Protocols to ensure that messages are delivered in causal order are a ubiquitous building block of distributed systems. For instance, key-value stores can use causally ordered message delivery to ensure causal consistency -- a sweet spot in the availability/consistency trade-off space -- and replicated data structures rely on the existence of an underlying causally-ordered messaging layer to ensure that geo-distributed replicas eventually converge to the same state. A causal delivery protocol ensures that when a message is delivered to a process, any causally preceding messages sent to the same process have already been delivered to it. While causal message delivery protocols are widely used in distributed systems, verification of the correctness of those protocols is less common, much less machine-checked proofs about executable implementations. We implemented a standard causal broadcast protocol in Haskell and used the Liquid Haskell solver-aided verification system to express and mechanically prove that messages will never be delivered to a process in an order that violates causality. To do so, we express a process-local causal delivery property using refinement types, and we prove that it holds of our implementation using Liquid Haskell's theorem-proving facilities, resulting in the first machine-checked proof of correctness of an executable causal broadcast implementation. We then put our verified causal broadcast implementation to work as the foundation of a distributed key-value store implemented in Haskell.
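The standard vector-clock deliverability check that such a protocol relies on, as an added example that is not the paper's Liquid Haskell code: a received message is held in a delay queue until it is the next message expected from its sender and every message it causally depends on has already been delivered locally. The `causal_delivery_holds` function is a runtime, unverified analogue of the process-local property the abstract describes; all names here are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass(frozen=True)
class Message:
    sender: int
    vc: Tuple[int, ...]   # vector clock stamped by the sender at broadcast time
    payload: str

@dataclass
class Process:
    pid: int
    n: int                # number of processes in the group
    vc: List[int] = field(default_factory=list)
    delay_queue: List[Message] = field(default_factory=list)
    delivered: List[Message] = field(default_factory=list)

    def __post_init__(self):
        if not self.vc:
            self.vc = [0] * self.n

    def broadcast(self, payload: str) -> Message:
        # The sender bumps its own entry, stamps the message and delivers it to itself.
        self.vc[self.pid] += 1
        m = Message(self.pid, tuple(self.vc), payload)
        self.delivered.append(m)
        return m

    def deliverable(self, m: Message) -> bool:
        # Next message from its sender, and nothing it depends on is still missing here.
        return (m.vc[m.sender] == self.vc[m.sender] + 1
                and all(m.vc[k] <= self.vc[k] for k in range(self.n) if k != m.sender))

    def receive(self, m: Message) -> List[str]:
        # Queue the message, then deliver everything that has become deliverable.
        self.delay_queue.append(m)
        progress = True
        while progress:
            progress = False
            for q in list(self.delay_queue):
                if self.deliverable(q):
                    self.delay_queue.remove(q)
                    self.vc[q.sender] += 1
                    self.delivered.append(q)
                    progress = True
        return [x.payload for x in self.delivered]

def happens_before(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    return all(x <= y for x, y in zip(a, b)) and a != b

def causal_delivery_holds(delivered: List[Message]) -> bool:
    # Process-local property: no message is delivered before one that causally precedes it.
    return not any(happens_before(later.vc, m.vc)
                   for i, m in enumerate(delivered) for later in delivered[i + 1:])
```

In the constructed run below, process 2 receives a reply before the message it replies to and correctly holds it back until the dependency arrives.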