http distributedcomponents net ilya sergey james r wilcox
play

` http://distributedcomponents.net Ilya Sergey James R. Wilcox - PowerPoint PPT Presentation

Sep 28, 2022 •27 likes •727 views

Programming and Proving with Distributed Protocols Disel: Distributed Separation Logic { P } c { Q } ` http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock Distributed Systems Distributed Infrastructure Distributed

  1. Programming and Proving with Distributed Protocols Disel: Distributed Separation Logic { P } c { Q } ` http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock

  2. Distributed Systems

  3. Distributed Infrastructure

  4. Distributed Applications

  5. Verified Distributed Systems

  6. Verified Distributed Infrastructure

  7. Verified Distributed Infrastructure Veri- Wow -Cert Iron

  8. Verified Distributed Applications

  9. Verified Distributed Applications Veri- Wow -Cert Iron

  10. Verified Distributed Applications Veri- Wow Challenging to verify apps in terms of infra. starting from scratch is unacceptable Indicates deeper problems with composition one node’s client is another’s server! -Cert Iron

  11. Verified Distributed Applications Challenges Client reasoning Veri- Wow Invariants Separation -Cert Iron

  12. Verified Distributed Applications Challenges Solutions Client reasoning Protocols Veri- Wow Invariants rule WithInv Separation rule/Hooks Frame ` { P } c { Q } -Cert Disel: Iron

  13. Outline ` { P } c { Q } Protocols and running example Logical mechanisms programming with protocols invariants framing and hooks Implementation and future work

  14. Cloud Compute C S

  15. Cloud Compute 21 C S

  16. Cloud Compute

  17. Cloud Compute

  18. Cloud Compute : Server while true: (from, n) <- recv Req send Resp(n, factors(n)) to from

  19. Cloud Compute : Server while true: (from, n) <- recv Req send Resp(n, factors(n)) to from Traditional specification: messages from server have correct factors Proved by finding an invariant of the system

  20. Cloud Compute: Server

  21. Cloud Compute: Client

  22. Cloud Compute: Client send Req(21) to server (_, ans) <- recv Resp assert ans == {3, 7}

  23. Cloud Compute: Client send Req(21) to server (_, ans) <- recv Resp assert ans == {3, 7} Start over with clients in system?

  24. Cloud Compute: Client send Req(21) to server (_, ans) <- recv Resp assert ans == {3, 7} Start over with clients in system? In Disel: use protocol to describe client interface

  25. Protocols

  26. Protocols

  27. Protocols A protocol is an interface among nodes

  28. Protocols A protocol is an interface among nodes Enables compositional verification

  29. Cloud Compute Protocol Messages:

  30. Cloud Compute Protocol Messages: State:

  31. Cloud Compute Protocol Messages: State: Transitions:

  32. Cloud Compute Protocol Messages: State: Transitions: Sends: precondition and effect

  33. Cloud Compute Protocol Messages: State: Transitions: Sends: precondition and effect Receives: effect

  34. Cloud Compute Protocol Messages: State: Transitions: Sends: Receives:

  35. Cloud Compute Protocol Messages: Req(n) | Resp(n,s) State: Transitions: Sends: Receives:

  36. Cloud Compute Protocol Messages: Req(n) | Resp(n,s) outstanding: Set<Msg> State: Transitions: Sends: Receives:

  37. Cloud Compute Protocol Messages: Req(n) | Resp(n,s) outstanding: Set<Msg> State: Transitions: Req Resp Sends: Receives: Req Resp

  38. Cloud Compute Req(21) C S Send Req(n) Precondition: none Effect: none

  39. Cloud Compute Req(21) ( C ,21) { } C S Receive Req(n) add (from, n) to out Effect:

  40. Cloud Compute { } C S Resp({3,7}) Send Resp(n,l) l == factors(n) Requires: (n,to) in out removes (n,to) from out Effect:

  41. Cloud Compute { } C S Resp({3,7}) Recv Resp(n,l) Effect: none

  42. Cloud Compute Protocol Messages: Req(n) | Resp(n,s) outstanding: Set<Msg> State: Transitions: Req Resp Sends: Receives: Req Resp

  43. Outline ` { P } c { Q } Protocols and running example Logical mechanisms programming with protocols invariants framing and hooks Implementation and future work

  44. Cloud Compute : Server while true: (from, n) <- recv Req send Resp(n, factors(n)) to from

  45. Cloud Compute : Server while true: (from, n) <- recv Req send Resp(n, factors(n)) to from Precondition on send requires correct factors

  46. Cloud Compute: Server { Pre } ` { } m h send m to h ( ) sent t t , while true: (from, n) <- recv Req send Resp(n, factors(n)) to from Precondition on send requires correct factors

  47. Cloud Compute: Server { Pre } ` { } m h send m to h ( ) sent t t t , while true: (from, n) <- recv Req send Resp(n, factors(n)) to from Precondition on send requires correct factors

  48. Cloud Compute: Server t ∈ { Pre } ` { } m h send m to h ( ) sent t t t , while true: (from, n) <- recv Req send Resp(n, factors(n)) to from Precondition on send requires correct factors

  49. Cloud Compute: Server t ∈ { Pre } ` { } m h send m to h ( ) sent t t t , while true: (from, n) <- recv Req send Resp(n, factors(n)) to from Precondition on send requires correct factors

  50. Cloud Compute: Server t ∈ { Pre } ` { } m h send m to h ( ) sent t t t , while true: (from, n) <- recv Req send Resp(n, factors(n)) to from Precondition on send requires correct factors

  51. Cloud Compute: Client send Req(21) to server (_, ans) <- recv Resp assert ans == {3, 7}

  52. Cloud Compute: Client send Req(21) to server (_, ans) <- recv Resp assert ans == {3, 7} recv doesn’t ensure correct factors

  53. Cloud Compute: Client send Req(21) to server (_, ans) <- recv Resp assert ans == {3, 7} recv doesn’t ensure correct factors

  54. Cloud Compute: Client t ∈ ` { > } m { recvd ( ) } recv m t send Req(21) to server (_, ans) <- recv Resp assert ans == {3, 7} recv doesn’t ensure correct factors

  55. Protocol Invariants ` { P } c { Q } I inductive 0 ` { P ∧ I } c { Q ∧ I }

  56. Protocol Invariants ` { P } c { Q } I inductive 0 ` { P ∧ I } c { Q ∧ I } Protocol where every state satisfies I

  57. Cloud Compute: Client t ∈ 0 ` { > } m { recvd ( ) } recv m t send Req(21) to server (_, ans) <- recv Resp assert ans == {3, 7} Now recv ensures correct factors

  58. Cloud Compute: More Clients send Req(21) to server 1 send Req(35) to server 2 (_, ans 1 ) <- recv Resp (_, ans 2 ) <- recv Resp assert ans 1 ans 2 == {3, 5, 7} ∪

  59. Cloud Compute: More Clients send Req(21) to server 1 send Req(35) to server 2 (_, ans 1 ) <- recv Resp (_, ans 2 ) <- recv Resp assert ans 1 ans 2 == {3, 5, 7} ∪ Same protocol enables verification

  60. Frame rule ` { P } c { Q } R stable ` { P R } c { Q R } ∗ ∗

  61. Frame rule ` { P } c { Q } R stable ` { P R } c { Q R } ∗ ∗ Reuse invariants from component protocols

  62. Frame rule ` { P } c { Q } R stable independent protocols ` { P R } c { Q R } ∗ ∗ Reuse invariants from component protocols

  63. Frame rule: Hooks ` { P } c { Q } R stable ` { P R } c { Q R } ∗ ∗

  64. Frame rule: Hooks ` { P } c { Q } R stable ` { P R } c { Q R } ∗ ∗ Allows one protocol to restrict another

  65. Outline ` { P } c { Q } Protocols and running example Logical mechanisms programming with protocols invariants framing and hooks Implementation and future work

  66. Implementation Shallowly embedded in Coq with full power of functional programming Executable via extraction to OCaml via trusted shim to implement semantics Case study: two-phase commit exercises all features of the logic

  67. Related and Future Work Concurrent separation logics Iris, FCSL, CAP, … Adding other effects e.g. mutable heap, threads, failure…

  68. Composition: A way to make proofs harder

  69. Composition: A way to make proofs harder “In 1997, the unfortunate reality is that engineers rarely specify and reason formally about the systems they build. It seems unlikely that reasoning about the composition of open-system specifications will be a practical concern within the next 15 years.”

  70. Verified Distributed Applications Challenges Solutions Client reasoning Protocols Veri- Wow Invariants rule WithInv Separation rule/Hooks Frame ` { P } c { Q } -Cert Disel: Iron

Recommend

` http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock Distributed

` http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock Distributed

Programming and Proving with Distributed Protocols Disel: Distributed Separation Logic { P } c { Q } ` http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock Distributed Systems Distributed Infrastructure Distributed

435 views • 40 slides
` James R. Wilcox Zach Tatlock Ilya Sergey Distributed Systems Distributed Infrastructure

` James R. Wilcox Zach Tatlock Ilya Sergey Distributed Systems Distributed Infrastructure

Programming Language Abstractions for Modularly Verified Distributed Systems { P } c { Q } ` James R. Wilcox Zach Tatlock Ilya Sergey Distributed Systems Distributed Infrastructure Distributed Applications Verified Distributed Systems

794 views • 64 slides
Static Analysis and Code Optimizations in Glasgow Haskell Compiler Ilya Sergey

Static Analysis and Code Optimizations in Glasgow Haskell Compiler Ilya Sergey

Static Analysis and Code Optimizations in Glasgow Haskell Compiler Ilya Sergey ilya.sergey@gmail.com 12.12.12 1 The Goal Discuss what happens when we run ghc -O MyProgram.hs 2 The Plan Recall how laziness is implemented in GHC and

987 views • 74 slides
A Semantics for Context-Oriented Programming with Layers Dave Clarke and Ilya Sergey Katholieke

A Semantics for Context-Oriented Programming with Layers Dave Clarke and Ilya Sergey Katholieke

What is COP Problem description COP formalization A Semantics for Context-Oriented Programming with Layers Dave Clarke and Ilya Sergey Katholieke Universiteit Leuven {Dave.Clarke,Ilya.Sergey}@cs.kuleuven.be International workshop on

797 views • 35 slides
Functional Programming is Everywhere Ilya Sergey ilyasergey.net PLMW @ ICFP 2019 2

Functional Programming is Everywhere Ilya Sergey ilyasergey.net PLMW @ ICFP 2019 2

Functional Programming is Everywhere Ilya Sergey ilyasergey.net PLMW @ ICFP 2019 2 About myself MSc Saint Petersburg State University, 2008 PhD KU Leuven, 2008-2012 Currently Associate Professor (tenure-track) at Yale-NUS College

1.18k views • 91 slides
Reasoning about Byzantine Protocols Ilya Sergey ilyasergey.net Why Distributed Consensus is

Reasoning about Byzantine Protocols Ilya Sergey ilyasergey.net Why Distributed Consensus is

Reasoning about Byzantine Protocols Ilya Sergey ilyasergey.net Why Distributed Consensus is difficult? Arbitrary message delays (asynchronous network) Independent parties (nodes) can go offline (and also back online) Network

1.29k views • 72 slides
Programming and Proving with Concurrent Resources Ilya Sergey joint work with Aleks

Programming and Proving with Concurrent Resources Ilya Sergey joint work with Aleks

Programming and Proving with Concurrent Resources Ilya Sergey joint work with Aleks Nanevski, Anindya Banerjee, Ruy Ley-Wild and Germn Delbianco What and why Concurrency parallelism efficiency A gap between informal

1.54k views • 109 slides
Reasoning about Consensus Protocols Ilya Sergey ilyasergey.net Consensus Common meaning :

Reasoning about Consensus Protocols Ilya Sergey ilyasergey.net Consensus Common meaning :

Reasoning about Consensus Protocols Ilya Sergey ilyasergey.net Consensus Common meaning : a way for a set of parties to come to a shared agreement. In computing : ensuring that among the values proposed by a collection of

767 views • 63 slides
Mechanising Blockchain Consensus George Prlea and Ilya Sergey Monday, 8 January 2018 CPP2018

Mechanising Blockchain Consensus George Prlea and Ilya Sergey Monday, 8 January 2018 CPP2018

Mechanising Blockchain Consensus George Prlea and Ilya Sergey Monday, 8 January 2018 CPP2018 1 Context Hundreds of deployed public blockchains $600 625 675 735 755 780 820 billion total market cap (7 day progression since Jan 1 st )

1.32k views • 38 slides
Compositional Static Race Detection at Scale, without False Positives Ilya Sergey Joint work

Compositional Static Race Detection at Scale, without False Positives Ilya Sergey Joint work

Compositional Static Race Detection at Scale, without False Positives Ilya Sergey Joint work with Sam Blackshear, Peter OHearn, Nikos Gorogiannis Key Messages Static analyses for concurrency can be made scalable and precise . Unsound

827 views • 80 slides
Mechanized Verification of Fine-grained Concurrent Programs Ilya Sergey Aleks Nanevski

Mechanized Verification of Fine-grained Concurrent Programs Ilya Sergey Aleks Nanevski

Mechanized Verification of Fine-grained Concurrent Programs Ilya Sergey Aleks Nanevski Anindya Banerjee PLDI 2015 Terminology Coarse-grained Concurrency synchronisation between threads via locks ; Fine-grained

973 views • 72 slides
A Concurrent Perspective on Smart Contracts Ilya Sergey Aquinas Hobor 1st Workshop on

A Concurrent Perspective on Smart Contracts Ilya Sergey Aquinas Hobor 1st Workshop on

A Concurrent Perspective on Smart Contracts Ilya Sergey Aquinas Hobor 1st Workshop on Trusted Smart Contracts 7 April 2017 class ConcurrentQueue &lt;E&gt; { public synchronized void enqueue(E elem) {} public synchronized E dequeue()

605 views • 21 slides
Microsoft Corporation http://www.jeff.wilcox.name/ 2

Microsoft Corporation http://www.jeff.wilcox.name/ 2

Microsoft Corporation http://www.jeff.wilcox.name/ 2 3 Multimedia Display Codec acceleration 480x800 QVGA Other resolutions in the future Capacitive

1.16k views • 90 slides
Fixing Idioms A recursion primitive for Applicative DSLs Dominique Devriese Ilya Sergey Dave

Fixing Idioms A recursion primitive for Applicative DSLs Dominique Devriese Ilya Sergey Dave

Fixing Idioms A recursion primitive for Applicative DSLs Dominique Devriese Ilya Sergey Dave Clarke Frank Piessens Functional DSLs Functional languages are a good host for elegant DSLs Shallow functional embeddings inherit desirable

595 views • 14 slides
pointer-manipulating programs Nadia Polikarpova joint work with Ilya Sergey (Yale-NUS) follow

pointer-manipulating programs Nadia Polikarpova joint work with Ilya Sergey (Yale-NUS) follow

SuSLik: synthesis of safe pointer-manipulating programs Nadia Polikarpova joint work with Ilya Sergey (Yale-NUS) follow along https://github.com/TyGuS/suslik-tutorial 2 pointer-manipulating programs network / security operating systems

1.23k views • 105 slides
Calculating Graph Algorithms for Dominance and Shortest Path Ilya Sergey Jan Midtgaard

Calculating Graph Algorithms for Dominance and Shortest Path Ilya Sergey Jan Midtgaard

Calculating Graph Algorithms for Dominance and Shortest Path Ilya Sergey Jan Midtgaard Dave Clarke MPC 2012 How to derive two graph algorithms by means of Abstract Interpretation ? Abstract Interpretation Abstract Interpretation

1.27k views • 101 slides
Key-value VST store James R. Wilcox, Doug Woos, Pavel Panchekha, Zach Tatlock, Xi

Key-value VST store James R. Wilcox, Doug Woos, Pavel Panchekha, Zach Tatlock, Xi

Verdi: A Framework for Implementing and Formally Verifying Distributed Systems Key-value VST store James R. Wilcox, Doug Woos, Pavel Panchekha, Zach Tatlock, Xi Wang, Michael D. Ernst, Thomas Anderson Challenges Distributed systems

545 views • 38 slides
Radiation Testing of Advanced Non-Volatile Memories Ted Wilcox ted.wilcox@nasa.gov NASA Goddard

Radiation Testing of Advanced Non-Volatile Memories Ted Wilcox ted.wilcox@nasa.gov NASA Goddard

Radiation Testing of Advanced Non-Volatile Memories Ted Wilcox ted.wilcox@nasa.gov NASA Goddard Space Flight Center 1 To be presented by Ted Wilcox at the 2019 NEPP Electronics Technology Workshop (ETW), NASA GSFC, Greenbelt, MD, June 17-20,

404 views • 25 slides
Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox,

Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox,

Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox, Doug Woos, Zachary Tatlock, and Karl Palmskog We should verify implementations of distributed systems... ...and we have! Framework Prover

1.41k views • 86 slides
Gradual Ownership Types Ilya Sergey Dave Clarke ESOP 2012 Ownership Types (a gradual

Gradual Ownership Types Ilya Sergey Dave Clarke ESOP 2012 Ownership Types (a gradual

Gradual Ownership Types Ilya Sergey Dave Clarke ESOP 2012 Ownership Types (a gradual introduction) class List { Link head; void add(Data d) { Data Data head = new Link(head, d); } owner Iterator makeIterator() { return new

781 views • 38 slides
Scenario Week 4 (comp203p) Ilya Sergey scenario@cs.ucl.ac.uk 22-26 February 2016 How many

Scenario Week 4 (comp203p) Ilya Sergey scenario@cs.ucl.ac.uk 22-26 February 2016 How many

Scenario Week 4 (comp203p) Ilya Sergey scenario@cs.ucl.ac.uk 22-26 February 2016 How many guards do we really need? The answer depends on the shape of the gallery. How many guards do we really need? The answer depends on the shape of the

390 views • 26 slides
SPDY, err... HTTP 2.0 WebRTC for fun and profit... Ilya Grigorik - @igrigorik,

SPDY, err... HTTP 2.0 WebRTC for fun and profit... Ilya Grigorik - @igrigorik,

SPDY, err... HTTP 2.0 WebRTC for fun and profit... Ilya Grigorik - @igrigorik, gplus.to/igrigorik Make the Web Fast, Google So... HTTP 2.0, or SPDY? &quot;This draft is a work-in-progress, and does not yet reflect Working Group consensus ...

1.25k views • 55 slides
Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
SPDY, err... HTTP 2.0 WebRTC what is it, how, why, and when? Ilya Grigorik - @igrigorik,

SPDY, err... HTTP 2.0 WebRTC what is it, how, why, and when? Ilya Grigorik - @igrigorik,

SPDY, err... HTTP 2.0 WebRTC what is it, how, why, and when? Ilya Grigorik - @igrigorik, gplus.to/igrigorik Make the Web Fast, Google Improve end-user perceived latency Address the &quot;head of line blocking&quot; Not require

1.06k views • 47 slides

More recommend