Formal Specification, Verification, and Implementation of Fault-Tolerant Systems using EventML - PowerPoint PPT Presentation

SLIDE 1

Formal Specification, Verification, and Implementation of Fault-Tolerant Systems using EventML

Vincent Rahli, David Guaspari, Mark Bickford and Robert L. Constable

http://www.nuprl.org, October 7, 2015

Vincent Rahli EventML October 7, 2015 1/24

SLIDE 2

Distributed Systems are Ubiquitous

SLIDE 3

Correctness

What evidence do we have that these systems are correct?

SLIDE 4

Correctness

What evidence do we have that these systems are correct?
- Type checking
- Testing

SLIDE 5

Correctness

What evidence do we have that these systems are correct?
- Type checking
- Testing
- Model checking

SLIDE 6

Correctness

What evidence do we have that these systems are correct?
- Type checking
- Testing
- Model checking
- Theorem proving

SLIDE 7

New Challenges

Distributed systems are hard to specify, implement and verify:
- We need to tolerate failures.
- It is hard to test all possible scenarios.
- Model checking suffers from state space explosion.
- Model checking is often done on abstractions of the code rather than on the code itself.

SLIDE 8

Contributions

We use Nuprl as a specification, programming and verification language for asynchronous distributed systems.
- Programming interface: a constructive specification language called EventML
- Verification methodology

SLIDE 9

Nuprl?

- Similar to Coq and Agda
- Extensional intuitionistic type theory for partial functions
- Consistency proof in Coq
- Cloud based & virtual machines: http://www.nuprl.org
- JonPRL: http://www.jonprl.org

SLIDE 10

Contributions

- A logic of events (LoE) and a general process model (GPM) implemented in Nuprl.
- Specified, verified, and generated consensus protocols (e.g., 2/3-Consensus & Paxos) using EventML.
- Aneris: a totally ordered broadcast service.
- ShadowDB: a replicated database with 2 parametrizable replication protocols (PBR & SMR) built on top of Aneris.
- Improved performance without introducing bugs.
- We get decent performance.

SLIDE 11

Our Methodology

SLIDE 12

Our Methodology

SLIDE 13

Event Orderings (or Message Sequence Diagrams)

SLIDE 14

Event Orderings

A dependent record

  EO = { Event : Type
         loc   : Event → Loc            (e.g., N)
         info  : Event → Info           (e.g., input message)
         pred  : Event → Event
         <     : Event → Event → P }

plus some axioms, e.g., < is well-founded.

SLIDE 15

Processes and Observers

  Process (GPM):   corec(λP. (A → P × Bag(B)) + Unit)      (Programmable)
  Observer (LoE):  eo:EO → e:Event(eo) → Bag(B)

SLIDE 16

Observers

SLIDE 17

Observers

SLIDE 18

Observers

SLIDE 19

Observers in EventML

  (* ============ Quorum : a state machine ============ *)

  (* -- filter -- *)
  let new_vote (n,r) (((n',r'),cmd),sender) (cmds,locs) =
    (n,r) = (n',r') & !(deq-member (op =) sender locs) ;;

  (* -- update -- *)
  let upd_quorum (n,r) loc ((nr,c),sndr) (cmds,locs) =
    if new_vote (n,r) ((nr,c),sndr) (cmds,locs)
    then (c.cmds, sndr.locs)
    else (cmds,locs) ;;

  (* -- output -- *)
  let roundout loc (((n,r),cmd),sender) (cmds,locs) =
    if length cmds = 2 * F
    then let (k,cmd') = poss-maj cmdeq (cmd.cmds) cmd in
         if k = 2 * F + 1
         then decided'bcast reps (n,cmd')
         else {retry'send loc ((n,r+1),cmd')}
    else {} ;;

  let when_quorum (n,r) loc vt state =
    if new_vote (n,r) vt state then roundout loc vt state else {} ;;

  (* -- state machine -- *)
  observer QuorumState (n,r) =
    Memory (\loc.([],[]), upd_quorum (n,r), vote'base) ;;

  observer Quorum (n,r) =
    (when_quorum (n,r)) o (vote'base, QuorumState (n,r)) ;;

SLIDE 20

Observer Relation

  v ∈ (X eo e) is written v ∈ X(e)

  v ∈ (X || Y)(e)   ⟺  ↓(v ∈ X(e) ∨ v ∈ Y(e))

  v ∈ (X >>= Y)(e)  ⟺  ↓∃e′:{e′:E | e′ ≤loc e}. ∃u:A. u ∈ X(e′) ∧ v ∈ (Y u eo.e′ e)
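The record of slide 14, the process and observer types of slide 15 and the two relations above, as an added executable Python model. This is not code from the slides, from EventML or from Nuprl; it is a model written for this page, and it makes explicit assumptions: the causal order < is taken to be the order in which events are listed (well-founded because the list is finite); pred returns None at the first event of a location; eo.e′ is read as the sub-ordering containing e′ and everything not before it, so an observer spawned by >>= never sees events that precede the event that spawned it; the starter process, the ticker observer and the six sample events are constructed for the demonstration.

```python
"""Added example (not from the slides): event orderings, GPM processes,
LoE observers and the || and >>= combinators, modelled in Python."""
from collections import Counter
from dataclasses import dataclass
from typing import Any, Callable, Optional, Tuple

Bag = Counter  # Bag(B): a multiset of outputs


@dataclass(frozen=True)
class Event:
    eid: int
    loc: str   # loc  : Event -> Loc
    info: Any  # info : Event -> Info (the input message)


class EO:
    """The dependent record of slide 14. Assumption: list order is the causal
    order <, which is well-founded because the list is finite."""

    def __init__(self, events):
        self.events = list(events)
        self.pos = {e.eid: i for i, e in enumerate(self.events)}

    def info(self, e: Event) -> Any:
        return e.info

    def lt(self, e1: Event, e2: Event) -> bool:      # e1 < e2
        return self.pos[e1.eid] < self.pos[e2.eid]

    def le_loc(self, e1: Event, e2: Event) -> bool:  # e1 <=loc e2
        return e1.loc == e2.loc and self.pos[e1.eid] <= self.pos[e2.eid]

    def pred(self, e: Event) -> Optional[Event]:
        """Local predecessor; None at a location's first event (modelling choice)."""
        earlier = [x for x in self.events if self.le_loc(x, e) and x != e]
        return earlier[-1] if earlier else None

    def local_history(self, e: Event):
        """Every e' with e' <=loc e, oldest first."""
        return [x for x in self.events if self.le_loc(x, e)]

    def from_event(self, e: Event) -> "EO":
        """eo.e (assumed meaning): the sub-ordering whose first event is e."""
        return EO(x for x in self.events if not self.lt(x, e))


# Process (GPM): corec(\P. (A -> P x Bag(B)) + Unit). The Unit (halted)
# branch is None; otherwise a step function input -> (next process, outputs).
Process = Optional[Callable[[Any], Tuple["Process", Bag]]]
Observer = Callable[[EO, Event], Bag]  # eo:EO -> e:Event(eo) -> Bag(B)


def as_observer(p0: Process) -> Observer:
    """Programmable observer: replay e's local history through the process and
    return what it emits on e's own input."""
    def obs(eo: EO, e: Event) -> Bag:
        p, out = p0, Bag()
        for ev in eo.local_history(e):
            if p is None:  # halted: nothing more is ever output here
                return Bag()
            p, out = p(eo.info(ev))
        return out
    return obs


def par(x: Observer, y: Observer) -> Observer:
    """X || Y: bag union of both observers' outputs at e."""
    return lambda eo, e: x(eo, e) + y(eo, e)


def bind(x: Observer, y: Callable[[Any], Observer]) -> Observer:
    """X >>= Y: each u in X(e') for some e' <=loc e spawns Y u, run in eo.e'."""
    def obs(eo: EO, e: Event) -> Bag:
        out = Bag()
        for ep in eo.local_history(e):
            for u, k in x(eo, ep).items():
                for v, m in y(u)(eo.from_event(ep), e).items():
                    out[v] += k * m
        return out
    return obs


# --- constructed sample: replicas receive "tick" messages and start requests ---
def starter_process(a) -> Tuple[Process, Bag]:
    """Emits n on input ("start", n), is silent otherwise, never halts."""
    return starter_process, (Bag({a[1]: 1}) if a[0] == "start" else Bag())


def ticker(n: int) -> Observer:
    """Outputs "done" at the event where the n-th tick of its history arrives."""
    def obs(eo: EO, e: Event) -> Bag:
        ticks = sum(1 for ev in eo.local_history(e) if eo.info(ev) == ("tick",))
        return Bag({"done": 1}) if ticks == n else Bag()
    return obs


EVENTS = [Event(0, "r1", ("tick",)), Event(1, "r2", ("tick",)),
          Event(2, "r1", ("start", 2)), Event(3, "r1", ("tick",)),
          Event(4, "r2", ("start", 1)), Event(5, "r1", ("tick",))]
SAMPLE_EO = EO(EVENTS)
starter = as_observer(starter_process)
countdown = bind(starter, ticker)  # "start n" then "done" after n further ticks


def outputs_at(obs: Observer, eid: int) -> Bag:
    return obs(SAMPLE_EO, EVENTS[eid])
```

Running `countdown` over the sample shows why the bind rule evaluates `Y u` in `eo.e′` rather than in `eo`: replica r1 sees a tick before its `("start", 2)` request, and only because the spawned `ticker(2)` starts counting at the start event does "done" appear at event 5 and not already at event 3. Replica r2 starts a countdown of 1 but receives no later tick, so it never outputs "done", which exercises the ≤loc restriction of the same rule.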

SLIDE 21

Automated Verification

We use causal induction + inductive logical forms (ILFs) + state machine invariants + our brain.

SLIDE 22

State Machines

  import no_repeats length

  invariant quorum_inv on (cmds,locs) in (QuorumState ni) ==
    no_repeats::Loc locs /\ length(cmds) = length(locs) ;;

  import fseg

  ordering quorum_fseg on (cmds1,locs1) then (cmds2,locs2) in QuorumState ni ==
    fseg::Cmd cmds1 cmds2 /\ fseg::Loc locs1 locs2 ;;

  progress rounds_strict_inc on round1 then round2 in (NewRoundsState n)
    with ((n',round'),cmd) in RoundInfo
    and round => n' = n /\ round < round' ==
    round1 < round2 ;;

  memory rounds_mem on round1 then round2 in (NewRoundsState n)
    with ((n',round'),cmd) in RoundInfo ==
    (n = n') => round' <= round2 ;;
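The Quorum state machine of slide 19 and the quorum_inv invariant and quorum_fseg ordering above, as one added Python example that is not the EventML source and not code from the authors. It transcribes the filter, update and output functions, drives them the way the Memory combinator does, and then checks both slide 22 properties on every state the machine passes through. Assumptions made for the example: F = 1 with four replicas named r0 to r3; `poss-maj` is read as the Boyer-Moore possible-majority vote returning (count, candidate), which agrees with the slide's decision rule because the count equals 2F+1 exactly when all votes agree; `Memory` hands the output function the state before the update (this is what makes `length cmds = 2 * F` followed by counting `cmd.cmds` consistent); `decided'bcast` and `retry'send` are modelled as output tuples; the two vote traces are constructed, one with a replayed and a wrong-round vote that the filter must drop, one with disagreeing votes.

```python
"""Added example (not the paper's code): slide 19's Quorum machine in Python,
run on constructed vote traces and checked against slide 22's properties."""

F = 1                            # assumed: F faulty replicas, 2F+1 votes decide
REPS = ["r0", "r1", "r2", "r3"]  # assumed replica names (3F+1 replicas)


def new_vote(n, r, vote, state):
    """Filter: only votes for this (n, r), and only one per sender
    (!(deq-member (op =) sender locs))."""
    ((n2, r2), _cmd), sender = vote
    _cmds, locs = state
    return (n, r) == (n2, r2) and sender not in locs


def upd_quorum(n, r, loc, vote, state):
    """Update: cons the command and the sender onto the state (c.cmds, sndr.locs)."""
    ((_nr, c), sndr) = vote
    cmds, locs = state
    return ([c] + cmds, [sndr] + locs) if new_vote(n, r, vote, state) else state


def poss_maj(items, default):
    """poss-maj, read as Boyer-Moore majority vote (assumption): returns
    (count, candidate); count == len(items) iff every item is the same."""
    cand, k = default, 0
    for x in items:
        if k == 0:
            cand, k = x, 1
        elif x == cand:
            k += 1
        else:
            k -= 1
    return k, cand


def roundout(loc, vote, state):
    """Output: on the (2F+1)-th accepted vote decide if unanimous, else retry."""
    ((n, r), cmd), _sender = vote
    cmds, _locs = state
    if len(cmds) == 2 * F:
        k, cmd2 = poss_maj([cmd] + cmds, cmd)
        if k == 2 * F + 1:
            return [("decided", rep, (n, cmd2)) for rep in REPS]  # decided'bcast reps
        return [("retry", loc, ((n, r + 1), cmd2))]               # retry'send loc
    return []


def when_quorum(n, r, loc, vote, state):
    return roundout(loc, vote, state) if new_vote(n, r, vote, state) else []


def run_quorum(n, r, loc, votes):
    """Quorum (n,r) = when_quorum (n,r) o (vote'base, QuorumState (n,r)).
    Memory (assumed) supplies the pre-update state to the output function."""
    state = ([], [])            # Memory(\loc.([],[]), ...)
    outputs, trace = [], [state]
    for vote in votes:
        outputs += when_quorum(n, r, loc, vote, state)
        state = upd_quorum(n, r, loc, vote, state)
        trace.append(state)
    return outputs, trace


# --- the slide 22 properties ---
def quorum_inv(state):
    cmds, locs = state
    return len(set(locs)) == len(locs) and len(cmds) == len(locs)


def fseg(xs, ys):
    """xs is a final segment (suffix) of ys."""
    return len(xs) <= len(ys) and ys[len(ys) - len(xs):] == xs


def quorum_fseg(s1, s2):
    return fseg(s1[0], s2[0]) and fseg(s1[1], s2[1])


def check_trace(trace):
    """quorum_inv at every state, quorum_fseg for every earlier/later pair."""
    return (all(quorum_inv(s) for s in trace) and
            all(quorum_fseg(trace[i], trace[j])
                for i in range(len(trace)) for j in range(i, len(trace))))


# --- constructed traces as received by replica r0 for proposal n=1, round 0 ---
def mk_vote(n, r, cmd, sender):
    return (((n, r), cmd), sender)

VOTES_AGREE = [mk_vote(1, 0, "a", "r1"),
               mk_vote(1, 0, "a", "r1"),   # replayed duplicate: dropped by the filter
               mk_vote(1, 1, "a", "r2"),   # wrong round: dropped by the filter
               mk_vote(1, 0, "a", "r2"),
               mk_vote(1, 0, "a", "r3"),   # third agreeing vote: decide
               mk_vote(1, 0, "a", "r0")]   # late vote: accepted, no output
VOTES_SPLIT = [mk_vote(1, 0, "a", "r1"), mk_vote(1, 0, "b", "r2"), mk_vote(1, 0, "a", "r3")]
```

The duplicate vote in `VOTES_AGREE` is the case that matters for fault tolerance: without the `sender not in locs` test a single replica could supply all 2F+1 votes, and `quorum_inv` (no repeated senders, one command per sender) is exactly the invariant that rules this out; `quorum_fseg` records that states only ever grow by consing, which is what lets the later proof reason about a state at one event from the state at an earlier one.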

SLIDE 23

Inductive Logical Forms

  ∀[Cmd:{T:Type| valueall-type(T)}]. ∀[clients,reps:bag(Id)]. ∀[cmdeq:EqDecider(Cmd)]. ∀[F:Z].
  ∀[f:headers_type{i:l}(Cmd)]. ∀[es:EO]. ∀[e:E]. ∀[i,sender:Id]. ∀[d,n,r:Z]. ∀[v:Cmd].
    <d, i, make-Msg(``vote``;<<<n, r>, c>, sender>)> ∈ main(Cmd;clients;cmdeq;F;reps;f)(e)
    ⟺
      loc(e) ↓∈ reps ∧ i ↓∈ reps ∧ (d = 0)
      ∧ (↓∃n':Z. ∃c':Cmd. ∃e':{e':E| e' ≤loc e}.
           (((header(e') = ``propose``) ∧ <n', c'> = body(e'))
            ∨ (has-es-info-type(es;e';f;Z × Z × Cmd × Id) ∧ (header(e') = ``vote``)
               ∧ (n' = fst(fst(fst(msgval(e'))))) ∧ (c' = snd(fst(msgval(e'))))))
         ∧ ((fst(ReplicaStateFun(Cmd;f;es;e')) < n') ∨ (n' ∈ snd(ReplicaStateFun(Cmd;f;es;e'))))
         ∧ (no Notify(Cmd;clients;f) n' between e' and e)
         ∧ (((<<<n, r>, c>, sender> = <<<n', 0>, c'>, loc(e)>) ∧ (e = e'))
            ∨ (∃r':Z. ∃c'':Cmd.
                 (<<<n, r>, c>, sender> = <<<n', r'>, c''>, loc(e)>)
                 ∧ (∃e1:{e1:E| e1 ≤loc e}.
                      (((header(e1) = ``retry``) ∧ <<n', r'>, c''> = body(e1))
                       ∨ (has-es-info-type(es.e';e1;f;Z × Z × Cmd × Id) ∧ (header(e1) = ``vote``)
                          ∧ (n' = fst(fst(fst(msgval(e1))))) ∧ (r' = snd(fst(fst(msgval(e1)))))
                          ∧ (c'' = snd(fst(msgval(e1))))))
                      ∧ (NewRoundsStateFun(Cmd;f;n';es.e';e1) < r')
                      ∧ (e = e1)))))

SLIDE 24

What next