Model Checking Paxos in Spin

Giorgio Delzanno, Michele Tatarek, Riccardo Traverso
We present a formal model of a distributed consensus algorithm in the executable specification language Promela extended with a new type of guards, called counting guards, needed to implement transitions that depend on majority voting. Our formalization exploits abstractions that follow from reduction theorems applied to the specific case-study. We apply the model checker Spin to automatically validate finite instances of the model and to extract preconditions on the size of quorums used in the… 
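The abstract describes two ideas that are easy to see in a small model: a transition guarded by a majority count, and a quorum-size precondition that Spin can either prove or refute by exhaustive search. The following Promela model is an added illustration, not the paper's model or the authors' Promela extension. The paper adds counting guards to the language; here the majority condition is emulated in plain Promela with an explicit vote counter and a blocking expression, which is an assumed simplification. The constants N and Q, the two-proposer setup, and the single-vote acceptors are all assumptions chosen to keep the state space small.

```promela
/* Added illustration, not the paper's model: a majority quorum expressed as a
 * blocking guard in plain Promela. The paper extends Promela with counting
 * guards; here the majority condition is emulated with an explicit vote
 * counter (an assumed simplification). N acceptors each cast exactly one vote
 * for one of two competing proposers; a proposer decides once its count
 * reaches Q. Agreement holds exactly when 2*Q > N. */

#define N 3   /* acceptors; assumed small so Spin can search exhaustively */
#define Q 2   /* quorum size: 2 is a strict majority of 3, 1 is not */

byte votes[2];    /* votes[p] = number of acceptors that voted for proposer p */
bool decided[2];  /* decided[p] = proposer p reached a quorum */

/* Acceptors are declared first, so their _pid values are 0 .. N-1. */
active [N] proctype Acceptor() {
  /* Each acceptor process runs this body once, hence casts exactly one
   * vote; the choice of proposer is nondeterministic. */
  atomic {
    if
    :: votes[0]++
    :: votes[1]++
    fi
  }
}

/* Proposers are declared after the acceptors and get _pid values N and N+1. */
active [2] proctype Proposer() {
  byte p = _pid - N;
  /* Emulated counting guard: block until at least Q votes for p.
   * A proposer that never reaches a quorum stays here legitimately,
   * so the end label marks this as a valid end state. */
end_wait:
  (votes[p] >= Q) -> decided[p] = true
}

/* Safety property checked by Spin: no two proposers ever both decide.
 * With Q = 1 (not a majority of 3) pan reports a counterexample. */
ltl agreement { [] !(decided[0] && decided[1]) }
```

Run it with `spin -a model.pml && gcc -o pan pan.c && ./pan -a`; with Q = 2 the search completes with no errors. Changing Q to 1 makes pan write a trail in which both proposers decide, which `spin -t -p model.pml` replays step by step. That is the flavour of the quorum-size precondition the abstract refers to: the property holds for the quorum sizes that satisfy 2*Q > N and fails for those that do not.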

A Spin-based model checking for the simple concurrent program on a preemptive RTOS
An existing preemptive scheduling model of the eChronos RTOS kernel is adapted from a machine-assisted proof to the Spin model checker, so that it can be verified automatically rather than by formulating proofs by hand.
Formal Verification of Multi-Paxos for Distributed Consensus
This paper describes formal specification and verification of Lamport’s Multi-Paxos algorithm for distributed consensus in TLA+, and discusses the general strategies for proving properties about sets and tuples that helped the proof check succeed in significantly reduced time.
Refinement Checking Parameterised Quorum Systems
Antti Siirtola, 2017 17th International Conference on Application of Concurrency to System Design (ACSD), 2017
A generic compositional formalism is introduced, based on parameterised labelled transition systems, which allows to express safety properties of parameterised quorum systems and proves that any parameterised verification task expressible in the formalism collapses into finitely many finite state refinement checking problems.
Formal Verification of Fault-Tolerant Systems
This thesis formally verifies the correctness of the persistent memory manager in IBM's 4765 secure coprocessor, which provides transactional semantics for persistent memory updates.
TLA+ model checking made symbolic
This paper presents APALACHE, the first symbolic model checker for TLA+.
Raft Refloated: Do We Have Consensus?
This study developed a clean-slate implementation of the Raft protocol and an event-driven simulation framework for prototyping it on experimental topologies, empirically validates the correctness of the Raft protocol invariants, and evaluates Raft's understandability claims.
Cutoff Bounds for Consensus Algorithms
This work provides an expressive language for consensus algorithms targeting the benign asynchronous setting and gives algorithm-dependent cutoff bounds, the first cutoff result for fault-tolerant distributed systems.
Learning to generate Reliable Broadcast Algorithms
This work shows that the approach is able to generate correct fault-tolerant Reliable Broadcast algorithms with the same performance as others available in the literature, in only 12,000 learning episodes.


Graph- versus Vector-Based Analysis of a Consensus Protocol
This paper models Paxos in a rich declarative transformation language featuring, among other things, nested quantifiers, and validates the model using the GROOVE model checker, a graph-based tool that exploits isomorphism as a natural way to prune the state space via symmetry reductions.
Tutorial on Parameterized Model Checking of Fault-Tolerant Distributed Algorithms
This tutorial uses the core of a fault-tolerant distributed broadcasting algorithm as a case study to explain the concepts of the abstraction techniques, and discusses how they can be implemented.
On Efficient Models for Model Checking Message-Passing Distributed Protocols
It is shown that the proposed model (without interleaved delivery events and with relaxed semantics of computation events) is significantly more efficient for explicit state model checking.
Invisible Safety of Distributed Protocols
This paper presents a technique, called “coloring,” that allows, in many instances, to replace the second order reachability predicates by first order predicates, resulting in properties that are amenable to Invisible Invariants.
Parameterized Verification of Broadcast Networks of Register Automata
We study parameterized verification problems for networks of interacting register automata. We consider safety properties expressed in terms of reachability, from arbitrarily large initial
Using Bounded Model Checking to Verify Consensus Algorithms
The proposed approach allows us to model check some consensus algorithms up to around 10 processes and addresses the difficulty of reducing the verification problem to small model checking problems that involve only single phases of algorithm execution.
Impossibility of distributed consensus with one faulty process
It is shown that, for the asynchronous consensus problem, every protocol has the possibility of nontermination, even with only one faulty process.
Towards Modeling and Model Checking Fault-Tolerant Distributed Algorithms
Model checking state-of-the-art fault-tolerant distributed algorithms (such as Paxos) is currently out of reach except for very small systems.
Who is afraid of Model Checking Distributed Algorithms
The major technical obstacles and methodological challenges of automated verification of distributed algorithms are discussed.
On the Complexity of Parameterized Reachability in Reconfigurable Broadcast Networks
This work first considers reachability of a configuration with a given set of control states and shows that parameterized verification is decidable with polynomial time complexity, then moves to richer queries and shows how the complexity changes when considering properties with negation or cardinality constraints.