|
|
|
|
|
|
by ongardie
3967 days ago
|
|
|
I included the paper proof for Raft in my PhD dissertation, but there's a good chance it contains errors. Here's a quote from the intro:
"The proof shows that the specification preserves the State Machine Safety property. The main
idea of the proof is summarized in Section 3.6.3, but the detailed proof is much more precise. We
found the proof useful in understanding Raft’s safety at a deeper level, and others may find value
in this as well. However, the proof is fairly long and difficult for humans to verify and maintain;
we believe it to be basically correct, but it might include errors or omissions. At this scale, only a
machine-checked proof could definitively be error-free."
From Appendix B of my dissertation: https://github.com/ongardie/dissertation/#readme This Coq proof is an enormous step forward. It's that machine-checked proof I was hoping someone would do when I wrote the above paragraph.
1) Assuming the TCB is correct, we know the Verdi implementation satisfies linearizability.
2) Assuming the TCB is correct and the Verdi implementation and the Raft paper/dissertation/spec are equivalent, then the Raft algorithm satisfies linearizability too. I'm more willing to believe that the Verdi implementation implements Raft faithfully than I am willing to believe that my hand proof is correct. If you're really worried about (2), you have the option of using the Verdi generated implementation. If you're less worried about (2), you can now have more confidence in the safety of the Raft algorithm in general. |
|
|