Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

The Verification of a Distributed System

The Verification of a Distributed System

Caitie McCaffrey

November 30, 2016
Tweet

More Decks by Caitie McCaffrey

Other Decks in Technology

Transcript

  1. The Verification of a Distributed System A Practitioner’s Guide to

    Increasing Confidence in System Correctness
  2. LESLIE LAMPORT “A Distributed System is one in which the

    failure of a computer you didn’t even know existed can render your own computer unusable”
  3. Overview Formal Verification Provably Correct Systems Testing in the Wild

    Increase Confidence in System Correctness Research A New Hope
  4. Hour Clock Specification ————————————— MODULE HourClock ———————————————— EXTENDS Naturals VARIABLE

    hr HCini == hr \in (1 .. 12) HCnxt == hr’ = IF hr # 12 THEN hr + 1 ELSE 1 HC == HCini /\ [][HCnxt] _hr ————————————————————————————————————————————- THEOREM HC => []HCini ============================================= Leslie Lamport, Specifying Systems TLA+
  5. “Formal Methods Have Been a Big Success” S3 & 10+

    Core Pieces of Infrastructure Verified 2 Serious Bugs Found Increased Confidence to make Optimizations Use of Formal Methods at Amazon Web Services TLA+
  6. Leslie Lamport, Specifying Systems “Its a good idea to understand

    a system before building it, so its a good idea to write a specification of a system before implementing it” TLA+
  7. “Formal methods deal with models of systems, not the systems

    themselves” Use of Formal Methods at Amazon Web Services
  8. POPL 2016 “Our Verified Implementation is extracted to OCaml &

    runs on real networks” Program Extraction COQ
  9. POPL 2016 “We have developed & checked our framework in

    Coq, extracted it to OCaml, and built executable stores” Program Extraction COQ
  10. 77% of Production failures can be reproduced by a Unit

    Test Simple Testing can Prevent Most Critical Failures
  11. Error Handling Code is simply empty or only contains a

    Log statement Error Handler aborts cluster on an overly general exception Error Handler contains comments like FIXME or TODO 35% of Catastrophic Failures Simple Testing can Prevent Most Critical Failures
  12. Testing error handling code could have prevented 58% of catastrophic

    failures Simple Testing can Prevent Most Critical Failures
  13. Three nodes or less can reproduce 98% of failures Simple

    Testing can Prevent Most Critical Failures
  14. QuickCheck ScalaCheck Haskell Erlang Scala Java & & C, C++,

    Clojure, Common Lisp, Elm, F#, C#, Go, JavaScript, Node.js, Objective-C, OCaml, Perl, Prolog, PHP, Python, R, Ruby, Rust, Scheme, Smalltalk, StandardML , Swift Languages with Quick Check Ports:
  15. -The Verification of a Distributed System “Without explicitly forcing a

    system to fail, it is unreasonable to have any confidence it will operate correctly in failure modes”
  16. Netflix Simian Army • Chaos Monkey: kills instances • Latency

    Monkey: artificial latency induced • Chaos Gorilla: simulates outage of entire availability zone.
  17. Kyle has used this tool to show us that many

    of the Distributed Systems we know seem stable but are really just this. (cut to tire fire photo) JEPSEN credit: @aphyr Fault Injection Tool that simulates network partitions in the system under test
  18. Kyle has used this tool to show us that many

    of the Distributed Systems we know seem stable but are really just this. (cut to tire fire photo) JEPSEN credit: @aphyr Fault Injection Tool that simulates network partitions in the system under test
  19. How to Run a GameDay 1. Notify Engineering Teams that

    Failure is Coming 2. Induce Failures 3. Monitor Systems Under Test 4. Observing Only Team Monitors Recovery Processes & Systems, Files Bugs 5. Prioritize Bugs & Get Buy-In Across Teams Resilience Engineering: Learning to Embrace Failure
  20. Game Day at Stripe “During a recent game day, we

    tested failing over a Redis cluster by running kill -9 on its primary node, and ended up losing all data in the cluster” Game Day Exercises at Stripe: Learning from `kill -9`
  21. Research Improving the Verification of Distributed Systems Lineage Driven Fault

    Injection ‘Cause I’m Strong Enough: Reasoning about Consistency Choices in Distributed Systems IronFleet: Proving Practical Distributed Systems Correct
  22. Conclusion Use Formal Verification on Critical Components Unit Tests &

    Integration Tests find a multitude of Errors Increase Confidence via Property Testing & Fault Injection