proving weakly consistent applications correct
play

Proving Weakly Consistent Applications Correct Alexey Gotsman - PowerPoint PPT Presentation

Oct 10, 2023 •446 likes •967 views

Proving Weakly Consistent Applications Correct Alexey Gotsman IMDEA Software Institute, Madrid, Spain Joint work with Hongseok Yang (Oxford), Carla Ferreira (U Nova Lisboa), Mahsa Najafzadeh, Marc Shapiro (INRIA) Eventually consistent

  1. Proving Weakly Consistent Applications Correct Alexey Gotsman IMDEA Software Institute, Madrid, Spain Joint work with Hongseok Yang (Oxford), Carla Ferreira (U Nova Lisboa), Mahsa Najafzadeh, Marc Shapiro (INRIA)

  2. Eventually consistent databases deposit(100) • No synchronisation: process an update locally, propagate effects to other replicas later • Weakens consistency: deposit seen with a delay

  3. balance ≥ 0 balance = 100 balance = 100

  4. balance ≥ 0 balance = 100 balance = 100 withdraw(100) : ✔ withdraw(100) : ✔ balance = 0 balance = 0

  5. balance ≥ 0 balance = 100 balance = 100 withdraw(100) : ✔ withdraw(100) : ✔ balance = 0 balance = 0 balance = -100

  6. balance ≥ 0 balance = 100 balance = 100 withdraw(100) : ✔ withdraw(100) : ✔ balance = 0 balance = 0 balance = -100 deposit(100)

  7. balance ≥ 0 balance = 100 balance = 100 withdraw(100) : ✔ withdraw(100) : ✔ balance = 0 balance = 0 balance = -100 Tune consistency: • Withdrawals strongly consistent deposit(100) • Deposits eventually consistent

  8. Consistency choices • Databases with multiple consistency levels: ‣ Commercial: Amazon DynamoDB, Basho Riak, Microsoft DocumentDB ‣ Research: Li + OSDI’12; Terry + SOSP’13; Balegas + EuroSys’15... • Pay for stronger semantics with latency, possible unavailability and money • Hard to figure out the minimum consistency necessary to maintain correctness - proof rule and tool

  9. Consistency model • Generic model - not implemented, but can encode many existing models that are: RedBlue consistency [Li + 2012], reservation locks [Balegas + 2015], parallel snapshot isolation [Sovran + 2011], ... • Causal consistency as a baseline: observe an update ➜ observe the updates it depends on • A construct for strengthening consistency on demand

  10. Operation semantics σ op ⟦ op ⟧ val Replica states: σ ∈ State Return value: ⟦ op ⟧ val ∈ State ➞ Value

  11. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) Replica states: σ ∈ State Return value: ⟦ op ⟧ val ∈ State ➞ Value Effector: ⟦ op ⟧ eff ∈ State ➞ (State ➞ State)

  12. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) Replica states: σ ∈ State Return value: ⟦ op ⟧ val ∈ State ➞ Value Effector: ⟦ op ⟧ eff ∈ State ➞ (State ➞ State)

  13. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ Effector ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) Replica states: σ ∈ State Return value: ⟦ op ⟧ val ∈ State ➞ Value Effector: ⟦ op ⟧ eff ∈ State ➞ (State ➞ State)

  14. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ Effector ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) Replica states: σ ∈ State Return value: ⟦ op ⟧ val ∈ State ➞ Value Effector: ⟦ op ⟧ eff ∈ State ➞ (State ➞ State)

  15. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) State = Z ⟦ balance() ⟧ val ( σ ) = σ ⟦ balance() ⟧ eff ( σ ) = λσ . σ

  16. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) ⟦ deposit(100) ⟧ eff ( σ ) = λσʹ . ( σʹ + 100)

  17. Operation semantics σ op ⟦ op ⟧ eff ( σ ) 50 ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) ⟦ deposit(100) ⟧ eff ( σ ) = λσʹ . ( σʹ + 100)

  18. Operation semantics σ op ⟦ op ⟧ eff ( σ ) 50 ⟦ op ⟧ val 150 ⟦ deposit(100) ⟧ eff ( σ ) = λσʹ . ( σʹ + 100)

  19. Ensuring eventual consistency • Effectors have to commute • Eventual consistency: replicas receiving the same messages in different orders end up in the same state • Replicated data types [Shapiro + 2011]: ready-made commutative implementations ⟦ deposit(100) ⟧ eff ( σ ) = λσʹ . ( σʹ + 100)

  20. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) ⟦ withdraw(100) ⟧ eff ( σ ) = if σ ≥ 100 then ( λσʹ . σʹ - 100) else ( λσʹ . σʹ )

  21. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) ⟦ withdraw(100) ⟧ eff ( σ ) = if σ ≥ 100 then ( λσʹ . σʹ - 100) else ( λσʹ . σʹ )

  22. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) ⟦ withdraw(100) ⟧ eff ( σ ) = if σ ≥ 100 then ( λσʹ . σʹ - 100) else ( λσʹ . σʹ )

  23. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) ⟦ withdraw(100) ⟧ eff ( σ ) = if σ ≥ 100 then ( λσʹ . σʹ - 100) else ( λσʹ . σʹ )

  24. balance = 100 balance = 100 withdraw(100) : ✔ withdraw(100) : ✔ λσʹ . σʹ - 100 balance = 0 balance = 0 ⟦ withdraw(100) ⟧ eff ( σ ) = if σ ≥ 100 then ( λσʹ . σʹ - 100) else ( λσʹ . σʹ )

  25. balance = 100 balance = 100 withdraw(100) : ✔ withdraw(100) : ✔ λσʹ . σʹ - 100 balance = 0 balance = 0 balance = -100 ⟦ withdraw(100) ⟧ eff ( σ ) = if σ ≥ 100 then ( λσʹ . σʹ - 100) else ( λσʹ . σʹ )

  26. Strengthening consistency Token system ≈ locks on steroids: • Token = { τ 1 , τ 2 , ...} • Symmetric conflict relation ⋈ ⊆ Token × Token

  27. Strengthening consistency Token system ≈ locks on steroids: • Token = { τ 1 , τ 2 , ...} • Symmetric conflict relation ⋈ ⊆ Token × Token Example - mutual exclusion lock: Token = { τ }; τ ⋈ τ

  28. Strengthening consistency Token system ≈ locks on steroids: • Token = { τ 1 , τ 2 , ...} • Symmetric conflict relation ⋈ ⊆ Token × Token Example - mutual exclusion lock: Token = { τ }; τ ⋈ τ Each operation associated with a set of tokens: ⟦ op ⟧ tok ∈ State ➞ P (Token)

  29. Operations associated with conflicting tokens cannot be unaware of each other τ ⋈ τ balance = 100 balance = 100 withdraw(100) : ✔ { τ }

  30. Operations associated with conflicting tokens cannot be unaware of each other τ ⋈ τ balance = 100 balance = 100 withdraw(100) : ✔ { τ } withdraw(100) : ? { τ } Anything I don’t know about?

  31. Operations associated with conflicting tokens cannot be unaware of each other τ ⋈ τ balance = 100 balance = 100 withdraw(100) : ✔ { τ } balance = 0 withdraw(100) : ? { τ }

  32. Operations associated with conflicting tokens cannot be unaware of each other τ ⋈ τ balance = 100 balance = 100 withdraw(100) : ✔ { τ } balance = 0 withdraw(100) : ✘ { τ }

  33. Operations associated with conflicting tokens cannot be unaware of each other τ ⋈ τ balance = 100 balance = 100 withdraw(100) : ✔ { τ } balance = 0 deposit(100) withdraw(100) : ✘ ∅ { τ } No synchronisation

  34. Operations associated with conflicting tokens Do we always have I = (balance ≥ 0)? cannot be unaware of each other τ ⋈ τ balance = 100 balance = 100 withdraw(100) : ✔ { τ } balance = 0 deposit(100) withdraw(100) : ✘ ∅ { τ } No synchronisation

  35. σ ∈ I o op p ⟦ ( σ ⟧ ) e f f σʹ ⟦ op ⟧ eff ( σ )( σʹ ) ∈ I ? Effect applied in a different state!

  36. σ ∈ I o op p ⟦ ( σ ⟧ ) e f f σʹ ⟦ op ⟧ eff ( σ )( σʹ ) ∈ I ? ⟦ op ⟧ eff ( σ ) = if P( σ ) then f( σ ) else if... ⟦ withdraw(100) ⟧ eff ( σ ) = if σ ≥ 100 then ( λσʹ . σʹ - 100) else ( λσʹ . σʹ )

  37. σ ∈ I o op p ⟦ ( σ ⟧ ) e f f σʹ ⟦ op ⟧ eff ( σ )( σʹ ) ∈ I ? ⟦ op ⟧ eff ( σ ) = if P( σ ) then f( σ ) else if... 1. Effector safety: f preserves I when executed in any state satisfying P

  38. σ ∈ I o op p ⟦ ( σ ⟧ ) e f f σʹ ⟦ op ⟧ eff ( σ )( σʹ ) ∈ I ✔ ⟦ op ⟧ eff ( σ ) = if P( σ ) then f( σ ) else if... 1. Effector safety: f preserves I when executed in any state satisfying P

  39. σ ∈ I o op p ⟦ ( σ ⟧ ) e f f P( σʹ ) ? σʹ ⟦ op ⟧ eff ( σ )( σʹ ) ∈ I ✔ ⟦ op ⟧ eff ( σ ) = if P( σ ) then f( σ ) else if... 1. Effector safety: f preserves I when executed in any state satisfying P

  40. σ ∈ I o op p ⟦ ( σ ⟧ ) e f f P( σʹ ) ? σʹ ⟦ op ⟧ eff ( σ )( σʹ ) ∈ I ✔ ⟦ op ⟧ eff ( σ ) = if P( σ ) then f( σ ) else if... 1. Effector safety: f preserves I when executed in any state satisfying P 2. Precondition stability: P will hold when f is applied at any replica

  41. CISE tool: ‘Cause I’m Strong Enough Discharges proof obligations using Z3 SMT solver By Mahsa Najafzadeh (UPMC & INRIA) ⟦ op ⟧ eff ( σ ) = if P( σ ) then f( σ ) else if... 1. Effector safety: f preserves I when executed in any state satisfying P 2. Precondition stability: P will hold when f is applied at any replica

  43. 31

  44. 1. Effector safety: f preserves I when executed in any state satisfying P 32

  45. 1. Effector safety: f preserves I when executed in any state satisfying P ✔ 32

  46. 2. Precondition stability: P is preserved by concurrent operations 33

  47. 2. Precondition stability: P is preserved by concurrent operations 33

  48. 2. Precondition stability: P is preserved by concurrent operations Bug: concurrent withdrawals may violate the invariant 33

  49. 2. Precondition stability: P is preserved by concurrent operations Add a token restricting concurrency 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Effective and Efficient Compromise Recovery for Weakly Consistent Replication Prince Mahajan (UT

Effective and Efficient Compromise Recovery for Weakly Consistent Replication Prince Mahajan (UT

Effective and Efficient Compromise Recovery for Weakly Consistent Replication Prince Mahajan (UT Austin), Ramakrishna Kotla, Cathy Marshall, Venugopalan Rama Ramasubramanian, Tom Rodeheffer, Doug Terry, Ted Wobber (Microsoft Research

1.34k views • 85 slides
MAINTAINING SQL INVARIANTS IN WEAKLY CONSISTENT DATABASES Nuno Preguia (NOVA LINCS,

MAINTAINING SQL INVARIANTS IN WEAKLY CONSISTENT DATABASES Nuno Preguia (NOVA LINCS,

MAINTAINING SQL INVARIANTS IN WEAKLY CONSISTENT DATABASES Nuno Preguia (NOVA LINCS, FCT/Universidade NOVA de Lisboa) Joint work with: Valter Balegas, Cheng Li (MPI, now Oracle), Joo Sousa, David Lopes, Srgio Duarte, Carla Ferreira, Joo

890 views • 49 slides
Policy-based Access Control for Weakly Consistent Replication Based on paper written by Ted

Policy-based Access Control for Weakly Consistent Replication Based on paper written by Ted

Policy-based Access Control for Weakly Consistent Replication Based on paper written by Ted Webber, Thomas L. Rodeheffer and Douglas B. Terry Outline Whats the problem? Definitions System design Operation on data Updating

978 views • 34 slides
Hoare Logic: Proving Programs Correct 17-654/17-765 Analysis of Software Artifacts Jonathan

Hoare Logic: Proving Programs Correct 17-654/17-765 Analysis of Software Artifacts Jonathan

Hoare Logic: Proving Programs Correct 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich Reading: C.A.R. Hoare, An Axiomatic Basis for Computer Programming Some presentation ideas from a lecture by K. Rustan M. Leino Testing and

392 views • 23 slides
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a

Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a

Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' ``attacks'' everything everything publications 1

590 views • 29 slides
Reliability In case of a crash, recover to a consistent (or correct state) and continue

Reliability In case of a crash, recover to a consistent (or correct state) and continue

Reliability In case of a crash, recover to a consistent (or correct state) and continue processing. Types of Failures Node failure 1. Communication line of failure 2. Loss of a message (or transaction) 3. Network partition 4. Any

559 views • 21 slides
Proving a Concurrent Program Correct by Demonstrating It Does Nothing Bernhard Kragl IST Austria

Proving a Concurrent Program Correct by Demonstrating It Does Nothing Bernhard Kragl IST Austria

Proving a Concurrent Program Correct by Demonstrating It Does Nothing Bernhard Kragl IST Austria doi: 10.1007/978-3-319-96145-3_5 https://github.com/boogie-org/boogie Shaz Qadeer Microsoft https://www.rise4fun.com/civl Credits Cormac

813 views • 67 slides
Weakly Supervised Classification Weakly Supervised Classification and Robust Learning and Robust

Weakly Supervised Classification Weakly Supervised Classification and Robust Learning and Robust

IIT-H and RIKEN-AIP Joint Workshop on March 15, 2019 Machine Learning and Applications, Hyderabad, India Weakly Supervised Classification Weakly Supervised Classification and Robust Learning and Robust Learning --- Overview of Our Recent

1.06k views • 25 slides
Hands on a Grand Challenge in Computing: Proving a Journaled File System Correct J.N. Oliveira

Hands on a Grand Challenge in Computing: Proving a Journaled File System Correct J.N. Oliveira

Hands on a Grand Challenge in Computing: Proving a Journaled File System Correct J.N. Oliveira High Assurance Software Lab and Dept. Inform atica Universidade do Minho Braga, Portugal INFORUM 2010 Braga, Portugal, September 2010 Context

1.1k views • 73 slides
Health Warning Principles, Techniques, Applications Theorem Proving is addictive Gerwin Klein

Health Warning Principles, Techniques, Applications Theorem Proving is addictive Gerwin Klein

W HAT YOU WILL LEARN how to use a theorem prover background, how it works how to prove and specify NICTA Advanced Course Slide 1 Slide 3 Theorem Proving Health Warning Principles, Techniques, Applications Theorem Proving is

262 views • 9 slides
Automated Theorem Proving in Real Applications John Harrison Intel Corporation The cost of

Automated Theorem Proving in Real Applications John Harrison Intel Corporation The cost of

Automated Theorem Proving in Real Applications 1 Automated Theorem Proving in Real Applications John Harrison Intel Corporation The cost of bugs Formal verification Machine-checked proof Automatic and interactive approaches

678 views • 29 slides
Theorem Proving and the Real Numbers Applications and Challenges Lawrence C Paulson 1.

Theorem Proving and the Real Numbers Applications and Challenges Lawrence C Paulson 1.

Theorem Proving and the Real Numbers Applications and Challenges Lawrence C Paulson 1. Interactive Theorem Proving A partial, biased history A UTOMATH L. S. van Benthem Jutting, Checking Landaus Grundlagen in the A UTOMATH

920 views • 37 slides
CASA Seminar Self- -consistent Space Charge consistent Space Charge Self Distributions: Theory

CASA Seminar Self- -consistent Space Charge consistent Space Charge Self Distributions: Theory

CASA Seminar Self- -consistent Space Charge consistent Space Charge Self Distributions: Theory and Applications Distributions: Theory and Applications Slava Danilov SNS/ORNL March 12, 2004 Accelerator Physics Oak Ridge National Laboratory

546 views • 26 slides
Real numbers in the real world Industrial applications of theorem proving John Harrison Intel

Real numbers in the real world Industrial applications of theorem proving John Harrison Intel

Real numbers in the real world Industrial applications of theorem proving John Harrison Intel Corporation 30th May 2006 0 Overview Famous computer arithmetic failures Formal verification and theorem proving Floating-point

627 views • 34 slides
Proving the Equivalence of Higher-Order Terms by Means of Supercompilation Ilya Klyuchnikov and

Proving the Equivalence of Higher-Order Terms by Means of Supercompilation Ilya Klyuchnikov and

Introduction Proving properties of programs Proving equality and equivalence Applications Summary Proving the Equivalence of Higher-Order Terms by Means of Supercompilation Ilya Klyuchnikov and Sergei Romanenko Keldysh Institute of Applied

588 views • 31 slides
Lab 2 discussion Last Time Debugging Its a science use experiments to refine

Lab 2 discussion Last Time Debugging Its a science use experiments to refine

size= 64 correct= 0 size= 73 correct= 0 Shuying Liang size= 107 correct= 1 size= 107 correct= 0 size= 108 correct= 0 size= 108 correct= 1 Please do not handin a .doc file, a .zip file, a .tar file, size= 111 correct= 1 size=

430 views • 7 slides
Lets Play Applanting... Ajit Hatti (Co-Founder) Null Open Security Community HELLO From

Lets Play Applanting... Ajit Hatti (Co-Founder) Null Open Security Community HELLO From

Lets Play Applanting... Ajit Hatti (Co-Founder) Null Open Security Community HELLO From INDIA (Technically) Disclaimer Personal Research Personal Views Doesn't represents views of my Employer. Vulnerabilities discussed in the paper

1.1k views • 36 slides
Course Introduction Hybrid Modeling Marco Chiarandini Department of Mathematics & Computer

Course Introduction Hybrid Modeling Marco Chiarandini Department of Mathematics & Computer

DM826 Spring 2012 Modeling and Solving Constrained Optimization Problems Lecture 1 Course Introduction Hybrid Modeling Marco Chiarandini Department of Mathematics & Computer Science University of Southern Denmark [ Partly based on

1.05k views • 40 slides
LMS and GAMLSS Flexible Regression and Smoothing Mikis Stasinopoulos 1 and Bob Rigby 1 1

LMS and GAMLSS Flexible Regression and Smoothing Mikis Stasinopoulos 1 and Bob Rigby 1 1

LMS and GAMLSS LMS and GAMLSS Flexible Regression and Smoothing Mikis Stasinopoulos 1 and Bob Rigby 1 1 STORM/FLSC, London Metropolitan University Royal Statistical Society, February 2016 1 LMS and GAMLSS Outline 1 The Lambda, Mu and Sigma

4.14k views • 55 slides
26:010:557 / 26:620:557 Social Science Research Methods Dr. Peter R. Gillett Associate

26:010:557 / 26:620:557 Social Science Research Methods Dr. Peter R. Gillett Associate

26:010:557 / 26:620:557 Social Science Research Methods Dr. Peter R. Gillett Associate Professor Department of Accounting & Information Systems Rutgers Business School Newark & New Brunswick Dr. Peter R Gillett October 28, 2004

368 views • 22 slides
Brief Summary of European Neutrino Town Meeting CERN, Oct. 22-24 Peter Shanahan, Alan Bross SAC

Brief Summary of European Neutrino Town Meeting CERN, Oct. 22-24 Peter Shanahan, Alan Bross SAC

Brief Summary of European Neutrino Town Meeting CERN, Oct. 22-24 Peter Shanahan, Alan Bross SAC Meeting 29 Oct 2018 European Neutrino Town meeting and ESPP 2019 Discussion The European Strategy for Particle Physics is owned by the

305 views • 5 slides
Collapsing Ricci-flat metrics on K3 surfaces Jeff Viaclovsky University of California, Irvine

Collapsing Ricci-flat metrics on K3 surfaces Jeff Viaclovsky University of California, Irvine

Surfaces Moduli K3 surfaces Algebraic geometry Details Collapsing Ricci-flat metrics on K3 surfaces Jeff Viaclovsky University of California, Irvine June 27, 2018 Tokyo Institute of Technology Jeff Viaclovsky Collapsing Ricci-flat metrics

710 views • 50 slides
Round table presentation Takaaki Kajita ICRR, Univ of Tokyo Activities in Japan related to APPEC

Round table presentation Takaaki Kajita ICRR, Univ of Tokyo Activities in Japan related to APPEC

Round table presentation Takaaki Kajita ICRR, Univ of Tokyo Activities in Japan related to APPEC Super-Kamiokande has been contributing to neutrino oscillation physics for 20 years. Super-K is going to modify the detector (loading Gd) so

620 views • 5 slides
NTCIR Evaluation Activities: Recent Advances on RITE (Recognizing Inference in Text) Min-Yuh

NTCIR Evaluation Activities: Recent Advances on RITE (Recognizing Inference in Text) Min-Yuh

Workshop on Emerging Trends in Interactive Information Retrieval & Evaluations NTCIR Evaluation Activities: Recent Advances on RITE (Recognizing Inference in Text) Min-Yuh Day, Ph.D. Assistant Professor Department of Information

932 views • 62 slides

More recommend