Tutorial on Parameterized Model Checking of Fault-Tolerant Distributed Algorithms

Gmeiner, Annu; Konnov, Igor; Schmid, Ulrich; Veith, Helmut; Widder, Josef

doi:10.1007/978-3-319-07317-0_4

Cited by 16 publications

(18 citation statements)

References 59 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Proposition C. 36. Let σ be a configuration, let τ be a steady conventional schedule applicable to σ, and let ψ be a propositional formula.…”

Section: C3 Representative Schedules Maintainingmentioning

confidence: 99%

“…Contributions. We generalize the approach by Konnov et al [42,44] to liveness by presenting a framework and a model checking tool that takes as input a description of a distributed algorithm (in our variant [36] of Promela [39]) and specifications in a fragment of linear temporal logic. It then shows correctness for all parameter values (e.g., n and t) that satisfy the required resilience condition (e.g., t < n/3), or reports a counterexample: 1.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A short counterexample property for safety and liveness verification of fault-tolerant distributed algorithms

Konnov

Lazić

Veith

et al. 2017

Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages

Self Cite

View full text Add to dashboard Cite

Distributed algorithms have many mission-critical applications ranging from embedded systems and replicated databases to cloud computing. Due to asynchronous communication, process faults, or network failures, these algorithms are difficult to design and verify. Many algorithms achieve fault tolerance by using threshold guards that, for instance, ensure that a process waits until it has received an acknowledgment from a majority of its peers. Consequently, domain-specific languages for fault-tolerant distributed systems offer language support for threshold guards.We introduce an automated method for model checking of safety and liveness of threshold-guarded distributed algorithms in systems where the number of processes and the fraction of faulty processes are parameters. Our method is based on a short counterexample property: if a distributed algorithm violates a temporal specification (in a fragment of LTL), then there is a counterexample whose length is bounded and independent of the parameters. We prove this property by (i) characterizing executions depending on the structure of the temporal formula, and (ii) using commutativity of transitions to accelerate and shorten executions. We extended the ByMC toolset (Byzantine Model Checker) with our technique, and verified liveness and safety of 10 prominent fault-tolerant distributed algorithms, most of which were out of reach for existing techniques.

show abstract

“…Proposition C. 36. Let σ be a configuration, let τ be a steady conventional schedule applicable to σ, and let ψ be a propositional formula.…”

Section: C3 Representative Schedules Maintainingmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

A short counterexample property for safety and liveness verification of fault-tolerant distributed algorithms

Konnov

Lazić

Veith

et al. 2017

Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages

Self Cite

View full text Add to dashboard Cite

show abstract

“…We have shown that such cutoffs are already useful for establishing the decidability of the parameterized model checking problem. On the other hand, some experimental results on PMCP from real-world case studies (e.g., [25,42] or [38,Sec. 6.2]) suggest that templates in such systems usually have tens or hundreds of states, suggesting that small cutoffs are desirable if one is to use them to solve the PMCP in practice.…”

Section: Discussion and Related Workmentioning

confidence: 99%

Parameterized model checking of rendezvous systems

et al. 2017

Self Cite

View full text Add to dashboard Cite

Parameterized model checking is the problem of deciding if a given formula holds irrespective of the number of participating processes. A standard approach for solving the parameterized model checking problem is to reduce it to model checking finitely many finite-state systems. This work considers the theoretical power and limitations of this technique. We focus on concurrent systems in which processes communicate via pairwise rendezvous, as well as the special cases of disjunctive guards and token passing; specifications are expressed in indexed temporal logic without the next operator; and the underlying network topologies are generated by suitable formulas and graph operations. First, we settle the exact computational complexity of the parameterized model checking problem for some of our concurrent systems, and establish new decidability results for others. Second, we consider the cases where model checking the parameterized system can be reduced to model checking some fixed number of processes, the number is known as a cutoff. We provide many cases for when such cutoffs can be computed, establish lower bounds on the size of such cutoffs, and identify cases where no cutoff exists. Third, we consider cases for which the parameterized system is equivalent to a single finite-state system (more precisely a Büchi word automaton), and establish tight bounds on the sizes of such automata.

show abstract

“…All of our benchmark algorithms were originally published in pseudocode, and we model them in a parametric extension of Promela, which was discussed in [27,34].…”

Section: Methodsmentioning

confidence: 99%

“…Tool chain with counter abstraction [27,33,41] on top, and with SMT-based bounded model checking on bottom 1. Apply a parametric data abstraction to the process code to get a finite state process description, and construct the threshold automaton (TA) [33,36].…”

Section: Figmentioning

confidence: 99%

Para $$^2$$ 2 : parameterized path reduction, acceleration, and SMT for reachability in threshold-guarded distributed algorithms

Konnov

Lazić

Veith

et al. 2017

Form Methods Syst Des

Self Cite

View full text Add to dashboard Cite

Automatic verification of threshold-based fault-tolerant distributed algorithms (FTDA) is challenging: FTDAs have multiple parameters that are restricted by arithmetic conditions, the number of processes and faults is parameterized, and the algorithm code is parameterized due to conditions counting the number of received messages. Recently, we introduced a technique that first applies data and counter abstraction and then runs bounded model checking (BMC). Given an FTDA, our technique computes an upper bound on the diameter of the system. This makes BMC complete for reachability properties: it always finds a counterexample, if there is an actual error. To verify state-of-the-art FTDAs, further improvement is needed. In contrast to encoding bounded executions of a counter system over an abstract finite domain in SAT, in this paper, we encode bounded executions over integer counters in SMT. In addition, we introduce a new form of reduction that exploits acceleration and the structure of the FTDAs. This aggressively prunes the execution space to be explored by the solver. In this way, we verified safety of seven FTDAs that were out of reach before.

show abstract

Tutorial on Parameterized Model Checking of Fault-Tolerant Distributed Algorithms

Cited by 16 publications

References 59 publications

A short counterexample property for safety and liveness verification of fault-tolerant distributed algorithms

A short counterexample property for safety and liveness verification of fault-tolerant distributed algorithms

Parameterized model checking of rendezvous systems

Para $$^2$$ 2 : parameterized path reduction, acceleration, and SMT for reachability in threshold-guarded distributed algorithms

Contact Info

Product

Resources

About