Automated Fast-Track Reconfiguration of Group Communication Systems

Christoph Kreitz
Department of Computer Science, Cornell University, Ithaca, NY 14853

Thanks to Jason Hickey, Mark Hayden, Bob Constable, and Robbert VanRenesse for valuable contributions.
Introduction

Secure Group Communication Systems
Safety-critical Network Applications
Many Properties – Many Protocols
⇓
Modular Communication Toolkits — Protocol Layer Stacking

[Figure: SENDER and RECEIVER protocol stacks. Each stack is a column of LAYERs above a BOTTOM LAYER and the NET; events travel between layers through FIFO queues, and each layer adds its own header to the message.]

Automated Fast-Track Reconfiguration ... 1 Introduction
Why automated Fast-Track Reconfiguration?

• Performance Cost of Modularity
  – Redundant & extraneous code
  – Communication between modules
  – Message headers increase net load
• Individual configurations can be optimized
  – State assumptions about common events & states
  – Analyze path of common events
  – Rewrite code of protocol stack
  – Compress headers of common messages
  – Delay state updates . . .
  → Dramatic efficiency improvements possible
• Reconfiguration by hand error-prone
⇓
Formal Reconfiguration Tools Necessary
Simple Protocol Stack: Bottom || Mnak || Pt2pt
Trace path of downgoing Send events

Bottom (200 lines):

  let name = Trace.source_file "BOTTOM"
  type header = NoHdr | ... | ...
  type state = { mutable all_alive : bool ; ... }
  let init (ls,vs) = { ......... }
  let hdlrs s (ls,vs) { up_out=up;upnm_out=upnm;
                        dn_out=dn;dnlm_out=dnlm;dnnm_out=dnnm } =
    let up_hdlr ev abv hdr = match getType ev, hdr with
      | (ECast|ESend), NoHdr ->
          (* deliver unless the sender is known to have failed *)
          if s.all_alive or not (s.failed.(getPeer ev))
          then up ev abv
          else free name ev
      | ...
    and uplm_hdlr ev hdr = ...
    and upnm_hdlr ev = ...
    and dn_hdlr ev abv =
      if s.enabled then
        match getType ev with
        | ECast -> dn ev abv NoHdr
        | ESend -> dn ev abv NoHdr
        | ECastUnrel -> dn (set name ev [Type ECast]) abv Unrel
        | ESendUnrel -> dn (set name ev [Type ESend]) abv Unrel
        | EMergeRequest -> dn ev abv MergeRequest
        | EMergeGranted -> dn ev abv MergeGranted
        | EMergeDenied -> dn ev abv MergeDenied
        | _ -> failwith "bad down event[1]"
      else (free name ev)
    and dnnm_hdlr ev = ...
    in { up_in=up_hdlr;uplm_in=uplm_hdlr;upnm_in=upnm_hdlr;
         dn_in=dn_hdlr;dnnm_in=dnnm_hdlr }
  let l args vs = Layer.hdr init hdlrs args vs
  let _ = Layer.install name (Layer.init l)

Mnak (350 lines):

  let init ack_rate (ls,vs) = { ......... }
  let hdlrs s (ls,vs) { ......... } =
    let ...
    and dn_hdlr ev abv = match getType ev with
      | ECast ->
          (* buffer the broadcast for retransmission and stamp it with a sequence number *)
          let iov = getIov ev in
          let buf = Arraye.get s.buf ls.rank in
          let seqno = Iq.hi buf in
          assert (Iq.opt_insert_check buf seqno) ;
          Arraye.set s.buf ls.rank (Iq.opt_insert_doread buf seqno iov abv) ;
          s.acct_size <- s.acct_size + getIovLen ev ;
          dn ev abv (Data seqno)
      | _ -> dn ev abv NoHdr
    ...

Pt2pt (250 lines):

  let init (ls,vs) = { ......... }
  let hdlrs s (ls,vs) { ......... } =
    let ...
    and dn_hdlr ev abv = match getType ev with
      | ESend ->
          let dest = getPeer ev in
          if dest = ls.rank then (
            eprintf "PT2PT:%s\nPT2PT:%s\n"
              (Event.to_string ev) (View.string_of_full (ls,vs)) ;
            failwith "send to myself"
          ) ;
          (* buffer the point-to-point message per destination and number it *)
          let sends = Arraye.get s.sends dest in
          let seqno = Iq.hi sends in
          let iov = getIov ev in
          Arraye.set s.sends dest (Iq.add sends iov abv) ;
          dn ev abv (Data seqno)
      | _ -> dn ev abv NoHdr
    ...
Logical Programming Environment

Link Ensemble Group Communication Toolkit with NuPRL Proof/Program Development System

[Figure: "Logical Programming Environment". Programming Environment (OCaml): ENSEMBLE → SIMULATED ENSEMBLE → RECONFIGURED ENSEMBLE → FAST & SECURE ENSEMBLE. Deductive System (NuPRL / Type Theory): SPECIFICATION, IMPORT, VERIFY, PROOF, OPTIMIZE, TRANSFORM, PROOF of RECONFIGURATION, EXPORT.]
Logical Programming Environment: Existing Results

√ Type-theoretical semantics for Ocaml subset
√ NuPRL-terms displayed in Ocaml syntax
√ Automatic import/export of Ocaml-code into NuPRL
√ Ocaml libraries / Ensemble code available in NuPRL
√ Programming Logic for Ocaml
√ IOA-specification + Verification of Ensemble protocol layers
√ Symbolic evaluation rules for Ocaml (NuPRL tactics)
√ General evaluation strategies
⇓
Formal reasoning on level of programming language

[Figure: the "Logical Programming Environment" diagram of the previous slide, repeated beside each group of results.]
Architecture of Ensemble

[Figure: SENDER and RECEIVER protocol stacks, as on slide 1. Each stack is a column of LAYERs above a BOTTOM LAYER and the NET; events travel between layers through FIFO queues, and each layer adds its own header to the message.]
Layer Reconfiguration

Tactic-based Layer Reconfiguration

• Interactive reconfiguration
  – System provides formal abbreviation for reconfiguration goal
      RECONFIGURE LAYER l AND STATE s_l FOR EVENT event ASSUMING assumptions
  – ‘User’ states assumptions about common case
  – ‘User’ guides macro steps and decides when to stop
• Basic program transformation steps (Nuprl tactics)
  – Red: symbolic evaluation / function inlining (outermost or user-controlled), based on evaluation tactics for Ocaml
  – UseHyp: context-dependent simplification (equality reasoning)
  – RedLayerStructure: search-free evaluation of common layer structure, based on β-/η-reduction and logical lemmata (e.g. distributive laws)
Reconfiguration of the Bottom Layer

⊢ RECONFIGURE LAYER Bottom FOR EVENT UpM(ev, Full(NoHdr, hdr)) AND STATE s_bottom
  ASSUMING getType ev = ECast ∧ s_bottom.failed.(getPeer ev) = false

by RedLayerStructure

ASSUME 1. getType ev = ECast
       2. s_bottom.failed.(getPeer ev) = false
⊢ (match (getType ev, NoHdr) with
     ((ECast | ESend), NoHdr) -> ......
   | (ECast, Unrel) -> ......
   | (ESend, Unrel) -> ......
   | (_, MergeRequest) -> ......
   | (_, MergeGranted) -> ......
   | (_, MergeDenied) -> ......
   | _ -> ......
  ) (s_bottom, Fqueue.empty)

by UseHyp 1

⊢ (if s_bottom.all_alive or (not (s_bottom.failed.(getPeer ev)))
   then fun ((s, q)) -> (s, Fqueue.add UpM(ev, hdr) q)
   else free name ev
  ) (s_bottom, Fqueue.empty)

by UseHyp 2

⊢ (s_bottom, [:UpM(ev,hdr):])

by DONE
Reconfiguration Theorems for Individual Layers

Verify reconfigured code ≡ original code

• Formal abbreviation
    RECONFIGURE LAYER l AND STATE s_l FOR EVENT event ASSUMING assumptions
    YIELDS EVENTS [: out-events :] AND STATE s'_l
• Theorem created automatically
  – Reconfiguration provides proof goal
  – Proof mirrors reconfiguration steps (no search, succeeds always)
• Fixed set of theorems for each Ensemble release
  – Common events: up- & downgoing messages, sending & broadcasting
  – Common state characterized by Ensemble system developer
  → Abstract knowledge base of a priori reconfigurations
Stack Reconfiguration

Theorem-based Stack Reconfiguration

Tactics alone too slow (many steps / large terms)
Most layers do not affect common messages
⇓
• Prove theorems about composition of reconfigurations
  – For up/down-going, linear/bouncing/splitting traces
  – (Higher-order) statement obvious:
      RECONFIGURING LAYER Upper FOR EVENT DnM(ev,hdr) AND STATE s_u
        YIELDS EVENTS [:DnM(ev,hdr1):] AND STATE s1_u
    ∧ RECONFIGURING LAYER Lower FOR EVENT DnM(ev,hdr1) AND STATE s_l
        YIELDS EVENTS [:DnM(ev,hdr2):] AND STATE s1_l
    ⇒ RECONFIGURING LAYER Upper || Lower FOR EVENT DnM(ev,hdr) AND STATE (s_u,s_l)
        YIELDS EVENTS [:DnM(ev,hdr2):] AND STATE (s1_u,s1_l)
  – Proof involves Ensemble's code for composition
• Create & prove reconfiguration theorem for stack
  – Apply composition theorems to individual layer reconfiguration theorems
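As an added example (not code from the talk, from Ensemble or from NuPRL), the OCaml below models a Bottom-style up-handler as a pure state transformer, the residual fast path that the slide-8 derivation leaves, and the slide-10 composition of two reconfigured layers (here for up-going messages). All type and function names are assumptions of this model, and the equivalence check is by evaluation on sample inputs, not a proof.

```ocaml
(* Added model (not Ensemble code): events, Bottom's own header, its state. *)
type etype = ECast | ESend | ECastUnrel | EMergeRequest
type event = { etype : etype; peer : int }
type bhdr = NoHdr | Unrel | MergeRequest
type 'h msg = UpM of event * 'h        (* 'h = header of the layers above *)
type state = { all_alive : bool; failed : bool array }
(* General up-handler: Bottom strips its own header bh and passes the rest
   (hdr) upward, dropping messages from failed peers unless all are alive. *)
let up_hdlr (s : state) ev (bh, hdr) : state * 'h msg list =
  match ev.etype, bh with
  | (ECast | ESend), NoHdr ->
      if s.all_alive || not s.failed.(ev.peer) then (s, [UpM (ev, hdr)])
      else (s, [])                                       (* free name ev *)
  | (ECast | ESend), Unrel -> (s, [UpM (ev, hdr)])
  | _, MergeRequest -> (s, [UpM (ev, hdr)])
  | _ -> failwith "bad up event"
(* Residual term after RedLayerStructure, UseHyp 1 and UseHyp 2 on slide 8:
   (s_bottom, [:UpM(ev,hdr):]), with no match and no failure test left. *)
let up_hdlr_fast s ev (_, hdr) = (s, [UpM (ev, hdr)])
(* Assumptions of that reconfiguration: an ECast from a non-failed peer. *)
let assumptions s ev = ev.etype = ECast && not s.failed.(ev.peer)
(* Reconfiguration theorem checked by evaluation rather than by a NuPRL
   proof: wherever the assumptions hold, fast path and original agree. *)
let reconfig_ok s ev m =
  (not (assumptions s ev)) || up_hdlr s ev m = up_hdlr_fast s ev m
(* Composition theorem of slide 10, up-going variant: every message Lower
   emits is fed to Upper; the stack state is the pair (s_l, s_u). *)
let compose_up lower upper (sl, su) ev hdr =
  let sl', outs = lower sl ev hdr in
  let su', acc =
    List.fold_left
      (fun (su, acc) (UpM (e, h)) ->
         let su', o = upper su e h in (su', acc @ o))
      (su, []) outs
  in
  ((sl', su'), acc)
let () =
  let s = { all_alive = false; failed = [| false; true |] } in
  let ev = { etype = ECast; peer = 0 } in
  assert (reconfig_ok s ev (NoHdr, "mnak-hdr"));
  (* Peer 1 has failed: the assumptions do not hold, the general handler
     drops the message, and the fast path must not be used on that trace. *)
  assert (up_hdlr s { ev with peer = 1 } (NoHdr, "mnak-hdr") = (s, []));
  (* Stacking the fast path under a pass-through layer yields one UpM. *)
  let passthru () e h = ((), [UpM (e, h)]) in
  let _, outs = compose_up up_hdlr_fast passthru (s, ()) ev (NoHdr, "x") in
  assert (outs = [UpM (ev, "x")])
```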