Programming Language Abstractions for Modularly Veriﬁed ...jamesrwilcox.com/snapl17-talk.pdf ·...

James R. Wilcox Zach Tatlock Ilya Sergey

Programming Language Abstractions for Modularly Verified Distributed Systems

{P} c {Q}`

Distributed Systems

Distributed Infrastructure

Distributed Applications

Verified Distributed Systems

Verified Distributed Infrastructure

Verified Distributed Infrastructure

-Cert

Veri-

Iron

Wow

Verified Distributed Applications


-Cert

Veri-

Iron

Wow


-Cert

Veri-

Iron

Wow

Challenging to verify apps in terms of infra. verify clients by starting over!

Indicates deeper problems with composition one node’s client is another’s server!


-Cert

Veri-

Iron

Wow

Challenging to verify apps in terms of infra. verify clients by starting over!Indicates deeper problems with composition one node’s client is another’s server!

(Make it possible to) verify clients verify clients without starting over!

Will also enable more general composition

Composition: A way to make proofs harder

Composition: A way to make proofs harder

When distracting language issues are removed and the underlying mathematics is revealed, compositional reasoning is seen to be of little use.

Approach

`{P} c {Q}

Distributed Hoare Type Theory

Distributed InteractionsServers and Clients

Optimizations

Combining Services

Horizons

gcc -O3

Cloud Compute

SC

21

Cloud Compute

Cloud Computewhile True: (from, n) <- recv send (n, factors(n)) to from

: Server


: Server

Traditional specification: messages from server have correct factors

Proved by finding an invariant of the system

Cloud Compute: Server

Cloud Compute: Client

Cloud Compute: Clientsend 21 to server (_, ans) <- recv assert ans == {3, 7}


Expand system to include clients

Need to reason about client-server interaction introduce protocol

Protocols

Protocols

Protocols make it possible to verify clients!

Protocols

Protocols

State:abstract state of each node

Protocols

State:

Transitions:

abstract state of each node

allowed sends and receives

Cloud Compute Protocol

State:

Transitions:


State:

Transitions:

permissions: Set<Msg>


Send Req

Recv Req

Send Resp

Recv Resp

State:

Transitions:


Cloud Compute: Protocol

Send Req

Recv Req

Send Resp

Recv Resp

State:

Transitions:

perm: Set<Msg>Effect: add (from, n) to perm

Recv Request n


Send Req

Recv Req

Send Resp

Recv Resp

State:

Transitions:

perm: Set<Msg>

Effect:removes (n,to) from perm

Send Response (n,l)

Requires:l == factors(n)

(n,to) in perm


Send Req

Recv Req

Send Resp

Recv Resp

State:

Transitions:

perm: Set<Msg>Recv Response l

Ensures:l == factors(n)

(n,to) in perm


Send Req

Recv Req

Send Resp

Recv Resp

State:

Transitions:



Send Req

Recv Req

Send Resp

Recv Resp

State:

Transitions:

permissions: Set<Msg>Protocols make it possible to verify clients!

From Protocols to Types

`{P} c {Q}


`{P} { }tsent ( )m h,send m to h


` send m to ht{P} { }tsent ( )m h,


` send m to ht

t 2

{P} { }tsent ( )m h,


` send m to ht

t 2

{P} { }tsent ( )m h,

P ) Pre t


recv ensures correct factors

Cloud Compute: More Clientssend 21 to server1 send 35 to server2 (_, ans1) <- recv (_, ans2) <- recv assert ans1 ans2 == {3, 5, 7}[

Cloud Compute: More Clientssend 21 to server1 send 35 to server2 (_, ans1) <- recv (_, ans2) <- recv assert ans1 ans2 == {3, 5, 7}[

Same protocol enables verification


: Server


: Server

Precondition on send requires correct factors

Cloud Computecache = {}while True: (from, n) <- recv ans = if n cache then cache[n] else factors(n) cache[n] = ans send (n, ans) to from

: More Servers

2

Cloud Computecache = {}while True: (from, n) <- recv ans = if n cache then cache[n] else factors(n) cache[n] = ans send (n, ans) to from

: More Servers

2

Still follows protocol!

Cloud Computewhile True: (from, n) <- recv send n to backend (_, ans) <- recv send (n, ans) to from

: More Servers


: More ServersStill follows protocol!


: More ServersStill follows protocol!

One node’s client is another’s server!

Any combination of transitions follows protocolWell-typed programs don’t go wrong!

Horizons

Adding other effects

Sophisticated protocol compositione.g. computation uses separate database

e.g. mutable heap, threads, failure…

Fault tolerancewhat do Verdi’s VSTs look like here?


-Cert

Veri-

Iron

Wow


-Cert

Veri-

Iron

Wow

Challenging to verify apps in terms of infra. verify clients by starting over!

Indicates deeper problems with composition one node’s client is another’s server!


-Cert

Veri-

Iron

Wow

Challenging to verify apps in terms of infra. verify clients by starting over!Indicates deeper problems with composition one node’s client is another’s server!

Protocols make it possible to verify clients reason about client-server interactionAlso enable more general composition



-Cert

Veri-

Iron

Wow




-Cert

Veri-

Iron

Wow

Composition is hard but important for infrastructure

Achieve with types syntactic theory of composition



Programming Language Abstractions for Modularly Veriﬁed ...jamesrwilcox.com/snapl17-talk.pdf ·...

Documents

Transcript of Programming Language Abstractions for Modularly Veriﬁed ...jamesrwilcox.com/snapl17-talk.pdf ·...