Programming and Proving with Distributed Protocols Disel: Distributed Separation Logic.

Size: px

Start display at page:

Download "Programming and Proving with Distributed Protocols Disel: Distributed Separation Logic."

Kelley Hilary Walters
6 years ago
Views:

1 Programming and Proving with Distributed Protocols Disel: Distributed Separation Logic ` {P } c {Q} Ilya Sergey James R. Wilcox Zach Tatlock

2 Distributed Systems

3 Distributed Infrastructure

4 Distributed Applications

5 Verified Distributed Systems

6 Verified Distributed Infrastructure Veri- Wow Iron -Cert

7 Verified Distributed Applications Veri- Wow Iron -Cert

8 Verified Distributed Applications Veri- Challenging to verify apps in terms of infra. starting from scratch is unacceptable Wow Indicates deeper problems with composition one node s client is another s server! Iron -Cert

9 Verified Challenges Distributed Solutions Applications Client reasoning Veri- Protocols Wow Invariants WithInv rule Separation Frame rule/hooks Disel: Iron -Cert `{P } c {Q}

10 Outline `{P } c {Q} Protocols and running example Logical mechanisms programming with protocols invariants framing and hooks Implementation and future work

11 Cloud Compute 21 C S

12 Cloud Compute

13 Cloud Compute: Server while true: (from, n) <- recv Req send Resp(n, factors(n)) to from Traditional specification: messages from server have correct factors Proved by finding an invariant of the system

14 Cloud Compute: Server

15 Cloud Compute: Client

16 Cloud Compute: Client send Req(21) to server (_, ans) <- recv Resp assert ans == {3, 7} Start over with clients in system? In Disel: use protocol to describe client interface

17 Protocols

18 Protocols A protocol is an interface among nodes Enables compositional verification

19 Cloud Compute Protocol Messages: State: Transitions: Sends: precondition and effect Receives: effect

20 Cloud Compute Protocol Messages: Req(n) Resp(n,s) State: outstanding: Set<Msg> Transitions: Sends: Receives: Req Req Resp Resp

21 Cloud Compute Req(21) C S Send Req(n) Precondition: Effect: none none

22 Cloud Compute Req(21) C S { } (C,21) Receive Req(n) Effect: add (from, n) to out

23 Cloud Compute C S { } Resp({3,7}) Send Resp(n,l) Requires: l == factors(n) (n,to) in out Effect: removes (n,to) from out

24 Cloud Compute C S { } Resp({3,7}) Recv Resp(n,l) Effect: none

25 Cloud Compute Protocol Messages: Req(n) Resp(n,s) State: outstanding: Set<Msg> Transitions: Sends: Receives: Req Req Resp Resp

26 Outline `{P } c {Q} Protocols and running example Logical mechanisms programming with protocols invariants framing and hooks Implementation and future work

27 Cloud Compute: Server while true: (from, n) <- recv Req send Resp(n, factors(n)) to from Precondition on send requires correct factors

28 Cloud Compute: Server t 2 `{Pre }send m m to to h h t t { sent ( m, h) } t while true: (from, n) <- recv Req send Resp(n, factors(n)) to from Precondition on send requires correct factors

29 Cloud Compute: Client send Req(21) to server (_, ans) <- recv Resp assert ans == {3, 7} recv doesn t ensure correct factors

30 Cloud Compute: Client t 2 ` {>} recv m {recvd( m)} t send Req(21) to server (_, ans) <- recv Resp assert ans == {3, 7} recv doesn t ensure correct factors

31 Protocol Invariants `{P } c {Q} I inductive 0 `{P ^ I} c {Q ^ I} Protocol where every state satisfies I

32 Cloud Compute: Client t 2 0 ` {>} recv m {recvd( m)} t send Req(21) to server (_, ans) <- recv Resp assert ans == {3, 7} Now recv ensures correct factors

33 Cloud Compute: More Clients send Req(21) to server1 send Req(35) to server2 (_, ans1) <- recv Resp (_, ans2) <- recv Resp assert ans1 [ ans2 == {3, 5, 7} Same protocol enables verification

34 Frame rule `{P } c {Q} independent protocols R stable ` {P R} c {Q R} Reuse invariants from component protocols

35 Frame rule: Hooks `{P } c {Q} R stable ` {P R} c {Q R} Allows one protocol to restrict another

36 Outline `{P } c {Q} Protocols and running example Logical mechanisms programming with protocols invariants framing and hooks Implementation and future work

37 Implementation Shallowly embedded in Coq with full power of functional programming Executable via extraction to OCaml via trusted shim to implement semantics Case study: two-phase commit exercises all features of the logic

38 Related and Future Work Concurrent separation logics Iris, FCSL, CAP, Adding other effects e.g. mutable heap, threads, failure

Composition: A way to make proofs harder In 1997, the unfortunate reality is that engineers rarely specify and reason formally about the systems

39 Composition: A way to make proofs harder In 1997, the unfortunate reality is that engineers rarely specify and reason formally about the systems they build. It seems unlikely that reasoning about the composition of open-system specifications will be a practical concern within the next 15 years.

40 Verified Challenges Distributed Solutions Applications Client reasoning Veri- Protocols Wow Invariants WithInv rule Separation Frame rule/hooks Disel: Iron -Cert `{P } c {Q}

Programming Language Abstractions for Modularly Verified Distributed Systems. James R. Wilcox Zach Tatlock Ilya Sergey

Programming Language Abstractions for Modularly Verified Distributed Systems ` {P } c {Q} James R. Wilcox Zach Tatlock Ilya Sergey Distributed Systems Distributed Infrastructure Distributed Applications