A Fault Tolerance Bisimulation Proof for Consensus

Adrian Francalanza (1), Matthew Hennessy (2)
(1) Department of Computing, Imperial College
(2) Department of Informatics, University of Sussex

European Symposium on Programming, 2007
Outline

1. Motivation
2. Methodology
3. Conclusions
1 Motivation
Distributed Systems: Consensus

Consensus setting: n autonomous participants, who may independently fail, each hold a value $v \in V$ and must decide on a value $v' \in V$.

Defining correctness of consensus:
Termination: all non-failing participants must eventually decide.
Agreement: no two participants decide on different values.
Validity: if all participants are given the same value $v \in V$ as input, then $v$ is the only possible decision value.
Rotating Coordinator Algorithm

(Figure: participants 1, 2, ..., i, ..., n−1, n; in each round one participant acts as coordinator and broadcasts its value to the others. A crashed coordinator leaves the remaining participants waiting on values marked "?".)

Problems caused by failure:
Decision Blocking: a participant waiting forever for a value to be broadcast from a crashed coordinator.
Corrupted Broadcast: a coordinator broadcasts its value to a subset of the participants before crashing.
Distributed Systems: Consensus with Perfect Failure Detection

Rotating Coordinator Algorithm for Participant i:

    part[1..n];                               \\ array of n participants
    x_i := input;                             \\ initialise
    for r := 1 to n do {
        if (r = i) then broadcast(x_i);
        if alive(part[r]) then x_i := input(part[r]);
    }
    output x_i;                               \\ decide
The Process Calculi Way

Language: parallel composition, atomic actions, action hiding, reduction semantics.
Bisimulation: an lts and $\approx$ characterise behavioural equivalence.

Theorem: $P \mid P \mid \dots \mid P \;\approx\; SPEC$

The Process Calculi Way (2)

(Figure: the resulting bisimulation relation.) It is complex to understand, hard to digest and not intuitive.
The Process Calculi Way ... with Failures!

Language: parallel composition, atomic actions, action hiding, reduction semantics with failures. A configuration $\langle\Gamma, n\rangle \triangleright M$ pairs a network $M$ with the set $\Gamma$ of live locations and the number $n$ of failures still allowed; a live location may fail at any point:

$$\langle\Gamma, n+1\rangle \triangleright M \;\xrightarrow{\ \tau\ }\; \langle\Gamma - l, n\rangle \triangleright M \qquad \text{if } \Gamma \vdash l : alive$$

Bisimulation: an lts and $\approx$ characterise behavioural equivalence.

Theorem: $\langle\Gamma, n-1\rangle \triangleright l_1[\![P]\!] \mid \dots \mid l_n[\![P]\!] \;\approx\; \langle\Gamma, n-1\rangle \triangleright SPEC_{FAIL}$
The Process Calculi Way ... with Failures!

Expressing Participant i in our process calculus (channel $x_{i,r}$ carries value $x$ to participant $i$ in round $r$):

(Participant)
$$P^{x}_{i,r} \stackrel{def}{=} R^{x}_{i,r} \mid B^{x}_{i,r} \qquad x \in \{true, false\},\ r \le n$$
$$P^{x}_{i,n+1} \stackrel{def}{=} \overline{dec^{x}_{i}} \qquad x \in \{true, false\}$$

(Receive)
$$R^{x}_{i,r} \stackrel{def}{=} true_{i,r}.P^{true}_{i,r+1} \;+\; false_{i,r}.P^{false}_{i,r+1} \;+\; susp\ l_r.P^{x}_{i,r+1}$$

(Broadcast)
$$B^{x}_{i,i} \stackrel{def}{=} \prod_{j=1}^{n} \overline{x_{j,i}} \qquad x \in \{true, false\}$$
$$B^{x}_{i,r} \stackrel{def}{=} 0 \qquad x \in \{true, false\},\ r \ne i$$
The Process Calculi Way ... with Failures!

Composing n participants to solve consensus:

$$C \stackrel{def}{=} (\nu\, \{true_{i,r}, false_{i,r}\}_{i,r=1}^{n})\ \prod_{i=1}^{n} l_i[\![\, prop^{true}_{i}.P^{true}_{i,1} + prop^{false}_{i}.P^{false}_{i,1} \,]\!]$$

Specification in the presence of failure: VERY COMPLEX!

Bisimulation with Failure

An even bigger, more complex bisimulation!
2 Methodology
Methodology (1): Testing Harnesses

Language: parallel composition, atomic actions, action hiding, reduction semantics with failures, and an immortal location $\star$.
Bisimulation: an lts and $\approx$ characterise behavioural equivalence with respect to immortal observers.

Theorem:
$$\langle\Gamma, n-1\rangle \triangleright (\nu \tilde{m})\big(\star[\![Q]\!] \mid l_1[\![P]\!] \mid \dots \mid l_n[\![P]\!]\big) \;\approx\; \langle\Gamma, 0\rangle \triangleright \star[\![SPEC]\!]$$

Advantages:
1. Simplifies specification formulation.
2. Permits separate tests for each correctness criterion.
Methodology (1): Testing Harnesses

Harnesses for consensus:

(Initialisation)
$$I^{x} \stackrel{def}{=} start.\prod_{i=1}^{n} \overline{prop^{x}_{i}} \qquad x \in \{true, false\}$$
$$I^{gen} \stackrel{def}{=} start.\prod_{i=1}^{n} \big(\overline{prop^{true}_{i}} + \overline{prop^{false}_{i}}\big)$$

(Agreement)
$$A^{x}_{i} \stackrel{def}{=} dec^{x}_{i}.A^{x}_{i+1} \;+\; susp\ l_i.A^{x}_{i+1} \qquad x \in \{true, false\},\ i \le n$$
$$A^{x}_{n+1} \stackrel{def}{=} \overline{ok} \qquad x \in \{true, false\}$$
$$A^{gen}_{i} \stackrel{def}{=} dec^{true}_{i}.A^{true}_{i+1} \;+\; dec^{false}_{i}.A^{false}_{i+1} \;+\; susp\ l_i.A^{gen}_{i+1}$$
Methodology (1): Testing Harnesses

Theorem:

Agreement and Termination:
$$\langle\Gamma, n-1\rangle \triangleright (\nu \tilde{m})\big(\star[\![I^{gen} \mid A^{gen}_{1}]\!] \mid C\big) \;\approx\; \langle\Gamma, 0\rangle \triangleright \star[\![start.\overline{ok}]\!]$$

Validity:
$$\langle\Gamma, n-1\rangle \triangleright (\nu \tilde{m})\big(\star[\![I^{true} \mid A^{true}_{1}]\!] \mid C\big) \;\approx\; \langle\Gamma, 0\rangle \triangleright \star[\![start.\overline{ok}]\!]$$
$$\langle\Gamma, n-1\rangle \triangleright (\nu \tilde{m})\big(\star[\![I^{false} \mid A^{false}_{1}]\!] \mid C\big) \;\approx\; \langle\Gamma, 0\rangle \triangleright \star[\![start.\overline{ok}]\!]$$

where $\tilde{m} = \{prop^{true}_{i},\ prop^{false}_{i},\ dec^{true}_{i},\ dec^{false}_{i}\}_{i=1}^{n}$.

Methodology (1): ... on the bisimulation front

Where we left off: one big, complex bisimulation. With harnesses it splits into two separate bisimulations, one for Agreement and one for Validity (figure).
Methodology (2): Fault Tolerance

Theorem:
$$\langle\Gamma, n-1\rangle \triangleright (\nu \tilde{m})\big(\star[\![I \mid A]\!] \mid C\big) \;\approx\; \langle\Gamma, 0\rangle \triangleright \star[\![start.\overline{ok}]\!]$$

Read as two separate concerns: the $n-1$ allowed failures are induced in the participant system $C$, while the harness $\star[\![I \mid A]\!]$ and the specification $\star[\![start.\overline{ok}]\!]$ must preserve the observable behaviour. The theorem is therefore split into two stages:

Basic Correctness (no failures):
$$\langle\Gamma, 0\rangle \triangleright (\nu \tilde{m})\big(\star[\![I \mid A]\!] \mid C\big) \;\approx\; \langle\Gamma, 0\rangle \triangleright \star[\![start.\overline{ok}]\!]$$

Correctness Preservation (up to $n-1$ failures):
$$\langle\Gamma, n-1\rangle \triangleright (\nu \tilde{m})\big(\star[\![I \mid A]\!] \mid C\big) \;\approx\; \langle\Gamma, 0\rangle \triangleright (\nu \tilde{m})\big(\star[\![I \mid A]\!] \mid C\big)$$

Methodology (2): ... on the bisimulation front

The two bisimulations (Agreement, Validity) each split further into a Basic Correctness and a Correctness Preservation bisimulation (figure: a 2×2 grid of smaller bisimulations).
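The following is an added example, not code from the paper or the authors. It runs the rotating coordinator algorithm from the slides (with the `alive(part[r])` check standing in for the perfect failure detector) exhaustively over every input vector and every crash schedule, checks each execution with functions shaped like the slides' harnesses ($I^{gen} \mid A^{gen}_1$ for agreement and termination, $I^{x} \mid A^{x}_1$ for validity), and does so in the two stages just described: basic correctness with zero failures, then correctness preservation with up to $n-1$. The scheduling model is this example's own assumption: rounds are synchronous, a crash takes effect at the end of its round, and a coordinator crashing during its own round reaches an arbitrary subset of the other participants (the corrupted-broadcast case). A `detector=False` mode, also an assumption, shows the decision-blocking problem from the motivation.

```python
"""
Exhaustive checker for the rotating coordinator consensus algorithm with a
perfect failure detector, checked through harness-shaped functions and run
in two phases: basic correctness (no failures) and correctness preservation
(up to n-1 crashes).  Added example, not the authors' code.  Assumed here:
synchronous rounds, crashes effective at the end of their round, and a
coordinator crashing in its own round reaching an arbitrary subset of the
others (corrupted broadcast).
"""
from itertools import combinations, product

NEVER = None  # crash round of a participant that never crashes


def run(inputs, crash_round, received, detector=True):
    """One execution for participants 1..n.

    inputs      : tuple of initial values x_i (participant i at index i-1)
    crash_round : {i: round in which i crashes, or NEVER}
    received    : {r: participants reached by coordinator r before it crashed
                   during round r}  (corrupted broadcast)
    detector    : True  = perfect failure detector (alive(part[r]) on the slide)
                  False = no detector: a participant waiting for a crashed
                          coordinator waits forever (decision blocking)
    Returns {i: decided value} for every non-failing participant that decides.
    """
    n = len(inputs)
    x = {i: inputs[i - 1] for i in range(1, n + 1)}
    alive, blocked = set(x), set()
    for r in range(1, n + 1):
        # a live, unblocked coordinator broadcasts its current estimate x_r
        value = x[r] if r in alive and r not in blocked else None
        crashes_now = crash_round[r] == r
        for i in alive - blocked - {r}:
            delivered = value is not None and (not crashes_now or i in received[r])
            if delivered:
                x[i] = value                 # x_i := input(part[r])
            elif not detector:
                blocked.add(i)               # waits forever on a dead coordinator
            # with a perfect detector alive(part[r]) is false: keep x_i
        alive -= {i for i in alive if crash_round[i] == r}
    return {i: x[i] for i in alive - blocked}   # output x_i


def harness(decisions, crashed, n, x=None):
    """Mirror of A^gen_1 (x=None) or A^x_1 (x fixed): visit participants 1..n,
    accepting dec_i with the expected value or susp l_i for a crashed one.
    True means the harness reaches A_{n+1} and would emit ok."""
    for i in range(1, n + 1):
        if i in crashed:
            continue                          # susp l_i . A_{i+1}
        if i not in decisions:
            return False                      # non-failing, never decides: no ok
        if x is None:
            x = decisions[i]                  # A^gen fixes the value on first dec
        elif decisions[i] != x:
            return False                      # dec_i with another value: stuck
    return True


def schedules(n, max_failures):
    """Every crash assignment with at most max_failures crashes, paired with
    every recipient subset for coordinators crashing in their own round."""
    ps = list(range(1, n + 1))
    for rounds in product([NEVER] + ps, repeat=n):
        crash_round = dict(zip(ps, rounds))
        crashing = [i for i in ps if crash_round[i] is not NEVER]
        if len(crashing) > max_failures:
            continue
        own = [i for i in crashing if crash_round[i] == i]
        subsets = [[set(s) for k in range(n)
                    for s in combinations([j for j in ps if j != r], k)]
                   for r in own]
        for recv in product(*subsets):
            yield crash_round, dict(zip(own, recv))


def check(n, max_failures, detector=True):
    """Count harness failures over all inputs and schedules.
    max_failures=0 is the basic-correctness stage; n-1 is correctness preservation."""
    fails = {"agreement_and_termination": 0, "validity": 0}
    for inputs in product([False, True], repeat=n):
        for crash_round, received in schedules(n, max_failures):
            crashed = {i for i in crash_round if crash_round[i] is not NEVER}
            decisions = run(inputs, crash_round, received, detector)
            if not harness(decisions, crashed, n):            # I^gen | A^gen_1
                fails["agreement_and_termination"] += 1
            if len(set(inputs)) == 1 and not harness(decisions, crashed, n, x=inputs[0]):
                fails["validity"] += 1                         # I^x | A^x_1
    return fails


if __name__ == "__main__":
    for n in (3, 4):
        print(n, "basic correctness:", check(n, 0))
        print(n, "correctness preservation:", check(n, n - 1))
    print(3, "without failure detector:", check(3, 2, detector=False))
```

The basic-correctness stage is cheap (one schedule per input vector) and serves as the vetting run; the preservation stage multiplies the schedule count by the corrupted-broadcast subsets, which is where the `susp l_r` branch of the participant earns its keep. Switching the detector off makes the same harness report non-failing participants that never decide, which is exactly the decision-blocking case.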
Methodology (2): Advantages

1. A natural way to analyse algorithms in the presence of failure.
2. The stages are independent: they can be tested in parallel, and the simpler (failure-free) stage can be used as a vetting stage.
3. Refined up-to techniques: different confluences and structural equivalences hold under different failure settings.
Methodology (3): Up-to Techniques

Confluence properties. A $\beta$-move is a $\tau$-step that commutes with every other move:

$$\langle\Gamma, n\rangle \triangleright N \;\xrightarrow{\ \tau\ }_{\beta}\; \langle\Gamma, n\rangle \triangleright M$$

and whenever $\langle\Gamma, n\rangle \triangleright N \xrightarrow{\ \mu\ } \langle\Gamma', n'\rangle \triangleright N'$, then

$$\langle\Gamma, n\rangle \triangleright M \;\xrightarrow{\ \mu\ }\; \langle\Gamma', n'\rangle \triangleright M' \qquad\text{with}\qquad \langle\Gamma', n'\rangle \triangleright N' \;\xrightarrow{\ \tau\ }_{\beta}\; \langle\Gamma', n'\rangle \triangleright M'$$

(figure: the commuting square $N \to M$, $N \to N'$, $M \to M'$, $N' \to M'$).

Structural equivalence properties. Structurally equivalent configurations match each other's moves up to $\equiv$:

$$\langle\Gamma, n\rangle \triangleright N \;\equiv\; \langle\Gamma, n\rangle \triangleright M$$

and whenever $\langle\Gamma, n\rangle \triangleright N \xrightarrow{\ \mu\ } \langle\Gamma', n'\rangle \triangleright N'$, then

$$\langle\Gamma, n\rangle \triangleright M \;\xrightarrow{\ \mu\ }\; \langle\Gamma', n'\rangle \triangleright M' \qquad\text{with}\qquad \langle\Gamma', n'\rangle \triangleright N' \;\equiv\; \langle\Gamma', n'\rangle \triangleright M'$$
Methodology (3): Up-to Techniques

Confluence in a failure-free setting:
$$\langle\Gamma, 0\rangle \triangleright (\nu a)\big(l[\![\bar{a}]\!] \mid k[\![a.P]\!]\big) \;\xrightarrow{\ \tau\ }_{\beta}\; \langle\Gamma, 0\rangle \triangleright (\nu a)\big(k[\![P]\!]\big)$$

Confluence in a failure setting (the suspicion branch must lead to the same continuation):
$$\langle\Gamma, n\rangle \triangleright (\nu a)\big(l[\![\bar{a}]\!] \mid k[\![a.P + susp\ l.P]\!]\big) \;\xrightarrow{\ \tau\ }_{\beta}\; \langle\Gamma, n\rangle \triangleright (\nu a)\big(k[\![P]\!]\big)$$

Structural equivalence in a failure-free setting (a live location can never be suspected):
$$\langle\Gamma, 0\rangle \triangleright l[\![P + susp\ k.Q]\!] \;\equiv\; \langle\Gamma, 0\rangle \triangleright l[\![P]\!] \qquad \text{if } \Gamma \vdash k : alive$$
Methodology (3): Up-to Techniques

Confluence within consensus. At round $j$, coordinator $l_j$ broadcasts to participant $l_i$:

$$\langle\Gamma, n\rangle \triangleright (\nu\, true_{i,j}, false_{i,j})\,\Big(\underbrace{l_j[\![\overline{true_{i,j}}]\!]}_{coordinator} \;\mid\; \underbrace{l_i[\![true_{i,j}.P + false_{i,j}.Q + susp\ l_j.R]\!]}_{participant}\Big)$$

Three cases:

Failure free ($\langle\Gamma, 0\rangle$): the unused branch and the suspicion branch are removed by structural equivalence, after which the communication is a $\beta$-move.
$$\langle\Gamma, 0\rangle \triangleright (\nu\, true_{i,j}, false_{i,j})\,\big(l_j[\![\overline{true_{i,j}}]\!] \mid l_i[\![true_{i,j}.P + false_{i,j}.Q + susp\ l_j.R]\!]\big)$$
$$\equiv (\nu\, true_{i,j}, false_{i,j})\,\big(l_j[\![\overline{true_{i,j}}]\!] \mid l_i[\![true_{i,j}.P + false_{i,j}.Q]\!]\big)$$
$$\equiv (\nu\, true_{i,j}, false_{i,j})\,\big(l_j[\![\overline{true_{i,j}}]\!] \mid l_i[\![true_{i,j}.P]\!]\big)$$
$$\xrightarrow{\ \tau\ }_{\beta} (\nu\, true_{i,j}, false_{i,j})\,\big(l_i[\![P]\!]\big)$$

Broadcast same as estimate ($\langle\Gamma, n\rangle$, suspicion continues with $P$): the suspicion branch cannot be removed, but the communication is still a $\beta$-move.
$$\langle\Gamma, n\rangle \triangleright (\nu\, true_{i,j}, false_{i,j})\,\big(l_j[\![\overline{true_{i,j}}]\!] \mid l_i[\![true_{i,j}.P + false_{i,j}.Q + susp\ l_j.P]\!]\big)$$
$$\equiv (\nu\, true_{i,j}, false_{i,j})\,\big(l_j[\![\overline{true_{i,j}}]\!] \mid l_i[\![true_{i,j}.P + susp\ l_j.P]\!]\big)$$
$$\xrightarrow{\ \tau\ }_{\beta} (\nu\, true_{i,j}, false_{i,j})\,\big(l_i[\![P]\!]\big)$$

Broadcast different from estimate ($\langle\Gamma, n\rangle$, suspicion continues with $Q$): only the unused branch can be removed; no confluent $\tau_\beta$ step follows, since which of $P$ and $Q$ is reached depends on whether $l_j$ fails.
$$\langle\Gamma, n\rangle \triangleright (\nu\, true_{i,j}, false_{i,j})\,\big(l_j[\![\overline{true_{i,j}}]\!] \mid l_i[\![true_{i,j}.P + false_{i,j}.Q + susp\ l_j.Q]\!]\big)$$
$$\equiv (\nu\, true_{i,j}, false_{i,j})\,\big(l_j[\![\overline{true_{i,j}}]\!] \mid l_i[\![true_{i,j}.P + susp\ l_j.Q]\!]\big)$$
Methodology (3): Up-to Techniques

Why is it worthwhile? The techniques for attaining fault tolerance are bounded and reused in many algorithms. Fault tolerance is attained through replication:
Space replication: $P \mid P \mid \dots \mid P$
Time replication: $P.P \dots P$

Methodology (3): ... on the bisimulation front

With the refined up-to techniques each of the four bisimulations (Basic Correctness and Correctness Preservation, for both Agreement and Validity) shrinks further (figure).
3 Conclusions
Methodology in 3 acts

1. Testing Harnesses: limiting observations to non-failing locations.
2. Fault Tolerance: splitting the analysis into basic correctness and correctness preservation phases.
3. Refined Up-to Techniques: for both the failure-free and the failure phases.

Fault Tolerance (... in a nutshell)

(Figure sequence, observer view.) Restrict observation to immortal locations; the system then preserves the observed behaviour up to 1 failure, up to 2 failures, and up to 3 failures.