Multi-Grained Specifications for Distributed System Model Checking and Verification

Lingzhi Ouyang; Xudong Sun; Ruize Tang; Yu Huang; Madhav Jivrajani; Xiaoxing Ma; Tianyin Xu

doi:10.1145/3689031.3696069

Multi-Grained Specifications for Distributed System Model Checking and Verification

Lingzhi Ouyang, Xudong Sun, Ruize Tang, Yu Huang, Madhav Jivrajani, Xiaoxing Ma, Tianyin Xu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

This paper presents our experience specifying and verifying the correctness of ZooKeeper, a complex and evolving distributed coordination system. We use TLA⁺ to model fine-grained behaviors of ZooKeeper and use the TLC model checker to verify its correctness properties; we also check conformance between the model and code. The fundamental challenge is to balance the granularity of specifications and the scalability of model checking-fine-grained specifications lead to state-space explosion, while coarse-grained specifications introduce model-code gaps. To address this challenge, we write specifications with different granularities for composable modules, and compose them into mixed-grained specifications based on specific scenarios. For example, to verify code changes, we compose fine-grained specifications of changed modules and coarse-grained specifications that abstract away details of unchanged code with preserved interactions. We show that writing multi-grained specifications is a viable practice and can cope with model-code gaps without untenable state space, especially for evolving software where changes are typically local and incremental. We detected six severe bugs that violate five types of invariants and verified their code fixes; the fixes have been merged to ZooKeeper. We also improve the protocol design to make it easy to implement correctly.

Original language	English (US)
Title of host publication	EuroSys 2025 - Proceedings of the 2025 20th European Conference on Computer Systems
Publisher	Association for Computing Machinery
Pages	379-395
Number of pages	17
ISBN (Electronic)	9798400711961
DOIs	https://doi.org/10.1145/3689031.3696069
State	Published - Mar 30 2025
Event	20th European Conference on Computer Systems, EuroSys 2025, co-located 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2025 - Rotterdam, Netherlands Duration: Mar 30 2025 → Apr 3 2025

Publication series

Name	EuroSys 2025 - Proceedings of the 2025 20th European Conference on Computer Systems

Conference

Conference	20th European Conference on Computer Systems, EuroSys 2025, co-located 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2025
Country/Territory	Netherlands
City	Rotterdam
Period	3/30/25 → 4/3/25

Keywords

Distributed systems
model checking
reliability

ASJC Scopus subject areas

Computer Networks and Communications
Hardware and Architecture
Control and Systems Engineering

Online availability

10.1145/3689031.3696069

Library availability

Discover UIUC Full Text

Cite this

Ouyang, L., Sun, X., Tang, R., Huang, Y., Jivrajani, M., Ma, X., & Xu, T. (2025). Multi-Grained Specifications for Distributed System Model Checking and Verification. In EuroSys 2025 - Proceedings of the 2025 20th European Conference on Computer Systems (pp. 379-395). (EuroSys 2025 - Proceedings of the 2025 20th European Conference on Computer Systems). Association for Computing Machinery. https://doi.org/10.1145/3689031.3696069

Multi-Grained Specifications for Distributed System Model Checking and Verification. / Ouyang, Lingzhi; Sun, Xudong; Tang, Ruize et al.
EuroSys 2025 - Proceedings of the 2025 20th European Conference on Computer Systems. Association for Computing Machinery, 2025. p. 379-395 (EuroSys 2025 - Proceedings of the 2025 20th European Conference on Computer Systems).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Ouyang, L, Sun, X, Tang, R, Huang, Y, Jivrajani, M, Ma, X & Xu, T 2025, Multi-Grained Specifications for Distributed System Model Checking and Verification. in EuroSys 2025 - Proceedings of the 2025 20th European Conference on Computer Systems. EuroSys 2025 - Proceedings of the 2025 20th European Conference on Computer Systems, Association for Computing Machinery, pp. 379-395, 20th European Conference on Computer Systems, EuroSys 2025, co-located 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2025, Rotterdam, Netherlands, 3/30/25. https://doi.org/10.1145/3689031.3696069

Ouyang L, Sun X, Tang R, Huang Y, Jivrajani M, Ma X et al. Multi-Grained Specifications for Distributed System Model Checking and Verification. In EuroSys 2025 - Proceedings of the 2025 20th European Conference on Computer Systems. Association for Computing Machinery. 2025. p. 379-395. (EuroSys 2025 - Proceedings of the 2025 20th European Conference on Computer Systems). Epub 2025 Mar 30. doi: 10.1145/3689031.3696069

@inproceedings{ab0dee7191b242439fe33a3329b1e8be,

title = "Multi-Grained Specifications for Distributed System Model Checking and Verification",

abstract = "This paper presents our experience specifying and verifying the correctness of ZooKeeper, a complex and evolving distributed coordination system. We use TLA+ to model fine-grained behaviors of ZooKeeper and use the TLC model checker to verify its correctness properties; we also check conformance between the model and code. The fundamental challenge is to balance the granularity of specifications and the scalability of model checking-fine-grained specifications lead to state-space explosion, while coarse-grained specifications introduce model-code gaps. To address this challenge, we write specifications with different granularities for composable modules, and compose them into mixed-grained specifications based on specific scenarios. For example, to verify code changes, we compose fine-grained specifications of changed modules and coarse-grained specifications that abstract away details of unchanged code with preserved interactions. We show that writing multi-grained specifications is a viable practice and can cope with model-code gaps without untenable state space, especially for evolving software where changes are typically local and incremental. We detected six severe bugs that violate five types of invariants and verified their code fixes; the fixes have been merged to ZooKeeper. We also improve the protocol design to make it easy to implement correctly.",

keywords = "Distributed systems, model checking, reliability",

author = "Lingzhi Ouyang and Xudong Sun and Ruize Tang and Yu Huang and Madhav Jivrajani and Xiaoxing Ma and Tianyin Xu",

note = "We thank the anonymous reviewers and our shepherd, Serdar Tasiran, for their insightful comments. Huang\u2019s group is supported by the National Natural Science Foundation of China (62025202, 62372222), the CCF-Huawei Populus Grove Fund (CCF-HuaweiFM202304), the Cooperation Fund of Huawei-NJU Next Generation Programming Innovation Lab (YBN2019105178SW38), and the Postgraduate Research & Practice Innovation Program of Jiangsu Province (KYCX24_ 0235). Xu\u2019s group is supported in part by NSF CNS-2130560, CNS-2145295, and a VMware Research Gift.; 20th European Conference on Computer Systems, EuroSys 2025, co-located 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2025 ; Conference date: 30-03-2025 Through 03-04-2025",

year = "2025",

month = mar,

day = "30",

doi = "10.1145/3689031.3696069",

language = "English (US)",

series = "EuroSys 2025 - Proceedings of the 2025 20th European Conference on Computer Systems",

publisher = "Association for Computing Machinery",

pages = "379--395",

booktitle = "EuroSys 2025 - Proceedings of the 2025 20th European Conference on Computer Systems",

address = "United States",

}

TY - GEN

T1 - Multi-Grained Specifications for Distributed System Model Checking and Verification

AU - Ouyang, Lingzhi

AU - Sun, Xudong

AU - Tang, Ruize

AU - Huang, Yu

AU - Jivrajani, Madhav

AU - Ma, Xiaoxing

AU - Xu, Tianyin

N1 - We thank the anonymous reviewers and our shepherd, Serdar Tasiran, for their insightful comments. Huang\u2019s group is supported by the National Natural Science Foundation of China (62025202, 62372222), the CCF-Huawei Populus Grove Fund (CCF-HuaweiFM202304), the Cooperation Fund of Huawei-NJU Next Generation Programming Innovation Lab (YBN2019105178SW38), and the Postgraduate Research & Practice Innovation Program of Jiangsu Province (KYCX24_ 0235). Xu\u2019s group is supported in part by NSF CNS-2130560, CNS-2145295, and a VMware Research Gift.

PY - 2025/3/30

Y1 - 2025/3/30

N2 - This paper presents our experience specifying and verifying the correctness of ZooKeeper, a complex and evolving distributed coordination system. We use TLA+ to model fine-grained behaviors of ZooKeeper and use the TLC model checker to verify its correctness properties; we also check conformance between the model and code. The fundamental challenge is to balance the granularity of specifications and the scalability of model checking-fine-grained specifications lead to state-space explosion, while coarse-grained specifications introduce model-code gaps. To address this challenge, we write specifications with different granularities for composable modules, and compose them into mixed-grained specifications based on specific scenarios. For example, to verify code changes, we compose fine-grained specifications of changed modules and coarse-grained specifications that abstract away details of unchanged code with preserved interactions. We show that writing multi-grained specifications is a viable practice and can cope with model-code gaps without untenable state space, especially for evolving software where changes are typically local and incremental. We detected six severe bugs that violate five types of invariants and verified their code fixes; the fixes have been merged to ZooKeeper. We also improve the protocol design to make it easy to implement correctly.

AB - This paper presents our experience specifying and verifying the correctness of ZooKeeper, a complex and evolving distributed coordination system. We use TLA+ to model fine-grained behaviors of ZooKeeper and use the TLC model checker to verify its correctness properties; we also check conformance between the model and code. The fundamental challenge is to balance the granularity of specifications and the scalability of model checking-fine-grained specifications lead to state-space explosion, while coarse-grained specifications introduce model-code gaps. To address this challenge, we write specifications with different granularities for composable modules, and compose them into mixed-grained specifications based on specific scenarios. For example, to verify code changes, we compose fine-grained specifications of changed modules and coarse-grained specifications that abstract away details of unchanged code with preserved interactions. We show that writing multi-grained specifications is a viable practice and can cope with model-code gaps without untenable state space, especially for evolving software where changes are typically local and incremental. We detected six severe bugs that violate five types of invariants and verified their code fixes; the fixes have been merged to ZooKeeper. We also improve the protocol design to make it easy to implement correctly.

KW - Distributed systems

KW - model checking

KW - reliability

UR - http://www.scopus.com/inward/record.url?scp=105002232781&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=105002232781&partnerID=8YFLogxK

U2 - 10.1145/3689031.3696069

DO - 10.1145/3689031.3696069

M3 - Conference contribution

AN - SCOPUS:105002232781

T3 - EuroSys 2025 - Proceedings of the 2025 20th European Conference on Computer Systems

SP - 379

EP - 395

BT - EuroSys 2025 - Proceedings of the 2025 20th European Conference on Computer Systems

PB - Association for Computing Machinery

T2 - 20th European Conference on Computer Systems, EuroSys 2025, co-located 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2025

Y2 - 30 March 2025 through 3 April 2025

ER -

Multi-Grained Specifications for Distributed System Model Checking and Verification

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this