Extreme modelling in practice

@article{Davis2020ExtremeMI,
  title={Extreme modelling in practice},
  author={A. Jesse Jiryu Davis and Max Hirschhorn and Judah Schvimer},
  journal={Proceedings of the VLDB Endowment},
  year={2020},
  volume={13},
  pages={1346--1358}
}
Formal modelling is a powerful tool for developing complex systems. At MongoDB, we use TLA+ to model and verify multiple aspects of several systems. Ensuring conformance between a specification and its implementation can add value to any specification; it can avoid transcription errors, prevent bugs as a large organization rapidly develops the specified code, and even keep multiple implementations of the same specification in sync. In this paper, we explore model-based testing as a tool for… 

MET: Model Checking-Driven Explorative Testing of CRDT Designs and Implementations

It is argued that CRDT designs should be formally specified and model-checked to uncover deep bugs that are beyond human reasoning, and the paper discusses how MET provides sufficient confidence in the correctness of the authors' CRDT designs and implementations.

Compositional Model Checking of Consensus Protocols Specified in TLA+ via Interaction-Preserving Abstraction

This work proposes the Interaction-Preserving Abstraction (IPA) framework, which leverages the features of TLA+ and enables practical and efficient compositional model checking of consensus protocols specified in TLA+.

Compositional Model Checking of Consensus Protocols via Interaction-Preserving Abstraction

The Interaction-Preserving Abstraction (IPA) framework is proposed, which leverages the features of TLA+ and enables practical and efficient compositional model checking of consensus protocols specified in TLA+.

Planning for Software System Recovery by Knowing Design Limitations of Cloud-native Patterns

The result suggests that important quality decisions derived from formal models of the patterns help application designers prepare for unacceptable system quality degradation by knowing when a third-party implementation of the architectural patterns fails to maintain its guarantees.

Modulo: Finding Convergence Failure Bugs in Distributed Systems with Divergence Resync Models

Modulo is the first model-based testing tool that uses Divergence Resync Models (DRMs) to systematically explore divergence and convergence in real distributed systems; running Modulo against ZooKeeper, MongoDB, and Redis found 11 bugs.

Specification and Verification with the TLA+ Trifecta: TLC, Apalache, and TLAPS

Using an algorithm due to Safra for distributed termination detection as a running example, an approach is suggested that supports multiple types of analysis and can be adapted to the desired degree of confidence.

Verifying Transactional Consistency of MongoDB

This work formally specifies and verifies the transactional consistency protocols of MongoDB, and proves that WiredTiger, ReplicaSet, and ShardedCluster satisfy different variants of snapshot isolation, namely StrongSI, RealtimeSI, and SessionSI, respectively.

Leveraging TLA+ Specifications to Improve the Reliability of the ZooKeeper Coordination Service

The formal specifications help eliminate ambiguities in the protocol design, provide comprehensive system documentation, and help find new critical deep bugs in the system implementation that are beyond the reach of state-of-the-art testing techniques.

Formal verification of a distributed dynamic reconfiguration protocol

This work presents the first machine checked inductive invariant and safety proof of a dynamic reconfiguration protocol for a Raft based replication system, MongoRaftReconfig, and a formal TLAPS proof of two key safety properties, LeaderCompleteness and StateMachineSafety.

References

Model-Based Trace-Checking

This paper proposes that traces can usefully be analysed by checking them against a formal model using a standard model checker or an animator for executable specifications, and illustrates this with a Travel Agent case study implemented in J2EE.

Concurrent Development of Model and Implementation

This paper considers how a formal mathematically-based model can be used in support of evolutionary software development, and in particular how such a model can be kept consistent with the

Model-based approaches for validating business critical systems

A new methodology is described that tackles this problem using co-evolution of models and prototypes to strengthen the relationship between modelling and testing and uses model-based tests and trace-driven model checking.

Formal verification in hardware design: a survey

A selection of case studies where formal methods were applied to industrial-scale designs, such as microprocessors, floating-point hardware, protocols, memory subsystems, and communications hardware are presented.

Automated testing of protocol specifications and their implementations

A highly automated approach is proposed for validating the consistency of distinct representations of an identical software functionality. This approach is based on checking whether the observable

Automating the Generation and Sequencing of Test Cases from Model-Based Specifications

Formal specifications contain a great deal of information that can be exploited in the testing of an implementation, either for the generation of test-cases, for sequencing the tests, or as an oracle

Using a formal specification and a model checker to monitor and direct simulation

The approach was applied to the multiprocessing hardware and cache coherence protocol of the Alpha 21364 microprocessor, generating an error trace that exercised a bug in the implementation which had not been discovered before a prototype was built.

Use of Formal Methods at Amazon Web Services

Since 2011, engineers at Amazon Web Services have been using formal specification and model checking to help solve difficult design problems in critical systems, finding that subtle bugs can hide in complex concurrent fault-tolerant systems.

Model Checking TLA+ Specifications

TLC is a new model checker for debugging a TLA+ specification by checking invariance properties of a finite-state model of the specification.

Using Formal Verification/Analysis Methods on the Critical Path in System Design: A Case Study

The SMV model checker was integrated into the project design flow and used to verify a specification of a cache coherency protocol for a directory-based, distributed shared-memory machine.