Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Soteria

Sreeja S Nair
March 15, 2019
0
57

 Soteria

Invite talk at the IRIF verification seminar

Sreeja S Nair

March 15, 2019
Tweet

More Decks by Sreeja S Nair

See All by Sreeja S Nair
Consistency in Zenoh, an edge data fabric
sreeja
0
60
Exploring the coordination lattice
sreeja
0
23
Designing safe and highly available distributed applications
sreeja
0
57
First year PhD review
sreeja
0
26
Invariant Safety for Distributed Applications
sreeja
0
28
Static Code Analysis tool for Industrial Systems
sreeja
0
10
Static Code Analysis tool for Control System Software
sreeja
0
33

Featured

See All Featured
It's Worth the Effort
3n
183
27k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
[RailsConf 2023] Rails as a piece of cake
palkan
52
4.9k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
Unsuck your backbone
ammeep
668
57k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k

Transcript

  1. Invariant Safety for Distributed Applications 1 Sreeja Nair, Gustavo Petri,

    Marc Shapiro Verification Seminar 15-03-2019

  2. Invariant Safety for Distributed Applications • Applications are distributed due

    to demands of low response time • CAP theorem depicts a tension between Consistency and Availability • Ideal world for developers = high availability + convergence + application safety • A modular and sequential proof to ensure this! 2

  3. Replicated data store 3

  4. Replicated data store 3

  5. Replicated data store 3

  6. Replicated data store 3

  7. Auction application • State • Status • INVALID or ACTIVE

    or CLOSED • Winner • Set of bids, each bid comprising • BidId • Placed • Amount 4 • Invariant • Bids can be placed only when the status is active • When auction is closed, there is a winner • Winner is the highest bid • Operations • Start auction • Place bid • Close auction

  8. Evolution of state 5 Alice/ Australia Bob/ Belgium Charlie/ Canada

    Status Winner Bids

  9. Evolution of state 5 Alice/ Australia Bob/ Belgium Charlie/ Canada

    Start auction Status Winner Bids

  10. Evolution of state 5 Alice/ Australia Bob/ Belgium Charlie/ Canada

    Start auction Status Winner Bids

  11. Evolution of state 5 Alice/ Australia Bob/ Belgium Charlie/ Canada

    Start auction Status Winner Bids

  12. Evolution of state 5 Alice/ Australia Bob/ Belgium Charlie/ Canada

    Start auction Status Winner Bids

  13. Evolution of state 5 Alice/ Australia Bob/ Belgium Charlie/ Canada

    Start auction Status Winner Bids

  14. Evolution of state 5 Alice/ Australia Bob/ Belgium Charlie/ Canada

    Start auction Status Winner Bids

  15. Evolution of state 5 Alice/ Australia Bob/ Belgium Charlie/ Canada

    Start auction Place bid Status Winner Bids

  16. Evolution of state 5 100 Alice/ Australia Bob/ Belgium Charlie/

    Canada Start auction Place bid Status Winner Bids

  17. Evolution of state 5 100 Alice/ Australia Bob/ Belgium Charlie/

    Canada Start auction Place bid Place bid Status Winner Bids

  18. Evolution of state 5 100 105 Alice/ Australia Bob/ Belgium

    Charlie/ Canada Start auction Place bid Place bid Status Winner Bids

  19. Evolution of state 5 100 105 Alice/ Australia Bob/ Belgium

    Charlie/ Canada Start auction Place bid Place bid Status Winner Bids

  20. Evolution of state 5 100 105 Alice/ Australia Bob/ Belgium

    Charlie/ Canada Start auction Place bid Place bid Status Winner Bids ???

  21. Evolution of state 5 100 105 Alice/ Australia Bob/ Belgium

    Charlie/ Canada Start auction Place bid Place bid Status Winner Bids

  22. Evolution of state 5 100 105 Alice/ Australia Bob/ Belgium

    Charlie/ Canada Start auction Place bid Place bid Status Winner Bids 100 105 Merge!

  23. Semi-lattice • Set of state should form a monotonic semi-lattice

    • Equipped with a partial order function • Each update should inflate the state • Merge should be the Least Upper Bound 6

  24. Alice/ Australia Bob/ Belgium Charlie/ Canada Start auction Place bid

    Place bid Status Winner Bids Evolution of state 7

  25. Alice/ Australia Bob/ Belgium Charlie/ Canada Start auction Place bid

    Place bid Status Winner Bids Evolution of state 7

  26. Alice/ Australia Bob/ Belgium Charlie/ Canada Start auction Place bid

    Place bid Status Winner Bids Evolution of state 7

  27. Alice/ Australia Bob/ Belgium Charlie/ Canada Start auction Place bid

    Place bid Status Winner Bids Evolution of state 7

  28. Alice/ Australia Bob/ Belgium Charlie/ Canada Start auction Place bid

    Place bid Status Winner Bids Evolution of state 7

  29. Alice/ Australia Bob/ Belgium Charlie/ Canada Start auction Close auction

    Place bid Place bid Status Winner Bids Evolution of state 7

  30. Alice/ Australia Bob/ Belgium Charlie/ Canada Start auction Close auction

    Place bid Place bid Status Winner Bids Evolution of state 7

  31. Alice/ Australia Bob/ Belgium Charlie/ Canada Start auction Close auction

    Place bid Place bid Status Winner Bids Evolution of state 7

  32. Alice/ Australia Bob/ Belgium Charlie/ Canada Start auction Close auction

    Place bid Place bid Status Winner Bids Evolution of state 7

  33. Alice/ Australia Bob/ Belgium Charlie/ Canada Start auction Close auction

    Place bid Place bid Status Winner Bids Evolution of state 7

  34. Safety in sequential executions • Each operation and merge must

    satisfy the invariant • Ensured by preconditions 8

  35. Precondition for merge? • It must hold true since merge

    can happen at any time • Can be also called Concurrent Invariant • The weakest precondition to be upheld for the resulting state of merge to uphold the sequential invariant • Ensures all concurrent operations are still safe • Never block any merge!! 9

  36. Safety in concurrent executions • A state in a replica

    evolves with • A local update by operation • Merge • Merge is the only point of observable concurrency 10 Alice/ Australia Bob/ Belgium Charlie/ Canada Start auction Place bid Place bid

  37. Proof Rule for safety of distributed applications • Initial state

    must satisfy the sequential invariant and concurrent invariant • Each update and merge should preserve both the sequential invariant and concurrent invariant 11

  38. Proof Rule • Intuition • Merge is the only point

    of external influence • Merge can happen any time • Properties • Modular • Each operation and merge reasoned in isolation • Sequential • Reasoning as if for a sequential application 12

  39. Revisiting auction • Invariant • Bids can be placed only

    when the status is active • When auction is closed, there is a winner • Winner is the highest bid 13

  40. Safety of Auction 14 Invariant 1. Bids can be placed

    only when the status is active 2. When auction is closed, there is a winner 3. Winner is the highest bid

  41. Safety of Auction • Start auction 14 Invariant 1. Bids

    can be placed only when the status is active 2. When auction is closed, there is a winner 3. Winner is the highest bid

  42. Safety of Auction • Start auction 14 Invariant 1. Bids

    can be placed only when the status is active 2. When auction is closed, there is a winner 3. Winner is the highest bid

  43. Safety of Auction • Start auction 14 Invariant 1. Bids

    can be placed only when the status is active 2. When auction is closed, there is a winner 3. Winner is the highest bid • Place bid • If auction concurrently closed in other replica, precondition of merge violated!

  44. Safety of Auction • Start auction 14 Invariant 1. Bids

    can be placed only when the status is active 2. When auction is closed, there is a winner 3. Winner is the highest bid • Place bid • If auction concurrently closed in other replica, precondition of merge violated!

  45. Safety of Auction • Start auction 14 Invariant 1. Bids

    can be placed only when the status is active 2. When auction is closed, there is a winner 3. Winner is the highest bid • Place bid • If auction concurrently closed in other replica, precondition of merge violated! • Close auction • Similar to place bid

  46. Safety of Auction • Start auction 14 Invariant 1. Bids

    can be placed only when the status is active 2. When auction is closed, there is a winner 3. Winner is the highest bid • Place bid • If auction concurrently closed in other replica, precondition of merge violated! • Close auction • Similar to place bid

  47. Evolution in a semi-lattice 15 ………… ………… ………… …………

  48. Evolution in a semi-lattice 15 ………… ………… ………… …………

  49. Evolution in a semi-lattice 15 ………… ………… ………… …………

  50. Concurrency Control • Option 1: • Strong consistency of place

    bid and close auction operations • Issue: each place bid need synchronisation • Option 2: • Concurrency control similar to readers-write lock • Place bids work without synchronisation • Closing auction needs synchronisation 16

  51. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Status Winner Bids

    Tokens Evolution of state with Concurrency Control

  52. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Status

    Winner Bids Tokens Evolution of state with Concurrency Control

  53. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Status

    Winner Bids Tokens Evolution of state with Concurrency Control

  54. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Evolution of state with Concurrency Control

  55. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Evolution of state with Concurrency Control

  56. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Evolution of state with Concurrency Control

  57. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Evolution of state with Concurrency Control

  58. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Evolution of state with Concurrency Control

  59. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Evolution of state with Concurrency Control

  60. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Release token Evolution of state with Concurrency Control

  61. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Release token Evolution of state with Concurrency Control

  62. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Release token Release token Evolution of state with Concurrency Control

  63. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Release token Release token Evolution of state with Concurrency Control

  64. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Release token Release token Release token Evolution of state with Concurrency Control

  65. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Release token Release token Release token Evolution of state with Concurrency Control

  66. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Release token Release token Release token Evolution of state with Concurrency Control No more bids can be placed!!

  67. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Release token Release token Release token Evolution of state with Concurrency Control

  68. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Release token Release token Release token Evolution of state with Concurrency Control

  69. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Release token Release token Release token Evolution of state with Concurrency Control

  70. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Place bid Place

    bid Status Winner Bids Tokens Release token Release token Release token Evolution of state with Concurrency Control

  71. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Close auction Place

    bid Place bid Status Winner Bids Tokens Release token Release token Release token Evolution of state with Concurrency Control

  72. 17 Alice/ Australia Bob/ Belgium Charlie/ Canada Close auction Place

    bid Place bid Status Winner Bids Tokens Release token Release token Release token Evolution of state with Concurrency Control

  73. Tool Support - Soteria • Implemented on top of Boogie

    • Input • Application state • Invariant • Partial Order function • Operations with preconditions • Merge operation with precondition 18

  74. Soteria checks • Sanity checks • Convergence checks • Each

    operation is monotonically non-decreasing • Merge is the least upper bound • Safety checks • Sequential safety -> each operation preserves the invariant • Concurrent safety -> each operation preserves the precondition of merge 19

  75. Conclusion • A new proof rule for verification of distributed

    applications • For applications using state-based CRDTs • A tool for design verification • Available at https://github.com/sreeja/soteria_tool 20