Simpler Specifications and Easier Proofs of Distributed Algorithms Using History Variables
share
This paper studies specifications and proofs of distributed algorithms when only message history variables are used, using Basic Paxos and Multi-Paxos for distributed consensus as precise case studies. We show that not using and maintaining other state variables yields simpler specifications that are more declarative and easier to understand. It also allows easier proofs to be developed by needing fewer invariants and facilitating proof derivations. Furthermore, the proofs are mechanically checked more efficiently. We show that specifications in TLA+ and proofs in TLA+ Proof System (TLAPS) are reduced by 25 100 lines to about 50 lines) and 48 lines), respectively, for Multi-Paxos. Overall we need 54 written invariants and our proofs have 46 Basic Paxos takes 26 our proofs for Multi-Paxos are checked by TLAPS within 1.5 minutes whereas prior proofs for Multi-Paxos fail to be checked in the new version of TLAPS.
READ FULL TEXT