

  53. [53]

    Aquila: A practically usable verification system for production- scale programmable data planes

    Bingchuan Tian, Jiaqi Gao, Mengqi Liu, Ennan Zhai, Yanqing Chen, Yu Zhou, Li Dai, Feng Yan, Mengjing Ma, Ming Tang, Jie Lu, Xionglie Wei, Hongqiang Harry Liu, Ming Zhang, Chen Tian, and Minlan Yu. Aquila: A practically usable verification system for production- scale programmable data planes. InProceedings of the 2021 ACM SIGCOMM 2021 Conference, SIGCOMM ...

    work page 2021

  54. [54]

    Preemptive switch memory usage to accelerate training jobs with shared in-network aggregation

    Hao Wang, Yuxuan Qin, ChonLam Lao, Yanfang Le, Wenfei Wu, and Kai Chen. Preemptive switch memory usage to accelerate training jobs with shared in-network aggregation. In2023 IEEE 31st International Confer- ence on Network Protocols (ICNP), pages 1–12, 2023

    work page 2023

  55. [55]

    Xie, Jibin Zhan, D.A

    G.G. Xie, Jibin Zhan, D.A. Maltz, Hui Zhang, A. Green- berg, G. Hjalmtysson, and J. Rexford. On static reach- ability analysis of IP networks. InProceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies., volume 3, pages 2170– 2183 vol. 3, 2005

    work page 2005

  56. [56]

    Hongkun Yang and Simon S. Lam. Real-time verifi- cation of network properties using atomic predicates. IEEE/ACM Transactions on Networking, 24(2):887– 900, 2016

    work page 2016

  57. [57]

    Using trio: Juniper networks’ programmable chipset-for emerging in-network applications

    Mingran Yang, Alex Baban, Valery Kugel, Jeff Libby, Scott Mackie, Swamy Sadashivaiah Renu Kananda, Chang-Hong Wu, and Manya Ghobadi. Using trio: Juniper networks’ programmable chipset-for emerging in-network applications. InProceedings of ACM SIG- COMM, pages 633–648, 2022

    work page 2022

  58. [58]

    Horus: Granular in-network task scheduler for cloud datacenters

    Parham Yassini, Khaled Diab, Saeed Mahloujifar, and Mohamed Hefeeda. Horus: Granular in-network task scheduler for cloud datacenters. In21st USENIX Sympo- sium on Networked Systems Design and Implementation (NSDI 24), pages 1–22, Santa Clara, CA, April 2024. USENIX Association

    work page 2024

  59. [59]

    NetLock: Fast, cen- tralized lock management using programmable switches

    Zhuolong Yu, Yiwen Zhang, Vladimir Braverman, Mosharaf Chowdhury, and Xin Jin. NetLock: Fast, cen- tralized lock management using programmable switches. InProceedings of the Annual Conference of the ACM Special Interest Group on Data Communication on the Applications, Technologies, Architectures, and Protocols for Computer Communication, SIGCOMM ’20, page...

    work page 2020

  60. [60]

    NetSMC: A custom symbolic model checker for stateful network verification

    Yifei Yuan, Soo-Jin Moon, Sahil Uppal, Limin Jia, and Vyas Sekar. NetSMC: A custom symbolic model checker for stateful network verification. In17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20), pages 181–200, Santa Clara, CA, February 2020. USENIX Association

    work page 2020

  61. [61]

    In-network address caching for virtual networks

    Lior Zeno, Ang Chen, and Mark Silberstein. In-network address caching for virtual networks. InProceedings of the ACM SIGCOMM 2024 Conference, ACM SIG- COMM ’24, page 735–749, New York, NY , USA, 2024. Association for Computing Machinery

    work page 2024

  62. [62]

    Fast and scalable in-network lock management using lock fission

    Hanze Zhang, Ke Cheng, Rong Chen, and Haibo Chen. Fast and scalable in-network lock management using lock fission. In18th USENIX Symposium on Operating Systems Design and Implementation (OSDI 24), pages 251–268, Santa Clara, CA, July 2024. USENIX Associ- ation

    work page 2024

  63. [63]

    Automated verification of an in-production DNS authoritative engine

    Naiqian Zheng, Mengqi Liu, Yuxing Xiang, Linjian Song, Dong Li, Feng Han, Nan Wang, Yong Ma, Zhuo Liang, Dennis Cai, Ennan Zhai, Xuanzhe Liu, and Xin Jin. Automated verification of an in-production DNS authoritative engine. InProceedings of the 29th Sym- posium on Operating Systems Principles, SOSP ’23, page 80–95, New York, NY , USA, 2023. Association fo...

    work page 2023

  64. [64]

    RackSched: A microsecond-scale scheduler for rack-scale computers

    Hang Zhu, Kostis Kaffes, Zixu Chen, Zhenming Liu, Christos Kozyrakis, Ion Stoica, and Xin Jin. RackSched: A microsecond-scale scheduler for rack-scale computers. In14th USENIX Symposium on Operating Systems De- sign and Implementation (OSDI 20), pages 1225–1240. USENIX Association, November 2020. 16 Appendix A Verification Result of Lock Management System...

    work page 2020