What You Always Wanted to Know About Model Checking of Fault-Tolerant Distributed Algorithms

Konnov, Igor; Veith, Helmut; Widder, Josef

doi:10.1007/978-3-319-41579-6_2

Cited by 13 publications

(23 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Papers [25][26][27] represent a very interesting and effective research line (summarized in [27]), where cardinality constraints are not directly handled but abstracted away using counters. In this sense, this research line looks similar to the methodology we applied in this paper (and in contrast to the alternative methodology we adopted in our previous paper [4]); however abstraction in [27] and in related papers is not obtained via logical formalizations and quantifier elimination, but via a special specification language ('parametric Promela') and/or via special devices, called 'threshold automata'. A comparison with the counter systems we obtain is not immediate and not always possible because the authors of [27] work on asynchronous (not round-based) versions of the algorithms and because their method suffers of some lack of expressiveness whenever local counters are unavoidable.…”

Section: Discussionmentioning

confidence: 99%

Counter Simulations via Higher Order Quantifier Elimination: a preliminary report

Ghilardi

Pagani

2017

Electron. Proc. Theor. Comput. Sci.

View full text Add to dashboard Cite

Quite often, verification tasks for distributed systems are accomplished via counter abstractions. Such abstractions can sometimes be justified via simulations and bisimulations. In this work, we supply logical foundations to this practice, by a specifically designed technique for second order quantifier elimination. Our method, once applied to specifications of verification problems for parameterized distributed systems, produces integer variables systems that are ready to be model-checked by current SMT-based tools. We demonstrate the feasibility of the approach with a prototype implementation and first experiments. * The first authar was supported by the INdAM's GNSAGA group. System Specifications in Higher Order LogicThe behavior of a computer system can be modeled through a transition system, which is a tuple T = (W,W 0 , R, AP,V ) such that (i) W is the set of possible configurations, (ii) W 0 ⊆ W is the set of initial configurations, (iii) AP is a set of 'atomic propositions', (iv) V : W −→ AP is a function labeling each state with the set of propositions 'true in it', (v) R ⊆ W ×W is the transition relation: w 1 Rw 2 describes how the system can 'evolve in one step'.

show abstract

Section: Discussionmentioning

confidence: 99%

Counter Simulations via Higher Order Quantifier Elimination: a preliminary report

Ghilardi

Pagani

2017

Electron. Proc. Theor. Comput. Sci.

View full text Add to dashboard Cite

show abstract

“…More details can be found in [40]. Having constructed a threshold automaton, we compare two verification approaches:…”

Section: Methodsmentioning

confidence: 99%

“…If a counterexample is found, check its feasibility and refine, if needed [13,33]. Figure 1 gives on top a diagram [40] that shows the technique based on counter abstraction. While this allowed us to automatically verify several FTDAs not verified before, there remained two bottlenecks for scalability to larger and more complex protocols: First, counter abstraction can lead to spurious counterexamples.…”

Section: Figmentioning

confidence: 99%

See 1 more Smart Citation

Para $$^2$$ 2 : parameterized path reduction, acceleration, and SMT for reachability in threshold-guarded distributed algorithms

Konnov

Lazić

Veith

et al. 2017

Form Methods Syst Des

Self Cite

View full text Add to dashboard Cite

Automatic verification of threshold-based fault-tolerant distributed algorithms (FTDA) is challenging: FTDAs have multiple parameters that are restricted by arithmetic conditions, the number of processes and faults is parameterized, and the algorithm code is parameterized due to conditions counting the number of received messages. Recently, we introduced a technique that first applies data and counter abstraction and then runs bounded model checking (BMC). Given an FTDA, our technique computes an upper bound on the diameter of the system. This makes BMC complete for reachability properties: it always finds a counterexample, if there is an actual error. To verify state-of-the-art FTDAs, further improvement is needed. In contrast to encoding bounded executions of a counter system over an abstract finite domain in SAT, in this paper, we encode bounded executions over integer counters in SMT. In addition, we introduce a new form of reduction that exploits acceleration and the structure of the FTDAs. This aggressively prunes the execution space to be explored by the solver. In this way, we verified safety of seven FTDAs that were out of reach before.

show abstract

“…A step by a process that goes from local state ℓ to local state ℓ ′ is modeled by decrementing the counter associated with ℓ and incrementing the counter associated with ℓ ′ . When the number p of processes is fixed, each counter is bounded by p." The work described in [KVW15] makes use of SMT solvers [DMB11] in order to perform finite-state model checking of the abstracted model.…”

Section: Related Workmentioning

confidence: 99%

Verification of an Industrial Asynchronous Leader Election Algorithm Using Abstractions and Parametric Model Checking

André

Fribourg

Mota

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The election of a leader in a network is a challenging task, especially when the processes are asynchronous, i. e., execute an algorithm with time-varying periods. Thales developed an industrial election algorithm with an arbitrary number of processes, that can possibly fail. In this work, we prove the correctness of a variant of this industrial algorithm. We use a method combining abstraction, the SafeProver solver, and a parametric timed model-checker. This allows us to prove the correctness of the algorithm for a large number p of processes (p = 5000).Our main contribution is to perform a formal verification of the algorithm correctness for a large number of nodes. By correctness, we mean the actual election of the leader after a fixed number of rounds.We consider here a special form of the general leader election problem [Lyn96]: we assume that, in the network, all the processes (or nodes) have a specific ID number, and they execute the same code (symmetry) in order to agree which ID number is the highest one. In the synchronous context where all processes communicate simultaneously, the problem is often solved using the "Bully algorithm" [GM82]. In the asynchronous context where each process communicates with a specific period possibly subject to delay variation (jitter), the problem is much more difficult. Periods can be all slightly different from each other, which makes the problem particularly complex. For example, a classical distributed leader election protocol, where the nodes exchange data using broadcasting, was designed by Leslie Lamport [Lam98] in the asynchronous context. The correctness of this algorithm was proved mechanically many times using, e. g., TLA + tool [Lam02], or, more recently, using the timed model checking tool Uppaal [BDL04]. However, these automated proofs work only for a small number p of processes, typically for p ≤ 10. In this paper, we present a technique to prove the correctness of such a distributed leader election using automated tools for a large number of nodes (e. g., p = 5000). The principle of the method relies on the abstraction method consisting in viewing the network from the point of view of a specific (but arbitrary) node, say node i , and considering the rest of the nodes of the network as an abstract environment interacting with node i . In this abstract model, two basic properties of the algorithm can be proven. However, in order to prove the full correctness of the leader election algorithm, we will need an auxiliary model, where some timing information is added to (a raw form of) the abstract model. Using this auxiliary timed model, we are able to prove an additional property of the leader election algorithm. Thanks to the three aforementioned properties added as assumptions, we can then prove the full correctness of the leader election algorithm, using the bounded model checker SafeProver [ÉJ17] on the abstract model.The leader election algorithm we use is not Lamport's algorithm, but a simple asynchronous form of the Bully algorithm. We consider a specifi...

show abstract

What You Always Wanted to Know About Model Checking of Fault-Tolerant Distributed Algorithms

Cited by 13 publications

References 32 publications

Counter Simulations via Higher Order Quantifier Elimination: a preliminary report

Counter Simulations via Higher Order Quantifier Elimination: a preliminary report

Para $$^2$$ 2 : parameterized path reduction, acceleration, and SMT for reachability in threshold-guarded distributed algorithms

Verification of an Industrial Asynchronous Leader Election Algorithm Using Abstractions and Parametric Model Checking

Contact Info

Product

Resources

About