` http://distributedcomponents.net Ilya Sergey James R. Wilcox - - PowerPoint PPT Presentation

http distributedcomponents net ilya sergey james r wilcox
SMART_READER_LITE
LIVE PREVIEW

` http://distributedcomponents.net Ilya Sergey James R. Wilcox - - PowerPoint PPT Presentation

Apr 10, 2023 35 likes •438 views

Programming and Proving with Distributed Protocols Disel: Distributed Separation Logic { P } c { Q } ` http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock Distributed Systems Distributed Infrastructure Distributed

slide-1
SLIDE 1

Programming and Proving with Distributed Protocols

{P} c {Q}

`

James R. Wilcox Zach Tatlock Ilya Sergey

http://distributedcomponents.net

Disel: Distributed Separation Logic

slide-2
SLIDE 2

Distributed Systems

slide-3
SLIDE 3

Distributed Infrastructure

slide-4
SLIDE 4

Distributed Applications

slide-5
SLIDE 5

Verified Distributed Systems

slide-6
SLIDE 6

Verified Distributed Infrastructure

  • Cert

Veri- Iron Wow

slide-7
SLIDE 7

Verified Distributed Applications

  • Cert

Veri- Iron Wow

slide-8
SLIDE 8

Verified Distributed Applications

  • Cert

Veri- Iron Wow

Challenging to verify apps in terms of infra. starting from scratch is unacceptable Indicates deeper problems with composition

  • ne node’s client is another’s server!
slide-9
SLIDE 9

Verified Distributed Applications

  • Cert

Veri- Iron Wow

Client reasoning Invariants Separation Challenges Protocols rule rule/Hooks Solutions

WithInv Frame

`{P} c {Q}

Disel:

slide-10
SLIDE 10

Outline

Protocols and running example Logical mechanisms programming with protocols invariants framing and hooks

`{P} c {Q}

Implementation and future work

slide-11
SLIDE 11

Cloud Compute

S C

21

slide-12
SLIDE 12

Cloud Compute

slide-13
SLIDE 13

Cloud Compute

while true: (from, n) <- recv Req send Resp(n, factors(n)) to from

: Server

Traditional specification: messages from server have correct factors Proved by finding an invariant of the system

slide-14
SLIDE 14

Cloud Compute: Server

slide-15
SLIDE 15

Cloud Compute: Client

slide-16
SLIDE 16

Cloud Compute: Client

send Req(21) to server (_, ans) <- recv Resp assert ans == {3, 7}

Start over with clients in system? In Disel: use protocol to describe client interface

slide-17
SLIDE 17

Protocols

slide-18
SLIDE 18

Protocols

A protocol is an interface among nodes Enables compositional verification

slide-19
SLIDE 19

Cloud Compute Protocol

State: Transitions: Messages: Sends: precondition and effect Receives: effect

slide-20
SLIDE 20

Cloud Compute Protocol

Req

State: Transitions:

  • utstanding: Set<Msg>

Messages: Req(n) | Resp(n,s) Sends: Receives:

Resp Req Resp

slide-21
SLIDE 21

Cloud Compute

S C

Req(21)

Effect: none

Send Req(n)

Precondition: none

slide-22
SLIDE 22

Cloud Compute

S C

Req(21)

Effect:

Receive Req(n)

add (from, n) to out

{ }

(C,21)

slide-23
SLIDE 23

Cloud Compute

S C

Resp({3,7})

Effect: removes (n,to) from out

Send Resp(n,l)

Requires: l == factors(n) (n,to) in out

{ }

slide-24
SLIDE 24

Cloud Compute

S C

Resp({3,7})

Recv Resp(n,l)

Effect: none

{ }

slide-25
SLIDE 25

Cloud Compute Protocol

Req

State: Transitions:

  • utstanding: Set<Msg>

Messages: Req(n) | Resp(n,s) Sends: Receives:

Resp Req Resp

slide-26
SLIDE 26

Outline

Protocols and running example Logical mechanisms programming with protocols invariants framing and hooks

`{P} c {Q}

Implementation and future work

slide-27
SLIDE 27

Cloud Compute

while true: (from, n) <- recv Req send Resp(n, factors(n)) to from

: Server

Precondition on send requires correct factors

slide-28
SLIDE 28

Cloud Compute: Server

Precondition on send requires correct factors

`

send m to h

t t ∈

{

}

t

sent ( )

m h

,

send m to h

{Pre }

t

while true: (from, n) <- recv Req send Resp(n, factors(n)) to from

slide-29
SLIDE 29

Cloud Compute: Client

send Req(21) to server (_, ans) <- recv Resp assert ans == {3, 7}

recv doesn’t ensure correct factors

slide-30
SLIDE 30

Cloud Compute: Client

t ∈

`

recv

t

{>}

m {recvd( )} m

send Req(21) to server (_, ans) <- recv Resp assert ans == {3, 7}

recv doesn’t ensure correct factors

slide-31
SLIDE 31

Protocol Invariants

`{P} c {Q}

`{P ∧ I} c {Q ∧ I}

I inductive

Protocol where every state satisfies I

slide-32
SLIDE 32

Cloud Compute: Client

t ∈

Now recv ensures correct factors

`

recv

t

{>}

m {recvd( )} m

send Req(21) to server (_, ans) <- recv Resp assert ans == {3, 7}

slide-33
SLIDE 33

Cloud Compute: More Clients

send Req(21) to server1 send Req(35) to server2 (_, ans1) <- recv Resp (_, ans2) <- recv Resp assert ans1 ans2 == {3, 5, 7}

Same protocol enables verification

slide-34
SLIDE 34

Frame rule

`{P} c {Q}

R stable

` {P R} c {Q R}

∗ ∗

Reuse invariants from component protocols independent protocols

slide-35
SLIDE 35

`{P} c {Q}

R stable

` {P R} c {Q R}

∗ ∗

Frame rule: Hooks

Allows one protocol to restrict another

slide-36
SLIDE 36

Outline

Protocols and running example Logical mechanisms programming with protocols invariants framing and hooks

`{P} c {Q}

Implementation and future work

slide-37
SLIDE 37

Implementation

Executable via extraction to OCaml Shallowly embedded in Coq

with full power of functional programming via trusted shim to implement semantics

Case study: two-phase commit

exercises all features of the logic

slide-38
SLIDE 38

Related and Future Work

Adding other effects

e.g. mutable heap, threads, failure…

Concurrent separation logics

Iris, FCSL, CAP, …

slide-39
SLIDE 39

Composition: A way to make proofs harder

“In 1997, the unfortunate reality is that engineers rarely specify and reason formally about the systems they build. It seems unlikely that reasoning about the composition of open-system specifications will be a practical concern within the next 15 years.”

slide-40
SLIDE 40

Verified Distributed Applications

  • Cert

Veri- Iron Wow

Client reasoning Invariants Separation Challenges Protocols rule rule/Hooks Solutions

WithInv Frame

`{P} c {Q}

Disel: