A project that uses TLA+ to model check and prove the correctness of the consensus algorithm in the PaxosStore@VLDB2017 paper and the open-source Tencent/paxosstore.
While constructing the specification of the consensus algorithm TPaxos in PaxosStore, we uncover a crucial but subtle detail in TPaxos which is not fully clarified, and capture it in a variant called TPaxosAP. We verify the correctness of both TPaxos and TPaxosAP, and establish the refinement mappings from TPaxos to Voting and from TPaxosAP to EagerVoting (which is equivalent to Voting).
- TPaxos.tla: the specification of TPaxos.
- TPaxosAP.tla: the specification of the variant of TPaxos.
- TPaxosWithVotes.tla: the refinement mapping of TPaxos refining Voting.
- TPaxosAPWithVotes.tla: the refinement mapping of TPaxosAP refining EagerVoting.
- EagerVoting.tla: a specification that is equivalent to Voting.
- Voting.tla: a specification introduced by Lamport in the paper Byzantizing Paxos by Refinement.
- Consensus.tla: a specification that is implemented by Voting.
We prove the correctness of TPaxos using TLAPS (the TLA+ Proof System). While writing the proof of TPaxos, we made some small changes to the specification; these do not introduce additional rules but only keep our proof from becoming too complicated.
We prove the refinement relation by model checking. See experiment for the details.
PS. Here is a similar work that provides a framework to specify and verify CRDT protocols using TLA+.