Formal Methods for the Verification of Distributed Algorithms Paul Gastin Laboratoire Spécification et Vérification ENS Paris Saclay & CNRS with C. Aiswarya (CMI) & Benedikt Bollig (LSV)
Motivations • Distributed algorithms are extremely difficult to get right • Correctness proofs are often involved • Formal methods may help verifying the correctness of tricky algorithms
Formal methods: Model Checking Peterson's algorithm Specification for n from 0 to N − 1 exclusive Mutual exclusion level[i] ← n last_to_enter[n] ← i � ¬ ( CS i ∧ CS j ) while last_to_enter[n] = i and there exists k ≠ i, such that level[k] ≥ n i ̸ = j wait Yes No
Formal methods: Model Checking Peterson's algorithm Specification for n from 0 to N − 1 exclusive Mutual exclusion level[i] ← n last_to_enter[n] ← i � ¬ ( CS i ∧ CS j ) while last_to_enter[n] = i and there exists k ≠ i, such that level[k] ≥ n i ̸ = j wait m e l b o r p n o i s i c e D Yes No
Models for programs/algorithms • Finite state machine (control points) • Data structures • Boolean variables • Integer variables • Stacks (recursivity) • Queues (asynchronous communication)
Models for programs/algorithms Peterson's algorithm for n from 0 to N − 1 exclusive level[i] := n last_to_enter[n] := i while last_to_enter[n] = i and there exists k ≠ i, such that level[k] ≥ n wait init last_to_enter[n] = i n := 0 max{level[k], k ≠ i} ≥ n level[i] := n trying wait last_to_enter[n] := i else n := n+1 n < N n = N wait CS
Models for programs/algorithms Franklin’s leader election algorithm Processes are arranged in an undirected ring. Each node has a unique identity. Each node is either active or passive (relay mode) at a given time. The algorithm executes as follows: – Each active node sends its identity to its neighbors. Let each active node p1 receive identities from p0 and p2. Where p0 and p2 are its either neighbors in the ring. – If min( ID[p0], ID[p2] ) > ID[p1], then p1 becomes passive – If min( ID[p0], ID[p2] ) < ID[p1], then p1 sends its ID to its neighbors again – If min( ID[p0], ID[p2] ) == ID[p1], then p1 declares itself as leader – Passive nodes only pass on messages. – The loop continues until a leader with highest unique ID has been elected. left ! id right ! id left?r 1 right?r 2 id > r 1 ∧ id > r 2 left ! id right ! id active left?r 1 right?r 2 leader id = r 1 fwd left ! id right ! id left?r 1 right?r 2 passive id < r 1 ∨ id < r 2
Languages for the specification • Modal logics • Temporal logics • First-order logic • Dynamic logics
Model checking: sources of undecidability • Each infinite/unbounded aspects • number of processes/agents • Integer variables (pids, timestamps, …) • FIFO channels (asynchronous communication)
Model checking (Linear time) set of possible set of admissible traces traces Behavior L ( A ) L ( ϕ ) model checking | A ϕ = L ( A ) ⊆ L ( ϕ ) ? System model Specification ¬ F specificati distributed
Model checking: First solution Reachability L ( ϕ ) Behavior ? = ∅ L ( A ) L ( A 0 ) ∩ effective A 0 ¬ ϕ model checking ϕ A | = L ( A ) ⊆ L ( ϕ ) ? Finite automata LTL specification ¬ F specificati distributed
Model checking: Second solution Validity ? L ( ϕ ) Behavior ! ⇒ " L ( A ) effective ! model checking ϕ A | = L ( A ) ⊆ L ( ϕ ) ? Finite automata LTL specification ¬ F specificati distributed
Models of Distributed Systems 23 5 47 71 19 42
Distributed algorithms: our hypotheses • Number of processes: arbitrary, unknown • Unique process identification • Comparisons: <, = • No arithmetic • Topology: fixed degree (ring, …) • Communication: Synchronous in rounds • Round: send messages, receive messages, compute and update local registers
Distributed algorithms Leader election [Franklin ’82] round } z { | 5 71 42 19 47 23 Behavior left ! id right ! id left?r 1 right?r 2 id > r 1 ∧ id > r 2 active left ! id right ! id left?r 1 right?r 2 passive id < r 1 ∨ id < r 2 Distributed algorithm
Distributed algorithms Leader election [Franklin ’82] round } z { | 5 71 42 19 Active id = 47 47 r1 = 23 r2 = 19 23 Behavior left ! id right ! id left?r 1 right?r 2 id > r 1 ∧ id > r 2 active left ! id right ! id left?r 1 right?r 2 passive id < r 1 ∨ id < r 2 Distributed algorithm
Distributed algorithms Leader election [Franklin ’82] 5 71 42 71 47 19 47 23 Behavior left ! id right ! id left?r 1 right?r 2 id > r 1 ∧ id > r 2 active fwd left ! id right ! id left?r 1 right?r 2 passive id < r 1 ∨ id < r 2 Distributed algorithm
Distributed algorithms Leader election [Franklin ’82] 5 71 71 42 19 47 23 Behavior left ! id right ! id left?r 1 right?r 2 id > r 1 ∧ id > r 2 left ! id right ! id active left?r 1 right?r 2 leader id = r 1 fwd left ! id right ! id left?r 1 right?r 2 passive id < r 1 ∨ id < r 2 Distributed algorithm
Distributed algorithms Leader election [Franklin ’82] 5 71 42 19 47 23 Behavior left ! id right ! id left?r 1 right?r 2 id > r 1 ∧ id > r 2 left ! id right ! id active left?r 1 right?r 2 leader id = r 1 fwd left ! id right ! id left?r 1 right?r 2 passive id < r 1 ∨ id < r 2 Distributed algorithm
Distributed algorithms 23 5 • Identical finite-state 47 processes 71 • Number of processes is unknown and unbounded right • Processes have unique left 19 pids (integers — 42 unbounded data)
A formal model for distributed algorithms An automata-like way of writing DA Every process can be described by: 5 • Set of states • Set of transitions • send pids to neighbours • Initial state • receive pids from neighbours, • Set of registers and store in registers • compare registers • stores pid • update registers
Behaviors two unbounded dimensions 5 71 42 19 Active id = 47 47 r1 = 23 r2 = 19 23 left ! id right ! id Cylinders left?r 1 right?r 2 Arbitrary length and width id > r 1 ∧ id > r 2 Labelled with data left ! id right ! id from an infinite domain active left?r 1 right?r 2 leader id = r 1 fwd left ! id right ! id left?r 1 right?r 2 3 sources of infinity passive id < r 1 ∨ id < r 2 Distributed algorithm
Abstraction of Data Values 23 5 47 71 19 42
Model Checking Distributed algorithms 5 71 42 19 Active id = 47 47 r1 = 23 r2 = 19 23 UNDECIDABLE • Behaviors: Cylinders of arbitrary width and length Data from an infinite domain • System: Register automata with data comparisons • Specification: Data PDL with data comparisons
⇒ Reduction to Satisfiability of LCPDL: Data abstraction 5 71 42 19 47 23 # $ A ϕ valid over cylinders ⇒ A | ⇐ = ϕ Distributed algorithm PDL with loop (over finite alphabet) Data PDL
LCPDL: Propositional Dynamic logic with Loop and Converse ψ Ψ , Ψ ′ ::= E ψ | ¬ Ψ | Ψ ∧ Ψ ′ ψ , ψ ′ ::= ‡ | p | ¬ ψ | ψ ∧ ψ ′ | ⟨ π ⟩ ψ | loop ( π ) π , π ′ ::= { ψ } ? | → | ↓ | π + π ′ | π · π ′ | π ∗ | π − 1
LCPDL: Propositional Dynamic logic with Loop and Converse ‡ Ψ , Ψ ′ ::= E ψ | ¬ Ψ | Ψ ∧ Ψ ′ ψ , ψ ′ ::= ‡ | p | ¬ ψ | ψ ∧ ψ ′ | ⟨ π ⟩ ψ | loop ( π ) π , π ′ ::= { ψ } ? | → | ↓ | π + π ′ | π · π ′ | π ∗ | π − 1
LCPDL: Propositional Dynamic logic with Loop and Converse Ψ , Ψ ′ ::= E ψ | ¬ Ψ | Ψ ∧ Ψ ′ ψ , ψ ′ ::= ‡ | p | ¬ ψ | ψ ∧ ψ ′ | ⟨ π ⟩ ψ | loop ( π ) π , π ′ ::= { ψ } ? | → | ↓ | π + π ′ | π · π ′ | π ∗ | π − 1
LCPDL: Propositional Dynamic logic with Loop and Converse ⟨ π ⟩ ψ ψ π ⟨↓ ∗ ← ∗ {•} ?( ↓↓ {•} ?) ∗ → ∗ {•} ? → {•} ? ↑ ∗ ⟩ • Ψ , Ψ ′ ::= E ψ | ¬ Ψ | Ψ ∧ Ψ ′ ψ , ψ ′ ::= ‡ | p | ¬ ψ | ψ ∧ ψ ′ | ⟨ π ⟩ ψ | loop ( π ) π , π ′ ::= { ψ } ? | → | ↓ | π + π ′ | π · π ′ | π ∗ | π − 1
LCPDL: Propositional Dynamic logic with Loop and Converse loop ( π ) π Ψ , Ψ ′ ::= E ψ | ¬ Ψ | Ψ ∧ Ψ ′ ψ , ψ ′ ::= ‡ | p | ¬ ψ | ψ ∧ ψ ′ | ⟨ π ⟩ ψ | loop ( π ) π , π ′ ::= { ψ } ? | → | ↓ | π + π ′ | π · π ′ | π ∗ | π − 1
Data abstraction: symbolic runs + tracking data 5 71 42 19 Active id = 47 47 r1 = 23 r2 = 19 23 left ! id right ! id left?r 1 right?r 2 id > r 1 ∧ id > r 2 left ! id right ! id active left?r 1 right?r 2 leader id = r 1 fwd left ! id right ! id left?r 1 right?r 2 passive id < r 1 ∨ id < r 2 Distributed algorithm
Data abstraction: symbolic runs + tracking data t 3 t 3 5 t 2 t 1 t 4 71 t 1 t 3 t 3 t 2 42 t 2 t 3 t 3 19 t 1 t 2 t 3 47 t 2 t 3 t 3 23 left ! id right ! id t 1 left?r 1 right?r 2 id > r 1 ∧ id > r 2 t 4 left ! id right ! id active left?r 1 right?r 2 leader id = r 1 t 3 fwd left ! id right ! id left?r 1 right?r 2 t 2 passive id < r 1 ∨ id < r 2 Distributed algorithm
Recommend
More recommend