Abstract
Distributed systems are critical to reliable and scalable computing; however, they are complicated in nature and prone to bugs. To manage this complexity, network middleware has traditionally been built as layered stacks of components. We present a novel approach to compositional verification of distributed stacks that verifies each component based only on the specification of the components below it. We present TLC (Temporal Logic of Components), a novel temporal program logic that offers intuitive inference rules for verifying both safety and liveness properties of functional implementations of distributed components. To support compositional reasoning, we define a novel transformation on the assertion language that lowers the specification of a component so that it can be used as a subcomponent. We prove the soundness of TLC and of the lowering transformation with respect to a novel operational semantics for stacks of composed components in partially synchronous networks. We successfully apply TLC to compose and verify a stack of fundamental distributed components.
TLC: temporal logic of distributed components