# Model Checking Paxos in Spin

@inproceedings{Delzanno2014ModelCP, title={Model Checking Paxos in Spin}, author={Giorgio Delzanno and Michele Tatarek and Riccardo Traverso}, booktitle={GandALF}, year={2014} }

We present a formal model of a distributed consensus algorithm in the executable specification language Promela extended with a new type of guards, called counting guards, needed to implement transitions that depend on majority voting. Our formalization exploits abstractions that follow from reduction theorems applied to the specific case-study. We apply the model checker Spin to automatically validate finite instances of the model and to extract preconditions on the size of quorums used in the…

## 8 Citations

A Spin-based model checking for the simple concurrent program on a preemptive RTOS

- Computer Science, arXiv
- 2018

An existing preemptive scheduling model of RTOS kernel by eChronos is adapted from machine-assisted proof to Spin-based model checker and can be automatically verified rather than formulating proofs by hand.

Formal Verification of Multi-Paxos for Distributed Consensus

- Computer Science, FM
- 2016

This paper describes formal specification and verification of Lamport’s Multi-Paxos algorithm for distributed consensus in TLA+, and discusses the general strategies for proving properties about sets and tuples that helped the proof check succeed in significantly reduced time.

Refinement Checking Parameterised Quorum Systems

- Computer Science, 2017 17th International Conference on Application of Concurrency to System Design (ACSD)
- 2017

A generic compositional formalism is introduced, based on parameterised labelled transition systems, which allows one to express safety properties of parameterised quorum systems and proves that any parameterised verification task expressible in the formalism collapses into finitely many finite-state refinement checking problems.

Formal Verification of Fault-Tolerant Systems

- Computer Science
- 2017

This thesis formally verifies the correctness of the persistent memory manager in IBM's 4765 secure coprocessor, which provides a transactional semantics for persistent memory updates.

TLA+ model checking made symbolic

- Computer Science, Proc. ACM Program. Lang.
- 2019

This paper presents APALACHE, a first symbolic model checker for TLA+.

Raft Refloated: Do We Have Consensus?

- Computer Science, OPSR
- 2015

This study developed a clean-slate implementation of the Raft protocol, built an event-driven simulation framework for prototyping it on experimental topologies, empirically validated the correctness of the Raft protocol invariants, and evaluated Raft's understandability claims.

Cutoff Bounds for Consensus Algorithms

- Computer Science, CAV
- 2017

This work provides an expressive language for consensus algorithms targeting the benign asynchronous setting and gives algorithm-dependent cutoff bounds, the first cutoff result for fault-tolerant distributed systems.

Learning to generate Reliable Broadcast Algorithms

- Computer Science
- 2022

This work shows that the approach is able to generate correct fault-tolerant Reliable Broadcast algorithms with the same performance as others available in the literature, in only 12,000 learning episodes.

## References

Showing 1-10 of 27 references.

Graph- versus Vector-Based Analysis of a Consensus Protocol

- Computer Science, GRAPHITE
- 2014

This paper models Paxos in a rich declarative transformation language, featuring (among other things) nested quantifiers, and validates the model using the GROOVE model checker, a graph-based tool that exploits isomorphism as a natural way to prune the state space via symmetry reductions.

Tutorial on Parameterized Model Checking of Fault-Tolerant Distributed Algorithms

- Computer Science, SFM
- 2014

This tutorial uses the core of a fault-tolerant distributed broadcasting algorithm as a case study to explain the concepts of the abstraction techniques, and discusses how they can be implemented.

On Efficient Models for Model Checking Message-Passing Distributed Protocols

- Computer Science, FMOODS/FORTE
- 2010

It is shown that the proposed model (without interleaved delivery events and with relaxed semantics of computation events) is significantly more efficient for explicit state model checking.

Invisible Safety of Distributed Protocols

- Computer Science, Mathematics, ICALP
- 2006

This paper presents a technique, called “coloring,” that allows, in many instances, to replace the second order reachability predicates by first order predicates, resulting in properties that are amenable to Invisible Invariants.

Parameterized Verification of Broadcast Networks of Register Automata

- Computer Science, RP
- 2013

We study parameterized verification problems for networks of interacting register automata. We consider safety properties expressed in terms of reachability, from arbitrarily large initial…

Using Bounded Model Checking to Verify Consensus Algorithms

- Computer Science, DISC
- 2008

The proposed approach allows us to model check some consensus algorithms up to around 10 processes and addresses the difficulty of reducing the verification problem to small model checking problems that involve only single phases of algorithm execution.

Impossibility of distributed consensus with one faulty process

- Mathematics, PODS '83
- 1983

It is shown that, in the asynchronous consensus problem, every protocol has the possibility of nontermination, even with only one faulty process.

Towards Modeling and Model Checking Fault-Tolerant Distributed Algorithms

- Computer Science, Engineering, SPIN
- 2013

Model checking state-of-the-art fault-tolerant distributed algorithms (such as Paxos) is currently out of reach except for very small systems.

Who is afraid of Model Checking Distributed Algorithms

- Computer Science
- 2012

The major technical obstacles and methodological challenges of automated verification of distributed algorithms are discussed.

On the Complexity of Parameterized Reachability in Reconfigurable Broadcast Networks

- Computer Science, Mathematics, FSTTCS
- 2012

This work first considers reachability of a configuration with a given set of control states and shows that parameterized verification is decidable with polynomial time complexity, then moves to richer queries and shows how the complexity changes when considering properties with negation or cardinality constraints.