A formal approach to fault tolerant distributed consensus

The term distributed Consensus denotes the problem of getting a certain number of processes, which may be far from each other and which exchange messages through some communication medium, to all agree on the same value. This problem has been proved impossible to solve in asynchronous settings when at least one process can crash, i.e., stop working. Since the problem of reaching Consensus among processes recurs throughout distributed computation, many algorithms have been proposed to solve it, circumventing the impossibility result by introducing some form of synchrony into the system. Such algorithms are traditionally expressed in natural language or in pseudocode, which sometimes leaves their contents and their correctness proofs ambiguous. In this thesis, we propose a simple yet efficient way of giving formal descriptions and proofs of distributed Consensus algorithms. The method is based on inference rules, requires very little prior knowledge to be understood, and follows closely the way algorithms are expressed in pseudocode, which makes it intuitive for users. To show the validity of our claims, we use the method to formalize two of the major distributed Consensus algorithms, namely the Chandra-Toueg and the Paxos algorithms. Using this rigorous description, we then formally prove that these algorithms satisfy the Validity, Agreement and Termination properties that every solution to the Consensus problem should provide. This proving exercise reveals interesting results. We see that the Chandra-Toueg and the Paxos algorithms have strong points of resemblance, and their correctness proofs can be carried out in very similar ways. However, while the Chandra-Toueg algorithm proves correct with respect to all three properties, we discover that Paxos gives no guarantee of terminating.
This raises a philosophical question: should such an algorithm be considered a Consensus algorithm or not?
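The Paxos behaviour the abstract reports, as an added example that is not part of the thesis or its inference-rule formalization: a minimal single-decree Paxos model in Python, where the acceptor rules and the two proposer phases are the standard ones, and the three-acceptor setting, the ballot numbers and the two explicit schedules are assumptions made here. The deciding run exhibits Validity and Agreement (a later proposer is forced to adopt the already-chosen value), and the dueling-proposers schedule shows why Termination is not guaranteed.

```python
class Acceptor:
    def __init__(self):
        self.promised = -1      # highest ballot this acceptor has promised
        self.accepted = None    # (ballot, value) of its latest vote, if any
    def prepare(self, ballot):
        if ballot <= self.promised:         # Phase 1b: promise only if ballot beats earlier ones
            return None
        self.promised = ballot
        return self.accepted or (-1, None)  # the promise carries the acceptor's prior vote
    def accept(self, ballot, value):
        if ballot < self.promised:          # Phase 2b: refuse if a higher ballot was promised
            return False
        self.promised, self.accepted = ballot, (ballot, value)
        return True

def phase1(acc, ballot, own):
    # Phase 1a: adopt the highest-ballot value any promiser already voted for; own only if none.
    promises = [p for p in (a.prepare(ballot) for a in acc) if p is not None]
    if len(promises) <= len(acc) // 2:
        return None                                    # no quorum of promises
    best = max(promises, key=lambda p: p[0])
    return best[1] if best[1] is not None else own

def phase2(acc, ballot, value):
    # Phase 2a: (ballot, value) is chosen once a quorum of acceptors votes for it.
    return sum(a.accept(ballot, value) for a in acc) > len(acc) // 2

def decided(acc):
    # Agreement check: a value is decided iff a quorum voted for it at one ballot.
    votes = [a.accepted for a in acc if a.accepted]
    return next((v for b, v in votes if votes.count((b, v)) > len(acc) // 2), None)

def deciding_run():
    # Proposer A decides 'x' at ballot 1; B at ballot 2 is forced to re-propose 'x'.
    acc = [Acceptor() for _ in range(3)]               # constructed three-acceptor system
    phase2(acc, 1, phase1(acc, 1, "x"))   # a quorum votes (1, 'x'), so 'x' is decided
    vb = phase1(acc, 2, "y")              # B's prepare learns (1, 'x') and must adopt it
    phase2(acc, 2, vb)
    return decided(acc), vb

def dueling_run(rounds):
    # Two proposers whose prepares keep voiding each other's accepts: every step is safe,
    # yet no ballot ever decides, however many rounds run (no Termination guarantee).
    acc = [Acceptor() for _ in range(3)]
    for b in range(0, 3 * rounds, 3):
        va = phase1(acc, b + 1, "x")                       # A promised at b+1
        vb = phase1(acc, b + 2, "y")                       # B promised at b+2, voiding A
        assert va and vb and not phase2(acc, b + 1, va)    # A's accept is rejected
        assert phase1(acc, b + 3, "x") and not phase2(acc, b + 2, vb)  # A at b+3 voids B
    return decided(acc)
```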
