Abstract
Distributed systems play a crucial role in modern infrastructure, but are notoriously difficult to implement correctly. This difficulty arises from two main challenges: (a) correctly implementing core system components (e.g., two-phase commit), so all their internal invariants hold, and (b) correctly composing standalone system components into functioning trustworthy applications (e.g., persistent storage built on top of a two-phase commit instance). Recent work has developed several approaches for addressing (a) by means of mechanically verifying implementations of core distributed components, but no methodology exists to address (b) by composing such verified components into larger verified applications. As a result, expensive verification efforts for key system components are not easily reusable, which hinders further verification efforts.
In this paper, we present Disel, the first framework for implementation and compositional verification of distributed systems and their clients, all within the mechanized, foundational context of the Coq proof assistant. In Disel, users implement distributed systems using a domain specific language shallowly embedded in Coq and providing both high-level programming constructs as well as low-level communication primitives. Components of composite systems are specified in Disel as protocols, which capture system-specific logic and disentangle system definitions from implementation details. By virtue of Disel's dependent type system, well-typed implementations always satisfy their protocols' invariants and never go wrong, allowing users to verify system implementations interactively using Disel's Hoare-style program logic, which extends state-of-the-art techniques for concurrency verification to the distributed setting. By virtue of the substitution principle and frame rule provided by Disel's logic, system components can be composed leading to modular, reusable verified distributed systems.
We describe Disel, illustrate its use with a series of examples, outline its logic and metatheory, and report on our experience using it as a framework for implementing, specifying, and verifying distributed systems.
Supplemental Material
Available for Download
Disel - Distributed Separation Logic Implementation and case studies of Disel, a separation-style logic for compositional verification of distributed systems. This code accompanies the paper entitled Programming and Proving with Distributed Protocols by Ilya Sergey, James R. Wilcox and Zachary Tatlock, accepted for publication at POPL 2018. Building Requirements * Coq 8.7 (available from https://coq.inria.fr/download) * Mathematical Components 1.6.2 (http://math-comp.github.io/math-comp/) * OCaml 4.05.0 or later (to compile and run the extracted applications)
- Martín Abadi and Leslie Lamport. 1988. The Existence of Refinement Mappings. In LICS. IEEE Computer Society, 165–175. Google ScholarCross Ref
- Mustaque Ahamad, Gil Neiger, James E. Burns, Prince Kohli, and Phillip W. Hutto. 1995. Causal Memory: Definitions, Implementation, and Programming. Distributed Computing 9, 1 (1995), 37–49. Google ScholarDigital Library
- Andrew W. Appel. 2001. Foundational Proof-Carrying Code. In LICS. IEEE Computer Society, 247–256. Google ScholarCross Ref
- Andrew W. Appel, Robert Dockins, Aquinas Hobor, Lennart Beringer, Josiah Dodds, Gordon Stewart, Sandrine Blazy, and Xavier Leroy. 2014. Program Logics for Certified Compilers. Cambridge University Press. Google ScholarCross Ref
- Romain Boichat, Partha Dutta, Svend Frølund, and Rachid Guerraoui. 2003. Deconstructing paxos. SIGACT News 34, 1 (2003), 47–67. Google ScholarDigital Library
- Stephen Brookes. 2007. A semantics for concurrent separation logic. Th. Comp. Sci. 375, 1-3 (2007). Google ScholarDigital Library
- Adam Chlipala. 2011. Mostly-automated verification of low-level programs in computational separation logic. In PLDI. ACM, 234–245. Google ScholarDigital Library
- Coq Development Team. 2017. The Coq Proof Assistant Reference Manual - Version 8.6.Google Scholar
- Pierre-Malo Deniélou and Nobuko Yoshida. 2011. Dynamic multirole session types. In POPL. ACM, 435–446. Google ScholarDigital Library
- Thomas Dinsdale-Young, Mike Dodds, Philippa Gardner, Matthew J. Parkinson, and Viktor Vafeiadis. 2010. Concurrent Abstract Predicates. In ECOOP (LNCS), Vol. 6183. Springer, 504–528. Google ScholarCross Ref
- Cezara Dragoi, Thomas A. Henzinger, and Damien Zufferey. 2016. PSync: a partially synchronous language for fault-tolerant distributed algorithms. In POPL. ACM, 400–415. Google ScholarDigital Library
- Tzilla Elrad and Nissim Francez. 1982. Decomposition of Distributed Programs into Communication-Closed Layers. Sci. Comput. Program. 2, 3 (1982), 155–173. Google ScholarCross Ref
- Xinyu Feng. 2009. Local rely-guarantee reasoning. In POPL. ACM, 315–327. Google ScholarDigital Library
- Xinyu Feng, Rodrigo Ferreira, and Zhong Shao. 2007. On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning. In ESOP (LNCS), Vol. 4421. Springer, 173–188. Google ScholarCross Ref
- Georges Gonthier, Assia Mahboubi, and Enrico Tassi. 2009. A Small Scale Reflection Extension for the Coq system. Technical Report 6455. Microsoft Research – Inria Joint Centre.Google Scholar
- Ronghui Gu, Jérémie Koenig, Tahina Ramananandro, Zhong Shao, Xiongnan Wu, Shu-Chun Weng, Haozhong Zhang, and Yu Guo. 2015. Deep Specifications and Certified Abstraction Layers. In POPL. ACM, 595–608. Google ScholarDigital Library
- Ronghui Gu, Zhong Shao, Hao Chen, Xiongnan (Newman) Wu, Jieung Kim, Vilhelm Sjöberg, and David Costanzo. 2016. CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels. In OSDI. USENIX Association, 653–669.Google Scholar
- Chris Hawblitzel, Jon Howell, Manos Kapritsos, Jacob R. Lorch, Bryan Parno, Michael L. Roberts, Srinath T. V. Setty, and Brian Zill. 2015. IronFleet: proving practical distributed systems correct. In SOSP. ACM, 1–17. Google ScholarDigital Library
- Maurice Herlihy and Jeannette M. Wing. 1990. Linearizability: A Correctness Condition for Concurrent Objects. ACM Trans. Program. Lang. Syst. 12, 3 (1990), 463–492. Google ScholarDigital Library
- Kohei Honda, Vasco Thudichum Vasconcelos, and Makoto Kubo. 1998. Language Primitives and Type Discipline for Structured Communication-Based Programming. In ESOP (LNCS), Vol. 1381. Springer, 122–138. Google ScholarCross Ref
- Kohei Honda, Nobuko Yoshida, and Marco Carbone. 2008. Multiparty asynchronous session types. In POPL. ACM, 273–284. Google ScholarDigital Library
- Cliff B. Jones. 1983. Tentative Steps Toward a Development Method for Interfering Programs. ACM Trans. Program. Lang. Syst. 5, 4 (1983), 596–619. Google ScholarDigital Library
- Ralf Jung, Robbert Krebbers, Lars Birkedal, and Derek Dreyer. 2016. Higher-order ghost state. In ICFP. ACM, 256–269. Google ScholarDigital Library
- Ralf Jung, David Swasey, Filip Sieczkowski, Kasper Svendsen, Aaron Turon, Lars Birkedal, and Derek Dreyer. 2015. Iris: Monoids and Invariants as an Orthogonal Basis for Concurrent Reasoning. In POPL. ACM, 637–650. Google ScholarDigital Library
- Charles Edwin Killian, James W. Anderson, Ryan Braud, Ranjit Jhala, and Amin M. Vahdat. 2007. Mace: Language Support for Building Distributed Systems. In PLDI. ACM, 179–188. Google ScholarDigital Library
- Gerwin Klein, June Andronick, Kevin Elphinstone, Gernot Heiser, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, and Simon Winwood. 2010. seL4: formal verification of an operating-system kernel. Commun. ACM 53, 6 (2010), 107–115. Google ScholarDigital Library
- Thomas Kleymann. 1999. Hoare Logic and Auxiliary Variables. Formal Asp. Comput. 11, 5 (1999), 541–566.Google ScholarCross Ref
- Ramana Kumar, Magnus O. Myreen, Michael Norrish, and Scott Owens. 2014. CakeML: a verified implementation of ML. In POPL . ACM, 179–192. Google ScholarDigital Library
- Leslie Lamport. 1978. The Implementation of Reliable Distributed Multiprocess Systems. Computer Networks 2 (1978), 95–114. Google ScholarCross Ref
- Leslie Lamport. 1998a. Composition: A Way to Make Proofs Harder. In Compositionality: The Significant Difference, International Symposium (LNCS) , Vol. 1536. Springer, 402–423. Google ScholarCross Ref
- Leslie Lamport. 1998b. The Part-Time Parliament. ACM Trans. Comput. Syst. 16, 2 (1998), 133–169. Google ScholarDigital Library
- K. Rustan M. Leino. 2010. Dafny: An Automatic Program Verifier for Functional Correctness. In LPAR (LNCS), Vol. 6355. Springer, 348–370.Google ScholarDigital Library
- Mohsen Lesani, Christian J. Bell, and Adam Chlipala. 2016. Chapar: certified causally consistent distributed key-value stores. In POPL. ACM, 357–370. Google ScholarDigital Library
- Ruy Ley-Wild and Aleksandar Nanevski. 2013. Subjective auxiliary state for coarse-grained concurrency. In POPL. ACM, 561–574. Google ScholarDigital Library
- Hongjin Liang and Xinyu Feng. 2016. A program logic for concurrent objects under fair scheduling. In POPL. ACM, 385–399. Google ScholarDigital Library
- Richard J. Lipton. 1975. Reduction: A Method of Proving Properties of Parallel Programs. Commun. ACM 18, 12 (1975), 717–721. Google ScholarDigital Library
- Yanhong A. Liu, Scott D. Stoller, Bo Lin, and Michael Gorbovitski. 2012. From Clarity to Efficiency for Distributed Algorithms. In OOPSLA. ACM, New York, NY, USA, 395–410. Google ScholarDigital Library
- Nancy A. Lynch and Frits W. Vaandrager. 1995. Forward and Backward Simulations: I. Untimed Systems. Inf. Comput. 121, 2 (1995), 214–233. Google ScholarDigital Library
- Assia Mahboubi and Enrico Tassi. 2017. Mathematical Components. Available at https://math-comp.github.io/mcb .Google Scholar
- Aleksandar Nanevski, Ruy Ley-Wild, Ilya Sergey, and Germán Andrés Delbianco. 2014. Communicating State Transition Systems for Fine-Grained Concurrent Resources. In ESOP (LNCS), Vol. 8410. Springer, 290–310. Google ScholarDigital Library
- Aleksandar Nanevski, Greg Morrisett, and Lars Birkedal. 2006. Polymorphism and separation in Hoare Type Theory. In ICFP . ACM, 62–73. Google ScholarDigital Library
- Aleksandar Nanevski, Greg Morrisett, Avi Shinnar, Paul Govereau, and Lars Birkedal. 2008. Ynot: Dependent Types for Imperative Programs. In ICFP. ACM Press, 229–240. Google ScholarDigital Library
- Aleksandar Nanevski, Viktor Vafeiadis, and Josh Berdine. 2010. Structuring the verification of heap-manipulating programs. In POPL. ACM, 261–274. Google ScholarDigital Library
- Chris Newcombe, Tim Rath, Fan Zhang, Bogdan Munteanu, Marc Brooker, and Michael Deardeuff. 2015. How Amazon web services uses formal methods. Commun. ACM 58, 4 (2015), 66–73. Google ScholarDigital Library
- Gian Ntzik, Pedro da Rocha Pinto, and Philippa Gardner. 2015. Fault-Tolerant Resource Reasoning. In APLAS (LNCS), Vol. 9458. Springer, 169–188. Google ScholarCross Ref
- Peter W. O’Hearn. 2007. Resources, concurrency, and local reasoning. Th. Comp. Sci. 375, 1-3 (2007), 271–307.Google ScholarDigital Library
- Diego Ongaro and John K. Ousterhout. 2014. In Search of an Understandable Consensus Algorithm. In 2014 USENIX Annual Technical Conference . 305–319.Google Scholar
- Oded Padon, Giuliano Losa, Mooly Sagiv, and Sharon Shoham. 2017. Paxos made EPR: decidable reasoning about distributed protocols. PACMPL 1, OOPSLA (2017), 108:1–108:31.Google ScholarDigital Library
- Oded Padon, Kenneth L. McMillan, Aurojit Panda, Mooly Sagiv, and Sharon Shoham. 2016. Ivy: safety verification by interactive generalization. In PLDI. ACM, 614–630. Google ScholarDigital Library
- Azalea Raad, Jules Villard, and Philippa Gardner. 2015. CoLoSL: Concurrent Local Subjective Logic. In ESOP (LNCS), Vol. 9032. Springer.Google Scholar
- Vincent Rahli, David Guaspari, Mark Bickford, and Robert L. Constable. 2015. Formal Specification, Verification, and Implementation of Fault-Tolerant Systems using EventML. In AVOCS. EASST.Google Scholar
- John C. Reynolds. 2002. Separation Logic: A Logic for Shared Mutable Data Structures. In LICS. IEEE Computer Society, 55–74. Google ScholarCross Ref
- Ilya Sergey. 2014. Programs and Proofs: Mechanizing Mathematics with Dependent Types. Lecture notes with exercises. Available at http://ilyasergey.net/pnp .Google Scholar
- Ilya Sergey, Aleksandar Nanevski, and Anindya Banerjee. 2015. Mechanized Verification of Fine-grained Concurrent Programs. In PLDI. ACM, 77–87. Google ScholarDigital Library
- Gordon Stewart, Lennart Beringer, Santiago Cuellar, and Andrew W. Appel. 2015. Compositional CompCert. In POPL. ACM, 275–287. Google ScholarDigital Library
- Alexander J. Summers and Peter Müller. 2016. Actor Services - Modular Verification of Message Passing Programs. In ESOP (LNCS) , Vol. 9632. Springer, 699–726.Google Scholar
- Kasper Svendsen and Lars Birkedal. 2014. Impredicative Concurrent Abstract Predicates. In ESOP (LNCS), Vol. 8410. Springer, 149–168. Google ScholarDigital Library
- Nikhil Swamy, Juan Chen, Cédric Fournet, Pierre-Yves Strub, Karthikeyan Bhargavan, and Jean Yang. 2011. Secure distributed programming with value-dependent types. In ICFP. ACM, 266–278. Google ScholarDigital Library
- Bernardo Toninho, Luís Caires, and Frank Pfenning. 2011. Dependent session types via intuitionistic linear type theory. In PPDP . ACM, 161–172. Google ScholarDigital Library
- Aaron Turon, Viktor Vafeiadis, and Derek Dreyer. 2014. GPS: navigating weak memory with ghosts, protocols, and separation. In OOPSLA. ACM, 691–707. Google ScholarDigital Library
- Aaron Joseph Turon, Jacob Thamsborg, Amal Ahmed, Lars Birkedal, and Derek Dreyer. 2013. Logical relations for fine-grained concurrency. In POPL. ACM, 343–356. Google ScholarDigital Library
- Viktor Vafeiadis and Matthew J. Parkinson. 2007. A Marriage of Rely/Guarantee and Separation Logic. In CONCUR (LNCS), Vol. 4703. Springer, 256–271.Google ScholarDigital Library
- Robbert van Renesse and Deniz Altinbuken. 2015. Paxos Made Moderately Complex. ACM Comput. Surv. 47, 3 (2015), 42:1–42:36.Google Scholar
- Jules Villard, Étienne Lozes, and Cristiano Calcagno. 2009. Proving Copyless Message Passing. In APLAS (LNCS), Vol. 5904. Springer, 194–209. Google ScholarDigital Library
- Gerhard Weikum and Gottfried Vossen. 2002. Transactional Information Systems: Theory, Algorithms, and the Practice of Concurrency Control and Recovery . Morgan Kaufmann.Google Scholar
- James R. Wilcox, Ilya Sergey, and Zachary Tatlock. 2017. Programming Language Abstractions for Modularly Verified Distributed Systems. In SNAPL (LIPIcs), Vol. 71. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 19:1–19:12.Google Scholar
- James R. Wilcox, Doug Woos, Pavel Panchekha, Zachary Tatlock, Xi Wang, Michael D. Ernst, and Thomas E. Anderson. 2015. Verdi: a framework for implementing and formally verifying distributed systems. In PLDI. ACM, 357–368. Google ScholarDigital Library
- Doug Woos, James R. Wilcox, Steve Anton, Zachary Tatlock, Michael D. Ernst, and Thomas E. Anderson. 2016. Planning for change in a formal verification of the Raft Consensus Protocol. In CPP. ACM, 154–165. Google ScholarDigital Library
Index Terms
- Programming and proving with distributed protocols
Recommendations
Paxos made EPR: decidable reasoning about distributed protocols
Distributed protocols such as Paxos play an important role in many computer systems. Therefore, a bug in a distributed protocol may have tremendous effects. Accordingly, a lot of effort has been invested in verifying such protocols. However, checking ...
Verdi: a framework for implementing and formally verifying distributed systems
PLDI '15: Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and ImplementationDistributed systems are difficult to implement correctly because they must handle both concurrency and failures: machines may crash at arbitrary points and networks may reorder, drop, or duplicate packets. Further, their behavior is often too complex ...
Ivy: safety verification by interactive generalization
PLDI '16: Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and ImplementationDespite several decades of research, the problem of formal verification of infinite-state systems has resisted effective automation. We describe a system --- Ivy --- for interactively verifying safety of infinite-state systems. Ivy's key principle is ...
Comments