Paxos Consensus, Deconstructed and Abstracted

Lamport’s Paxos algorithm is a classic consensus protocol for state machine replication in environments that admit crash failures. Many versions of Paxos exploit the protocol’s intrinsic properties for the sake of gaining better run-time performance, thus widening the gap between the original description of the algorithm, which was proven correct, and its real-world implementations. In this work, we address the challenge of specifying and verifying complex Paxos-based systems by (a) devising composable specifications for implementations of Paxos’s single-decree version, and (b) engineering disciplines to reason about protocol-aware, semantics-preserving optimisations to single-decree Paxos. In a nutshell, our approach elaborates on the deconstruction of single-decree Paxos by Boichat et al. We provide novel non-deterministic specifications for each module in the deconstruction and prove that the implementations refine the corresponding specifications, such that the proofs of the modules that remain unchanged can be reused across different implementations. We further reuse this result and show how to obtain a verified implementation of Multi-Paxos from a verified implementation of single-decree Paxos, by a series of novel protocol-aware transformations of the network semantics, which we prove to be behaviour-preserving.
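To make the deconstruction concrete, the following Python sketch is an added example (not code from the paper or from its Coq/Disel development). It implements single-decree Paxos as two layers in the style of Boichat et al.: a round-based register whose `read(k)` and `write(k, v)` operations may either commit or abort, and a thin consensus layer on top that owns a disjoint set of round numbers per proposer. The class and function names (`Acceptor`, `RoundBasedRegister`, `Proposer`, `chosen_value`) and the `reachable` parameter are this example's own; the network is a direct method call restricted to `reachable`, so crashed or partitioned acceptors can be simulated deterministically.

```python
"""Single-decree Paxos via the round-based register (RBR) of Boichat et al.

Added example, not code from the paper or its Coq/Disel development.
Class and function names (Acceptor, RoundBasedRegister, Proposer,
chosen_value) and the `reachable` parameter are this example's own;
the network is a direct method call restricted to `reachable`, which
lets crashed or partitioned acceptors be simulated deterministically.
"""
from dataclasses import dataclass
from typing import Any, Optional, Tuple


@dataclass
class Acceptor:
    """Per-acceptor state; a real deployment must persist it across crashes."""
    read_round: int = 0   # highest round promised to (Paxos "promise")
    write_round: int = 0  # round in which `value` was accepted, 0 = never
    value: Any = None     # last accepted value

    def on_read(self, k: int):
        # Promise to ignore writes from rounds below k and report what was accepted.
        if k > self.read_round:
            self.read_round = k
            return ("ack", self.write_round, self.value)
        return ("nack",)

    def on_write(self, k: int, v: Any):
        # Accept unless a higher round has already been promised.
        if k >= self.read_round:
            self.read_round = self.write_round = k
            self.value = v
            return ("ack",)
        return ("nack",)


class RoundBasedRegister:
    """read(k) / write(k, v) either commit or abort; quorums of acceptors intersect."""

    def __init__(self, acceptors):
        self.acceptors = list(acceptors)
        self.quorum = len(self.acceptors) // 2 + 1

    def read(self, k: int, reachable=None) -> Tuple[bool, Any]:
        targets = self.acceptors if reachable is None else reachable
        acks = [r for r in (a.on_read(k) for a in targets) if r[0] == "ack"]
        if len(acks) < self.quorum:
            return False, None  # abort: no quorum promised round k
        # Only the value accepted in the highest round may be written back.
        _, _, val = max(acks, key=lambda r: r[1])
        return True, val

    def write(self, k: int, v: Any, reachable=None) -> bool:
        targets = self.acceptors if reachable is None else reachable
        acks = sum(1 for a in targets if a.on_write(k, v)[0] == "ack")
        return acks >= self.quorum  # commit iff a quorum accepted (k, v)


class Proposer:
    """Consensus layer: each proposer owns a disjoint set of round numbers."""

    def __init__(self, pid: int, n_proposers: int, register: RoundBasedRegister):
        self.pid, self.n, self.reg = pid, n_proposers, register

    def round_number(self, attempt: int) -> int:
        return attempt * self.n + self.pid + 1

    def propose(self, v: Any, reachable=None, max_attempts: int = 4) -> Optional[Any]:
        for attempt in range(max_attempts):
            k = self.round_number(attempt)
            ok, val = self.reg.read(k, reachable)
            if not ok:
                continue  # a higher round is under way; retry with a bigger k
            val = v if val is None else val  # must adopt an already-accepted value
            if self.reg.write(k, val, reachable):
                return val  # decided
        return None  # gave up: a liveness failure, never a safety one


def chosen_value(acceptors) -> Optional[Any]:
    """A value is chosen once a quorum has accepted it in the same round."""
    quorum = len(acceptors) // 2 + 1
    tally: dict = {}
    for a in acceptors:
        if a.value is not None:
            tally[(a.write_round, a.value)] = tally.get((a.write_round, a.value), 0) + 1
    return next((v for (_, v), n in tally.items() if n >= quorum), None)


if __name__ == "__main__":
    # Constructed scenario: acceptor 2 is down while proposer 0 runs, acceptor 0
    # is down while proposer 1 runs; the second proposer must adopt "A".
    acc = [Acceptor() for _ in range(3)]
    reg = RoundBasedRegister(acc)
    p0, p1 = Proposer(0, 2, reg), Proposer(1, 2, reg)
    print(p0.propose("A", reachable=acc[:2]), p1.propose("B", reachable=acc[1:]), chosen_value(acc))
```

The point the layering makes visible is the one the module specifications in the abstract are about: `read` and `write` are non-deterministic in that either may abort, and the consensus layer is correct only because it always writes back the value returned by a committed `read`. Run the interleaving where one proposer prepares a round, stalls, and a second proposer decides a different value in a higher round: the first proposer's stale write is rejected by every acceptor and its retry adopts the second value, so agreement holds under any schedule. What is not guaranteed is progress; with fewer than a quorum reachable, `propose` gives up and returns `None`, which is the expected liveness failure, not an unsafe decision. Acceptor state must be durable for this argument to survive crashes, and Multi-Paxos (the abstract's second contribution) is outside this sketch.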

[1] Leslie Lamport, et al. Fast Paxos, 2006, Distributed Computing.

[2] Stephan Merz, et al. Proving the Correctness of Disk Paxos, 2005, Archive of Formal Proofs.

[3] Miguel Oom Temudo de Castro, et al. Practical Byzantine fault tolerance, 1999, OSDI '99.

[4] P ? ? ? ? ? ? ? % ? ? ? ? , 1991 .

[5] Rachid Guerraoui, et al. Deconstructing Paxos, 2003, ACM SIGACT News.

[6] Xinyu Feng, et al. A program logic for concurrent objects under fair scheduling, 2016, POPL.

[7] Xinyu Feng, et al. Modular verification of linearizability with non-fixed linearization points, 2013, PLDI.

[8] Kenneth L. McMillan, et al. Ivy: safety verification by interactive generalization, 2016, PLDI.

[9] Leslie Lamport. Paxos Made Simple, 2001.

[10] Leslie Lamport. The part-time parliament, 1998, ACM TOCS.

[11] Ilya Sergey, et al. Programming and proving with distributed protocols, 2017, Proc. ACM Program. Lang.

[12] Shmuel Sagiv, et al. Paxos made EPR: decidable reasoning about distributed protocols, 2017, Proc. ACM Program. Lang.

[13] Alexey Gotsman, et al. A Generic Logic for Proving Linearizability, 2016, FM.

[14] Thomas A. Henzinger, et al. PSync: a partially synchronous language for fault-tolerant distributed algorithms, 2016, POPL.

[15] Glynn Winskel. The Formal Semantics of Programming Languages, 1993.

[16] Xi Wang, et al. Verdi: a framework for implementing and formally verifying distributed systems, 2015, PLDI.

[17] Srinath T. V. Setty, et al. IronFleet: proving practical distributed systems correct, 2015, SOSP.

[18] Ilya Sergey, et al. Programming Language Abstractions for Modularly Verified Distributed Systems, 2017, SNAPL.

[19] Maurice Herlihy, et al. Linearizability: a correctness condition for concurrent objects, 1990, ACM TOPLAS.

[20] Peter W. O'Hearn, et al. Abstraction for concurrent objects, 2009, Theor. Comput. Sci.

[21] John K. Ousterhout, et al. In Search of an Understandable Consensus Algorithm, 2014, USENIX ATC.

[22] Viktor Vafeiadis. Modular fine-grained concurrency verification, 2008, PhD thesis.

[23] Michael D. Ernst, et al. Planning for change in a formal verification of the Raft consensus protocol, 2016, CPP.

[24] Robert Griesemer, et al. Paxos made live: an engineering perspective, 2007, PODC '07.

[25] Stephan Merz, et al. Formal Verification of a Consensus Algorithm in the Heard-Of Model, 2009, Int. J. Softw. Informatics.

[26] Mark Bickford, et al. Formal Specification, Verification, and Implementation of Fault-Tolerant Systems using EventML, 2015, Electron. Commun. Eur. Assoc. Softw. Sci. Technol.

[27] Martín Abadi, et al. The existence of refinement mappings, 1988, Proceedings of the Third Annual Symposium on Logic in Computer Science (LICS).

[28] Robbert van Renesse, et al. Paxos Made Moderately Complex, 2015, ACM Comput. Surv.

[29] Keith Marzullo, et al. Mencius: Building Efficient Replicated State Machines for WANs, 2008, OSDI.

[30] Yanhong A. Liu, et al. Formal Verification of Multi-Paxos for Distributed Consensus, 2016, FM.

[31] Martín Abadi, et al. The Existence of Refinement Mappings, 1988, LICS.

[32] Leslie Lamport, et al. Model Checking TLA+ Specifications, 1999, CHARME.