A Sequentialization Procedure for Fault-Tolerant Protocols
We introduce a sequentialization procedure for fault-tolerant protocols that takes as input a Distal program and produces a sequentialized counterpart as output. The sequentialization procedure captures a representative subset of the behaviors of the input system and is easier to model check; for a broad class of protocols, it captures a representative for every behavior. Our notion of sequentialization-equivalence extends the well-studied notion of communication closure in distributed protocols, which relates asynchronous and synchronous executions. We implemented our sequentialization and applied it to verify several consensus protocols, including ZooKeeper Atomic Broadcast and Raft, using the P framework. We considered P models that include critical safety bugs present in implementations and known by the community. The P model checker found these bugs only when using the sequential model, not in the original asynchronous counterparts.
A Generic Framework for Reasoning about Dynamic Networks of Infinite-State Processes
We propose a framework for reasoning about unbounded dynamic networks of infinite-state processes. We propose Constrained Petri Nets (CPN) as generic models for these networks. They can be seen as Petri nets where tokens (representing occurrences of processes) are colored by values over some potentially infinite data domain such as integers, reals, etc. Furthermore, we define a logic, called CML (colored markings logic), for the description of CPN configurations. CML is a first-order logic over tokens that allows reasoning about their locations and their colors. Both CPNs and CML are parametrized by a color logic that expresses constraints on the colors (data) associated with tokens. We investigate the decidability of the satisfiability problem of CML and its applications in the verification of CPNs. We identify a fragment of CML for which the satisfiability problem is decidable (whenever it is decidable for the underlying color logic), and which is closed under the computation of post and pre images for CPNs. These results can be used for several kinds of analysis such as invariance checking, pre-post condition reasoning, and bounded reachability analysis.
Comment: 29 pages, 5 tables, 1 figure, extended version of the paper published in the Proceedings of TACAS 2007, LNCS 442
Paxos Consensus, Deconstructed and Abstracted (Extended Version)
Lamport's Paxos algorithm is a classic consensus protocol for state machine replication in environments that admit crash failures. Many versions of Paxos exploit the protocol's intrinsic properties for the sake of gaining better run-time performance, thus widening the gap between the original description of the algorithm, which was proven correct, and its real-world implementations. In this work, we address the challenge of specifying and verifying complex Paxos-based systems by (a) devising composable specifications for implementations of Paxos's single-decree version, and (b) engineering disciplines to reason about protocol-aware, semantics-preserving optimisations to single-decree Paxos. In a nutshell, our approach elaborates on the deconstruction of single-decree Paxos by Boichat et al. We provide novel non-deterministic specifications for each module in the deconstruction and prove that the implementations refine the corresponding specifications, such that the proofs of the modules that remain unchanged can be reused across different implementations. We further reuse this result and show how to obtain a verified implementation of Multi-Paxos from a verified implementation of single-decree Paxos, by a series of novel protocol-aware transformations of the network semantics, which we prove to be behaviour-preserving.
Comment: Accepted for publication in the 27th European Symposium on Programming (ESOP'18)
Accepting Networks of Evolutionary Processors with Filtered Connections
In this paper we simplify a recent model of computation considered in [Margenstern et al. 2005], namely accepting networks of evolutionary processors, by moving the filters from the nodes to the edges. Each edge is viewed as a two-way channel such that the input and output filters, respectively, of the two nodes connected by the edge coincide. Thus, the possibility of controlling the computation in such networks seems to be diminished. In spite of this observation, these simplified networks have the same computational power as accepting networks of evolutionary processors, that is, they are computationally complete. As a consequence, we propose characterizations of two complexity classes, namely NP and PSPACE, in terms of accepting networks of evolutionary processors with filtered connections.
Automated Verification of the Parallel Bellman–Ford Algorithm
Many real-world problems, such as internet routing, are graph problems. To develop efficient solutions to such problems, more and more parallel graph algorithms are proposed. This paper discusses the mechanized verification of a commonly used parallel graph algorithm, namely the Bellman–Ford algorithm, which provides an inherently parallel solution to the Single-Source Shortest Path problem. Concretely, we verify an unoptimized GPU version of the Bellman–Ford algorithm using the VerCors verifier. The main challenge that we had to address was to find suitable global invariants of the graph-based properties for automated verification. This case study is the first deductive verification to prove functional correctness of the parallel Bellman–Ford algorithm. It provides the basis to verify other, optimized implementations of the algorithm. Moreover, it may also provide a good starting point to verify other parallel graph-based algorithms.
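To make the kind of global invariant the abstract mentions concrete, here is an added illustration in Python; it is neither the paper's VerCors proof nor its GPU kernel. Each round relaxes every edge against the previous round's distance array only, the way one thread per edge with a min-write would, and after round i the code checks the textbook invariant that dist[v] is exactly the cheapest source-to-v walk using at most i edges (its lower half says every finite entry is realised by a walk; its upper half says no such walk is cheaper). The graph, the weights and the brute-force walk oracle are constructed for this example, and the invariant is assumed to be representative of what the paper proves, not copied from it.

```python
"""Round-based (one thread per edge, Jacobi-style) Bellman-Ford with the
per-round global invariant checked against a brute-force oracle.

Added example; not code from the paper or from VerCors. Graph and weights
are constructed for illustration.
"""

INF = float("inf")

# Constructed directed graph as (u, v, weight); node 0 is the source.
# Cycle 1 -> 3 -> 4 -> 1 has weight 5 + 3 - 2 = 6, so no negative cycle.
N = 5
EDGES = [(0, 1, 4), (0, 2, 2), (2, 1, -1), (1, 3, 5),
         (2, 3, 8), (3, 4, 3), (4, 1, -2)]


def relax_round(dist, edges):
    """One synchronous round: every edge is relaxed against the distances of
    the previous round and writes into a fresh array. Taking the minimum over
    all edges into v mirrors an atomic-min write by concurrent threads."""
    new = list(dist)
    changed = False
    for u, v, w in edges:
        if dist[u] != INF and dist[u] + w < new[v]:
            new[v] = dist[u] + w
            changed = True
    return new, changed


def min_walk_cost(n, edges, src, max_edges):
    """Oracle: cheapest src->v walk using at most max_edges edges, found by
    enumerating every walk explicitly. Exponential, so only usable on a
    toy graph; it exists purely to check the invariant below."""
    out = {}
    for u, v, w in edges:
        out.setdefault(u, []).append((v, w))
    best = [INF] * n

    def walk(node, cost, hops):
        if cost < best[node]:
            best[node] = cost
        if hops == max_edges:
            return
        for v, w in out.get(node, []):
            walk(v, cost + w, hops + 1)

    walk(src, 0, 0)
    return best


def bellman_ford(n, edges, src, check_invariants=True):
    """Runs up to n-1 synchronous rounds, then one probe round.
    Returns (dist, has_reachable_negative_cycle)."""
    dist = [INF] * n
    dist[src] = 0
    for i in range(1, n):
        dist, changed = relax_round(dist, edges)
        if check_invariants:
            # Global invariant after round i: dist[v] equals the cheapest
            # src->v walk of at most i edges. This is what bounds the number
            # of rounds at n-1 (simple paths have at most n-1 edges) and what
            # a deductive proof must carry through each round.
            assert dist == min_walk_cost(n, edges, src, i), (i, dist)
        if not changed:
            break
    # If a further round still improves something, a negative cycle is
    # reachable from src and the distances are not well defined.
    _, changed = relax_round(dist, edges)
    return dist, changed


if __name__ == "__main__":
    print(bellman_ford(N, EDGES, 0))
    print(bellman_ford(3, [(0, 1, 1), (1, 2, -3), (2, 1, 1)], 0))
```

The invariant is stated per round rather than only at the end because the parallel version needs a fact that survives every synchronous step; a proof that only talks about the final array has nothing to say about the intermediate states the GPU threads observe. The oracle is deliberately a different computation from the algorithm under test, so the check is not circular.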