Mechanical Verification of a Constructive Proof for FLP according to Hagen Völzer

SLIDE 1

Mechanical Verification of a Constructive Proof for FLP
according to Hagen Völzer

Bisping, Brodmann, Jungnickel, Rickmann, Seidler, Stüber, Wilhelm-Weidner, Peters, Nestmann
24 August 2016
Models and Theory of Distributed Systems

Bisping et al. FLP Constructive Proof 24 August 2016 1 / 15

SLIDE 4

Introduction

Consensus – Motivation

Example

  • distributed database
  • each at different state
  • decide whether to apply transaction
  • exchange messages
  • all have to arrive at same decision

Problem: processes may crash

Bisping et al. FLP Constructive Proof 24 August 2016 2 / 15

SLIDE 7

Introduction

The FLP Theorem

Theorem (Fischer, Lynch, Paterson, 1985)
Impossible to ensure consensus if processes may crash.

Theorem (Völzer, 2004)
A more constructive proof of FLP.

Our Work

  • based on the more constructive paper of Völzer
  • formalizing this proof in Isabelle/HOL
  • . . . including “fairness”, which was just stated

Bisping et al. FLP Constructive Proof 24 August 2016 3 / 15

SLIDE 9

Introduction

Consensus

Model

  • finite set of sequential processes
  • asynchronous communication channels between all pairs

[Figure: processes p0, p1, p2, p3 connected by pairwise communication channels]

Definition: Binary Consensus
Each process gets an input value from {0, 1} and may irrevocably decide on a final output value such that:

  • Agreement: No two processes decide differently.
  • Validity: The output value is the input value of some process.
  • Termination: Each process eventually decides or crashes.

Bisping et al. FLP Constructive Proof 24 August 2016 4 / 15

SLIDE 13

Introduction

Fairness

  • easy to obtain undesired behaviour
  • “block” process by not processing its messages

Definition: Fair Execution
Each message is processed (as long as the receiver has not crashed).

  • unfair execution practically irrelevant

Bisping et al. FLP Constructive Proof 24 August 2016 5 / 15

SLIDE 15

Introduction

The FLP Theorem

Theorem (Völzer, 2004)

There is no consensus algorithm such that

  • a process may crash
  • validity
  • agreement
  • every fair execution terminates

fundamental result in distributed computing

Bisping et al. FLP Constructive Proof 24 August 2016 6 / 15

SLIDE 18

Introduction

The FLP Theorem

Theorem (Völzer, 2004)

Every consensus algorithm such that

  • a process may crash
  • validity
  • agreement

has an infinite fair execution that does not decide. (constructive)

Idea of proof

  • find invariant that ensures non-decided
  • find proper way to extend finite execution, keeping the invariant
  • infinite fair run

Bisping et al. FLP Constructive Proof 24 August 2016 7 / 15

SLIDE 21

Our proof in Isabelle/HOL

Initial Lemma

Non-uniform There are processes p, q such that

  • crash of p allows decision 0
  • crash of q allows decision 1

Initial Lemma
There is a non-uniform initial configuration.

Small error in Völzer’s proof

  • used same symbol for different configurations
  • required adaptation in proof

Bisping et al. FLP Constructive Proof 24 August 2016 8 / 15
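Added example (Python, not from the slides and not the authors' Isabelle development): a constructed toy model of the setting from the Binary Consensus definition, with an exhaustive search that decides whether a crash of a process allows a given decision, and hence whether an initial configuration is non-uniform in the sense of the Initial Lemma. The two decision rules are toy protocols constructed for illustration; all names are chosen here.

```python
from collections import deque
# Constructed toy model (not the authors' Isabelle code) of the deck's setting: processes,
# a multiset of in-flight messages, and a step in which one process consumes one message
# addressed to it. The decision rule is a parameter so different toy protocols can be tried.
def initial(inputs):
    """Per-process (input, received values, decision) plus one 'start' message each."""
    states = tuple((v, (), None) for v in inputs)
    buf = tuple(sorted(("start", p, None) for p in range(len(inputs))))  # (kind, to, payload)
    return (states, buf)

def step(states, buf, i, rule):
    """Let the receiver of buffer entry i consume it; return the successor configuration."""
    kind, p, payload = buf[i]
    inp, recv, dec = states[p]
    new_buf = list(buf[:i] + buf[i + 1:])
    if kind == "start":  # on its first step a process broadcasts its input to the others
        new_buf += [("val", q, inp) for q in range(len(states)) if q != p]
    else:
        recv = recv + (payload,)
        dec = dec if dec is not None else rule(inp, recv)  # decisions are irrevocable
    states = states[:p] + ((inp, recv, dec),) + states[p + 1:]
    return (states, tuple(sorted(new_buf)))

def allows(config, crashed, v, rule):
    """Crash of `crashed` allows decision v: some run in which `crashed` stops stepping decides v."""
    seen, todo = {config}, deque([config])
    while todo:
        states, buf = todo.popleft()
        if any(dec == v for _, _, dec in states):
            return True
        for i, (_, p, _) in enumerate(buf):
            if p != crashed:  # the crashed process consumes nothing more
                nxt = step(states, buf, i, rule)
                if nxt not in seen:
                    seen.add(nxt); todo.append(nxt)
    return False

def non_uniform(inputs, rule):
    """Deck's definition: crash of some p allows 0 and crash of some q allows 1."""
    c, procs = initial(inputs), range(len(inputs))
    return any(allows(c, p, 0, rule) for p in procs) and any(allows(c, q, 1, rule) for q in procs)

def majority_rule(inp, recv):
    """Decide v once own input plus received values contain v twice (toy protocol)."""
    vals = (inp,) + recv
    return next((v for v in (0, 1) if vals.count(v) >= 2), None)

def first_other_rule(inp, recv):
    """Decide the first value received from another process (toy, breaks agreement)."""
    return recv[0]
```

With the majority rule the inputs (0, 0, 1) give a uniform initial configuration because a crash of p0 blocks every decision, which is exactly the termination failure the Initial Lemma rules out for an algorithm meeting all three properties; the first-other rule makes the same inputs non-uniform but violates agreement.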

SLIDE 23

Our proof in Isabelle/HOL

Extension Lemma

Extension Lemma – Völzer’s version
For each non-uniform configuration c and each process p there is a configuration c′ such that c ⇒∗ c′ and crash of p in c′ allows for both decisions.

Extension Lemma – our version

  • choose message (p, m) – receiver p, content m
  • apply Extension Lemma for this p
  • can safely consume message (keeping invariant)

all put into single extension

Bisping et al. FLP Constructive Proof 24 August 2016 9 / 15

SLIDE 28

Our proof in Isabelle/HOL

Extension – Picture

[Figure: configuration c, process p, and the extension from c to configuration c′]

Bisping et al. FLP Constructive Proof 24 August 2016 10 / 15

SLIDE 30

Our proof in Isabelle/HOL

FLP-Theorem

FLP-Theorem
Each possible consensus algorithm has a fair infinite execution that does not decide.

Proof by Völzer

  • start with non-uniform initial configuration
  • take message with minimal enabling time
  • extend execution using Extension Lemma, ending with non-uniform configuration
  • repeat this process

Bisping et al. FLP Constructive Proof 24 August 2016 11 / 15

SLIDE 38

Our proof in Isabelle/HOL

Proof Idea

[Figure: Initial configuration, then message (p1, m1) consumed via Extension, then (p2, m2) via Extension, and so on]

Bisping et al. FLP Constructive Proof 24 August 2016 12 / 15

SLIDE 41

Our proof in Isabelle/HOL

Infinite Executions

Problem

  • fairness/correctness defined for single (infinite) execution
  • construction yields sequence of finite executions

Infinite executions – our model

  • as function from natural numbers to finite executions

definition infiniteExecution ::
  "(nat ⇒ (('p, 'v, 's) configuration list)) ⇒ (nat ⇒ (('p, 'v) message list)) ⇒ bool"
where
  "infiniteExecution fe ft ≡ ∀ n . execution trans sends start (fe n) (ft n)
     ∧ prefixList (fe n) (fe (n+1))
     ∧ prefixList (ft n) (ft (n+1))"

Bisping et al. FLP Constructive Proof 24 August 2016 13 / 15
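Added sketch in Lean 4 with Mathlib (not the authors' Isabelle code) of the prefixList part of the definition above, together with the monotonicity fact that makes such a chain a model of one infinite execution; the names PrefixChain and PrefixChain.mono are chosen here.

```lean
import Mathlib

/-- The `prefixList` conjuncts of `infiniteExecution`: a function from naturals to
finite executions in which every stage is a prefix of the next. -/
def PrefixChain {α : Type} (fe : ℕ → List α) : Prop :=
  ∀ n, fe n <+: fe (n + 1)

/-- Chains are monotone: any earlier stage is a prefix of any later one. Hence all
stages agree on every position they contain, and the chain determines exactly one
infinite execution, which is what fairness and correctness are stated about. -/
theorem PrefixChain.mono {α : Type} {fe : ℕ → List α} (h : PrefixChain fe) :
    ∀ {m n : ℕ}, m ≤ n → fe m <+: fe n := by
  intro m n hmn
  induction hmn with
  | refl => exact List.prefix_rfl
  | step _ ih => exact ih.trans (h _)
```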

slide-42
SLIDE 42

Our proof in Isabelle/HOL

Proof of Fairness

Völzer: “We obtain a fair execution where all processes are correct and that is always eventually non-uniform and hence does not decide.”

Bisping et al. FLP Constructive Proof 24 August 2016 14 / 15

SLIDE 47

Conclusions

Conclusions

theorem ConsensusFails:
  assumes Termination: "⋀ fe ft . (fairInfiniteExecution fe ft ⟹ terminationFLP fe ft)"
    and Validity: "∀ i c . validity i c"
    and Agreement: "∀ i c . agreementInit i c"
  shows "False"

Conclusions

  • formalization of Völzer’s proof in Isabelle/HOL
  • 2½ pages → 4000 LOC

  • precise list of preconditions for individual proofs
  • proof of fairness
  • correctness up to correctness of Isabelle/HOL

Thank you very much for your attention.

Bisping et al. FLP Constructive Proof 24 August 2016 15 / 15