model checking of fault tolerant distributed algorithms
play

Model Checking of Fault-Tolerant Distributed Algorithms Igor Konnov - PowerPoint PPT Presentation

Nov 10, 2023 •243 likes •979 views

Model Checking of Fault-Tolerant Distributed Algorithms Igor Konnov joint work with Annu Gmeiner Ulrich Schmid Helmut Veith Josef Widder Igor Konnov Distributed Systems Are they always working? 2/63 No. . . some failing systems

  1. Model Checking of Fault-Tolerant Distributed Algorithms Igor Konnov joint work with Annu Gmeiner Ulrich Schmid Helmut Veith Josef Widder

  2. Igor Konnov Distributed Systems Are they always working? 2/63

  3. No. . . some failing systems Therac-25 (1985) radiation therapy machine gave massive overdoses, e.g., due to race conditions of concurrent tasks Quantas Airbus in-flight Learmonth upset (2008) 1 out of 3 replicated components failed computer initiated dangerous altitude drop Ariane 501 maiden flight (1996) primary/backup, i.e., 2 replicated computers both run into the same integer overflow Netflix outages due to Amazon’s cloud (ongoing) one is not sure what is going on there hundreds of computers involved Igor Konnov 3/63

  4. Why do they fail? Igor Konnov 4/63

  5. Why do they fail? faults at design/implementation phase faults at runtime outside of control of designer/developer e.g., to the right: crack in a diode in the data link interface of the Space Shuttle ⇒ led to erroneous messages being sent Driscoll (Honeywell) Igor Konnov 5/63

  6. Why do they fail? faults at design/implementation phase approach: find and fix faults before operation ⇒ model checking faults at runtime outside of control of designer/developer e.g., to the right: crack in a diode in the data link interface of the Space Shuttle ⇒ led to erroneous messages being sent Driscoll (Honeywell) Igor Konnov 6/63

  7. Why do they fail? faults at design/implementation phase approach: find and fix faults before operation ⇒ model checking faults at runtime outside of control of designer/developer e.g., to the right: crack in a diode in the data link interface of the Space Shuttle ⇒ led to erroneous messages being sent approach: keep system operational despite faults Driscoll (Honeywell) ⇒ fault-tolerant distributed algorithms Igor Konnov 7/63

  8. Bringing both together Goal: automatically verified fault-tolerant distributed algorithms e.g., Paxos, Fast Byzantine Consensus, etc. Igor Konnov 8/63

  9. Bringing both together Goal: automatically verified fault-tolerant distributed algorithms e.g., Paxos, Fast Byzantine Consensus, etc. model checking FTDAs is a research challenge: computers run independently at different speeds exchange messages with uncertain delays faults parameterization . . . fault-tolerance makes model checking harder Igor Konnov 9/63

  10. Why Model Checking? Transition system: s 0 : { r } an alternative proof approach s 3 : { r , y , g } useful counter-examples s 1 : { y } s 2 : { y } ability to define and vary assumptions about the system s 4 : { g } and see why it breaks Linear Temporal Logic: closer to code level F ( ) s 0 s 1 s 2 s 3 s 4 good degree of automation G ( ) s ′ s ′ s ′ s ′ s ′ 0 1 2 3 4 Igor Konnov 10/63

  11. Distributed Algorithms: Model Checking Challenges unbounded data types unbounded number of rounds (round numbers part of messages) parameterization in multiple parameters among n processes f ≤ t are faulty with n > 3 t contrast to concurrent programs diverse fault models (adverse environments) continuous time fault-tolerant clock synchronization degrees of concurrency: synchronous, asynchronous partially synchronous a process makes at most 5 steps between 2 steps of any other process Igor Konnov 11/63

  12. Challenge #1: fault models clean crashes: least severe faulty processes prematurely halt after/before “send to all” crash faults: faulty processes prematurely halt (also) in the middle of “send to all” omission faults: faulty processes follow the algorithm, but some messages sent by them might be lost symmetric faults: faulty processes send arbitrarily to all or nobody Byzantine faults: most severe faulty processes can do anything encompass all behaviors of above models Igor Konnov 12/63

  13. Challenges #2 & #3: Pseudo-code and Communication Translate pseudo-code to a formal description that allows us to verify the algorithm and does not oversimplify the original algorithm. Assumptions about the communication medium are usually written in plain English, spread across research papers, constitute folklore knowledge. Igor Konnov 13/63

  14. Typical Structure of a Computation Step receive messages compute using atomic messages and local variables (description in English with basic control flow if-then-else) send messages Igor Konnov 14/63

  15. Typical Structure of a Computation Step t i c i l p receive messages m i e compute using d atomic messages and local variables o c (description in English - o d with basic control flow u if-then-else) e s p send messages Igor Konnov 15/63

  16. Challenge #4: Parameterized Model Checking Parameterized model checking problem: given a process template P ( n , t , f ) , resilience condition RC : n > 3 t ∧ t ≥ f ≥ 0, fairness constraints Φ , e.g., “all messages will be delivered” and an LTL-X formula ϕ show for all n , t , and f satisfying RC ( P ( n , t , f )) n − f + f faults | = (Φ → ϕ ) n n ? ? ? ? ? ? t t f Igor Konnov 16/63

  17. Challenge #5: Liveness in Distributed Algorithms Interplay of safety and liveness is a central challenge in DAs achieving safety and liveness is non-trivial asynchrony and faults lead to impossibility results [Fischer, Lynch, Paterson’85] Igor Konnov 17/63

  18. Challenge #5: Liveness in Distributed Algorithms Interplay of safety and liveness is a central challenge in DAs achieving safety and liveness is non-trivial asynchrony and faults lead to impossibility results [Fischer, Lynch, Paterson’85] Rich literature to verify safety (e.g. in concurrent systems) Distributed algorithms perspective: “doing nothing is always safe” “tools verify algorithms that actually might do nothing” Verification efforts often have to simplify assumptions Igor Konnov 18/63

  19. Summary We have to model: faults, communication medium captured in English, algorithms written in pseudo-code. and check: safety and liveness of parameterized systems with unbounded integers, non-standard fairness constraints, Igor Konnov 19/63

  20. Model Checking for Small System Sizes Igor Konnov 20/63

  21. Fault-tolerant distributed algorithms n n processes communicate by messages all processes know that at most t of them might be faulty f are actually faulty Igor Konnov 21/63

  22. Fault-tolerant distributed algorithms n ? ? ? t n processes communicate by messages all processes know that at most t of them might be faulty f are actually faulty Igor Konnov 22/63

  23. Fault-tolerant distributed algorithms n ? ? ? t f n processes communicate by messages all processes know that at most t of them might be faulty f are actually faulty Igor Konnov 23/63

  24. Asynchronous Reliable Broadcast [Srikanth & Toueg’87] The core of the classic broadcast algorithm from the DA literature. It solves an agreement problem depending on the inputs v i . Variables of process i v i : { 0 , 1 } i n i t i a l l y 0 or 1 accept i : { 0 , 1 } i n i t i a l l y 0 An atomic step: i f v i = 1 then send ( echo ) to all ; i f received (echo) from at l e a s t t + 1 distinct processes and not sent ( echo ) before then send ( echo ) to all ; i f received ( echo ) from at l e a s t n - t distinct processes then accept i := 1 ; Igor Konnov 24/63

  25. Asynchronous Reliable Broadcast [Srikanth & Toueg’87] The core of the classic broadcast algorithm from the DA literature. It solves an agreement problem depending on the inputs v i . Variables of process i v i : { 0 , 1 } i n i t i a l l y 0 or 1 accept i : { 0 , 1 } i n i t i a l l y 0 asynchronous t Byzantine faults An atomic step: i f v i = 1 correct if n > 3 t then send ( echo ) to all ; the code is i f received (echo) from parameterized in n at l e a s t t + 1 distinct processes and t and not sent ( echo ) before then send ( echo ) to all ; ⇒ process template i f received ( echo ) from at l e a s t P ( n , t , f ) n - t distinct processes then accept i := 1 ; Igor Konnov 25/63

  26. Threshold-Guarded Distributed Algorithms Standard construct: quantified guards (t=f=0) Existential Guard if received m from some process then ... Universal Guard if received m from all processes then ... Igor Konnov 26/63

  27. Threshold-Guarded Distributed Algorithms Standard construct: quantified guards (t=f=0) Existential Guard if received m from some process then ... Universal Guard if received m from all processes then ... what if faults might occur? Igor Konnov 27/63

  28. Threshold-Guarded Distributed Algorithms Standard construct: quantified guards (t=f=0) Existential Guard if received m from some process then ... Universal Guard if received m from all processes then ... what if faults might occur? Fault-Tolerant Algorithms: n processes, at most t are Byzantine Threshold Guard if received m from n − t processes then ... (the processes cannot refer to f !) Igor Konnov 28/63

  29. Counting Argument in Threshold-Guarded Algorithms t + 1 n t f Correct processes count incoming messages from distinct processes Igor Konnov 29/63

  30. Counting Argument in Threshold-Guarded Algorithms t + 1 n t f Correct processes count incoming messages from distinct processes Igor Konnov 30/63

  31. Counting Argument in Threshold-Guarded Algorithms t + 1 n at least one non-faulty sent the message t f Correct processes count incoming messages from distinct processes Igor Konnov 31/63

Recommend

Parameterized Model Checking of Fault-tolerant Distributed Algorithms by Abstraction Annu John

Parameterized Model Checking of Fault-tolerant Distributed Algorithms by Abstraction Annu John

Parameterized Model Checking of Fault-tolerant Distributed Algorithms by Abstraction Annu John Igor Konnov Ulrich Schmid Helmut Veith Josef Widder FMCAD13 Portland, OR, USA, Oct 20-23, 2013 Igor Konnov (www.forsyte.at) Parameterized

939 views • 70 slides
SMT and POR beat Counter Abstraction Parameterized Model Checking of Threshold-Based Distributed

SMT and POR beat Counter Abstraction Parameterized Model Checking of Threshold-Based Distributed

SMT and POR beat Counter Abstraction Parameterized Model Checking of Threshold-Based Distributed Algorithms Igor Konnov Helmut Veith Josef Widder Alpine Verification Meeting May 4-6, 2015 Why fault-tolerant (FT) distributed algorithms

859 views • 64 slides
Overview Introduction ECE 753: FAULT-TOLERANT Watchdog techniques COMPUTING

Overview Introduction ECE 753: FAULT-TOLERANT Watchdog techniques COMPUTING

3/25/2014 Overview Introduction ECE 753: FAULT-TOLERANT Watchdog techniques COMPUTING Timers, watchdog processors, error model, control flow checking, memory access and assertion Kewal K.Saluja checking Re-execution for

209 views • 5 slides
Fault-tolerant techniques Fault-tolerant techniques What causes component faults? What are the

Fault-tolerant techniques Fault-tolerant techniques What causes component faults? What are the

EDA421/DIT171 - Parallel and Distributed Real-Time Systems, Chalmers/GU, 2011/2012 Lecture #14 Updated May 2, 2012 Fault-tolerant techniques Fault-tolerant techniques What causes component faults? What are the effects if the

374 views • 9 slides
Fault-Tolerant Distributed Optimization Lili Su, Arun Padakandla, Qiong Hu, Seyyed A. Fatemi,

Fault-Tolerant Distributed Optimization Lili Su, Arun Padakandla, Qiong Hu, Seyyed A. Fatemi,

Fault-Tolerant Distributed Optimization Lili Su, Arun Padakandla, Qiong Hu, Seyyed A. Fatemi, Rehana Mahfuz, Vidyasagar Sadhu CSOI-Data Science Workshop May 27th, 2016 Lili Su et al. (SOI-DSWKSP) Fault-tolerant distributed optimization May

854 views • 6 slides
Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault

Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault

4/1/2014 Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault coverage COMPUTING Checkpointing and backward error recovery (rollback) Kewal K.Saluja General principles General principles

259 views • 3 slides
Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi

Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi

Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi Distributed Systems Fault tolerance A system or a component fails due to a fault Fault tolerance means that the system continues to provide its

428 views • 40 slides
Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

361 views • 18 slides
Re Resilient Distributed Datasets: A Fa Fault-To Tolerant Abstraction for In In-Me Memor

Re Resilient Distributed Datasets: A Fa Fault-To Tolerant Abstraction for In In-Me Memor

Re Resilient Distributed Datasets: A Fa Fault-To Tolerant Abstraction for In In-Me Memor ory Cl Cluster r Com Computi ting Authors: Matei Zaharia, Mosharaf Chowdhury, Tathagata Das, Ankur Dave, Justin Ma, Murphy McCauley, Michael J.

733 views • 27 slides
Computability Abstractions for Fault-tolerant Asynchronous Distributed Computing Julien Stainer

Computability Abstractions for Fault-tolerant Asynchronous Distributed Computing Julien Stainer

Computability Abstractions for Fault-tolerant Asynchronous Distributed Computing Julien Stainer under the supervision of Michel Raynal March 18 th , 2015 Computability Abstractions for Fault-tolerant Asynchronous Distributed Computing 1 / 51

1.63k views • 147 slides
Fault Tolerant Distributed Main Memory Systems CompSci 590.04

Fault Tolerant Distributed Main Memory Systems CompSci 590.04

Fault Tolerant Distributed Main Memory Systems CompSci 590.04 Instructor: Ashwin Machanavajjhala Lecture 16 : 590.04 Fall 15 1 Recap: Map Reduce ma p ! ! ,

641 views • 30 slides
FAULT-TOLERANT CONTROL Is it possible? JAN MACIEJOWSKI Fault- tolerant control. DPS09,

FAULT-TOLERANT CONTROL Is it possible? JAN MACIEJOWSKI Fault- tolerant control. DPS09,

FAULT-TOLERANT CONTROL Is it possible? JAN MACIEJOWSKI Fault- tolerant control. DPS09, Gdask Canonical Control Engineering Problem Disturbance Controlled output Set-point Filter Controller Plant Sensor Noise This problem is

639 views • 29 slides
4/22/2009 Designing highly available systems Incorporate elements of fault-tolerant design

4/22/2009 Designing highly available systems Incorporate elements of fault-tolerant design

4/22/2009 Designing highly available systems Incorporate elements of fault-tolerant design Replication, TMR Distributed Systems Fully fault tolerant system will offer non-stop availability Clusters You cant achieve this! Problem:

458 views • 11 slides
CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms

CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms

CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms for ( U ) Counter Examples and witnesses Symbolic Model Checking (Thursday) Binary Decision Trees

740 views • 40 slides
An Approach to Manage Reconfiguration in Fault- Tolerant Distributed System s Stefano Porcarelli

An Approach to Manage Reconfiguration in Fault- Tolerant Distributed System s Stefano Porcarelli

An Approach to Manage Reconfiguration in Fault- Tolerant Distributed System s Stefano Porcarelli 1 , Marco Castaldi 2 , Felicita Di Giandomenico 1 , Andrea Bondavalli 3 , Paola Inverardi 2 1 Italian National Research Council, ISTI Dept, Italy

284 views • 14 slides
Resilient Distributed Datasets: A Fault-Tolerant Abstraction for In-Memory Cluster Computing

Resilient Distributed Datasets: A Fault-Tolerant Abstraction for In-Memory Cluster Computing

Resilient Distributed Datasets: A Fault-Tolerant Abstraction for In-Memory Cluster Computing Presentation by Zbigniew Chlebicki based on paper by Matei Zaharia, Mosharaf Chowdhury, Tathagata Das, Ankur Dave, Justin Ma, Murphy McCauley, Michael

510 views • 15 slides
Resilient Distributed Datasets: A Fault-Tolerant Abstraction for In-Memory Cluster Computing M.

Resilient Distributed Datasets: A Fault-Tolerant Abstraction for In-Memory Cluster Computing M.

Resilient Distributed Datasets: A Fault-Tolerant Abstraction for In-Memory Cluster Computing M. Zaharia, M. Chowdhury, T. Das, A. Dave, J. Ma, M. McCauley, M.J. Franklin, S. Shenker, I. Stoica Computer Laboratory Principal Motivation

628 views • 15 slides
Building a Fault- Building a Fault- Tolerant Distributed Tolerant Distributed System with

Building a Fault- Building a Fault- Tolerant Distributed Tolerant Distributed System with

Building a Fault- Building a Fault- Tolerant Distributed Tolerant Distributed System with System with zookeepertcl zookeepertcl Tcl Conference 2018 Tcl Conference 2018 Garrett McGrath Garrett McGrath /whois /whois /whois /whois

1.43k views • 125 slides
On Partial Aborts and Reducing Validation Costs in Fault-tolerant Distributed Transactional

On Partial Aborts and Reducing Validation Costs in Fault-tolerant Distributed Transactional

On Partial Aborts and Reducing Validation Costs in Fault-tolerant Distributed Transactional Memory Committee Members: Presented by Aditya Dhoke Binoy Ravindran, Co-Chair 09/04/2013 Eli Tilevich, Co-Chair Wu-chun Feng Thesis Contribution

391 views • 37 slides
CS6100: Topics in Design and Analysis of Algorithms Fault Tolerant Consensus CS6100 (Even 2012):

CS6100: Topics in Design and Analysis of Algorithms Fault Tolerant Consensus CS6100 (Even 2012):

CS6100: Topics in Design and Analysis of Algorithms Fault Tolerant Consensus CS6100 (Even 2012): Fault Tolerant Consensus Models Failure Types 1. Clean Crash Failure completely fail 2. (Unclean) Crash Failure fail after some messages

653 views • 16 slides
A Distributed Replication Strategy Evaluation and Selection Framework for Fault Tolerant Web

A Distributed Replication Strategy Evaluation and Selection Framework for Fault Tolerant Web

A Distributed Replication Strategy Evaluation and Selection Framework for Fault Tolerant Web Services Zibin Zheng and Michael R. Lyu Department of Computer Science & Engineering The Chinese University of Hong Kong Hong Kong, China ICWS

208 views • 20 slides
Adaptive Fault Tolerant Systems: Adaptive Fault Tolerant Systems: Reflective Design and

Adaptive Fault Tolerant Systems: Adaptive Fault Tolerant Systems: Reflective Design and

1 Adaptive Fault Tolerant Systems: Adaptive Fault Tolerant Systems: Reflective Design and Validation Reflective Design and Validation Marc-Olivier Killijian Dependable Computing and Fault Tolerance Research Group Toulouse - France 2

865 views • 50 slides
Fault-Tolerant Services in Distributed Systems Usin Vijay K. Garg email: garg@ece.utexas.edu

Fault-Tolerant Services in Distributed Systems Usin Vijay K. Garg email: garg@ece.utexas.edu

Using Order in Distributed Computing Fault-Tolerant Services in Distributed Systems Usin Vijay K. Garg email: garg@ece.utexas.edu (includes joint work with Bharath Balasubramanian and Vi ECE Dept., Univ. Texas at Austin Using Order in

713 views • 27 slides
Non-Cryptographic Fault-Tolerant Distributed Computation Marek Hamerlik December 6, 2007 Marek

Non-Cryptographic Fault-Tolerant Distributed Computation Marek Hamerlik December 6, 2007 Marek

Introduction t-privacy Tools t-resilience Advanced Non-Cryptographic Fault-Tolerant Distributed Computation Marek Hamerlik December 6, 2007 Marek Hamerlik Non-Cryptographic Fault-Tolerant Distributed Computation Introduction t-privacy

866 views • 67 slides

More recommend