Automated Verification of a Randomized Distributed Consensus Protocol Using Cadence SMV and PRISM?
We consider the randomized consensus protocol of Aspnes and Herlihy for achieving agreement among N asynchronous processes that communicate via read/write shared registers. The algorithm guarantees termination in the presence of stopping failures within polynomial expected time. Processes proceed through possibly unboundedly many rounds; at each round, they read the status of all other processes and attempt to agree. Each attempt involves a distributed random walk: when processes disagree, a shared coin-flipping protocol is used to decide their next preferred value. Achieving polynomial expected time depends on the probability that all processes draw the same value being above an appropriate bound. For the non-probabilistic part of the algorithm, we use the proof assistant Cadence SMV to prove validity and agreement for all N and for all rounds. The coin-flipping protocol is verified using the probabilistic model checker PRISM. For a finite number of processes (up to 10) we automatically calculate the minimum probability of the processes drawing the same value. The correctness of the full protocol follows from the separately proved properties. This is the first time a complex randomized distributed algorithm has been mechanically verified.
KeywordsModel Check Consensus Problem Round Number Consensus Protocol Byzantine Agreement
- 2.C. Baier, E. Clarke, and V. Hartonas-Garmhausen. On the semantic foundations of Probabilistic VERUS. In C. Baier, M. Huth, M. Kwiatkowska, and M. Ryan, editors, Proc. PROBMIV’98, volume 22 of ENTCS, 1998.Google Scholar
- 4.A. Bianco and L. de Alfaro. Model checking of probabilistic and nondeterministic systems. In P. Thiagarajan, editor, Proc. FST & TCS, volume 1026 of LNCS, pages 499–513, 1995.Google Scholar
- 5.C. Cachin, K. Kursawe, and V. Shoup. Random oracles in Constantinople: Practical asynchronous byzantine agreement using cryptography. In Proc. PODC’00, pages 123–132, 2000.Google Scholar
- 6.L. de Alfaro, M. Kwiatkowska, G. Norman, D. Parker, and R. Segala. Symbolic model checking of concurrent probabilistic systems using MTBDDs and the Kronecker representation. In S. Graf and M. Schwartzbach, editors, Proc. TACAS’2000, volume 1785 of LNCS, pages 395–410, 2000.Google Scholar
- 9.H. Hermanns, J.-P. Katoen, J. Meyer-Kayser, and M. Siegle. A Markov Chain Model Checker. In S. Graf and M. Schwartzbach, editors, Proc. TACAS 2000, volume 1785 of LNCS, pages 347–362, 2000.Google Scholar
- 10.A. Itai and M. Rodeh. The lord of the ring or probabilistic methods for breaking symmetry in distributed networks. Technical Report RJ 3110, IBM, 1981.Google Scholar
- 11.N. Lynch. Distributed Algorithms. Morgan Kaufmann, 1996.Google Scholar
- 12.K. McMillan. Verfication of an implementation of Tomasulo’s algorithm by compositional model checking. In A. Hu and M. Vardi, editors, Proc. CAV’98, volume 1427 of LNCS, pages 110–121, 1998.Google Scholar
- 13.K. McMillan. Verification of infinite state systems by compositional model checking. In L. Pierre and T. Kropf, editors, Proc. CHARME’99, volume 1703 of LNCS, pages 219–233, 1999.Google Scholar
- 14.K. McMillan, S. Qadeer, and J. Saxe. Induction and compositional model checking. In E. Emerson and A. P. Sistla, editors, Proc. CAV 2000, volume 1855 of LNCS, pages 312–327, 2000.Google Scholar
- 16.F. Somenzi. CUDD: CU decision diagram package. Public software, Colorado University, Boulder, 1997.Google Scholar
- 17.M. Vardi. Automatic verification of probabilistic concurrent finite state programs. In Proc. FOCS’85, pages 327–338, 1985.Google Scholar