Ben-Or: Checking liveness properties #395

ghost · 2021-10-25T14:23:24Z

ghost
Oct 25, 2021

I am trying to implement Ben-Or's algorithm and test it for safety and liveness. I'm using the UnReliableBroadCast, FailureInjector and Timer provided by the tutorials. If I make fail less than N/2 processes, and no matter how much I increase the temperature-threshold or the max step, the protocol does not make progress. Ben-Or is a probabilistic algorithm that should terminate with probability 1. I always see the following error that I assume is the liveness check:

<StrategyLog> Found bug using 'random' strategy.
Error: PImplementation.Progress detected potential liveness bug in hot state 'PendingReqs'

When I replace the unreliable broadcast with the reliable one it clearly works. I tried to check the Paxos tutorial that looks similar respecting to the network assumptions, but it does not compile.

Is it reasonable what is happening? How many steps should I allow for seeing progress? Also, is the "cold" state modifier still needed or only the "hot"?

This is my Ben-Or implementation: https://github.com/pinzaghi/themiscyra/blob/master/examples/P/BenOr/PSrc/BenOr.p and the liveness spec: https://github.com/pinzaghi/themiscyra/blob/master/examples/P/BenOr/PSpec/Progress.p

EDIT: Looking in detail the logs, I found something strange. For some reason the cancel timer function do this:

fun CancelTimer(timer: Timer)
{
  send timer, eCancelTimer;
  receive {
    case eTimeOut: {}
  }
}

and my process blocks forever waiting for the eTimeOut event. Why is this implemented this way? Why should I wait for an event after canceling a timer?

Answered by ankushdesai

Oct 25, 2021

Hi Ben,

The timer machine has been edited in the latest commit and final version of the tutorials. Can I please request you to update your models to use the latest version of the time, failure detector and injector?

After you have done that, I agree with you that if the Ben-Or algorithm must always terminate for all executions that the checker must not report an error.

We can look at it together after you have updated your models.

Thanks,
Ankush

View full answer

ankushdesai · 2021-10-25T19:13:42Z

ankushdesai
Oct 25, 2021
Maintainer

Hi Ben,

The timer machine has been edited in the latest commit and final version of the tutorials. Can I please request you to update your models to use the latest version of the time, failure detector and injector?

After you have done that, I agree with you that if the Ben-Or algorithm must always terminate for all executions that the checker must not report an error.

We can look at it together after you have updated your models.

Thanks,
Ankush

0 replies

ankushdesai · 2021-11-08T19:36:25Z

ankushdesai
Nov 8, 2021
Maintainer

Did this help?

1 reply

ghost Nov 8, 2021

Yes, I forgot to pull the latest version of the repo.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Ben-Or: Checking liveness properties #395

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

Ben-Or: Checking liveness properties #395

ghost Oct 25, 2021

Replies: 2 comments · 1 reply

ankushdesai Oct 25, 2021 Maintainer

ankushdesai Nov 8, 2021 Maintainer

ghost Nov 8, 2021

ghost
Oct 25, 2021

Replies: 2 comments 1 reply

ankushdesai
Oct 25, 2021
Maintainer

ankushdesai
Nov 8, 2021
Maintainer