Presentation is loading. Please wait.

Presentation is loading. Please wait.

PSync: A Partially Synchronous Language for Fault-tolerant Distributed Algorithms Cezara Dr ă goi, INRIA ENS CNRS Thomas A. Henzinger, IST Austria Damien.

Published byImogene Beasley Modified over 8 years ago

Similar presentations

Presentation on theme: "PSync: A Partially Synchronous Language for Fault-tolerant Distributed Algorithms Cezara Dr ă goi, INRIA ENS CNRS Thomas A. Henzinger, IST Austria Damien."— Presentation transcript:

1 PSync: A Partially Synchronous Language for Fault-tolerant Distributed Algorithms Cezara Dr ă goi, INRIA ENS CNRS Thomas A. Henzinger, IST Austria Damien Zufferey, MIT CSAIL POPL, 2016.1.21 1

2 Motivation Replication 2

3 Replication and Consistency X = -13 X = 4 X = 42 Consensus X = 42 3

4 The Paxos Algorithm [Lamport 98] Used at Google (Chubby), Microsoft (Autopilot), … Proposer Acceptor Prepare Promise Accept Accepted 4

5 Paxos in the Literature The part-time parliament [Lamport 98] Paxos made simple [Lamport 01] Paxos made live: An engineering perspective [Chandra et al. 07] In search of an understandable consensus algorithm [Ongaro and Ousterhout 14] Paxos made moderately complex [van Renesse and Altinbuken 15] Paxos made transparent [Cui et al. 15]... Question: Could the same problem be simpler in different model ? 5

6 Contributions source code + specifications verifierruntime proof or counterexample executable 6 PSync: a DSL to simplify the implementation and reasoning about fault-tolerant algorithms. Simple round-based model Efficient runtime system Automated verification Main elements: Communication-closed rounds The environment as an adversary

7 Asynchronous Programming Model and Faults Consensus is not solvable with asynchrony and faults [FLP 85]. Actor model, CSP, CCS, pi-calculus, … Many PL based on or implementing these models 7 Asynchrony Fault Waiting for a message

8 Faults as an adversarial Environment [Gafni 98] Abstraction: Execution: 8

9 Communication-closed Rounds [Elrad & Francez 82] Proposer Acceptor Prepare Promise Accept Accepted A round is a logical unit of time, a scope for the messages, the granularity of messages reception. 9

10 PSync Program Structure Program Round T 10

11 PSync Lockstep Semantics 11 Send Update Env (HO) Init Round[0] Round[1] … Round[ i mod r ] Challenge: Executing the lockstep semantics on a system which is not synchronous and provide liveness guarantees.

12 Example: Last Voting Algorithm Coordinator 12 CollectCandidate Quorum Accept new Round[(Int,Time)]{ def send(): Map[ProcessID, (Int,Time)] = Map( coord -> (x, ts) ) def update(mailbox: Map[ProcessID, (Int,Time)]) { if (id == coord && mailbox.size > n/2) { vote = mailbox.maxBy(_._2._2)._2._1 // value with maximal ts commit = true }

13 Preserving Local Views Indistinguishability for every process p, the transitions and states of the projection of the traces on p agree up to finite stuttering. 13 Lockstep: Runtime: Theorem Indistinguishable

14 Runtime Algorithm Discard late messages Catching up 14 Accumulate Send Update Receive TO Next round Preserve liveness assuming partial synchrony [Dwork et al. 88]

15 From Indistinguishability to Refinement Theorem: Observational refinement Clients ∥ Runtime(P) ⊆ Clients ∥ Lockstep(P) 15 Client 1 Init Decide Client 2 Client 3 Init Decide Init Decide

16 Benefits for Verification Promise Accept Reason about rounds in isolation. Lockstep semantics, no interleaving. Simple invariants that connects the round at the boundaries. No message in flight, only local state of the processes. Previous work on a logic verification of consensus algorithms [VMCAI 14] 16

17 Preserving Global Properties Theorem: Given a specification S closed under indistinguishability, if a PSync program P satisfies S then the asynchronous semantics of P refines S. Consensus is closed under indistinguishability. Verification engine for safety and liveness properties based on SMT. 17

18 Implementation https://github.com/dzufferey/psync Implemented in Scala, Apache 2.0 license 18

19 Do Algorithms use Rounds ? AlgorithmLOCUse roundsAsynchronous One third rule52 ✓✓ Last Voting (Paxos)89 ✓✓ Flood min consensus24 ✓✗ Ben-Or randomized consensus56 ✓✓ K-set agreement42 ✓✓ K-set agreement early stopping33 ✓✗ Lattice agreement34 ✗✓ 54 ✓✓ Two phases commit53 ✓✗ Eager reliable broadcast36 ✗✗ 19

20 Code Size (Easy to Implement) Paxos inLOCExecutableVerification PSync89 ✓ Semi-automated DistAlgo43 ✓✗ Distal157 ✓✗ Overlog107 ✓✗ TLA+53 ✗ Interactive IO Automata142 ✗ Interactive EventML1729 N ✓ Interactive Verdi (Raft)520 ✓ Interactive Bloom224 ✓✗ 20

21 Performance and Verification 21 ImplementationYearLanguageThroughput (x 1000 req./s) Last Voting in PSync2015Scala170 Egalitarian Paxos2013Go450 Paxos in Distal2013Scala150 JPaxos / SPaxos2012Java75 / 300 Paxos for system builder2008C40 Verification of# Invariants (LOC)# VCs Solving time in s. One third rule4 (23)275 Last Voting8 (35)4516

22 Conclusion PSync uses a simple programming abstraction: the HO-model Lockstep semantics Communication-closed rounds Asynchrony and faults as an adversary that drops messages Automated verification becomes possible Runtime Asynchronous semantics indistinguishable from the lockstep semantics Can be implemented efficiently 22

Download ppt "PSync: A Partially Synchronous Language for Fault-tolerant Distributed Algorithms Cezara Dr ă goi, INRIA ENS CNRS Thomas A. Henzinger, IST Austria Damien."

Similar presentations

Paxos and Zookeeper Roy Campbell.

Paxos and Zookeeper Roy Campbell.
Impossibility of Distributed Consensus with One Faulty Process

Impossibility of Distributed Consensus with One Faulty Process
N-Consensus is the Second Strongest Object for N+1 Processes Eli Gafni UCLA Petr Kuznetsov Max Planck Institute for Software Systems.

N-Consensus is the Second Strongest Object for N+1 Processes Eli Gafni UCLA Petr Kuznetsov Max Planck Institute for Software Systems.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
NETWORK ALGORITHMS Presenter- Kurchi Subhra Hazra.

NETWORK ALGORITHMS Presenter- Kurchi Subhra Hazra.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
CS 5204 – Operating Systems1 Paxos Student Presentation by Jeremy Trimble.

CS 5204 – Operating Systems1 Paxos Student Presentation by Jeremy Trimble.
Failure Detection The ping-ack failure detector in a synchronous system satisfies – A: completeness – B: accuracy – C: neither – D: both.

Failure Detection The ping-ack failure detector in a synchronous system satisfies – A: completeness – B: accuracy – C: neither – D: both.
1 Indranil Gupta (Indy) Lecture 8 Paxos February 12, 2015 CS 525 Advanced Distributed Systems Spring 2015 All Slides © IG 1.

1 Indranil Gupta (Indy) Lecture 8 Paxos February 12, 2015 CS 525 Advanced Distributed Systems Spring 2015 All Slides © IG 1.
6.852: Distributed Algorithms Spring, 2008 Class 7.

6.852: Distributed Algorithms Spring, 2008 Class 7.
Distributed Systems Overview Ali Ghodsi

Distributed Systems Overview Ali Ghodsi
P. Kouznetsov, 2006 Abstracting out Byzantine Behavior Peter Druschel Andreas Haeberlen Petr Kouznetsov Max Planck Institute for Software Systems.

P. Kouznetsov, 2006 Abstracting out Byzantine Behavior Peter Druschel Andreas Haeberlen Petr Kouznetsov Max Planck Institute for Software Systems.
Consensus Hao Li.

Consensus Hao Li.
Byzantine Generals Problem: Solution using signed messages.

Byzantine Generals Problem: Solution using signed messages.
1 Principles of Reliable Distributed Systems Lectures 11: Authenticated Byzantine Consensus Spring 2005 Dr. Idit Keidar.

1 Principles of Reliable Distributed Systems Lectures 11: Authenticated Byzantine Consensus Spring 2005 Dr. Idit Keidar.
The Need for Language Support for Fault-Tolerant Distributed Systems Cezara Dr ă goi, INRIA ENS CNRS Thomas A. Henzinger, IST Austria Damien Zufferey,

The Need for Language Support for Fault-Tolerant Distributed Systems Cezara Dr ă goi, INRIA ENS CNRS Thomas A. Henzinger, IST Austria Damien Zufferey,
Paxos Made Simple Gene Pang. Paxos L. Lamport, The Part-Time Parliament, September 1989 Aegean island of Paxos A part-time parliament – Goal: determine.

Paxos Made Simple Gene Pang. Paxos L. Lamport, The Part-Time Parliament, September 1989 Aegean island of Paxos A part-time parliament – Goal: determine.
 Idit Keidar, Principles of Reliable Distributed Systems, Technion EE, Spring 2006 1 Principles of Reliable Distributed Systems Lecture 7: Failure Detectors.

 Idit Keidar, Principles of Reliable Distributed Systems, Technion EE, Spring Principles of Reliable Distributed Systems Lecture 7: Failure Detectors.
1 Principles of Reliable Distributed Systems Lecture 5: Failure Models, Fault-Tolerant Broadcasts and State-Machine Replication Spring 2005 Dr. Idit Keidar.

1 Principles of Reliable Distributed Systems Lecture 5: Failure Models, Fault-Tolerant Broadcasts and State-Machine Replication Spring 2005 Dr. Idit Keidar.

Similar presentations

Ads by Google