This paper describes the formal verification of an interlocking system. We have formally proved the non-derailing and non-collision safety properties for an existing interlocking system operating on Paris Metro's line 3Bis. These high-level properties were first refined to an intermediate level that allows them to be expressed in terms of the control system's inputs and outputs. The resulting properties were then formalised in the internal language of the Prover iLock Verifier engine, a COTS product commercialised by Prover Technology. For this project, specific features were added to the engine so that it produces certified proofs, which can be used in place of testing in the SIL-4 qualification process for interlocking systems.
The election of a leader in a network is a challenging task, especially when the processes are asynchronous, i.e., execute an algorithm with time-varying periods. Thales developed an industrial election algorithm for an arbitrary number of processes, any of which may fail. In this work, we prove the correctness of a variant of this industrial algorithm. We use a method combining abstraction, the SafeProver solver, and a parametric timed model checker. This allows us to prove the correctness of the algorithm for a large number p of processes (p = 5000).

Our main contribution is a formal verification of the algorithm's correctness for a large number of nodes. By correctness, we mean the actual election of the leader after a fixed number of rounds.

We consider here a special form of the general leader election problem [Lyn96]: we assume that all the processes (or nodes) in the network have a specific ID number and execute the same code (symmetry) in order to agree on which ID number is the highest. In the synchronous context, where all processes communicate simultaneously, the problem is often solved using the "Bully algorithm" [GM82]. In the asynchronous context, where each process communicates with its own period, possibly subject to delay variation (jitter), the problem is much more difficult. The periods can all be slightly different from each other, which makes the problem particularly complex. For example, a classical distributed leader election protocol in which the nodes exchange data by broadcasting was designed by Leslie Lamport [Lam98] for the asynchronous context. The correctness of this algorithm has been proved mechanically many times using, e.g., the TLA+ tool [Lam02] or, more recently, the timed model checker Uppaal [BDL04]. However, these automated proofs work only for a small number p of processes, typically p ≤ 10.

In this paper, we present a technique to prove the correctness of such a distributed leader election using automated tools for a large number of nodes (e.g., p = 5000). The method relies on an abstraction that views the network from the point of view of a specific (but arbitrary) node, say node i, and treats the rest of the network as an abstract environment interacting with node i. In this abstract model, two basic properties of the algorithm can be proven. However, in order to prove the full correctness of the leader election algorithm, we need an auxiliary model in which some timing information is added to (a raw form of) the abstract model. Using this auxiliary timed model, we are able to prove an additional property of the leader election algorithm. With the three aforementioned properties added as assumptions, we can then prove the full correctness of the leader election algorithm, using the bounded model checker SafeProver [ÉJ17] on the abstract model.

The leader election algorithm we use is not Lamport's algorithm, but a simple asynchronous form of the Bully algorithm. We consider a specifi...
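The correctness notion the abstract states (every node agrees on the highest ID after a fixed number of rounds, with asynchronous periods, jitter and possible failures) can be made concrete with a small discrete-event simulation. The code below is an added example, not the paper's or Thales's algorithm: it assumes a heartbeat-based Bully variant in which every node broadcasts its ID at its own period plus jitter, presumes a node dead after a silence longer than two maximal heartbeat gaps, and elects the highest ID it still believes alive. Node IDs 1..N, crash-stop failures, the constant message delay and all numeric parameters are constructed for the example. A simulation is quadratic in the number of nodes, so it runs on a dozen nodes here; the paper's p = 5000 result comes from proof tools, not from simulation.

```python
import heapq
import random
from math import inf

MESSAGE_DELAY = 0.05   # assumed constant network latency (constructed value)


def simulate_election(num_nodes, rounds, failures=None,
                      base_period=1.0, jitter=0.2, seed=0):
    """Simulate a heartbeat-based asynchronous Bully variant (assumption, not
    the paper's algorithm).

    Nodes have IDs 1..num_nodes and all run the same code: every own period
    (plus random jitter) a node broadcasts its ID; a node presumes another
    dead when it has heard nothing from it for `timeout`; its leader is the
    highest ID it still believes alive (itself included).
    `failures` maps node ID -> time at which that node crashes (stops sending
    and receiving). Returns (leader_view, expected_leader): the leader each
    surviving node believes in at the end, and the highest surviving ID.
    """
    rng = random.Random(seed)
    failures = failures or {}
    nodes = range(1, num_nodes + 1)
    max_gap = base_period * 1.2 + jitter          # longest gap between two heartbeats
    timeout = 2 * max_gap + MESSAGE_DELAY         # silence longer than this => presumed dead
    horizon = rounds * max_gap                    # the "fixed number of rounds" budget
    # every node has its own (slightly different) period, as in the abstract
    period = {n: base_period * rng.uniform(0.8, 1.2) for n in nodes}
    last_heard = {n: {} for n in nodes}           # receiver -> {sender: time of last heartbeat}

    # event tuples: (time, kind, node, sender); kind is "tick" or "recv"
    events = [(rng.uniform(0, period[n]), "tick", n, 0) for n in nodes]
    heapq.heapify(events)
    while events and events[0][0] <= horizon:
        t, kind, n, sender = heapq.heappop(events)
        if failures.get(n, inf) <= t:
            continue                              # crashed node: neither sends nor receives
        if kind == "tick":
            last_heard[n][n] = t                  # a node always hears itself
            for m in nodes:
                if m != n:
                    heapq.heappush(events, (t + MESSAGE_DELAY, "recv", m, n))
            # next heartbeat after this node's own period plus jitter
            heapq.heappush(events, (t + period[n] + rng.uniform(0, jitter), "tick", n, 0))
        else:
            last_heard[n][sender] = t

    survivors = [n for n in nodes if failures.get(n, inf) > horizon]
    leader_view = {}
    for n in survivors:
        alive_ids = [m for m, tm in last_heard[n].items() if horizon - tm <= timeout]
        leader_view[n] = max(alive_ids)
    return leader_view, max(survivors)


def election_correct(num_nodes, rounds, failures=None, seed=0):
    """Correctness as the abstract states it: after `rounds`, every surviving
    node has elected the highest surviving ID."""
    view, expected = simulate_election(num_nodes, rounds, failures, seed=seed)
    return all(leader == expected for leader in view.values())


if __name__ == "__main__":
    print("no failures:", election_correct(12, 10))
    print("top node crashes early:", election_correct(12, 10, failures={12: 3.0}))
    # a crash just before the round budget ends is not yet detected, so the
    # property only holds a fixed number of rounds after the last failure
    print("top node crashes late:", election_correct(12, 10, failures={12: 13.0}))
```

The last case is the reason the abstract insists on "after a fixed number of rounds": a crash that occurs within the detection timeout of the end of the budget leaves the survivors still believing in the crashed node, so the number of rounds must be counted from the last failure.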