Verifying In-Network Computing Systems for Design Risks

📅 2026-04-11

🤖 AI Summary
This work addresses the vulnerability of In-Network Computing (INC) systems to network anomalies—such as packet loss and reordering—which can compromise critical correctness properties like cache coherence and mutual exclusion, yet remain difficult to expose through conventional testing. To tackle this challenge, we present INCGuard, the first general-purpose formal verification framework tailored for INC systems. INCGuard models system behavior using a high-level specification language, constructs state-transition models within configurable network environments, and incorporates domain-specific optimizations to mitigate state-space explosion in model checking. Empirical evaluation demonstrates that INCGuard reduces specification code by 67.2% compared to manual approaches and detects design flaws in seven real-world INC systems within seconds, supporting its efficacy and practicality.

📝 Abstract
The emergence of programmable switches has brought in-network computing (INC) into the spotlight in recent years. By offloading computation directly onto the data transmission process, INC improves network utilization, reduces latency to sub-RTT levels, saves link bandwidth, and maintains throughput. However, INC disrupts the transparency of traditional networks, forcing developers to consider network exceptions like packet loss and out-of-order delivery. If not properly handled, these exceptions can lead to violations of application properties, such as cache consistency and lock exclusion. Usual testing cannot exhaustively cover these exceptions, raising doubts about the correctness of INC systems and hindering their deployment in the industry. This paper presents INCGuard, the first general-purpose tool for verifying INC systems. INCGuard provides a high-level specification language and saves developers 67.2% of the lines of code on average. To help better understand the behavior of the system, INCGuard offers configurable network environments. INCGuard enables developers to express INC-specific correctness properties. INCGuard translates developer-specified systems into state transition representations, performs model checking to detect potential design risks, and reports violation traces to developers. We propose optimizations for INC-specific scenarios to address the challenge of state space explosion. We modeled seven INC systems and identified their risks with INCGuard in seconds. We further reproduce them in real systems to confirm the validity of our verification result.
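The workflow the abstract describes (state-transition model, configurable network environment, model checking, violation trace) can be illustrated with a small explicit-state checker. This is an added example, not INCGuard's specification language or code: the toy in-switch lock protocol, its ACQ/GRANT/REL message names and the `MAX_INFLIGHT` bound are all assumptions made for illustration.

```python
from collections import deque

CLIENTS = (0, 1)
MAX_INFLIGHT = 4  # assumed bound on queued packets; keeps the state space finite

def _set(t, i, v):
    return t[:i] + (v,) + t[i + 1:]

def successors(state, reorder):
    """Yield (label, next_state) for every enabled transition of the toy model."""
    holder, cstate, net = state
    # Client actions: request the lock, or leave the critical section.
    if len(net) < MAX_INFLIGHT:
        for i in CLIENTS:
            if cstate[i] == "idle":
                yield f"c{i} sends ACQ", (holder, _set(cstate, i, "wait"), net + (("ACQ", i),))
            elif cstate[i] == "cs":
                yield f"c{i} sends REL", (holder, _set(cstate, i, "idle"), net + (("REL", i),))
    # Network environment: FIFO delivers only the head, reordering delivers any packet.
    for k in (range(len(net)) if reorder else range(min(1, len(net)))):
        (kind, i), rest = net[k], net[:k] + net[k + 1:]
        h, cs = holder, cstate
        if kind == "ACQ" and holder in (None, i):
            # Switch grants a free lock; an ACQ from the current holder is
            # treated as a retransmission and simply re-granted.
            h, rest = i, rest + (("GRANT", i),)
        elif kind == "REL" and holder == i:
            h = None                      # switch frees the lock
        elif kind == "GRANT" and cstate[i] == "wait":
            cs = _set(cstate, i, "cs")    # client enters the critical section
        yield f"deliver {kind}({i})", (h, cs, rest)  # anything else is dropped

def check(reorder):
    """BFS over reachable states; return the shortest trace breaking lock exclusion, or None."""
    init = (None, ("idle", "idle"), ())
    seen, queue = {init}, deque([(init, [])])
    while queue:
        state, trace = queue.popleft()
        if state[1].count("cs") > 1:      # property: at most one client in the critical section
            return trace
        for label, nxt in successors(state, reorder):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [label]))
    return None

if __name__ == "__main__":
    print("FIFO network:", check(reorder=False))
    print("reordering network:", *check(reorder=True), sep="\n  ")
```

In this toy model the property holds under in-order delivery, while under reordering the checker reports a trace in which a client's new ACQ overtakes its earlier REL, so the late REL frees a lock that is held again.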
Problem

Research questions and friction points this paper is trying to address.

In-Network Computing
Design Verification
Network Exceptions
Correctness Properties
Programmable Switches
Innovation

Methods, ideas, or system contributions that make the work stand out.

In-Network Computing
Formal Verification
Model Checking
Programmable Switches
Design Risk Detection