A short counterexample property for safety and liveness verification of fault-tolerant distributed algorithms

Konnov, Igor; Lazić, Marijana; Veith, Helmut; Widder, Josef

doi:10.1145/3009837.3009860

Cited by 41 publications

(62 citation statements)

References 77 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…More importantly, our framework opens the door for applying more advanced techniques such as abstraction [Ball et al 2001;Clarke et al 2003] and reduction [Cohen and Lamport 1998;Lipton 1975]. Reductions were shown to be efficient for special classes of fault-tolerant distributed algorithms by [Damian et al 2019;Konnov et al 2017b;von Gleissenthall et al 2019]. We are going to explore similar techniques, in order to check complex TLA + specifications of Raft by [Ongaro 2014], Disk Paxos [Gafni and Lamport 2003], and Egalitarian Paxos by [Moraru et al 2013].…”

Section: Discussionmentioning

confidence: 99%

“…Several techniques and tools for parameterized verification of fault-tolerant distributed algorithms were introduced by [Drăgoi et al 2014;Drăgoi et al 2016], [Farzan et al 2016], [von Gleissenthall et al 2016], [Konnov et al 2017b], and [Maric et al 2017]. The efficiency of these techniques comes from the restriction to special domains, whereas our approach applies to virtually any TLA + specification over finite structures.…”

Section: Model Checkers For Specialized Languagesmentioning

confidence: 99%

See 1 more Smart Citation

TLA+ model checking made symbolic

Konnov

Kukovec²,

Tran³

2019

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

TLA + is a language for formal specification of all kinds of computer systems. System designers use this language to specify concurrent, distributed, and fault-tolerant protocols, which are traditionally presented in pseudo-code. TLA + is extremely concise yet expressive: The language primitives include Booleans, integers, functions, tuples, records, sequences, and sets thereof, which can be also nested. This is probably why the only model checker for TLA + (called TLC) relies on explicit enumeration of values and states. In this paper, we present APALACHE Ð a first symbolic model checker for TLA +. Like TLC, it assumes that all specification parameters are fixed and all states are finite structures. Unlike TLC, APALACHE translates the underlying transition relation into quantifier-free SMT constraints, which allows us to exploit the power of SMT solvers. Designing this translation is the central challenge that we address in this paper. Our experiments show that APALACHE outperforms TLC on examples with large state spaces. CCS Concepts: • Theory of computation → Logic and verification; • Software and its engineering → Model checking; Specification languages.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Model Checkers For Specialized Languagesmentioning

confidence: 99%

TLA+ model checking made symbolic

Konnov

Kukovec²,

Tran³

2019

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

show abstract

“…There are several other frameworks for the verification of asynchronous distributed algorithms, e.g., Verdi [45], IronFleet [22], ByMC [25], Ivy [37], and Disel [40]. Very interesting distributed algorithms have been verified in these frameworks.…”

Section: Related Workmentioning

confidence: 99%

Communication-Closed Asynchronous Protocols

Damian

Drăgoi

Militaru

et al. 2019

Computer Aided Verification

Self Cite

View full text Add to dashboard Cite

Fault-tolerant distributed systems are implemented over asynchronous networks, so that they use algorithms for asynchronous models with faults. Due to asynchronous communication and the occurrence of faults (e.g., process crashes or the network dropping messages) the implementations are hard to understand and analyze. In contrast, synchronous computation models simplify design and reasoning. In this paper, we bridge the gap between these two worlds. For a class of asynchronous protocols, we introduce a procedure that, given an asynchronous protocol, soundly computes its round-based synchronous counterpart. This class is defined by properties of the sequential code. We computed the synchronous counterpart of known consensus and leader election protocols, such as, Paxos, and Chandra and Toueg's consensus. Using Verifast we checked the sequential properties required by the rewriting. We verified the round-based synchronous counter-part of Multi-Paxos, and other algorithms, using existing deductive verification methods for synchronous protocols.

show abstract

“…To name a few, CBMC [15] and CPAChecker [3] implement bounded model checking [4] and CEGAR [9]. Domain-specific tools ByMC and Cubicle prove properties of parameterized distributed algorithms with SMT [10,14].…”

Section: Introductionmentioning

confidence: 99%

Extracting symbolic transitions from TLA+ specifications

Kukovec

Tran

Konnov

2020

Science of Computer Programming

Self Cite

View full text Add to dashboard Cite

In TLA + , a system specification is written as a logical formula that restricts the system behavior. As a logic, TLA + does not have assignments and other imperative statements that are used by model checkers to compute the successor states of a system state. Model checkers compute successors either explicitly-by evaluating program statementsor symbolically-by translating program statements to an SMT formula and checking its satisfiability. To efficiently enumerate the successors, TLA's model checker TLC introduces side effects. For instance, an equality x = e is interpreted as an assignment of e to the yet unbound variable x. Inspired by TLC, we introduce an automatic technique for discovering expressions in TLA + formulas such as x = e and x ∈ {e1,. .. , e k } that can be provably used as assignments. In contrast to TLC, our technique does not explicitly evaluate expressions, but it reduces the problem of finding assignments to the satisfiability of an SMT formula. Hence, we give a way to slice a TLA + formula in symbolic transitions, which can be used as an input to a symbolic model checker. Our prototype implementation successfully extracts symbolic transitions from a few TLA + benchmarks.

show abstract

A short counterexample property for safety and liveness verification of fault-tolerant distributed algorithms

Cited by 41 publications

References 77 publications

TLA+ model checking made symbolic

TLA+ model checking made symbolic

Communication-Closed Asynchronous Protocols

Extracting symbolic transitions from TLA+ specifications

Contact Info

Product

Resources

About