Paxos Consensus, Deconstructed and Abstracted (Extended Version)
Lamport's Paxos algorithm is a classic consensus protocol for state machine
replication in environments that admit crash failures. Many versions of Paxos
exploit the protocol's intrinsic properties for the sake of gaining better
run-time performance, thus widening the gap between the original description of
the algorithm, which was proven correct, and its real-world implementations. In
this work, we address the challenge of specifying and verifying complex
Paxos-based systems by (a) devising composable specifications for
implementations of Paxos's single-decree version, and (b) engineering
disciplines to reason about protocol-aware, semantics-preserving optimisations
to single-decree Paxos. In a nutshell, our approach elaborates on the
deconstruction of single-decree Paxos by Boichat et al. We provide novel
non-deterministic specifications for each module in the deconstruction and
prove that the implementations refine the corresponding specifications, such
that the proofs of the modules that remain unchanged can be reused across
different implementations. We further reuse this result and show how to obtain
a verified implementation of Multi-Paxos from a verified implementation of
single-decree Paxos, by a series of novel protocol-aware transformations of the
network semantics, which we prove to be behaviour-preserving.
Comment: Accepted for publication in the 27th European Symposium on Programming (ESOP'18).
State Machine Replication Is More Expensive Than Consensus
Consensus and State Machine Replication (SMR) are generally considered to be equivalent problems. In certain system models, indeed, the two problems are computationally equivalent: any solution to the former problem leads to a solution to the latter, and vice versa.
In this paper, we study the relation between consensus and SMR from a complexity perspective. We find that, surprisingly, completing an SMR command can be more expensive than solving a consensus instance. Specifically, given a synchronous system model where every instance of consensus always terminates in constant time, completing an SMR command does not necessarily terminate in constant time. This result naturally extends to partially synchronous models. Besides theoretical interest, our result also corresponds to practical phenomena we identify empirically. We experiment with two well-known SMR implementations (Multi-Paxos and Raft) and show that, indeed, SMR is more expensive than consensus in practice. One important implication of our result is that, even under synchrony conditions, no SMR algorithm can ensure bounded response times.