SlideShare a Scribd company logo
1 of 99
Download to read offline
Model Checking of Fault-Tolerant Distributed Algorithms
Part III: Parameterized Model Checking of Fault-tolerant Distributed
Algorithms by Abstraction
Annu Gmeiner Igor Konnov Ulrich Schmid
Helmut Veith Josef Widder
TMPA 2014, Kostroma, Russia
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 1 / 1
Fault-tolerant DAs: Model Checking Challenges
unbounded data types
counting how many messages have been received
parameterization in multiple parameters
among n processes f ≤ t are faulty with n > 3t
contrast to concurrent programs
fault tolerance against adverse environments
degrees of concurrency
many degrees of partial synchrony
continuous time
fault-tolerant clock synchronization
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 2 / 1
Distributed algorithms: computational model and faults
In previous parts, we considered algorithms operating
in the classic model by [Fischer, Lynch, Paterson’85]
Environment:
Asynchronous processes (interleaving semantics)
Reliable asynchronous message passing (non-blocking send and receive)
Faults:
crashes and clean crashes,
omission faults,
symmetric faults,
Byzantine faults
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 3 / 1
Model checking problem for fault-tolerant DA algorithms
Parameterized model checking problem:
given a distributed algorithm and spec. ϕ
show for all n, t, and f satisfying n > 3t ∧ t ≥ f ≥ 0
M(n, t, f ) |= ϕ
every M(n, t, f ) is a system of n − f correct processes
n
?
?
?
t
n
?
?
?
t f
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 4 / 1
Model checking problem for fault-tolerant DA algorithms
Parameterized model checking problem:
given a distributed algorithm and spec. ϕ
show for all n, t, and f satisfying resilience condition
M(n, t, f ) |= ϕ
every M(n, t, f ) is a system of N(n, f ) correct processes
n
?
?
?
t
n
?
?
?
t f
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 4 / 1
Properties in Linear Temporal Logic
Unforgeability (U). If vi = 0 for all correct processes i, then for all correct
processes j, acceptj remains 0 forever.
G
n−f
i=1
vi = 0 → G
n−f
j=1
acceptj = 0
Completeness (C). If vi = 1 for all correct processes i, then there is a correct
process j that eventually sets acceptj to 1.
G
n−f
i=1
vi = 1 → F
n−f
j=1
acceptj = 1
Relay (R). If a correct process i sets accepti to 1, then eventually all correct
processes j set acceptj to 1.
G
n−f
i=1
accepti = 1 → F
n−f
j=1
acceptj = 1
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 5 / 1
Properties in Linear Temporal Logic
Unforgeability (U). If vi = 0 for all correct processes i, then for all correct
processes j, acceptj remains 0 forever.
G
n−f
i=1
vi = 0 → G
n−f
j=1
acceptj = 0 Safety
Completeness (C). If vi = 1 for all correct processes i, then there is a correct
process j that eventually sets acceptj to 1.
G
n−f
i=1
vi = 1 → F
n−f
j=1
acceptj = 1 Liveness
Relay (R). If a correct process i sets accepti to 1, then eventually all correct
processes j set acceptj to 1.
G
n−f
i=1
accepti = 1 → F
n−f
j=1
acceptj = 1 Liveness
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 5 / 1
Threshold-guarded
fault-tolerant
distributed algorithms
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 6 / 1
Threshold-guarded FTDAs
Fault-free construct: quantified guards (t=f=0)
Existential Guard
if received m from some process then ...
Universal Guard
if received m from all processes then ...
These guards allow one to treat the processes in a parameterized way
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 7 / 1
Threshold-guarded FTDAs
Fault-free construct: quantified guards (t=f=0)
Existential Guard
if received m from some process then ...
Universal Guard
if received m from all processes then ...
These guards allow one to treat the processes in a parameterized way
what if faults might occur?
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 7 / 1
Threshold-guarded FTDAs
Fault-free construct: quantified guards (t=f=0)
Existential Guard
if received m from some process then ...
Universal Guard
if received m from all processes then ...
These guards allow one to treat the processes in a parameterized way
what if faults might occur?
Fault-Tolerant Algorithms: n processes, at most t are Byzantine
Threshold Guard
if received m from n − t processes then ...
(the processes cannot refer to f!)
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 7 / 1
Threshold-based fault-tolerant distributed algorithms
The parameters (n, t, f ) are fixed in each run
Main loop with the body executed atomically
Processes are anonymous (no identifiers)
Receiving messages, counting them and comparing to thresholds, e.g.,
if received <ECHO> from t + 1 distinct processes
then ...
Sending messages to all processes, e.g.,
send <ECHO> to all
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 8 / 1
Control Flow Automata
Variables of process i
vi : {0 , 1} init with 0 or 1
accepti : {0 , 1} init with 0
An indivisible step:
i f vi = 1
then send ( echo ) to all ;
i f received (echo) from at l e a s t
t + 1 distinct processes
and not sent ( echo ) before
then send ( echo ) to all ;
i f received ( echo ) from at l e a s t
n - t distinct processes
then accepti := 1;
n − f copies of the process
qI
q0
q1
q2
q3
sv = V1
¬(sv = V1) inc nsnt
sv := SE
q4
q5
q6
q7
q8
qF
nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f )
¬(t + 1 ≤ nrcvd)
t + 1 ≤ nrcvd
sv = V0
¬(sv = V0)
inc nsnt
n − t ≤ nrcvd
¬(n − t ≤ nrcvd)
sv := SE
sv := AC
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 9 / 1
Counting argument in threshold-guarded algorithms
n
t f
if received m from t + 1 processes then ...
t + 1
Correct processes count distinct incoming messages
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 10 / 1
Counting argument in threshold-guarded algorithms
n
t f
if received m from t + 1 processes then ...
t + 1
Correct processes count distinct incoming messages
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 10 / 1
Counting argument in threshold-guarded algorithms
n
t f
if received m from t + 1 processes then ...
t + 1
at least one non-faulty sent the message
Correct processes count distinct incoming messages
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 10 / 1
qI
q0
q1
q2
q3
sv = V1
¬(sv = V1) inc nsnt
sv := SE
q4
q5
q6
q7
q8
qF
nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f )
¬(t + 1 ≤ nrcvd)
t + 1 ≤ nrcvd
sv = V0
¬(sv = V0)
inc nsnt
n − t ≤ nrcvd
¬(n − t ≤ nrcvd)
sv := SE
sv := AC
concrete values are not important
thresholds are essential:
0, 1, t + 1, n − t
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 11 / 1
qI
q0
q1
q2
q3
sv = V1
¬(sv = V1) inc nsnt
sv := SE
q4
q5
q6
q7
q8
qF
nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f )
¬(t + 1 ≤ nrcvd)
t + 1 ≤ nrcvd
sv = V0
¬(sv = V0)
inc nsnt
n − t ≤ nrcvd
¬(n − t ≤ nrcvd)
sv := SE
sv := AC
concrete values are not important
thresholds are essential:
0, 1, t + 1, n − t
intervals with symbolic boundaries:
I0 = [0, 1)
I1 = [1, t + 1)
It+1 = [t + 1, n − t)
In−t = [n − t, ∞)
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 11 / 1
qI
q0
q1
q2
q3
sv = V1
¬(sv = V1) inc nsnt
sv := SE
q4
q5
q6
q7
q8
qF
nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f )
¬(t + 1 ≤ nrcvd)
t + 1 ≤ nrcvd
sv = V0
¬(sv = V0)
inc nsnt
n − t ≤ nrcvd
¬(n − t ≤ nrcvd)
sv := SE
sv := AC
concrete values are not important
thresholds are essential:
0, 1, t + 1, n − t
intervals with symbolic boundaries:
I0 = [0, 1)
I1 = [1, t + 1)
It+1 = [t + 1, n − t)
In−t = [n − t, ∞)
Parameteric Interval Abstraction (PIA)
Similar to interval abstraction:
[t + 1, n − t) rather than [4, 10).
Total order: 0 < 1 < t + 1 < n − t for
all parameters satisfying RC:
n > 3t, t ≥ f ≥ 0.
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 11 / 1
Technical challenges
We have to reduce the verification of an infinite number of instances
where
1 the process code is parameterized
2 the number of processes is parameterized
to one finite state model checking instance
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 12 / 1
Technical challenges
We have to reduce the verification of an infinite number of instances
where
1 the process code is parameterized
2 the number of processes is parameterized
to one finite state model checking instance
We do that by:
1 PIA data abstraction
2 PIA counter abstraction
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 12 / 1
Technical challenges
We have to reduce the verification of an infinite number of instances
where
1 the process code is parameterized
2 the number of processes is parameterized
to one finite state model checking instance
We do that by:
1 PIA data abstraction
2 PIA counter abstraction
abstraction is an over approximation ⇒ possible abstract behavior that
does not correspond to a concrete behavior.
3 Refining spurious counter-examples
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 12 / 1
Abstraction overview
Parameterized family
M(n, t, f ) = P(n, t, f ) · · · P(n, t, f )
N(n,t,f ) processes
: n > 3t, t ≥ f , f ≥ 0} extract
Parametric Interval Domain D
parametric interval
data abstraction
Uniform parameterized family
ˆM(n, t, f ) = ˆP · · · ˆP
N(n,t,f ) processes
: n > 3t, t ≥ f , f ≥ 0}
P does not depend on n, t, f
P simulates P(n, t, f )
change representation
Counter representation
parametric interval
counter abstraction
one abstract system A that
simulates for every n, t, f
the behavior of M(n, t, f )
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 13 / 1
Abstraction overview
Parameterized family
M(n, t, f ) = P(n, t, f ) · · · P(n, t, f )
N(n,t,f ) processes
: n > 3t, t ≥ f , f ≥ 0} extract
Parametric Interval Domain D
parametric interval
data abstraction
Uniform parameterized family
ˆM(n, t, f ) = ˆP · · · ˆP
N(n,t,f ) processes
: n > 3t, t ≥ f , f ≥ 0}
P does not depend on n, t, f
P simulates P(n, t, f )
change representation
Counter representation
parametric interval
counter abstraction
one abstract system A that
simulates for every n, t, f
the behavior of M(n, t, f )
finite-state model checkin
replay the counter-example
refine the system
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 13 / 1
Data abstraction
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 14 / 1
qI
q0
q1
q2
q3
sv = V1
¬(sv = V1) inc nsnt
sv := SE
q4
q5
q6
q7
q8
qF
nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f )
¬(t + 1 ≤ nrcvd)
t + 1 ≤ nrcvd
sv = V0
¬(sv = V0)
inc nsnt
n − t ≤ nrcvd
¬(n − t ≤ nrcvd)
sv := SE
sv := AC
concrete values are not important
thresholds are essential:
0, 1, t + 1, n − t
intervals with symbolic boundaries:
I0 = [0, 1)
I1 = [1, t + 1)
It+1 = [t + 1, n − t)
In−t = [n − t, ∞)
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 15 / 1
Abstract operations
Concrete:
Abstract:
0 1 t + 1 n − t above
· · ·
I0 I1 It+1 In−t
Concrete t + 1 ≤ x
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 16 / 1
Abstract operations
Concrete:
Abstract:
0 1 t + 1 n − t above
· · ·
I0 I1 It+1 In−t
Concrete t + 1 ≤ x is abstracted as x = It+1 ∨ x = In−t.
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 16 / 1
Abstract operations
Concrete:
Abstract:
0 1 t + 1 n − t above
· · ·
I0 I1 It+1 In−t
Concrete t + 1 ≤ x is abstracted as x = It+1 ∨ x = In−t.
Concrete x = x + 1,
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 16 / 1
Abstract operations
Concrete:
Abstract:
0 1 t + 1 n − t above
· · ·
I0 I1I0 I1 It+1 In−t
Concrete t + 1 ≤ x is abstracted as x = It+1 ∨ x = In−t.
Concrete x = x + 1, is abstracted as:
x = I0 ∧ x = I1 . . .
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 16 / 1
Abstract operations
Concrete:
Abstract:
0 1 t + 1 n − t above
· · ·
I0 I1I0 I1 It+1 In−t
Concrete t + 1 ≤ x is abstracted as x = It+1 ∨ x = In−t.
Concrete x = x + 1, is abstracted as:
x = I0 ∧ x = I1
∨x = I1 ∧ (x = I1 ∨ x = It+1) . . .
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 16 / 1
Abstract operations
Concrete:
Abstract:
0 1 t + 1 n − t above
· · ·
I0 I1I0 I1 It+1 In−t
Concrete t + 1 ≤ x is abstracted as x = It+1 ∨ x = In−t.
Concrete x = x + 1, is abstracted as:
x = I0 ∧ x = I1
∨x = I1 ∧ (x = I1 ∨ x = It+1)
∨x = It+1 ∧ (x = It+1 ∨ x = In−t) . . .
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 16 / 1
Abstract operations
Concrete:
Abstract:
0 1 t + 1 n − t above
· · ·
I0 I1I0 I1 It+1 In−t
Concrete t + 1 ≤ x is abstracted as x = It+1 ∨ x = In−t.
Concrete x = x + 1, is abstracted as:
x = I0 ∧ x = I1
∨x = I1 ∧ (x = I1 ∨ x = It+1)
∨x = It+1 ∧ (x = It+1 ∨ x = In−t)
∨x = In−t ∧ x = In−t
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 16 / 1
Abstract operations
Concrete:
Abstract:
0 1 t + 1 n − t above
· · ·
I0 I1
Concrete t + 1 ≤ x is abstracted as x = It+1 ∨ x = In−t.
Concrete x = x + 1, is abstracted as:
x = I0 ∧ x = I1
∨x = I1 ∧ (x = I1 ∨ x = It+1)
∨x = It+1 ∧ (x = It+1 ∨ x = In−t)
∨x = In−t ∧ x = In−t
abstract increase may keep the same value!
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 16 / 1
Abstract CFA
qI
q0
q1
q2
q3
sv = V1
¬(sv = V1) inc nsnt
sv := SE
q4
q5
q6
q7
nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f )
¬(t + 1 ≤ nrcvd)
t + 1 ≤ nrcvd
sv = V0
¬(sv = V0)
inc nsnt
n − t ≤ nrcvd
¬(n − t ≤ nrcvd)
sv := AC
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 17 / 1
Abstract CFA
qI
q0
q1
q2
q3
sv = V1
¬(sv = V1) inc nsnt
sv := SE
q4
q5
q6
q7
nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f )
¬(t + 1 ≤ nrcvd)
t + 1 ≤ nrcvd
sv = V0
¬(sv = V0)
inc nsnt
n − t ≤ nrcvd
¬(n − t ≤ nrcvd)
sv := AC
qI
q0
q1
q2
q3
sv = V1
¬(sv = V1) inc nsnt
sv := SE
q4
q5
q6
q7
nrcvd = I0 ∧ nsnt = I0 ∧ (nrcvd = I0 ∨ nrcvd = I1) ∨ . . .
¬(t + 1 ≤ nrcvd)
nrcvd = It+1 ∨ nrcvd = In−t
sv = V0
¬(sv = V0)
nsnt = I1 ∧ (nsnt = I1 ∨ nsnt = It+1) ∨ . . .
n − t ≤ nrcvd
¬(n − t ≤ nrcvd)
sv := AC
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 17 / 1
Abstraction overview
Parameterized family
M(n, t, f ) = P(n, t, f ) · · · P(n, t, f )
N(n,t,f ) processes
: n > 3t, t ≥ f , f ≥ 0} extract
Parametric Interval Domain D
parametric interval
data abstraction
Uniform parameterized family
ˆM(n, t, f ) = ˆP · · · ˆP
N(n,t,f ) processes
: n > 3t, t ≥ f , f ≥ 0}
P does not depend on n, t, f
P simulates P(n, t, f )
change representation
Counter representation
parametric interval
counter abstraction
one abstract system A that
simulates for every n, t, f
the behavior of M(n, t, f )
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 18 / 1
Counter abstraction
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 19 / 1
Classic (0, 1, ∞)-counter abstraction
Pnueli, Xu, and Zuck (2001) introduced (0, 1, ∞)-counter abstraction:
finitely many local states,
e.g., {N, T, C}.
based on counter representation:
for each local states count how many processes are in it
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 20 / 1
Classic (0, 1, ∞)-counter abstraction
Pnueli, Xu, and Zuck (2001) introduced (0, 1, ∞)-counter abstraction:
finitely many local states,
e.g., {N, T, C}.
based on counter representation:
for each local states count how many processes are in it
abstract the number of processes in every state,
e.g., K : C → 0, T → 1, N → “many”.
perfectly reflects mutual exclusion properties
e.g., G (K(C) = 0 ∨ K(C) = 1).
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 20 / 1
Limits of (0, 1, ∞)-counter abstraction
Our parametric data + counter abstraction:
we require finer counting of processes:
t + 1 processes in a specific state can force global progress,
t processes cannot
mapping t, t + 1, and n − t to “many” is too coarse.
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 21 / 1
Limits of (0, 1, ∞)-counter abstraction
Our parametric data + counter abstraction:
we require finer counting of processes:
t + 1 processes in a specific state can force global progress,
t processes cannot
mapping t, t + 1, and n − t to “many” is too coarse.
starting point of our approach...
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 21 / 1
Data + counter abstraction over parametric intervals
n = 6, t = 1, f = 1
t + 1 = 2, n − t = 5
nr. processes (counters)
received received
sent accepted
•
0
•
0
•
1
•
1
•
2
•
2
•
3
•
3
•
4
•
4
•
5
•
5
•
6
•
6
•0
•1
•2
•3
•4
•5
•6
•
Local state is (sv, nrcvd),
where sv ∈ {sent, accepted} and 0 ≤ rcvd ≤ n
3 processes at (sent, received=3)
1 process at (accepted, received=5)
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 22 / 1
Data + counter abstraction over parametric intervals
n = 6, t = 1, f = 1
t + 1 = 2, n − t = 5
nr. processes (counters)
received received
sent accepted
•
0
•
0
•
1
•
1
•
2
•
2
•
3
•
3
•
4
•
4
•
5
•
5
•
6
•
6
•0
•1
•2
•3
•4
•5
•6
•
Local state is (sv, nrcvd),
where sv ∈ {sent, accepted} and 0 ≤ rcvd ≤ n
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 22 / 1
Data + counter abstraction over parametric intervals
n = 6, t = 1, f = 1
t + 1 = 2, n − t = 5
nr. processes (counters)
received received
sent accepted
•
0
•
0
•
1
•
1
•
2
•
2
•
3
•
3
•
4
•
4
•
5
•
5
•
6
•
6
•0
•1
•2
•3
•4
•5
•6
•
Local state is (sv, nrcvd),
where sv ∈ {sent, accepted} and 0 ≤ rcvd ≤ n
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 22 / 1
Data + counter abstraction over parametric intervals
XXXXXXn = 6, XXXXXXt = 1, XXXXXXf = 1
n  3 · t ∧ t ≥ f
Parametricintervals:
I0 = [0, 1) I1 = [1, t + 1)
It+1 = [t + 1, n − t)
In−t = [n − t, ∞)
nr. processes (counters)
received received
sent accepted
• • • •
I0 I1 It+1 In−t
• • • •
I0 I1 It+1 In−t
•
•
•
•
I0
I1
It+1
In−t
A local state is (sv, nrcvd),
where sv ∈ {sent, accepted} and nrcvd ∈ {I0, I1, It+1, In−t}
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 22 / 1
Data + counter abstraction over parametric intervals
n  3 · t ∧ t ≥ f
Parametricintervals:
I0 = [0, 1) I1 = [1, t + 1)
It+1 = [t + 1, n − t)
In−t = [n − t, ∞)
nr. processes (counters)
received received
sent accepted
• • • •
I0 I1 It+1 In−t
• • • •
I0 I1 It+1 In−t
•
•
•
•
I0
I1
It+1
In−t
when all correct processes accepted,
all non-zero counters are in this area
A local state is (sv, nrcvd),
where sv ∈ {sent, accepted} and nrcvd ∈ {I0, I1, It+1, In−t}
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 22 / 1
Abstraction refinement
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 23 / 1
Spurious behavior
abstraction adds behaviors (e.g., x’=x+1 may lead to x’ being equal to x)
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 24 / 1
Spurious behavior
abstraction adds behaviors (e.g., x’=x+1 may lead to x’ being equal to x)
⇒ specs that hold in concrete system may be violated in abstract system
spurious counterexamples
we have to reduce the behaviors of the abstract system
make it more concrete
. . . based on the counterexamples = CEGAR
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 24 / 1
Spurious behavior
abstraction adds behaviors (e.g., x’=x+1 may lead to x’ being equal to x)
⇒ specs that hold in concrete system may be violated in abstract system
spurious counterexamples
we have to reduce the behaviors of the abstract system
make it more concrete
. . . based on the counterexamples = CEGAR
Three sources of spurious behavior
# processes decreasing or increasing
# messages sent = # processes which have sent a message
unfair loops
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 24 / 1
Spurious behavior
abstraction adds behaviors (e.g., x’=x+1 may lead to x’ being equal to x)
⇒ specs that hold in concrete system may be violated in abstract system
spurious counterexamples
we have to reduce the behaviors of the abstract system
make it more concrete
. . . based on the counterexamples = CEGAR
Three sources of spurious behavior
# processes decreasing or increasing
# messages sent = # processes which have sent a message
unfair loops
. . . and a new abstraction phenomenon
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 24 / 1
Parametric abst. refinement — uniformly spurious paths
Classic case:
Concrete
Abstract
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 25 / 1
Parametric abst. refinement — uniformly spurious paths
Classic case:
Concrete
Abstract
Our case:
Concrete
n2
, t2
, f2
Concrete
n1
, t1
, f1
Abstract
···
···
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 25 / 1
CEGAR — automated workflow
Model Checking
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 26 / 1
CEGAR — automated workflow
Model Checking
correct
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 26 / 1
CEGAR — automated workflow
Model Checking
correct
Abstraction refinement
using SMT
counterexample
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 26 / 1
CEGAR — automated workflow
Model Checking
correct
Abstraction refinement
using SMT
counterexample
CE feasible: bug
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 26 / 1
CEGAR — automated workflow
Model Checking
correct
Abstraction refinement
using SMT
counterexample
CE feasible: bug
CE spurious:
refined abstraction
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 26 / 1
What is SMT?
recall SAT:
given a Boolean formula, e.g., (¬a ∨ ¬b ∨ c) ∧ (¬a ∨ b ∨ d ∨ e)
is there an assignment of true and false to variables a, b, c, d, e
such that the formula evaluates to true?
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 27 / 1
What is SMT?
recall SAT:
given a Boolean formula, e.g., (¬a ∨ ¬b ∨ c) ∧ (¬a ∨ b ∨ d ∨ e)
is there an assignment of true and false to variables a, b, c, d, e
such that the formula evaluates to true?
Satisfiability Modulo Theories (SMT) :
here just linear arithmetics
given a formula, e.g.,
x = y ∧ y = z ∧ u = x ∧ (x + y ≤ 1 ∧ 2x + y = 1) ∨ 3x + 2y ≥ 3
is there an assignment of values to u, x, y, z such that formula
evaluates to true?
practically efficient tools: Yices, Z3
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 27 / 1
Counter example: losing processes
Output of data abstraction: 16 local states: L = {(sv, ˆnrcvd)
with sv ∈ {v0, v1, sent, accepted} and ˆrcvd ∈ {I0, I1, It+1, In−t}}
An abstract global state is (ˆk, ˆnsnt),
where ˆnsnt ∈ {I0, I1, It+1, In−t} and ˆk : L → {I0, I1, It+1, In−t}
Consider an abstract trace:
ˆnsnt1 = I0
ˆk1( ) =


In−t , if = (v1, I0)
I0, otherwise
ˆnsnt2 = I1
ˆk2( ) =


In−t , if = (v1, I0)
I1, if = (sent, I0)
I0, otherwise
ˆnsnt3 = It+1
ˆk3( ) =


In−t , if = (v1, I0)
It+1, if = (sent, I0)
I0, otherwise
Encode the last state in SMT as a conjunction T of the constraints:
resilience condition n  3t ∧ t ≥ f ∧ f ≥ 0
zero counters (i = 4 ∧ i = 8) → 0 ≤ k3[i]  1
non-zero counters n − t ≤ k3[4] ∧ t + 1 ≤ k3[8]  n − t
system size n − f = k3[0] + k3[1] + · · · + k3[15]
UNSAT
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 28 / 1
Remove transitions
We ask the SMT solver:
is there a satisfiable assignment for T?
if yes,
then the state is OK, may be part of a real counterexample
if not, then the state is spurious
remove transitions to that state in the abstract system
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 29 / 1
Liveness
distributed algorithm requires reliable communication
every message sent is eventually received
¬in transit ≡ [∀i. nrcvdi ≥ nsnt]
fairness F G ¬in transit necessary to verify liveness,
e.g., F G ¬in transit → G ([∀i. svi = v1] → F [∀i. svi = accept])
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 30 / 1
Liveness
distributed algorithm requires reliable communication
every message sent is eventually received
¬in transit ≡ [∀i. nrcvdi ≥ nsnt]
fairness F G ¬in transit necessary to verify liveness,
e.g., F G ¬in transit → G ([∀i. svi = v1] → F [∀i. svi = accept])
counter example (lasso):
¬in transit
¬in transit
¬in transit
¬in transit
¬in transit
¬in transit
¬in transit
s1 ¬in transit
s2
sk
s3
· · ·
· · ·
· · ·
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 30 / 1
Liveness — fairness suppression
¬in transit
¬in transit
¬in transit
¬in transit
¬in transit
¬in transit
¬in transit
s1 ¬in transit
s2
sk
s3
· · ·
· · ·
· · ·
if there is a spurious sj (all its concretizations violate ¬in transit),
then the loop is spurious.
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 31 / 1
Liveness — fairness suppression
¬in transit
¬in transit
¬in transit
¬in transit
¬in transit
¬in transit
¬in transit
s1 ¬in transit
s2
sk
s3
· · ·
· · ·
· · ·
if there is a spurious sj (all its concretizations violate ¬in transit),
then the loop is spurious.
refine fairness to F G ¬in transit ∧ G F
1≤j≤k
“out of sj
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 31 / 1
Liveness — fairness suppression
¬in transit
¬in transit
¬in transit
¬in transit
¬in transit
¬in transit
¬in transit
s1 ¬in transit
s2
sk
s3
· · ·
· · ·
· · ·
if there is a spurious sj (all its concretizations violate ¬in transit),
then the loop is spurious.
refine fairness to F G ¬in transit ∧ G F
1≤j≤k
“out of sj
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 31 / 1
experimental evaluation
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 32 / 1
Concrete vs. parameterized (Byzantine case)
Time to check relay (sec, logscale) Memory to check relay (MB, logscale)
Parameterized model checking performs well (the red line).
Experiments for fixed parameters quickly degrade
(n = 9 runs out of memory).
We found counter-examples for the cases n = 3t and f  t,
where the resilience condition is violated.
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 33 / 1
Experimental results at a glance
Algorithm Fault Resilience Property Valid? #Refinements Time
ST87 Byz n  3t U  0 4 sec.
ST87 Byz n  3t C  10 32 sec.
ST87 Byz n  3t R  10 24 sec.
ST87 Symm n  2t U  0 1 sec.
ST87 Symm n  2t C  2 3 sec.
ST87 Symm n  2t R  12 16 sec.
ST87 Omit n  2t U  0 1 sec.
ST87 Omit n  2t C  5 6 sec.
ST87 Omit n  2t R  5 10 sec.
ST87 Clean n  t U  0 2 sec.
ST87 Clean n  t C  4 8 sec.
ST87 Clean n  t R  13 31 sec.
CT96 Clean n  t U  0 1 sec.
CT96 Clean n  t A  0 1 sec.
CT96 Clean n  t R  0 1 sec.
CT96 Clean n  t C  0 1 sec.
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 34 / 1
When resilience condition is wrong...
Algorithm Fault Resilience Property Valid? #Refinements Time
ST87 Byz n  3t ∧ f ≤ t+1 U  9 56 sec.
ST87 Byz n  3t ∧ f ≤ t+1 C  11 52 sec.
ST87 Byz n  3t ∧ f ≤ t+1 R  10 17 sec.
ST87 Byz n ≥ 3t ∧ f ≤ t U  0 5 sec.
ST87 Byz n ≥ 3t ∧ f ≤ t C  9 32 sec.
ST87 Byz n ≥ 3t ∧ f ≤ t R  30 78 sec.
ST87 Symm n  2t ∧ f ≤ t+1 U  0 2 sec.
ST87 Symm n  2t ∧ f ≤ t+1 C  2 4 sec.
ST87 Symm n  2t ∧ f ≤ t+1 R  8 12 sec.
ST87 Omit n ≥ 2t ∧ f ≤ t U  0 1 sec.
ST87 Omit n ≥ 2t ∧ f ≤ t C  0 2 sec.
ST87 Omit n ≥ 2t ∧ f ≤ t R  0 2 sec.
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 35 / 1
Summary of results
Abstraction tailored for distributed algorithms
threshold-based
fault-tolerant
allows to express different fault assumptions
Verification of threshold-based fault-tolerant algorithms
with threshold guards that are widely used
Byzantine faults (and other)
for all system sizes
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 36 / 1
Related work: non-parameterized
Model checking of the small size instances:
clock synchronization [Steiner, Rushby, Sorea, Pfeifer 2004]
consensus [Tsuchiya, Schiper 2011]
asynchronous agreement, folklore broadcast, condition-based
consensus [John, Konnov, Schmid, Veith, Widder 2013]
and more...
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 37 / 1
Related work: parameterized case
Regular model checking of fault-tolerant distributed protocols:
[Fisman, Kupferman, Lustig 2008]
“First-shot” theoretical framework.
No guards like x ≥ t + 1, only x ≥ 1.
No implementation.
Manual analysis applied to folklore broadcast (crash faults).
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 38 / 1
Related work: parameterized case
Regular model checking of fault-tolerant distributed protocols:
[Fisman, Kupferman, Lustig 2008]
“First-shot” theoretical framework.
No guards like x ≥ t + 1, only x ≥ 1.
No implementation.
Manual analysis applied to folklore broadcast (crash faults).
Backward reachability using SMT with arrays:
[Alberti, Ghilardi, Pagani, Ranise, Rossi 2010-2012]
Implementation.
Experiments on Chandra-Toueg 1990.
No resilience conditions like n  3t.
Safety only.
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 38 / 1
Our current work
Discrete
synchronous
Discrete
partially
synchronous
Discrete
asynchronous
Continuous
synchronous
Continuous
partially
synchronous
One instance/
finite payload
Many inst./
finite payload
Many inst./
unbounded
payload
Messages with
reals
core of {ST87,
BT87, CT96},
MA06 (common),
MR04 (binary)
one-shot broadcast, c.b.consensus
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 39 / 1
Future work: threshold guards + orthogonal features
Discrete
synchronous
Discrete
partially
synchronous
Discrete
asynchronous
Continuous
synchronous
Continuous
partially
synchronous
One instance/
finite payload
Many inst./
finite payload
Many inst./
unbounded
payload
Messages with
reals
core of {ST87,
BT87, CT96},
MA06 (common),
MR04 (binary)
one-shot broadcast, c.b.consensus
DHM12
ST87
AK00
CT96
(failure detector)
DLS86, MA06,
L98 (Paxos)
ST87, BT87,
CT96, DAs with
failure-detectors
DLPSW86
DFLPS13
WS07
ST87 (JACM)
FSFK06
WS09
clock sync
broadcast
approx. agreement
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 39 / 1
Thank you!
http://forsyte.at/software/bymc
Doctoral College: Vienna, Graz, Linz
http://logic-cs.at
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 40 / 1
the implementation
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 41 / 1
Tool Chain: ByMC
Parametric Promela code static analysis + Yices
Parametric Interval Domain D
Parametric data abstraction
with Yices
Parametric Promela code
Parametric counter ab-
straction with Yices
normal
Promela code
Spin
property holds
counterexample
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 42 / 1
Tool Chain: ByMC
Parametric Promela code static analysis + Yices
Parametric Interval Domain D
Parametric data abstraction
with Yices
Parametric Promela code
Parametric counter ab-
straction with Yices
normal
Promela code
Spin
property holds
counterexample
Refine
Concrete counter
representation (VASS)
SMT formula
Yices
counterexample feasible
unsat
sat
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 42 / 1
Tool Chain: ByMC
Parametric Promela code static analysis + Yices
Parametric Interval Domain D
Parametric data abstraction
with Yices
Parametric Promela code
Parametric counter ab-
straction with Yices
normal
Promela code
Spin
property holds
counterexample
Refine
Concrete counter
representation (VASS)
SMT formula
Yices
counterexample feasible
invariant candidates (by the user)
unsat
sat
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 42 / 1
Experimental setup
The tool (source code in OCaml),
the code of the distributed algorithms in Parametric Promela,
and a virtual machine with full setup
are available at: http://forsyte.at/software/bymc
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 43 / 1
Running the tool — concrete case
user specifies parameter value
useful to check whether the code behaves as expected
$bymc/verifyco-spin N=4,T=1,F=1 bcast-byz.pml relay
model checking problem in directory
“./x/spin-bcast-byz-relay-N=4,T=1,F=1”
in concrete.prm
parameters are replaced by numbers
process prototype is replaced with N − F = 3 active processes
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 44 / 1
Running the tool — parameterized model checking
PIA data and counter abstraction
finite-state model checking on abstract model
$bymc/verifypa-spin bcast-omit.pml relay
model checking problem in directory
“./x/bcast-byz-relay-yymmdd-HHMM.*”
directory contains
abs-interval.prm: result of the data abstraction;
abs-counter.prm: result of the counter abstraction;
abs-vass.prm: auxiliary abstraction for abstraction refinement;
mc.out: the last output by Spin;
cex.trace: the counterexample (if there is one);
yices.log: communication log with Yices.
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 45 / 1
Fairness, Refinement, and Invariants
In the Byzantine case we have in transit : ∀i. (nrcvdi ≥ nsnt) and
G F ¬in transit.
In this case communication fairness implies computation fairness.
But in the abstract version nsnt can deviate from the number of
processes who sent the echo message.
In this case the user formulates a simple state invariant candidate,
e.g., nsnt = K([sv = SE ∨ sv = AC]) (on the level of the original
concrete system).
The tool checks automatically, whether the candidate is actually a
state invariant.
After the abstraction the abstract version of the invariant restricts the
behavior of the abstract transition system.
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 46 / 1
Parametric abstraction refinement — justice suppression
justice G F ¬in transit necessary to verify liveness
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 47 / 1
Parametric abstraction refinement — justice suppression
justice G F ¬in transit necessary to verify liveness
counter example:
in transit
in transit
in transit
in transit
in transit
in transit
in transit
s1 in transit
s2
sk
s3
· · ·
· · ·
· · ·
if ∀j all concretizations of sj violate ¬in transit, then CE is spurious.
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 47 / 1
Parametric abstraction refinement — justice suppression
justice G F ¬in transit necessary to verify liveness
counter example:
in transit
in transit
in transit
in transit
in transit
in transit
in transit
s1 in transit
s2
sk
s3
· · ·
· · ·
· · ·
if ∀j all concretizations of sj violate ¬in transit, then CE is spurious.
refine justice to G F ¬in transit ∧ G F
1≤j≤k
¬at(sj )
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 47 / 1
Parametric abstraction refinement — justice suppression
justice G F ¬in transit necessary to verify liveness
counter example:
in transit
in transit
in transit
in transit
in transit
in transit
in transit
s1 in transit
s2
sk
s3
· · ·
· · ·
· · ·
if ∀j all concretizations of sj violate ¬in transit, then CE is spurious.
refine justice to G F ¬in transit ∧ G F
1≤j≤k
¬at(sj )
. . . we use unsat cores to refine several loops at once
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 47 / 1
Parametric abstraction refinement — justice suppression
justice G F ¬in transit necessary to verify liveness
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 48 / 1
Parametric abstraction refinement — justice suppression
justice G F ¬in transit necessary to verify liveness
counter example:
in transit
in transit
in transit
in transit
in transit
in transit
in transit
s1 in transit
s2
sk
s3
· · ·
· · ·
· · ·
if ∀j all concretizations of sj violate ¬in transit, then CE is spurious.
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 48 / 1
Parametric abstraction refinement — justice suppression
justice G F ¬in transit necessary to verify liveness
counter example:
in transit
in transit
in transit
in transit
in transit
in transit
in transit
s1 in transit
s2
sk
s3
· · ·
· · ·
· · ·
if ∀j all concretizations of sj violate ¬in transit, then CE is spurious.
refine justice to G F ¬in transit ∧ G F
1≤j≤k
¬at(sj )
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 48 / 1
Parametric abstraction refinement — justice suppression
justice G F ¬in transit necessary to verify liveness
counter example:
in transit
in transit
in transit
in transit
in transit
in transit
in transit
s1 in transit
s2
sk
s3
· · ·
· · ·
· · ·
if ∀j all concretizations of sj violate ¬in transit, then CE is spurious.
refine justice to G F ¬in transit ∧ G F
1≤j≤k
¬at(sj )
. . . we use unsat cores to refine several loops at once
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 48 / 1
asynchronous reliable broadcast (srikanth  toueg 1987)
the core of the classic broadcast algorithm from the da literature.
it solves an agreement problem depending on the inputs vi .
Variables of process i
vi : {0 , 1} init with 0 or 1
accepti : {0 , 1} init with 0
An indivisible step:
i f vi = 1
then send ( echo ) to all ;
i f received (echo) from at l e a s t
t + 1 distinct processes
and not sent ( echo ) before
then send ( echo ) to all ;
i f received ( echo ) from at l e a s t
n - t distinct processes
then accepti := 1;
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 49 / 1
asynchronous reliable broadcast (srikanth  toueg 1987)
the core of the classic broadcast algorithm from the da literature.
it solves an agreement problem depending on the inputs vi .
Variables of process i
vi : {0 , 1} init with 0 or 1
accepti : {0 , 1} init with 0
An indivisible step:
i f vi = 1
then send ( echo ) to all ;
i f received (echo) from at l e a s t
t + 1 distinct processes
and not sent ( echo ) before
then send ( echo ) to all ;
i f received ( echo ) from at l e a s t
n - t distinct processes
then accepti := 1;
asynchronous
t byzantine faults
correct if n  3t
resilience condition rc
parameterized process
skeleton p(n, t)
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 49 / 1
Abstract CFA
qI
q0
q1
q2
q3
sv = V1
¬(sv = V1) inc nsnt
sv := SE
q4
q5
q6
q7
nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f )
¬(t + 1 ≤ nrcvd)
t + 1 ≤ nrcvd
sv = V0
¬(sv = V0)
inc nsnt
n − t ≤ nrcvd
¬(n − t ≤ nrcvd)
sv := AC
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 50 / 1
Abstract CFA
qI
q0
q1
q2
q3
sv = V1
¬(sv = V1) inc nsnt
sv := SE
q4
q5
q6
q7
nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f )
¬(t + 1 ≤ nrcvd)
t + 1 ≤ nrcvd
sv = V0
¬(sv = V0)
inc nsnt
n − t ≤ nrcvd
¬(n − t ≤ nrcvd)
sv := AC
qI
q0
q1
q2
q3
sv = V1
¬(sv = V1) inc nsnt
sv := SE
q4
q5
q6
q7
nrcvd = I0 ∧ nsnt = I0 ∧ (nrcvd = I0 ∨ nrcvd = I1) ∨ . . .
¬(t + 1 ≤ nrcvd)
nrcvd = It+1 ∨ nrcvd = In−t
sv = V0
¬(sv = V0)
nsnt = I1 ∧ (nsnt = I1 ∨ nsnt = It+1) ∨ . . .
n − t ≤ nrcvd
¬(n − t ≤ nrcvd)
sv := AC
Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 50 / 1

More Related Content

What's hot

Process Synchronization
Process SynchronizationProcess Synchronization
Process SynchronizationSonali Chauhan
 
Lec11 semaphores
Lec11 semaphoresLec11 semaphores
Lec11 semaphoresanandammca
 
Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Jonathan Salwan
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 
Sioux Hot-or-Not: Functional programming: unlocking the real power of multi-c...
Sioux Hot-or-Not: Functional programming: unlocking the real power of multi-c...Sioux Hot-or-Not: Functional programming: unlocking the real power of multi-c...
Sioux Hot-or-Not: Functional programming: unlocking the real power of multi-c...siouxhotornot
 
Process Synchronization
Process SynchronizationProcess Synchronization
Process Synchronizationvinay arora
 
OS Process Synchronization, semaphore and Monitors
OS Process Synchronization, semaphore and MonitorsOS Process Synchronization, semaphore and Monitors
OS Process Synchronization, semaphore and Monitorssgpraju
 
Mutual Exclusion
Mutual ExclusionMutual Exclusion
Mutual ExclusionDavid Evans
 
Critical section problem in operating system.
Critical section problem in operating system.Critical section problem in operating system.
Critical section problem in operating system.MOHIT DADU
 
Concurrency: Mutual Exclusion and Synchronization
Concurrency: Mutual Exclusion and SynchronizationConcurrency: Mutual Exclusion and Synchronization
Concurrency: Mutual Exclusion and SynchronizationAnas Ebrahim
 
Process synchronization(deepa)
Process synchronization(deepa)Process synchronization(deepa)
Process synchronization(deepa)Nagarajan
 
Keynote joearmstrong
Keynote joearmstrongKeynote joearmstrong
Keynote joearmstrongSentifi
 

What's hot (20)

Operating system critical section
Operating system   critical sectionOperating system   critical section
Operating system critical section
 
Semaphores
SemaphoresSemaphores
Semaphores
 
Process Synchronization
Process SynchronizationProcess Synchronization
Process Synchronization
 
OSCh7
OSCh7OSCh7
OSCh7
 
Lec11 semaphores
Lec11 semaphoresLec11 semaphores
Lec11 semaphores
 
Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 
Mutual exclusion
Mutual exclusionMutual exclusion
Mutual exclusion
 
Sioux Hot-or-Not: Functional programming: unlocking the real power of multi-c...
Sioux Hot-or-Not: Functional programming: unlocking the real power of multi-c...Sioux Hot-or-Not: Functional programming: unlocking the real power of multi-c...
Sioux Hot-or-Not: Functional programming: unlocking the real power of multi-c...
 
Process Synchronization
Process SynchronizationProcess Synchronization
Process Synchronization
 
OS Process Synchronization, semaphore and Monitors
OS Process Synchronization, semaphore and MonitorsOS Process Synchronization, semaphore and Monitors
OS Process Synchronization, semaphore and Monitors
 
Os3
Os3Os3
Os3
 
6 Synchronisation
6 Synchronisation6 Synchronisation
6 Synchronisation
 
Monitors
MonitorsMonitors
Monitors
 
Mutual Exclusion
Mutual ExclusionMutual Exclusion
Mutual Exclusion
 
Critical section problem in operating system.
Critical section problem in operating system.Critical section problem in operating system.
Critical section problem in operating system.
 
Concurrency: Mutual Exclusion and Synchronization
Concurrency: Mutual Exclusion and SynchronizationConcurrency: Mutual Exclusion and Synchronization
Concurrency: Mutual Exclusion and Synchronization
 
Critical section operating system
Critical section  operating systemCritical section  operating system
Critical section operating system
 
Process synchronization(deepa)
Process synchronization(deepa)Process synchronization(deepa)
Process synchronization(deepa)
 
Keynote joearmstrong
Keynote joearmstrongKeynote joearmstrong
Keynote joearmstrong
 

Viewers also liked

Model Checking Base on Interoplation
Model Checking Base onInteroplationModel Checking Base onInteroplation
Model Checking Base on Interoplationleticia2307
 
Complex Variable & Numerical Method
Complex Variable & Numerical MethodComplex Variable & Numerical Method
Complex Variable & Numerical MethodNeel Patel
 
GISG 112 Final Presentation
GISG 112 Final PresentationGISG 112 Final Presentation
GISG 112 Final Presentationstevestr
 
numericai matmatic matlab uygulamalar ali abdullah
numericai matmatic  matlab  uygulamalar ali abdullahnumericai matmatic  matlab  uygulamalar ali abdullah
numericai matmatic matlab uygulamalar ali abdullahAli Abdullah
 
Gauss seidel. gustavo villasmil
Gauss seidel. gustavo villasmilGauss seidel. gustavo villasmil
Gauss seidel. gustavo villasmilGustavo Villasmil
 
Power system operation and control lab
Power system operation and control labPower system operation and control lab
Power system operation and control labM Rashid Malik
 
MATLAB : Numerical Differention and Integration
MATLAB : Numerical Differention and IntegrationMATLAB : Numerical Differention and Integration
MATLAB : Numerical Differention and IntegrationAinul Islam
 
Curve and surface interpolation and approximation
Curve and surface interpolation and approximationCurve and surface interpolation and approximation
Curve and surface interpolation and approximationAlejandro Cosin Ayerbe
 
Temeltas Bored Piling 25.06
Temeltas Bored Piling 25.06Temeltas Bored Piling 25.06
Temeltas Bored Piling 25.06Can Cihan Cankat
 
Solving laplace equation using gauss seidel method in matlab
Solving laplace equation using gauss seidel method in matlabSolving laplace equation using gauss seidel method in matlab
Solving laplace equation using gauss seidel method in matlabMohamed Ahmed
 
Exp 5 (1)5. Newton Raphson load flow analysis Matlab Software
Exp 5 (1)5.	Newton Raphson load flow analysis Matlab SoftwareExp 5 (1)5.	Newton Raphson load flow analysis Matlab Software
Exp 5 (1)5. Newton Raphson load flow analysis Matlab SoftwareShweta Yadav
 
Secent method
Secent methodSecent method
Secent methodritu1806
 

Viewers also liked (20)

Model Checking Base on Interoplation
Model Checking Base onInteroplationModel Checking Base onInteroplation
Model Checking Base on Interoplation
 
Tom Impelluso,2008 Fellow, 1st Iteration Course Design
Tom Impelluso,2008 Fellow,  1st Iteration Course DesignTom Impelluso,2008 Fellow,  1st Iteration Course Design
Tom Impelluso,2008 Fellow, 1st Iteration Course Design
 
Book
BookBook
Book
 
Complex Variable & Numerical Method
Complex Variable & Numerical MethodComplex Variable & Numerical Method
Complex Variable & Numerical Method
 
GISG 112 Final Presentation
GISG 112 Final PresentationGISG 112 Final Presentation
GISG 112 Final Presentation
 
numericai matmatic matlab uygulamalar ali abdullah
numericai matmatic  matlab  uygulamalar ali abdullahnumericai matmatic  matlab  uygulamalar ali abdullah
numericai matmatic matlab uygulamalar ali abdullah
 
Gauss seidel. gustavo villasmil
Gauss seidel. gustavo villasmilGauss seidel. gustavo villasmil
Gauss seidel. gustavo villasmil
 
Lecture 13
Lecture 13Lecture 13
Lecture 13
 
Power system operation and control lab
Power system operation and control labPower system operation and control lab
Power system operation and control lab
 
02 newton-raphson
02 newton-raphson02 newton-raphson
02 newton-raphson
 
MATLAB : Numerical Differention and Integration
MATLAB : Numerical Differention and IntegrationMATLAB : Numerical Differention and Integration
MATLAB : Numerical Differention and Integration
 
Curve and surface interpolation and approximation
Curve and surface interpolation and approximationCurve and surface interpolation and approximation
Curve and surface interpolation and approximation
 
Secante
SecanteSecante
Secante
 
Temeltas Bored Piling 25.06
Temeltas Bored Piling 25.06Temeltas Bored Piling 25.06
Temeltas Bored Piling 25.06
 
Lecture 3
Lecture 3Lecture 3
Lecture 3
 
Solving laplace equation using gauss seidel method in matlab
Solving laplace equation using gauss seidel method in matlabSolving laplace equation using gauss seidel method in matlab
Solving laplace equation using gauss seidel method in matlab
 
Secant method
Secant methodSecant method
Secant method
 
metode iterasi Gauss seidel
metode iterasi Gauss seidelmetode iterasi Gauss seidel
metode iterasi Gauss seidel
 
Exp 5 (1)5. Newton Raphson load flow analysis Matlab Software
Exp 5 (1)5.	Newton Raphson load flow analysis Matlab SoftwareExp 5 (1)5.	Newton Raphson load flow analysis Matlab Software
Exp 5 (1)5. Newton Raphson load flow analysis Matlab Software
 
Secent method
Secent methodSecent method
Secent method
 

Similar to Parametrized Model Checking of Fault Tolerant Distributed Algorithms by Abstraction (part 1)

Anlysis and design of algorithms part 1
Anlysis and design of algorithms part 1Anlysis and design of algorithms part 1
Anlysis and design of algorithms part 1Deepak John
 
Digital Signal Processing Tutorial:Chapt 1 signal and systems
Digital Signal Processing Tutorial:Chapt 1 signal and systemsDigital Signal Processing Tutorial:Chapt 1 signal and systems
Digital Signal Processing Tutorial:Chapt 1 signal and systemsChandrashekhar Padole
 
Business Analytics CHAPTER 16 STOCHASTIC MODELS Business Analytics.PPTX
Business Analytics CHAPTER 16 STOCHASTIC MODELS Business Analytics.PPTXBusiness Analytics CHAPTER 16 STOCHASTIC MODELS Business Analytics.PPTX
Business Analytics CHAPTER 16 STOCHASTIC MODELS Business Analytics.PPTXPavithra M. R
 
19 algorithms-and-complexity-110627100203-phpapp02
19 algorithms-and-complexity-110627100203-phpapp0219 algorithms-and-complexity-110627100203-phpapp02
19 algorithms-and-complexity-110627100203-phpapp02Muhammad Aslam
 
EXTENT-2016: Industry Practices of Advanced Program Analysis
EXTENT-2016: Industry Practices of Advanced Program AnalysisEXTENT-2016: Industry Practices of Advanced Program Analysis
EXTENT-2016: Industry Practices of Advanced Program AnalysisIosif Itkin
 
Event Stream Processing with Multiple Threads
Event Stream Processing with Multiple ThreadsEvent Stream Processing with Multiple Threads
Event Stream Processing with Multiple ThreadsSylvain Hallé
 
Real Time Filtering on Embedded ARM
Real Time Filtering on Embedded ARMReal Time Filtering on Embedded ARM
Real Time Filtering on Embedded ARMVincent Claes
 
Lightweight Neighborhood Cardinality Estimation in Dynamic Wireless Networks ...
Lightweight Neighborhood Cardinality Estimation in Dynamic Wireless Networks ...Lightweight Neighborhood Cardinality Estimation in Dynamic Wireless Networks ...
Lightweight Neighborhood Cardinality Estimation in Dynamic Wireless Networks ...Marco Cattani
 
INTRUSION DETECTION SYSTEM USING DISCRETE FOURIER TRANSFORM WITH WINDOW FUNCTION
INTRUSION DETECTION SYSTEM USING DISCRETE FOURIER TRANSFORM WITH WINDOW FUNCTIONINTRUSION DETECTION SYSTEM USING DISCRETE FOURIER TRANSFORM WITH WINDOW FUNCTION
INTRUSION DETECTION SYSTEM USING DISCRETE FOURIER TRANSFORM WITH WINDOW FUNCTIONIJNSA Journal
 
INTRUSION DETECTION SYSTEM USING DISCRETE FOURIER TRANSFORM WITH WINDOW FUNCTION
INTRUSION DETECTION SYSTEM USING DISCRETE FOURIER TRANSFORM WITH WINDOW FUNCTIONINTRUSION DETECTION SYSTEM USING DISCRETE FOURIER TRANSFORM WITH WINDOW FUNCTION
INTRUSION DETECTION SYSTEM USING DISCRETE FOURIER TRANSFORM WITH WINDOW FUNCTIONIJNSA Journal
 
Intrusion detection system using discrete fourier transform with window function
Intrusion detection system using discrete fourier transform with window functionIntrusion detection system using discrete fourier transform with window function
Intrusion detection system using discrete fourier transform with window functionIJNSA Journal
 
Selm Falzon Compressed
Selm Falzon CompressedSelm Falzon Compressed
Selm Falzon Compressedgfalzon2
 
Correctness attraction __kth_2017
Correctness attraction __kth_2017Correctness attraction __kth_2017
Correctness attraction __kth_2017Benjamin Danglot
 
Node Unique Label Cover
Node Unique Label CoverNode Unique Label Cover
Node Unique Label Covermsramanujan
 
Spectral-, source-, connectivity- and network analysis of EEG and MEG data
Spectral-, source-, connectivity- and network analysis of EEG and MEG dataSpectral-, source-, connectivity- and network analysis of EEG and MEG data
Spectral-, source-, connectivity- and network analysis of EEG and MEG dataRadboud University
 
Extended Kalman observer based sensor fault detection
Extended Kalman observer based sensor fault detectionExtended Kalman observer based sensor fault detection
Extended Kalman observer based sensor fault detectionIJECEIAES
 

Similar to Parametrized Model Checking of Fault Tolerant Distributed Algorithms by Abstraction (part 1) (20)

Anlysis and design of algorithms part 1
Anlysis and design of algorithms part 1Anlysis and design of algorithms part 1
Anlysis and design of algorithms part 1
 
Digital Signal Processing Tutorial:Chapt 1 signal and systems
Digital Signal Processing Tutorial:Chapt 1 signal and systemsDigital Signal Processing Tutorial:Chapt 1 signal and systems
Digital Signal Processing Tutorial:Chapt 1 signal and systems
 
PBFT
PBFTPBFT
PBFT
 
Vft
VftVft
Vft
 
Business Analytics CHAPTER 16 STOCHASTIC MODELS Business Analytics.PPTX
Business Analytics CHAPTER 16 STOCHASTIC MODELS Business Analytics.PPTXBusiness Analytics CHAPTER 16 STOCHASTIC MODELS Business Analytics.PPTX
Business Analytics CHAPTER 16 STOCHASTIC MODELS Business Analytics.PPTX
 
19 algorithms-and-complexity-110627100203-phpapp02
19 algorithms-and-complexity-110627100203-phpapp0219 algorithms-and-complexity-110627100203-phpapp02
19 algorithms-and-complexity-110627100203-phpapp02
 
EXTENT-2016: Industry Practices of Advanced Program Analysis
EXTENT-2016: Industry Practices of Advanced Program AnalysisEXTENT-2016: Industry Practices of Advanced Program Analysis
EXTENT-2016: Industry Practices of Advanced Program Analysis
 
Event Stream Processing with Multiple Threads
Event Stream Processing with Multiple ThreadsEvent Stream Processing with Multiple Threads
Event Stream Processing with Multiple Threads
 
Real Time Filtering on Embedded ARM
Real Time Filtering on Embedded ARMReal Time Filtering on Embedded ARM
Real Time Filtering on Embedded ARM
 
01-algo.ppt
01-algo.ppt01-algo.ppt
01-algo.ppt
 
Dsp 2marks
Dsp 2marksDsp 2marks
Dsp 2marks
 
Lightweight Neighborhood Cardinality Estimation in Dynamic Wireless Networks ...
Lightweight Neighborhood Cardinality Estimation in Dynamic Wireless Networks ...Lightweight Neighborhood Cardinality Estimation in Dynamic Wireless Networks ...
Lightweight Neighborhood Cardinality Estimation in Dynamic Wireless Networks ...
 
INTRUSION DETECTION SYSTEM USING DISCRETE FOURIER TRANSFORM WITH WINDOW FUNCTION
INTRUSION DETECTION SYSTEM USING DISCRETE FOURIER TRANSFORM WITH WINDOW FUNCTIONINTRUSION DETECTION SYSTEM USING DISCRETE FOURIER TRANSFORM WITH WINDOW FUNCTION
INTRUSION DETECTION SYSTEM USING DISCRETE FOURIER TRANSFORM WITH WINDOW FUNCTION
 
INTRUSION DETECTION SYSTEM USING DISCRETE FOURIER TRANSFORM WITH WINDOW FUNCTION
INTRUSION DETECTION SYSTEM USING DISCRETE FOURIER TRANSFORM WITH WINDOW FUNCTIONINTRUSION DETECTION SYSTEM USING DISCRETE FOURIER TRANSFORM WITH WINDOW FUNCTION
INTRUSION DETECTION SYSTEM USING DISCRETE FOURIER TRANSFORM WITH WINDOW FUNCTION
 
Intrusion detection system using discrete fourier transform with window function
Intrusion detection system using discrete fourier transform with window functionIntrusion detection system using discrete fourier transform with window function
Intrusion detection system using discrete fourier transform with window function
 
Selm Falzon Compressed
Selm Falzon CompressedSelm Falzon Compressed
Selm Falzon Compressed
 
Correctness attraction __kth_2017
Correctness attraction __kth_2017Correctness attraction __kth_2017
Correctness attraction __kth_2017
 
Node Unique Label Cover
Node Unique Label CoverNode Unique Label Cover
Node Unique Label Cover
 
Spectral-, source-, connectivity- and network analysis of EEG and MEG data
Spectral-, source-, connectivity- and network analysis of EEG and MEG dataSpectral-, source-, connectivity- and network analysis of EEG and MEG data
Spectral-, source-, connectivity- and network analysis of EEG and MEG data
 
Extended Kalman observer based sensor fault detection
Extended Kalman observer based sensor fault detectionExtended Kalman observer based sensor fault detection
Extended Kalman observer based sensor fault detection
 

More from Iosif Itkin

Foundations of Software Testing Lecture 4
Foundations of Software Testing Lecture 4Foundations of Software Testing Lecture 4
Foundations of Software Testing Lecture 4Iosif Itkin
 
QA Financial Forum London 2021 - Automation in Software Testing. Humans and C...
QA Financial Forum London 2021 - Automation in Software Testing. Humans and C...QA Financial Forum London 2021 - Automation in Software Testing. Humans and C...
QA Financial Forum London 2021 - Automation in Software Testing. Humans and C...Iosif Itkin
 
Exactpro FinTech Webinar - Global Exchanges Test Oracles
Exactpro FinTech Webinar - Global Exchanges Test OraclesExactpro FinTech Webinar - Global Exchanges Test Oracles
Exactpro FinTech Webinar - Global Exchanges Test OraclesIosif Itkin
 
Exactpro FinTech Webinar - Global Exchanges FIX Protocol
Exactpro FinTech Webinar - Global Exchanges FIX ProtocolExactpro FinTech Webinar - Global Exchanges FIX Protocol
Exactpro FinTech Webinar - Global Exchanges FIX ProtocolIosif Itkin
 
Operational Resilience in Financial Market Infrastructures
Operational Resilience in Financial Market InfrastructuresOperational Resilience in Financial Market Infrastructures
Operational Resilience in Financial Market InfrastructuresIosif Itkin
 
20 Simple Questions from Exactpro for Your Enjoyment This Holiday Season
20 Simple Questions from Exactpro for Your Enjoyment This Holiday Season20 Simple Questions from Exactpro for Your Enjoyment This Holiday Season
20 Simple Questions from Exactpro for Your Enjoyment This Holiday SeasonIosif Itkin
 
Testing the Intelligence of your AI
Testing the Intelligence of your AITesting the Intelligence of your AI
Testing the Intelligence of your AIIosif Itkin
 
EXTENT 2019: Exactpro Quality Assurance for Financial Market Infrastructures
EXTENT 2019: Exactpro Quality Assurance for Financial Market InfrastructuresEXTENT 2019: Exactpro Quality Assurance for Financial Market Infrastructures
EXTENT 2019: Exactpro Quality Assurance for Financial Market InfrastructuresIosif Itkin
 
ClearTH Test Automation Framework: Case Study in IRS & CDS Swaps Lifecycle Mo...
ClearTH Test Automation Framework: Case Study in IRS & CDS Swaps Lifecycle Mo...ClearTH Test Automation Framework: Case Study in IRS & CDS Swaps Lifecycle Mo...
ClearTH Test Automation Framework: Case Study in IRS & CDS Swaps Lifecycle Mo...Iosif Itkin
 
EXTENT Talks 2019 Tbilisi: Failover and Recovery Test Automation - Ivan Shamrai
EXTENT Talks 2019 Tbilisi: Failover and Recovery Test Automation - Ivan ShamraiEXTENT Talks 2019 Tbilisi: Failover and Recovery Test Automation - Ivan Shamrai
EXTENT Talks 2019 Tbilisi: Failover and Recovery Test Automation - Ivan ShamraiIosif Itkin
 
EXTENT Talks QA Community Tbilisi 20 April 2019 - Conference Open
EXTENT Talks QA Community Tbilisi 20 April 2019 - Conference OpenEXTENT Talks QA Community Tbilisi 20 April 2019 - Conference Open
EXTENT Talks QA Community Tbilisi 20 April 2019 - Conference OpenIosif Itkin
 
User-Assisted Log Analysis for Quality Control of Distributed Fintech Applica...
User-Assisted Log Analysis for Quality Control of Distributed Fintech Applica...User-Assisted Log Analysis for Quality Control of Distributed Fintech Applica...
User-Assisted Log Analysis for Quality Control of Distributed Fintech Applica...Iosif Itkin
 
QAFF Chicago 2019 - Complex Post-Trade Systems, Requirements Traceability and...
QAFF Chicago 2019 - Complex Post-Trade Systems, Requirements Traceability and...QAFF Chicago 2019 - Complex Post-Trade Systems, Requirements Traceability and...
QAFF Chicago 2019 - Complex Post-Trade Systems, Requirements Traceability and...Iosif Itkin
 
QA Community Saratov: Past, Present, Future (2019-02-08)
QA Community Saratov: Past, Present, Future (2019-02-08)QA Community Saratov: Past, Present, Future (2019-02-08)
QA Community Saratov: Past, Present, Future (2019-02-08)Iosif Itkin
 
Machine Learning and RoboCop Testing
Machine Learning and RoboCop TestingMachine Learning and RoboCop Testing
Machine Learning and RoboCop TestingIosif Itkin
 
Behaviour Driven Development: Oltre i limiti del possibile
Behaviour Driven Development: Oltre i limiti del possibileBehaviour Driven Development: Oltre i limiti del possibile
Behaviour Driven Development: Oltre i limiti del possibileIosif Itkin
 
2018 - Exactpro Year in Review
2018 - Exactpro Year in Review2018 - Exactpro Year in Review
2018 - Exactpro Year in ReviewIosif Itkin
 
Exactpro Discussion about Joy and Strategy
Exactpro Discussion about Joy and StrategyExactpro Discussion about Joy and Strategy
Exactpro Discussion about Joy and StrategyIosif Itkin
 
FIX EMEA Conference 2018 - Post Trade Software Testing Challenges
FIX EMEA Conference 2018 - Post Trade Software Testing ChallengesFIX EMEA Conference 2018 - Post Trade Software Testing Challenges
FIX EMEA Conference 2018 - Post Trade Software Testing ChallengesIosif Itkin
 
BDD. The Outer Limits. Iosif Itkin at Youcon (in Russian)
BDD. The Outer Limits. Iosif Itkin at Youcon (in Russian)BDD. The Outer Limits. Iosif Itkin at Youcon (in Russian)
BDD. The Outer Limits. Iosif Itkin at Youcon (in Russian)Iosif Itkin
 

More from Iosif Itkin (20)

Foundations of Software Testing Lecture 4
Foundations of Software Testing Lecture 4Foundations of Software Testing Lecture 4
Foundations of Software Testing Lecture 4
 
QA Financial Forum London 2021 - Automation in Software Testing. Humans and C...
QA Financial Forum London 2021 - Automation in Software Testing. Humans and C...QA Financial Forum London 2021 - Automation in Software Testing. Humans and C...
QA Financial Forum London 2021 - Automation in Software Testing. Humans and C...
 
Exactpro FinTech Webinar - Global Exchanges Test Oracles
Exactpro FinTech Webinar - Global Exchanges Test OraclesExactpro FinTech Webinar - Global Exchanges Test Oracles
Exactpro FinTech Webinar - Global Exchanges Test Oracles
 
Exactpro FinTech Webinar - Global Exchanges FIX Protocol
Exactpro FinTech Webinar - Global Exchanges FIX ProtocolExactpro FinTech Webinar - Global Exchanges FIX Protocol
Exactpro FinTech Webinar - Global Exchanges FIX Protocol
 
Operational Resilience in Financial Market Infrastructures
Operational Resilience in Financial Market InfrastructuresOperational Resilience in Financial Market Infrastructures
Operational Resilience in Financial Market Infrastructures
 
20 Simple Questions from Exactpro for Your Enjoyment This Holiday Season
20 Simple Questions from Exactpro for Your Enjoyment This Holiday Season20 Simple Questions from Exactpro for Your Enjoyment This Holiday Season
20 Simple Questions from Exactpro for Your Enjoyment This Holiday Season
 
Testing the Intelligence of your AI
Testing the Intelligence of your AITesting the Intelligence of your AI
Testing the Intelligence of your AI
 
EXTENT 2019: Exactpro Quality Assurance for Financial Market Infrastructures
EXTENT 2019: Exactpro Quality Assurance for Financial Market InfrastructuresEXTENT 2019: Exactpro Quality Assurance for Financial Market Infrastructures
EXTENT 2019: Exactpro Quality Assurance for Financial Market Infrastructures
 
ClearTH Test Automation Framework: Case Study in IRS & CDS Swaps Lifecycle Mo...
ClearTH Test Automation Framework: Case Study in IRS & CDS Swaps Lifecycle Mo...ClearTH Test Automation Framework: Case Study in IRS & CDS Swaps Lifecycle Mo...
ClearTH Test Automation Framework: Case Study in IRS & CDS Swaps Lifecycle Mo...
 
EXTENT Talks 2019 Tbilisi: Failover and Recovery Test Automation - Ivan Shamrai
EXTENT Talks 2019 Tbilisi: Failover and Recovery Test Automation - Ivan ShamraiEXTENT Talks 2019 Tbilisi: Failover and Recovery Test Automation - Ivan Shamrai
EXTENT Talks 2019 Tbilisi: Failover and Recovery Test Automation - Ivan Shamrai
 
EXTENT Talks QA Community Tbilisi 20 April 2019 - Conference Open
EXTENT Talks QA Community Tbilisi 20 April 2019 - Conference OpenEXTENT Talks QA Community Tbilisi 20 April 2019 - Conference Open
EXTENT Talks QA Community Tbilisi 20 April 2019 - Conference Open
 
User-Assisted Log Analysis for Quality Control of Distributed Fintech Applica...
User-Assisted Log Analysis for Quality Control of Distributed Fintech Applica...User-Assisted Log Analysis for Quality Control of Distributed Fintech Applica...
User-Assisted Log Analysis for Quality Control of Distributed Fintech Applica...
 
QAFF Chicago 2019 - Complex Post-Trade Systems, Requirements Traceability and...
QAFF Chicago 2019 - Complex Post-Trade Systems, Requirements Traceability and...QAFF Chicago 2019 - Complex Post-Trade Systems, Requirements Traceability and...
QAFF Chicago 2019 - Complex Post-Trade Systems, Requirements Traceability and...
 
QA Community Saratov: Past, Present, Future (2019-02-08)
QA Community Saratov: Past, Present, Future (2019-02-08)QA Community Saratov: Past, Present, Future (2019-02-08)
QA Community Saratov: Past, Present, Future (2019-02-08)
 
Machine Learning and RoboCop Testing
Machine Learning and RoboCop TestingMachine Learning and RoboCop Testing
Machine Learning and RoboCop Testing
 
Behaviour Driven Development: Oltre i limiti del possibile
Behaviour Driven Development: Oltre i limiti del possibileBehaviour Driven Development: Oltre i limiti del possibile
Behaviour Driven Development: Oltre i limiti del possibile
 
2018 - Exactpro Year in Review
2018 - Exactpro Year in Review2018 - Exactpro Year in Review
2018 - Exactpro Year in Review
 
Exactpro Discussion about Joy and Strategy
Exactpro Discussion about Joy and StrategyExactpro Discussion about Joy and Strategy
Exactpro Discussion about Joy and Strategy
 
FIX EMEA Conference 2018 - Post Trade Software Testing Challenges
FIX EMEA Conference 2018 - Post Trade Software Testing ChallengesFIX EMEA Conference 2018 - Post Trade Software Testing Challenges
FIX EMEA Conference 2018 - Post Trade Software Testing Challenges
 
BDD. The Outer Limits. Iosif Itkin at Youcon (in Russian)
BDD. The Outer Limits. Iosif Itkin at Youcon (in Russian)BDD. The Outer Limits. Iosif Itkin at Youcon (in Russian)
BDD. The Outer Limits. Iosif Itkin at Youcon (in Russian)
 

Recently uploaded

HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfMohonDas
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxMYDA ANGELICA SUAN
 
How to Print Employee Resume in the Odoo 17
How to Print Employee Resume in the Odoo 17How to Print Employee Resume in the Odoo 17
How to Print Employee Resume in the Odoo 17Celine George
 
3.19.24 Urban Uprisings and the Chicago Freedom Movement.pptx
3.19.24 Urban Uprisings and the Chicago Freedom Movement.pptx3.19.24 Urban Uprisings and the Chicago Freedom Movement.pptx
3.19.24 Urban Uprisings and the Chicago Freedom Movement.pptxmary850239
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational PhilosophyShuvankar Madhu
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.EnglishCEIPdeSigeiro
 
Latin American Revolutions, c. 1789-1830
Latin American Revolutions, c. 1789-1830Latin American Revolutions, c. 1789-1830
Latin American Revolutions, c. 1789-1830Dave Phillips
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17Celine George
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfTechSoup
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17Celine George
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfYu Kanazawa / Osaka University
 
Practical Research 1 Lesson 9 Scope and delimitation.pptx
Practical Research 1 Lesson 9 Scope and delimitation.pptxPractical Research 1 Lesson 9 Scope and delimitation.pptx
Practical Research 1 Lesson 9 Scope and delimitation.pptxKatherine Villaluna
 
CapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapitolTechU
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxiammrhaywood
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptxraviapr7
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxKatherine Villaluna
 
CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxSaurabhParmar42
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.raviapr7
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationMJDuyan
 

Recently uploaded (20)

HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdf
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptx
 
How to Print Employee Resume in the Odoo 17
How to Print Employee Resume in the Odoo 17How to Print Employee Resume in the Odoo 17
How to Print Employee Resume in the Odoo 17
 
3.19.24 Urban Uprisings and the Chicago Freedom Movement.pptx
3.19.24 Urban Uprisings and the Chicago Freedom Movement.pptx3.19.24 Urban Uprisings and the Chicago Freedom Movement.pptx
3.19.24 Urban Uprisings and the Chicago Freedom Movement.pptx
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational Philosophy
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.
 
Latin American Revolutions, c. 1789-1830
Latin American Revolutions, c. 1789-1830Latin American Revolutions, c. 1789-1830
Latin American Revolutions, c. 1789-1830
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
 
Practical Research 1 Lesson 9 Scope and delimitation.pptx
Practical Research 1 Lesson 9 Scope and delimitation.pptxPractical Research 1 Lesson 9 Scope and delimitation.pptx
Practical Research 1 Lesson 9 Scope and delimitation.pptx
 
CapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptx
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
 
CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptx
 
Finals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quizFinals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quiz
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive Education
 

Parametrized Model Checking of Fault Tolerant Distributed Algorithms by Abstraction (part 1)

  • 1. Model Checking of Fault-Tolerant Distributed Algorithms Part III: Parameterized Model Checking of Fault-tolerant Distributed Algorithms by Abstraction Annu Gmeiner Igor Konnov Ulrich Schmid Helmut Veith Josef Widder TMPA 2014, Kostroma, Russia Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 1 / 1
  • 2. Fault-tolerant DAs: Model Checking Challenges unbounded data types counting how many messages have been received parameterization in multiple parameters among n processes f ≤ t are faulty with n > 3t contrast to concurrent programs fault tolerance against adverse environments degrees of concurrency many degrees of partial synchrony continuous time fault-tolerant clock synchronization Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 2 / 1
  • 3. Distributed algorithms: computational model and faults In previous parts, we considered algorithms operating in the classic model by [Fischer, Lynch, Paterson’85] Environment: Asynchronous processes (interleaving semantics) Reliable asynchronous message passing (non-blocking send and receive) Faults: crashes and clean crashes, omission faults, symmetric faults, Byzantine faults Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 3 / 1
  • 4. Model checking problem for fault-tolerant DA algorithms Parameterized model checking problem: given a distributed algorithm and spec. ϕ show for all n, t, and f satisfying n > 3t ∧ t ≥ f ≥ 0 M(n, t, f ) |= ϕ every M(n, t, f ) is a system of n − f correct processes n ? ? ? t n ? ? ? t f Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 4 / 1
  • 5. Model checking problem for fault-tolerant DA algorithms Parameterized model checking problem: given a distributed algorithm and spec. ϕ show for all n, t, and f satisfying resilience condition M(n, t, f ) |= ϕ every M(n, t, f ) is a system of N(n, f ) correct processes n ? ? ? t n ? ? ? t f Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 4 / 1
  • 6. Properties in Linear Temporal Logic Unforgeability (U). If vi = 0 for all correct processes i, then for all correct processes j, acceptj remains 0 forever. G n−f i=1 vi = 0 → G n−f j=1 acceptj = 0 Completeness (C). If vi = 1 for all correct processes i, then there is a correct process j that eventually sets acceptj to 1. G n−f i=1 vi = 1 → F n−f j=1 acceptj = 1 Relay (R). If a correct process i sets accepti to 1, then eventually all correct processes j set acceptj to 1. G n−f i=1 accepti = 1 → F n−f j=1 acceptj = 1 Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 5 / 1
  • 7. Properties in Linear Temporal Logic Unforgeability (U). If vi = 0 for all correct processes i, then for all correct processes j, acceptj remains 0 forever. G n−f i=1 vi = 0 → G n−f j=1 acceptj = 0 Safety Completeness (C). If vi = 1 for all correct processes i, then there is a correct process j that eventually sets acceptj to 1. G n−f i=1 vi = 1 → F n−f j=1 acceptj = 1 Liveness Relay (R). If a correct process i sets accepti to 1, then eventually all correct processes j set acceptj to 1. G n−f i=1 accepti = 1 → F n−f j=1 acceptj = 1 Liveness Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 5 / 1
  • 8. Threshold-guarded fault-tolerant distributed algorithms Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 6 / 1
  • 9. Threshold-guarded FTDAs Fault-free construct: quantified guards (t=f=0) Existential Guard if received m from some process then ... Universal Guard if received m from all processes then ... These guards allow one to treat the processes in a parameterized way Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 7 / 1
  • 10. Threshold-guarded FTDAs Fault-free construct: quantified guards (t=f=0) Existential Guard if received m from some process then ... Universal Guard if received m from all processes then ... These guards allow one to treat the processes in a parameterized way what if faults might occur? Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 7 / 1
  • 11. Threshold-guarded FTDAs Fault-free construct: quantified guards (t=f=0) Existential Guard if received m from some process then ... Universal Guard if received m from all processes then ... These guards allow one to treat the processes in a parameterized way what if faults might occur? Fault-Tolerant Algorithms: n processes, at most t are Byzantine Threshold Guard if received m from n − t processes then ... (the processes cannot refer to f!) Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 7 / 1
  • 12. Threshold-based fault-tolerant distributed algorithms The parameters (n, t, f ) are fixed in each run Main loop with the body executed atomically Processes are anonymous (no identifiers) Receiving messages, counting them and comparing to thresholds, e.g., if received <ECHO> from t + 1 distinct processes then ... Sending messages to all processes, e.g., send <ECHO> to all Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 8 / 1
  • 13. Control Flow Automata Variables of process i vi : {0 , 1} init with 0 or 1 accepti : {0 , 1} init with 0 An indivisible step: i f vi = 1 then send ( echo ) to all ; i f received (echo) from at l e a s t t + 1 distinct processes and not sent ( echo ) before then send ( echo ) to all ; i f received ( echo ) from at l e a s t n - t distinct processes then accepti := 1; n − f copies of the process qI q0 q1 q2 q3 sv = V1 ¬(sv = V1) inc nsnt sv := SE q4 q5 q6 q7 q8 qF nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f ) ¬(t + 1 ≤ nrcvd) t + 1 ≤ nrcvd sv = V0 ¬(sv = V0) inc nsnt n − t ≤ nrcvd ¬(n − t ≤ nrcvd) sv := SE sv := AC Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 9 / 1
  • 14. Counting argument in threshold-guarded algorithms n t f if received m from t + 1 processes then ... t + 1 Correct processes count distinct incoming messages Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 10 / 1
  • 15. Counting argument in threshold-guarded algorithms n t f if received m from t + 1 processes then ... t + 1 Correct processes count distinct incoming messages Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 10 / 1
  • 16. Counting argument in threshold-guarded algorithms n t f if received m from t + 1 processes then ... t + 1 at least one non-faulty sent the message Correct processes count distinct incoming messages Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 10 / 1
  • 17. qI q0 q1 q2 q3 sv = V1 ¬(sv = V1) inc nsnt sv := SE q4 q5 q6 q7 q8 qF nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f ) ¬(t + 1 ≤ nrcvd) t + 1 ≤ nrcvd sv = V0 ¬(sv = V0) inc nsnt n − t ≤ nrcvd ¬(n − t ≤ nrcvd) sv := SE sv := AC concrete values are not important thresholds are essential: 0, 1, t + 1, n − t Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 11 / 1
  • 18. qI q0 q1 q2 q3 sv = V1 ¬(sv = V1) inc nsnt sv := SE q4 q5 q6 q7 q8 qF nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f ) ¬(t + 1 ≤ nrcvd) t + 1 ≤ nrcvd sv = V0 ¬(sv = V0) inc nsnt n − t ≤ nrcvd ¬(n − t ≤ nrcvd) sv := SE sv := AC concrete values are not important thresholds are essential: 0, 1, t + 1, n − t intervals with symbolic boundaries: I0 = [0, 1) I1 = [1, t + 1) It+1 = [t + 1, n − t) In−t = [n − t, ∞) Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 11 / 1
  • 19. qI q0 q1 q2 q3 sv = V1 ¬(sv = V1) inc nsnt sv := SE q4 q5 q6 q7 q8 qF nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f ) ¬(t + 1 ≤ nrcvd) t + 1 ≤ nrcvd sv = V0 ¬(sv = V0) inc nsnt n − t ≤ nrcvd ¬(n − t ≤ nrcvd) sv := SE sv := AC concrete values are not important thresholds are essential: 0, 1, t + 1, n − t intervals with symbolic boundaries: I0 = [0, 1) I1 = [1, t + 1) It+1 = [t + 1, n − t) In−t = [n − t, ∞) Parameteric Interval Abstraction (PIA) Similar to interval abstraction: [t + 1, n − t) rather than [4, 10). Total order: 0 < 1 < t + 1 < n − t for all parameters satisfying RC: n > 3t, t ≥ f ≥ 0. Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 11 / 1
  • 20. Technical challenges We have to reduce the verification of an infinite number of instances where 1 the process code is parameterized 2 the number of processes is parameterized to one finite state model checking instance Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 12 / 1
  • 21. Technical challenges We have to reduce the verification of an infinite number of instances where 1 the process code is parameterized 2 the number of processes is parameterized to one finite state model checking instance We do that by: 1 PIA data abstraction 2 PIA counter abstraction Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 12 / 1
  • 22. Technical challenges We have to reduce the verification of an infinite number of instances where 1 the process code is parameterized 2 the number of processes is parameterized to one finite state model checking instance We do that by: 1 PIA data abstraction 2 PIA counter abstraction abstraction is an over approximation ⇒ possible abstract behavior that does not correspond to a concrete behavior. 3 Refining spurious counter-examples Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 12 / 1
  • 23. Abstraction overview Parameterized family M(n, t, f ) = P(n, t, f ) · · · P(n, t, f ) N(n,t,f ) processes : n > 3t, t ≥ f , f ≥ 0} extract Parametric Interval Domain D parametric interval data abstraction Uniform parameterized family ˆM(n, t, f ) = ˆP · · · ˆP N(n,t,f ) processes : n > 3t, t ≥ f , f ≥ 0} P does not depend on n, t, f P simulates P(n, t, f ) change representation Counter representation parametric interval counter abstraction one abstract system A that simulates for every n, t, f the behavior of M(n, t, f ) Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 13 / 1
  • 24. Abstraction overview Parameterized family M(n, t, f ) = P(n, t, f ) · · · P(n, t, f ) N(n,t,f ) processes : n > 3t, t ≥ f , f ≥ 0} extract Parametric Interval Domain D parametric interval data abstraction Uniform parameterized family ˆM(n, t, f ) = ˆP · · · ˆP N(n,t,f ) processes : n > 3t, t ≥ f , f ≥ 0} P does not depend on n, t, f P simulates P(n, t, f ) change representation Counter representation parametric interval counter abstraction one abstract system A that simulates for every n, t, f the behavior of M(n, t, f ) finite-state model checkin replay the counter-example refine the system Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 13 / 1
  • 25. Data abstraction Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 14 / 1
  • 26. qI q0 q1 q2 q3 sv = V1 ¬(sv = V1) inc nsnt sv := SE q4 q5 q6 q7 q8 qF nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f ) ¬(t + 1 ≤ nrcvd) t + 1 ≤ nrcvd sv = V0 ¬(sv = V0) inc nsnt n − t ≤ nrcvd ¬(n − t ≤ nrcvd) sv := SE sv := AC concrete values are not important thresholds are essential: 0, 1, t + 1, n − t intervals with symbolic boundaries: I0 = [0, 1) I1 = [1, t + 1) It+1 = [t + 1, n − t) In−t = [n − t, ∞) Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 15 / 1
  • 27. Abstract operations Concrete: Abstract: 0 1 t + 1 n − t above · · · I0 I1 It+1 In−t Concrete t + 1 ≤ x Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 16 / 1
  • 28. Abstract operations Concrete: Abstract: 0 1 t + 1 n − t above · · · I0 I1 It+1 In−t Concrete t + 1 ≤ x is abstracted as x = It+1 ∨ x = In−t. Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 16 / 1
  • 29. Abstract operations Concrete: Abstract: 0 1 t + 1 n − t above · · · I0 I1 It+1 In−t Concrete t + 1 ≤ x is abstracted as x = It+1 ∨ x = In−t. Concrete x = x + 1, Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 16 / 1
  • 30. Abstract operations Concrete: Abstract: 0 1 t + 1 n − t above · · · I0 I1I0 I1 It+1 In−t Concrete t + 1 ≤ x is abstracted as x = It+1 ∨ x = In−t. Concrete x = x + 1, is abstracted as: x = I0 ∧ x = I1 . . . Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 16 / 1
  • 31. Abstract operations Concrete: Abstract: 0 1 t + 1 n − t above · · · I0 I1I0 I1 It+1 In−t Concrete t + 1 ≤ x is abstracted as x = It+1 ∨ x = In−t. Concrete x = x + 1, is abstracted as: x = I0 ∧ x = I1 ∨x = I1 ∧ (x = I1 ∨ x = It+1) . . . Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 16 / 1
  • 32. Abstract operations Concrete: Abstract: 0 1 t + 1 n − t above · · · I0 I1I0 I1 It+1 In−t Concrete t + 1 ≤ x is abstracted as x = It+1 ∨ x = In−t. Concrete x = x + 1, is abstracted as: x = I0 ∧ x = I1 ∨x = I1 ∧ (x = I1 ∨ x = It+1) ∨x = It+1 ∧ (x = It+1 ∨ x = In−t) . . . Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 16 / 1
  • 33. Abstract operations Concrete: Abstract: 0 1 t + 1 n − t above · · · I0 I1I0 I1 It+1 In−t Concrete t + 1 ≤ x is abstracted as x = It+1 ∨ x = In−t. Concrete x = x + 1, is abstracted as: x = I0 ∧ x = I1 ∨x = I1 ∧ (x = I1 ∨ x = It+1) ∨x = It+1 ∧ (x = It+1 ∨ x = In−t) ∨x = In−t ∧ x = In−t Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 16 / 1
  • 34. Abstract operations Concrete: Abstract: 0 1 t + 1 n − t above · · · I0 I1 Concrete t + 1 ≤ x is abstracted as x = It+1 ∨ x = In−t. Concrete x = x + 1, is abstracted as: x = I0 ∧ x = I1 ∨x = I1 ∧ (x = I1 ∨ x = It+1) ∨x = It+1 ∧ (x = It+1 ∨ x = In−t) ∨x = In−t ∧ x = In−t abstract increase may keep the same value! Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 16 / 1
  • 35. Abstract CFA qI q0 q1 q2 q3 sv = V1 ¬(sv = V1) inc nsnt sv := SE q4 q5 q6 q7 nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f ) ¬(t + 1 ≤ nrcvd) t + 1 ≤ nrcvd sv = V0 ¬(sv = V0) inc nsnt n − t ≤ nrcvd ¬(n − t ≤ nrcvd) sv := AC Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 17 / 1
  • 36. Abstract CFA qI q0 q1 q2 q3 sv = V1 ¬(sv = V1) inc nsnt sv := SE q4 q5 q6 q7 nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f ) ¬(t + 1 ≤ nrcvd) t + 1 ≤ nrcvd sv = V0 ¬(sv = V0) inc nsnt n − t ≤ nrcvd ¬(n − t ≤ nrcvd) sv := AC qI q0 q1 q2 q3 sv = V1 ¬(sv = V1) inc nsnt sv := SE q4 q5 q6 q7 nrcvd = I0 ∧ nsnt = I0 ∧ (nrcvd = I0 ∨ nrcvd = I1) ∨ . . . ¬(t + 1 ≤ nrcvd) nrcvd = It+1 ∨ nrcvd = In−t sv = V0 ¬(sv = V0) nsnt = I1 ∧ (nsnt = I1 ∨ nsnt = It+1) ∨ . . . n − t ≤ nrcvd ¬(n − t ≤ nrcvd) sv := AC Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 17 / 1
  • 37. Abstraction overview Parameterized family M(n, t, f ) = P(n, t, f ) · · · P(n, t, f ) N(n,t,f ) processes : n > 3t, t ≥ f , f ≥ 0} extract Parametric Interval Domain D parametric interval data abstraction Uniform parameterized family ˆM(n, t, f ) = ˆP · · · ˆP N(n,t,f ) processes : n > 3t, t ≥ f , f ≥ 0} P does not depend on n, t, f P simulates P(n, t, f ) change representation Counter representation parametric interval counter abstraction one abstract system A that simulates for every n, t, f the behavior of M(n, t, f ) Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 18 / 1
  • 38. Counter abstraction Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 19 / 1
  • 39. Classic (0, 1, ∞)-counter abstraction Pnueli, Xu, and Zuck (2001) introduced (0, 1, ∞)-counter abstraction: finitely many local states, e.g., {N, T, C}. based on counter representation: for each local states count how many processes are in it Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 20 / 1
  • 40. Classic (0, 1, ∞)-counter abstraction Pnueli, Xu, and Zuck (2001) introduced (0, 1, ∞)-counter abstraction: finitely many local states, e.g., {N, T, C}. based on counter representation: for each local states count how many processes are in it abstract the number of processes in every state, e.g., K : C → 0, T → 1, N → “many”. perfectly reflects mutual exclusion properties e.g., G (K(C) = 0 ∨ K(C) = 1). Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 20 / 1
  • 41. Limits of (0, 1, ∞)-counter abstraction Our parametric data + counter abstraction: we require finer counting of processes: t + 1 processes in a specific state can force global progress, t processes cannot mapping t, t + 1, and n − t to “many” is too coarse. Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 21 / 1
  • 42. Limits of (0, 1, ∞)-counter abstraction Our parametric data + counter abstraction: we require finer counting of processes: t + 1 processes in a specific state can force global progress, t processes cannot mapping t, t + 1, and n − t to “many” is too coarse. starting point of our approach... Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 21 / 1
  • 43. Data + counter abstraction over parametric intervals n = 6, t = 1, f = 1 t + 1 = 2, n − t = 5 nr. processes (counters) received received sent accepted • 0 • 0 • 1 • 1 • 2 • 2 • 3 • 3 • 4 • 4 • 5 • 5 • 6 • 6 •0 •1 •2 •3 •4 •5 •6 • Local state is (sv, nrcvd), where sv ∈ {sent, accepted} and 0 ≤ rcvd ≤ n 3 processes at (sent, received=3) 1 process at (accepted, received=5) Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 22 / 1
  • 44. Data + counter abstraction over parametric intervals n = 6, t = 1, f = 1 t + 1 = 2, n − t = 5 nr. processes (counters) received received sent accepted • 0 • 0 • 1 • 1 • 2 • 2 • 3 • 3 • 4 • 4 • 5 • 5 • 6 • 6 •0 •1 •2 •3 •4 •5 •6 • Local state is (sv, nrcvd), where sv ∈ {sent, accepted} and 0 ≤ rcvd ≤ n Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 22 / 1
  • 45. Data + counter abstraction over parametric intervals n = 6, t = 1, f = 1 t + 1 = 2, n − t = 5 nr. processes (counters) received received sent accepted • 0 • 0 • 1 • 1 • 2 • 2 • 3 • 3 • 4 • 4 • 5 • 5 • 6 • 6 •0 •1 •2 •3 •4 •5 •6 • Local state is (sv, nrcvd), where sv ∈ {sent, accepted} and 0 ≤ rcvd ≤ n Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 22 / 1
  • 46. Data + counter abstraction over parametric intervals XXXXXXn = 6, XXXXXXt = 1, XXXXXXf = 1 n 3 · t ∧ t ≥ f Parametricintervals: I0 = [0, 1) I1 = [1, t + 1) It+1 = [t + 1, n − t) In−t = [n − t, ∞) nr. processes (counters) received received sent accepted • • • • I0 I1 It+1 In−t • • • • I0 I1 It+1 In−t • • • • I0 I1 It+1 In−t A local state is (sv, nrcvd), where sv ∈ {sent, accepted} and nrcvd ∈ {I0, I1, It+1, In−t} Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 22 / 1
  • 47. Data + counter abstraction over parametric intervals n 3 · t ∧ t ≥ f Parametricintervals: I0 = [0, 1) I1 = [1, t + 1) It+1 = [t + 1, n − t) In−t = [n − t, ∞) nr. processes (counters) received received sent accepted • • • • I0 I1 It+1 In−t • • • • I0 I1 It+1 In−t • • • • I0 I1 It+1 In−t when all correct processes accepted, all non-zero counters are in this area A local state is (sv, nrcvd), where sv ∈ {sent, accepted} and nrcvd ∈ {I0, I1, It+1, In−t} Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 22 / 1
  • 48. Abstraction refinement Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 23 / 1
  • 49. Spurious behavior abstraction adds behaviors (e.g., x’=x+1 may lead to x’ being equal to x) Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 24 / 1
  • 50. Spurious behavior abstraction adds behaviors (e.g., x’=x+1 may lead to x’ being equal to x) ⇒ specs that hold in concrete system may be violated in abstract system spurious counterexamples we have to reduce the behaviors of the abstract system make it more concrete . . . based on the counterexamples = CEGAR Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 24 / 1
  • 51. Spurious behavior abstraction adds behaviors (e.g., x’=x+1 may lead to x’ being equal to x) ⇒ specs that hold in concrete system may be violated in abstract system spurious counterexamples we have to reduce the behaviors of the abstract system make it more concrete . . . based on the counterexamples = CEGAR Three sources of spurious behavior # processes decreasing or increasing # messages sent = # processes which have sent a message unfair loops Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 24 / 1
  • 52. Spurious behavior abstraction adds behaviors (e.g., x’=x+1 may lead to x’ being equal to x) ⇒ specs that hold in concrete system may be violated in abstract system spurious counterexamples we have to reduce the behaviors of the abstract system make it more concrete . . . based on the counterexamples = CEGAR Three sources of spurious behavior # processes decreasing or increasing # messages sent = # processes which have sent a message unfair loops . . . and a new abstraction phenomenon Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 24 / 1
  • 53. Parametric abst. refinement — uniformly spurious paths Classic case: Concrete Abstract Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 25 / 1
  • 54. Parametric abst. refinement — uniformly spurious paths Classic case: Concrete Abstract Our case: Concrete n2 , t2 , f2 Concrete n1 , t1 , f1 Abstract ··· ··· Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 25 / 1
  • 55. CEGAR — automated workflow Model Checking Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 26 / 1
  • 56. CEGAR — automated workflow Model Checking correct Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 26 / 1
  • 57. CEGAR — automated workflow Model Checking correct Abstraction refinement using SMT counterexample Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 26 / 1
  • 58. CEGAR — automated workflow Model Checking correct Abstraction refinement using SMT counterexample CE feasible: bug Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 26 / 1
  • 59. CEGAR — automated workflow Model Checking correct Abstraction refinement using SMT counterexample CE feasible: bug CE spurious: refined abstraction Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 26 / 1
  • 60. What is SMT? recall SAT: given a Boolean formula, e.g., (¬a ∨ ¬b ∨ c) ∧ (¬a ∨ b ∨ d ∨ e) is there an assignment of true and false to variables a, b, c, d, e such that the formula evaluates to true? Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 27 / 1
  • 61. What is SMT? recall SAT: given a Boolean formula, e.g., (¬a ∨ ¬b ∨ c) ∧ (¬a ∨ b ∨ d ∨ e) is there an assignment of true and false to variables a, b, c, d, e such that the formula evaluates to true? Satisfiability Modulo Theories (SMT) : here just linear arithmetics given a formula, e.g., x = y ∧ y = z ∧ u = x ∧ (x + y ≤ 1 ∧ 2x + y = 1) ∨ 3x + 2y ≥ 3 is there an assignment of values to u, x, y, z such that formula evaluates to true? practically efficient tools: Yices, Z3 Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 27 / 1
  • 62. Counter example: losing processes Output of data abstraction: 16 local states: L = {(sv, ˆnrcvd) with sv ∈ {v0, v1, sent, accepted} and ˆrcvd ∈ {I0, I1, It+1, In−t}} An abstract global state is (ˆk, ˆnsnt), where ˆnsnt ∈ {I0, I1, It+1, In−t} and ˆk : L → {I0, I1, It+1, In−t} Consider an abstract trace: ˆnsnt1 = I0 ˆk1( ) =   In−t , if = (v1, I0) I0, otherwise ˆnsnt2 = I1 ˆk2( ) =   In−t , if = (v1, I0) I1, if = (sent, I0) I0, otherwise ˆnsnt3 = It+1 ˆk3( ) =   In−t , if = (v1, I0) It+1, if = (sent, I0) I0, otherwise Encode the last state in SMT as a conjunction T of the constraints: resilience condition n 3t ∧ t ≥ f ∧ f ≥ 0 zero counters (i = 4 ∧ i = 8) → 0 ≤ k3[i] 1 non-zero counters n − t ≤ k3[4] ∧ t + 1 ≤ k3[8] n − t system size n − f = k3[0] + k3[1] + · · · + k3[15] UNSAT Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 28 / 1
  • 63. Remove transitions We ask the SMT solver: is there a satisfiable assignment for T? if yes, then the state is OK, may be part of a real counterexample if not, then the state is spurious remove transitions to that state in the abstract system Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 29 / 1
  • 64. Liveness distributed algorithm requires reliable communication every message sent is eventually received ¬in transit ≡ [∀i. nrcvdi ≥ nsnt] fairness F G ¬in transit necessary to verify liveness, e.g., F G ¬in transit → G ([∀i. svi = v1] → F [∀i. svi = accept]) Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 30 / 1
  • 65. Liveness distributed algorithm requires reliable communication every message sent is eventually received ¬in transit ≡ [∀i. nrcvdi ≥ nsnt] fairness F G ¬in transit necessary to verify liveness, e.g., F G ¬in transit → G ([∀i. svi = v1] → F [∀i. svi = accept]) counter example (lasso): ¬in transit ¬in transit ¬in transit ¬in transit ¬in transit ¬in transit ¬in transit s1 ¬in transit s2 sk s3 · · · · · · · · · Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 30 / 1
  • 66. Liveness — fairness suppression ¬in transit ¬in transit ¬in transit ¬in transit ¬in transit ¬in transit ¬in transit s1 ¬in transit s2 sk s3 · · · · · · · · · if there is a spurious sj (all its concretizations violate ¬in transit), then the loop is spurious. Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 31 / 1
  • 67. Liveness — fairness suppression ¬in transit ¬in transit ¬in transit ¬in transit ¬in transit ¬in transit ¬in transit s1 ¬in transit s2 sk s3 · · · · · · · · · if there is a spurious sj (all its concretizations violate ¬in transit), then the loop is spurious. refine fairness to F G ¬in transit ∧ G F 1≤j≤k “out of sj Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 31 / 1
  • 68. Liveness — fairness suppression ¬in transit ¬in transit ¬in transit ¬in transit ¬in transit ¬in transit ¬in transit s1 ¬in transit s2 sk s3 · · · · · · · · · if there is a spurious sj (all its concretizations violate ¬in transit), then the loop is spurious. refine fairness to F G ¬in transit ∧ G F 1≤j≤k “out of sj Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 31 / 1
  • 69. experimental evaluation Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 32 / 1
  • 70. Concrete vs. parameterized (Byzantine case) Time to check relay (sec, logscale) Memory to check relay (MB, logscale) Parameterized model checking performs well (the red line). Experiments for fixed parameters quickly degrade (n = 9 runs out of memory). We found counter-examples for the cases n = 3t and f t, where the resilience condition is violated. Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 33 / 1
  • 71. Experimental results at a glance Algorithm Fault Resilience Property Valid? #Refinements Time ST87 Byz n 3t U 0 4 sec. ST87 Byz n 3t C 10 32 sec. ST87 Byz n 3t R 10 24 sec. ST87 Symm n 2t U 0 1 sec. ST87 Symm n 2t C 2 3 sec. ST87 Symm n 2t R 12 16 sec. ST87 Omit n 2t U 0 1 sec. ST87 Omit n 2t C 5 6 sec. ST87 Omit n 2t R 5 10 sec. ST87 Clean n t U 0 2 sec. ST87 Clean n t C 4 8 sec. ST87 Clean n t R 13 31 sec. CT96 Clean n t U 0 1 sec. CT96 Clean n t A 0 1 sec. CT96 Clean n t R 0 1 sec. CT96 Clean n t C 0 1 sec. Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 34 / 1
  • 72. When resilience condition is wrong... Algorithm Fault Resilience Property Valid? #Refinements Time ST87 Byz n 3t ∧ f ≤ t+1 U 9 56 sec. ST87 Byz n 3t ∧ f ≤ t+1 C 11 52 sec. ST87 Byz n 3t ∧ f ≤ t+1 R 10 17 sec. ST87 Byz n ≥ 3t ∧ f ≤ t U 0 5 sec. ST87 Byz n ≥ 3t ∧ f ≤ t C 9 32 sec. ST87 Byz n ≥ 3t ∧ f ≤ t R 30 78 sec. ST87 Symm n 2t ∧ f ≤ t+1 U 0 2 sec. ST87 Symm n 2t ∧ f ≤ t+1 C 2 4 sec. ST87 Symm n 2t ∧ f ≤ t+1 R 8 12 sec. ST87 Omit n ≥ 2t ∧ f ≤ t U 0 1 sec. ST87 Omit n ≥ 2t ∧ f ≤ t C 0 2 sec. ST87 Omit n ≥ 2t ∧ f ≤ t R 0 2 sec. Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 35 / 1
  • 73. Summary of results Abstraction tailored for distributed algorithms threshold-based fault-tolerant allows to express different fault assumptions Verification of threshold-based fault-tolerant algorithms with threshold guards that are widely used Byzantine faults (and other) for all system sizes Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 36 / 1
  • 74. Related work: non-parameterized Model checking of the small size instances: clock synchronization [Steiner, Rushby, Sorea, Pfeifer 2004] consensus [Tsuchiya, Schiper 2011] asynchronous agreement, folklore broadcast, condition-based consensus [John, Konnov, Schmid, Veith, Widder 2013] and more... Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 37 / 1
  • 75. Related work: parameterized case Regular model checking of fault-tolerant distributed protocols: [Fisman, Kupferman, Lustig 2008] “First-shot” theoretical framework. No guards like x ≥ t + 1, only x ≥ 1. No implementation. Manual analysis applied to folklore broadcast (crash faults). Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 38 / 1
  • 76. Related work: parameterized case Regular model checking of fault-tolerant distributed protocols: [Fisman, Kupferman, Lustig 2008] “First-shot” theoretical framework. No guards like x ≥ t + 1, only x ≥ 1. No implementation. Manual analysis applied to folklore broadcast (crash faults). Backward reachability using SMT with arrays: [Alberti, Ghilardi, Pagani, Ranise, Rossi 2010-2012] Implementation. Experiments on Chandra-Toueg 1990. No resilience conditions like n 3t. Safety only. Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 38 / 1
  • 77. Our current work Discrete synchronous Discrete partially synchronous Discrete asynchronous Continuous synchronous Continuous partially synchronous One instance/ finite payload Many inst./ finite payload Many inst./ unbounded payload Messages with reals core of {ST87, BT87, CT96}, MA06 (common), MR04 (binary) one-shot broadcast, c.b.consensus Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 39 / 1
  • 78. Future work: threshold guards + orthogonal features Discrete synchronous Discrete partially synchronous Discrete asynchronous Continuous synchronous Continuous partially synchronous One instance/ finite payload Many inst./ finite payload Many inst./ unbounded payload Messages with reals core of {ST87, BT87, CT96}, MA06 (common), MR04 (binary) one-shot broadcast, c.b.consensus DHM12 ST87 AK00 CT96 (failure detector) DLS86, MA06, L98 (Paxos) ST87, BT87, CT96, DAs with failure-detectors DLPSW86 DFLPS13 WS07 ST87 (JACM) FSFK06 WS09 clock sync broadcast approx. agreement Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 39 / 1
  • 79. Thank you! http://forsyte.at/software/bymc Doctoral College: Vienna, Graz, Linz http://logic-cs.at Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 40 / 1
  • 80. the implementation Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 41 / 1
  • 81. Tool Chain: ByMC Parametric Promela code static analysis + Yices Parametric Interval Domain D Parametric data abstraction with Yices Parametric Promela code Parametric counter ab- straction with Yices normal Promela code Spin property holds counterexample Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 42 / 1
  • 82. Tool Chain: ByMC Parametric Promela code static analysis + Yices Parametric Interval Domain D Parametric data abstraction with Yices Parametric Promela code Parametric counter ab- straction with Yices normal Promela code Spin property holds counterexample Refine Concrete counter representation (VASS) SMT formula Yices counterexample feasible unsat sat Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 42 / 1
  • 83. Tool Chain: ByMC Parametric Promela code static analysis + Yices Parametric Interval Domain D Parametric data abstraction with Yices Parametric Promela code Parametric counter ab- straction with Yices normal Promela code Spin property holds counterexample Refine Concrete counter representation (VASS) SMT formula Yices counterexample feasible invariant candidates (by the user) unsat sat Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 42 / 1
  • 84. Experimental setup The tool (source code in OCaml), the code of the distributed algorithms in Parametric Promela, and a virtual machine with full setup are available at: http://forsyte.at/software/bymc Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 43 / 1
  • 85. Running the tool — concrete case user specifies parameter value useful to check whether the code behaves as expected $bymc/verifyco-spin N=4,T=1,F=1 bcast-byz.pml relay model checking problem in directory “./x/spin-bcast-byz-relay-N=4,T=1,F=1” in concrete.prm parameters are replaced by numbers process prototype is replaced with N − F = 3 active processes Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 44 / 1
  • 86. Running the tool — parameterized model checking PIA data and counter abstraction finite-state model checking on abstract model $bymc/verifypa-spin bcast-omit.pml relay model checking problem in directory “./x/bcast-byz-relay-yymmdd-HHMM.*” directory contains abs-interval.prm: result of the data abstraction; abs-counter.prm: result of the counter abstraction; abs-vass.prm: auxiliary abstraction for abstraction refinement; mc.out: the last output by Spin; cex.trace: the counterexample (if there is one); yices.log: communication log with Yices. Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 45 / 1
  • 87. Fairness, Refinement, and Invariants In the Byzantine case we have in transit : ∀i. (nrcvdi ≥ nsnt) and G F ¬in transit. In this case communication fairness implies computation fairness. But in the abstract version nsnt can deviate from the number of processes who sent the echo message. In this case the user formulates a simple state invariant candidate, e.g., nsnt = K([sv = SE ∨ sv = AC]) (on the level of the original concrete system). The tool checks automatically, whether the candidate is actually a state invariant. After the abstraction the abstract version of the invariant restricts the behavior of the abstract transition system. Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 46 / 1
  • 88. Parametric abstraction refinement — justice suppression justice G F ¬in transit necessary to verify liveness Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 47 / 1
  • 89. Parametric abstraction refinement — justice suppression justice G F ¬in transit necessary to verify liveness counter example: in transit in transit in transit in transit in transit in transit in transit s1 in transit s2 sk s3 · · · · · · · · · if ∀j all concretizations of sj violate ¬in transit, then CE is spurious. Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 47 / 1
  • 90. Parametric abstraction refinement — justice suppression justice G F ¬in transit necessary to verify liveness counter example: in transit in transit in transit in transit in transit in transit in transit s1 in transit s2 sk s3 · · · · · · · · · if ∀j all concretizations of sj violate ¬in transit, then CE is spurious. refine justice to G F ¬in transit ∧ G F 1≤j≤k ¬at(sj ) Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 47 / 1
  • 91. Parametric abstraction refinement — justice suppression justice G F ¬in transit necessary to verify liveness counter example: in transit in transit in transit in transit in transit in transit in transit s1 in transit s2 sk s3 · · · · · · · · · if ∀j all concretizations of sj violate ¬in transit, then CE is spurious. refine justice to G F ¬in transit ∧ G F 1≤j≤k ¬at(sj ) . . . we use unsat cores to refine several loops at once Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 47 / 1
  • 92. Parametric abstraction refinement — justice suppression justice G F ¬in transit necessary to verify liveness Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 48 / 1
  • 93. Parametric abstraction refinement — justice suppression justice G F ¬in transit necessary to verify liveness counter example: in transit in transit in transit in transit in transit in transit in transit s1 in transit s2 sk s3 · · · · · · · · · if ∀j all concretizations of sj violate ¬in transit, then CE is spurious. Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 48 / 1
  • 94. Parametric abstraction refinement — justice suppression justice G F ¬in transit necessary to verify liveness counter example: in transit in transit in transit in transit in transit in transit in transit s1 in transit s2 sk s3 · · · · · · · · · if ∀j all concretizations of sj violate ¬in transit, then CE is spurious. refine justice to G F ¬in transit ∧ G F 1≤j≤k ¬at(sj ) Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 48 / 1
  • 95. Parametric abstraction refinement — justice suppression justice G F ¬in transit necessary to verify liveness counter example: in transit in transit in transit in transit in transit in transit in transit s1 in transit s2 sk s3 · · · · · · · · · if ∀j all concretizations of sj violate ¬in transit, then CE is spurious. refine justice to G F ¬in transit ∧ G F 1≤j≤k ¬at(sj ) . . . we use unsat cores to refine several loops at once Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 48 / 1
  • 96. asynchronous reliable broadcast (srikanth toueg 1987) the core of the classic broadcast algorithm from the da literature. it solves an agreement problem depending on the inputs vi . Variables of process i vi : {0 , 1} init with 0 or 1 accepti : {0 , 1} init with 0 An indivisible step: i f vi = 1 then send ( echo ) to all ; i f received (echo) from at l e a s t t + 1 distinct processes and not sent ( echo ) before then send ( echo ) to all ; i f received ( echo ) from at l e a s t n - t distinct processes then accepti := 1; Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 49 / 1
  • 97. asynchronous reliable broadcast (srikanth toueg 1987) the core of the classic broadcast algorithm from the da literature. it solves an agreement problem depending on the inputs vi . Variables of process i vi : {0 , 1} init with 0 or 1 accepti : {0 , 1} init with 0 An indivisible step: i f vi = 1 then send ( echo ) to all ; i f received (echo) from at l e a s t t + 1 distinct processes and not sent ( echo ) before then send ( echo ) to all ; i f received ( echo ) from at l e a s t n - t distinct processes then accepti := 1; asynchronous t byzantine faults correct if n 3t resilience condition rc parameterized process skeleton p(n, t) Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 49 / 1
  • 98. Abstract CFA qI q0 q1 q2 q3 sv = V1 ¬(sv = V1) inc nsnt sv := SE q4 q5 q6 q7 nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f ) ¬(t + 1 ≤ nrcvd) t + 1 ≤ nrcvd sv = V0 ¬(sv = V0) inc nsnt n − t ≤ nrcvd ¬(n − t ≤ nrcvd) sv := AC Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 50 / 1
  • 99. Abstract CFA qI q0 q1 q2 q3 sv = V1 ¬(sv = V1) inc nsnt sv := SE q4 q5 q6 q7 nrcvd := z where (nrcvd ≤ z ∧ z ≤ nsnt + f ) ¬(t + 1 ≤ nrcvd) t + 1 ≤ nrcvd sv = V0 ¬(sv = V0) inc nsnt n − t ≤ nrcvd ¬(n − t ≤ nrcvd) sv := AC qI q0 q1 q2 q3 sv = V1 ¬(sv = V1) inc nsnt sv := SE q4 q5 q6 q7 nrcvd = I0 ∧ nsnt = I0 ∧ (nrcvd = I0 ∨ nrcvd = I1) ∨ . . . ¬(t + 1 ≤ nrcvd) nrcvd = It+1 ∨ nrcvd = In−t sv = V0 ¬(sv = V0) nsnt = I1 ∧ (nsnt = I1 ∨ nsnt = It+1) ∨ . . . n − t ≤ nrcvd ¬(n − t ≤ nrcvd) sv := AC Igor Konnov (www.forsyte.at) Checking Fault-Tolerant Distributed Algos TMPA’14, Nov. 2014 50 / 1