Journal of Software:2020.31(5):1332-1352

Specifying and Verifying CRDT Protocols Using TLA+
JI Ye, WEI Heng-Feng, HUANG Yu, Lü Jian
(State Key Laboratory for Novel Software Technology (Nanjing University), Nanjing 210023, China)
Received: September 03, 2019    Revised: October 24, 2019
Abstract: Conflict-free replicated data types (CRDTs) are replicated data types that encapsulate the mechanisms for resolving concurrent conflicts. They guarantee strong eventual consistency among replicas in distributed systems, which requires replicas that have executed the same set of updates to be in the same state. However, CRDT protocols are subtle, and it is difficult to ensure their correctness. This study leverages model checking to verify the correctness of a series of CRDT protocols. Specifically, a reusable framework is proposed for modelling and verifying CRDT protocols. The framework consists of four layers: the communication layer, the interface layer, the protocol layer, and the specification layer. The communication layer models the communication among replicas and implements a variety of communication networks. The interface layer provides a uniform interface for existing CRDT protocols, including both operation-based and state-based protocols. In the protocol layer, users can choose the appropriate underlying communication network required by a specific protocol. The specification layer specifies strong eventual consistency and the eventual visibility property (i.e., all updates are eventually delivered by all replicas) that every CRDT protocol should satisfy. The framework is implemented in the formal specification language TLA+. Taking Add-Wins Set as an example, the study also demonstrates how to model CRDT protocols in this framework and how to verify their correctness with the TLC model checker.
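The following Python example is added here and is not taken from the paper or its TLA+ framework; it checks strong eventual consistency for an operation-based Add-Wins Set by enumerating delivery orders, once over a causal network and once over an unordered one. The tagged-add/observed-remove design, all class and function names, and the three-operation history are assumptions constructed for illustration.

```python
from itertools import permutations

class AWSet:
    """Op-based Add-Wins Set replica (assumed standard design): every add
    carries a unique tag; a remove deletes only the tags its origin saw."""
    def __init__(self):
        self.pairs = set()                      # {(element, tag)}

    def prepare_add(self, elem, tag):
        return ("add", elem, frozenset({tag}))

    def prepare_remove(self, elem):
        return ("rmv", elem, frozenset(t for e, t in self.pairs if e == elem))

    def effect(self, op):
        kind, elem, tags = op
        touched = {(elem, t) for t in tags}
        self.pairs = self.pairs | touched if kind == "add" else self.pairs - touched

def build_history():
    """Constructed history: B removes x after seeing add a1, while A
    concurrently re-adds x with tag a2. deps maps op -> causal predecessors."""
    a, b = AWSet(), AWSet()
    op1 = a.prepare_add("x", "a1"); a.effect(op1); b.effect(op1)
    op2 = b.prepare_remove("x"); b.effect(op2)
    op3 = a.prepare_add("x", "a2"); a.effect(op3)
    ops = {"op1": op1, "op2": op2, "op3": op3}
    deps = {"op1": set(), "op2": {"op1"}, "op3": {"op1"}}
    return ops, deps

def respects_causality(order, deps):
    # Each op must be delivered after all of its causal predecessors.
    return all(deps[n] <= set(order[:i]) for i, n in enumerate(order))

def final_states(ops, deps, causal):
    """Distinct final states over all delivery orders; SEC holds iff one."""
    states = set()
    for order in permutations(ops):
        if causal and not respects_causality(order, deps):
            continue
        replica = AWSet()
        for name in order:
            replica.effect(ops[name])
        states.add(frozenset(replica.pairs))
    return states

if __name__ == "__main__":
    ops, deps = build_history()
    print(final_states(ops, deps, True), final_states(ops, deps, False))
```

Under causal delivery the only reachable state keeps x through tag a2, so the concurrent add wins and every replica agrees. Over the unordered network, replicas that delivered the same three updates can end in two different states, which is why the choice of underlying network is part of the protocol's correctness argument.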
Foundation items: National Key Research and Development Program of China (2017YFB1001801); National Natural Science Foundation of China (61702253, 61772258)
Reference text:

JI Ye, WEI Heng-Feng, HUANG Yu, Lü Jian. Specifying and Verifying CRDT Protocols Using TLA+. Journal of Software, 2020, 31(5): 1332-1352