A Case Study on Parametric Verification of Failure Detectors

T. Tran, I. Konnov, Josef Widder
DOI: 10.46298/lmcs-19(1:17)2023 (https://doi.org/10.46298/lmcs-19(1:17)2023)
Journal: Log. Methods Comput. Sci.
Publication type: Journal Article
Publication date: 2021-12-16
Citations: 0

Abstract

Partial synchrony is a model of computation in many distributed algorithms and modern blockchains. These algorithms are typically parameterized in the number of participants, and their correctness requires the existence of bounds on message delays and on the relative speed of processes after reaching Global Stabilization Time. These characteristics make partially synchronous algorithms parameterized in the number of processes, and parametric in time bounds, which render automated verification of partially synchronous algorithms challenging. In this paper, we present a case study on formal verification of both safety and liveness of the Chandra and Toueg failure detector that is based on partial synchrony. To this end, we first introduce and formalize the class of symmetric point-to-point algorithms that contains the failure detector. Second, we show that these symmetric point-to-point algorithms have a cutoff, and the cutoff results hold in three models of computation: synchrony, asynchrony, and partial synchrony. As a result, one can verify them by model checking small instances, but the verification problem stays parametric in time. Next, we specify the failure detector and the partial synchrony assumptions in three frameworks: TLA+, IVy, and counter automata. Importantly, we tune our modeling to use the strength of each method: (1) We are using counters to encode message buffers with counter automata, (2) we are using first-order relations to encode message buffers in IVy, and (3) we are using both approaches in TLA+. By running the tools for TLA+ and counter automata, we demonstrate safety for fixed time bounds. By running IVy, we prove safety for arbitrary time bounds. Moreover, we show how to verify liveness of the failure detector by reducing the verification problem to safety verification. Thus, both properties are verified by developing inductive invariants with IVy.