Verifying Safety of Fault-Tolerant Distributed Components R. - - PowerPoint PPT Presentation

verifying safety of fault tolerant distributed components
SMART_READER_LITE
LIVE PREVIEW

Verifying Safety of Fault-Tolerant Distributed Components R. - - PowerPoint PPT Presentation

Feb 09, 2024 466 likes •755 views

Verifying Safety of Fault-Tolerant Distributed Components R. Ameur-Boulifa (1) , R. Halalai (2) , L. Henrio (2) , E. Madelaine (2) (1) Telecom-ParisTech Sophia-Antipolis (2) Oasis team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis

slide-1
SLIDE 1
  • Sept. 2011 - 1
  • R. Ameur-Boulifa(1), R. Halalai(2), L. Henrio(2), E. Madelaine(2)

(1) Telecom-ParisTech

Sophia-Antipolis

(2) Oasis team

INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis

Verifying Safety of Fault-Tolerant Distributed Components

slide-2
SLIDE 2
  • Sept. 2011 - 2

Motivations

Programming asynchronous (component-based) applications is difficult, we must provide tools for analysing / debugging complex behaviours. We want to provide a full behavioural semantics for Fractal/GCM components, including their advanced features: asynchronous request queues and future proxies, multicast interfaces.

“Compositional Model-checking can scale very far” How far ?

slide-3
SLIDE 3
  • Sept. 2011 - 3
  • Byzantine hypothesis:

– “bad” guys can have any possible behaviour, – everybody can turn bad, but only up to a fixed % of the processes.

Byzantine Fault Tolerant Systems

slide-4
SLIDE 4
  • Sept. 2011 - 4
  • Correction of BFT is difficult to prove [see bibs in the paper]

… but is important in the context of large distributed infrastructures (e.g. P2P networks).

  • high complexity because of the behaviour of faulty

processes, and asynchronous group communication.

  • several advanced features of the GCM component model.

Byzantine Fault Tolerant Systems

slide-5
SLIDE 5
  • Sept. 2011 - 5
  • Scaling up: are finite-state models able to tame complex, hierarchical,

distributed systems ? – Compositionnality: hierarchical semantic model for hierarchical components – Bisimulations; context dependent minimization

  • Combining reduction techniques:

– Data abstraction + compositionality + distributed MC

Challenges

slide-6
SLIDE 6
  • Sept. 2011 - 6
  • Use-case
  • Formalisms and Semantics
  • Use-case: state-space generation and model-checking
  • Conclusion and Perspectives

Agenda

slide-7
SLIDE 7
  • Sept. 2011 - 7

Use-case modeling in GCM

  • 1 composite component

with 2 external services Read/Write.

  • The service requests are

delegated to the Master. Fig 3 from paper Note: 3f+1 slaves

  • 1 multicast interface sending write/read/commit requests to all slaves.
  • the salves reply asynchronously, the master only needs 2f+1 coherent

answers to terminate

slide-8
SLIDE 8
  • Sept. 2011 - 8
  • 1. The master is reliable: this simplifies the 3-phases commit protocol,

and avoid the consensus research phase. 2. The underlying middleware ensures safe communications: faulty components only respond to their own requests, and communication

  • rder is preserved.

3. To tolerate f faults we use 3f+1 slaves, and require 2f+1 agreeing answers, as in the usual BFT algorithms.

Simplification hypothesis

slide-9
SLIDE 9
  • Sept. 2011 - 9

Properties

Reachability(*): 1- The Read service can terminate

∀ ∀ ∀ ∀ fid:nat among {0...2}. ∃ ∃ ∃ ∃ b:bool. <true* . {!R_Read !fid !b}> true

2- Is the BFT hypothesis respected bu the model ?

< true* . 'Error (NotBFT)'> true

Termination: After receiving a Q_Write(f,x) request, it is (fairly) inevitable that the Write services terminates with a R_Write(f) answer, or an Error is raised. Functional correctness: After receiving a ?Q_Write(f1,x), and before the next ?Q_Write, a ?Q_Read requests raises a !R_Read(y) response, with y=x

(*) Model Checking Language (MCL), Mateescu et al, FM’08

slide-10
SLIDE 10
  • Sept. 2011 - 10
  • Use-case
  • Formalisms and Semantics
  • State-space generation and model-checking
  • Conclusion and Perspectives

Agenda

slide-11
SLIDE 11
  • Sept. 2011 - 11

[Annals of Telecoms 2008]

  • LTS with explicit data handling (value-passing) with 1st order types
  • Parallelism and hierarchy using extended synchronization vectors,

with parameterized topology.

Compromise:

  • Flexible: accommodate a wide choice of communication /

synchronization mechanisms

  • Opened to convenient “abstractions” towards specific classes of

decidable models (finite, regular, etc.)

Semantic Formalism : the pNet model

slide-12
SLIDE 12
  • Sept. 2011 - 12

Full picture

slide-13
SLIDE 13
  • Sept. 2011 - 13

Eric MADELAINE 13

Building pNets (1) : parameterized LTSs

Labelled transition systems, with:

  • Value passing
  • Local variables
  • Guards….
slide-14
SLIDE 14
  • Sept. 2011 - 14

Building pNets (2) : generalized parallel operator

BFT-Net : < Master, Slave_1,…,Slave_n > k ∈ ∈ ∈ ∈ [1:n] with synchronisation vectors : <?Write(x), - , …, - > => ?Write(x) <!Q_Write(f,x), ?Q_Write(f,x) , …, ?Q_Write(f,x) > => Q_Write(f,x) ∀ ∀ ∀ ∀k <?R_Write(f,k), - , …, !R_Write(f), …, - > => R_Write(f,k)

Master Slave[k]

R_Write() Q_Write(f,x) Q_Commit(f) Q_Read() Write(x) Read()

BFT-Net

R_Commit() R_Read()

slide-15
SLIDE 15
  • Sept. 2011 - 15

Building pNet models (3)

Proxies for Asynchronous group requests

manage the return of results, with flexible policies:

  • Vector of results
  • First N results
  • Individual results

Group Proxy [c] BC Q_m(d) CO R_m(v)

i ∈ ∈ ∈ ∈ D D D D i ∈ ∈ ∈ ∈ D D D D

Body !Q_m(d) ?get_m(x)

[c]

!get_m(x) ?R_m(x) ?Q_m(d) !get_m(i,x) !waitN_m(n,x)

Broadcast Collate

slide-16
SLIDE 16
  • Sept. 2011 - 16
  • Challenges
  • Formalisms and Semantics
  • Use-case: state-space generation and model-checking
  • Conclusion and Perspectives

Agenda

slide-17
SLIDE 17
  • Sept. 2011 - 17

Tool Architecture

Goal: fully automatic chain Current state of the platform: production of the CADP input formats only partially (~50%) available.

slide-18
SLIDE 18
  • Sept. 2011 - 18

Generation of state-space

Taming state-space explosion: Data abstraction (through abstract interpretation): integers => small intervals arrays ??? => open question. Partitioning and minimizing by bisimulation + context specification Distributed verification. Only partially available (state-space generation, but no M.C.). 3 Tbytes of RAM ?

slide-19
SLIDE 19
  • Sept. 2011 - 19

Build product

Flac + Distributor + Minimize Master.exp MQueue.bcg

Master Queue

MQueue.fcr MQueue.bcg

Master Body

MBody.fcr

WriteProxy.bcg

Write Proxy

WriteProxy.fcr

(Hide/Rename) Minimize

Master.exp

State-space generation workflow

slide-20
SLIDE 20
  • Sept. 2011 - 20

29 Sept. 2011 - 20

Master

Write Write Proxy Commit Proxy

Model generation workflow

Eric MADELAINE

Body Queue PM ACF

W SubSys Read Read Proxy R SubSys

237 33 788 15 139 20 3 728 28 542 131 171 71 5 866 073 # cores # states (minimized) 5 5 5 5 5 5 2 2 5 1 1 1 Good Slave Bad Slave Good Slave Good Slave Good Slave Bad Slave Client BFT 5936 2420 16 34 677 5 10 1 2 Altogether: ~60 cores, 300 GB RAM 1 hour clock time

slide-21
SLIDE 21
  • Sept. 2011 - 21

Distributed State generation

Abstract model: f=1, (=> 4 slaves), |data|= 2, |proxies|=3*3, |client requests|=3 Master queue size = 2 ~100 cores, max 300 GB RAM System parts sizes (states/transitions):

237/3189 Queue 59’ 34K/164K 5936/61K 5M/103M 524/3107 Time Global Good Slave Master Largest intermediate

Estimated brute force state spaces :

~ 1032 6.103 1018

slide-22
SLIDE 22
  • Sept. 2011 - 22

Conclusions

Contributions: Semantics of GCM components with multicast interfaces. Scaling-up : gained 2 orders of magnitude by a combination of:

  • data abstraction,
  • compositional and contextual minimization,
  • distributed state-space generation.

Verification of the correctness of a simple BFT application.

pNets: 2004-2008 CoCoME: hier. & synch. FACS’08: 1st class futures WCSI’10: group communication This paper: GCM & multicast interfaces More to come ? Reconfiguration...

slide-23
SLIDE 23
  • Sept. 2011 - 23

Ongoing and Future Work

1. Tooling 2. Verifying dynamic distributed systems (GCM + Reconfiguration): – handle Life-cycle and Binding Controllers, – encode sub-component updates, – several orders of magnitude bigger. 3. Support for distributed MC: – scripting languages, – partitioning strategies

slide-24
SLIDE 24
  • Sept. 2011 - 24

Open Questions

1. More on data abstraction: – symmetry in useful data structures (intervals, arrays, …), 2. Context constraints: – ad-hoc correctness proofs (e.g. through proof obligations), – links with assume-guaranty approaches, with behavioural typing. 3. Tooling: – Assisted definition of (valid) abstractions. – Assisted definition of MC partitioning and strategies.

slide-25
SLIDE 25
  • Sept. 2011 - 25

Thank you

谢谢 谢谢 谢谢 谢谢

Takk MulŃumesc mult

Papers, Use-cases, and Tools at :

http://www-sop.inria.fr/oasis/Vercors

Partially Funded by ANR Blanc with Tsinghua Un. Bejing.

slide-26
SLIDE 26
  • Sept. 2011 - 26

Active Objects (very short…)

  • Runnable (mono-threaded) objects
  • Communicating by remote method call
  • Asynchronous computation
  • Request queues (user-definable policy)
  • No shared memory
  • Futures

Client obj. A Server obj. B

slide-27
SLIDE 27
  • Sept. 2011 - 27

Fractal hierarchical model :

Attribute Controller Binding Controller Lifecycle Controller Content Controller

Content Controller / membrane

composites encapsulate primitives, which encapsulates code

  • Provided/Required

Interfaces

  • Hierarchy
  • Separation of

concern: functional / non-functional

  • ADL
  • Extensible