SLIDE 1
James R. Wilcox Zach Tatlock Ilya Sergey
Programming Language Abstractions for Modularly Verified Distributed Systems
Distributed Systems
` James R. Wilcox Zach Tatlock Ilya Sergey Distributed Systems - - PowerPoint PPT Presentation
` James R. Wilcox Zach Tatlock Ilya Sergey Distributed Systems - - PowerPoint PPT Presentation
Programming Language Abstractions for Modularly Verified Distributed Systems { P } c { Q } ` James R. Wilcox Zach Tatlock Ilya Sergey Distributed Systems Distributed Infrastructure Distributed Applications Verified Distributed Systems
SLIDE 2
SLIDE 3
Distributed Infrastructure
SLIDE 4
Distributed Applications
SLIDE 5
Verified Distributed Systems
SLIDE 6
Verified Distributed Systems
SLIDE 7
Verified Distributed Infrastructure
SLIDE 8
Verified Distributed Infrastructure
- Cert
Veri- Iron Wow
SLIDE 9
Verified Distributed Applications
SLIDE 10
Verified Distributed Applications
- Cert
Veri- Iron Wow
SLIDE 11
Verified Distributed Applications
- Cert
Veri- Iron Wow
Challenging to verify apps in terms of infra. verify clients by starting over! Indicates deeper problems with composition
- ne node’s client is another’s server!
SLIDE 12
Verified Distributed Applications
- Cert
Veri- Iron Wow
Challenging to verify apps in terms of infra. verify clients by starting over! Indicates deeper problems with composition
- ne node’s client is another’s server!
(Make it possible to) verify clients verify clients without starting over! Will also enable more general composition
SLIDE 13
Composition: A way to make proofs harder
SLIDE 14
Composition: A way to make proofs harder
When distracting language issues are removed and the underlying mathematics is revealed, compositional reasoning is seen to be of little use.
SLIDE 15
Approach
`{P} c {Q}
Distributed Hoare Type Theory
SLIDE 16
Distributed Interactions
Servers and Clients Optimizations Combining Services Horizons
gcc -O3
SLIDE 17
Cloud Compute
S C
21
SLIDE 18
Cloud Compute
SLIDE 19
Cloud Compute
SLIDE 20
Cloud Compute
while True: (from, n) <- recv send (n, factors(n)) to from
: Server
SLIDE 21
Cloud Compute
while True: (from, n) <- recv send (n, factors(n)) to from
: Server
Traditional specification: messages from server have correct factors Proved by finding an invariant of the system
SLIDE 22
Cloud Compute: Server
SLIDE 23
Cloud Compute: Client
SLIDE 24
Cloud Compute: Client
send 21 to server (_, ans) <- recv assert ans == {3, 7}
SLIDE 25
Cloud Compute: Client
send 21 to server (_, ans) <- recv assert ans == {3, 7}
Expand system to include clients Need to reason about client-server interaction introduce protocol
SLIDE 26
Protocols
SLIDE 27
Protocols
SLIDE 28
Protocols
Protocols make it possible to verify clients!
SLIDE 29
Protocols
SLIDE 30
Protocols
State: abstract state of each node
SLIDE 31
Protocols
State: Transitions: abstract state of each node allowed sends and receives
SLIDE 32
Cloud Compute Protocol
State: Transitions:
SLIDE 33
Cloud Compute Protocol
State: Transitions:
permissions: Set<Msg>
SLIDE 34
Cloud Compute Protocol
Send Req Recv Req Send Resp Recv Resp
State: Transitions:
permissions: Set<Msg>
SLIDE 35
Cloud Compute: Protocol
Send Req Recv Req Send Resp Recv Resp
State: Transitions:
perm: Set<Msg>
Effect: add (from, n) to perm
Recv Request n
SLIDE 36
Cloud Compute: Protocol
Send Req Recv Req Send Resp Recv Resp
State: Transitions:
perm: Set<Msg>
Effect: removes (n,to) from perm
Send Response (n,l)
Requires: l == factors(n) (n,to) in perm
SLIDE 37
Cloud Compute: Protocol
Send Req Recv Req Send Resp Recv Resp
State: Transitions:
perm: Set<Msg>
Recv Response l
Ensures: l == factors(n) (n,to) in perm
SLIDE 38
Cloud Compute: Protocol
Send Req Recv Req Send Resp Recv Resp
State: Transitions:
permissions: Set<Msg>
SLIDE 39
Cloud Compute: Protocol
Send Req Recv Req Send Resp Recv Resp
State: Transitions:
permissions: Set<Msg>
Protocols make it possible to verify clients!
SLIDE 40
From Protocols to Types
`{P} c {Q}
SLIDE 41
From Protocols to Types
`{P}
{
}
t
sent ( )
m h
,
send m to h
SLIDE 42
From Protocols to Types
`
send m to h
t
{P}
{
}
t
sent ( )
m h
,
SLIDE 43
From Protocols to Types
`
send m to h
t t ∈
{P}
{
}
t
sent ( )
m h
,
SLIDE 44
From Protocols to Types
`
send m to h
t t ∈
{P}
{
}
t
sent ( )
m h
,
P ⇒ Pre t
SLIDE 45
From Protocols to Types
`
send m to h
t t ∈
{P}
{
}
t
sent ( )
m h
,
P ⇒ Pre t
SLIDE 46
Cloud Compute: Client
send 21 to server (_, ans) <- recv assert ans == {3, 7}
SLIDE 47
Cloud Compute: Client
send 21 to server (_, ans) <- recv assert ans == {3, 7}
recv ensures correct factors
SLIDE 48
Cloud Compute: More Clients
send 21 to server1 send 35 to server2 (_, ans1) <- recv (_, ans2) <- recv assert ans1 ans2 == {3, 5, 7}
∪
SLIDE 49
Cloud Compute: More Clients
send 21 to server1 send 35 to server2 (_, ans1) <- recv (_, ans2) <- recv assert ans1 ans2 == {3, 5, 7}
∪
Same protocol enables verification
SLIDE 50
Cloud Compute: More Clients
send 21 to server1 send 35 to server2 (_, ans1) <- recv (_, ans2) <- recv assert ans1 ans2 == {3, 5, 7}
∪
Same protocol enables verification
SLIDE 51
Cloud Compute
while True: (from, n) <- recv send (n, factors(n)) to from
: Server
SLIDE 52
Cloud Compute
while True: (from, n) <- recv send (n, factors(n)) to from
: Server
Precondition on send requires correct factors
SLIDE 53
Cloud Compute
cache = {} while True: (from, n) <- recv ans = if n cache then cache[n] else factors(n) cache[n] = ans send (n, ans) to from
: More Servers
∈
SLIDE 54
Cloud Compute
cache = {} while True: (from, n) <- recv ans = if n cache then cache[n] else factors(n) cache[n] = ans send (n, ans) to from
: More Servers
∈
Still follows protocol!
SLIDE 55
Cloud Compute
while True: (from, n) <- recv send n to backend (_, ans) <- recv send (n, ans) to from
: More Servers
SLIDE 56
Cloud Compute
while True: (from, n) <- recv send n to backend (_, ans) <- recv send (n, ans) to from
: More Servers
Still follows protocol!
SLIDE 57
Cloud Compute
while True: (from, n) <- recv send n to backend (_, ans) <- recv send (n, ans) to from
: More Servers
Still follows protocol! One node’s client is another’s server! Any combination of transitions follows protocol Well-typed programs don’t go wrong!
SLIDE 58
Horizons
Adding other effects Sophisticated protocol composition
e.g. computation uses separate database e.g. mutable heap, threads, failure…
Fault tolerance
what do Verdi’s VSTs look like here?
SLIDE 59
Verified Distributed Applications
SLIDE 60
Verified Distributed Applications
- Cert
Veri- Iron Wow
SLIDE 61
Verified Distributed Applications
- Cert
Veri- Iron Wow
Challenging to verify apps in terms of infra. verify clients by starting over! Indicates deeper problems with composition
- ne node’s client is another’s server!
SLIDE 62
Verified Distributed Applications
- Cert
Veri- Iron Wow
Challenging to verify apps in terms of infra. verify clients by starting over! Indicates deeper problems with composition
- ne node’s client is another’s server!
Protocols make it possible to verify clients reason about client-server interaction Also enable more general composition
Any combination of transitions follows protocol Well-typed programs don’t go wrong!
SLIDE 63
Verified Distributed Applications
- Cert
Veri- Iron Wow
Protocols make it possible to verify clients reason about client-server interaction Also enable more general composition
Any combination of transitions follows protocol Well-typed programs don’t go wrong!
SLIDE 64
Verified Distributed Applications
- Cert
Veri- Iron Wow
Composition is hard but important for infrastructure Achieve with types syntactic theory of composition
Protocols make it possible to verify clients reason about client-server interaction Also enable more general composition
Any combination of transitions follows protocol Well-typed programs don’t go wrong!