### Verification of consensus algorithms using satisfiability solving

Tatsuhiro Tsuchiya, André Schiper
2010 Distributed computing
Consensus is at the heart of fault-tolerant distributed computing systems. Much research has been devoted to developing algorithms for this particular problem. This paper presents a semi-automatic verification approach for asynchronous consensus algorithms, aiming at facilitating their development. Our approach uses model checking, a widely practiced verification method based on state traversal. The challenge here is that the state space of these algorithms is huge, often infinite, thus making model checking infeasible. The proposed approach addresses this difficulty by reducing the verification problem to small model checking problems that involve only single phases of algorithm execution. Because a phase consists of a small, finite number of rounds, bounded model checking, a technique using satisfiability solving, can be effectively used to solve these problems. The proposed approach allows us to model check several consensus algorithms up to around 10 processes.

For any round r, its kernel is defined as the set of processes K(r) = p∈ HO(p, r). With this notation, a synchronous system with reliable links and at most f crash failures can be represented by the following communication predicate:

The consensus problem is therefore solved by a pair "round-based algorithm + communication predicate". The solution applies to a partially synchronous system whenever the communication predicate is implementable in such a system. We come back to this issue later in Sect. 2.4.

The round-based model can naturally be extended to accommodate coordinator-based algorithms, by letting a communication predicate deal with not only HO sets but also with coordinators. This extended notion of a communication predicate is called a communication-coordinator predicate. A process is usually coordinator for a sequence of rounds, and this sequence of rounds is called a phase. We denote by k the number of rounds that compose a single phase. Let Coord(p, φ) ∈ denote the coordinator of process p in phase φ. We assume that p knows its coordinator Coord(p, φ) in phase φ and that the coordinator does not change during that phase. The domain of a communication-coordinator predicate is the collection of HO(p, r) and Coord(p, φ), for all p ∈ , r > 0, φ > 0. The sending function and the state transition function are now represented
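The single-phase reduction described in the abstract, as an added example that is not code from the paper: it checks a one-round phase over every start state and every HO set by brute-force enumeration, which stands in here for SAT-based bounded model checking. The algorithm (a OneThirdRule-style round with a configurable threshold), the binary value domain, and all function names are assumptions chosen for illustration.

```python
from collections import Counter
from itertools import combinations, product

def step(state, ho, n, num, den):
    """One round for a process whose heard-of set is `ho` (threshold: > num/den * n).
    Returns (new_x, decision); new_x is None when the process keeps its old value."""
    if den * len(ho) <= num * n:          # heard from too few processes: no update
        return None, None
    counts = Counter(state[q] for q in ho)
    top = max(counts.values())
    new_x = min(v for v, c in counts.items() if c == top)  # smallest most frequent value
    return new_x, (new_x if den * top > num * n else None)

def check_single_round(n, num=2, den=3, values=(0, 1)):
    """Enumerate every start state and every HO set; return the list of violations."""
    ho_sets = [frozenset(c) for k in range(n + 1) for c in combinations(range(n), k)]
    violations = []
    for state in product(values, repeat=n):
        # step() does not depend on the receiver's identity, so one pass covers all p.
        outcomes = [(ho, *step(state, ho, n, num, den)) for ho in ho_sets]
        decided = {d for _, _, d in outcomes if d is not None}
        if len(decided) > 1:                       # two values decided in one round
            violations.append(("agreement", state, sorted(decided)))
        for v in values:
            if den * state.count(v) > num * n:     # v is held by more than num/den * n
                for ho, new_x, _ in outcomes:
                    if new_x is not None and new_x != v:   # a process can abandon v
                        violations.append(("lock", state, sorted(ho)))
    return violations

if __name__ == "__main__":
    # Constructed instances: the 2/3 threshold is safe, a bare majority is not.
    for n, num, den in [(4, 2, 3), (5, 2, 3), (5, 1, 2)]:
        bad = check_single_round(n, num, den)
        print(f"n={n} threshold>{num}/{den}: {len(bad)} violation(s)", bad[:1])
```

The "lock" property is the inductive step that makes a per-phase check sufficient: once more than the threshold of processes hold v, no HO set may let a process move to another value, so a later phase cannot decide differently.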