proving weakly consistent applications correct
play

Proving Weakly Consistent Applications Correct Alexey Gotsman - PowerPoint PPT Presentation

Oct 10, 2023 •446 likes •967 views

Proving Weakly Consistent Applications Correct Alexey Gotsman IMDEA Software Institute, Madrid, Spain Joint work with Hongseok Yang (Oxford), Carla Ferreira (U Nova Lisboa), Mahsa Najafzadeh, Marc Shapiro (INRIA) Eventually consistent

  1. Proving Weakly Consistent Applications Correct Alexey Gotsman IMDEA Software Institute, Madrid, Spain Joint work with Hongseok Yang (Oxford), Carla Ferreira (U Nova Lisboa), Mahsa Najafzadeh, Marc Shapiro (INRIA)

  2. Eventually consistent databases deposit(100) • No synchronisation: process an update locally, propagate effects to other replicas later • Weakens consistency: deposit seen with a delay

  3. balance ≥ 0 balance = 100 balance = 100

  4. balance ≥ 0 balance = 100 balance = 100 withdraw(100) : ✔ withdraw(100) : ✔ balance = 0 balance = 0

  5. balance ≥ 0 balance = 100 balance = 100 withdraw(100) : ✔ withdraw(100) : ✔ balance = 0 balance = 0 balance = -100

  6. balance ≥ 0 balance = 100 balance = 100 withdraw(100) : ✔ withdraw(100) : ✔ balance = 0 balance = 0 balance = -100 deposit(100)

  7. balance ≥ 0 balance = 100 balance = 100 withdraw(100) : ✔ withdraw(100) : ✔ balance = 0 balance = 0 balance = -100 Tune consistency: • Withdrawals strongly consistent deposit(100) • Deposits eventually consistent

  8. Consistency choices • Databases with multiple consistency levels: ‣ Commercial: Amazon DynamoDB, Basho Riak, Microsoft DocumentDB ‣ Research: Li + OSDI’12; Terry + SOSP’13; Balegas + EuroSys’15... • Pay for stronger semantics with latency, possible unavailability and money • Hard to figure out the minimum consistency necessary to maintain correctness - proof rule and tool

  9. Consistency model • Generic model - not implemented, but can encode many existing models that are: RedBlue consistency [Li + 2012], reservation locks [Balegas + 2015], parallel snapshot isolation [Sovran + 2011], ... • Causal consistency as a baseline: observe an update ➜ observe the updates it depends on • A construct for strengthening consistency on demand

  10. Operation semantics σ op ⟦ op ⟧ val Replica states: σ ∈ State Return value: ⟦ op ⟧ val ∈ State ➞ Value

  11. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) Replica states: σ ∈ State Return value: ⟦ op ⟧ val ∈ State ➞ Value Effector: ⟦ op ⟧ eff ∈ State ➞ (State ➞ State)

  12. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) Replica states: σ ∈ State Return value: ⟦ op ⟧ val ∈ State ➞ Value Effector: ⟦ op ⟧ eff ∈ State ➞ (State ➞ State)

  13. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ Effector ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) Replica states: σ ∈ State Return value: ⟦ op ⟧ val ∈ State ➞ Value Effector: ⟦ op ⟧ eff ∈ State ➞ (State ➞ State)

  14. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ Effector ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) Replica states: σ ∈ State Return value: ⟦ op ⟧ val ∈ State ➞ Value Effector: ⟦ op ⟧ eff ∈ State ➞ (State ➞ State)

  15. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) State = Z ⟦ balance() ⟧ val ( σ ) = σ ⟦ balance() ⟧ eff ( σ ) = λσ . σ

  16. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) ⟦ deposit(100) ⟧ eff ( σ ) = λσʹ . ( σʹ + 100)

  17. Operation semantics σ op ⟦ op ⟧ eff ( σ ) 50 ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) ⟦ deposit(100) ⟧ eff ( σ ) = λσʹ . ( σʹ + 100)

  18. Operation semantics σ op ⟦ op ⟧ eff ( σ ) 50 ⟦ op ⟧ val 150 ⟦ deposit(100) ⟧ eff ( σ ) = λσʹ . ( σʹ + 100)

  19. Ensuring eventual consistency • Effectors have to commute • Eventual consistency: replicas receiving the same messages in different orders end up in the same state • Replicated data types [Shapiro + 2011]: ready-made commutative implementations ⟦ deposit(100) ⟧ eff ( σ ) = λσʹ . ( σʹ + 100)

  20. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) ⟦ withdraw(100) ⟧ eff ( σ ) = if σ ≥ 100 then ( λσʹ . σʹ - 100) else ( λσʹ . σʹ )

  21. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) ⟦ withdraw(100) ⟧ eff ( σ ) = if σ ≥ 100 then ( λσʹ . σʹ - 100) else ( λσʹ . σʹ )

  22. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) ⟦ withdraw(100) ⟧ eff ( σ ) = if σ ≥ 100 then ( λσʹ . σʹ - 100) else ( λσʹ . σʹ )

  23. Operation semantics σ op ⟦ op ⟧ eff ( σ ) σʹ ⟦ op ⟧ val ⟦ op ⟧ eff ( σ )( σʹ ) ⟦ withdraw(100) ⟧ eff ( σ ) = if σ ≥ 100 then ( λσʹ . σʹ - 100) else ( λσʹ . σʹ )

  24. balance = 100 balance = 100 withdraw(100) : ✔ withdraw(100) : ✔ λσʹ . σʹ - 100 balance = 0 balance = 0 ⟦ withdraw(100) ⟧ eff ( σ ) = if σ ≥ 100 then ( λσʹ . σʹ - 100) else ( λσʹ . σʹ )

  25. balance = 100 balance = 100 withdraw(100) : ✔ withdraw(100) : ✔ λσʹ . σʹ - 100 balance = 0 balance = 0 balance = -100 ⟦ withdraw(100) ⟧ eff ( σ ) = if σ ≥ 100 then ( λσʹ . σʹ - 100) else ( λσʹ . σʹ )

  26. Strengthening consistency Token system ≈ locks on steroids: • Token = { τ 1 , τ 2 , ...} • Symmetric conflict relation ⋈ ⊆ Token × Token

  27. Strengthening consistency Token system ≈ locks on steroids: • Token = { τ 1 , τ 2 , ...} • Symmetric conflict relation ⋈ ⊆ Token × Token Example - mutual exclusion lock: Token = { τ }; τ ⋈ τ

  28. Strengthening consistency Token system ≈ locks on steroids: • Token = { τ 1 , τ 2 , ...} • Symmetric conflict relation ⋈ ⊆ Token × Token Example - mutual exclusion lock: Token = { τ }; τ ⋈ τ Each operation associated with a set of tokens: ⟦ op ⟧ tok ∈ State ➞ P (Token)

  29. Operations associated with conflicting tokens cannot be unaware of each other τ ⋈ τ balance = 100 balance = 100 withdraw(100) : ✔ { τ }

  30. Operations associated with conflicting tokens cannot be unaware of each other τ ⋈ τ balance = 100 balance = 100 withdraw(100) : ✔ { τ } withdraw(100) : ? { τ } Anything I don’t know about?

  31. Operations associated with conflicting tokens cannot be unaware of each other τ ⋈ τ balance = 100 balance = 100 withdraw(100) : ✔ { τ } balance = 0 withdraw(100) : ? { τ }

  32. Operations associated with conflicting tokens cannot be unaware of each other τ ⋈ τ balance = 100 balance = 100 withdraw(100) : ✔ { τ } balance = 0 withdraw(100) : ✘ { τ }

  33. Operations associated with conflicting tokens cannot be unaware of each other τ ⋈ τ balance = 100 balance = 100 withdraw(100) : ✔ { τ } balance = 0 deposit(100) withdraw(100) : ✘ ∅ { τ } No synchronisation

  34. Operations associated with conflicting tokens Do we always have I = (balance ≥ 0)? cannot be unaware of each other τ ⋈ τ balance = 100 balance = 100 withdraw(100) : ✔ { τ } balance = 0 deposit(100) withdraw(100) : ✘ ∅ { τ } No synchronisation

  35. σ ∈ I o op p ⟦ ( σ ⟧ ) e f f σʹ ⟦ op ⟧ eff ( σ )( σʹ ) ∈ I ? Effect applied in a different state!

  36. σ ∈ I o op p ⟦ ( σ ⟧ ) e f f σʹ ⟦ op ⟧ eff ( σ )( σʹ ) ∈ I ? ⟦ op ⟧ eff ( σ ) = if P( σ ) then f( σ ) else if... ⟦ withdraw(100) ⟧ eff ( σ ) = if σ ≥ 100 then ( λσʹ . σʹ - 100) else ( λσʹ . σʹ )

  37. σ ∈ I o op p ⟦ ( σ ⟧ ) e f f σʹ ⟦ op ⟧ eff ( σ )( σʹ ) ∈ I ? ⟦ op ⟧ eff ( σ ) = if P( σ ) then f( σ ) else if... 1. Effector safety: f preserves I when executed in any state satisfying P

  38. σ ∈ I o op p ⟦ ( σ ⟧ ) e f f σʹ ⟦ op ⟧ eff ( σ )( σʹ ) ∈ I ✔ ⟦ op ⟧ eff ( σ ) = if P( σ ) then f( σ ) else if... 1. Effector safety: f preserves I when executed in any state satisfying P

  39. σ ∈ I o op p ⟦ ( σ ⟧ ) e f f P( σʹ ) ? σʹ ⟦ op ⟧ eff ( σ )( σʹ ) ∈ I ✔ ⟦ op ⟧ eff ( σ ) = if P( σ ) then f( σ ) else if... 1. Effector safety: f preserves I when executed in any state satisfying P

  40. σ ∈ I o op p ⟦ ( σ ⟧ ) e f f P( σʹ ) ? σʹ ⟦ op ⟧ eff ( σ )( σʹ ) ∈ I ✔ ⟦ op ⟧ eff ( σ ) = if P( σ ) then f( σ ) else if... 1. Effector safety: f preserves I when executed in any state satisfying P 2. Precondition stability: P will hold when f is applied at any replica

  41. CISE tool: ‘Cause I’m Strong Enough Discharges proof obligations using Z3 SMT solver By Mahsa Najafzadeh (UPMC & INRIA) ⟦ op ⟧ eff ( σ ) = if P( σ ) then f( σ ) else if... 1. Effector safety: f preserves I when executed in any state satisfying P 2. Precondition stability: P will hold when f is applied at any replica

  43. 31

  44. 1. Effector safety: f preserves I when executed in any state satisfying P 32

  45. 1. Effector safety: f preserves I when executed in any state satisfying P ✔ 32

  46. 2. Precondition stability: P is preserved by concurrent operations 33

  47. 2. Precondition stability: P is preserved by concurrent operations 33

  48. 2. Precondition stability: P is preserved by concurrent operations Bug: concurrent withdrawals may violate the invariant 33

  49. 2. Precondition stability: P is preserved by concurrent operations Add a token restricting concurrency 34

Recommend

Effective and Efficient Compromise Recovery for Weakly Consistent Replication Prince Mahajan (UT

Effective and Efficient Compromise Recovery for Weakly Consistent Replication Prince Mahajan (UT

Effective and Efficient Compromise Recovery for Weakly Consistent Replication Prince Mahajan (UT Austin), Ramakrishna Kotla, Cathy Marshall, Venugopalan Rama Ramasubramanian, Tom Rodeheffer, Doug Terry, Ted Wobber (Microsoft Research

1.34k views • 85 slides
MAINTAINING SQL INVARIANTS IN WEAKLY CONSISTENT DATABASES Nuno Preguia (NOVA LINCS,

MAINTAINING SQL INVARIANTS IN WEAKLY CONSISTENT DATABASES Nuno Preguia (NOVA LINCS,

MAINTAINING SQL INVARIANTS IN WEAKLY CONSISTENT DATABASES Nuno Preguia (NOVA LINCS, FCT/Universidade NOVA de Lisboa) Joint work with: Valter Balegas, Cheng Li (MPI, now Oracle), Joo Sousa, David Lopes, Srgio Duarte, Carla Ferreira, Joo

890 views • 49 slides
Policy-based Access Control for Weakly Consistent Replication Based on paper written by Ted

Policy-based Access Control for Weakly Consistent Replication Based on paper written by Ted

Policy-based Access Control for Weakly Consistent Replication Based on paper written by Ted Webber, Thomas L. Rodeheffer and Douglas B. Terry Outline Whats the problem? Definitions System design Operation on data Updating

978 views • 34 slides
Hoare Logic: Proving Programs Correct 17-654/17-765 Analysis of Software Artifacts Jonathan

Hoare Logic: Proving Programs Correct 17-654/17-765 Analysis of Software Artifacts Jonathan

Hoare Logic: Proving Programs Correct 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich Reading: C.A.R. Hoare, An Axiomatic Basis for Computer Programming Some presentation ideas from a lecture by K. Rustan M. Leino Testing and

392 views • 23 slides
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a

Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a

Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' ``attacks'' everything everything publications 1

590 views • 29 slides
Reliability In case of a crash, recover to a consistent (or correct state) and continue

Reliability In case of a crash, recover to a consistent (or correct state) and continue

Reliability In case of a crash, recover to a consistent (or correct state) and continue processing. Types of Failures Node failure 1. Communication line of failure 2. Loss of a message (or transaction) 3. Network partition 4. Any

559 views • 21 slides
Proving a Concurrent Program Correct by Demonstrating It Does Nothing Bernhard Kragl IST Austria

Proving a Concurrent Program Correct by Demonstrating It Does Nothing Bernhard Kragl IST Austria

Proving a Concurrent Program Correct by Demonstrating It Does Nothing Bernhard Kragl IST Austria doi: 10.1007/978-3-319-96145-3_5 https://github.com/boogie-org/boogie Shaz Qadeer Microsoft https://www.rise4fun.com/civl Credits Cormac

813 views • 67 slides
Weakly Supervised Classification Weakly Supervised Classification and Robust Learning and Robust

Weakly Supervised Classification Weakly Supervised Classification and Robust Learning and Robust

IIT-H and RIKEN-AIP Joint Workshop on March 15, 2019 Machine Learning and Applications, Hyderabad, India Weakly Supervised Classification Weakly Supervised Classification and Robust Learning and Robust Learning --- Overview of Our Recent

1.06k views • 25 slides
Hands on a Grand Challenge in Computing: Proving a Journaled File System Correct J.N. Oliveira

Hands on a Grand Challenge in Computing: Proving a Journaled File System Correct J.N. Oliveira

Hands on a Grand Challenge in Computing: Proving a Journaled File System Correct J.N. Oliveira High Assurance Software Lab and Dept. Inform atica Universidade do Minho Braga, Portugal INFORUM 2010 Braga, Portugal, September 2010 Context

1.1k views • 73 slides
Health Warning Principles, Techniques, Applications Theorem Proving is addictive Gerwin Klein

Health Warning Principles, Techniques, Applications Theorem Proving is addictive Gerwin Klein

W HAT YOU WILL LEARN how to use a theorem prover background, how it works how to prove and specify NICTA Advanced Course Slide 1 Slide 3 Theorem Proving Health Warning Principles, Techniques, Applications Theorem Proving is

262 views • 9 slides
Automated Theorem Proving in Real Applications John Harrison Intel Corporation The cost of

Automated Theorem Proving in Real Applications John Harrison Intel Corporation The cost of

Automated Theorem Proving in Real Applications 1 Automated Theorem Proving in Real Applications John Harrison Intel Corporation The cost of bugs Formal verification Machine-checked proof Automatic and interactive approaches

678 views • 29 slides
Theorem Proving and the Real Numbers Applications and Challenges Lawrence C Paulson 1.

Theorem Proving and the Real Numbers Applications and Challenges Lawrence C Paulson 1.

Theorem Proving and the Real Numbers Applications and Challenges Lawrence C Paulson 1. Interactive Theorem Proving A partial, biased history A UTOMATH L. S. van Benthem Jutting, Checking Landaus Grundlagen in the A UTOMATH

920 views • 37 slides
CASA Seminar Self- -consistent Space Charge consistent Space Charge Self Distributions: Theory

CASA Seminar Self- -consistent Space Charge consistent Space Charge Self Distributions: Theory

CASA Seminar Self- -consistent Space Charge consistent Space Charge Self Distributions: Theory and Applications Distributions: Theory and Applications Slava Danilov SNS/ORNL March 12, 2004 Accelerator Physics Oak Ridge National Laboratory

546 views • 26 slides
Real numbers in the real world Industrial applications of theorem proving John Harrison Intel

Real numbers in the real world Industrial applications of theorem proving John Harrison Intel

Real numbers in the real world Industrial applications of theorem proving John Harrison Intel Corporation 30th May 2006 0 Overview Famous computer arithmetic failures Formal verification and theorem proving Floating-point

627 views • 34 slides
Proving the Equivalence of Higher-Order Terms by Means of Supercompilation Ilya Klyuchnikov and

Proving the Equivalence of Higher-Order Terms by Means of Supercompilation Ilya Klyuchnikov and

Introduction Proving properties of programs Proving equality and equivalence Applications Summary Proving the Equivalence of Higher-Order Terms by Means of Supercompilation Ilya Klyuchnikov and Sergei Romanenko Keldysh Institute of Applied

588 views • 31 slides
Lab 2 discussion Last Time Debugging Its a science use experiments to refine

Lab 2 discussion Last Time Debugging Its a science use experiments to refine

size= 64 correct= 0 size= 73 correct= 0 Shuying Liang size= 107 correct= 1 size= 107 correct= 0 size= 108 correct= 0 size= 108 correct= 1 Please do not handin a .doc file, a .zip file, a .tar file, size= 111 correct= 1 size=

430 views • 7 slides
SWIM: S calable W eakly-consistent I nfection-style Process Group M embership Protocol Das, A.,

SWIM: S calable W eakly-consistent I nfection-style Process Group M embership Protocol Das, A.,

SWIM: S calable W eakly-consistent I nfection-style Process Group M embership Protocol Das, A., Gupta, I . and Motivala, A., 2002, June. Swim: Scalable weakly- consistent infection-style process group membership protocol. In Proceedings

408 views • 27 slides
ECE 4524 Artificial Intelligence and Engineering Applications Lecture 10: Theorem Proving in

ECE 4524 Artificial Intelligence and Engineering Applications Lecture 10: Theorem Proving in

ECE 4524 Artificial Intelligence and Engineering Applications Lecture 10: Theorem Proving in Propositional Logic Reading: AIAMA 7.5 Todays Schedule: Inference and Proofs Conjunctive Normal Form Resolution Forward and Backward

658 views • 16 slides
Database Management Isolation Systems Serial execution: Since each transaction is

Database Management Isolation Systems Serial execution: Since each transaction is

Lecture 7 Database Management Isolation Systems Serial execution: Since each transaction is consistent and isolated from all Winter 2004 others, schedule is guaranteed to be correct for all applications CMPUT 391: Implementing

934 views • 14 slides
Notes On Requirements Development Requirements specification should be : Correct Complete

Notes On Requirements Development Requirements specification should be : Correct Complete

Notes On Requirements Development Requirements specification should be : Correct Complete Consistent Unambiguous Derived from functional decomposition ... therefore, traceable Verifiable Easily changed CSE, UTA 1 Notes On Requirements

1.78k views • 27 slides
On Theorem Proving for Program Checking Historical perspective and recent developments Maria

On Theorem Proving for Program Checking Historical perspective and recent developments Maria

Outline Introduction Where is theorem proving in program checking Inside theorem proving Big and little engines together: a new theorem proving style Decision procedures with speculative inferences Current and future challenges On Theorem

944 views • 69 slides
Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Interactive Theorem Proving, Nancy August 22, 2016 Joachim Breitner Karlsruhe Institute of Technology University of Pennsylvania, Philadelphia Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without Syntax

579 views • 43 slides
NICTA Advanced Course Theorem Proving Principles, Techniques, Applications Gerwin Klein Formal

NICTA Advanced Course Theorem Proving Principles, Techniques, Applications Gerwin Klein Formal

NICTA Advanced Course Theorem Proving Principles, Techniques, Applications Gerwin Klein Formal Methods 1 O RGANISATORIALS When Mon 14:00 15:30 Wed 10:30 12:00 7 weeks ends Mon, 20.9.2004 Exceptions Mon 6.9., 13.9., 20.9. at

1.07k views • 93 slides
Universal homogeneous constraint structures and the hom-equivalence classes of weakly

Universal homogeneous constraint structures and the hom-equivalence classes of weakly

Universal homogeneous constraint structures and the hom-equivalence classes of weakly oligomorphic structures Christian Pech Maja Pech 17.03.2012 Weakly oligomorphic structures Definition A countable relational structure A is called weakly

196 views • 18 slides

More recommend