Álvaro García Pérez (UPM) · babel.ls.fi.upm.es/~agarcia/talks/ACW2017/slides.pdf · Towards modular verification of consensus protocols (slide transcript)
Page 1
Towards modular verification of consensus protocols
Álvaro García Pérez
IMDEA Software Institute, Madrid
Joint work with Yuri Meshman and Alexey Gotsman (IMDEA), Ilya Sergey (UCL), and Hongseok Yang (Oxford)
Pages 2-4: Consensus
• Several nodes, which can crash
• Each node proposes a value
• All non-crashed nodes agree on a single value
(Diagram: three nodes propose v1, v2 and v3; one node crashes (✘) and the non-crashed nodes all decide v2.)
Pages 5-7: Deterministic state machine
Clients submit commands c1, c2, c3.
Machine totally orders commands (c1, c2, c3) and computes the sequence of results (r1, r2, r3).
(Diagram, page 7: the single machine crashes (✘) and no results are produced.)
Pages 8-12: State machine replication
Clients send commands to all replicas. Replicas may receive commands in different orders (c3, c2, c1 / c1, c2, c3 / c2, c1, c3).
Totally order commands via a sequence of consensus instances: every replica processes c2, c1, c3.
Replicas compute the same sequence of results (r2, r1, r3), even if one replica crashes (✘).
Correctness: the replicated implementation is linearizable with respect to the single-server one, so replication is transparent to clients.
Pages 13-14: The zoo of consensus protocols
• Viewstamped replication (1988)
• Paxos (1998)
• Disk Paxos (2003)
• Cheap Paxos (2004)
• Generalized Paxos (2004)
• Paxos Commit (2004)
• Fast Paxos (2006)
• Stoppable Paxos (2008)
• Mencius (2008)
• Vertical Paxos (2009)
• ZAB (2009)
• Ring Paxos (2010)
• Egalitarian Paxos (2013)
• Raft (2014)
• M2Paxos (2016)
• Flexible Paxos (2016)
• Caesar (2017)
Complex protocols: constant fight for better performance
Pages 15-22: (figures only; no text extracted)
Pages 23-24: Broken [Michael+ 2016]
Is it all lost?
Pages 25-26: Goals
• Develop methods for proving protocols correct, including realistic deployments
• Get insights into their structure
• Design new and better protocols?
Pages 27-34: Approach
• Modular reasoning: verify parts of the protocol separately instead of the whole thing
• Linearizability implies refinement [Filipovic+ 2009]
(Diagram: the protocol is layered into components P1, P2, P3. Each component is shown linearizable with respect to an atomic specification and then replaced by it: P1 ⊑ S1, P2(S1) ⊑ S2, P3(S2) ⊑ S3, so that an atomic { ... } block stands in for each verified component.)
Only reason about separate components
Page 35: Modular structure in consensus
• Steal abstractions from an existing analysis of Paxos [Boichat+ 2003, Chockler+ 2002]
• Show their linearizability ➜ modular proof of Paxos
• Generalise them to modularise proofs of other consensus protocols, such as ZAB
Page 36
• Acceptors = members of parliament: can vote to accept a value, majority wins
• Leader = parliament speaker: proposes its value to vote on
• Good for multi-consensus: can elect the leader once and get it to process multiple client requests
(Diagram: acceptors 1, 2, 3 with proposals v1, v2, v3; one of them also acts as leader.)
Pages 37-43
• Phase 1: a prospective leader convinces a majority of acceptors to accept its authority
• Phase 2: the leader gets a majority of acceptors to accept its value and replies to the client
(Diagram: node 2 becomes leader (Leader#: 2) with the ok of acceptors 1 and 2 while node 3 is down (✘). Node 2 sends v2; acceptors 1 and 2 record "Leader#: 2, Accepted: v2" and reply ok, and the leader replies v2 to the client.)
Page 44
• Problem: node 3 may wake up, form a majority of 1 and 3, and accept value v3
• Need to ensure once a value is chosen by a majority, it can't be changed
• Use round numbers to distinguish different votes
(Diagram: acceptors 1 and 3 now hold "Leader#: 3, Accepted: v3" and v3 is replied to the client, while acceptor 2 still holds "Leader#: 2, Accepted: v2" and v2 was already replied to the client: two different values were decided.)
Pages 45-49
• Phase 1: a prospective leader chooses a round r and convinces a majority of acceptors to switch to r
• Acceptor switches only if its current round is less
• Phase 2: the leader sends its value tagged with the round number
• Acceptor only accepts a value tagged with the round it is in
(Diagram: all acceptors start at "Leader#: ?, Round#: 0, Accepted: ?". Node 2 sends r; acceptors 1 and 2 switch to round r and reply ok. Node 2 then sends (r, v2); acceptors 1 and 2 record Accepted: v2 and reply ok, and the leader replies v2 to the client. Acceptor 3 stays at round 0.)
Pages 50-53
• Phase 1: a prospective leader chooses a round rʹ and convinces a majority of acceptors to switch to rʹ
• Acceptor sends to the prospective leader its round number and value
• If some acceptor has accepted a value, the leader proposes the value with the highest round number
Ensures that the chosen value v2 will not be changed
(Diagram: node 3 wakes up and sends rʹ to acceptors 2 and 3; acceptor 2 replies "ok, r, v2", so both acceptors 2 and 3 end up at "Leader#: 3, Round#: rʹ, Accepted: v2".)
Page 54: Round-based register [Boichat+ 2003]
• Data type encapsulating the state of acceptors
• read() - Phase 1 of Paxos
• write() - Phase 2 of Paxos
(Diagram: Paxos layered on top of the round-based register.)
Page 55: Read - Paxos Phase 1

    read(r) {
      if (a majority of acceptors has round < r) {
        switch them to round r;
        if (no acceptor has a value accepted)
          return none;
        else
          return the value at the acceptor with the highest round;
      } else {
        return abort;
      }
    }

Page 56: Write - Paxos Phase 2

    write(r, v) {
      if (a majority of acceptors has round r) {
        write v to them;
        return commit;
      } else {
        return abort;
      }
    }

Page 57: Consensus using the register

    propose(v) {
      choose a round r;
      vʹ = read(r);
      if (vʹ = abort) increase r and repeat;
      if (vʹ = none) vʹ = v;
      if (write(r, vʹ) = commit) return vʹ;
      else increase r and repeat;
    }
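As an added worked example (not code from the talk or its authors), here is the register's read/write over crash-prone acceptors and propose() on top of it, replaying the scenario of pages 44-53: once a majority has accepted v2, a leader that wakes up later and proposes v3 ends up deciding v2. Assumptions: a proposer can only talk to the acceptors in `reachable`; rounds are made unique per leader by the constructed `round_for` scheme (attempt*n + leader); and `NaiveMajority` is a constructed model of the round-free protocol whose failure page 44 describes.

```python
"""Round-based register (read = Paxos Phase 1, write = Phase 2) over acceptors,
plus propose() built on top of it.  Added example, not the slides' own code."""
from dataclasses import dataclass
from typing import Optional, Set

ABORT = "ABORT"     # read/write failed; the proposer must pick a higher round and retry
COMMIT = "COMMIT"   # write succeeded on a majority
N_ACCEPTORS = 3     # constructed: acceptors 1, 2, 3 from the slides, stored at indices 0..2


@dataclass
class Acceptor:
    round: int = 0                 # Round#: last round this acceptor switched to
    accepted_round: int = 0        # round in which `value` was accepted
    value: Optional[str] = None    # Accepted: value voted for, or None ("?" on the slides)


class RoundBasedRegister:
    """Replicated implementation: state lives only at the acceptors, and a
    proposer can only reach the acceptors listed in `reachable`."""

    def __init__(self, n: int = N_ACCEPTORS):
        self.acceptors = [Acceptor() for _ in range(n)]
        self.quorum = n // 2 + 1

    def read(self, r: int, reachable: Set[int]):
        """Phase 1: switch a majority to round r and learn any value already accepted."""
        switchable = [self.acceptors[i] for i in reachable if self.acceptors[i].round < r]
        if len(switchable) < self.quorum:
            return ABORT                      # some acceptor already moved to a higher round
        for a in switchable:
            a.round = r                       # an acceptor switches only if its round is lower
        voted = [a for a in switchable if a.value is not None]
        if not voted:
            return None                       # "none": the proposer may use its own value
        # the value accepted in the highest round wins; this keeps a chosen value stable
        return max(voted, key=lambda a: a.accepted_round).value

    def write(self, r: int, v: str, reachable: Set[int]):
        """Phase 2: acceptors accept only a value tagged with the round they are in."""
        in_round = [self.acceptors[i] for i in reachable if self.acceptors[i].round == r]
        if len(in_round) < self.quorum:
            return ABORT
        for a in in_round:
            a.value, a.accepted_round = v, r
        return COMMIT


def round_for(leader: int, attempt: int, n: int = N_ACCEPTORS) -> int:
    """Assumption: rounds are made unique per leader by interleaving (attempt*n + leader)."""
    return attempt * n + leader


def propose(reg: RoundBasedRegister, leader: int, v: str, reachable: Set[int],
            max_attempts: int = 10):
    """Consensus using the register (page 57): read, substitute our own value if none
    was accepted, then write; on abort increase the round and repeat."""
    for attempt in range(max_attempts):
        r = round_for(leader, attempt, len(reg.acceptors))
        v_prime = reg.read(r, reachable)
        if v_prime == ABORT:
            continue
        if v_prime is None:
            v_prime = v
        if reg.write(r, v_prime, reachable) == COMMIT:
            return v_prime
    return ABORT


def paxos_scenario():
    """Pages 44-53: leader 2 decides with acceptors {1,2} while 3 is asleep; then node 3
    wakes up and proposes v3 to {2,3}.  The already chosen value v2 must survive."""
    reg = RoundBasedRegister()
    first = propose(reg, leader=2, v="v2", reachable={0, 1})
    second = propose(reg, leader=3, v="v3", reachable={1, 2})
    return first, second


class NaiveMajority:
    """Constructed model of the broken protocol of page 44: no rounds, and a leader
    simply writes its own value to whichever majority it can reach."""

    def __init__(self, n: int = N_ACCEPTORS):
        self.values = [None] * n
        self.quorum = n // 2 + 1

    def propose(self, v: str, reachable: Set[int]):
        if len(reachable) < self.quorum:
            return ABORT
        for i in reachable:
            self.values[i] = v
        return v


def naive_scenario():
    """Leader 2 decides v2 with {1,2}; node 3 then forms the majority {1,3} and decides v3."""
    reg = NaiveMajority()
    return reg.propose("v2", {0, 1}), reg.propose("v3", {0, 2})
```

The `paxos_scenario()` pair is ("v2", "v2") while `naive_scenario()` returns ("v2", "v3"), which is exactly the disagreement the round numbers are introduced to rule out.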
Page 58: Conjecture
Round-based register is linearizable wrt an atomic, single-server specification strong enough to prove Paxos correct*
* only safety, no liveness
(Diagram: Paxos over the replicated implementation of the round-based register on the left; Paxos over the atomic single-server specification on the right.)
Pages 59-61: Atomic single-server specification of the round-based register

    round = 0;
    vals = {none};

    atomic read(k) {
      if (round < k) {
        round = k;
        v = pickNondet(vals);
        return v;
      } else
        return abort;
    }

    atomic write(k, v) {
      if (round <= k) {
        if (nondet()) {
          vals = {v};
          round = k;
          return commit;
        } else {
          vals = vals U {v};
          return abort;
        }
      } else
        return abort;
    }

Single state copy, atomic methods ➜ Paxos as a shared-memory alg.
(Diagram, page 61: two proposers run propose(v) from page 57 against this single state copy.)
Page 62
round = 0; vals = {none};
Single round number: the last round a majority of acceptors was switched to
Set of values stored at acceptors: singleton {v} if a majority accepted value v
• Tricky to simulate the implementation using a single round number
• Different acceptors have different round numbers ➜ methods act differently depending on which majority they query
• Solution: highly non-deterministic specification
![Page 63: Álvaro García Pérez - UPMbabel.ls.fi.upm.es/~agarcia/talks/ACW2017/slides.pdf · Towards modular verification of consensus protocols Álvaro García Pérez IMDEA Software Institute,](https://reader033.fdocuments.us/reader033/viewer/2022051905/5ff6da0a1cd8c5392c2e2495/html5/thumbnails/63.jpg)
atomic read(k) { if (round < k) { round = k; v = pickNondet(vals); return v; } else return abort; }}
atomic write(k, v) { if (round <= k) { if (nondet()) { vals = {v}; round = k; return commit; } else { vals = vals U {v}; return abort; } } else { return abort; }
round = 0;vals = {none};
Write can abort even if the parameter round is higher or equal than the current one
![Page 64: Álvaro García Pérez - UPMbabel.ls.fi.upm.es/~agarcia/talks/ACW2017/slides.pdf · Towards modular verification of consensus protocols Álvaro García Pérez IMDEA Software Institute,](https://reader033.fdocuments.us/reader033/viewer/2022051905/5ff6da0a1cd8c5392c2e2495/html5/thumbnails/64.jpg)
```
propose(v) {
  choose a round r;
  v' = read(r);
  if (v' = abort) increase r and repeat;
  if (v' = none) v' = v;
  if (write(r, v') = commit) return v';
  else increase r and repeat;
}
```
Write can abort even if the parameter round is higher than or equal to the current one: OK for consensus safety, propose just restarts
![Page 65: Álvaro García Pérez - UPMbabel.ls.fi.upm.es/~agarcia/talks/ACW2017/slides.pdf · Towards modular verification of consensus protocols Álvaro García Pérez IMDEA Software Institute,](https://reader033.fdocuments.us/reader033/viewer/2022051905/5ff6da0a1cd8c5392c2e2495/html5/thumbnails/65.jpg)
The spec allows proving that a decision taken in consensus can't be changed
![Page 66: Álvaro García Pérez - UPMbabel.ls.fi.upm.es/~agarcia/talks/ACW2017/slides.pdf · Towards modular verification of consensus protocols Álvaro García Pérez IMDEA Software Institute,](https://reader033.fdocuments.us/reader033/viewer/2022051905/5ff6da0a1cd8c5392c2e2495/html5/thumbnails/66.jpg)
Successful write of v sets vals to {v}
![Page 67: Álvaro García Pérez - UPMbabel.ls.fi.upm.es/~agarcia/talks/ACW2017/slides.pdf · Towards modular verification of consensus protocols Álvaro García Pérez IMDEA Software Institute,](https://reader033.fdocuments.us/reader033/viewer/2022051905/5ff6da0a1cd8c5392c2e2495/html5/thumbnails/67.jpg)
A following successful read will return v
![Page 68: Álvaro García Pérez - UPMbabel.ls.fi.upm.es/~agarcia/talks/ACW2017/slides.pdf · Towards modular verification of consensus protocols Álvaro García Pérez IMDEA Software Institute,](https://reader033.fdocuments.us/reader033/viewer/2022051905/5ff6da0a1cd8c5392c2e2495/html5/thumbnails/68.jpg)
propose() writes what it read
![Page 69: Álvaro García Pérez - UPMbabel.ls.fi.upm.es/~agarcia/talks/ACW2017/slides.pdf · Towards modular verification of consensus protocols Álvaro García Pérez IMDEA Software Institute,](https://reader033.fdocuments.us/reader033/viewer/2022051905/5ff6da0a1cd8c5392c2e2495/html5/thumbnails/69.jpg)
Currently automating all proofs in Ivy [Tel-Aviv U. & MSR]
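As an added example (not the authors' code or their Ivy proofs), a small Python model of the non-deterministic spec and of propose() above: a random scheduler interleaves several proposers, each owning its own stride of round numbers, and a check confirms that every proposer that returns has decided the same value. The seeded RNG standing in for pickNondet/nondet, the per-proposer round striding and the step cap are assumptions of this example.

```python
import random
ABORT, COMMIT = object(), object()  # result sentinels, as in the slides' spec

class PaxosSpec:
    # Single-copy atomic spec of Paxos from the slides; nondeterminism is
    # resolved by a seeded RNG (an assumption here) so runs can be replayed.
    def __init__(self, rng):
        self.rng = rng
        self.round = 0      # last round a majority of acceptors switched to
        self.vals = {None}  # values stored at acceptors; {v} once v is chosen
    def read(self, k):
        if self.round < k:
            self.round = k
            return self.rng.choice(sorted(self.vals, key=str))  # pickNondet
        return ABORT
    def write(self, k, v):
        if self.round <= k:
            if self.rng.random() < 0.5:  # nondet(): may abort although round <= k
                self.vals, self.round = {v}, k
                return COMMIT
            self.vals = self.vals | {v}  # v reached only a minority
            return ABORT
        return ABORT

def propose(spec, v, r, step):
    # propose(v) from the slides as a generator: it yields after each atomic
    # call so a scheduler can interleave proposers; each owns rounds r, r+step, ...
    while True:
        v2 = spec.read(r); yield
        if v2 is not ABORT:
            v2 = v if v2 is None else v2
            res = spec.write(r, v2); yield  # writes what it read
            if res is COMMIT:
                return v2
        r += step

def run(seed, n=3, max_steps=200):
    # Randomly interleave n proposers; return {proposer: decided value}.
    spec, decided = PaxosSpec(random.Random(seed)), {}
    live = {i: propose(spec, f"v{i}", i + 1, n) for i in range(n)}
    for _ in range(max_steps):
        if not live:
            break
        i = spec.rng.choice(sorted(live))
        try: next(live[i])
        except StopIteration as done:
            decided[i] = done.value; del live[i]
    return decided
def agreement_holds(seeds=range(200)):
    # Safety: all proposers that returned decided on the same value.
    return all(len(set(run(s).values())) <= 1 for s in seeds)
```

Liveness is deliberately out of scope: a run may exhaust its step cap with nobody decided, which the safety check tolerates.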
![Page 70: Álvaro García Pérez - UPMbabel.ls.fi.upm.es/~agarcia/talks/ACW2017/slides.pdf · Towards modular verification of consensus protocols Álvaro García Pérez IMDEA Software Institute,](https://reader033.fdocuments.us/reader033/viewer/2022051905/5ff6da0a1cd8c5392c2e2495/html5/thumbnails/70.jpg)
Multi-Paxos
[Figure: three nodes with sequences c3, c2, c1 / c1, c2, c3 / c2, c1, c3; all end up agreeing on c2, c1, c3]
State machine replication requires solving a sequence of consensus instances
![Page 71: Álvaro García Pérez - UPMbabel.ls.fi.upm.es/~agarcia/talks/ACW2017/slides.pdf · Towards modular verification of consensus protocols Álvaro García Pérez IMDEA Software Institute,](https://reader033.fdocuments.us/reader033/viewer/2022051905/5ff6da0a1cd8c5392c2e2495/html5/thumbnails/71.jpg)
• Naive solution: execute a separate Paxos instance for each sequence element
• Multi-Paxos: execute Phase 1 once for multiple sequence elements
![Page 72: Álvaro García Pérez - UPMbabel.ls.fi.upm.es/~agarcia/talks/ACW2017/slides.pdf · Towards modular verification of consensus protocols Álvaro García Pérez IMDEA Software Institute,](https://reader033.fdocuments.us/reader033/viewer/2022051905/5ff6da0a1cd8c5392c2e2495/html5/thumbnails/72.jpg)
Conjecture: Multi-Paxos refines the naive solution ➜ can be proven without unpacking the proof of Paxos
![Page 73: Álvaro García Pérez - UPMbabel.ls.fi.upm.es/~agarcia/talks/ACW2017/slides.pdf · Towards modular verification of consensus protocols Álvaro García Pérez IMDEA Software Institute,](https://reader033.fdocuments.us/reader033/viewer/2022051905/5ff6da0a1cd8c5392c2e2495/html5/thumbnails/73.jpg)
Other protocols:
• Multi-Paxos
• ZAB
• Byzantine Paxos
• ...
![Page 74: Álvaro García Pérez - UPMbabel.ls.fi.upm.es/~agarcia/talks/ACW2017/slides.pdf · Towards modular verification of consensus protocols Álvaro García Pérez IMDEA Software Institute,](https://reader033.fdocuments.us/reader033/viewer/2022051905/5ff6da0a1cd8c5392c2e2495/html5/thumbnails/74.jpg)
Broken [Michael+ 2016]
Is it all lost?
![Page 75: Álvaro García Pérez - UPMbabel.ls.fi.upm.es/~agarcia/talks/ACW2017/slides.pdf · Towards modular verification of consensus protocols Álvaro García Pérez IMDEA Software Institute,](https://reader033.fdocuments.us/reader033/viewer/2022051905/5ff6da0a1cd8c5392c2e2495/html5/thumbnails/75.jpg)
Not all. Formal techniques can make distributed algorithms more reliable and understandable