Programming Language Abstractions for Modularly Verified Distributed Systems

Distributed systems are rarely developed as monolithic programs. Instead, like any software, these systems may consist of multiple program components, which are then compiled separately and linked together. Modern systems also incorporate various services interacting with each other and with client applications. However, state-of-the-art verification tools focus predominantly on verifying standalone, closed-world protocols or systems, thus failing to account for the compositional nature of distributed systems. For example, standalone verification has the drawback that when protocols and their optimized implementations evolve, one must re-verify the entire system from scratch, instead of leveraging compositionality to contain the reverification effort. In this paper, we focus on the challenge of modular verification of distributed systems with respect to high-level protocol invariants as well as for low-level implementation safety properties. We argue that the missing link between the two is a programming paradigm that would allow one to reason about both high-level distributed protocols and low-level implementation primitives in a single verification-friendly framework. Such a link would make it possible to reap the benefits from both the vast body of research in distributed computing, focused on modular protocol decomposition and consistency properties, as well as from the recent advances in program verification, enabling construction of provably correct systems implementations. To showcase the modular verification challenges, we present some typical scenarios of decomposition between a distributed protocol and its implementations. We then describe our ongoing research agenda, in which we are attempting to address the outlined problems by providing a typing discipline and a set of domain-specific primitives for specifying, implementing and verifying distributed systems. Our approach, mechanized within a proof assistant, provides the means of decomposition necessary for modular proofs about distributed protocols and systems.

[1]  Viktor Vafeiadis,et al.  Structuring the verification of heap-manipulating programs , 2010, POPL '10.

[2]  Thomas A. Henzinger,et al.  The Need for Language Support for Fault-Tolerant Distributed Systems , 2015, SNAPL.

[3]  Richard J. Lipton,et al.  Reduction: a method of proving properties of parallel programs , 1975, CACM.

[4]  Nancy A. Lynch,et al.  An introduction to input/output automata , 1989 .

[5]  Adam Chlipala,et al.  Using Crash Hoare logic for certifying the FSCQ file system , 2015, USENIX Annual Technical Conference.

[6]  Viktor Vafeiadis,et al.  A Marriage of Rely/Guarantee and Separation Logic , 2007, CONCUR.

[7]  Binoy Ravindran,et al.  Brief Announcement: A Family of Leaderless Generalized-Consensus Algorithms , 2016, PODC.

[8]  Yanhong A. Liu,et al.  From clarity to efficiency for distributed algorithms , 2012, OOPSLA '12.

[9]  Seif Haridi,et al.  Distributed Algorithms , 1992, Lecture Notes in Computer Science.

[10]  Cliff B. Jones,et al.  Tentative steps toward a development method for interfering programs , 1983, TOPL.

[11]  Srinath T. V. Setty,et al.  IronFleet: proving practical distributed systems correct , 2015, SOSP.

[12]  Adam Chlipala,et al.  Chapar: certified causally consistent distributed key-value stores , 2016, POPL.

[13]  Vasco Thudichum Vasconcelos,et al.  Language Primitives and Type Discipline for Structured Communication-Based Programming Revisited: Two Systems for Higher-Order Session Communication , 1998, SecReT@ICALP.

[14]  Leslie Lamport,et al.  The part-time parliament , 1998, TOCS.

[15]  Nissim Francez,et al.  Decomposition of Distributed Programs into Communication-Closed Layers , 1982, Sci. Comput. Program..

[16]  Serdar Tasiran,et al.  A calculus of atomic actions , 2009, POPL '09.

[17]  Kenneth L. McMillan,et al.  Ivy: safety verification by interactive generalization , 2016, PLDI.

[18]  Mark Bickford,et al.  Formal Specification, Verification, and Implementation of Fault-Tolerant Systems using EventML , 2015, Electron. Commun. Eur. Assoc. Softw. Sci. Technol..

[19]  Martín Abadi,et al.  The existence of refinement mappings , 1988, [1988] Proceedings. Third Annual Information Symposium on Logic in Computer Science.

[20]  Xinyu Feng,et al.  A rely-guarantee-based simulation for verifying concurrent program transformations , 2012, POPL '12.

[21]  Colin S. Gordon Verifying Concurrent Programs by Controlling Alias Interference , 2014 .

[22]  Robin Milner,et al.  A Calculus of Mobile Processes, II , 1992, Inf. Comput..

[23]  Xinyu Feng,et al.  Modular verification of linearizability with non-fixed linearization points , 2013, PLDI 2013.

[24]  Philippa Gardner,et al.  Fault-Tolerant Resource Reasoning , 2015, APLAS.

[25]  Bernardo Toninho,et al.  Dependent session types via intuitionistic linear type theory , 2011, PPDP.

[26]  Thomas A. Henzinger,et al.  PSync: a partially synchronous language for fault-tolerant distributed algorithms , 2016, POPL.

[27]  Xi Wang,et al.  Verdi: a framework for implementing and formally verifying distributed systems , 2015, PLDI.

[28]  Robbert van Renesse,et al.  Vive La Différence: Paxos vs. Viewstamped Replication vs. Zab , 2013, IEEE Transactions on Dependable and Secure Computing.

[29]  Robin Milner,et al.  A Theory of Type Polymorphism in Programming , 1978, J. Comput. Syst. Sci..

[30]  Lars Birkedal,et al.  Logical relations for fine-grained concurrency , 2013, POPL.

[31]  Viktor Vafeiadis,et al.  Concurrent Abstract Predicates , 2010, ECOOP.

[32]  Nobuko Yoshida,et al.  Multiparty asynchronous session types , 2008, POPL '08.

[33]  Hugo Herbelin,et al.  The Coq proof assistant : reference manual, version 6.1 , 1997 .

[34]  Aleksandar Nanevski,et al.  Subjective auxiliary state for coarse-grained concurrency , 2013, POPL.

[35]  Nobuko Yoshida,et al.  Dynamic multirole session types , 2011, POPL '11.

[36]  Ilya Sergey,et al.  Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity , 2014, ESOP.

[37]  Ilya Sergey,et al.  Hoare-style specifications as correctness conditions for non-linearizable concurrent objects , 2016, OOPSLA.

[38]  Ilya Sergey,et al.  Mechanized Verification of Fine-grained Concurrent Programs Accompanying tutorial and code commentary for PLDI 2015 artifact evaluation , 2015 .

[39]  Lars Birkedal,et al.  Impredicative Concurrent Abstract Predicates , 2014, ESOP.

[40]  Stephanie Weirich,et al.  Language-based verification will change the world , 2010, FoSER '10.

[41]  Butler W. Lampson,et al.  How to Build a Highly Available System Using Consensus , 1996, WDAG.

[42]  Lars Birkedal,et al.  Polymorphism and separation in hoare type theory , 2006, ICFP '06.

[43]  Viktor Vafeiadis,et al.  GPS: navigating weak memory with ghosts, protocols, and separation , 2014, OOPSLA.

[44]  Lars Birkedal,et al.  Unifying refinement and hoare-style reasoning in a logic for higher-order concurrency , 2013, ICFP.

[45]  Robbert van Renesse,et al.  Paxos Made Moderately Complex , 2015, ACM Comput. Surv..

[46]  Maurice Herlihy,et al.  Linearizability: a correctness condition for concurrent objects , 1990, TOPL.

[47]  John C. Mitchell,et al.  Protocol Composition Logic (PCL) , 2007, Computation, Meaning, and Logic.

[48]  Leslie Lamport,et al.  Formal Foundation for Specification and Verification , 1984, Advanced Course: Distributed Systems.

[49]  Nancy A. Lynch,et al.  Hierarchical correctness proofs for distributed algorithms , 1987, PODC '87.

[50]  Michael D. Ernst,et al.  Planning for change in a formal verification of the raft consensus protocol , 2016, CPP.

[51]  Robert Griesemer,et al.  Paxos made live: an engineering perspective , 2007, PODC '07.

[52]  Nancy A. Lynch,et al.  Forward and Backward Simulations: I. Untimed Systems , 1995, Inf. Comput..

[53]  Fabrizio Montesi,et al.  Choreographies, logically , 2017, Distributed Computing.

[54]  Aaron Turon,et al.  A separation logic for refining concurrent objects , 2011, POPL '11.

[55]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[56]  Peter W. O'Hearn,et al.  Abstraction for concurrent objects , 2009, Theor. Comput. Sci..

[57]  Ilya Sergey,et al.  Communicating State Transition Systems for Fine-Grained Concurrent Resources , 2014, ESOP.

[58]  Gottfried Vossen,et al.  Transactional Information Systems: Theory, Algorithms, and the Practice of Concurrency Control and Recovery , 2002 .

[59]  Leslie Lamport,et al.  Fast Paxos , 2006, Distributed Computing.

[60]  Stephan Merz,et al.  Proving the Correctness of Disk Paxos , 2005, Arch. Formal Proofs.

[61]  Rachid Guerraoui,et al.  Deconstructing paxos , 2003, SIGA.

[62]  Lars Birkedal,et al.  Ynot: dependent types for imperative programs , 2008, ICFP.

[63]  John K. Ousterhout,et al.  In Search of an Understandable Consensus Algorithm , 2014, USENIX Annual Technical Conference.

[64]  Amin Vahdat,et al.  Mace: language support for building distributed systems , 2007, PLDI '07.