Automated Verification of a Randomized Distributed Consensus Protocol Using Cadence SMV and PRISM

  • Marta Kwiatkowska
  • Gethin Norman
  • Roberto Segala
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2102)


We consider the randomized consensus protocol of Aspnes and Herlihy for achieving agreement among N asynchronous processes that communicate via read/write shared registers. The algorithm guarantees termination in the presence of stopping failures within polynomial expected time. Processes proceed through possibly unboundedly many rounds; at each round, they read the status of all other processes and attempt to agree. Each attempt involves a distributed random walk: when processes disagree, a shared coin-flipping protocol is used to decide their next preferred value. Achieving polynomial expected time depends on the probability that all processes draw the same value being above an appropriate bound. For the non-probabilistic part of the algorithm, we use the proof assistant Cadence SMV to prove validity and agreement for all N and for all rounds. The coin-flipping protocol is verified using the probabilistic model checker PRISM. For a finite number of processes (up to 10) we automatically calculate the minimum probability of the processes drawing the same value. The correctness of the full protocol follows from the separately proved properties. This is the first time a complex randomized distributed algorithm has been mechanically verified.





Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Marta Kwiatkowska (1)
  • Gethin Norman (1)
  • Roberto Segala (2)
  1. School of Computer Science, University of Birmingham, Birmingham, UK
  2. Dipartimento di Scienze dell'Informazione, Università di Bologna, Bologna, Italy
