TLA + Proofs

Self Cite

Abstract. Peer-to-peer protocols for maintaining distributed hash tables, such as Pastry or Chord, have become popular for a class of Internet applications. While such protocols promise certain properties concerning correctness and performance, verification attempts using formal methods invariably discover border cases that violate some of those guarantees. Tianxiang Lu reported correctness problems in published versions of Pastry and also developed a model, which he called LuPastry, for which he provided a partial proof of correct delivery assuming no node departures, mechanized in the TLA + Proof System. Lu's proof is based on certain assumptions that were left unproven. We found counter-examples to several of these assumptions. In this paper, we present a revised model and rigorous proof of correct delivery, which we call LuPastry + . Aside from being the first complete proof, LuPastry + also improves upon Lu's work by reformulating parts of the specification in such a way that the reasoning complexity is confined to a small part of the proof.

Section: Introductionmentioning

confidence: 99%

A Rigorous Correctness Proof for Pastry

Azmy

Merz

Weidenbach

2016

Self Cite

“…In this work, we formally specify a high-level model of PharOS executions in the specification language TLA + [6] and use tlaps, the TLA + Proof System [4], to formally prove determinacy of our model. Our proof is based on the paperand-pencil proof of [9].…”

Section: Introductionmentioning

confidence: 99%

“…tlaps [4] is an interactive proof assistant for TLA + . It allows users to develop proofs for lemmas and theorems asserted in a TLA + module, using a hierarchical proof language.…”

mentioning

confidence: 99%

Proving Determinacy of the PharOS Real-Time Operating System

Azaiez

Doligez

Lemerre

et al. 2016

Self Cite

Abstract. Executions in the PharOS real-time system are deterministic in the sense that the sequence of local states for every process is independent of the order in which processes are scheduled. The essential ingredient for achieving this property is that a temporal window of execution is associated with every instruction. Messages become visible to receiving processes only after the time window of the sending message has elapsed. We present a high-level model of PharOS in TLA + and formally state and prove determinacy using the TLA + Proof System.

“…An attractive way to assess the validity of distributed algorithm is to use tool assisted verification, be it based process algebra [3,18], local computations [25], Event-B [7], COQ [8], HOL [9], Isabelle/HOL [21], or TLA [23,22] that can enjoy an Isabelle back-end for its provers [12]. Surprisingly, only few works consider using mechanized assistance for networks of mobile entities, be it population protocols [13,10] or mobile robots [14,4].…”

Section: Introductionmentioning

confidence: 99%

Certified Impossibility Results for Byzantine-Tolerant Mobile Robots

Auger

Bouzid

Courtieu

et al. 2013

Abstract. We propose a framework to build formal developments for robot networks using the COQ proof assistant, to state and to prove formally various properties. We focus in this paper on impossibility proofs, as it is natural to take advantage of the COQ higher order calculus to reason about algorithms as abstract objects. We present in particular formal proofs of two impossibility results for convergence of oblivious mobile robots if respectively more than one half and more than one third of the robots exhibit Byzantine failures, starting from the original theorems by Bouzid et al.. Thanks to our formalization, the corresponding COQ developments are quite compact. To our knowledge, these are the first certified (in the sense of formally proved) impossibility results for robot networks.