Modular, crash-safe refinement for ASMs with submachines

Ernst, Gerhard; Pfähler, Jörg; Schellhorn, Gerhard; Reif, Wolfgang

doi:10.1016/j.scico.2016.04.009

Cited by 14 publications

(23 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Verified crash safety. Recently several verification frameworks have tackled the problem of crash safety of sequential systems, including verified file systems [5,7,10,34]. These systems address many issues, including handling crashes during recovery and giving an abstract specification that covers non-crashing and crashing execution separately.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Verifying concurrent, crash-safe systems with Perennial

Chajed¹,

Tassarotti

Kaashoek³

et al. 2019

Proceedings of the 27th ACM Symposium on Operating Systems Principles

View full text Add to dashboard Cite

This paper introduces Perennial, a framework for verifying concurrent, crash-safe systems. Perennial extends the Iris concurrency framework with three techniques to enable crash-safety reasoning: recovery leases, recovery helping, and versioned memory. To ease development and deployment of applications, Perennial provides Goose, a subset of Go and a translator from that subset to a model in Perennial with support for reasoning about Go threads, data structures, and file-system primitives. We implemented and verified a crash-safe, concurrent mail server using Perennial and Goose that achieves speedup on multiple cores. Both Perennial and Iris use the Coq proof assistant, and the mail server and the framework's proofs are machine checked. CCS Concepts • Software and its engineering → Software verification; Concurrency control; Software fault tolerance.

show abstract

Section: Related Workmentioning

confidence: 99%

“…Several existing verified storage systems address many aspects of crash safety [5,7,10,34], but they support only sequential execution. There has also been great progress in verifying concurrent systems [4,13,14,20,23,41], but none support crash safety reasoning.…”

Section: Introductionmentioning

confidence: 99%

Verifying concurrent, crash-safe systems with Perennial

Chajed¹,

Tassarotti

Kaashoek³

et al. 2019

Proceedings of the 27th ACM Symposium on Operating Systems Principles

View full text Add to dashboard Cite

show abstract

“…There are several existing systems that support reasoning about crashes and recovery, particularly in the context of file-system verification [7,8,11,26,28]. Most have no support for layered recovery, since they consider only a single recovery procedure at a time.…”

Section: Multiple Unreliable Disksmentioning

confidence: 99%

“…Most have no support for layered recovery, since they consider only a single recovery procedure at a time. The Flashix modular crash refinement work [11] does consider layered recovery, but to simplify proofs recovery procedures cannot rely on being able to write to disk. Argosy supports active recovery procedures which write to persistent storage; both the replicated disk and write-ahead log implementations rely on active recovery.…”

Section: Multiple Unreliable Disksmentioning

confidence: 99%

“…Ernst et al [11] also develop a theory of submachine refinement for crashing and recovering systems, which they used to verify their Flashix file system [10]. Their work has a similar notion of a refinement between an abstract specification and its implementation; their reduction from a white-box semantics to a black-box semantics for submachines is analogous to our notion of recovery refinement between interface L A and L C , as described in section 4.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Argosy: verifying layered storage systems with recovery refinement

Chajed

Tassarotti

Kaashoek

et al. 2019

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

Storage systems make persistence guarantees even if the system crashes at any time, which they achieve using recovery procedures that run after a crash. We present Argosy, a framework for machine-checked proofs of storage systems that supports layered recovery implementations with modular proofs. Reasoning about layered recovery procedures is especially challenging because the system can crash in the middle of a more abstract layer's recovery procedure and must start over with the lowest-level recovery procedure.This paper introduces recovery refinement, a set of conditions that ensure proper implementation of an interface with a recovery procedure. Argosy includes a proof that recovery refinements compose, using Kleene algebra for concise definitions and metatheory. We implemented Crash Hoare Logic, the program logic used by FSCQ [8], to prove recovery refinement, and demonstrated the whole system by verifying an example of layered recovery featuring a write-ahead log running on top of a disk replication system. The metatheory of the framework, the soundness of the program logic, and these examples are all verified in the Coq proof assistant.

show abstract

Why Programming Must Be Supported by Modeling and How

Börger

2018

Leveraging Applications of Formal Methods, Verification and Validation. Modeling

View full text Add to dashboard Cite

Modular, crash-safe refinement for ASMs with submachines

Cited by 14 publications

References 6 publications

Verifying concurrent, crash-safe systems with Perennial

Verifying concurrent, crash-safe systems with Perennial

Argosy: verifying layered storage systems with recovery refinement

Why Programming Must Be Supported by Modeling and How

Contact Info

Product

Resources

About