Skip to content
/ raft-spin Public

A formally verified Raft specification in Spin, as course project of Software Formal Verification, 2020 Autumn, Tsinghua University

License

MIT license
14 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

namasikanam/raft-spin

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
LICENSE
LICENSE
 
 
raft.pml
raft.pml
 
 
readme.md
readme.md
 
 
report.md
report.md
 
 

Repository files navigation

Formally verified Raft in SPIN

This is a formally verified Raft specification in SPIN, as a course project of Software Formal Verification, 2020 Autumn, Tsinghua University.

This main references of this work are the Raft paper, PhD dissertation of Diego Ongaro and TLA+ formal model of Raft.

Here is the technial report (in Chinese).

Requirements

  • Model checker: SPIN (~6.5.1)

A large memory space is needed to run.

For Linux, it's recommended to unlimit the memory of process by the following way:

ulimit -s unlimited

Verification

As it takes a long time to verify all properties together, it's better to verify each property separately.

The following command is recommended:

$ spin -run -a -bit -bcs -n [-noclaim | -ltl p] raft.pml

The interpretation of the used parameters:

  • -run: model check rather than simulate.
  • -a: inspect acceptance cycles, which is needed for verifying LTL properties.
  • -bit: store states by bit, to save space cost.
  • -bcs: use bounded-context-switching algorithm to speed up.
  • -n: close the output of unreachable states. Because we verify each property seperately, other unverified properties will generate many unreachable states. Thus, we need to close the output of these many unreachable states.

The followings are the verification commands for all 6 properties in the Raft paper. The total time to run all commands is about 1 hour.

Deadlock (invalid end state)

$ spin -run -a -bit -bcs -n -noclaim raft.pml

Election Safety

$ spin -run -a -bit -bcs -n -ltl electionSafety raft.pml

Leader Append-Only (As this property is too complicated, we decompose it into 6 sub-properties. The valid of original property is equivalent to the valid of all 6 sub-properties.)

$ spin -run -a -bit -bcs -n -ltl leaderAppendOnly00 raft.pml
$ spin -run -a -bit -bcs -n -ltl leaderAppendOnly01 raft.pml
$ spin -run -a -bit -bcs -n -ltl leaderAppendOnly10 raft.pml
$ spin -run -a -bit -bcs -n -ltl leaderAppendOnly11 raft.pml
$ spin -run -a -bit -bcs -n -ltl leaderAppendOnly20 raft.pml
$ spin -run -a -bit -bcs -n -ltl leaderAppendOnly21 raft.pml

Log Matching

$ spin -run -a -bit -bcs -n -ltl electionSafety raft.pml

Leader Completeness

$ spin -run -a -bit -bcs -n -ltl electionSafety raft.pml

State Machine Safety

$ spin -run -a -bit -bcs -n -ltl electionSafety raft.pml

About

A formally verified Raft specification in Spin, as course project of Software Formal Verification, 2020 Autumn, Tsinghua University

Topics

raft spin formal-verification

Resources

Readme

License

MIT license
Activity

Stars

14 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published