Static Verification of Cloud Applications with Why3

Nowadays large-scale distributed applications rely on replication in order to improve their services. Having data replicated in multiple datacenters increases availability, but it might lead to concurrent updates that violate data integrity. A possible approach to solve this issue is to use strong consistency in the application because this way there is a total order of operations in every replica. However, that would make the application abdicate of its availability. An alternative would be to use weak consistency to make the application more available, but that could break data integrity. To resolve this issue many of these applications use a combination of weak and strong consistency models, such that synchronization is only introduced in the execution of operations that can break data integrity. To build applications that use multiple consistency models, developers have the difficult task of finding the right balance between two conflicting goals: minimizing synchronization while preserving data integrity. To achieve this balance developers have to reason about the concurrent effects of each operation, which is a non-trivial task when it comes to large and complex applications. In this document we propose an approach consisting of a static analysis tool that helps developers find a balance between strong and weak consistency in applications that operate over weakly consistent databases. The verification process is based on a recently defined proof rule that was proven to be sound. The proposed tool uses Why3 as an intermediate framework that communicates with external provers, to analyse the correctness of the application specification. Our contributions also include a predicate transformer and a library of verified data types that can be used to resolve commutativity issues in applications. The predicate transformer can be used to lighten the specification effort

Data consistency in transactional storage systems: a centralised approach.

We introduce an interleaving operational semantics for describing the client-observable behaviour of atomic transactions on distributed key-value stores. Our semantics builds on abstract states comprising centralised, global key-value stores and partial client views. We provide operational definitions of consistency models for our key-value stores which are shown to be equivalent to the well-known declarative definitions of consistency model for execution graphs. We explore two immediate applications of our semantics: specific protocols of geo-replicated databases (e.g. COPS) and partitioned databases (e.g. Clock-SI) can be shown to be correct for a specific consistency model by embedding them in our centralised semantics; programs can be directly shown to have invariant properties such as robustness results against a weak consistency model