John Rushby and Friedrich von Henke. Formal verification of a fault-tolerant clock synchronization algorithm. NASA Contractor Report 4239, June 1989.
....As such, they are often the ones engineers have most difficulty convincing themselves they've got right. In the first years of the program, formal specifications and verifications for these building blocks were undertaken and completed in the following systems: EHDM and later in PVS at SRI [55, 50, 59]; Nqthm, the Boyer-Moore prover, at CLI [1, 2, 45, 44, 68]; and Clio and the Penelope Ada verification system at ORA [61, 4, 63, 30, 62]. Concurrently we gained experience at Langley using a number of the prover systems, including EHDM, Nqthm, and HOL. During that time we were primarily occupied ....
John Rushby and Friedrich von Henke. Formal verification of a fault-tolerant clock synchronization algorithm. NASA Contractor Report 4239, June 1989.
....[Figure 6: Generic Hardware Architecture, showing sensors, actuators, and processor replicates 1 to R] ....designed in a synchronous manner. The advantages of this approach are discussed in [21]. At the asynchronous replicated system level, the assumptions of the synchronous model must be discharged. In [22], Rushby and von Henke report on the formal verification of Lamport and Melliar-Smith's [14] interactive-convergence clock synchronization algorithm. This algorithm can serve as a foundation for the implementation of the replicated system as a collection of asynchronously operating processors. ....
J. Rushby and F. von Henke, "Formal verification of a fault-tolerant clock synchronization algorithm," NASA Contractor Report 4239, June 1989.
....an interactive consistency mechanism and a reliable voting mechanism are assumed at this level. The formal details of the model, specified as a state transition system, are described in section 6. At the third level, the assumptions of the synchronous model must be discharged. Rushby and von Henke [11] report on the formal verification of Lamport and Melliar-Smith's [6] interactive convergence clock synchronization algorithm. This algorithm can serve as a foundation for the implementation of the replicated system as a collection of asynchronously operating processors. Elaboration of the ....
John Rushby and Friedrich von Henke. Formal verification of a fault-tolerant clock synchronization algorithm. NASA Contractor Report 4239, June 1989.
....communication, and voting. The use of this intermediate model avoids introducing these issues along with those of real time, thus preventing an overload of details in the proof process. At the fourth level, the assumptions of the synchronous model must be discharged. Rushby and von Henke [Rushby 1989] report on the formal verification of Lamport and Melliar-Smith's [Lamport 1985] interactive convergence clock synchronization algorithm. This algorithm can serve as a foundation for the implementation of the replicated system as a collection of asynchronously operating processors. Dedicated ....
....theory upon which the DA specification depends. Although the RCP architecture does not depend on any particular clock synchronization algorithm, we have used the specification for the interactive consistency algorithm (ICA) [Lamport 1985] since Ehdm specifications for ICA already exist [Rushby 1989]. The formal definition of a clock is fundamental. A clock can be modeled as a function from real time t to clock time T: C(t) = T, or as a function from clock time to real time: c(T) = t. Since the ICA theory was expressed in terms of the latter, we will also be modeling clocks as functions ....
John Rushby and Friedrich von Henke. Formal verification of a fault-tolerant clock synchronization algorithm. NASA Contractor Report 4239, June 1989.
....for formal methods because they involve detailed and sophisticated reasoning that is challenging even for a competent human mathematician. We believe that formal methods are already demonstrating that they can make a genuine contribution toward the clarity and correctness of these algorithms [11, 2]. One important algorithm in this field is the Interactive Convergence Clock Synchronization Algorithm (ICCSA) of Lamport and Melliar-Smith [9]. This algorithm maintains approximate synchronization among a number of clocks even when the clocks begin running at slightly different times, run at ....
....of Lamport and Melliar-Smith both develops the algorithm and states formally the assumptions and desired properties required to state and prove its correctness properties. A mechanical verification of the algorithm using EHDM was performed by John Rushby and Friedrich von Henke and described in [11]. The EHDM effort resulted in a completely formal presentation of the algorithm and its proof, a presentation that is arguably somewhat clearer and more rigorous than the original published proof. Rushby and von Henke challenged users of proof systems other than EHDM as follows. We found that ....
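The citation contexts above describe what the interactive convergence algorithm guarantees (approximate synchronization despite differing start times, drift, and faulty clocks) but not the step that achieves it. The following Python simulation is an added illustration, not code from the Rushby and von Henke report or from any of the citing papers: it implements the per-period egocentric-mean step of Lamport and Melliar-Smith's algorithm for n = 4 processes with one two-faced (Byzantine) clock and checks that the skew among the good clocks stays within the threshold. The simplifications are assumptions made here, not the paper's model: all non-faulty processes resynchronise at the same real-time instant, clock readings carry no reading error, the adversary strategy in `two_faced_report` is one chosen for illustration, and clocks are modelled as functions from real time t to clock time C(t) as in the RCP context quoted above. The clock offsets and rates are constructed sample values.

```python
"""Added example: one resynchronisation step of the interactive convergence
clock synchronization algorithm (Lamport and Melliar-Smith), simulated with
three good clocks and one Byzantine clock.  Assumptions (not the paper's):
simultaneous rounds in real time, exact reads, and a hypothetical adversary."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Clock:
    offset: float          # C(0): clock time minus real time at t = 0
    rate: float            # drift rho relative to real time (dimensionless)
    faulty: bool = False   # True for the Byzantine clock

    def read(self, t: float) -> float:
        """Clock time C(t) for real time t, modelled as t*(1+rho) + offset."""
        return t * (1.0 + self.rate) + self.offset


def egocentric_mean(diffs: List[float], delta_max: float) -> float:
    """Correction a process p computes from the differences it read.

    diffs[q] is the apparent difference C_q - C_p (diffs[p] == 0.0).  Any
    difference whose magnitude exceeds delta_max is replaced by 0 before
    averaging; this is what bounds the damage a clock can do by reporting
    wild values.
    """
    adjusted = [d if abs(d) <= delta_max else 0.0 for d in diffs]
    return sum(adjusted) / len(adjusted)


def two_faced_report(reader_time: float, good_times: List[float],
                     delta_max: float) -> float:
    """Hypothetical worst-case report from the faulty clock: claim to be exactly
    delta_max ahead of readers already ahead of the good clocks' mean and exactly
    delta_max behind the rest, so the value survives the threshold yet pulls the
    good clocks apart."""
    mean_good = sum(good_times) / len(good_times)
    return delta_max if reader_time >= mean_good else -delta_max


def resync_round(clocks: List[Clock], t: float, delta_max: float) -> None:
    """One period: each non-faulty process reads every clock at real time t,
    computes its egocentric mean and adjusts its own clock.  Corrections are
    applied after all reads because the reads are assumed simultaneous."""
    times = [c.read(t) for c in clocks]
    good_times = [times[i] for i, c in enumerate(clocks) if not c.faulty]
    corrections: Dict[int, float] = {}
    for p, cp in enumerate(clocks):
        if cp.faulty:
            continue
        diffs = []
        for q, cq in enumerate(clocks):
            if q == p:
                diffs.append(0.0)
            elif cq.faulty:
                diffs.append(two_faced_report(times[p], good_times, delta_max))
            else:
                diffs.append(times[q] - times[p])
        corrections[p] = egocentric_mean(diffs, delta_max)
    for p, corr in corrections.items():
        clocks[p].offset += corr


def good_skew(clocks: List[Clock], t: float) -> float:
    """Largest difference between any two non-faulty clocks at real time t."""
    good = [c.read(t) for c in clocks if not c.faulty]
    return max(good) - min(good)


def make_clocks() -> List[Clock]:
    """Constructed sample: three good clocks within 1.5 units of each other,
    drift rates up to 1e-4, plus one Byzantine clock (n = 4 > 3m = 3)."""
    return [Clock(0.0, 1e-4), Clock(0.8, -1e-4), Clock(-0.7, 5e-5),
            Clock(0.0, 0.0, faulty=True)]


def simulate(rounds: int = 50, period: float = 1000.0,
             delta_max: float = 2.0) -> Tuple[float, float]:
    """Run `rounds` periods and return (worst skew seen among good clocks,
    skew at the end of the last period).  With n = 4, m = 1 the egocentric
    mean shrinks the skew to at most skew/4 + delta_max/2 per round and drift
    adds at most 2*rho*period = 0.2 between rounds, so it never exceeds
    delta_max."""
    clocks = make_clocks()
    worst, t = 0.0, 0.0
    for _ in range(rounds):
        worst = max(worst, good_skew(clocks, t))    # just before resync
        resync_round(clocks, t, delta_max)
        worst = max(worst, good_skew(clocks, t))    # just after resync
        t += period
    return worst, good_skew(clocks, t)


if __name__ == "__main__":
    worst, final = simulate()
    print(f"worst skew among good clocks: {worst:.3f}, final: {final:.3f}")
```

The threshold in `egocentric_mean` is the whole point: without it, a single faulty clock reporting an arbitrarily large difference would move every good clock by an unbounded amount, and the bound n > 3m is what keeps the faulty clock's admissible contribution (at most delta_max/n per reader) small enough for the skew to contract each round.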
J. Rushby and F. von Henke. Formal Verification of a Fault-Tolerant Clock Synchronization Algorithm. NASA CR-4239, June 1989.
....The approach adopted here for the design of the distributed aspect of the system is motivated by Lamport's paper [3]. At the base of the system is a distributed clock synchronization algorithm, allowing the system to be viewed as a synchronous system. Under contract to NASA, Rushby and von Henke [6] formally verified Lamport and Melliar-Smith's [4] clock synchronization algorithm, providing a key system building block. In a system relying on exact-match voting it must also be ensured that each processor receives the same inputs from the sensors. This is accomplished by a Byzantine ....
John Rushby and Friedrich von Henke. Formal verification of a fault-tolerant clock synchronization algorithm. Technical Report 4239, NASA, June 1989. Contractor Report.
....similar to the protocol in [12] was proved by Moore in [62]. As an interesting benchmark problem for specification and verification, the interactive convergence clock synchronization algorithm [51] has been mechanically checked with the Boyer-Moore prover in [82] and with PVS in [73]. Also, several versions of the oral messages algorithm [52] have been proved correct in [84] with the new version ACL2 [46] of Nqthm and with PVS in [76, 72, 55]. Nqthm is also used by [65]. For several years, numerous protocols have been checked in the field of security systems with modal ....
J. Rushby and F. von Henke. Formal verification of a fault-tolerant clock synchronization algorithm. NASA Contractor Report 4239, 1989.
....the algorithm. The first step was completed by SRI International. The first such proof was accomplished during the design and verification of SIFT [29]. The proof was done by hand in the style of journal proofs. More recently this proof step was mechanically verified using the Ehdm theorem prover [39, 40]. In addition, SRI mechanically verified Schneider's clock synchronization paradigm [41] using Ehdm [42, 43]. A further generalization was found at NASA Langley [44]. The design of a digital circuit to distribute clock values in support of fault-tolerant synchronization was completed by SRI ....
John Rushby and Friedrich von Henke, "Formal verification of a fault-tolerant clock synchronization algorithm", NASA CR-4239, June 1989.
CiteSeer.IST - Copyright Penn State and NEC