developing correctly replicated databases using formal
play

Developing Correctly Replicated Databases Using Formal Tools Nicolas - PowerPoint PPT Presentation

Aug 02, 2023 •447 likes •813 views

Developing Correctly Replicated Databases Using Formal Tools Nicolas Schiper, Vincent Rahli , Robbert Van Renesse, Mark Bickford, and Robert L. Constable May 30, 2017 Vincent Rahli May 30, 2017 1/35 PRL & System Groups PRL group Mark

  1. Developing Correctly Replicated Databases Using Formal Tools Nicolas Schiper, Vincent Rahli , Robbert Van Renesse, Mark Bickford, and Robert L. Constable May 30, 2017 Vincent Rahli May 30, 2017 1/35

  2. PRL & System Groups PRL group Mark Bickford Robert L. Constable Richard Eaton Vincent Rahli System group Robbert van Renesse Nicolas Schiper Vincent Rahli May 30, 2017 2/35

  3. Goals What we strive for: A platform to develop provably correct programs. Our current interest: Specify, verify, and generate distributed systems using formal tools. (As part of the CRASH project funded by DARPA.) { Today applications are distributed over many machines. { Even critical applications used by governments, banks, armies, etc. Vincent Rahli May 30, 2017 3/35

  4. Goals Correctness? How can we make sure that these applications are correct? Distributed programs are hard to specify, implement, and reason about . { We need to tolerate failures. { It is hard to test all possible scenarios. { State space explosion using model checking. { Model checking often done on abstractions of the code rather than on the code itself. We use a proof assistant (Nuprl) that implements a constructive type theory. Vincent Rahli May 30, 2017 4/35

  5. Achievements { A logic of events implemented in Nuprl. { Specified, verified, and generated consensus protocols (e.g., Paxos). { Aneris : a total ordered broadcast service [RSR + 12]. { ShadowDB : a replicated database with 2 parametrizable replication protocols (PBR & SMR) built on top of Aneris [SRR + 12]. { Improved performance without introducing bugs [RBA13]. { We get decent performance . Vincent Rahli May 30, 2017 5/35

  6. Table of contents ShadowDB Aneris: a provably correct ordered broadcast service Evaluation Conclusion Vincent Rahli May 30, 2017 6/35

  7. The Big Picture Vincent Rahli May 30, 2017 7/35

  8. Primary-Backup Replication Vincent Rahli May 30, 2017 8/35

  9. Primary-Backup Replication Vincent Rahli May 30, 2017 9/35

  10. Primary-Backup Replication Vincent Rahli May 30, 2017 10/35

  11. State Machine Replication Vincent Rahli May 30, 2017 11/35

  12. Aneris A synthesized and verified ordered broadcast service. ensures among other things (properties of atomic broadcast): ◮ agreement : for any slot s , if decisions ( r 1 , s ) and ( r 2 , s ) get delivered then r 1 = r 2. ◮ validity : if decision ( r , s ) is delivered then r was requested. Vincent Rahli May 30, 2017 12/35

  13. Methodology Vincent Rahli May 30, 2017 13/35

  14. Methodology Vincent Rahli May 30, 2017 14/35

  15. Methodology Vincent Rahli May 30, 2017 15/35

  16. Methodology Vincent Rahli May 30, 2017 16/35

  17. Methodology Vincent Rahli May 30, 2017 17/35

  18. Methodology Vincent Rahli May 30, 2017 18/35

  19. Methodology Vincent Rahli May 30, 2017 19/35

  20. EML, LoE, and GPM In LoE [BC08, Bic09, BCR12], we specify distributed programs by combining event handlers (similar to Orc) which are all implementable by simple processes [BCG10]: { base: { parallel composition: A || B λ e . A ( e ) ∪ B ( e ) Vincent Rahli May 30, 2017 20/35

  21. EML, LoE, and GPM { application: { buffer: { delegation: Vincent Rahli May 30, 2017 21/35

  22. EventML 2/3-Consensus: . . c l a s s TT Replica = NewVoters > > = Voter ; ; main TT Replica @ l o c s Paxos Synod: . . . c l a s s Leader = SpawnFirstSc out | | (( LeaderPropose | | LeaderAdopted ) > > = Commander ) | | ( LeaderPreempted > > = Scout ) ; ; main Leader @ l d r s | | Acceptor @ ac c pts Aneris replicas: . . . c l a s s R e p l i c a S t a t e = State ( \ . ( i n i t s t a t e , {} ) , o u t t r p r o p o s e i n l , swap’base , o u t t r p r o p o s e i n r , b c a s t ’ b a s e , o u t t r o n d e c i s i o n , d e c i s i o n ’ b a s e ) ; ; c l a s s R e p l i c a = ( \ . snd ) o R e p l i c a S t a t e ; ; main R e p l i c a @ r e p s Vincent Rahli May 30, 2017 22/35

  23. Code Synthesis Optimized version of the Aneris process: aneris_main-program-opt(Cid;Op;clients;eq_Cid;pax_procs;reps;tt_procs) == λ i.case bag-deq-member( λ a,b.if a=2 b then inl · else (inr · );i;reps) of inl() => fix(( λ mk-hdf,s. (inl ( λ v.let x,y = v in case name_eq(x;[swap]) ∧ b ... of inl(x1) => let v1 ← ... aneris_propose_inl(Cid;Op;...;...;...;...;...) ... in let x,y = v1 in let v2 ← y @ [] in <mk-hdf <x, y>, v2> | inr(y1) => case name_eq(x;[bcast]) ∧ b ... of inl(x1) => let v1 ← ... aneris_propose_inr(Cid;Op;...;...;...;...;...) ... in let x,y = v1 in let v2 ← y @ [] in <mk-hdf <x, y>, v2> | inr(y1) => case name_eq(x;[decision]) ∧ b ... of inl(x1) => let v1 ← ... aneris_on_decision(Cid;Op;...;...;...;...;...;...;...) ... in let x,y = v1 in let v2 ← y @ [] in <mk-hdf <x, y>, v2> | inr(y1) => let v1 ← s in let x,y = v1 in let v2 ← y @ [] in <mk-hdf <x, y>, v2>) ))) <aneris_init_state(Cid;Op), []> | inr() => inr · Vincent Rahli May 30, 2017 23/35

  24. Verification We use causal induction and inductive logical forms (ILFs). Vincent Rahli May 30, 2017 24/35

  25. Verification E.g., logical explanation of why decisions are made by Paxos: ∀ [Cmd:{T:Type| valueall-type(T)} ]. ∀ [accpts,ldrs:bag(Id)]. ∀ [ldrs_uid:Id → Z ]. ∀ [reps:bag(Id)]. ∀ [es:EO’]. ∀ [e:E]. ∀ [i:Id]. ∀ [p:Proposal]. (decision’send(Cmd) i p ∈ pax_mb_main(Cmd;accpts;ldrs;ldrs_uid;reps)(e) decision of p sent to i at e ⇐ ⇒ loc(e) ∈ ldrs e happens at a leader location ∧ (header(e) = ‘‘pax_mb p2b‘‘) the decision is triggered by a p2b message ∧ (msgtype(e) = P2b) ∧ i ∈ reps the recipient of the decision message is a replica ∧ ( ∃ e’:{e’:E| e’ ≤ loc e } ∃ z:PValue proposal p is extracted from a pvalue z ((((header(e’) = [propose]) either pvalue z is made from a proposal and current ballot ∧ (msgtype(e’) = Proposal) ∧ (( ↑ (proposal_slot (proposal_cmd LeaderStateFun(e’)))) ∧ ( ¬↑ (in_domain (proposal_slot msgval(e’)) (proposal_cmd (proposal_cmd LeaderStateFun(e’)))))) ∧ (z = (mk_pvalue (proposal_slot LeaderStateFun(e’)) msgval(e’)))) ∨ ((header(e’) = ‘‘pax_mb adopted‘‘) or either pvalue z received in an adopted message or in leader state ∧ (msgtype(e’) = pax_mb_AState(Cmd)) ∧ ((astate_ballot msgval(e’)) = (proposal_slot LeaderStateFun(e’))) ∧ z ∈ map( λ sp.(mk_pvalue (astate_ballot msgval(e’)) sp); update_proposals (proposal_cmd (proposal_cmd LeaderStateFun(e’))) (pmax(ldrs_uid) (astate_pvals msgval(e’)))))) ∧ (no commander_output(accpts;reps) z@Loc this decision is the first output of the commander o (Loc,p2b’base(), CommanderState(accpts) (pval_ballot z) (proposal_slot (pval_proposal z))) between e’ and e) ∧ ((pval_ballot z) = (bl_ballot (p2b_bl msgval(e)))) ∧ ((proposal_slot (pval_proposal z)) = (p2b_slot msgval(e))) ∧ ((pval_ballot z) = (p2b_ballot msgval(e))) the acceptor that sent the p2b message has accepted pvalue z ∧ (#(CommanderStateFun(pval_ballot z;proposal_slot (pval_proposal z);es.e’;e)) < threshold(accpts)) the commander has received a p2b messages from a majority of acceptors ∧ (p = (pval_proposal z))))) Vincent Rahli May 30, 2017 25/35

  26. Verification EventML LoE GPM opt. GPM correctness correctness spec. spec. prog. prog. properties proofs CLK 79N (1H) 590N 452N 249N 73N (1H) 1A/3M (2H) 2/3 Consensus 646N (4H) 1398N 1343N 1752N 122N (1H) 8A/6M (3D) Paxos-Synod 1729N (2D) 2673N 2625N 3165N 97N (1H) 24A/75M (3W) Aneris 820N (2D) 1434N 1352N 1245N 418N (1H) 0A/22M (1W) That was possible thanks: ◮ to Nuprl’s large library of definitions and facts, ◮ to the powerful logic of events theory developed in Nuprl by Mark Bickford and Robert Constable over the past few years (especially to the delegation combinator), and ◮ to the collaboration between the PRL and system groups at Cornell. Vincent Rahli May 30, 2017 26/35

  27. Table of Contents ShadowDB Aneris: a provably correct ordered broadcast service Evaluation Conclusion Vincent Rahli May 30, 2017 27/35

  28. Evaluation Setup: ◮ Quad-core 3.6 Ghz Xeons with 4GB running RH 5.8 ◮ Gigabit switch ◮ Various embedded and in-memory DBs We evaluate: ◮ Aneris (the broadcast service) ◮ ShadowDB ◮ Micro-benchmark (1 table, single-row update) ◮ TPC-C (9 tables, 5 transaction types, 92% updates) Vincent Rahli May 30, 2017 28/35

  29. Evaluation - Aneris Interpreted –+– Inter.-Opt. – – Compiled – × – 1000 Latency (ms) 100 10 1 1 10 100 1000 10000 Delivered messages per second Vincent Rahli May 30, 2017 29/35

  30. Evaluation - ShadowDB - Micro-benchmark ShadowDB-PBR –+– ShadowDB-SMR – – H2-repl. – – MySQL-repl. – – H2-stdalone – • – 100 Latency (ms) 10 1 0.1 0 2K 4K 6K 8K Committed transactions per second Vincent Rahli May 30, 2017 30/35

  31. Evaluation - ShadowDB - TPC-C ShadowDB-PBR –+– ShadowDB-SMR – – MySQL-repl. – – H2-stdalone – • – 100 Latency (ms) 10 1 0 200 400 600 800 1000 Committed TPC-C transactions per second Vincent Rahli May 30, 2017 31/35

  32. Table of Contents ShadowDB Aneris: a provably correct ordered broadcast service Evaluation Conclusion Vincent Rahli May 30, 2017 32/35

  33. Even More Trustworthy Distributed Systems Vincent Rahli May 30, 2017 33/35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fine-grained Transaction Scheduling in Replicated Databases via Symbolic Execution Pedro

Fine-grained Transaction Scheduling in Replicated Databases via Symbolic Execution Pedro

Fine-grained Transaction Scheduling in Replicated Databases via Symbolic Execution Pedro Raminhas pedro.raminhas@tecnico.ulisboa.pt Stage: 2 nd Year PhD Student Research Area: Dependable and fault-tolerant systems and networks Advisors: Miguel

662 views • 13 slides
First Study of f the Proactive Transmission of Replicated Frames Mechanism over TSN Ins

First Study of f the Proactive Transmission of Replicated Frames Mechanism over TSN Ins

First Study of f the Proactive Transmission of Replicated Frames Mechanism over TSN Ins lvarez, Drago avka , Julin Proenza, Manuel Barranco 2 Introduction Time-Sensitive Networking (TSN) Task Group. Developing a set of standards

906 views • 33 slides
Developing and Using Special Developing and Using Special Developing and Using Special Purpose

Developing and Using Special Developing and Using Special Developing and Using Special Purpose

Developing and Using Special Developing and Using Special Developing and Using Special Purpose Hidden Markov Model Purpose Hidden Markov Model Purpose Hidden Markov Model Databases Databases Databases Martin Gollery Associate Director of

831 views • 81 slides
CS319 : Theory of Databases When developing database applications we usually have to consider

CS319 : Theory of Databases When developing database applications we usually have to consider

CS319: Theory of Databases Data Models CS319 : Theory of Databases When developing database applications we usually have to consider OODBMS, ORDBMS two different data models : Relational Data Model : Used in RDBMS. presented by

516 views • 7 slides
Geo-Replicated Transactions in 1.5RTT Robert Escriva Strangeloop September 30, 2017 @rescrv

Geo-Replicated Transactions in 1.5RTT Robert Escriva Strangeloop September 30, 2017 @rescrv

Geo-Replicated Transactions in 1.5RTT Robert Escriva Strangeloop September 30, 2017 @rescrv Geo-Replicated Transactions in 1.5RTT 1 / 39 Geo-Replication: A 539-Mile-High View Geo-replicated distributed systems have servers in

1.18k views • 63 slides
SY306 Web and Databases for Cyber Operations Set #16: Sessions

SY306 Web and Databases for Cyber Operations Set #16: Sessions

SY306 Web and Databases for Cyber Operations Set #16: Sessions http://cgi.tutorial.codepoint.net/session Logging In Correctly Unique session IDs identify your client No other client who has connected to the website should have the same

492 views • 4 slides
26% 33% % who cannot correctly name even one branch of government % who cannot name one right

26% 33% % who cannot correctly name even one branch of government % who cannot name one right

% of adults who can correctly name all 3 branches of government 26% 33% % who cannot correctly name even one branch of government % who cannot name one right guaranteed under First Amendment 37% Sons of Liberty Continental Army Mayor

833 views • 45 slides
Counting Problems over Incomplete Databases Mikal Monet Formal Methods team seminar at LaBRI

Counting Problems over Incomplete Databases Mikal Monet Formal Methods team seminar at LaBRI

Counting Problems over Incomplete Databases Mikal Monet Formal Methods team seminar at LaBRI Setpember 29th, 2020 About me [20122015] Engineering school in Nancy [20152018] PhD in Paris ( Tlcom ParisTech ) with Pierre Senellart and

1.31k views • 109 slides
Evolution Of Token Sales gbx.gi gsx.gi by Nic ick Cowan CEO History of Databases 2 Present

Evolution Of Token Sales gbx.gi gsx.gi by Nic ick Cowan CEO History of Databases 2 Present

Evolution Of Token Sales gbx.gi gsx.gi by Nic ick Cowan CEO History of Databases 2 Present Distributed and decentralized 2000s database Cloud Database Incentives to 1990s work correctly Centrally controlled

402 views • 13 slides
Thesis Defense: Developing Real-Time Collaborative Editing Using Formal Methods Lars Tveito

Thesis Defense: Developing Real-Time Collaborative Editing Using Formal Methods Lars Tveito

Thesis Defense: Developing Real-Time Collaborative Editing Using Formal Methods Lars Tveito September 9th, 2016 Department of Informatics, University of Oslo Outline Introduction Formal Semantics of Editing Operations Related Work

1.21k views • 101 slides
DEVELOPING YOUR MAJOR DONOR PIPELINE: HOW TO ESTABLISH A FORMAL QUALIFICATION PROGRAM AFP MD

DEVELOPING YOUR MAJOR DONOR PIPELINE: HOW TO ESTABLISH A FORMAL QUALIFICATION PROGRAM AFP MD

DEVELOPING YOUR MAJOR DONOR PIPELINE: HOW TO ESTABLISH A FORMAL QUALIFICATION PROGRAM AFP MD FUNDRAISING DAY June 10, 2019 Chr Chris istin ina Yoo oon, n, PhD Rita Walters Vice President Chief Development Officer Campbell &amp;

315 views • 29 slides
Geo-Replicated Transaction Commit in 3 Message Delays Robert Escriva VMWare June 9, 2017

Geo-Replicated Transaction Commit in 3 Message Delays Robert Escriva VMWare June 9, 2017

Geo-Replicated Transaction Commit in 3 Message Delays Robert Escriva VMWare June 9, 2017 Geo-Replicated Transaction ,Commit in 3 Message Delays 1 / 45 Geo-Replication: A 539-Mile-High View Geo-replicated distributed systems have

606 views • 60 slides
Creating Databases and Tables Introduction to Databases in Python Creating Databases

Creating Databases and Tables Introduction to Databases in Python Creating Databases

INTRODUCTION TO DATABASES IN PYTHON Creating Databases and Tables Introduction to Databases in Python Creating Databases Varies by the database type Databases like PostgreSQL and MySQL have command line tools to initialize

878 views • 31 slides
Databases and PHP Accessing databases from PHP PHP &amp; Databases l PHP can connect to

Databases and PHP Accessing databases from PHP PHP &amp; Databases l PHP can connect to

Databases and PHP Accessing databases from PHP PHP &amp; Databases l PHP can connect to virtually any database l There are specific functions built-into PHP to connect with some DB l There is also generic ODBC functions that will work with many

868 views • 28 slides
Replicated Client-Server Execution to Overcome Unpredictability in Mobile Environment Bing You

Replicated Client-Server Execution to Overcome Unpredictability in Mobile Environment Bing You

Replicated Client-Server Execution to Overcome Unpredictability in Mobile Environment Bing You and Hao Chu Intelligent Space Lab National Taiwan University Outline Problem Related Work Replicated Client-Server Model

546 views • 17 slides
3. Text and document databases Normal databases: formatted records; document databases:

3. Text and document databases Normal databases: formatted records; document databases:

3. Text and document databases Normal databases: formatted records; document databases: free-form or semi-structured data (e.g. XML). Application areas: - Office automation, document archives - Digital libraries - Electronic dictionaries

741 views • 38 slides
Draft EE 8235: Lecture 23 1 Lecture 23: Optimal control of distributed systems Linear

Draft EE 8235: Lecture 23 1 Lecture 23: Optimal control of distributed systems Linear

Draft EE 8235: Lecture 23 1 Lecture 23: Optimal control of distributed systems Linear Quadratic Regulator (LQR) Linear: plant Quadratic: performance index Infinite horizon problem Algebraic Riccati Equation (ARE) Spatially

324 views • 11 slides
On Galois Cohomology, Norm Functions and Cycles Markus Rost Bielefeld, September 2006 Galois

On Galois Cohomology, Norm Functions and Cycles Markus Rost Bielefeld, September 2006 Galois

On Galois Cohomology, Norm Functions and Cycles Markus Rost Bielefeld, September 2006 Galois Cohomology p a prime F a field, char F = p F a separable closure of F G F = Gal( F/F ) the absolute Galois group H n ( F, Z /p ) = H n ( G F

404 views • 14 slides
Formal Specification, Verification, and Implementation of Fault-Tolerant Systems using EventML

Formal Specification, Verification, and Implementation of Fault-Tolerant Systems using EventML

Formal Specification, Verification, and Implementation of Fault-Tolerant Systems using EventML Vincent Rahli, David Guaspari, Mark Bickford and Robert L. Constable http://www.nuprl.org October 7, 2015 Vincent Rahli EventML October 7, 2015

540 views • 24 slides
Continuous Inverse Ranking Queries in Uncertain Streams Thomas Bernecker*, Hans-Peter Kriegel*,

Continuous Inverse Ranking Queries in Uncertain Streams Thomas Bernecker*, Hans-Peter Kriegel*,

LUDWIG- MAXIMILIANS- DEPARTMENT DATABASE UNIVERSITT INSTITUTE FOR SYSTEMS MNCHEN INFORMATICS GROUP Continuous Inverse Ranking Queries in Uncertain Streams Thomas Bernecker*, Hans-Peter Kriegel*, Nikos Mamoulis**, Matthias Renz* and

345 views • 23 slides
Vanity project or serious research? Derek M. Jones &lt;derek@knosof.co.uk&gt; Researchers

Vanity project or serious research? Derek M. Jones &lt;derek@knosof.co.uk&gt; Researchers

Vanity project or serious research? Derek M. Jones &lt;derek@knosof.co.uk&gt; Researchers view of their work Figure 1. My amazing ideas Industry view of academic researchers Figure 2. Who let him in? Is this guy serious? Believable

708 views • 14 slides
Thoth A recommendation engine for Python applications Fridolin Pokorny

Thoth A recommendation engine for Python applications Fridolin Pokorny

Thoth A recommendation engine for Python applications Fridolin Pokorny &lt;fridolin@redhat.com&gt; 2020-02-01 FOSDEM 2020 $ whoami https://fridex.github.io Fridoln fridex Pokorn Senior Software Engineer at Red Hat

853 views • 31 slides
Oil Storage (Surface) Paul Dubois Assistant Director, Technical Permitting July 7, 2020 1

Oil Storage (Surface) Paul Dubois Assistant Director, Technical Permitting July 7, 2020 1

Oil Storage (Surface) Paul Dubois Assistant Director, Technical Permitting July 7, 2020 1 Railroad Commission of Texas | June 27, 2016 (Change Date In First Master Slide) Topics for Discussion Applicable Rules for Crude Oil Storage All

745 views • 35 slides
The iLab Experience a blended learning hands-on course concept you set the focus Your Exercise

The iLab Experience a blended learning hands-on course concept you set the focus Your Exercise

The iLab Experience a blended learning hands-on course concept you set the focus Your Exercise Topic Madness the topic voting round May 23, 2017 25.4. Kick Off, Mini Labs, IPv6 - part I 1 2-3 mini labs IPv6 2.5. IPv6 - part II,

940 views • 48 slides

More recommend