FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY

Similar documents
FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY

FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY

A Practical Comparison of Alloy and Spin

Reasoning about Identifier Spaces: How to Make Chord Correct

FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY

A Practical Comparison of Alloy and Spin

Chord. Advanced issues

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

LECT-05, S-1 FP2P, Javed I.

CS 347 Parallel and Distributed Data Processing

Peer to Peer I II 1 CS 138. Copyright 2015 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.

1 Introduction. 3 Syntax

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

March 10, Distributed Hash-based Lookup. for Peer-to-Peer Systems. Sandeep Shelke Shrirang Shirodkar MTech I CSE

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Having a BLAST with SLAM

Distributed Systems Final Exam

: Scalable Lookup

Chord: A Scalable Peer-to-peer Lookup Service For Internet Applications

Page 1. How Did it Start?" Model" Main Challenge" CS162 Operating Systems and Systems Programming Lecture 24. Peer-to-Peer Networks"

Chord : A Scalable Peer-to-Peer Lookup Protocol for Internet Applications

Chordy: a distributed hash table. Johan Montelius and Vladimir Vlassov. August 29, 2016

CS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011

FROM ARCHITECTURE TO REQUIREMENTS* : A TELECOMMUNICATIONS*

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis II

Having a BLAST with SLAM

CSCI 270: Introduction to Algorithms and Theory of Computing Fall 2017 Prof: Leonard Adleman Scribe: Joseph Bebel

Combining Complementary Formal Verification Strategies to Improve Performance and Accuracy

On the Consistency of DHT-Based Routing

8 Supervised Overlay Networks

Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1

Distributed Systems Programming (F21DS1) Formal Verification

Programming Languages Fall 2014

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

TESTING. Overview Slide 6.2. Testing (contd) Slide 6.4. Testing Slide 6.3. Quality issues Non-execution-based testing

Computing intersections in a set of line segments: the Bentley-Ottmann algorithm

Finite State Verification. CSCE Lecture 14-02/25/2016

INF5140: Specification and Verification of Parallel Systems

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

Plan of the lecture. Quick-Sort. Partition of lists (or using extra workspace) Quick-Sort ( 10.2) Quick-Sort Tree. Partitioning arrays

EE 122: Peer-to-Peer Networks

Topic 9: Control Flow

Introduction to Machine-Independent Optimizations - 6

Global Optimization. Lecture Outline. Global flow analysis. Global constant propagation. Liveness analysis. Local Optimization. Global Optimization

Topics in Software Testing

Using Spin to Help Teach Concurrent Programming

Securing Chord for ShadowWalker. Nandit Tiku Department of Computer Science University of Illinois at Urbana-Champaign

Having a BLAST with SLAM

An Expresway over Chord in Peer-to-Peer Systems

Understanding Disconnection and Stabilization of Chord

CMSC 330: Organization of Programming Languages. Lambda Calculus Encodings

Spark verification features

P Is Not Equal to NP. ScholarlyCommons. University of Pennsylvania. Jon Freeman University of Pennsylvania. October 1989

We will show that the height of a RB tree on n vertices is approximately 2*log n. In class I presented a simple structural proof of this claim:

CompSci 356: Computer Network Architectures Lecture 21: Overlay Networks Chap 9.4. Xiaowei Yang

Conditional Elimination through Code Duplication

Testing. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?

Certitude Functional Qualification with Formal Verification. Jean-Marc Forey November 2012

Outline. Proof Carrying Code. Hardware Trojan Threat. Why Compromise HDL Code?

P2P Network Structured Networks: Distributed Hash Tables. Pedro García López Universitat Rovira I Virgili

Ulysses: A Robust, Low-Diameter, Low-Latency Peer-to-Peer Network

Formal Methods of Software Design, Eric Hehner, segment 24 page 1 out of 5

Encoding functions in FOL. Where we re at. Ideally, would like an IF stmt. Another example. Solution 1: write your own IF. No built-in IF in Simplify

Content Overlays. Nick Feamster CS 7260 March 12, 2007

Querying Peer-to-Peer Networks Using P-Trees

15 212: Principles of Programming. Some Notes on Induction

COS 598D: PATTERNS IN NETWORK ARCHITECTURE

Content Overlays (continued) Nick Feamster CS 7260 March 26, 2007

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Object-Oriented and Classical Software Engineering

Object-Oriented and Classical Software Engineering

Automated Reasoning. Model Checking with SPIN (II)

Formal Verification of 800 Genetically Constructed Automata Programs: A Case Study

Small-World Overlay P2P Networks: Construction and Handling Dynamic Flash Crowd

Finite State Verification. CSCE Lecture 21-03/28/2017

Basic Definitions: Testing

Safety and liveness for critical sections

EECS 122: Introduction to Computer Networks Overlay Networks and P2P Networks. Overlay Networks: Motivations

CIS 700/005 Networking Meets Databases

CMSC 330: Organization of Programming Languages

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Notebook Assignments

Having a BLAST with SLAM

HW1. Due: September 13, 2018

From: FM 2006 Alloy Intro and Logic. Greg Dennis and Rob Seater Software Design Group, MIT

Advances in Programming Languages

Lecture 5 Finding meaningful clusters in data. 5.1 Kleinberg s axiomatic framework for clustering

More Dataflow Analysis

Software Model Checking. Xiangyu Zhang

416 Distributed Systems. Mar 3, Peer-to-Peer Part 2

CSE 331: Introduction to Algorithm Analysis and Design Graphs

Model Checking with Automata An Overview

Distributed Algorithms 6.046J, Spring, Nancy Lynch

DESIGN AND VALIDATION OF COMPUTER PROTOCOLS

Notes for Recitation 8

6.830 Lecture PS1 Due Next Time (Tuesday!) Lab 1 Out end of week start early!

Program development plan

An Adaptive Stabilization Framework for DHT

Utility Maximization

Lecture Compiler Middle-End

Transcription:

FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 58D, SPRING 20 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY Pamela Zave AT&T Laboratories Research Florham Park, New Jersey, USA

THE PRESS RELEASE "Three features that distinguish Chord from many peer-to-peer lookup protocols are its simplicity, provable correctness, and provable performance." THE (NEWLY DISCOVERED) REALITY the only "proof" covers the join-andstabilize case only, with no failures this "proof" is an informal construction of ill-defined terms, unstated assumptions, and unjustified or incomprehensible steps however, the subset can be proven correct, formally the full protocol is incorrect, even after bugs with straightforward fixes are eliminated not one of the six properties claimed invariant for the full protocol is invariantly true USE LIGHTWEIGHT MODELING and avoid embarrassment! some of the many papers analyzing Chord performance are based on false assumptions about how the protocol works

THE FAIL EVENT THE RECONCILIATION OPERATION BEFORE BEFORE update: replace dead successor by live succ2 succ2 35 22 failing flush: remove dead predecessor 35 AFTER AFTER reconcile: improve succ2 by replacing with successor's successor 35 35

ANTECEDENT PREDECESSORS pred AntecedentPredecessors [t: Time] { all n: Node let antes = (succ.t).n n.prdc.t in antes } at time t, the set of all nodes whose successor is n WHERE DID IT COME FROM? must be an invariant to prove that the pure-join model is correct WAS IT PREVIOUSLY KNOWN? no, supporting my allegation that the previous "proof" is useless fails, AP is violated IS IT GOOD FOR ANYTHING ELSE? yes, it enables us to diagnose and fix a Chord bug this can be prevented by an extra check in the stabilize event stabilizes, the cycle is lost

PROPERTIES CLAIMED INVARIANT FOR THE FULL MODEL after untangling bad definitions and formalizing, we get 5 properties 2 OrderedAppendages OneOrderedCycle ConnectedAppendages 48 1 7 15 OrderedMerges 4 21 3 NOT ONE of these properties is actually an invariant! 35 30 ValidSuccessorList (will be explained)

ORDERED MERGES best live pred OrderedMerges [t: Time] { successor let cyclemembers = { n: Node n in n.(^(bestsucc.t)) } all disj n1, n2, n3: Node ( n3 in n1.bestsucc.t && n3 in n2.bestsucc.t && n1 in cyclemembers && n2!in cyclemembers && n3 in cyclemembers ) => Between[n1,n2,n3] } The good news: Violations are repaired by stabilization. The bad news: Compromises some lookups. Invalidates some assumptions used in performance analysis. easily violated, even in the pure-join model stabilizes and notifies stabilizes and notifies

ORDERED APPENDAGES WHY A POWERFUL ASSERTION LANGUAGE IS NEEDED pred OrderedAppendages [t: Time] { let members = { n: Node Member[n,t] } let cyclemembers = { n: members n in n.(^(bestsucc.t)) } let appendsucc = bestsucc.t - (cyclemembers -> Node) all n: cyclemembers all disj a1, a2, a3: (members - cyclemembers) + n ( n in a1.(^appendsucc) && a2 = a1.appendsucc && (a1 in a3.(^appendsucc) a3 in a2.(^appendsucc) ) ) =>! Between[a1,a3,a2] } 15 a1, a2, a3 have to be confined to the appendage tree rooted at n a3 can be n 25 18 1 a2 a1 the successor relation on appendages only 17 a3 cannot be 18 27

VALID SUCCESSOR LIST "if a node x's successors skip over a live node y, then y is not in the successor list of any x antecedent" how it can be violated why it matters x 17 20 joins, 17 stabilizes, reconciles 17 stabilizes 17 17 fails, updates 25 25 20 25 20 y 25 20 20 was part of the cycle, is now an appendage

WHY THE FULL PROTOCOL IS NOT CORRECT DESIRED THEOREM: In any reachable state, if there are no subsequent joins or failures, then eventually the network will become ideal and remain ideal. this ring is ideal 0 0 0 40 18 3 nodes join and become integrated 4 5 40 18 new nodes fail, old nodes update 18 40 21 this ring is disordered, so the protocol cannot fix it this is actually a class of counterexamples: any ring of odd size becomes disordered any ring of even size splits into two disconnected subnetworks (which the protocol cannot fix)

COMPARISON, REVISITED PROMELA/SPIN ALLOY state structure invariants primitive in Promela; displayed poorly by Spin except for the most basic ones, an invariant must be written as a C program sometimes searching for the right invariant requires a great deal of trial and error this is why C programs don't make good invariants Alloy language is rich and expressive; many display options Alloy language is rich, expressive, and concise these are not superficial properties they cannot be slapped on top of Spin like frosting on a cake at least two studies of Chord have been made using the model checker Mace, and they did not find any of these problems very few, very weak invariants, so Mace did not have much to look for working on Chord implementations, so Mace could only do heuristic checking, not complete checking

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback