Schneider [7] generalizes a number of protocols for Byzantine fault-tolerant clock synchronization and presents a uniform proof of their correctness. In Schneider's schema, each processor maintains a local clock by periodically adjusting its value to one computed by a convergence function applied to the readings of all the clocks. Correctness of an algorithm, i.e. that the readings of any two clocks at any time are within a fixed bound of each other, then follows from a few conditions on the convergence function. To prove that a particular clock synchronization algorithm is correct, it suffices to show that the convergence function used by the algorithm meets Schneider's conditions. Using the theorem prover Isabelle, we formalize the proofs that the convergence functions of two algorithms, namely the Interactive Convergence Algorithm (ICA) of Lamport and Melliar-Smith [4] and the Fault-tolerant Midpoint algorithm of Lundelius-Lynch [5], meet Schneider's conditions. Furthermore, we experiment with handling some parts of the proofs using fully automatic tools such as ICS [3] and CVC-lite [2]. These theories are part of joint work with Alwen Tiu and Leonor P. Nieto [1]. In that work the correctness of Schneider's schema was also verified using Isabelle (available at http://isa-afp.org/entries/GenClock.shtml).
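As an added illustration (not code from the Isabelle development or from the cited papers), the two convergence functions named above in executable form, together with checks of two of Schneider's conditions on a constructed reading vector; the clock names, the threshold delta, the fault bound f and the simplification that every processor sees the same reading vector are assumptions of this example.

```python
"""Convergence functions of Schneider's schema on a constructed sample.
Assumption: all non-faulty processors see the same vector of readings
(in the real protocols each processor reads the others at its own time)."""
from typing import Callable, Dict, List

Readings = Dict[str, float]

def cfn_ica(p: str, theta: Readings, delta: float) -> float:
    """Interactive Convergence Algorithm: p averages its differences to
    every clock, treating a difference larger than delta as zero, i.e. a
    clock that disagrees by more than delta is assumed faulty."""
    own = theta[p]
    diffs = [theta[q] - own if abs(theta[q] - own) <= delta else 0.0
             for q in theta]
    return own + sum(diffs) / len(diffs)

def cfn_midpoint(p: str, theta: Readings, f: int) -> float:
    """Fault-tolerant midpoint: discard the f smallest and f largest
    readings, then take the midpoint of the extremes that remain."""
    ordered = sorted(theta.values())
    kept = ordered[f:len(ordered) - f]
    return (kept[0] + kept[-1]) / 2

def translation_invariant(cfn: Callable, p: str, theta: Readings,
                          shift: float, *args) -> bool:
    """Schneider's translation invariance: shifting every reading by a
    constant shifts the function's result by the same constant."""
    shifted = {q: t + shift for q, t in theta.items()}
    return abs(cfn(p, shifted, *args) - (cfn(p, theta, *args) + shift)) < 1e-9

def within_good_span(value: float, theta: Readings, good: List[str]) -> bool:
    """Accuracy-preservation style check: the adjusted value stays inside
    the span of the non-faulty readings."""
    vals = [theta[q] for q in good]
    return min(vals) <= value <= max(vals)

def spread_after(cfn: Callable, theta: Readings, good: List[str], *args) -> float:
    """Precision-enhancement style check: how far apart the non-faulty
    processors' adjusted values are (compare with the raw spread)."""
    results = [cfn(p, theta, *args) for p in good]
    return max(results) - min(results)

# Constructed sample: four clocks, clock d is faulty (far off the others).
SAMPLE: Readings = {"a": 100.0, "b": 100.4, "c": 99.7, "d": 250.0}
GOOD = ["a", "b", "c"]          # raw spread of the good clocks is 0.7
```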
[1] Paul S. Miner et al. Verification of Fault-Tolerant Clock Synchronization Systems, 2003.
[2] Fred B. Schneider et al. Understanding Protocols for Byzantine Clock Synchronization, 1987.
[3] P. M. Melliar-Smith et al. Synchronizing clocks in the presence of faults, JACM, 1985.
[4] Natarajan Shankar. Mechanical Verification of a Generalized Protocol for Byzantine Fault Tolerant Clock Synchronization, FTRTFT, 1992.
[5] Nancy A. Lynch et al. A new fault-tolerant algorithm for clock synchronization, PODC '84, 1984.
[6] Damián Barsotti et al. Verification of clock synchronization algorithms: experiments on a combination of deductive tools, Formal Aspects of Computing, 2007.