A Case Study in the Mechanical Veri

To date, there is little evidence that modular reasoning about fault-tolerant systems can simplify the veriication process in practice. We study this question using a prominent example from the fault tolerance literature: the problem of reliable broadcast in point-to-point networks opposed to crash failures of processes. The experiences from this case study show how modular speciication techniques and rigorous proof re-use can indeed help in such undertakings. A Case Study in the Mechanical Veriication of Fault Tolerance 1 1. INTRODUCTION A system is said to be fault-tolerant if it exhibits a well-deened system behavior in the presence of faults Laprie 1992]. The importance of fault-tolerant systems stems from their omnipresence throughout today's technical infrastructure. The failure of a critical computer system can have catastrophical consequences, resulting in loss of considerable industrial value or even loss of human life. Thus, systems with veriiable fault-tolerance properties are of increasing importance. Because it is necessary to precisely describe faulty behavior and its interaction with normal system operation, fault-tolerance considerations place an additional complexity burden on a formal veriication process. In theory, the additional complexity can be dealt with by rst reasoning about the system in fault free environments and | after placing it into a faulty environment | reasoning only about those aspects of the system which have changed GG artner 1999]. Many case studies exist which prove certain algorithms correct in the case of faults using theorem provers like PVS Lincoln and Rushby 1993; Qadeer and Shankar 1998]. However, these case studies do not exploit the theoretical ideas sketched above and thus the proofs seem more complex than they need to be. Consequently, there is little evidence to date that such modular reasoning can indeed simplify the veriication process using theorem provers in practice. The basic notion underlying most of the theory behind modular reasoning about fault-tolerant systems is that of a transformation GG artner 1999]. Today, there exists a solid basis of elegant transformational techniques in the literature Peled However, the examples used to show the usefulness of these theories have been rather small and academic. To the best of our knowledge, the only real case study which has been performed using theorem provers is the component-based mechanical veriication of a self-stabilizing mutual exclusion protocol by Kulkarni, Rushby, and Shankar 1999]. While it shows that modular reasoning does have advantages, it also concludes that | being the rst such case study …