Specifications and proofs for Ensemble Layers
TACAS '99, 1999
Cited by 47 (10 self)
Ensemble is a widely used group communication system that supports distributed programming by providing precise guarantees for synchronization, message ordering, and message delivery. Ensemble eases the task of distributed-application programming, but as a result, ensuring the correctness of Ensemble itself is a difficult problem. In this paper we use I/O automata for formalizing, specifying, and verifying the Ensemble implementation. We focus specifically on message total ordering, a property that is commonly used to guarantee consistency within a process group. The systematic verification of this protocol led to the discovery of an error in the implementation.
An object-oriented approach to verifying group communication systems
1998
Cited by 11 (2 self)
Group communication systems assist the development of fault-tolerant distributed algorithms by providing precise guarantees on message ordering, delivery, and synchronization. Ensemble is a widely used group communication system that is highly modular and configurable. Formally verifying Ensemble is a formidable task, but it has wide-ranging benefits, from formal assistance in the design of new distributed applications, to ensuring the reliability of critical distributed algorithms for all applications that use Ensemble. In this paper, we present a verification framework that we are using to verify Ensemble in the Nuprl proof development system. The framework is based on I/O automata, which are ideal for the verification in some respects: they specify modular components that range from concrete protocol code to abstract services. But traditional I/O automata do not allow re-use of formal theorems as automata are composed. We present a new type-theoretic basis for I/O automata that preserves safety properties during composition using an object-oriented methodology.
Predicate transformers for infinite-state automata in Nuprl type theory
In Proceedings of 3rd Irish Workshop in Formal Methods, 1999
Cited by 8 (3 self)
This paper has two goals. The first is to present a formalization in Nuprl type theory of a very general methodology for system description, specification and verification. The method is especially suitable for describing distributed systems, and is based on a modification of the I/O automata of Lynch & Tuttle. By using infinite extendible records as the state spaces of automata we gain a key inheritance property that makes modular verification tractable. The second goal is to show how we can state and prove meta-theorems about the method in Nuprl by a reflection procedure whereby we define syntax and semantics for both system descriptions and specifications within Nuprl type theory. We can then define a syntactic predicate transformation algorithm that generates syntactic verification conditions, and then prove the meta-theorem that shows that the truth of (the meanings of) the verification conditions implies that (the meaning of) the description satisfies (the meaning of) the specification.
A logic of events
2003
Cited by 8 (5 self)
There is a well-established theory and practice for creating correct-by-construction functional programs by extracting them from constructive proofs of assertions of the form ∀x: A.∃y: B.R(x, y). There have been several efforts to extend this methodology to concurrent programs, say by using linear logic, but there is no practice and the results are limited. In this paper we define a logic of events that justifies the extraction of correct distributed processes from constructive proofs that system specifications are achievable, and we describe an implementation of an extraction process in the context of constructive type theory. We show that a class of message automata, similar to IO automata and to active objects, are realizers for this logic. We provide a relative consistency result for the logic. We show an example of protocol derivation in this logic, and show how to embed temporal logics such as TLA+ in the event logic.
Knowledge-based synthesis of distributed systems using event structures
In Proc. 11th Int. Conf. on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR 2004), Lecture Notes in Computer Science, 2005
Cited by 4 (3 self)
To produce a program guaranteed to satisfy a given specification one can synthesize it from a formal constructive proof that a computation satisfying that specification exists. This process is particularly effective if the specifications are written in a high-level language that makes it easy for designers to specify their goals. We consider a high-level specification language that results from adding knowledge to a fragment of Nuprl specifically tailored for specifying distributed protocols, called event theory. We then show how high-level knowledge-based programs can be synthesized from the knowledge-based specifications using a proof development system such as Nuprl. Methods of Halpern and Zuck [1992] then apply to convert these knowledge-based protocols to ordinary protocols. These methods can be expressed as heuristic transformation tactics in Nuprl.
Formal Specification and Verification of the Intrusion-Tolerant Enclaves Protocol
International Journal of Network Security, 2003
Specifications and Proofs for Ensemble Layers
1998
Cited by 1 (1 self)
Ensemble is a widely used group communication system that supports distributed programming by providing precise guarantees for synchronization, message ordering, and message delivery. Ensemble eases the task of distributed-application programming, but as a result, ensuring the correctness of Ensemble itself is a difficult problem. In this paper we use I/O automata for formalizing, specifying, and verifying the Ensemble implementation. We focus specifically on message total ordering, a property that is commonly used to guarantee consistency within a process group. The systematic verification of this protocol led to the discovery of an error in the implementation.
1 Introduction. Ensemble [8, 16] is a working system for supporting group communication. In the group communication model, processes join together to form views that vary over time, but at any time a process belongs to exactly one view. Ensemble provides precise semantics for message delivery and ordering both with...
Assume-Guarantee Verification for Interface Automata
Cited by 1 (0 self)
Interface automata provide a formalism capturing the high-level interactions between software components. Checking compatibility, and other safety properties, in an automata-based system suffers from the scalability issues inherent in exhaustive techniques such as model checking. This work develops a theoretical framework and automated algorithms for modular verification of interface automata. We propose sound and complete assume-guarantee rules for interface automata, and learning-based algorithms to automate assumption generation. Our algorithms have been implemented in a practical model-checking tool and have been applied to a realistic NASA case study.
Caltech
This article presents a theory of classes and inheritance built on top of constructive type theory. Classes are defined using dependent and very dependent function types that are found in the Nuprl constructive type theory. Inheritance is defined in terms of a general subtyping relation over the underlying types. Among the basic types is the intersection type which plays a critical role in the applications because it provides a method of composing program components. The class theory is applied to defining algebraic structures such as monoids, groups, rings, etc. and relating them. It is also used to define communications protocols as infinite state automata. The article illustrates the role of these formal automata in defining the services of a distributed group communications system. In both applications the inheritance mechanisms allow reuse of proofs and the statement of general properties of system composition.
1 Introduction. The results presented here were created as part of a broad effort to understand how to use computers to significantly automate the design and development of software systems. This is one of the main goals of the "PRL project" at Cornell. One of the basic tenets of our approach to this task is that we should seek the most naturally expressive formal language in which to specify the services, characteristics and constraints that a software system must satisfy. If the formal expression of services is close to a natural one, then people can more readily use it. We also want to allow very compact notations for concepts used to describe systems, and this effect is also a consequence of expressive richness. We have discovered that it is frequently the case that the system we have built to implement one formal language will support an even richer one. So we have come to see our work as also progressively improving the reach of our tools.