Formal Verification of the Interactive Convergence Clock Synchronization Algorithm using EHDM

We describe a formal specification and mechanically checked verification of the Interactive Convergence Clock Synchronization Algorithm of Lamport and Melliar-Smith [16]. In the course of this work, we discovered several technical flaws in the analysis given by Lamport and Melliar-Smith, even though their presentation is unusually precise and detailed. As far as we know, these flaws (affecting the main theorem and four of its five lemmas) were not detected by the "social process" of informal peer scrutiny to which the paper has been subjected since its publication. We discuss the flaws in the published proof and give a revised presentation of the analysis that not only corrects the flaws in the original, but is also more precise and, we believe, easier to follow. This informal presentation was derived directly from our formal specification and verification. Some of our corrections to the flaws in the original require slight modifications to the assumptions underlying the algorithm and to the constraints on its parameters, and thus change the external specification of the algorithm. The formal analysis of the Interactive Convergence Clock Synchronization Algorithm was performed using the Ehdm formal specification and verification environment. This application of Ehdm provides a demonstration of some of the capabilities of the system.

Note: This second edition of the report presents a revised version of the formal specification and verification that exploits some of the features introduced into Ehdm since the original verification was performed, and also improves the substance of the verification in three respects.

[1] Ricky W. Butler. A survey of provably correct fault-tolerant clock synchronization techniques. 1988.

[2] Hermann Kopetz et al. Clock Synchronization in Distributed Real-Time Systems. IEEE Transactions on Computers, 1987.

[3] P. M. Melliar-Smith et al. Synchronizing clocks in the presence of faults. JACM, 1985.

[4] Fred B. Schneider et al. Understanding Protocols for Byzantine Clock Synchronization. 1987.

[5] Robert E. Shostak et al. Deciding Combinations of Theories. JACM, 1982.

[6] D. C. Luckham et al. A methodology for verifying programs. Reliable Software, 1975.

[7] Robert S. Boyer et al. Computational Logic. ESPRIT Basic Research Series, 1990.

[8] Zohar Manna et al. The logical basis for computer programming. Volume 1: deductive reasoning. 1985.

[9] Parameswaran Ramanathan et al. Fault-tolerant clock synchronization in distributed systems. Computer, 1990.

[10] Natarajan Shankar et al. A mechanical proof of the Church-Rosser theorem. JACM, 1988.

[11] Danny Dolev et al. On the possibility and impossibility of achieving clock synchronization. STOC '84, 1984.

[12] Leslie Lamport et al. Synchronizing Time Servers. 1987.

[13] Richard J. Lipton et al. Social processes and proofs of theorems and programs. POPL, 1977.

[14] Robert S. Boyer et al. A computational logic handbook. Perspectives in Computing, 1979.

[15] I. Lakatos. Proofs and Refutations (I). The British Journal for the Philosophy of Science, 1963.

[16] Zohar Manna et al. The logical basis for computer programming. Volume 2: deductive systems. 1990.