5 research outputs found
Graph- versus Vector-Based Analysis of a Consensus Protocol
The Paxos distributed consensus algorithm is a challenging case-study for
standard, vector-based model checking techniques. Due to asynchronous
communication, exhaustive analysis may generate very large state spaces already
for small model instances. In this paper, we show the advantages of graph
transformation as an alternative modelling technique. We model Paxos in a rich
declarative transformation language, featuring (among other things) nested
quantifiers, and we validate our model using the GROOVE model checker, a
graph-based tool that exploits isomorphism as a natural way to prune the state
space via symmetry reductions. We compare the results with those obtained by
the standard model checker Spin on the basis of a vector-based encoding of the
algorithm.Comment: In Proceedings GRAPHITE 2014, arXiv:1407.767
Model Checking Paxos in Spin
We present a formal model of a distributed consensus algorithm in the
executable specification language Promela extended with a new type of guards,
called counting guards, needed to implement transitions that depend on majority
voting. Our formalization exploits abstractions that follow from reduction
theorems applied to the specific case-study. We apply the model checker Spin to
automatically validate finite instances of the model and to extract
preconditions on the size of quorums used in the election phases of the
protocol.Comment: In Proceedings GandALF 2014, arXiv:1408.556
Supporting Domain-Specific State Space Reductions through Local Partial-Order Reduction
Model checkers offer to automatically prove safety and liveness properties of complex concurrent software systems, but they are limited by state space explosion. Partial-Order Reduction (POR) is an effective technique to mitigate this burden. However, applying existing notions of POR requires to verify conditions based on execution paths of unbounded length, a difficult task in general. To enable a more intuitive and still flexible application of POR, we propose local POR (LPOR). LPOR is based on the existing notion of statically computed stubborn sets, but its locality allows to verify conditions in single states rather than over long paths. As a case study, we apply LPOR to message-passing systems. We implement it within the Java Pathfinder model checker using our general Java-based LPOR library. Our experiments show significant reductions achieved by LPOR for model checking representative message-passing protocols and, maybe surprisingly, that LPOR can outperform dynamic POR. © 2011 IEEE
On efficient models for model checking message-passing distributed protocols
The complexity of distributed algorithms, such as state machine replication, motivates the use of formal methods to assist correctness verification. The design of the formal model of an algorithm directly affects the efficiency of the analysis. Therefore, it is desirable that this model does not add "unnecessary" complexity to the analysis. In this paper, we consider a general message-passing (MP) model of distributed algorithms and compare different ways of modeling the message traffic. We prove that the different MP models are equivalent with respect to the common properties of distributed algorithms. Therefore, one can select the model which is best suited for the applied verification technique. We consider MP models which differ regarding whether (1) the event of message delivery can be interleaved with other events and (2) a computation event must consume all messages that have been delivered after the last computation event of the same process. For generalized MP distributed protocols and especially focusing on fault-tolerance, we show that our proposed model (without interleaved delivery events and with relaxed semantics of computation events) is significantly more efficient for explicit state model checking. For example, the model size of the Paxos algorithm is 1/13 th that of existing equivalent MP models. © 2010 Springer-Verlag