🤖 AI Summary
Database transaction isolation anomalies—particularly those arising from design flaws—are prevalent in production systems, yet existing approaches lack a mathematically rigorous, systematic, and tool-supported formal verification framework. This paper introduces the first fully automated verification framework for transaction isolation, built in Isabelle/HOL. It enables full-path formal verification of core isolation properties—including strict serializability—for the first time. The framework precisely models concurrent transaction semantics, defines formal isolation specifications, and integrates counterexample generation. Applied during protocol design, it uncovers deep correctness flaws: it formally verifies that Strict Two-Phase Locking satisfies strict serializability, and—critically—identifies for the first time that the TAPIR protocol violates atomic visibility, automatically generating an executable counterexample. This work establishes a verifiable, reusable theoretical foundation and practical toolset for database isolation assurance.
📝 Abstract
Isolation bugs, stemming especially from design-level defects, have been repeatedly found in carefully designed and extensively tested production databases over decades. In parallel, various frameworks for modeling database transactions and reasoning about their isolation guarantees have been developed. What is missing, however, is a mathematically rigorous and systematic framework with tool support for formally verifying a wide range of such guarantees for all possible system behaviors. We present the first such framework, VerIso, developed within the theorem prover Isabelle/HOL. To showcase its use in verification, we model the strict two-phase locking concurrency control protocol and verify that it provides the strict serializability isolation guarantee. Moreover, we show how VerIso helps identify isolation bugs during protocol design. We derive new counterexamples for the TAPIR protocol from failed attempts to prove its claimed strict serializability. In particular, we show that it violates a much weaker isolation level, namely, atomic visibility.
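Atomic visibility, the weak isolation level named in the abstract, can be checked on a concrete execution history as the absence of fractured reads: a transaction that observes one write of a committed transaction must not observe an older version of another key that the same transaction also wrote. The checker below is an added illustration, not the paper's Isabelle/HOL model or its TAPIR counterexample; the history, transaction names T1..T5 and the use of commit order as the version order are constructed assumptions.

```python
from dataclasses import dataclass, field

INIT = "init"  # marker for the initial (pre-history) version of a key

@dataclass
class Txn:
    tid: str
    writes: dict = field(default_factory=dict)  # key -> value written
    reads: dict = field(default_factory=dict)   # key -> tid whose write was observed

def version_order(history):
    """Assumption: commit order of the list is the version order of every key."""
    order = {}
    for pos, t in enumerate(history):
        for key in t.writes:
            order[(key, t.tid)] = pos
    return order

def fractured_reads(history):
    """Return (reader, writer, key_seen, key_fractured, tid_seen_on_fractured) tuples.
    A fractured read: reader saw writer's version of key_seen but, on another key
    that writer also wrote, saw a version older than writer's (violating atomic visibility)."""
    writers = {t.tid: t for t in history}
    order = version_order(history)
    bugs = []
    for r in history:
        for k1, w1 in r.reads.items():
            if w1 == INIT:
                continue
            for k2, w2 in r.reads.items():
                if k2 == k1 or k2 not in writers[w1].writes:
                    continue
                seen_pos = -1 if w2 == INIT else order[(k2, w2)]
                if seen_pos < order[(k2, w1)]:
                    bugs.append((r.tid, w1, k1, k2, w2))
    return bugs

# Constructed history: T1 writes x and y atomically; T4 later overwrites y.
HISTORY = [
    Txn("T1", writes={"x": "1", "y": "1"}),
    Txn("T2", reads={"x": "T1", "y": INIT}),   # sees T1's x but pre-T1 y: fractured
    Txn("T3", reads={"x": "T1", "y": "T1"}),   # sees all of T1: fine
    Txn("T4", writes={"y": "2"}),
    Txn("T5", reads={"x": "T1", "y": "T4"}),   # sees T1's x and a newer y: fine
]

if __name__ == "__main__":
    for bug in fractured_reads(HISTORY):
        print("atomic visibility violated:", bug)
```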