Pretend Synchrony: Synchronous Verification of Asynchronous Distributed Programs

Klaus von Gleissenthal, Rami Gökhan Kıcı, Alexander Bakst, Deian Stefan, Ranjit Jhala

Abstract

We present pretend synchrony, a new approach to verifying distributed systems, based on the observation that while distributed programs must execute asynchronously, we can often soundly treat them as if they were synchronous when verifying their correctness.

To do so, we compute a synchronization, a semantically equivalent program where all sends, receives, and buffers, have been replaced by simple assignments, yielding a program that can be verified using Floyd-Hoare style Verification Conditions and SMT.

We have implemented our approach as a framework for writing verified distributed programs in Go.

We develop four challenging case studies — the classic two-phase commit protocol, a distributed key-value store, the Raft leader election protocol and multi-paxos — to demonstrate that pretend synchrony allows us to develop performant systems while making verification of functional correctness simpler by reducing the manually specified invariants by a factor of 6, and faster, reducing checking time by three orders of magnitude.

Paper

Paper Download Link

Artifact Evaluation Instructions

VM Username: popl19

VM Password: popl19

Artifact Evaluation Download Link

Thank you for evaluating our artifact! Our artifact evaluation consists of three parts:

  1. Verification effort difference between IceT and Dafny,
  2. Verification time of benchmarks written in Goolong, and
  3. Performance comparison of our key-value store implementation of our benchmarks using Amazon EC2 instances

Verification Effort

To evaluate the verification effort of our approach, we have manually annotated the lines of the proofs of the Two-Phase commit protocol, Raft leader election and Single-decree Paxos written in IceT and Dafny with the following categories:

  • Code: Corresponds to the implementation of the algorithm
  • Annotation:Corresponds to verification related operations like updating ghost variables
  • Invariant:Corresponds to loop invariants
  • Harness: Corresponds to code needed to implement the message passing and concurrency semantics, which are not natively supported by Dafny

Dafny proofs can be found in ~/Desktop/popl19-artifact-evaluation/icet_vs_dafny/dafny and IceT proofs can be found in ~/Desktop/popl19-artifact-evaluation/icet_vs_dafny/icet. Double clicking ~/Desktop/popl19-artifact-evaluation/icet_vs_dafny/dafny-comparison will run the ~/Desktop/popl19-artifact-evaluation/icet_vs_dafny/print_table.py script, which will in turn print the Table 7.1 from the paper (without the performance metrics).

You can also measure the runtime of the annotated proofs using briskit command.

Verification Time

Our Goolong library and benchmarks can be found in ~/Desktop/popl19-artifact-evaluation/gochai/. Running make in that folder will build the benchmarks.

To get the verification time of our benchmarks, simply double click the ~/Desktop/popl19-artifact-evaluation/gochai/verify-benchmarks script. It will open a new terminal window, verify the benchmarks, and report how much time it took from start to finish.

Performance Comparison

If you want to run the performance evaluation on our EC2 machines, please notify us such that we can provide you the SSH keys to the instances and the IP addresses. The SSH key will go into the ~/Desktop/popl19-artifact-evaluation/amazon-scripts/key-pair.pem file, with file permissions set using chmod 600 key-pair.pem. Since the IPs of the instances can change, we will send you them as well. You will need the update the following portion of the ~/Desktop/popl19-artifact-evaluation/amazon-scripts/info.sh file: 

...
export IPS=( \
    "ec2-18-224-190-16.us-east-2.compute.amazonaws.com" \
    "ec2-18-223-143-90.us-east-2.compute.amazonaws.com" \
    "ec2-13-59-150-246.us-east-2.compute.amazonaws.com" \
)
...

After these steps, you can run EPaxos, PSync and Goolong on the cloud with 3 instances.

Running Goolong

Simply run ./multi_run.sh ./test_gochai.sh -b in the ~/Desktop/popl19-artifact-evaluation/amazon-scripts/ folder (-b is for batched processing).

It will run the script 10 times, and report the average (in seconds). Each run executes 5000 requests, so the throughput (req/ms) can be calculated by the formula ((5000 / average_time) / 1000)

Running EPaxos

Simply run ./multi_run.sh ./test_epaxos.sh -b in the ~/Desktop/popl19-artifact-evaluation/amazon-scripts/ folder (-b is for batched processing).

It will run the script 10 times, and report the average (in seconds). Each run executes 5000 requests, so the throughput (req/ms) can be calculated by the formula ((5000 / average_time) / 1000)

Running PSync

For this, you are going to need three terminals. In terminal 1 run ~/Desktop/popl19-artifact-evaluation/amazon-scripts/test_psync.sh --test 1. Similarly, in terminals 2 and 3 run with ... --test 2 and ... --test 3. The output will look the following: 

...
stopping ...
#decisions = 254000, Δt = 10137.0, throughput = 25.05672289632041
DONE !

T in ... throughtput = T in the output contains the throughput value (in reqs/ms) for a single run. The table 7.2 in the paper contains the average of running this command ten times.

Contact Information

Klaus von Gleissenthall

Rami Gökhan Kıcı