Abstract

We present the first specification and verification of an implementation of a causally-consistent distributed database that supports modular verification of full functional correctness properties of clients and servers. We specify and reason about the causally-consistent distributed database in Aneris, a higher-order distributed separation logic for an ML-like programming language with network primitives for programming distributed systems. We demonstrate that our specifications are useful, by proving the correctness of small, but tricky, synthetic examples involving causal dependency and by verifying a session manager library implemented on top of the distributed database. We use Aneris's facilities for modular specification and verification to obtain a highly modular development, where each component is verified in isolation, relying only on the specifications (not the implementations) of other components. We have used the Coq formalization of the Aneris logic to formalize all the results presented in the paper in the Coq proof assistant.

Highlights

  • The ubiquitous distributed systems of the present-day internet often require highly available and scalable distributed data storage solutions

  • We further note that in loc. cit. the consistency model corresponds to RA consistency of the weak memory, while our model describes causal consistency for a distributed system implementation

  • According to Lahav [2019], understanding how concurrent separation logics for the RA model can be weakened to causal consistency is an interesting research question, and we hope that our specifications may serve as inspiration for future investigations in that direction


Summary

INTRODUCTION

The ubiquitous distributed systems of the present-day internet often require highly available and scalable distributed data storage solutions. Our Aneris specifications for the distributed database are based on a mathematical model tracking the abstract state of the local key-value stores, i.e., the history of updates. The ordering is defined such that it reflects causal order: if the time of event e is strictly less than the time of e′, then e′ causally depends on e, and if the times of e and e′ are incomparable, e and e′ are causally independent. This allows us to formulate the causal consistency of the distributed database as follows: if a node observes an apply event a, it must have already observed all write events of the abstract global memory that happened before (according to logical time) the write event corresponding to a. We focus on safety properties, and the properties we show (e.g., on any replica, all updates that have been applied are causally consistent) are met by our implementation regardless of whether the network is reliable or not.
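The causal consistency condition formulated above, as an added example that is not code from the paper or its Coq development: logical time is represented here by vector clocks with one entry per replica (an assumption; the summary only speaks of "logical time" with a strict order and incomparable times), and the checker replays a replica's sequence of applied writes, rejecting any apply whose causal predecessors in the abstract global memory have not yet been applied on that replica.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Logical time is modelled as a vector clock with one entry per replica. This is
# an assumption: the page only speaks of "logical time" whose strict order is
# causal dependency and whose incomparable times mean causal independence.
VClock = Tuple[int, ...]

def vc_lt(a: VClock, b: VClock) -> bool:
    """Strict order on logical time: event with time a happens before b."""
    return len(a) == len(b) and all(x <= y for x, y in zip(a, b)) and a != b

def vc_incomparable(a: VClock, b: VClock) -> bool:
    """Incomparable times: the two events are causally independent."""
    return a != b and not vc_lt(a, b) and not vc_lt(b, a)

@dataclass(frozen=True)
class Write:
    key: str
    value: int
    origin: int      # replica on which the write was performed
    time: VClock     # logical time of the write event

def causally_consistent(global_mem: List[Write], applied: List[Write]) -> bool:
    """Property from the summary: when a replica applies a write w, every write of
    the abstract global memory whose time is strictly less than w's time must
    already have been applied on that replica (i.e. appear earlier in `applied`)."""
    seen = set()
    for w in applied:
        for dep in global_mem:
            if vc_lt(dep.time, w.time) and dep not in seen:
                return False  # apply observed before one of its causal predecessors
        seen.add(w)
    return True

# Constructed sample: two replicas. W2 is issued on replica 0 after W1, so it
# causally depends on W1; W3 is issued independently on replica 1.
W1 = Write("x", 1, origin=0, time=(1, 0))
W2 = Write("y", 2, origin=0, time=(2, 0))
W3 = Write("z", 3, origin=1, time=(0, 1))
GLOBAL_MEM = [W1, W2, W3]

if __name__ == "__main__":
    # Applying W3, W1, W2 respects causality; applying W2 before W1 does not.
    print(causally_consistent(GLOBAL_MEM, [W3, W1, W2]))  # True
    print(causally_consistent(GLOBAL_MEM, [W2, W1, W3]))  # False
```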

MATHEMATICAL MODEL
SPECIFICATION
Laws Governing Database Resources
Specs for the Read and Write Operations
Initializing the Distributed Database
Client Reasoning about Causality
CASE STUDY
VERIFICATION OF THE IMPLEMENTATION
Local and Global Validity
Proof of the Implementation
HOCAP-STYLE SPECIFICATION FOR THE WRITE OPERATION
RELATED WORK
CONCLUSION AND FUTURE WORK