Modularity for decidability of deductive verification with applications to distributed systems

Taube, Marcelo; Losa, Giuliano; McMillan, Kenneth L.; Padon, Oded; Sagiv, Mooly; Shoham, Sharon; Wilcox, J. R.; Woos, Doug

doi:10.1145/3192366.3192414

Cited by 41 publications

(27 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We have used Goolong to develop four challenging case studies: the classic two-phase commit protocol, the Raft leader election protocol, single-decree Paxos protocol and a Multi-Paxos based distributed key-value store that employs our protocol rounds. In our tests, the key-value store outperformed other verified stores [Drăgoi et al 2016;Taube et al 2018a] while staying within 3x of an unverified state-of-the-art implementation [Moraru et al 2013]. Goolong Library To be able to extract IceT programs from programs written in Go, we wrote a library that exposes IceT language primitives (e.g., sequential iteration, symmetric processes, send and recvTO etc) in Go.…”

Section: Discussionmentioning

confidence: 93%

“…For this, we run it on three separate Amazon EC2 t2.micro instances in the same availability zone using a client executing a series of PUT or GET queries. Table Table 2 show the throughput compared to Psync [Drăgoi et al 2016], Ivy [Taube et al 2018b], and IronFleet [Hawblitzel et al 2015a]. While we were able to run Psync, we were unable to run Ivy and IronKV and instead we provide their published results as a (albeit not directly comparable) reference.…”

Section: Q3: Verification Timementioning

confidence: 99%

“…Disel [Sergey et al 2018;Wilcox et al 2017] aims to enable the user to compose protocols in an effort to modularize proofs of correctness. Similarly, [Taube et al 2018a] aims to modularize verification of distributed algorithms by splitting verification conditions into subsets each of which uses a decidable fragment of first-order logic, were different subsets may use different fragments. [Padon et al 2017] presents a method of (manually) transforming general, first-order verification conditions into effectively propositional logic, and applies it to verifying several Paxos variants.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Pretend synchrony: synchronous verification of asynchronous distributed programs

Gleissenthall

Kıcı

Bakst

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

We present pretend synchrony, a new approach to verifying distributed systems, based on the observation that while distributed programs must execute asynchronously, we can often soundly treat them as if they were synchronous when verifying their correctness. To do so, we compute a synchronization, a semantically equivalent program where all sends, receives, and message buffers, have been replaced by simple assignments, yielding a program that can be verified using Floyd-Hoare style Verification Conditions and SMT. We implement our approach as a framework for writing verified distributed programs in Go and evaluate it with four challenging case studiesÐ the classic two-phase commit, the Raft leader election protocol, single-decree Paxos protocol, and a Multi-Paxos based distributed key-value store. We find that pretend synchrony allows us to develop performant systems while making verification of functional correctness simpler by reducing manually specified invariants by a factor of 6, and faster, by reducing checking time by three orders of magnitude. CCS Concepts: • Theory of computation → Program verification; Program analysis; Distributed computing models; Concurrency; • Software and its engineering → Software notations and tools.

show abstract

Section: Discussionmentioning

confidence: 93%

Section: Q3: Verification Timementioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Pretend synchrony: synchronous verification of asynchronous distributed programs

Gleissenthall

Kıcı

Bakst

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…Outside the realm of process calculi, various works tackle the problem of protocol-aware verification, e.g., [40,71,74]. We share similar goals, although we adopt a different theory and design, leading to different tradeoffs: crucially, the works above develop new languages, or build upon a powerful dependently-typed host language (Coq) with interactive proofs, to support rich representations of protocol state.…”

Section: Conclusion and Related Workmentioning

confidence: 99%

Verifying message-passing programs with dependent behavioural types

Scalas

Yoshida

Benussi

2019

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

Concurrent and distributed programming is notoriously hard. Modern languages and toolkits ease this difficulty by offering message-passing abstractions, such as actors (e.g., Erlang, Akka, Orleans) or processes (e.g., Go): they allow for simpler reasoning w.r.t. shared-memory concurrency, but do not ensure that a program implements a given specification.To address this challenge, it would be desirable to specify and verify the intended behaviour of message-passing applications using types, and ensure that, if a program type-checks and compiles, then it will run and communicate as desired.We develop this idea in theory and practice. We formalise a concurrent functional language λ π ⩽ , with a new blend of behavioural types (from π -calculus theory), and dependent function types (from the Dotty programming language, a.k.a. the future Scala 3). Our theory yields four main payoffs: (1) it verifies safety and liveness properties of programs via typelevel model checking; (2) unlike previous work, it accurately verifies channel-passing (covering a typical pattern of actor programs) and higher-order interaction (i.e., sending/receiving mobile code); (3) it is directly embedded in Dotty, as a toolkit called Effpi, offering a simplified actor-based API; (4) it enables an efficient runtime system for Effpi, for highly concurrent programs with millions of processes/actors.

show abstract

“…Ivy [Padon et al 2016] initially supported debugging infinite-state systems using bounded verification, and verifying their safety by gradually building inductive invariants. Their decidable decomposition notion [Taube et al 2018] (i.e., systems, models and proofs must be built modularly to enable the use of different decidable logics) allowed Ivy to automatically verify the correctness of implementations of crash-fault tolerant systems such as Raft and Paxos (as opposed to models in [Padon et al 2017]). Ivy also supports liveness by reducing it to safety .…”

Section: Toolsmentioning

confidence: 99%

Asphalion: trustworthy shielding against Byzantine faults

Vukotic

Rahli

Esteves-Veríssimo

2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Byzantine fault-tolerant state-machine replication (BFT-SMR) is a technique for hardening systems to tolerate arbitrary faults. Although robust, BFT-SMR protocols are very costly in terms of the number of required replicas (3f + 1 to tolerate f faults) and of exchanged messages. However, with łhybridž architectures, where łnormalž components trust some łspecialž components to provide properties in a trustworthy manner, the cost of using BFT can be dramatically reduced. Unfortunately, even though such hybridization techniques decrease the message/time/space complexity of BFT protocols, they also increase their structural complexity. Therefore, we introduce Asphalion, the first theorem prover-based framework for verifying implementations of hybrid systems and protocols. It relies on three novel languages: (1) HyLoE: a Hybrid Logic of Events to reason about hybrid fault models; (2) MoC: a Monadic Component language to implement systems as collections of interacting hybrid components; and (3) LoCK: a sound Logic of events-based Calculus of Knowledge to reason about both homogeneous and hybrid systems at a high-level of abstraction (thereby allowing reusing proofs, and capturing the high-level logic of distributed systems). In addition, Asphalion supports compositional reasoning, e.g., through mechanisms to lift properties about trusted-trustworthy components, to the level of the distributed systems they are integrated in. As a case study, we have verified crucial safety properties (e.g., agreement) of several implementations of hybrid protocols. CCS Concepts: • Theory of computation → Logic and verification.

show abstract

Modularity for decidability of deductive verification with applications to distributed systems

Cited by 41 publications

References 29 publications

Pretend synchrony: synchronous verification of asynchronous distributed programs

Pretend synchrony: synchronous verification of asynchronous distributed programs

Verifying message-passing programs with dependent behavioural types

Asphalion: trustworthy shielding against Byzantine faults

Contact Info

Product

Resources

About