james r wilcox zach tatlock ilya sergey distributed
play

` James R. Wilcox Zach Tatlock Ilya Sergey Distributed Systems - PowerPoint PPT Presentation

Mar 26, 2024 •143 likes •794 views

Programming Language Abstractions for Modularly Verified Distributed Systems { P } c { Q } ` James R. Wilcox Zach Tatlock Ilya Sergey Distributed Systems Distributed Infrastructure Distributed Applications Verified Distributed Systems

  1. Programming Language Abstractions for Modularly Verified Distributed Systems { P } c { Q } ` James R. Wilcox Zach Tatlock Ilya Sergey

  2. Distributed Systems

  3. Distributed Infrastructure

  4. Distributed Applications

  5. Verified Distributed Systems

  6. Verified Distributed Systems

  7. Verified Distributed Infrastructure

  8. Verified Distributed Infrastructure Veri- Wow -Cert Iron

  9. Verified Distributed Applications

  10. Verified Distributed Applications Veri- Wow -Cert Iron

  11. Verified Distributed Applications Veri- Wow Challenging to verify apps in terms of infra. verify clients by starting over! Indicates deeper problems with composition one node’s client is another’s server! -Cert Iron

  12. Challenging to verify apps in terms of infra. Verified Distributed Applications verify clients by starting over! Indicates deeper problems with composition Veri- Wow one node’s client is another’s server! (Make it possible to) verify clients verify clients without starting over! Will also enable more general composition -Cert Iron

  13. Composition: A way to make proofs harder

  14. Composition: A way to make proofs harder When distracting language issues are removed and the underlying mathematics is revealed, compositional reasoning is seen to be of little use.

  15. Approach Distributed Hoare Type Theory ` { P } c { Q }

  16. Distributed Interactions Servers and Clients Combining Services Optimizations Horizons gcc -O3

  17. Cloud Compute 21 C S

  18. Cloud Compute

  19. Cloud Compute

  20. Cloud Compute : Server while True: (from, n) <- recv send (n, factors(n)) to from

  21. Cloud Compute : Server while True: (from, n) <- recv send (n, factors(n)) to from Traditional specification: messages from server have correct factors Proved by finding an invariant of the system

  22. Cloud Compute: Server

  23. Cloud Compute: Client

  24. Cloud Compute: Client send 21 to server (_, ans) <- recv assert ans == {3, 7}

  25. Cloud Compute: Client send 21 to server (_, ans) <- recv assert ans == {3, 7} Expand system to include clients Need to reason about client-server interaction introduce protocol

  26. Protocols

  27. Protocols

  28. Protocols Protocols make it possible to verify clients!

  29. Protocols

  30. Protocols State: abstract state of each node

  31. Protocols State: abstract state of each node Transitions: allowed sends and receives

  32. Cloud Compute Protocol State: Transitions:

  33. Cloud Compute Protocol State: permissions: Set<Msg> Transitions:

  34. Cloud Compute Protocol State: permissions: Set<Msg> Transitions: Send Req Send Resp Recv Req Recv Resp

  35. Cloud Compute: Protocol State: Recv Request n perm: Set<Msg> add (from, n) to perm Effect: Transitions: Send Req Send Resp Recv Req Recv Resp

  36. Cloud Compute: Protocol State: Send Response (n,l) perm: Set<Msg> Requires: l == factors(n) Transitions: (n,to) in perm Send Req Send Resp Effect: Recv Req Recv Resp removes (n,to) from perm

  37. Cloud Compute: Protocol State: Recv Response l perm: Set<Msg> Ensures: l == factors(n) Transitions: (n,to) in perm Send Req Send Resp Recv Req Recv Resp

  38. Cloud Compute: Protocol State: permissions: Set<Msg> Transitions: Send Req Send Resp Recv Req Recv Resp

  39. Cloud Compute: Protocol State: permissions: Set<Msg> Protocols make it possible to verify clients! Transitions: Send Req Send Resp Recv Req Recv Resp

  40. From Protocols to Types ` { P } c { Q }

  41. From Protocols to Types ` { P } { } m h send m to h ( ) sent t ,

  42. From Protocols to Types ` { P } { } m h send m to h ( ) sent t t ,

  43. From Protocols to Types t ∈ ` { P } { } m h send m to h ( ) sent t t ,

  44. From Protocols to Types P ⇒ Pre t t ∈ ` { P } { } m h send m to h ( ) sent t t ,

  45. From Protocols to Types P ⇒ Pre t t ∈ ` { P } { } m h send m to h ( ) sent t t ,

  46. Cloud Compute: Client send 21 to server (_, ans) <- recv assert ans == {3, 7}

  47. Cloud Compute: Client send 21 to server (_, ans) <- recv assert ans == {3, 7} recv ensures correct factors

  48. Cloud Compute: More Clients send 21 to server 1 send 35 to server 2 (_, ans 1 ) <- recv (_, ans 2 ) <- recv assert ans 1 ans 2 == {3, 5, 7} ∪

  49. Cloud Compute: More Clients send 21 to server 1 send 35 to server 2 (_, ans 1 ) <- recv (_, ans 2 ) <- recv assert ans 1 ans 2 == {3, 5, 7} ∪ Same protocol enables verification

  50. Cloud Compute: More Clients send 21 to server 1 send 35 to server 2 (_, ans 1 ) <- recv (_, ans 2 ) <- recv assert ans 1 ans 2 == {3, 5, 7} ∪ Same protocol enables verification

  51. Cloud Compute : Server while True: (from, n) <- recv send (n, factors(n)) to from

  52. Cloud Compute : Server while True: (from, n) <- recv send (n, factors(n)) to from Precondition on send requires correct factors

  53. Cloud Compute : More Servers cache = {} 
 while True: (from, n) <- recv ans = if n cache then cache[n] ∈ else factors(n) cache[n] = ans send (n, ans) to from

  54. Cloud Compute : More Servers cache = {} 
 while True: (from, n) <- recv ans = if n cache then cache[n] ∈ else factors(n) cache[n] = ans send (n, ans) to from Still follows protocol!

  55. Cloud Compute : More Servers while True: (from, n) <- recv send n to backend (_, ans) <- recv send (n, ans) to from

  56. Cloud Compute : More Servers while True: Still follows protocol! (from, n) <- recv send n to backend (_, ans) <- recv send (n, ans) to from

  57. Cloud Compute : More Servers while True: Still follows protocol! (from, n) <- recv send n to backend (_, ans) <- recv send (n, ans) to from Any combination of transitions follows protocol Well-typed programs don’t go wrong! One node’s client is another’s server!

  58. Horizons Sophisticated protocol composition e.g. computation uses separate database Adding other effects e.g. mutable heap, threads, failure… Fault tolerance what do Verdi’s VSTs look like here?

  59. Verified Distributed Applications

  60. Verified Distributed Applications Veri- Wow -Cert Iron

  61. Verified Distributed Applications Veri- Wow Challenging to verify apps in terms of infra. verify clients by starting over! Indicates deeper problems with composition one node’s client is another’s server! -Cert Iron

  62. Challenging to verify apps in terms of infra. Verified Distributed Applications verify clients by starting over! Indicates deeper problems with composition Veri- Wow one node’s client is another’s server! Protocols make it possible to verify clients reason about client-server interaction Also enable more general composition Any combination of transitions follows protocol -Cert Iron Well-typed programs don’t go wrong!

  63. Verified Distributed Applications Protocols make it possible to verify clients reason about client-server interaction Veri- Wow Also enable more general composition Any combination of transitions follows protocol Well-typed programs don’t go wrong! -Cert Iron

  64. Verified Distributed Applications Protocols make it possible to verify clients reason about client-server interaction Veri- Wow Also enable more general composition Any combination of transitions follows protocol Well-typed programs don’t go wrong! Composition is hard but important for infrastructure -Cert Iron Achieve with types syntactic theory of composition

Recommend

` http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock Distributed

` http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock Distributed

Programming and Proving with Distributed Protocols Disel: Distributed Separation Logic { P } c { Q } ` http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock Distributed Systems Distributed Infrastructure Distributed

727 views • 70 slides
` http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock Distributed

` http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock Distributed

Programming and Proving with Distributed Protocols Disel: Distributed Separation Logic { P } c { Q } ` http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock Distributed Systems Distributed Infrastructure Distributed

435 views • 40 slides
Key-value VST store James R. Wilcox, Doug Woos, Pavel Panchekha, Zach Tatlock, Xi

Key-value VST store James R. Wilcox, Doug Woos, Pavel Panchekha, Zach Tatlock, Xi

Verdi: A Framework for Implementing and Formally Verifying Distributed Systems Key-value VST store James R. Wilcox, Doug Woos, Pavel Panchekha, Zach Tatlock, Xi Wang, Michael D. Ernst, Thomas Anderson Challenges Distributed systems

545 views • 38 slides
Pavel Alex James Zach Panchekha Sanchez-Stern Wilcox Tatlock Floating Points Wild

Pavel Alex James Zach Panchekha Sanchez-Stern Wilcox Tatlock Floating Points Wild

Automatically Improving Accuracy for Floating Point Expressions error Pavel Alex James Zach Panchekha Sanchez-Stern Wilcox Tatlock Floating Points Wild Success Floating Points Wild Success F R Often floating point is

1.19k views • 67 slides
Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox,

Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox,

Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox, Doug Woos, Zachary Tatlock, and Karl Palmskog We should verify implementations of distributed systems... ...and we have! Framework Prover

1.41k views • 86 slides
Reasoning about Byzantine Protocols Ilya Sergey ilyasergey.net Why Distributed Consensus is

Reasoning about Byzantine Protocols Ilya Sergey ilyasergey.net Why Distributed Consensus is

Reasoning about Byzantine Protocols Ilya Sergey ilyasergey.net Why Distributed Consensus is difficult? Arbitrary message delays (asynchronous network) Independent parties (nodes) can go offline (and also back online) Network

1.29k views • 72 slides
Planning for Change in a Formal Verification of the Raft Consensus Protocol Doug James

Planning for Change in a Formal Verification of the Raft Consensus Protocol Doug James

Planning for Change in a Formal Verification of the Raft Consensus Protocol Doug James Steve Zach Mike Tom Woos Wilcox Anton Tatlock Ernst Anderson Contributions First formal proof of Rafts safety first verified

1.17k views • 52 slides
CSE 505: Programming Languages Lecture 10 Types Zach Tatlock Fall 2013 What Are We Doing?

CSE 505: Programming Languages Lecture 10 Types Zach Tatlock Fall 2013 What Are We Doing?

CSE 505: Programming Languages Lecture 10 Types Zach Tatlock Fall 2013 What Are We Doing? Covered a lot of ground! Easy to lose sight of the big picture. Zach Tatlock CSE 505 Fall 2013, Lecture 10 2 The Big Picture Building Sweet

299 views • 27 slides
Static Analysis and Code Optimizations in Glasgow Haskell Compiler Ilya Sergey

Static Analysis and Code Optimizations in Glasgow Haskell Compiler Ilya Sergey

Static Analysis and Code Optimizations in Glasgow Haskell Compiler Ilya Sergey ilya.sergey@gmail.com 12.12.12 1 The Goal Discuss what happens when we run ghc -O MyProgram.hs 2 The Plan Recall how laziness is implemented in GHC and

987 views • 74 slides
CSE 505: Programming Languages Lecture 8 Reduction Strategies; Substitution Zach Tatlock

CSE 505: Programming Languages Lecture 8 Reduction Strategies; Substitution Zach Tatlock

CSE 505: Programming Languages Lecture 8 Reduction Strategies; Substitution Zach Tatlock Fall 2013 Review -calculus syntax: e ::= x. e | x | e e v ::= x. e Call-By-Value Left-To-Right Small-Step Operational Semantics: e e

397 views • 17 slides
CSE-505: Programming Languages Lecture 1 Course Introduction Zach Tatlock 2016 Today

CSE-505: Programming Languages Lecture 1 Course Introduction Zach Tatlock 2016 Today

CSE-505: Programming Languages Lecture 1 Course Introduction Zach Tatlock 2016 Today Administrative stuff Course motivation and goals A Java example Course overview Course pitfalls Start Caml tutorial (see separate

314 views • 19 slides
A Semantics for Context-Oriented Programming with Layers Dave Clarke and Ilya Sergey Katholieke

A Semantics for Context-Oriented Programming with Layers Dave Clarke and Ilya Sergey Katholieke

What is COP Problem description COP formalization A Semantics for Context-Oriented Programming with Layers Dave Clarke and Ilya Sergey Katholieke Universiteit Leuven {Dave.Clarke,Ilya.Sergey}@cs.kuleuven.be International workshop on

797 views • 35 slides
Lecture 4 Specifications Zach Tatlock / Spring 2018 Administrivia Next assignments posted

Lecture 4 Specifications Zach Tatlock / Spring 2018 Administrivia Next assignments posted

CSE 331 Software Design and Implementation Lecture 4 Specifications Zach Tatlock / Spring 2018 Administrivia Next assignments posted tonight: HW2: Written problems on loops Likely due 10am Tuesday April 10 BUT: HW3 (Java

563 views • 39 slides
CSE 341 Programming Languages More Ruby Zach Tatlock Spring 2014 This lecture Three mostly

CSE 341 Programming Languages More Ruby Zach Tatlock Spring 2014 This lecture Three mostly

CSE 341 Programming Languages More Ruby Zach Tatlock Spring 2014 This lecture Three mostly separate topics Flexible arrays, ranges, and hashes [actually covered in section] Rubys approach to almost-closures (blocks) and closures

253 views • 24 slides
Lecture 24 Wrap Up Zach Tatlock / Spring 2018 Final Logistics Wednesday, 8:30 - 10:20 AM

Lecture 24 Wrap Up Zach Tatlock / Spring 2018 Final Logistics Wednesday, 8:30 - 10:20 AM

CSE 331 Software Design and Implementation Lecture 24 Wrap Up Zach Tatlock / Spring 2018 Final Logistics Wednesday, 8:30 - 10:20 AM Comprehensive, weighted towards 2 nd half Old exams on the web; some questions wont apply if we didnt

1.02k views • 24 slides
Toward Standard Formats and Benchmark Suites for Floating Point Tools Zach Tatlock

Toward Standard Formats and Benchmark Suites for Floating Point Tools Zach Tatlock

Toward Standard Formats and Benchmark Suites for Floating Point Tools Zach Tatlock Collaborators Nasrine Damouche Pavel Panchekha Matthieu Martel Alex Sanchez-Stern Eva Darulova Chen Qiu Heiko Becker Sorin Lerner Debasmita Lohar Bill

408 views • 37 slides
CSE 341 : Programming Languages Lecture 10 Closure Idioms Zach Tatlock Spring 2014 More idioms

CSE 341 : Programming Languages Lecture 10 Closure Idioms Zach Tatlock Spring 2014 More idioms

CSE 341 : Programming Languages Lecture 10 Closure Idioms Zach Tatlock Spring 2014 More idioms We know the rule for lexical scope and function closures Now what is it good for A partial but wide-ranging list: Pass functions with

320 views • 30 slides
CSE 505: Programming Languages Lecture 17 Subtyping Zach Tatlock Fall 2013 Tradeoffs

CSE 505: Programming Languages Lecture 17 Subtyping Zach Tatlock Fall 2013 Tradeoffs

CSE 505: Programming Languages Lecture 17 Subtyping Zach Tatlock Fall 2013 Tradeoffs Desirable type system properties ( desiderata ): soundness - exclude all programs that get stuck completeness - include all programs that dont

302 views • 29 slides
CSE 341 : Programming Languages More Racket Intro Zach Tatlock Spring 2014 Delayed evaluation

CSE 341 : Programming Languages More Racket Intro Zach Tatlock Spring 2014 Delayed evaluation

CSE 341 : Programming Languages More Racket Intro Zach Tatlock Spring 2014 Delayed evaluation For each language construct, the semantics specifies when subexpressions get evaluated. In ML, Racket, Java, C: Function arguments are eager

676 views • 18 slides
CSE 341 Programming Languages Implementing PLs Zach Tatlock Spring 2014 Typical workflow

CSE 341 Programming Languages Implementing PLs Zach Tatlock Spring 2014 Typical workflow

CSE 341 Programming Languages Implementing PLs Zach Tatlock Spring 2014 Typical workflow Possible errors / concrete syntax (string) warnings &quot;(fn x =&gt; x + x) 4&quot; Parsing Call abstract syntax (tree) Function Constant

276 views • 26 slides
CSE 505: Programming Languages Lecture 12 The Curry-Howard Isomorphism Zach Tatlock Fall

CSE 505: Programming Languages Lecture 12 The Curry-Howard Isomorphism Zach Tatlock Fall

CSE 505: Programming Languages Lecture 12 The Curry-Howard Isomorphism Zach Tatlock Fall 2013 We are Language Designers! What have we done? Define a programming language we were fairly formal still pretty close to OCaml if you

446 views • 31 slides
uf: Minimizing the Coq Extraction TCB Eric Mullen , Stuart Pernsteiner, James Wilcox, Zachary

uf: Minimizing the Coq Extraction TCB Eric Mullen , Stuart Pernsteiner, James Wilcox, Zachary

uf: Minimizing the Coq Extraction TCB Eric Mullen , Stuart Pernsteiner, James Wilcox, Zachary Tatlock, Dan Grossman 1 Extraction 2 Extraction K coq 2 Extraction K coq 2 Extraction K coq Extraction 2 Extraction K coq Extraction K

1.3k views • 106 slides
CSE341: Programming Languages Lecture 19 Introduction to Ruby and OOP Zach Tatlock Winter 2018

CSE341: Programming Languages Lecture 19 Introduction to Ruby and OOP Zach Tatlock Winter 2018

CSE341: Programming Languages Lecture 19 Introduction to Ruby and OOP Zach Tatlock Winter 2018 Ruby logistics Next two sections use the Ruby language http://www.ruby-lang.org/ Installation / basic usage instructions on course

632 views • 35 slides
CSE341: Programming Languages Lecture 18 Static vs. Dynamic Typing Zach Tatlock Winter 2018

CSE341: Programming Languages Lecture 18 Static vs. Dynamic Typing Zach Tatlock Winter 2018

CSE341: Programming Languages Lecture 18 Static vs. Dynamic Typing Zach Tatlock Winter 2018 Key differences Racket and ML have much in common Key differences Syntax Pattern-matching vs. struct-tests and accessor-functions

517 views • 36 slides

More recommend