mechanical verification of a constructive proof for flp
play

Mechanical Verification of a Constructive Proof for FLP according - PowerPoint PPT Presentation

Oct 30, 2023 •463 likes •947 views

Mechanical Verification of a Constructive Proof for FLP according to Hagen V olzer Bisping Brodmann Jungnickel Rickmann St uber Wilhelm-Weidner Seidler Peters Nestmann 24 August 2016 Models and Theory of Distributed Systems

  1. Mechanical Verification of a Constructive Proof for FLP according to Hagen V¨ olzer Bisping Brodmann Jungnickel Rickmann St¨ uber Wilhelm-Weidner Seidler Peters Nestmann 24 August 2016 Models and Theory of Distributed Systems Bisping et al. FLP Constructive Proof 24 August 2016 1 / 15

  2. Introduction Consensus – Motivation Example • distributed database • each at different state • decide whether to apply transaction Bisping et al. FLP Constructive Proof 24 August 2016 2 / 15

  3. Introduction Consensus – Motivation Example • distributed database • each at different state • decide whether to apply transaction • exchange messages • all have to arrive at same decision Bisping et al. FLP Constructive Proof 24 August 2016 2 / 15

  4. Introduction Consensus – Motivation Example • distributed database • each at different state • decide whether to apply transaction • exchange messages • all have to arrive at same decision Problem processes may crash Bisping et al. FLP Constructive Proof 24 August 2016 2 / 15

  5. Introduction The FLP Theorem Theorem (Fischer, Lynch, Paterson, 1985) impossible to ensure consensus, if processes may crash Bisping et al. FLP Constructive Proof 24 August 2016 3 / 15

  6. Introduction The FLP Theorem Theorem (Fischer, Lynch, Paterson, 1985) impossible to ensure consensus, if processes may crash Theorem (V¨ olzer, 2004) more constructive proof of FLP Bisping et al. FLP Constructive Proof 24 August 2016 3 / 15

  7. Introduction The FLP Theorem Theorem (Fischer, Lynch, Paterson, 1985) impossible to ensure consensus, if processes may crash Theorem (V¨ olzer, 2004) more constructive proof of FLP Our Work • based on the more constructive paper of V¨ olzer • formalizing this proof in Isabelle/HOL • . . . including “fairness”, which was just stated Bisping et al. FLP Constructive Proof 24 August 2016 3 / 15

  8. Introduction Consensus Model • finite set of sequential processes • asynchronous communication channels between all pairs p 0 1 p 3 p 1 1 0 p 2 0 Bisping et al. FLP Constructive Proof 24 August 2016 4 / 15

  9. Introduction Consensus Model • finite set of sequential processes • asynchronous communication channels between all pairs Definition: Binary Consensus p 0 Each process gets an input value from { 0 , 1 } and 1 may irrevocably decide on a final output value such that: p 3 p 1 • Agreement : No two processes decide 1 0 differently. • Validity : The output value is the input value p 2 of some process. 0 • Termination : Each process eventually decides or crashes. Bisping et al. FLP Constructive Proof 24 August 2016 4 / 15

  10. Introduction Consensus Model • finite set of sequential processes • asynchronous communication channels between all pairs Definition: Binary Consensus p 0 Each process gets an input value from { 0 , 1 } and 1 may irrevocably decide on a final output value such that: p 3 p 1 • Agreement : No two processes decide 1 0 differently. • Validity : The output value is the input value p 2 of some process. 0 • Termination : Each process eventually decides or crashes. Bisping et al. FLP Constructive Proof 24 August 2016 4 / 15

  11. Introduction Fairness • easy to obtain undesired behaviour • “block” process by not processing its messages Bisping et al. FLP Constructive Proof 24 August 2016 5 / 15

  12. Introduction Fairness • easy to obtain undesired behaviour • “block” process by not processing its messages Definition: Fair Execution Each message is processed (as long as receiver not crashed). Bisping et al. FLP Constructive Proof 24 August 2016 5 / 15

  13. Introduction Fairness • easy to obtain undesired behaviour • “block” process by not processing its messages Definition: Fair Execution Each message is processed (as long as receiver not crashed). • unfair execution practically irrelevant Bisping et al. FLP Constructive Proof 24 August 2016 5 / 15

  14. Introduction The FLP Theorem Theorem (V¨ olzer, 2004) There is no consensus algorithm such that • a process may crash • validity • agreement • every fair execution terminates Bisping et al. FLP Constructive Proof 24 August 2016 6 / 15

  15. Introduction The FLP Theorem Theorem (V¨ olzer, 2004) There is no consensus algorithm such that • a process may crash • validity • agreement • every fair execution terminates fundamental result in distributed computing Bisping et al. FLP Constructive Proof 24 August 2016 6 / 15

  16. Introduction The FLP Theorem Theorem (V¨ olzer, 2004) Every consensus algorithm such that • a process may crash • validity • agreement has an infinite fair execution that does not decide. Bisping et al. FLP Constructive Proof 24 August 2016 7 / 15

  17. Introduction The FLP Theorem Theorem (V¨ olzer, 2004) Every consensus algorithm such that • a process may crash • validity • agreement has an infinite fair execution that does not decide. � constructive Bisping et al. FLP Constructive Proof 24 August 2016 7 / 15

  18. Introduction The FLP Theorem Theorem (V¨ olzer, 2004) Every consensus algorithm such that • a process may crash • validity • agreement has an infinite fair execution that does not decide. � constructive Idea of proof • find invariant that ensures non-decided • find proper way to extend finite execution, keeping the invariant • infinite fair run Bisping et al. FLP Constructive Proof 24 August 2016 7 / 15

  19. Our proof in Isabelle/HOL Initial Lemma Non-uniform There are processes p , q such that • crash of p allows decision 0 • crash of q allows decision 1 Bisping et al. FLP Constructive Proof 24 August 2016 8 / 15

  20. Our proof in Isabelle/HOL Initial Lemma Non-uniform There are processes p , q such that • crash of p allows decision 0 • crash of q allows decision 1 Initial Lemma There is a non-uniform initial configuration. Bisping et al. FLP Constructive Proof 24 August 2016 8 / 15

  21. Our proof in Isabelle/HOL Initial Lemma Non-uniform There are processes p , q such that • crash of p allows decision 0 • crash of q allows decision 1 Initial Lemma There is a non-uniform initial configuration. Small error in V¨ olzer’s proof • used same symbol for different configurations • required adaption in proof Bisping et al. FLP Constructive Proof 24 August 2016 8 / 15

  22. Our proof in Isabelle/HOL Extension Lemma Extension Lemma - V¨ olzer’s version For each non-uniform configuration c and each process p there is a configuration c ′ such that c ⇒ ∗ c ′ and crash of p in c ′ allows for both decisions. Bisping et al. FLP Constructive Proof 24 August 2016 9 / 15

  23. Our proof in Isabelle/HOL Extension Lemma Extension Lemma - V¨ olzer’s version For each non-uniform configuration c and each process p there is a configuration c ′ such that c ⇒ ∗ c ′ and crash of p in c ′ allows for both decisions. Extension Lemma – our version • choose message ( p , m ) – receiver p , content m • apply Extension Lemma for this p • can safely consume message (keeping invariant) all put into single extension Bisping et al. FLP Constructive Proof 24 August 2016 9 / 15

  24. Our proof in Isabelle/HOL Extension – Picture 0 • c 1 Bisping et al. FLP Constructive Proof 24 August 2016 10 / 15

  25. Our proof in Isabelle/HOL Extension – Picture 0 p • • c 1 Bisping et al. FLP Constructive Proof 24 August 2016 10 / 15

  26. Our proof in Isabelle/HOL Extension – Picture 0 p Extension • • c c ′ 1 Bisping et al. FLP Constructive Proof 24 August 2016 10 / 15

  27. Our proof in Isabelle/HOL Extension – Picture 0 p Extension • • c c ′ 1 Bisping et al. FLP Constructive Proof 24 August 2016 10 / 15

  28. Our proof in Isabelle/HOL Extension – Picture 0 p Extension • • c c ′ 1 Bisping et al. FLP Constructive Proof 24 August 2016 10 / 15

  29. Our proof in Isabelle/HOL FLP-Theorem FLP-Theorem Each possible consensus algorithm has a fair infinite execution that does not decide. Bisping et al. FLP Constructive Proof 24 August 2016 11 / 15

  30. Our proof in Isabelle/HOL FLP-Theorem FLP-Theorem Each possible consensus algorithm has a fair infinite execution that does not decide. Proof by V¨ olzer • start with non-uniform initial configuration • take message with minimal enabling time • extend execution using Extension Lemma, ending with non-uniform configuration • repeat this process Bisping et al. FLP Constructive Proof 24 August 2016 11 / 15

  31. Our proof in Isabelle/HOL Proof Idea 0 • Initial 1 Bisping et al. FLP Constructive Proof 24 August 2016 12 / 15

  32. Our proof in Isabelle/HOL Proof Idea 0 • • Initial ( p 1 , m 1 ) • 1 Bisping et al. FLP Constructive Proof 24 August 2016 12 / 15

  33. Our proof in Isabelle/HOL Proof Idea 0 Extension • • Initial ( p 1 , m 1 ) • 1 Bisping et al. FLP Constructive Proof 24 August 2016 12 / 15

  34. Our proof in Isabelle/HOL Proof Idea 0 Extension • • Initial ( p 1 , m 1 ) • 1 Bisping et al. FLP Constructive Proof 24 August 2016 12 / 15

  35. Our proof in Isabelle/HOL Proof Idea 0 • ( p 2 , m 2 ) Extension • • • Initial ( p 1 , m 1 ) • 1 Bisping et al. FLP Constructive Proof 24 August 2016 12 / 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Constructive decision via redundancy-free proof-search Dominique Larchey-Wendling TYPES team,

Constructive decision via redundancy-free proof-search Dominique Larchey-Wendling TYPES team,

Constructive decision via redundancy-free proof-search Dominique Larchey-Wendling TYPES team, ANR TICAMORE LORIA CNRS Nancy, France Second TICAMORE meeting Marseille, Nov. 2017 1 Constructive termination of

517 views • 19 slides
Constructive Verification, Empirical Induction, and Falibilist Deduction: A Threefold Contrast

Constructive Verification, Empirical Induction, and Falibilist Deduction: A Threefold Contrast

Constructive Verification, Empirical Induction, and Falibilist Deduction: A Threefold Contrast Interpretation of Bayesian e -values Julio Michael Stern , Institute of Mathematics and Statistics of the University of Sao Paulo

371 views • 36 slides
An Almost Constructive Proof of Classical First-Order Completeness First Bachelor Seminar Talk

An Almost Constructive Proof of Classical First-Order Completeness First Bachelor Seminar Talk

An Almost Constructive Proof of Classical First-Order Completeness First Bachelor Seminar Talk Dominik Wehr Advisors: Dominik Kirst, Yannick Forster Saarland University 14th December 2018 Syntax, Deduction, and Semantics Model Existence

489 views • 19 slides
Human-Readable Machine-Verifiable Proofs for Teaching Constructive Logic Andreas Abel, Bor-Yuh

Human-Readable Machine-Verifiable Proofs for Teaching Constructive Logic Andreas Abel, Bor-Yuh

Human-Readable Machine-Verifiable Proofs for Teaching Constructive Logic Andreas Abel, Bor-Yuh Evan Chang, and Frank Pfenning Workshop on Proof Transformations, Proof Presentations and Complexity of Proofs International Joint Conference on

578 views • 23 slides
TOURNAMENT PAPER WORK REVIEW TOURNAMENT PLAYER VERIFICATION FORM Proof of Age Proof of

TOURNAMENT PAPER WORK REVIEW TOURNAMENT PLAYER VERIFICATION FORM Proof of Age Proof of

TOURNAMENT PAPER WORK REVIEW TOURNAMENT PLAYER VERIFICATION FORM Proof of Age Proof of Residency School Enrollment Player Information Proof of Age (BC) Proof of Residency OR School Enrollment Waivers Signatures Proof of Residency:

480 views • 32 slides
+ proof obligations Automatic Verification of TLA with SMT solvers Stephan Merz and Hern an

+ proof obligations Automatic Verification of TLA with SMT solvers Stephan Merz and Hern an

+ proof obligations Automatic Verification of TLA with SMT solvers Stephan Merz and Hern an Vanzetto LPAR-18, M erida, Venezuela March 12th, 2012 1 + language The TLA Specification and verification language for (concurrent and

735 views • 27 slides
Program Extraction in Constructive Analysis Helmut Schwichtenberg Mathematisches Institut,

Program Extraction in Constructive Analysis Helmut Schwichtenberg Mathematisches Institut,

Program Extraction in Constructive Analysis Helmut Schwichtenberg Mathematisches Institut, Universit at M unchen 1 Program extraction from proofs Every constructive existence proof contains an algorithm. Bishop 1970 Mathematics as a

868 views • 45 slides
A Constructive Proof of Dependent Choice, Compatible with Classical Logic Hugo Herbelin INRIA -

A Constructive Proof of Dependent Choice, Compatible with Classical Logic Hugo Herbelin INRIA -

A Constructive Proof of Dependent Choice, Compatible with Classical Logic Hugo Herbelin INRIA - PPS - Univ. Paris Diderot Paris, France e-mail: Hugo.Herbelin@inria.fr and P ( t 2 ) in the right-hand side, leading to an unexpected de- Abstract

271 views • 10 slides
KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems Safety-critical Verification Proof assistance Proof assistants Proof experience 2/10 Proof Experience Issues High iteration cost

339 views • 10 slides
iCoq : Regression Proof Selection for Large-Scale Verification Projects Karl Palmskog University

iCoq : Regression Proof Selection for Large-Scale Verification Projects Karl Palmskog University

iCoq : Regression Proof Selection for Large-Scale Verification Projects iCoq : Regression Proof Selection for Large-Scale Verification Projects Karl Palmskog University of Illinois at Urbana-Champaign Joint work with Ahmet Celik and Milos

837 views • 45 slides
A Simple Framework for Program Verification and its Mechanical Certification in Theorema Tudor

A Simple Framework for Program Verification and its Mechanical Certification in Theorema Tudor

A Simple Framework for Program Verification and its Mechanical Certification in Theorema Tudor Jebelean M ad alina Era scu Research Institute for Symbolic Computation, Johannes Kepler University, Linz, Austria October 2012 1/25

430 views • 26 slides
Logosphere A Digital Library of Formal Proof Carsten Schrmann Processor Verification

Logosphere A Digital Library of Formal Proof Carsten Schrmann Processor Verification

Logosphere A Digital Library of Formal Proof Carsten Schrmann Processor Verification INTEL (HOL/HOL light). [John Harrison] $500mio Pentium bug. AMD (ACL2, Nqthm). [Matt Kaufmann] Siemens, Microsoft (ASM). [Yuri

502 views • 32 slides
Formal verification of an optimizing compiler or: a software-proof codesign approach to the

Formal verification of an optimizing compiler or: a software-proof codesign approach to the

Formal verification of an optimizing compiler or: a software-proof codesign approach to the development of trusted compilers Xavier Leroy INRIA Rocquencourt MEMOCODE 2007 X. Leroy (INRIA) Formal compiler verification MEMOCODE 2007 1 / 61

969 views • 62 slides
A Proof Repository for Formal Verification of Software Michael Franssen WASDeTT- 3 September 20

A Proof Repository for Formal Verification of Software Michael Franssen WASDeTT- 3 September 20

A Proof Repository for Formal Verification of Software Michael Franssen WASDeTT- 3 September 20 th 2010 Cocktail Derive programs from their specifications Does not scale and nobody programs like this Create proofs interactively with an

342 views • 7 slides
Local proof transformations for flexible interpolation and proof reduction N. Sharygina Formal

Local proof transformations for flexible interpolation and proof reduction N. Sharygina Formal

Local proof transformations for flexible interpolation and proof reduction N. Sharygina Formal Verification and Security Group University of Lugano June 21, 2011 Natasha Sharygina (USI) Flexible Proof Transformation June 21, 2011 1 / 72

2.21k views • 186 slides
Constructive Mathematics in Constructive Set Theory Nicola Gambino University of Palermo MALOA

Constructive Mathematics in Constructive Set Theory Nicola Gambino University of Palermo MALOA

Constructive Mathematics in Constructive Set Theory Nicola Gambino University of Palermo MALOA Worskhop Leeds, June 30th 2011 Classical vs Constructive Mathematics AC EM Pow ZFC ZF IZF Topos

255 views • 24 slides
Riemann-Liouville Fractional Calculus of Coalescence Hidden-variable Fractal Interpolation

Riemann-Liouville Fractional Calculus of Coalescence Hidden-variable Fractal Interpolation

Riemann-Liouville Fractional Calculus of Coalescence Hidden-variable Fractal Interpolation Functions Srijanani Anurag Prasad Department of Applied Sciences, The NorthCap University, Gurgaon 6 th Cornell Conference on Analysis, Probability, and

911 views • 31 slides
Type Theory in Rosario Thorsten Altenkirch July 25, 2011 Thorsten Altenkirch () Rosario July

Type Theory in Rosario Thorsten Altenkirch July 25, 2011 Thorsten Altenkirch () Rosario July

Type Theory in Rosario Thorsten Altenkirch July 25, 2011 Thorsten Altenkirch () Rosario July 25, 2011 1 / 7 Zermelo-Fraenkel Set Theory Zermelo (1871-1953) Fraenkel (1891-1965) Axiomatic Set Theory 1925 ZFC = Zermelo-Fraenkel with

482 views • 7 slides
Constructive Aspects of Gelfand Duality Christopher Mulvey University of Sussex

Constructive Aspects of Gelfand Duality Christopher Mulvey University of Sussex

Constructive Aspects of Gelfand Duality Christopher Mulvey University of Sussex www.maths.sussex.ac.uk/Staff/CJM c.j.mulvey@cantab.net Background In this talk, I will tell you something about Gelfand duality, seen through the eyes of the

459 views • 42 slides
Addition is exponentially harder than counting for shallow monotone circuits Igor Carboni

Addition is exponentially harder than counting for shallow monotone circuits Igor Carboni

Addition is exponentially harder than counting for shallow monotone circuits Igor Carboni Oliveira Columbia University / Charles University in Prague Joint work with Xi Chen (Columbia) and Rocco Servedio (Columbia) 1 What is this talk about?

556 views • 38 slides
Computer Graphics Si Lu Fall 2017 http://web.cecs.pdx.edu/~lusi/CS447/CS447_547_Comp

Computer Graphics Si Lu Fall 2017 http://web.cecs.pdx.edu/~lusi/CS447/CS447_547_Comp

Computer Graphics Si Lu Fall 2017 http://web.cecs.pdx.edu/~lusi/CS447/CS447_547_Comp uter_Graphics.htm 11/15/2017 Last time o Polygon Mesh and Modeling 2 Today o Modeling Technologies o Final Exam: 2:00-3:30, Novermber 29, 2017 3 Modeling

576 views • 44 slides
Transforming Objects Ray : R(t) = s + c t Objects : Sphere, box, cone etc. We assume the objects

Transforming Objects Ray : R(t) = s + c t Objects : Sphere, box, cone etc. We assume the objects

Transforming Objects Ray : R(t) = s + c t Objects : Sphere, box, cone etc. We assume the objects to be normalized so that the ray-object intersection test is easier. e.g. Sphere is x 2 + y 2 + z 2 = 1 Now while instantiating the objects in our

304 views • 15 slides
4.1 Polygon Meshes and Implicit Surfaces Hao Li http://cs420.hao-li.com 1 Geometric

4.1 Polygon Meshes and Implicit Surfaces Hao Li http://cs420.hao-li.com 1 Geometric

Fall 2018 CSCI 420: Computer Graphics 4.1 Polygon Meshes and Implicit Surfaces Hao Li http://cs420.hao-li.com 1 Geometric Representations point based quad mesh triangle mesh implicit surfaces / particles volumetric tetrahedrons 2

1.11k views • 54 slides
Before we begin Paper summaries for today? Objects and Transformations Setting up your scene

Before we begin Paper summaries for today? Objects and Transformations Setting up your scene

Before we begin Paper summaries for today? Objects and Transformations Setting up your scene Computer Graphics as Virtual Photography Defining your 3D world real camera photo Photographic Photography: scene (captures processing

348 views • 10 slides

More recommend