Fault-Tolerant Resource Reasoning

Ntzik, Gian; Pinto, Pedro da Rocha; Gardner, Philippa

doi:10.1007/978-3-319-26529-2_10

Cited by 16 publications

(23 citation statements)

References 24 publications

(26 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are several existing systems that support reasoning about crashes and recovery, particularly in the context of file-system verification [7,8,11,26,28]. Most have no support for layered recovery, since they consider only a single recovery procedure at a time.…”

Section: Multiple Unreliable Disksmentioning

confidence: 99%

“…Ntzik et al [26] developed an extension to concurrent separation logic to support reasoning about crashes in concurrent systems. Similar to CHL's idempotence principle, this logic has a rule for verifying a recovery procedure which involves showing that the precondition for recovery is an invariant during recovery's execution.…”

Section: Related Workmentioning

confidence: 99%

“…The metatheory of Argosy is all accompanied by machinechecked proofs, unlike Yggdrasil, submachine refinement, and the logic of Ntzik et al [26].…”

Section: Related Workmentioning

confidence: 99%

“…No concurrent refinement framework has direct support for these special aspects of crashes and recovery. Indeed, these differences between crashes and standard concurrency are what required Ntzik et al [26] to develop the extension to concurrent separation logic described above. However, as mentioned, that logic is for reasoning about a single layer of recovery, rather than multiple layers.…”

Section: Related Workmentioning

confidence: 99%

See 3 more Smart Citations

Argosy: verifying layered storage systems with recovery refinement

Chajed

Tassarotti

Kaashoek

et al. 2019

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

Storage systems make persistence guarantees even if the system crashes at any time, which they achieve using recovery procedures that run after a crash. We present Argosy, a framework for machine-checked proofs of storage systems that supports layered recovery implementations with modular proofs. Reasoning about layered recovery procedures is especially challenging because the system can crash in the middle of a more abstract layer's recovery procedure and must start over with the lowest-level recovery procedure.This paper introduces recovery refinement, a set of conditions that ensure proper implementation of an interface with a recovery procedure. Argosy includes a proof that recovery refinements compose, using Kleene algebra for concise definitions and metatheory. We implemented Crash Hoare Logic, the program logic used by FSCQ [8], to prove recovery refinement, and demonstrated the whole system by verifying an example of layered recovery featuring a write-ahead log running on top of a disk replication system. The metatheory of the framework, the soundness of the program logic, and these examples are all verified in the Coq proof assistant.

show abstract

Section: Multiple Unreliable Disksmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

“…The metatheory of Argosy is all accompanied by machinechecked proofs, unlike Yggdrasil, submachine refinement, and the logic of Ntzik et al [26].…”

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Argosy: verifying layered storage systems with recovery refinement

Chajed

Tassarotti

Kaashoek

et al. 2019

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

show abstract

“…These kinds of bugs can be particularly frustrating because, even when it has been formally proved for a program P that P ⊧ ϕ, the proof is foiled by these external events that crash and restart the program. Some recent efforts [7,8,19,26] notwithstanding, this space remains largely unexplored: little backbone has been developed for understanding what it means for a program to correctly recover from a crash from a verification perspective.…”

Section: Introductionmentioning

confidence: 99%

Reducing crash recoverability to reachability

Koskinen

Yang

2016

SIGPLAN Not.

View full text Add to dashboard Cite

Software applications run on a variety of platforms (filesystems, virtual slices, mobile hardware, etc.) that do not provide 100% uptime. As such, these applications may crash at any unfortunate moment losing volatile data and, when re-launched, they must be able to correctly recover from potentially inconsistent states left on persistent storage. From a verification perspective, crash recovery bugs can be particularly frustrating because, even when it has been formally proved for a program that it satisfies a property, the proof is foiled by these external events that crash and restart the program.In this paper we first provide a hierarchical formal model of what it means for a program to be crash recoverable. Our model captures the recoverability of many real world programs, including those in our evaluation which use sophisticated recovery algorithms such as shadow paging and write-ahead logging. Next, we introduce a novel technique capable of automatically proving that a program correctly recovers from a crash via a reduction to reachability. Our technique takes an input control-flow automaton and transforms it into an encoding that blends the capture of snapshots of pre-crash states into a symbolic search for a proof that recovery terminates and every recovered execution simulates some crashfree execution. Our encoding is designed to enable one to apply existing abstraction techniques in order to do the work that is necessary to prove recoverability.We have implemented our technique in a tool called ELEVEN82, capable of analyzing C programs to detect recoverability bugs or prove their absence. We have applied our tool to benchmark examples drawn from industrial file systems and databases, including GDBM, LevelDB, LMDB, PostgreSQL, SQLite, VMware and ZooKeeper. Within minutes, our tool is able to discover bugs or prove that these fragments are crash recoverable.

show abstract

View-Based Owicki–Gries Reasoning for Persistent x86-TSO

Bila

Dongol

Lahav

et al. 2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The rise of persistent memory is disrupting computing to its core. Our work aims to help programmers navigate this brave new world by providing a program logic for reasoning about x86 code that uses low-level operations such as memory accesses and fences, as well as persistency primitives such as flushes. Our logic, Pierogi, benefits from a simple underlying operational semantics based on views, is able to handle optimised flush operations, and is mechanised in the Isabelle/HOL proof assistant. We detail the proof rules of Pierogi and prove them sound. We also show how Pierogi can be used to reason about a range of challenging single- and multi-threaded persistent programs.

show abstract

Fault-Tolerant Resource Reasoning

Cited by 16 publications

References 24 publications

Argosy: verifying layered storage systems with recovery refinement

Argosy: verifying layered storage systems with recovery refinement

Reducing crash recoverability to reachability

View-Based Owicki–Gries Reasoning for Persistent x86-TSO

Contact Info

Product

Resources

About