Home

Awesome

<!--- This file was generated from `meta.yml`, please do not edit manually. Follow the instructions on https://github.com/coq-community/templates to regenerate. --->

Disel: Distributed Separation Logic

Docker CI

Disel is a framework for implementation and compositional verification of distributed systems and their clients in Coq. In Disel, users implement distributed systems using a domain specific language shallowly embedded in Coq which provides both high-level programming constructs as well as low-level communication primitives. Components of composite systems are specified in Disel as protocols, which capture system-specific logic and disentangle system definitions from implementation details.

Meta

Building and installation instructions

The easiest way to install the latest released version of Disel: Distributed Separation Logic is via OPAM:

opam repo add coq-released https://coq.inria.fr/opam/released
opam install coq-disel

To instead build and install manually, do:

git clone https://github.com/DistributedComponents/disel.git
cd disel
make   # or make -j <number-of-cores-on-your-machine> 
make install

Project Structure

VM Instructions

Please download the virtual machine, import it into VirtualBox, and boot the machine. This VM image has been tested with VirtualBox versions 5.1.24 and 5.1.28 with Oracle VM VirtualBox Extension Pack. Versions 4.X are known not to work with this image.

If prompted for login information, both the username and password are "popl" (without quotes).

For your convenience, all necessary software, including Coq 8.6 and ssreflect have been installed, and a checkout of Disel is present in ~/disel. Additionally, emacs and Proof General are installed so that you can browse the sources.

We recommend checking the proofs using the provided Makefile and running the two extracted applications. Additionally, you might be interested to compare the definitions and theorems from some parts of the paper to their formalizations in Coq.

Checking the proofs can be accomplished by opening a terminal and running

cd ~/disel
make clean; make -j 4

You may see lots of warnings about notations and "nothing to inject"; these are expected. Success is indicated by the build terminating without printing "error".

Extracting and running the example applications is described below.

Code corresponding to the paper

The following describes how the paper corresponds to the code:

Exploring further

We encourage you to explore Disel further by extending one of the examples or trying your own. For example, you could build an application that uses the calculator to evaluate arithmetic expressions and prove its correctness. As a more involved example, you could define a new protocol for leader election in a ring and prove that at most one node becomes leader. To get started, we recommend following the Calculator example and modifying it as necessary.

Extracting and Running Disel Programs

As described in Section 5.1, Disel programs can be extracted to OCaml and run. You can build the two examples as follows.

sending msg in protocol 1 with tag = 0, contents = [1; 2] to 1

Tag 0 indicates a request in the Calculator protocol. Contents 1; 2 indicate the arguments to the function being calculated (in this case, addition). The message is sent to node 1, which is the delegating server.

The client then receives a response logged as

got msg in protocol 1 with tag = 1, contents = [3; 1; 2] from 1

Tag 1 indicates a response. The contents mean that the answer to 1 + 2 is 3.

Several more rounds of messages are exchanged. The final line summarizes the entire execution.

client got result list [([1; 2], 3); ([3; 4], 7); ([5; 6], 11); ([7; 8], 15); ([9; 10], 19)]
sending msg in protocol 0 with tag = 0, contents = [0; 1; 2] to 1
sending msg in protocol 0 with tag = 0, contents = [0; 1; 2] to 2
sending msg in protocol 0 with tag = 0, contents = [0; 1; 2] to 3

Tag 0 indicates a prepare message. The contents indicate the index of the current request (0, since this is the first data item) and the actual data to commit (in this case, [1; 2], as specified in data_seq). A separate prepare message is sent to each participant.

The participants respond with votes, which are logged as follows

got msg in protocol 0 with tag = 1, contents = [0] from 1
got msg in protocol 0 with tag = 1, contents = [0] from 3
got msg in protocol 0 with tag = 1, contents = [0] from 2

Tag 1 indicates a Yes vote. The messages are ordered nondeterministically based on the operating system's and network's scheduling decisions.

Since all participants voted yes, the coordinator proceeds to commit the data by sending Commit messages (tag 3) to all participants.

sending msg in protocol 0 with tag = 3, contents = [0] to 1
sending msg in protocol 0 with tag = 3, contents = [0] to 2
sending msg in protocol 0 with tag = 3, contents = [0] to 3

Participants acknowledge the commit with AckCommit messages (tag 5)

got msg in protocol 0 with tag = 5, contents = [0] from 3
got msg in protocol 0 with tag = 5, contents = [0] from 1
got msg in protocol 0 with tag = 5, contents = [0] from 2

This completes the first round. The remaining three rounds execute similarly, based on the decisions from the choice sequences. When any participant votes no (tag 2), the coordinator instead aborts the transaction by sending Abort messages (tag 4). In that case, participants respond with AckAbort messages (tag 6). Once all four rounds are over, all nodes exit.

Proof Size Statistics

Section 5.2 and Table 1 describe the size of our development. Those were obtained by using the coqwc tool on manually dissected files, according to our vision of what should count as a program, spec, or a proof. These numbers might slightly differ from reported in the paper due to the evolution of the project since the submission.