mechanical verification of a constructive proof for flp
play

Mechanical Verification of a Constructive Proof for FLP according - PowerPoint PPT Presentation

Oct 30, 2023 •463 likes •947 views

Mechanical Verification of a Constructive Proof for FLP according to Hagen V olzer Bisping Brodmann Jungnickel Rickmann St uber Wilhelm-Weidner Seidler Peters Nestmann 24 August 2016 Models and Theory of Distributed Systems

  1. Mechanical Verification of a Constructive Proof for FLP according to Hagen V¨ olzer Bisping Brodmann Jungnickel Rickmann St¨ uber Wilhelm-Weidner Seidler Peters Nestmann 24 August 2016 Models and Theory of Distributed Systems Bisping et al. FLP Constructive Proof 24 August 2016 1 / 15

  2. Introduction Consensus – Motivation Example • distributed database • each at different state • decide whether to apply transaction Bisping et al. FLP Constructive Proof 24 August 2016 2 / 15

  3. Introduction Consensus – Motivation Example • distributed database • each at different state • decide whether to apply transaction • exchange messages • all have to arrive at same decision Bisping et al. FLP Constructive Proof 24 August 2016 2 / 15

  4. Introduction Consensus – Motivation Example • distributed database • each at different state • decide whether to apply transaction • exchange messages • all have to arrive at same decision Problem processes may crash Bisping et al. FLP Constructive Proof 24 August 2016 2 / 15

  5. Introduction The FLP Theorem Theorem (Fischer, Lynch, Paterson, 1985) impossible to ensure consensus, if processes may crash Bisping et al. FLP Constructive Proof 24 August 2016 3 / 15

  6. Introduction The FLP Theorem Theorem (Fischer, Lynch, Paterson, 1985) impossible to ensure consensus, if processes may crash Theorem (V¨ olzer, 2004) more constructive proof of FLP Bisping et al. FLP Constructive Proof 24 August 2016 3 / 15

  7. Introduction The FLP Theorem Theorem (Fischer, Lynch, Paterson, 1985) impossible to ensure consensus, if processes may crash Theorem (V¨ olzer, 2004) more constructive proof of FLP Our Work • based on the more constructive paper of V¨ olzer • formalizing this proof in Isabelle/HOL • . . . including “fairness”, which was just stated Bisping et al. FLP Constructive Proof 24 August 2016 3 / 15

  8. Introduction Consensus Model • finite set of sequential processes • asynchronous communication channels between all pairs p 0 1 p 3 p 1 1 0 p 2 0 Bisping et al. FLP Constructive Proof 24 August 2016 4 / 15

  9. Introduction Consensus Model • finite set of sequential processes • asynchronous communication channels between all pairs Definition: Binary Consensus p 0 Each process gets an input value from { 0 , 1 } and 1 may irrevocably decide on a final output value such that: p 3 p 1 • Agreement : No two processes decide 1 0 differently. • Validity : The output value is the input value p 2 of some process. 0 • Termination : Each process eventually decides or crashes. Bisping et al. FLP Constructive Proof 24 August 2016 4 / 15

  10. Introduction Consensus Model • finite set of sequential processes • asynchronous communication channels between all pairs Definition: Binary Consensus p 0 Each process gets an input value from { 0 , 1 } and 1 may irrevocably decide on a final output value such that: p 3 p 1 • Agreement : No two processes decide 1 0 differently. • Validity : The output value is the input value p 2 of some process. 0 • Termination : Each process eventually decides or crashes. Bisping et al. FLP Constructive Proof 24 August 2016 4 / 15

  11. Introduction Fairness • easy to obtain undesired behaviour • “block” process by not processing its messages Bisping et al. FLP Constructive Proof 24 August 2016 5 / 15

  12. Introduction Fairness • easy to obtain undesired behaviour • “block” process by not processing its messages Definition: Fair Execution Each message is processed (as long as receiver not crashed). Bisping et al. FLP Constructive Proof 24 August 2016 5 / 15

  13. Introduction Fairness • easy to obtain undesired behaviour • “block” process by not processing its messages Definition: Fair Execution Each message is processed (as long as receiver not crashed). • unfair execution practically irrelevant Bisping et al. FLP Constructive Proof 24 August 2016 5 / 15

  14. Introduction The FLP Theorem Theorem (V¨ olzer, 2004) There is no consensus algorithm such that • a process may crash • validity • agreement • every fair execution terminates Bisping et al. FLP Constructive Proof 24 August 2016 6 / 15

  15. Introduction The FLP Theorem Theorem (V¨ olzer, 2004) There is no consensus algorithm such that • a process may crash • validity • agreement • every fair execution terminates fundamental result in distributed computing Bisping et al. FLP Constructive Proof 24 August 2016 6 / 15

  16. Introduction The FLP Theorem Theorem (V¨ olzer, 2004) Every consensus algorithm such that • a process may crash • validity • agreement has an infinite fair execution that does not decide. Bisping et al. FLP Constructive Proof 24 August 2016 7 / 15

  17. Introduction The FLP Theorem Theorem (V¨ olzer, 2004) Every consensus algorithm such that • a process may crash • validity • agreement has an infinite fair execution that does not decide. � constructive Bisping et al. FLP Constructive Proof 24 August 2016 7 / 15

  18. Introduction The FLP Theorem Theorem (V¨ olzer, 2004) Every consensus algorithm such that • a process may crash • validity • agreement has an infinite fair execution that does not decide. � constructive Idea of proof • find invariant that ensures non-decided • find proper way to extend finite execution, keeping the invariant • infinite fair run Bisping et al. FLP Constructive Proof 24 August 2016 7 / 15

  19. Our proof in Isabelle/HOL Initial Lemma Non-uniform There are processes p , q such that • crash of p allows decision 0 • crash of q allows decision 1 Bisping et al. FLP Constructive Proof 24 August 2016 8 / 15

  20. Our proof in Isabelle/HOL Initial Lemma Non-uniform There are processes p , q such that • crash of p allows decision 0 • crash of q allows decision 1 Initial Lemma There is a non-uniform initial configuration. Bisping et al. FLP Constructive Proof 24 August 2016 8 / 15

  21. Our proof in Isabelle/HOL Initial Lemma Non-uniform There are processes p , q such that • crash of p allows decision 0 • crash of q allows decision 1 Initial Lemma There is a non-uniform initial configuration. Small error in V¨ olzer’s proof • used same symbol for different configurations • required adaption in proof Bisping et al. FLP Constructive Proof 24 August 2016 8 / 15

  22. Our proof in Isabelle/HOL Extension Lemma Extension Lemma - V¨ olzer’s version For each non-uniform configuration c and each process p there is a configuration c ′ such that c ⇒ ∗ c ′ and crash of p in c ′ allows for both decisions. Bisping et al. FLP Constructive Proof 24 August 2016 9 / 15

  23. Our proof in Isabelle/HOL Extension Lemma Extension Lemma - V¨ olzer’s version For each non-uniform configuration c and each process p there is a configuration c ′ such that c ⇒ ∗ c ′ and crash of p in c ′ allows for both decisions. Extension Lemma – our version • choose message ( p , m ) – receiver p , content m • apply Extension Lemma for this p • can safely consume message (keeping invariant) all put into single extension Bisping et al. FLP Constructive Proof 24 August 2016 9 / 15

  24. Our proof in Isabelle/HOL Extension – Picture 0 • c 1 Bisping et al. FLP Constructive Proof 24 August 2016 10 / 15

  25. Our proof in Isabelle/HOL Extension – Picture 0 p • • c 1 Bisping et al. FLP Constructive Proof 24 August 2016 10 / 15

  26. Our proof in Isabelle/HOL Extension – Picture 0 p Extension • • c c ′ 1 Bisping et al. FLP Constructive Proof 24 August 2016 10 / 15

  27. Our proof in Isabelle/HOL Extension – Picture 0 p Extension • • c c ′ 1 Bisping et al. FLP Constructive Proof 24 August 2016 10 / 15

  28. Our proof in Isabelle/HOL Extension – Picture 0 p Extension • • c c ′ 1 Bisping et al. FLP Constructive Proof 24 August 2016 10 / 15

  29. Our proof in Isabelle/HOL FLP-Theorem FLP-Theorem Each possible consensus algorithm has a fair infinite execution that does not decide. Bisping et al. FLP Constructive Proof 24 August 2016 11 / 15

  30. Our proof in Isabelle/HOL FLP-Theorem FLP-Theorem Each possible consensus algorithm has a fair infinite execution that does not decide. Proof by V¨ olzer • start with non-uniform initial configuration • take message with minimal enabling time • extend execution using Extension Lemma, ending with non-uniform configuration • repeat this process Bisping et al. FLP Constructive Proof 24 August 2016 11 / 15

  31. Our proof in Isabelle/HOL Proof Idea 0 • Initial 1 Bisping et al. FLP Constructive Proof 24 August 2016 12 / 15

  32. Our proof in Isabelle/HOL Proof Idea 0 • • Initial ( p 1 , m 1 ) • 1 Bisping et al. FLP Constructive Proof 24 August 2016 12 / 15

  33. Our proof in Isabelle/HOL Proof Idea 0 Extension • • Initial ( p 1 , m 1 ) • 1 Bisping et al. FLP Constructive Proof 24 August 2016 12 / 15

  34. Our proof in Isabelle/HOL Proof Idea 0 Extension • • Initial ( p 1 , m 1 ) • 1 Bisping et al. FLP Constructive Proof 24 August 2016 12 / 15

  35. Our proof in Isabelle/HOL Proof Idea 0 • ( p 2 , m 2 ) Extension • • • Initial ( p 1 , m 1 ) • 1 Bisping et al. FLP Constructive Proof 24 August 2016 12 / 15

Recommend

Constructive decision via redundancy-free proof-search Dominique Larchey-Wendling TYPES team,

Constructive decision via redundancy-free proof-search Dominique Larchey-Wendling TYPES team,

Constructive decision via redundancy-free proof-search Dominique Larchey-Wendling TYPES team, ANR TICAMORE LORIA CNRS Nancy, France Second TICAMORE meeting Marseille, Nov. 2017 1 Constructive termination of

517 views • 19 slides
Constructive Verification, Empirical Induction, and Falibilist Deduction: A Threefold Contrast

Constructive Verification, Empirical Induction, and Falibilist Deduction: A Threefold Contrast

Constructive Verification, Empirical Induction, and Falibilist Deduction: A Threefold Contrast Interpretation of Bayesian e -values Julio Michael Stern , Institute of Mathematics and Statistics of the University of Sao Paulo

371 views • 36 slides
An Almost Constructive Proof of Classical First-Order Completeness First Bachelor Seminar Talk

An Almost Constructive Proof of Classical First-Order Completeness First Bachelor Seminar Talk

An Almost Constructive Proof of Classical First-Order Completeness First Bachelor Seminar Talk Dominik Wehr Advisors: Dominik Kirst, Yannick Forster Saarland University 14th December 2018 Syntax, Deduction, and Semantics Model Existence

489 views • 19 slides
Human-Readable Machine-Verifiable Proofs for Teaching Constructive Logic Andreas Abel, Bor-Yuh

Human-Readable Machine-Verifiable Proofs for Teaching Constructive Logic Andreas Abel, Bor-Yuh

Human-Readable Machine-Verifiable Proofs for Teaching Constructive Logic Andreas Abel, Bor-Yuh Evan Chang, and Frank Pfenning Workshop on Proof Transformations, Proof Presentations and Complexity of Proofs International Joint Conference on

578 views • 23 slides
TOURNAMENT PAPER WORK REVIEW TOURNAMENT PLAYER VERIFICATION FORM Proof of Age Proof of

TOURNAMENT PAPER WORK REVIEW TOURNAMENT PLAYER VERIFICATION FORM Proof of Age Proof of

TOURNAMENT PAPER WORK REVIEW TOURNAMENT PLAYER VERIFICATION FORM Proof of Age Proof of Residency School Enrollment Player Information Proof of Age (BC) Proof of Residency OR School Enrollment Waivers Signatures Proof of Residency:

480 views • 32 slides
+ proof obligations Automatic Verification of TLA with SMT solvers Stephan Merz and Hern an

+ proof obligations Automatic Verification of TLA with SMT solvers Stephan Merz and Hern an

+ proof obligations Automatic Verification of TLA with SMT solvers Stephan Merz and Hern an Vanzetto LPAR-18, M erida, Venezuela March 12th, 2012 1 + language The TLA Specification and verification language for (concurrent and

735 views • 27 slides
Program Extraction in Constructive Analysis Helmut Schwichtenberg Mathematisches Institut,

Program Extraction in Constructive Analysis Helmut Schwichtenberg Mathematisches Institut,

Program Extraction in Constructive Analysis Helmut Schwichtenberg Mathematisches Institut, Universit at M unchen 1 Program extraction from proofs Every constructive existence proof contains an algorithm. Bishop 1970 Mathematics as a

868 views • 45 slides
A Constructive Proof of Dependent Choice, Compatible with Classical Logic Hugo Herbelin INRIA -

A Constructive Proof of Dependent Choice, Compatible with Classical Logic Hugo Herbelin INRIA -

A Constructive Proof of Dependent Choice, Compatible with Classical Logic Hugo Herbelin INRIA - PPS - Univ. Paris Diderot Paris, France e-mail: Hugo.Herbelin@inria.fr and P ( t 2 ) in the right-hand side, leading to an unexpected de- Abstract

271 views • 10 slides
KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems Safety-critical Verification Proof assistance Proof assistants Proof experience 2/10 Proof Experience Issues High iteration cost

339 views • 10 slides
iCoq : Regression Proof Selection for Large-Scale Verification Projects Karl Palmskog University

iCoq : Regression Proof Selection for Large-Scale Verification Projects Karl Palmskog University

iCoq : Regression Proof Selection for Large-Scale Verification Projects iCoq : Regression Proof Selection for Large-Scale Verification Projects Karl Palmskog University of Illinois at Urbana-Champaign Joint work with Ahmet Celik and Milos

837 views • 45 slides
A Simple Framework for Program Verification and its Mechanical Certification in Theorema Tudor

A Simple Framework for Program Verification and its Mechanical Certification in Theorema Tudor

A Simple Framework for Program Verification and its Mechanical Certification in Theorema Tudor Jebelean M ad alina Era scu Research Institute for Symbolic Computation, Johannes Kepler University, Linz, Austria October 2012 1/25

430 views • 26 slides
Logosphere A Digital Library of Formal Proof Carsten Schrmann Processor Verification

Logosphere A Digital Library of Formal Proof Carsten Schrmann Processor Verification

Logosphere A Digital Library of Formal Proof Carsten Schrmann Processor Verification INTEL (HOL/HOL light). [John Harrison] $500mio Pentium bug. AMD (ACL2, Nqthm). [Matt Kaufmann] Siemens, Microsoft (ASM). [Yuri

502 views • 32 slides
Formal verification of an optimizing compiler or: a software-proof codesign approach to the

Formal verification of an optimizing compiler or: a software-proof codesign approach to the

Formal verification of an optimizing compiler or: a software-proof codesign approach to the development of trusted compilers Xavier Leroy INRIA Rocquencourt MEMOCODE 2007 X. Leroy (INRIA) Formal compiler verification MEMOCODE 2007 1 / 61

969 views • 62 slides
A Proof Repository for Formal Verification of Software Michael Franssen WASDeTT- 3 September 20

A Proof Repository for Formal Verification of Software Michael Franssen WASDeTT- 3 September 20

A Proof Repository for Formal Verification of Software Michael Franssen WASDeTT- 3 September 20 th 2010 Cocktail Derive programs from their specifications Does not scale and nobody programs like this Create proofs interactively with an

342 views • 7 slides
Local proof transformations for flexible interpolation and proof reduction N. Sharygina Formal

Local proof transformations for flexible interpolation and proof reduction N. Sharygina Formal

Local proof transformations for flexible interpolation and proof reduction N. Sharygina Formal Verification and Security Group University of Lugano June 21, 2011 Natasha Sharygina (USI) Flexible Proof Transformation June 21, 2011 1 / 72

2.21k views • 186 slides
Constructive Mathematics in Constructive Set Theory Nicola Gambino University of Palermo MALOA

Constructive Mathematics in Constructive Set Theory Nicola Gambino University of Palermo MALOA

Constructive Mathematics in Constructive Set Theory Nicola Gambino University of Palermo MALOA Worskhop Leeds, June 30th 2011 Classical vs Constructive Mathematics AC EM Pow ZFC ZF IZF Topos

255 views • 24 slides
Whats on todays menu? F Wrap up of Proof Techniques F Review of Chapter 1 F Introduction to

Whats on todays menu? F Wrap up of Proof Techniques F Review of Chapter 1 F Introduction to

Whats on todays menu? F Wrap up of Proof Techniques F Review of Chapter 1 F Introduction to Sets R. Rao, CSE 311 Chapter 1 review 1 Existence Proofs F Goal: Prove x P( x ) 1 st way: F Two ways: 2 nd way: Constructive proof Destructive

264 views • 5 slides
Constructive Homology Classes and Constructive Triangulations Dedicated to Mirian Andr` es

Constructive Homology Classes and Constructive Triangulations Dedicated to Mirian Andr` es

Constructive Homology Classes and Constructive Triangulations Dedicated to Mirian Andr` es Francis Sergeraert, Institut Fourier, Grenoble Mathematics Algorithms and Proofs Logro no, Spain, 8-12 November, 2010 1/17 Semantics of colours:

314 views • 19 slides
On the constructive content of proofs in abstract analysis Ulrich Berger Swansea University

On the constructive content of proofs in abstract analysis Ulrich Berger Swansea University

On the constructive content of proofs in abstract analysis Ulrich Berger Swansea University j.w.w. Hideki Tsuiki Kyoto University Proof and translation: Glivenkos theorem 90 years after CLMPST, Prague, August 9, 2019 1 / 44 From

1.41k views • 108 slides
Tableaux Modulo Theories using Superdeduction An Application to the Verification of B Proof Rules

Tableaux Modulo Theories using Superdeduction An Application to the Verification of B Proof Rules

Tableaux Modulo Theories using Superdeduction An Application to the Verification of B Proof Rules with the Zenon Automated Theorem Prover David Delahaye David.Delahaye@cnam.fr CPR Team / Deducteam (CEDRIC / Inria) CPR / Deducteam Seminar

525 views • 30 slides
Verification of Dekkers Algorithm Proof of mutual exclusion Algorithm 4.2: Dekkers

Verification of Dekkers Algorithm Proof of mutual exclusion Algorithm 4.2: Dekkers

CoSc 450: Programming Paradigms 04 Verification of Dekkers Algorithm Proof of mutual exclusion Algorithm 4.2: Dekkers algorithm boolean wantp false, wantq false integer turn 1 p q loop forever loop forever non-critical

1.32k views • 82 slides
Aims of Session Understand the concept of constructive alignment Identify the benefits

Aims of Session Understand the concept of constructive alignment Identify the benefits

Aims of Session Understand the concept of constructive alignment Identify the benefits of constructive alignment Consider examples of how constructive alignment can enhance the learning and teaching environment Constructive

518 views • 14 slides
Verification in Scientific Computing: from Pristine to Practical to Perimeter-Extending Joseph M.

Verification in Scientific Computing: from Pristine to Practical to Perimeter-Extending Joseph M.

Verification in Scientific Computing: from Pristine to Practical to Perimeter-Extending Joseph M. Powers Department of Aerospace and Mechanical Engineering University of Notre Dame ASME V&V 2020 Virtual Verification and Validation

791 views • 55 slides
A Mechanical Soundness Proof for Subtyping over Recursive Types Timothy Jones, David Pearce

A Mechanical Soundness Proof for Subtyping over Recursive Types Timothy Jones, David Pearce

A Mechanical Soundness Proof for Subtyping over Recursive Types Timothy Jones, David Pearce Victoria University of Wellington tim@ecs.vuw.ac.nz July 19, 2016 Recursive Types Recursive Types type IntList is { int data, IntList next } | null 1

973 views • 61 slides

More recommend